draft-ietf-kitten-aes-cts-hmac-sha2-05.txt   draft-ietf-kitten-aes-cts-hmac-sha2-06.txt 
Network Working Group M. Jenkins Network Working Group M. Jenkins
Internet Draft National Security Agency Internet Draft National Security Agency
Intended Status: Informational M. Peck Intended Status: Informational M. Peck
Expires: March 25, 2015 The MITRE Corporation Expires: August 13, 2015 The MITRE Corporation
K. Burgin K. Burgin
September 21, 2014 February 9, 2015
AES Encryption with HMAC-SHA2 for Kerberos 5 AES Encryption with HMAC-SHA2 for Kerberos 5
draft-ietf-kitten-aes-cts-hmac-sha2-05 draft-ietf-kitten-aes-cts-hmac-sha2-06
Abstract Abstract
This document specifies two encryption types and two corresponding This document specifies two encryption types and two corresponding
checksum types for Kerberos 5. The new types use AES in CTS mode checksum types for Kerberos 5. The new types use AES in CTS mode
(CBC mode with ciphertext stealing) for confidentiality and HMAC with (CBC mode with ciphertext stealing) for confidentiality and HMAC with
a SHA-2 hash for integrity. a SHA-2 hash for integrity.
Status of this Memo Status of this Memo
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 22, 2015. This Internet-Draft will expire on August 13, 2015.
Copyright and License Notice Copyright and License Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 16 skipping to change at page 2, line 16
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3 2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3
3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3 3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3
4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4 4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4
5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5 5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5
6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 7 6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 8 8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 8
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 8.2. Algorithm Rationale . . . . . . . . . . . . . . . . . . . 9
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 9
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
10.1. Normative References . . . . . . . . . . . . . . . . . . 9 10.1. Normative References . . . . . . . . . . . . . . . . . . 9
10.2. Informative References . . . . . . . . . . . . . . . . . 9 10.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 9 Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
This document defines two encryption types and two corresponding This document defines two encryption types and two corresponding
checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys. checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys.
To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode
defined in [SP800-38A+], also referred to as ciphertext stealing or defined in [SP800-38A+], also referred to as ciphertext stealing or
CTS mode. The new types conform to the framework specified in CTS mode. The new types conform to the framework specified in
skipping to change at page 8, line 50 skipping to change at page 9, line 5
following issues with some implementations: following issues with some implementations:
* Cross-realm TGTs are typically managed by entering the same * Cross-realm TGTs are typically managed by entering the same
password at two KDCs to get the same keys. If each KDC uses a random password at two KDCs to get the same keys. If each KDC uses a random
salt, they won't have the same keys. salt, they won't have the same keys.
* Random salts may interfere with password history checking. * Random salts may interfere with password history checking.
* ktutil's add_entry command assumes the default salt. * ktutil's add_entry command assumes the default salt.
8.2. Algorithm Rationale
This document has been written to be consistent with common
implementations of AES and SHA-2. The encryption and hash algorithm
sizes have been chosen to create a consistent level of protection,
with consideration to implementation efficiencies. So, for instance,
SHA-384, which would normally be matched to AES-192, is instead
matched to AES-256 to leverage the fact that there are efficient
hardware implementations of AES-256. Note that, as indicated by the
enc-type name "aes256-cts-hmac-sha384-192", the use of SHA-384 and
AES-256 with a 192-bit key provides only a 192-bit level of security.
9. Acknowledgements 9. Acknowledgements
Kelley Burgin was employed at the National Security Agency during Kelley Burgin was employed at the National Security Agency during
much of the work on this document. much of the work on this document.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography
Specification Version 2.0", RFC 2898, September 2000. Specification Version 2.0", RFC 2898, September 2000.
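Review bot: The last sentence of the new Section 8.2 says "AES-256 with a 192-bit key", which is self-contradictory and conflicts with the Introduction's "AES with 128-bit or 256-bit keys": AES-256 takes a 256-bit key. State which parameter the "-192" suffix in "aes256-cts-hmac-sha384-192" denotes and attribute the 192-bit security level to that parameter, so implementers do not read this as a 192-bit AES key. The preceding sentence would also benefit from saying explicitly that pairing SHA-384 with AES-256 rather than AES-192 is an efficiency choice that does not raise the overall level above 192 bits, since it otherwise sits awkwardly next to the claim of "a consistent level of protection".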
 End of changes. 9 change blocks. 
7 lines changed or deleted 21 lines changed or added
