Add a definition for HKDF-CTR, which is the HKDF algorithm using HMAC-CTR
authorRyan Sleevi <sleevi@google.com>
Sun, 27 Jan 2013 20:59:50 -0800
changeset 29 d3d5457ef60b
parent 28 17347680f504
child 30 0c723a7d29b3
Add a definition for HKDF-CTR, which is the HKDF algorithm using HMAC-CTR

As an alternative to Concat, provide a key derivation function based on HKDF,
which cis the same KDF used in protocols like IKEv2 and is very similar to that
of TLS's PRF.
spec/Overview-WebCryptoAPI.xml
spec/Overview.html
--- a/spec/Overview-WebCryptoAPI.xml	Sun Jan 27 20:59:29 2013 -0800
+++ b/spec/Overview-WebCryptoAPI.xml	Sun Jan 27 20:59:50 2013 -0800
@@ -3475,6 +3475,75 @@
             </ul>
           </div>
         </div>
+        <div id="hkdf-ctr" class="section">
+          <h3>HKDF-CTR</h3>
+          <div id="hkdf-ctr-description" class="section">
+            <h4>Description</h4>
+            <p class="norm">This section is non-normative.</p>
+            <p>
+              The <code>"HKDF-CTR"</code> algorithm identifier is used to
+              perform key derivation using the algorithm described in
+              RFC 5869 [<a href="#RFC5869">RFC5869</a>] and NIST SP 800-56C
+              [<a href="#SP800-56C">SP800-56C</a>], using HMAC in counter mode,
+              as described in Section 5.1 of NIST SP 800-108
+              [<a href="#SP800-108">SP800-108</a>].
+            </p>
+          </div>
+          <div id="hkdf-ctr-registration" class="section">
+            <h4>Registration</h4>
+            <p>
+              The <a href="#recognized-algorithm-name">recognized algorithm name</a>
+              for this algorithm is <code>"HKDF-CTR"</code>.
+            </p>
+            <table>
+              <thead>
+                <tr>
+                  <th><a href="#supported-operations">Operation</a></th>
+                  <th><a href="#algorithm-specific-params">Parameters</a></th>
+                  <th><a href="#algorithm-result">Result</a></th>
+                </tr>
+              </thead>
+              <tbody>
+                <tr>
+                  <td>deriveKey</td>
+                  <td><a href="#dfn-HkdfCtrParams">HkdfCtrParams</a></td>
+                  <td><a href="#dfn-Key">Key</a>?</td>
+                </tr>
+              </tbody>
+            </table>
+          </div>
+          <div id="hkdf-ctr-params" class="section">
+            <h4>HkdfCtrParams dictionary</h4>
+            <x:codeblock language="idl">
+dictionary <dfn id="dfn-HkdfCtrParams">HkdfCtrParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
+  <span class="comment">// The algorithm to use with HMAC (eg: <a href="#sha-256">SHA-256</a></span>
+  AlgorithmIdentifier hashAlg;
+  <span class="comment">// A bit string that corresponds to the label that identifies the purpose for the derived keying material.</span>
+  ArrayBufferView label;
+  <span class="comment">// A bit string that corresponds to the context of the key derivation, as described in Section 5 of NIST SP 800-108 [<a href="#SP800-108">SP800-108</a>]</span>
+  ArrayBufferView context;
+};
+            </x:codeblock>
+            <div class="ednote">
+              <p>
+                The definition of HKDF allows the caller to supply an optional pseudorandom salt
+                value, which is used as the key during the extract phase. If this value is not
+                supplied, an all zero string is used instead. However, support for an explicit
+                salt value is not widely implemented in existing APIs, nor is it required by
+                existing usages of HKDF. Should this be an optional parameter, and if so, what
+                should the behaviour be of a user agent that does not support explicit salt
+                values (is it conforming or non-conforming?)
+              </p>
+            </div>
+          </div>
+          <div id="hkdf2-ctr-operations" class="section">
+            <h4>Operations</h4>
+            <ul>
+              <li>Derive Key</li>
+            </ul>
+          </div>
+        </div>
+
         <div id="pbkdf2" class="section">
           <h3>PBKDF2</h3>
           <div id="pbkdf2-description" class="section">
@@ -3835,11 +3904,28 @@
               <cite><a href="http://tools.ietf.org/html/rfc5705">Keying Material Exporters for
               Transport Layer Security (TLS)</a></cite>, E. Rescorla. IETF.
             </dd>
+            <dt id="RFC5869">RFC 5869</dt>
+            <dd>
+              <cite><a href="https://tools.ietf.org/html/rfc5869">HMAC-based Extract-and-Expand
+              Key Derivation Function (HKDF)</a></cite>, H. Krawczyk, P. Eronen. IETF.
