This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
HKDF-CTR references RFC5869, NIST SP800-56C and NIST SP800-108. These references specify different algorithms. RFC5869 calculates output keying material as the concatenation of T(i) i=1, ..., N where T(i) = HMAC-Hash(PRK, T(i-1) | info | [i] ) where PRK is a key derived from the base key through an extraction step and [i] is a single octet representation of i. By contrast, SP800-108 calculates the output keying material as the concatenation of K(i) i=1,...,N where K(i) := PRF(KI, [i] || Label || 0x00 || Context || [L] ) where KI is the key derivation key and [L] is the binary representation of the number of output bits. Which reference should we use, or should we support both as separate algorithms ?
Aligning with SP 100-108 as per mailing list discussion https://dvcs.w3.org/hg/webcrypto-api/rev/8f4969dfc115