HKDF is an HMAC-based key-derivation function specified in RFC 5869. It’s nice and we generally like using it. FIPS (Federal Information Processing Standards) is used generally as a moniker for the set of standards, recommendations, and guidance published by the U.S. National Institute of Standards and Technology, and more specifically for FIPS 140, the standard concerning the validation of cryptographic modules. There are a number of regulatory settings (such as FedRAMP) that require FIPS 140 compliance, and it often doesn’t let us have nice things. As of earlier this year, I decided to finally bite the bullet and pursue a FIPS 140-3 validation for the Go cryptography standard library, trying to retain as many nice things as possible, so I am diving into the finer details of what’s allowed and what’s not.
The FIPS compliance of HKDF is a somewhat confusing and controversial topic, partly because the normative reference is split over at least four separate documents, but in practice HKDF is approved for almost any purpose.