+            </dd>
             <dt id="SP800-56A">NIST SP 800-56A</dt>
             <dd>
               <cite><a href="http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf">
-              NIST SP 800-56A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete
-              Logarithm Cryptography (Revised)</a></cite>, March 2007, NIST.
+              NIST Special Publication 800-56A: Recommendation for Pair-Wise Key Establishment
+              Schemes Using Discrete Logarithm Cryptography (Revised)</a></cite>, March 2007, NIST.
+            </dd>
+            <dt id="SP800-56C">NIST SP 800-56C</dt>
+            <dd>
+              <cite><a href="http://csrc.nist.gov/publications/nistpubs/800-56C/SP-800-56C.pdf">
+              NIST Special Publication 800-56C: Recommendation for Key Derivation through
+              Extraction-then-Expansion</a></cite>, November 2011, NIST.
+            </dd>
+            <dt id="SP800-108">NIST SP 800-108</dt>
+            <dd>
+              <cite><a href="http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf">
+              NIST Special Publication 800-108: Recommendation for Key Derivation Using
+              Pseudorandom Functions (Revised)</a></cite>, October 2009, NIST.
             </dd>
             <dt id="StreamsAPI">StreamsAPI</dt>
             <dd>
--- a/spec/Overview.html	Sun Jan 27 20:59:29 2013 -0800
+++ b/spec/Overview.html	Sun Jan 27 20:59:50 2013 -0800
@@ -49,7 +49,7 @@
 communications.
       </p>
   
-      <div class="ednote"><div class="ednoteHeader">Editorial note</div><p>There are 23 further editorial notes in the document.</p></div>
+      <div class="ednote"><div class="ednoteHeader">Editorial note</div><p>There are 24 further editorial notes in the document.</p></div>
     </div>
 
     <div class="section">
@@ -141,7 +141,7 @@
 
     <div id="toc">
       <h2>Table of Contents</h2>
-      <div class="toc"><ul><li><a href="#introduction">1. Introduction</a></li><li><a href="#use-cases">2. Use Cases</a><ul><li><a href="#multifactor-authentication">2.1. Multi-factor Authentication</a></li><li><a href="#protected-document">2.2. Protected Document Exchange</a></li><li><a href="#cloud-storage">2.3. Cloud Storage</a></li><li><a href="#document-signing">2.4. Document Signing</a></li><li><a href="#data-integrity-protection">2.5. Data Integrity Protection</a></li><li><a href="#secure-messaging">2.6. Secure Messaging</a></li><li><a href="#jose">2.7. Javascript Object Signing and Encryption (JOSE)</a></li></ul></li><li><a href="#conformance">3. Conformance</a></li><li><a href="#scope">4. Scope</a><ul><li><a href="#scope-abstraction">4.1. Level of abstraction</a></li><li><a href="#scope-algorithms">4.2. Cryptographic algorithms</a></li><li><a href="#scope-operations">4.3. Operations</a></li><li><a href="#scope-out-of-scope">4.4. Out of scope</a></li></ul></li><li><a href="#security">5. Security considerations</a><ul><li><a href="#security-implementers">5.1. Security considerations for implementers</a></li><li><a href="#security-developers">5.2. Security considerations for developers</a></li></ul></li><li><a href="#privacy">6. Privacy considerations</a></li><li><a href="#dependencies">7. Dependencies</a></li><li><a href="#terminology">8. Terminology</a></li><li><a href="#RandomSource-interface">9. RandomSource interface</a><ul><li><a href="#RandomSource-description">9.1. Description</a></li><li><a href="#RandomSource-interface-methods">9.2. Methods and Parameters</a><ul><li><a href="#RandomSource-method-getRandomValues">9.2.1. The getRandomValues method</a></li></ul></li></ul></li><li><a href="#algorithm-dictionary">10. Algorithm dictionary</a><ul><li><a href="#algorithm-dictionary-members">10.1. Algorithm Dictionary Members</a></li></ul></li><li><a href="#key-interface">11. Key interface</a><ul><li><a href="#key-interface-description">11.1. Description</a></li><li><a href="#key-interface-members">11.2. Key interface members</a></li><li><a href="#key-interface-clone">11.3. Structured clone algorithm</a></li></ul></li><li><a href="#cryptooperation-interface">12. CryptoOperation interface</a><ul><li><a href="#CryptoOperation-processing-model">12.1. Processing Model</a></li><li><a href="#cryptooperation-events">12.2. Event Handler Attributes</a></li><li><a href="#CryptoOperation-attributes">12.3. Attributes</a></li><li><a href="#CryptoOperation-methods">12.4. Methods</a><ul><li><a href="#CryptoOperation-method-process">12.4.1. process(ArrayBufferView data)</a></li><li><a href="#CryptoOperation-method-finish">12.4.2. The finish() method</a></li><li><a href="#CryptoOperation-method-abort">12.4.3. The abort() method</a></li></ul></li></ul></li><li><a href="#KeyOperation-interface">13. KeyOperation interface</a></li><li><a href="#crypto-interface">14. Crypto interface</a></li><li><a href="#subtlecrypto-interface">15. SubtleCrypto interface</a><ul><li><a href="#subtlecrypto-interface-description">15.1. Description</a></li><li><a href="#subtlecrypto-interface-methods">15.2. Methods and Parameters</a><ul><li><a href="#SubtleCrypto-method-encrypt">15.2.1. The encrypt method</a></li><li><a href="#SubtleCrypto-method-decrypt">15.2.2. The decrypt method</a></li><li><a href="#SubtleCrypto-method-sign">15.2.3. The sign method</a></li><li><a href="#SubtleCrypto-method-verify">15.2.4. The verify method</a></li><li><a href="#SubtleCrypto-method-digest">15.2.5. The digest method</a></li><li><a href="#SubtleCrypto-method-generateKey">15.2.6. The generateKey method</a></li><li><a href="#SubtleCrypto-method-deriveKey">15.2.7. The deriveKey method</a></li><li><a href="#SubtleCrypto-method-importKey">15.2.8. The importKey method</a></li><li><a href="#SubtleCrypto-method-exportKey">15.2.9. The exportKey method</a></li></ul></li></ul></li><li><a href="#WorkerCrypto-interface">16. WorkerCrypto interface</a><ul><li><a href="#WorkerCrypto-description">16.1. Description</a></li></ul></li><li><a href="#big-integer">17. BigInteger</a></li><li><a href="#keypair">18. KeyPair</a></li><li><a href="#key-discovery">19. Key Discovery</a></li><li><a href="#algorithms">20. Algorithms</a><ul><li><a href="#recommended-algorithms">20.1. Recommended algorithms</a></li><li><a href="#defining-an-algorithm">20.2. Defining an algorithm</a><ul><li><a href="#recognized-algorithm-name">20.2.1. Recognized algorithm name</a></li><li><a href="#supported-operations">20.2.2. Supported operations</a></li><li><a href="#algorithm-specific-params">20.2.3. Algorithm-specific parameters</a></li><li><a href="#algorithm-result">20.2.4. Algorithm results</a></li><li><a href="#algorithm-alias">20.2.5. Algorithm aliases</a></li></ul></li><li><a href="#rsaes-pkcs1">20.3. RSAES-PKCS1-v1_5</a><ul><li><a href="#rsaes-pkcs1-description">20.3.1. Description</a></li><li><a href="#rsaes-pkcs1-registration">20.3.2. Registration</a></li><li><a href="#RsaKeyGenParams-dictionary">20.3.3. RsaKeyGenParams dictionary</a></li><li><a href="#rsaes-pkcs1-operations">20.3.4. Operations</a></li></ul></li><li><a href="#rsassa-pkcs1">20.4. RSASSA-PKCS1-v1_5</a><ul><li><a href="#rsassa-pkcs1-description">20.4.1. Description</a></li><li><a href="#rsassa-pkcs1-registration">20.4.2. Registration</a></li><li><a href="#RsaSsaParams-dictionary">20.4.3. RsaSsaParams dictionary</a></li><li><a href="#rsassa-pkcs1-operations">20.4.4. Operations</a></li></ul></li><li><a href="#rsa-pss">20.5. RSA-PSS</a><ul><li><a href="#rsa-pss-description">20.5.1. Description</a></li><li><a href="#rsa-pss-registration">20.5.2. Registration</a></li><li><a href="#rsa-pss-params">20.5.3. RsaPssParams dictionary</a></li><li><a href="#rsa-pss-operations">20.5.4. Operations</a></li></ul></li><li><a href="#rsa-oaep">20.6. RSA-OAEP</a><ul><li><a href="#rsa-oaep-description">20.6.1. Description</a></li><li><a