draft-ietf-kitten-aes-cts-hmac-sha2-02.txt   draft-ietf-kitten-aes-cts-hmac-sha2-03.txt 
Network Working Group M. Jenkins Network Working Group M. Jenkins
Internet Draft National Security Agency Internet Draft National Security Agency
Intended Status: Informational M. Peck Intended Status: Informational M. Peck
Expires: November 7, 2014 The MITRE Corporation Expires: January 3, 2015 The MITRE Corporation
K. Burgin K. Burgin
May 6, 2014 July 2, 2014
AES Encryption with HMAC-SHA2 for Kerberos 5 AES Encryption with HMAC-SHA2 for Kerberos 5
draft-ietf-kitten-aes-cts-hmac-sha2-02 draft-ietf-kitten-aes-cts-hmac-sha2-03
Abstract Abstract
This document specifies two encryption types and two corresponding This document specifies two encryption types and two corresponding
checksum types for Kerberos 5. The new types use AES in CTS mode checksum types for Kerberos 5. The new types use AES in CTS mode
(CBC mode with ciphertext stealing) for confidentiality and HMAC with (CBC mode with ciphertext stealing) for confidentiality and HMAC with
a SHA-2 hash for integrity. a SHA-2 hash for integrity.
Status of this Memo Status of this Memo
skipping to change at page 2, line 15 skipping to change at page 2, line 15
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3 2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3
3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3 3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3
4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4 4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4
5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5 5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5
6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 6 6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 6
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7
8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 7 8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 8
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
10.1. Normative References . . . . . . . . . . . . . . . . . . 8 10.1. Normative References . . . . . . . . . . . . . . . . . . 8
10.2. Informative References . . . . . . . . . . . . . . . . . 8 10.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 9 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
This document defines two encryption types and two corresponding This document defines two encryption types and two corresponding
checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys. checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys.
To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode
defined in [SP800-38A+], also referred to as ciphertext stealing or defined in [SP800-38A+], also referred to as ciphertext stealing or
skipping to change at page 4, line 18 skipping to change at page 4, line 18
When the encryption type is aes128-cts-hmac-sha256-128, the output When the encryption type is aes128-cts-hmac-sha256-128, the output
key length k is 128 bits for all applications of KDF-HMAC-SHA2(key, key length k is 128 bits for all applications of KDF-HMAC-SHA2(key,
constant) which is computed as follows: constant) which is computed as follows:
K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 00 | 00 00 00 80) K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 00 | 00 00 00 80)
KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))
When the encryption type is aes256-cts-hmac-sha384-192, the output When the encryption type is aes256-cts-hmac-sha384-192, the output
key length k is 256 bits when deriving the base-key (from a key length k is 256 bits when deriving the base-key (from a
passphrase as described in Section 4) and Ke, and the output key passphrase as described in Section 4), Ke, and Kp. The output key
length k is 192 bits when deriving Kc and Ki. KDF-HMAC-SHA2(key, length k is 192 bits when deriving Kc and Ki. KDF-HMAC-SHA2(key,
constant) is computed as follows: constant) is computed as follows:
If deriving Kc or Ki (the constant ends with 0x99 or 0x55): If deriving Kc or Ki (the constant ends with 0x99 or 0x55):
k = 192 k = 192
K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 00 C0) K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 00 C0)
KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))
If deriving the base-key (the constant is "kerberos", the byte If deriving the base-key (the constant is "kerberos", the byte
string 0x6B65726265726F73) or Ke (the constant ends with 0xAA): string 0x6B65726265726F73), Ke (the constant ends with 0xAA),
or Kp (the constant is "prf", the byte string 0x707266):
k = 256 k = 256
K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 01 00) K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 01 00)
KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1))
4. Key Generation from Pass Phrases 4. Key Generation from Pass Phrases
PBKDF2 [RFC2898] is used to derive the base-key from a passphrase PBKDF2 [RFC2898] is used to derive the base-key from a passphrase
and salt. and salt.
If no string-to-key parameters are specified, the default number of If no string-to-key parameters are specified, the default number of
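Review bot: the aes256 branch selects the output length k by pattern-matching the trailing byte of the constant (`If deriving Kc or Ki (the constant ends with 0x99 or 0x55):` gives 192, "kerberos", 0xAA and the new "prf" give 256), while the aes128 branch just fixes k at 128 for every application; stating k explicitly beside each derived key (base-key, Kc, Ke, Ki, Kp) would be clearer than a rule on the constant and avoids any doubt should another constant be added later. Note also that the fixed counter `00 00 00 01` is sufficient only because k never exceeds the HMAC output (128 <= 256 for HMAC-SHA-256; 192 and 256 <= 384 for HMAC-SHA-384), so a single HMAC call always covers k-truncate; the text should say so, since implementers familiar with SP 800-108 counter mode may otherwise expect to iterate. The newly added `or Kp (the constant is "prf", the byte string 0x707266):` line should cross-reference the pseudo-random function in Section 5, the only consumer of Kp.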
skipping to change at page 6, line 6 skipping to change at page 6, line 6
random-to-key function: identity function. random-to-key function: identity function.
key-derivation function: KDF-HMAC-SHA2 as defined in Section 3. The key-derivation function: KDF-HMAC-SHA2 as defined in Section 3. The
key usage number is expressed as four octets in big-endian order. key usage number is expressed as four octets in big-endian order.
Kc = KDF-HMAC-SHA2(base-key, usage | 0x99) Kc = KDF-HMAC-SHA2(base-key, usage | 0x99)
Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA) Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA)
Ki = KDF-HMAC-SHA2(base-key, usage | 0x55) Ki = KDF-HMAC-SHA2(base-key, usage | 0x55)
cipherstate: a 128-bit CBC initialization vector. cipherstate: a 128-bit CBC initialization vector derived from
the ciphertext.
initial cipherstate: all bits zero. initial cipherstate: all bits zero.
encryption function: as follows, where E() is AES encryption in encryption function: as follows, where E() is AES encryption in
CBC-CS3 mode, h is the size of truncated HMAC, and c is the AES CBC-CS3 mode, and h is the size of truncated HMAC.
block size.
N = random nonce of length c (128 bits) N = random nonce of length 128 bits (the AES block size)
IV = cipherstate IV = cipherstate
C = E(Ke, N | plaintext, IV) C = E(Ke, N | plaintext, IV)
H = HMAC(Ki, IV | C) H = HMAC(Ki, IV | C)
ciphertext = C | H[1..h] ciphertext = C | H[1..h]
cipherstate = next-to-last 128-bit block of C cipherstate = the last full (128 bit) block of C
Note: if C is only a single block, then cipherstate = C (i.e. the next-to-last block if the last block
is not a full 128 bits)
decryption function: as follows, where D() is AES encryption in decryption function: as follows, where D() is AES decryption in
CBC-CS3 mode, and h is the size of truncated HMAC. CBC-CS3 mode, and h is the size of truncated HMAC.
(C, H) = ciphertext (C, H) = ciphertext
IV = cipherstate IV = cipherstate
if H != HMAC(Ki, IV | C)[1..h] if H != HMAC(Ki, IV | C)[1..h]
stop, report error stop, report error
(N, P) = D(Ke, C, IV) (N, P) = D(Ke, C, IV)
Note: N is set to the first block of the decryption output, Note: N is set to the first block of the decryption output,
P is set to the rest of the output. P is set to the rest of the output.
cipherstate = next-to-last 128-bit block of C cipherstate = the last full (128 bit) block of C
Note: if C is only a single block, then cipherstate = C (i.e. the next-to-last block if the last block
is not a full 128 bits)
pseudo-random function: pseudo-random function:
Kp = KDF-HMAC-SHA2(protocol-key, "prf") If the enctype is aes128-cts-hmac-sha256-128:
PRF = HMAC(Kp, octet-string) k = 128
6. Checksum Parameters If the enctype is aes256-cts-hmac-sha384-192:
k = 256
Kp = KDF-HMAC-SHA2(base-key, "prf")
PRF = k-truncate(HMAC-SHA2(Kp, octet-string))
where SHA2 is SHA-256 if the enctype is
aes128-cts-hmac-sha256-128,
and is SHA-384 if the enctype is aes256-cts-hmac-sha384-192.
6. Checksum Parameters
The following parameters apply to the checksum types hmac-sha256-128- The following parameters apply to the checksum types hmac-sha256-128-
aes128 and hmac-sha384-192-aes256, which are the associated checksums aes128 and hmac-sha384-192-aes256, which are the associated checksums
for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192, for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192,
respectively. respectively.
associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate. associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate.
get_mic: HMAC(Kc, message)[1..h]. get_mic: HMAC(Kc, message)[1..h].
verify_mic: get_mic and compare. verify_mic: get_mic and compare.
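Review bot: the new cipherstate rule `cipherstate = the last full (128 bit) block of C` is ambiguous once the CBC-CS3 block swap is taken into account: CS3 always exchanges the final two blocks, so when the length of C is a multiple of 128 bits the last full block of C is the second-to-last CBC output rather than the final chaining value, whereas for a partial last block the next-to-last block of C is the true final CBC output. Spell out the three cases explicitly (C is a single block; length mod 128 != 0; length mod 128 == 0). This is also an interoperability-affecting change from -02: the old `cipherstate = next-to-last 128-bit block of C` and the new rule agree for single-block and partial-last-block ciphertexts but pick different blocks when C is an exact multiple of 128 bits, so it deserves a changelog entry. The decryption hunk correctly fixes `D()` from "AES encryption" to "AES decryption" and keeps the tag check before `(N, P) = D(Ke, C, IV)`, which is the right order; the comparison `if H != HMAC(Ki, IV | C)[1..h]` should additionally be required to run in constant time. The PRF hunk now derives Kp from base-key instead of protocol-key and truncates to k bits; this matches the k values the KDF section assigns to Kp (128 for aes128, 256 for aes256), so the two sections are consistent, but the switch from protocol-key to base-key should be called out as a wire-visible change for anyone who implemented -02.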
skipping to change at page 7, line 48 skipping to change at page 8, line 10
NIST guidance in section 5.3 of [SP800-38A] requires CBC NIST guidance in section 5.3 of [SP800-38A] requires CBC
initialization vectors be unpredictable. This specification does not initialization vectors be unpredictable. This specification does not
formally comply with that guidance. However, the use of a confounder formally comply with that guidance. However, the use of a confounder
as the first block of plaintext fills the cryptographic role as the first block of plaintext fills the cryptographic role
typically played by an initialization vector. This approach was typically played by an initialization vector. This approach was
chosen to align with other Kerberos cryptosystem approaches. chosen to align with other Kerberos cryptosystem approaches.
8.1. Random Values in Salt Strings 8.1. Random Values in Salt Strings
NIST guidance in Section 5.1 of [SP800-132] requires the salt used as NIST guidance in Section 5.1 of [SP800-132] requires that a portion
input to the PBKDF to contain at least 128 bits of random. Some of the salt of at least 128 bits shall be randomly generated. Some
known issues with including random values in Kerberos encryption type known issues with including random values in Kerberos encryption type
salt strings are: salt strings are:
* Cross-realm TGTs are currently managed by entering the same
password at two KDCs to get the same keys. If each KDC uses a
random salt, they won't have the same keys.
* The string-to-key function as defined in [RFC3961] requires the * The string-to-key function as defined in [RFC3961] requires the
salt to be valid UTF-8 strings. Not every 128-bit random string salt to be valid UTF-8 strings. Not every 128-bit random string
will be valid UTF-8. will be valid UTF-8.
* Current implementations of password history checking will not Further, using a salt containing a random portion may have the
work. following issues with some implementations:
* Cross-realm TGTs are typically managed by entering the same
password at two KDCs to get the same keys. If each KDC uses a random
salt, they won't have the same keys.
* Random salts may interfere with password history checking.
* ktutil's add_entry command assumes the default salt. * ktutil's add_entry command assumes the default salt.
9. Acknowledgements 9. Acknowledgements
Kelley Burgin was employed at the National Security Agency during Kelley Burgin was employed at the National Security Agency during
much of the work on this document. much of the work on this document.
10. References 10. References
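Review bot: splitting the salt discussion into the spec-level UTF-8 constraint and the implementation issues introduced by `Further, using a salt containing a random portion may have the` reads well, but the UTF-8 bullet leaves an obvious remedy unstated: encoding the 128 random bits as hex or base64 text before appending them to the salt string satisfies the [RFC3961] UTF-8 requirement without losing entropy, and the draft should either recommend that or explain why it does not. The preceding paragraph's admission that the specification `does not formally comply with that guidance` on unpredictable IVs would be easier to assess if it cross-referenced the Section 5 cipherstate rule, since after the first message the IV is derived from prior ciphertext and only the initial all-zero IV relies entirely on the confounder.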
skipping to change at page 10, line 27 skipping to change at page 10, line 39
EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
BA 41 F2 8F AF 69 E7 3D BA 41 F2 8F AF 69 E7 3D
Ke value for key usage 2 (constant = 0x00000002AA): Ke value for key usage 2 (constant = 0x00000002AA):
56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
Ki value for key usage 2 (constant = 0x0000000255): Ki value for key usage 2 (constant = 0x0000000255):
69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
22 C4 D0 0F FC 23 ED 1F 22 C4 D0 0F FC 23 ED 1F
Sample encryptions (all using the default cipher state): Sample encryptions (all using the default cipher state):
---------------------------------------------------- --------------------------------------------------------
The following test vectors are for The following test vectors are for
enctype aes128-cts-hmac-sha256-128: enctype aes128-cts-hmac-sha256-128:
Plaintext: (empty) Plaintext: (empty)
Confounder: Confounder:
7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48
128-bit AES key: 128-bit AES key:
9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
128-bit HMAC key: 128-bit HMAC key:
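Review bot: only the separator line changed in this region, but because Section 5's cipherstate rule changed between -02 and -03, the appendix should gain a chained-encryption vector (two successive encryptions carrying cipherstate forward, one with a ciphertext that is an exact multiple of 128 bits); vectors that are `all using the default cipher state` cannot distinguish the old next-to-last-block rule from the new last-full-block rule, so an implementation of either would pass them.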
 End of changes. 20 change blocks. 
29 lines changed or deleted 43 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/