NIST SP 800-135, Revision 1
NIST Special Publication 800-135
Revision 1
Recommendation for Existing
Application-Specific Key Derivation
Functions
Quynh Dang
Computer Security Division
Information Technology Laboratory
COMPUTER SECURITY
December 2011
U.S. Department of Commerce
John Bryson, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary for Standards and Technology and Director
Abstract
Cryptographic keys are vital to the security of internet security applications and
protocols. Many widely-used internet security protocols have their own application-
specific Key Derivation Functions (KDFs) that are used to generate the cryptographic
keys required for their cryptographic functions. This Recommendation provides security
requirements for those KDFs.
KEY WORDS: Cryptographic key, shared secret, Diffie-Hellman (DH) key exchange,
hash function, Key Derivation Function (KDF), Hash-based Key Derivation Function,
Randomness Extraction, Key expansion, Pseudorandom Function (PRF), HMAC, ANS
X9.42-2001, ANS X9.63-2001, IKE, SSH, TLS, SRTP, SNMP and TPM.
Acknowledgements
The author gratefully appreciates the comments and contributions of the many reviewers in
various Federal agencies and the public. In particular, the author would like to thank Elaine
Barker, William E. Burr, Lily Chen, Tim Polk, Tim Hall, Scott Rose and Hugo Krawczyk.
Table of Contents
1 Introduction
2 Authority
3 Glossary of Terms, Acronyms and Mathematical Symbols
3.1 Terms and Definitions
3.2 Acronyms
3.3 Symbols & Mathematical Operations
4 Extraction-then-Expansion (E-E) Key Derivation Procedure
4.1 Internet Key Exchange (IKE)
4.1.1 IKE version 1 (IKEv1)
4.1.2 IKE version 2 (IKEv2)
4.2 Key Derivation in Transport Layer Security (TLS)
4.2.1 Key Derivation in TLS versions 1.0 and 1.1
4.2.2 Key Derivation in TLS version 1.2
5 Other Existing Key Derivation Functions
5.1 Key Derivation Functions in American National Standards (ANS) X9.42-2001 and ANS X9.63-2001
5.2 Secure Shell (SSH) Key Derivation Function
5.3 The Secure Real-time Transport Protocol (SRTP) Key Derivation Function
5.4 Simple Network Management Protocol (SNMP) Key Derivation Function/Key Localization Function
5.5 Trusted Platform Module (TPM) Key Derivation Function
6 References
Appendix A — Change Log
Recommendation for Application-Specific