href="#rsa-oaep-registration">20.6.2. Registration</a></li><li><a href="#rsa-oaep-params">20.6.3. RsaOaepParams dictionary</a></li><li><a href="#rsa-oaep-operations">20.6.4. Operations</a></li></ul></li><li><a href="#ecdsa">20.7. ECDSA</a><ul><li><a href="#ecdsa-description">20.7.1. Description</a></li><li><a href="#ecdsa-registration">20.7.2. Registration</a></li><li><a href="#EcdsaParams-dictionary">20.7.3. EcdsaParams dictionary</a></li><li><a href="#EcKeyGenParams-dictionary">20.7.4. EcKeyGenParams dictionary</a></li><li><a href="#ecdsa-operations">20.7.5. Operations</a></li></ul></li><li><a href="#ecdh">20.8. ECDH</a><ul><li><a href="#ecdh-description">20.8.1. Description</a></li><li><a href="#ecdh-registration">20.8.2. Registration</a></li><li><a href="#dh-EcdhKeyDeriveParams">20.8.3. EcdhKeyDeriveParams dictionary</a></li><li><a href="#ecdh-operations">20.8.4. Operations</a></li></ul></li><li><a href="#aes-ctr">20.9. AES-CTR</a><ul><li><a href="#aes-ctr-description">20.9.1. Description</a></li><li><a href="#aes-ctr-registration">20.9.2. Registration</a></li><li><a href="#aes-ctr-params">20.9.3. AesCtrParams dictionary</a></li><li><a href="#aes-keygen-params">20.9.4. AesKeyGenParams dictionary</a></li><li><a href="#aes-ctr-operations">20.9.5. Operations</a></li></ul></li><li><a href="#aes-cbc">20.10. AES-CBC</a><ul><li><a href="#aes-cbc-description">20.10.1. Description</a></li><li><a href="#aes-cbc-registration">20.10.2. Registration</a></li><li><a href="#aes-cbc-params">20.10.3. AesCbcParams dictionary</a></li><li><a href="#aes-cbc-operations">20.10.4. Operations</a></li></ul></li><li><a href="#aes-gcm">20.11. AES-GCM</a><ul><li><a href="#aes-gcm-description">20.11.1. Description</a></li><li><a href="#aes-gcm-registration">20.11.2. Registration</a></li><li><a href="#aes-gcm-params">20.11.3. AesGcmParams dictionary</a></li><li><a href="#aes-gcm-operations">20.11.4. Operations</a></li></ul></li><li><a href="#hmac">20.12. HMAC</a><ul><li><a href="#hmac-description">20.12.1. Description</a></li><li><a href="#hmac-registration">20.12.2. Registration</a></li><li><a href="#hmac-params">20.12.3. HmacParams dictionary</a></li><li><a href="#hmac-operations">20.12.4. Operations</a></li></ul></li><li><a href="#dh">20.13. Diffie-Hellman</a><ul><li><a href="#dh-description">20.13.1. Description</a></li><li><a href="#dh-registration">20.13.2. Registration</a></li><li><a href="#dh-DhKeyGenParams">20.13.3. DhKeyGenParams dictionary</a></li><li><a href="#dh-DhKeyDeriveParams">20.13.4. DhKeyDeriveParams dictionary</a></li><li><a href="#dh-operations">20.13.5. Operations</a></li></ul></li><li><a href="#sha">20.14. SHA</a><ul><li><a href="#sha-description">20.14.1. Description</a></li><li><a href="#sha-registration">20.14.2. Registration</a></li><li><a href="#sha-operations">20.14.3. Operations</a></li></ul></li><li><a href="#concatkdf">20.15. Concat KDF</a><ul><li><a href="#concatkdf-description">20.15.1. Description</a></li><li><a href="#concatkdf-registration">20.15.2. Registration</a></li><li><a href="#concat-params">20.15.3. ConcatParams dictionary</a></li><li><a href="#concat-operations">20.15.4. Operations</a></li></ul></li><li><a href="#pbkdf2">20.16. PBKDF2</a><ul><li><a href="#pbkdf2-description">20.16.1. Description</a></li><li><a href="#pbkdf2-registration">20.16.2. Registration</a></li><li><a href="#pbkdf2-params">20.16.3. Pbkdf2Params dictionary</a></li><li><a href="#pbkdf2-operations">20.16.4. Operations</a></li></ul></li></ul></li><li><a href="#algorithm-normalizing-rules">21. Algorithm normalizing rules</a></li><li><a href="#examples-section">22. JavaScript Example Code</a><ul><li><a href="#examples-signing">22.1. Generate a signing key pair, sign some data</a></li><li><a href="#examples-symmetric-encryption">22.2. Symmetric Encryption</a></li></ul></li><li><a href="#acknowledgements-section">23. Acknowledgements</a></li><li><a href="#references">24. References</a><ul><li><a href="#normative-references">24.1. Normative References</a></li><li><a href="#informative-references">24.2. Informative References</a></li></ul></li></ul></div>
+      <div class="toc"><ul><li><a href="#introduction">1. Introduction</a></li><li><a href="#use-cases">2. Use Cases</a><ul><li><a href="#multifactor-authentication">2.1. Multi-factor Authentication</a></li><li><a href="#protected-document">2.2. Protected Document Exchange</a></li><li><a href="#cloud-storage">2.3. Cloud Storage</a></li><li><a href="#document-signing">2.4. Document Signing</a></li><li><a href="#data-integrity-protection">2.5. Data Integrity Protection</a></li><li><a href="#secure-messaging">2.6. Secure Messaging</a></li><li><a href="#jose">2.7. Javascript Object Signing and Encryption (JOSE)</a></li></ul></li><li><a href="#conformance">3. Conformance</a></li><li><a href="#scope">4. Scope</a><ul><li><a href="#scope-abstraction">4.1. Level of abstraction</a></li><li><a href="#scope-algorithms">4.2. Cryptographic algorithms</a></li><li><a href="#scope-operations">4.3. Operations</a></li><li><a href="#scope-out-of-scope">4.4. Out of scope</a></li></ul></li><li><a href="#security">5. Security considerations</a><ul><li><a href="#security-implementers">5.1. Security considerations for implementers</a></li><li><a href="#security-developers">5.2. Security considerations for developers</a></li></ul></li><li><a href="#privacy">6. Privacy considerations</a></li><li><a href="#dependencies">7. Dependencies</a></li><li><a href="#terminology">8. Terminology</a></li><li><a href="#RandomSource-interface">9. RandomSource interface</a><ul><li><a href="#RandomSource-description">9.1. Description</a></li><li><a href="#RandomSource-interface-methods">9.2. Methods and Parameters</a><ul><li><a href="#RandomSource-method-getRandomValues">9.2.1. The getRandomValues method</a></li></ul></li></ul></li><li><a href="#algorithm-dictionary">10. Algorithm dictionary</a><ul><li><a href="#algorithm-dictionary-members">10.1. Algorithm Dictionary Members</a></li></ul></li><li><a href="#key-interface">11. Key interface</a><ul><li><a href="#key-interface-description">11.1. Description</a></li><li><a href="#key-interface-members">11.2. Key interface members</a></li><li><a href="#key-interface-clone">11.3. Structured clone algorithm</a></li></ul></li><li><a href="#cryptooperation-interface">12. CryptoOperation interface</a><ul><li><a href="#CryptoOperation-processing-model">12.1. Processing Model</a></li><li><a href="#cryptooperation-events">12.2. Event Handler Attributes</a></li><li><a href="#CryptoOperation-attributes">12.3. Attributes</a></li><li><a href="#CryptoOperation-methods">12.4. Methods</a><ul><li><a href="#CryptoOperation-method-process">12.4.1. process(ArrayBufferView data)</a></li><li><a href="#CryptoOperation-method-finish">12.4.2. The finish() method</a></li><li><a href="#CryptoOperation-method-abort">12.4.3. The abort() method</a></li></ul></li></ul></li><li><a href="#KeyOperation-interface">13. KeyOperation interface</a></li><li><a href="#crypto-interface">14. Crypto interface</a></li><li><a href="#subtlecrypto-interface">15. SubtleCrypto interface</a><ul><li><a href="#subtlecrypto-interface-description">15.1. Description</a></li><li><a href="#subtlecrypto-interface-methods">15.2. Methods and Parameters</a><ul><li><a href="#SubtleCrypto-method-encrypt">15.2.1. The encrypt method</a></li><li><a href="#SubtleCrypto-method-decrypt">15.2.2. The decrypt method</a></li><li><a href="#SubtleCrypto-method-sign">15.2.3. The sign method</a></li><li><a href="#SubtleCrypto-method-verify">15.2.4. The verify method</a></li><li><a href="#SubtleCrypto-method-digest">15.2.5. The digest method</a></li><li><a href="#SubtleCrypto-method-generateKey">15.2.6. The generateKey method</a></li><li><a href="#SubtleCrypto-method-deriveKey">15.2.7. The