draft-ietf-kitten-aes-cts-hmac-sha2-02.txt | draft-ietf-kitten-aes-cts-hmac-sha2-03.txt | |||
---|---|---|---|---|

Network Working Group M. Jenkins | Network Working Group M. Jenkins | |||

Internet Draft National Security Agency | Internet Draft National Security Agency | |||

Intended Status: Informational M. Peck | Intended Status: Informational M. Peck | |||

Expires: November 7, 2014 The MITRE Corporation | Expires: January 3, 2015 The MITRE Corporation | |||

K. Burgin | K. Burgin | |||

May 6, 2014 | July 2, 2014 | |||

AES Encryption with HMAC-SHA2 for Kerberos 5 | AES Encryption with HMAC-SHA2 for Kerberos 5 | |||

draft-ietf-kitten-aes-cts-hmac-sha2-02 | draft-ietf-kitten-aes-cts-hmac-sha2-03 | |||

Abstract | Abstract | |||

This document specifies two encryption types and two corresponding | This document specifies two encryption types and two corresponding | |||

checksum types for Kerberos 5. The new types use AES in CTS mode | checksum types for Kerberos 5. The new types use AES in CTS mode | |||

(CBC mode with ciphertext stealing) for confidentiality and HMAC with | (CBC mode with ciphertext stealing) for confidentiality and HMAC with | |||

a SHA-2 hash for integrity. | a SHA-2 hash for integrity. | |||

Status of this Memo | Status of this Memo | |||

skipping to change at page 2, line 15 | skipping to change at page 2, line 15 | |||

Table of Contents | Table of Contents | |||

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||

2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3 | 2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3 | |||

3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3 | 3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3 | |||

4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4 | 4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4 | |||

5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5 | 5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5 | |||

6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 6 | 6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 6 | |||

7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 | |||

8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | |||

8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 7 | 8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 8 | |||

9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 | |||

10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||

10.1. Normative References . . . . . . . . . . . . . . . . . . 8 | 10.1. Normative References . . . . . . . . . . . . . . . . . . 8 | |||

10.2. Informative References . . . . . . . . . . . . . . . . . 8 | 10.2. Informative References . . . . . . . . . . . . . . . . . 9 | |||

Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 9 | Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 9 | |||

Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||

1. Introduction | 1. Introduction | |||

This document defines two encryption types and two corresponding | This document defines two encryption types and two corresponding | |||

checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys. | checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys. | |||

To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode | To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode | |||

defined in [SP800-38A+], also referred to as ciphertext stealing or | defined in [SP800-38A+], also referred to as ciphertext stealing or | |||

skipping to change at page 4, line 18 | skipping to change at page 4, line 18 | |||

When the encryption type is aes128-cts-hmac-sha256-128, the output | When the encryption type is aes128-cts-hmac-sha256-128, the output | |||

key length k is 128 bits for all applications of KDF-HMAC-SHA2(key, | key length k is 128 bits for all applications of KDF-HMAC-SHA2(key, | |||

constant) which is computed as follows: | constant) which is computed as follows: | |||

K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 00 | 00 00 00 80) | K1 = HMAC-SHA-256(key, 00 00 00 01 | constant | 00 | 00 00 00 80) | |||

KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | |||

When the encryption type is aes256-cts-hmac-sha384-192, the output | When the encryption type is aes256-cts-hmac-sha384-192, the output | |||

key length k is 256 bits when deriving the base-key (from a | key length k is 256 bits when deriving the base-key (from a | |||

passphrase as described in Section 4) and Ke, and the output key | passphrase as described in Section 4), Ke, and Kp. The output key | |||

length k is 192 bits when deriving Kc and Ki. KDF-HMAC-SHA2(key, | length k is 192 bits when deriving Kc and Ki. KDF-HMAC-SHA2(key, | |||

constant) is computed as follows: | constant) is computed as follows: | |||

If deriving Kc or Ki (the constant ends with 0x99 or 0x55): | If deriving Kc or Ki (the constant ends with 0x99 or 0x55): | |||

k = 192 | k = 192 | |||

K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 00 C0) | K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 00 C0) | |||

KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | |||

If deriving the base-key (the constant is "kerberos", the byte | If deriving the base-key (the constant is "kerberos", the byte | |||

string 0x6B65726265726F73) or Ke (the constant ends with 0xAA): | string 0x6B65726265726F73), Ke (the constant ends with 0xAA), | |||

or Kp (the constant is "prf", the byte string 0x707266): | ||||

k = 256 | k = 256 | |||

K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 01 00) | K1 = HMAC-SHA-384(key, 00 00 00 01 | constant | 00 | 00 00 01 00) | |||

KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | KDF-HMAC-SHA2(key, constant) = random-to-key(k-truncate(K1)) | |||

4. Key Generation from Pass Phrases | 4. Key Generation from Pass Phrases | |||

PBKDF2 [RFC2898] is used to derive the base-key from a passphrase | PBKDF2 [RFC2898] is used to derive the base-key from a passphrase | |||

and salt. | and salt. | |||

If no string-to-key parameters are specified, the default number of | If no string-to-key parameters are specified, the default number of | |||
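
Review bot: In the aes256-cts-hmac-sha384-192 part of Section 3, the output length k is selected by enumerating constants (trailing 0x99 or 0x55 for k = 192; "kerberos", trailing 0xAA, or "prf" for k = 256), and this revision had to extend that list just to cover Kp. A constant outside both lists has no defined k. Consider making k an explicit input, for example KDF-HMAC-SHA2(key, constant, k), and stating that the trailing four octets (00 00 00 80, 00 00 00 C0, 00 00 01 00 in the formulas shown) are k in bits, so that a future derivation does not require editing the case analysis.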

skipping to change at page 6, line 6 | skipping to change at page 6, line 6 | |||

random-to-key function: identity function. | random-to-key function: identity function. | |||

key-derivation function: KDF-HMAC-SHA2 as defined in Section 3. The | key-derivation function: KDF-HMAC-SHA2 as defined in Section 3. The | |||

key usage number is expressed as four octets in big-endian order. | key usage number is expressed as four octets in big-endian order. | |||

Kc = KDF-HMAC-SHA2(base-key, usage | 0x99) | Kc = KDF-HMAC-SHA2(base-key, usage | 0x99) | |||

Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA) | Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA) | |||

Ki = KDF-HMAC-SHA2(base-key, usage | 0x55) | Ki = KDF-HMAC-SHA2(base-key, usage | 0x55) | |||

cipherstate: a 128-bit CBC initialization vector. | cipherstate: a 128-bit CBC initialization vector derived from | |||

the ciphertext. | ||||

initial cipherstate: all bits zero. | initial cipherstate: all bits zero. | |||

encryption function: as follows, where E() is AES encryption in | encryption function: as follows, where E() is AES encryption in | |||

CBC-CS3 mode, h is the size of truncated HMAC, and c is the AES | CBC-CS3 mode, and h is the size of truncated HMAC. | |||

block size. | ||||

N = random nonce of length c (128 bits) | N = random nonce of length 128 bits (the AES block size) | |||

IV = cipherstate | IV = cipherstate | |||

C = E(Ke, N | plaintext, IV) | C = E(Ke, N | plaintext, IV) | |||

H = HMAC(Ki, IV | C) | H = HMAC(Ki, IV | C) | |||

ciphertext = C | H[1..h] | ciphertext = C | H[1..h] | |||

cipherstate = next-to-last 128-bit block of C | cipherstate = the last full (128 bit) block of C | |||

Note: if C is only a single block, then cipherstate = C | (i.e. the next-to-last block if the last block | |||

is not a full 128 bits) | ||||

decryption function: as follows, where D() is AES encryption in | decryption function: as follows, where D() is AES decryption in | |||

CBC-CS3 mode, and h is the size of truncated HMAC. | CBC-CS3 mode, and h is the size of truncated HMAC. | |||

(C, H) = ciphertext | (C, H) = ciphertext | |||

IV = cipherstate | IV = cipherstate | |||

if H != HMAC(Ki, IV | C)[1..h] | if H != HMAC(Ki, IV | C)[1..h] | |||

stop, report error | stop, report error | |||

(N, P) = D(Ke, C, IV) | (N, P) = D(Ke, C, IV) | |||

Note: N is set to the first block of the decryption output, | Note: N is set to the first block of the decryption output, | |||

P is set to the rest of the output. | P is set to the rest of the output. | |||

cipherstate = next-to-last 128-bit block of C | cipherstate = the last full (128 bit) block of C | |||

Note: if C is only a single block, then cipherstate = C | (i.e. the next-to-last block if the last block | |||

is not a full 128 bits) | ||||

pseudo-random function: | pseudo-random function: | |||

Kp = KDF-HMAC-SHA2(protocol-key, "prf") | If the enctype is aes128-cts-hmac-sha256-128: | |||

PRF = HMAC(Kp, octet-string) | k = 128 | |||

6. Checksum Parameters | If the enctype is aes256-cts-hmac-sha384-192: | |||

k = 256 | ||||

Kp = KDF-HMAC-SHA2(base-key, "prf") | ||||

PRF = k-truncate(HMAC-SHA2(Kp, octet-string)) | ||||

where SHA2 is SHA-256 if the enctype is | ||||

aes128-cts-hmac-sha256-128, | ||||

and is SHA-384 if the enctype is aes256-cts-hmac-sha384-192. | ||||

6. Checksum Parameters | ||||

The following parameters apply to the checksum types hmac-sha256-128- | The following parameters apply to the checksum types hmac-sha256-128- | |||

aes128 and hmac-sha384-192-aes256, which are the associated checksums | aes128 and hmac-sha384-192-aes256, which are the associated checksums | |||

for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192, | for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192, | |||

respectively. | respectively. | |||

associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate. | associated cryptosystem: AES-128-CTS or AES-256-CTS as appropriate. | |||

get_mic: HMAC(Kc, message)[1..h]. | get_mic: HMAC(Kc, message)[1..h]. | |||

verify_mic: get_mic and compare. | verify_mic: get_mic and compare. | |||
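
Review bot: The new cipherstate rule in the encryption and decryption functions changes behaviour, not only wording, and the text should say so. When C is longer than one block and its length is a multiple of 128 bits, -02 selects the next-to-last block of C while -03 selects the last block; the two agree only for a single-block C or when the final block is short. Since E() and D() are CBC-CS3, please state which block is meant in terms of the CBC-CS3 output ordering, so that both sides of a chained exchange carry the same value forward.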

skipping to change at page 7, line 48 | skipping to change at page 8, line 10 | |||

NIST guidance in section 5.3 of [SP800-38A] requires CBC | NIST guidance in section 5.3 of [SP800-38A] requires CBC | |||

initialization vectors be unpredictable. This specification does not | initialization vectors be unpredictable. This specification does not | |||

formally comply with that guidance. However, the use of a confounder | formally comply with that guidance. However, the use of a confounder | |||

as the first block of plaintext fills the cryptographic role | as the first block of plaintext fills the cryptographic role | |||

typically played by an initialization vector. This approach was | typically played by an initialization vector. This approach was | |||

chosen to align with other Kerberos cryptosystem approaches. | chosen to align with other Kerberos cryptosystem approaches. | |||

8.1. Random Values in Salt Strings | 8.1. Random Values in Salt Strings | |||

NIST guidance in Section 5.1 of [SP800-132] requires the salt used as | NIST guidance in Section 5.1 of [SP800-132] requires that a portion | |||

input to the PBKDF to contain at least 128 bits of random. Some | of the salt of at least 128 bits shall be randomly generated. Some | |||

known issues with including random values in Kerberos encryption type | known issues with including random values in Kerberos encryption type | |||

salt strings are: | salt strings are: | |||

* Cross-realm TGTs are currently managed by entering the same | ||||

password at two KDCs to get the same keys. If each KDC uses a | ||||

random salt, they won't have the same keys. | ||||

* The string-to-key function as defined in [RFC3961] requires the | * The string-to-key function as defined in [RFC3961] requires the | |||

salt to be valid UTF-8 strings. Not every 128-bit random string | salt to be valid UTF-8 strings. Not every 128-bit random string | |||

will be valid UTF-8. | will be valid UTF-8. | |||

* Current implementations of password history checking will not | Further, using a salt containing a random portion may have the | |||

work. | following issues with some implementations: | |||

* Cross-realm TGTs are typically managed by entering the same | ||||

password at two KDCs to get the same keys. If each KDC uses a random | ||||

salt, they won't have the same keys. | ||||

* Random salts may interfere with password history checking. | ||||

* ktutil's add_entry command assumes the default salt. | * ktutil's add_entry command assumes the default salt. | |||

9. Acknowledgements | 9. Acknowledgements | |||

Kelley Burgin was employed at the National Security Agency during | Kelley Burgin was employed at the National Security Agency during | |||

much of the work on this document. | much of the work on this document. | |||

10. References | 10. References | |||
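
Review bot: Section 8.1 on the right still lists problems with random salts without stating the outcome. The paragraph just above it says of the IV guidance that "This specification does not formally comply with that guidance"; 8.1 should make the equivalent explicit statement for [SP800-132], saying whether the default salt is kept and the 128-bit random portion is therefore not provided. Separately, "requires that a portion of the salt of at least 128 bits shall be randomly generated" doubles the modal; "requires that at least 128 bits of the salt be randomly generated" reads more cleanly.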

skipping to change at page 10, line 27 | skipping to change at page 10, line 39 | |||

EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 | EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4 | |||

BA 41 F2 8F AF 69 E7 3D | BA 41 F2 8F AF 69 E7 3D | |||

Ke value for key usage 2 (constant = 0x00000002AA): | Ke value for key usage 2 (constant = 0x00000002AA): | |||

56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | 56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7 | |||

A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49 | |||

Ki value for key usage 2 (constant = 0x0000000255): | Ki value for key usage 2 (constant = 0x0000000255): | |||

69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 | 69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6 | |||

22 C4 D0 0F FC 23 ED 1F | 22 C4 D0 0F FC 23 ED 1F | |||

Sample encryptions (all using the default cipher state): | Sample encryptions (all using the default cipher state): | |||

---------------------------------------------------- | -------------------------------------------------------- | |||

The following test vectors are for | The following test vectors are for | |||

enctype aes128-cts-hmac-sha256-128: | enctype aes128-cts-hmac-sha256-128: | |||

Plaintext: (empty) | Plaintext: (empty) | |||

Confounder: | Confounder: | |||

7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 | 7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48 | |||

128-bit AES key: | 128-bit AES key: | |||

9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | 9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E | |||

128-bit HMAC key: | 128-bit HMAC key: | |||
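
Review bot: The sample encryptions are labelled "all using the default cipher state", so none of the vectors visible here exercises the cipherstate definition that this revision changes in Section 5. Add at least one vector with a non-zero input cipherstate, ideally a two-message sequence whose first C is a whole number of blocks, and give the expected output cipherstate for each message.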

End of changes. 20 change blocks. | ||||

29 lines changed or deleted | | 43 lines changed or added | ||

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |