[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00 01 02 03 04 05 06 07 RFC 3962

Kerberos Working Group                                        K. Raeburn
Updates: Kerberos-revisions                                          MIT
Document: draft-raeburn-krb-rijndael-krb-00.txt        November 17, 2000

              Rijndael, Twofish, and Serpent Cryptosystems
                             for Kerberos 5

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [RFC2026]. Internet-Drafts
   are working documents of the Internet Engineering Task Force (IETF),
   its areas, and its working groups. Note that other groups may also
   distribute working documents as Internet-Drafts. Internet-Drafts are
   draft documents valid for a maximum of six months and may be updated,
   replaced, or obsoleted by other documents at any time. It is
   inappropriate to use Internet-Drafts as reference material or to cite
   them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

1. Abstract

   The AES competition in the US [AES] has prompted the submission and
   analysis of a number of new ciphers intended to be significantly
   stronger and faster than the old DES algorithm.  This document
   describes the addition of some of these algorithms to the Kerberos
   cryptosystem suite.

   Comments should be sent to the author, or to the IETF Kerberos
   working group (ietf-krb-wg@anl.gov).

2. Conventions Used in this Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in RFC 2119.

3. New Encryption and Checksum Types

   This document defines encryption key and checksum types for Kerberos
   5 to be used with the Rijndael (chosen by NIST as the AES cipher),
   Twofish and Serpent encryption algorithms.  The other AES finalists

Raeburn                                                         [Page 1]

INTERNET DRAFT                                             November 2000

   appear more problematic from an intellectual property perspective
   (involving licenses or patents), and so are not being addressed by
   the author.

   Each of these algorithms, as required by the AES specifications,
   supports 128-bit block encryption.  Longer block sizes are also
   supported by some of these algorithms, but will not be used in

   Each of these algorithms permits 128-, 192- and 256-bit keys.  Their
   use in Kerberos will permit all of these key sizes.

   The Twofish specification also describes a means for handling other
   key sizes in between.  Keys of these other sizes are effectively
   converted into 192- or 256-bit keys.  In order to avoid having
   multiple representations of a single key causing potential confusion,
   and to simplify the key derivation specification, Twofish keys in
   Kerberos will always be 128, 192, or 256 bits long.

   The EncryptedData objects are generated as described in [Kerb] for
   des3-cbc-hmac-sha1, using one of the above encryption algorithms in
   CBC mode, and a checksum algorithm of HMAC-SHA256.  Unless otherwise
   specified, a zero initial vector must be used for CBC mode.

   (Q: Will NIST's new modes of operation include anything we might
   prefer over CBC-encrypt plus checksum?  Should we go ahead with this

   These new cryptosystems will use key derivation as described in
   [Kerb], with derived keys having the same length as the original
   keys.  The new keys will be the byte sequences generated from the key
   derivation algorithm; no adjustments (such as creating parity bits
   for triple-DES) are needed.  Thus the number of bits required as
   output are the same as the key size.

   (Open question: Should we drop key derivation?  The author is
   somewhat but not overwhelmingly or, he likes to think, blindly in
   favor of keeping it.  Should we revive the argument the author
   completely missed when it came up in regard to triple-DES?  Perhaps

   The confounder is one block, prepended to the data.  The input data
   is padded with zero to fifteen trailing zero-valued octets to make it
   a multiple of the block size.

   Since the Kerberos protocol always passes around the key type and
   length as part of the EncryptionKey data, we can take advantage of
   this when defining checksum types, such that a checksum algorithm can

Raeburn                                                         [Page 2]

INTERNET DRAFT                                             November 2000

   accept any length of key, and in the case of key derivation, use the
   encryption algorithm specified by the key type when deriving a new
   key.  Thus we define only one new value for the sumtype field, for an
   HMAC using the SHA-256 algorithm.

   assigned numbers (Cliff?):

   |                         encryption types                           |
   |         type name               etype value          key sizes     |
   |   rijndael-hmac-sha256-kd           TBD            128, 192, 256   |
   |   twofish-hmac-sha256-kd            TBD            128, 192, 256   |
   |   serpent-hmac-sha256-kd            TBD            128, 192, 256   |

   The alias "aes-hmac-sha256-kd" may be used for whichever of the above
   types uses the algorithm chosen as the AES, if any.  Currently,
   Rijndael has been chosen, and the final AES will probably be Rijndael
   in its current form, but the AES FIPS is not completed.  We recommend
   not using this alias until the final AES FIPS is published.  (Q: Or,
   is it definite that there will be no changes?)

   |                          checksum types                            |
   |     type name             sumtype value          checksum length   |
   |   hmac-sha256-kd               TBD                     256         |

   (Q: Better to just define hmac-sha256, and say that it uses key
   derivation when the specified key type demands it?)

   The checksum type hmac-sha256-kd will be used with the encryption
   types defined above.

   (Similarly, the hmac-sha1-des3 and hmac-sha1-des3-kd checksum types
   in [Kerb] could be extended to be generic hmac-sha1 and hmac-sha1-kd
   checksums, making use of as much key data as is supplied, and the
   specified encryption algorithm.  Since this document isn't making use
   of SHA-1, such changes are outside its scope.)

4. Key Generation From Pass Phrases

   As the des3-cbc-hmac-sha1-kd encryption type is specified in [Kerb],

Raeburn                                                         [Page 3]

INTERNET DRAFT                                             November 2000

   the recommended algorithm for generating a key from a pass phrase
   (primarily for users' long-term keys, as is assumed in the
   descriptive text here, but also occasionally for other purposes)
   involves n-folding the pass phrase to produce an intermediate
   encryption key, which is fed into the key derivation algorithm with a
   well-known constant to produce the final key of the user.  While the
   n-fold function does cause the bits of the input string to contribute
   equally to the output ([n-fold]), there are cases in which it does a
   poor job of entropy preservation, and indeed entropy preservation was
   never described as a property of the algorithm in the original paper.

   Thus for these algorithms we use the new NIST hash function SHA-256
   in generating the intermediate key.  The catenation of salt and UTF-8
   pass phrase is passed to the SHA-256 function.  The two halves of the
   hash function output are XORed together to get a 128-bit intermediate
   key.  This key is passed into the key derivation algorithm with the
   constant string "kerberos" as in [Kerb].  The resulting 128-bit key
   is the user's long-term key.

   Since in general memorable pass phrases will give nowhere near one
   block's worth of entropy, the author sees no need to make this
   algorithm capable of generating longer keys at this time.

   Sample test vectors are given in the appendix.

   (Q: Any weak keys?)

5. Recommendations

   Rijndael, as the proposed AES cipher, is strongly RECOMMENDED.

   Twofish and Serpent, described in the AES report as weaker that
   Rijndael in terms of performance or implementability in certain
   environments but stronger in terms of resistance to certain types of
   possible attacks, are OPTIONAL.

6. Implementation notes

   Preauthentication algorithms involving smart cards or other hardware
   may provide additional unpredictability that may be used to generate
   longer keys, or simply be factored into a stronger new 128-bit key.
   Such schemes are outside the scope of this document, but implementors
   should recognize that using longer keys with these algorithms for
   AS_REP messages and preauth data may be plausible.

7. Security Considerations

   These new algorithms have not been around long enough to receive the

Raeburn                                                         [Page 4]

INTERNET DRAFT                                             November 2000

   decades of intense analysis that DES has received.  It is possible
   that some weakness exists that has not been found by the
   cryptosystems' authors or other cryptographers analyzing these
   algorithms before and during the AES competition.  The AES report
   does indicate that arguments were put forth relating to this in favor
   of deploying multiple algorithms in case one is found to be
   significantly weaker than previously believed.

   The 256-bit SHA algorithm is a work in progress by the US National
   Institute of Standards and Technology.  To the best of the author's
   knowledge, the review process has not been completed.  The use of
   this algorithm in this document is with the assumption that the
   standardization process will go smoothly.

   The author is not a cryptographer.

8. References

   [AES] Nechvatal, J., Barker, E., Bassham, L., Burr, W., Dworkin, M.,
   Foti, J., Roback, E., "Report on the Development of the Advanced
   Encryption Standard (AES)", National Institute of Standards and
   Technology, October 2, 2000.

   [Kerb] Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network
   Authentication Service (V5)", draft-ietf-cat-kerberos-
   revisions-06.txt, July 14, 2000.  Work in progress.

   [Rijn] Daemen, J., Rijmen, V., "AES Proposal: Rijndael", September 3,
   1999. *

   [Twof] Schneier, B., Kelsey, J., Whiting, D., Wagner, D., Hall, C.,
   Ferguson, N., "The Twofish Encrytion Algorithm: A 128-Bit Block
   Cipher", Wiley Computer Publishing, 1999.

   [Serp] Anderson, R., Biham, E., Knudsen, L., "Serpent: A Proposal for
   the Advanced Encryption Standard", June 1998. *

   [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
   3", RFC 2026, October, 1996.

   [SHA256] NIST doc ... *

   [n-fold] Blumenthal & Bellovin ...

   * Need more substantial references (RFCs or published papers) if
   possible; web-accessible copy may not be a permanent reference.

9. Author's Address

Raeburn                                                         [Page 5]

INTERNET DRAFT                                             November 2000

   Kenneth Raeburn
   Massachusetts Institute of Technology
   77 Massachusetts Avenue
   Cambridge, MA 02139

10. Full Copyright Statement

   Copyright (C) The Internet Society (2000).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an

A. Sample test vectors

   Some sample test vectors for the string-to-key algorithm:

   (values to be filled in later)

   Salt: none
   Pass phrase: "test"
     74 65 73 74
   SHA-256 folded to intermediate key:
     xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
   Rijndael key:
     xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx

Raeburn                                                         [Page 6]

INTERNET DRAFT                                             November 2000

   Twofish key:
     xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
   Serpent key:
     xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx

   Salt: "ATHENA.MIT.EDUraeburn"
   Pass phrase: "password"
   SHA-256 folded to intermediate key:
     xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
   Rijndael key:
     xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
   Twofish key:
     xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
   Serpent key:
     xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx

   Salt: none
   Pass phrase: something with a variety of non-ASCII characters
   SHA-256 folded to intermediate key:
     xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
   Rijndael key:
     xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
   Twofish key:
     xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
   Serpent key:
     xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx

Raeburn                                                         [Page 7]

Html markup produced by rfcmarkup 1.107, available from http://tools.ietf.org/tools/rfcmarkup/