deriveKey method</a></li><li><a href="#SubtleCrypto-method-importKey">15.2.8. The importKey method</a></li><li><a href="#SubtleCrypto-method-exportKey">15.2.9. The exportKey method</a></li></ul></li></ul></li><li><a href="#WorkerCrypto-interface">16. WorkerCrypto interface</a><ul><li><a href="#WorkerCrypto-description">16.1. Description</a></li></ul></li><li><a href="#big-integer">17. BigInteger</a></li><li><a href="#keypair">18. KeyPair</a></li><li><a href="#key-discovery">19. Key Discovery</a></li><li><a href="#algorithms">20. Algorithms</a><ul><li><a href="#recommended-algorithms">20.1. Recommended algorithms</a></li><li><a href="#defining-an-algorithm">20.2. Defining an algorithm</a><ul><li><a href="#recognized-algorithm-name">20.2.1. Recognized algorithm name</a></li><li><a href="#supported-operations">20.2.2. Supported operations</a></li><li><a href="#algorithm-specific-params">20.2.3. Algorithm-specific parameters</a></li><li><a href="#algorithm-result">20.2.4. Algorithm results</a></li><li><a href="#algorithm-alias">20.2.5. Algorithm aliases</a></li></ul></li><li><a href="#rsaes-pkcs1">20.3. RSAES-PKCS1-v1_5</a><ul><li><a href="#rsaes-pkcs1-description">20.3.1. Description</a></li><li><a href="#rsaes-pkcs1-registration">20.3.2. Registration</a></li><li><a href="#RsaKeyGenParams-dictionary">20.3.3. RsaKeyGenParams dictionary</a></li><li><a href="#rsaes-pkcs1-operations">20.3.4. Operations</a></li></ul></li><li><a href="#rsassa-pkcs1">20.4. RSASSA-PKCS1-v1_5</a><ul><li><a href="#rsassa-pkcs1-description">20.4.1. Description</a></li><li><a href="#rsassa-pkcs1-registration">20.4.2. Registration</a></li><li><a href="#RsaSsaParams-dictionary">20.4.3. RsaSsaParams dictionary</a></li><li><a href="#rsassa-pkcs1-operations">20.4.4. Operations</a></li></ul></li><li><a href="#rsa-pss">20.5. RSA-PSS</a><ul><li><a href="#rsa-pss-description">20.5.1. Description</a></li><li><a href="#rsa-pss-registration">20.5.2. Registration</a></li><li><a href="#rsa-pss-params">20.5.3. RsaPssParams dictionary</a></li><li><a href="#rsa-pss-operations">20.5.4. Operations</a></li></ul></li><li><a href="#rsa-oaep">20.6. RSA-OAEP</a><ul><li><a href="#rsa-oaep-description">20.6.1. Description</a></li><li><a href="#rsa-oaep-registration">20.6.2. Registration</a></li><li><a href="#rsa-oaep-params">20.6.3. RsaOaepParams dictionary</a></li><li><a href="#rsa-oaep-operations">20.6.4. Operations</a></li></ul></li><li><a href="#ecdsa">20.7. ECDSA</a><ul><li><a href="#ecdsa-description">20.7.1. Description</a></li><li><a href="#ecdsa-registration">20.7.2. Registration</a></li><li><a href="#EcdsaParams-dictionary">20.7.3. EcdsaParams dictionary</a></li><li><a href="#EcKeyGenParams-dictionary">20.7.4. EcKeyGenParams dictionary</a></li><li><a href="#ecdsa-operations">20.7.5. Operations</a></li></ul></li><li><a href="#ecdh">20.8. ECDH</a><ul><li><a href="#ecdh-description">20.8.1. Description</a></li><li><a href="#ecdh-registration">20.8.2. Registration</a></li><li><a href="#dh-EcdhKeyDeriveParams">20.8.3. EcdhKeyDeriveParams dictionary</a></li><li><a href="#ecdh-operations">20.8.4. Operations</a></li></ul></li><li><a href="#aes-ctr">20.9. AES-CTR</a><ul><li><a href="#aes-ctr-description">20.9.1. Description</a></li><li><a href="#aes-ctr-registration">20.9.2. Registration</a></li><li><a href="#aes-ctr-params">20.9.3. AesCtrParams dictionary</a></li><li><a href="#aes-keygen-params">20.9.4. AesKeyGenParams dictionary</a></li><li><a href="#aes-ctr-operations">20.9.5. Operations</a></li></ul></li><li><a href="#aes-cbc">20.10. AES-CBC</a><ul><li><a href="#aes-cbc-description">20.10.1. Description</a></li><li><a href="#aes-cbc-registration">20.10.2. Registration</a></li><li><a href="#aes-cbc-params">20.10.3. AesCbcParams dictionary</a></li><li><a href="#aes-cbc-operations">20.10.4. Operations</a></li></ul></li><li><a href="#aes-gcm">20.11. AES-GCM</a><ul><li><a