draft-ietf-kitten-aes-cts-hmac-sha2-04.txt   draft-ietf-kitten-aes-cts-hmac-sha2-05.txt 
Network Working Group M. Jenkins Network Working Group M. Jenkins
Internet Draft National Security Agency Internet Draft National Security Agency
Intended Status: Informational M. Peck Intended Status: Informational M. Peck
Expires: January 22, 2015 The MITRE Corporation Expires: March 25, 2015 The MITRE Corporation
K. Burgin K. Burgin
July 21, 2014 September 21, 2014
AES Encryption with HMAC-SHA2 for Kerberos 5 AES Encryption with HMAC-SHA2 for Kerberos 5
draft-ietf-kitten-aes-cts-hmac-sha2-04 draft-ietf-kitten-aes-cts-hmac-sha2-05
Abstract Abstract
This document specifies two encryption types and two corresponding This document specifies two encryption types and two corresponding
checksum types for Kerberos 5. The new types use AES in CTS mode checksum types for Kerberos 5. The new types use AES in CTS mode
(CBC mode with ciphertext stealing) for confidentiality and HMAC with (CBC mode with ciphertext stealing) for confidentiality and HMAC with
a SHA-2 hash for integrity. a SHA-2 hash for integrity.
Status of this Memo Status of this Memo
skipping to change at page 2, line 12 skipping to change at page 2, line 12
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3 2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3
3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3 3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3
4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4 4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4
5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5 5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5
6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 6 6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 8 8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 8
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
10.1. Normative References . . . . . . . . . . . . . . . . . . 8 10.1. Normative References . . . . . . . . . . . . . . . . . . 9
10.2. Informative References . . . . . . . . . . . . . . . . . 9 10.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 9 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 9
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
This document defines two encryption types and two corresponding This document defines two encryption types and two corresponding
checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys. checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys.
To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode
skipping to change at page 3, line 46 skipping to change at page 3, line 46
2. Protocol Key Representation 2. Protocol Key Representation
The AES key space is dense, so we can use random or pseudorandom The AES key space is dense, so we can use random or pseudorandom
octet strings directly as keys. The byte representation for the key octet strings directly as keys. The byte representation for the key
is described in [FIPS197], where the first bit of the bit string is is described in [FIPS197], where the first bit of the bit string is
the high bit of the first byte of the byte string (octet string). the high bit of the first byte of the byte string (octet string).
3. Key Derivation Function 3. Key Derivation Function
We use a key derivation function from Section 5.1 of [SP800-108] We use a key derivation function from Section 5.1 of [SP800-108]
which uses the HMAC algorithm as the PRF. The counter i is expressed which uses the HMAC algorithm as the PRF. All octets are expressed
as four octets in big-endian order. The length of the output key in in big-endian order. The counter i is expressed as four octets and
bits (denoted as k) is also represented as four octets in big-endian in this document is always 0x00000001 since there is only a single
order. The "Label" input to the KDF is the usage constant supplied iteration of the PRF. The "Label" input to the NIST KDF is the
to the key derivation function, and the "Context" input is null. constant supplied to this key derivation function. When deriving Kc,
Each application of the KDF only requires a single iteration of the Ki, or Ke, the constant is the four octet key usage concatenated with
PRF, so n = 1 in the notation of [SP800-108]. 0x99, 0x55, or 0xAA respectively. When deriving the base-key, the
constant is the ASCII string "kerberos", also known as the byte
string 0x6B65726265726F73. When deriving Kp, the constant is the
ASCII string "prf", also known as the byte string 0x707266. The
"Context" input is omitted. The length of the output key in bits
(denoted as k) is also represented as four octets in big-endian
order. Each application of the KDF only requires a single iteration
of the PRF, so n = 1 in the notation of [SP800-108]. The purposes of
the Kc, Ki, Ke, base-key, and Kp keys are described in Section 5.
In the following summary, | indicates concatenation. The random-to- In the following summary, | indicates concatenation. The random-to-
key function is the identity function. The k-truncate function is key function is the identity function. The k-truncate function is
defined in [RFC3961], Section 5.1. defined in [RFC3961], Section 5.1.
When the encryption type is aes128-cts-hmac-sha256-128, the output When the encryption type is aes128-cts-hmac-sha256-128, the output
key length k is 128 bits for all applications of KDF-HMAC-SHA2(key, key length k is 128 bits for all applications of KDF-HMAC-SHA2(key,
constant) which is computed as follows: constant) which is computed as follows:
K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 00 | 00 00 00 80) K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 00 | 00 00 00 80)
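Review bot: In the revised Section 3 paragraph, "All octets are expressed in big-endian order" is imprecise, because byte order applies to multi-octet integers, not to individual octets. Suggest "All multi-octet integer values are encoded in big-endian order", and say explicitly that this covers the counter i, the length k, and the four octet key usage that precedes 0x99, 0x55, or 0xAA. The new text also states the single PRF iteration twice, once with the fixed counter 0x00000001 and again with "n = 1 in the notation of [SP800-108]"; one of the two sentences can be dropped. Finally, the change from "Context" being null to "omitted" should be reconciled with the K1 line, which still carries the 00 octet between the constant and 00 00 00 80, so that implementers know the separator octet stays even though no Context follows it.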
skipping to change at page 5, line 38 skipping to change at page 5, line 47
16 octets of the decryption output (the confounder) is discarded, and 16 octets of the decryption output (the confounder) is discarded, and
the remainder is returned as the plaintext decryption output. the remainder is returned as the plaintext decryption output.
The following parameters apply to the encryption types aes128-cts- The following parameters apply to the encryption types aes128-cts-
hmac-sha256-128 and aes256-cts-hmac-sha384-192. hmac-sha256-128 and aes256-cts-hmac-sha384-192.
protocol key format: as defined in Section 2. protocol key format: as defined in Section 2.
specific key structure: three protocol-format keys: { Kc, Ke, Ki }. specific key structure: three protocol-format keys: { Kc, Ke, Ki }.
Kc: the checksum key, inputted into HMAC to provide the checksum
mechanism defined in Section 6.
Ke: the encryption key, inputted into AES encryption and decryption
as defined in "encryption function" and "decryption function" below.
Ki: the integrity key, inputted into HMAC to provide authenticated
encryption as defined in "encryption function" and "decryption
function" below.
required checksum mechanism: as defined in Section 6. required checksum mechanism: as defined in Section 6.
key-generation seed length: key size (128 or 256 bits). key-generation seed length: key size (128 or 256 bits).
string-to-key function: as defined in Section 4. string-to-key function: as defined in Section 4.
default string-to-key parameters: 00 00 80 00. default string-to-key parameters: 00 00 80 00.
random-to-key function: identity function. random-to-key function: identity function.
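Review bot: The added Kc, Ke, and Ki definitions list the keys in the order { Kc, Ke, Ki }, while the revised Section 3 lists them as "Kc, Ki, or Ke" with the constants 0x99, 0x55, or 0xAA "respectively". Using one order in both places would remove the risk of an implementer pairing Ke with 0x55 and Ki with 0xAA. The Ki entry says it is used "to provide authenticated encryption", but by these same definitions Ke keys AES and Ki keys HMAC, so wording such as "to provide integrity protection of the encrypted data" is more precise, and "inputted into" would read better as "used as the key for". Section 3 now says the purposes of base-key and Kp are also described in Section 5, yet the lines shown here add only Kc, Ke, and Ki; confirm that base-key and Kp are covered elsewhere in the section or adjust that sentence.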
 End of changes. 8 change blocks. 
14 lines changed or deleted 32 lines changed or added