href="#aes-gcm-description">20.11.1. Description</a></li><li><a href="#aes-gcm-registration">20.11.2. Registration</a></li><li><a href="#aes-gcm-params">20.11.3. AesGcmParams dictionary</a></li><li><a href="#aes-gcm-operations">20.11.4. Operations</a></li></ul></li><li><a href="#hmac">20.12. HMAC</a><ul><li><a href="#hmac-description">20.12.1. Description</a></li><li><a href="#hmac-registration">20.12.2. Registration</a></li><li><a href="#hmac-params">20.12.3. HmacParams dictionary</a></li><li><a href="#hmac-operations">20.12.4. Operations</a></li></ul></li><li><a href="#dh">20.13. Diffie-Hellman</a><ul><li><a href="#dh-description">20.13.1. Description</a></li><li><a href="#dh-registration">20.13.2. Registration</a></li><li><a href="#dh-DhKeyGenParams">20.13.3. DhKeyGenParams dictionary</a></li><li><a href="#dh-DhKeyDeriveParams">20.13.4. DhKeyDeriveParams dictionary</a></li><li><a href="#dh-operations">20.13.5. Operations</a></li></ul></li><li><a href="#sha">20.14. SHA</a><ul><li><a href="#sha-description">20.14.1. Description</a></li><li><a href="#sha-registration">20.14.2. Registration</a></li><li><a href="#sha-operations">20.14.3. Operations</a></li></ul></li><li><a href="#concatkdf">20.15. Concat KDF</a><ul><li><a href="#concatkdf-description">20.15.1. Description</a></li><li><a href="#concatkdf-registration">20.15.2. Registration</a></li><li><a href="#concat-params">20.15.3. ConcatParams dictionary</a></li><li><a href="#concat-operations">20.15.4. Operations</a></li></ul></li><li><a href="#hkdf-ctr">20.16. HKDF-CTR</a><ul><li><a href="#hkdf-ctr-description">20.16.1. Description</a></li><li><a href="#hkdf-ctr-registration">20.16.2. Registration</a></li><li><a href="#hkdf-ctr-params">20.16.3. HkdfCtrParams dictionary</a></li><li><a href="#hkdf2-ctr-operations">20.16.4. Operations</a></li></ul></li><li><a href="#pbkdf2">20.17. PBKDF2</a><ul><li><a href="#pbkdf2-description">20.17.1. Description</a></li><li><a href="#pbkdf2-registration">20.17.2. Registration</a></li><li><a href="#pbkdf2-params">20.17.3. Pbkdf2Params dictionary</a></li><li><a href="#pbkdf2-operations">20.17.4. Operations</a></li></ul></li></ul></li><li><a href="#algorithm-normalizing-rules">21. Algorithm normalizing rules</a></li><li><a href="#examples-section">22. JavaScript Example Code</a><ul><li><a href="#examples-signing">22.1. Generate a signing key pair, sign some data</a></li><li><a href="#examples-symmetric-encryption">22.2. Symmetric Encryption</a></li></ul></li><li><a href="#acknowledgements-section">23. Acknowledgements</a></li><li><a href="#references">24. References</a><ul><li><a href="#normative-references">24.1. Normative References</a></li><li><a href="#informative-references">24.2. Informative References</a></li></ul></li></ul></div>
     </div>
 
     <div id="sections">
@@ -3484,13 +3484,82 @@
             </ul>
           </div>
         </div>
+        <div id="hkdf-ctr" class="section">
+          <h3>20.16. HKDF-CTR</h3>
+          <div id="hkdf-ctr-description" class="section">
+            <h4>20.16.1. Description</h4>
+            <p class="norm">This section is non-normative.</p>
+            <p>
+              The <code>"HKDF-CTR"</code> algorithm identifier is used to
+              perform key derivation using the algorithm described in
+              RFC 5869 [<a href="#RFC5869">RFC5869</a>] and NIST SP 800-56C
+              [<a href="#SP800-56C">SP800-56C</a>], using HMAC in counter mode,
+              as described in Section 5.1 of NIST SP 800-108
+              [<a href="#SP800-108">SP800-108</a>].
+            </p>
+          </div>
+          <div id="hkdf-ctr-registration" class="section">
+            <h4>20.16.2. Registration</h4>
+            <p>
+              The <a href="#recognized-algorithm-name">recognized algorithm name</a>
+              for this algorithm is <code>"HKDF-CTR"</code>.
+            </p>
+            <table>
+              <thead>
+                <tr>
+                  <th><a href="#supported-operations">Operation</a></th>
+                  <th><a href="#algorithm-specific-params">Parameters</a></th>
+                  <th><a href="#algorithm-result">Result</a></th>
+                </tr>
+              </thead>
+              <tbody>
+                <tr>
+                  <td>deriveKey</td>
+                  <td><a href="#dfn-HkdfCtrParams">HkdfCtrParams</a></td>
+                  <td><a href="#dfn-Key">Key</a>?</td>
+                </tr>
+              </tbody>
+            </table>
+          </div>
+          <div id="hkdf-ctr-params" class="section">
+            <h4>20.16.3. HkdfCtrParams dictionary</h4>
+            <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
+dictionary <dfn id="dfn-HkdfCtrParams">HkdfCtrParams</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
+  <span class="comment">// The algorithm to use with HMAC (eg: <a href="#sha-256">SHA-256</a></span>
+  AlgorithmIdentifier hashAlg;
+  <span class="comment">// A bit string that corresponds to the label that identifies the purpose for the derived keying material.</span>
+  ArrayBufferView label;
+  <span class="comment">// A bit string that corresponds to the context of the key derivation, as described in Section 5 of NIST SP 800-108 [<a href="#SP800-108">SP800-108</a>]</span>
+  ArrayBufferView context;
+};
+            </code></pre></div></div>
+            <div class="ednote"><div class="ednoteHeader">Editorial note</div>
+              <p>
+                The definition of HKDF allows the caller to supply an optional pseudorandom salt
+                value, which is used as the key during the extract phase. If this value is not
+                supplied, an all zero string is used instead. However, support for an explicit
+                salt value is not widely implemented in existing APIs, nor is it required by
+                existing usages of HKDF. Should this be an optional parameter, and if so, what
+                should the behaviour be of a user agent that does not support explicit salt
+                values (is it conforming or non-conforming?)
+              </p>
+            </div>
+          </div>
+          <div id="hkdf2-ctr-operations" class="section">
+            <h4>20.16.4. Operations</h4>
+            <ul>
+              <li>Derive Key</li>
+            </ul>
+          </div>
+        </div>
+
         <div id="pbkdf2" class="section">
-          <h3>20.16. PBKDF2</h3>
+          <h3>20.17. PBKDF2</h3>
           <div id="pbkdf2-description" class="section">
-            <h4>20.16.1. Description</h4>
+            <h4>20.17.1. Description</h4>
           </div>
           <div id="pbkdf2-registration" class="section">
-            <h4>20.16.2. Registration</h4>
+            <h4>20.17.2. Registration</h4>
             <p>
               The <a href="#recognized-algorithm-name">recognized algorithm name</a> for
               this algorithm is <code>"PBKDF2"</code>.
@@ -3513,7 +3582,7 @@
             </table>
           </div>
           <div id="pbkdf2-params" class="section">
-            <h4>20.16.3. Pbkdf2Params dictionary</h4>
+            <h4>20.17.3. Pbkdf2Params dictionary</h4>
             <div class="block"><div class="blockTitleDiv"><span class="blockTitle">IDL</span></div><div class="blockContent"><pre class="code"><code class="idl-code">
 dictionary <dfn id="dfn-Pbkdf2Params">Pbkdf2Params</dfn> : <a href="#dfn-AlgorithmParameters">AlgorithmParameters</a> {
   ArrayBufferView salt;
@@ -3532,7 +3601,7 @@
             </div>
           </div>
           <div id="pbkdf2-operations" class="section">
-            <h4>20.16.4. Operations</h4>
+            <h4>20.17.4. Operations</h4>
             <ul>
               <li>Derive Key</li>
             </ul>
@@ -3844,11 +3913,28 @@
               <cite><a href="http://tools.ietf.org/html/rfc5705">Keying Material Exporters for
               Transport Layer Security (TLS)</a></cite>, E. Rescorla. IETF.
             </dd>
+            <dt id="RFC5869">RFC 5869</dt>
+            <dd>
+              <cite><a href="https://tools.ietf.org/html/rfc5869">HMAC-based Extract-and-Expand
+              Key Derivation Function (HKDF)</a></cite>, H. Krawczyk, P. Eronen. IETF.
+            </dd>
             <dt id="SP800-56A">NIST SP 800-56A</dt>
             <dd>
               <cite><a href="http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf">
-              NIST SP 800-56A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete
-              Logarithm Cryptography (Revised)</a></cite>, March 2007, NIST.
+              NIST Special Publication 800-56A: Recommendation for Pair-Wise Key Establishment
+              Schemes Using Discrete Logarithm Cryptography (Revised)</a></cite>, March 2007, NIST.
+            </dd>
+            <dt id="SP800-56C">NIST SP 800-56C</dt>
+            <dd>
+              <cite><a href="http://csrc.nist.gov/publications/nistpubs/800-56C/SP-800-56C.pdf">
+              NIST Special Publication 800-56C: Recommendation for Key Derivation through
+              Extraction-then-Expansion</a></cite>, November 2011, NIST.
+            </dd>
+            <dt id="SP800-108">NIST SP 800-108</dt>
+            <dd>
+              <cite><a href="http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf">
+              NIST Special Publication 800-108: Recommendation for Key Derivation Using
+              Pseudorandom Functions (Revised)</a></cite>, October 2009, NIST.
             </dd>
             <dt id="StreamsAPI">StreamsAPI</dt>
             <dd>