rfcdiff: draft-ietf-kitten-gssapi-prf-07.txt vs. rfc4401.txt

Network Working Group                                        N. Williams
Request for Comments: 4401                              Sun Microsystems
Category: Standards Track                                  February 2006

(The left side of this diff, draft-ietf-kitten-gssapi-prf-07.txt, is an
Internet-Draft by N. Williams, Sun, dated August 26, 2005, expiring
February 27, 2006, and titled "A PRF API extension for the GSS-API".)

A Pseudo-Random Function (PRF) API Extension for the
Generic Security Service Application Program Interface (GSS-API)

Status of This Memo

This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.

Status of this Memo (Internet-Draft version)

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on February 27, 2006.

Copyright Notice

Copyright (C) The Internet Society (2006). (The Internet-Draft carried a
2005 notice.)

Abstract

This document defines a Pseudo-Random Function (PRF) extension to the
Generic Security Service Application Program Interface (GSS-API) for
keying application protocols given an established GSS-API security
context. The primary intended use of this function is to key secure
session layers that do not or cannot use GSS-API per-message message
integrity check (MIC) and wrap tokens for session protection.

Table of Contents

1. Introduction
   1.1. Conventions Used in This Document
2. GSS_Pseudo_random()
   2.1. C-Bindings
3. IANA Considerations
4. Security Considerations
5. References
   5.1. Normative References
   5.2. Informative References
Author's Address
Intellectual Property and Copyright Statements
1. Introduction

A need has arisen for users of the GSS-API to key applications'
cryptographic protocols using established GSS-API security contexts.
Such applications can use the GSS-API [RFC2743] for authentication,
but not for transport security (for whatever reasons), and since the
GSS-API does not provide a method for obtaining keying material from
established security contexts, such applications cannot make
effective use of the GSS-API.

To address this need, we define a pseudo-random function (PRF)
extension to the GSS-API.

Though this document specifies an abstract API as an extension to the
GSS-API version 2, update 1, and though it specifies the bindings of
this extension for the C programming language, it does not specify a
revision of the GSS-API and so does not address the matter of how
portable applications detect support for and ensure access to this
extension. We defer this matter to an expected, comprehensive update
to the GSS-API.

1.1. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. GSS_Pseudo_random()

Inputs:

o context CONTEXT handle,

[unchanged text omitted by rfcdiff (draft page 4, line 43 / RFC page 3,
line 43)]

that is 2^14 or fewer octets.

If a mechanism cannot consume as much input data as provided by the
caller, then GSS_Pseudo_random() MUST return GSS_S_FAILURE.

The minimum desired_output_len is one.

Mechanisms MUST be able to output at least up to 2^14 octets.

If the implementation cannot produce the desired output due to lack
of resources, then it MUST return GSS_S_FAILURE and MUST set a
suitable minor status code.

The prf_key can take on the following values: GSS_C_PRF_KEY_FULL,
GSS_C_PRF_KEY_PARTIAL, or mechanism-specific values, if any. This
parameter is intended to distinguish between the best cryptographic
keys that may be available only after full security context
establishment and keys that may be available prior to full security
context establishment. For some mechanisms, or contexts, those two
prf_key values MAY refer to the same cryptographic keys; for
mechanisms like the Kerberos V GSS-API mechanism [RFC1964], where one
peer may assert a key that may be considered better than the others,
they MAY be different keys.

GSS_C_PRF_KEY_PARTIAL corresponds to a key that would have been used
while the security context was partially established, even if it is
fully established when GSS_Pseudo_random() is actually called.

Mechanism-specific prf_key values are intended to refer to any other
keys that may be available.

The GSS_C_PRF_KEY_FULL value corresponds to the best key available
for fully-established security contexts.

GSS_Pseudo_random() has the following properties:

o its output string MUST be a pseudo-random function [GGM1] [GGM2]
  of the input keyed with key material from the given security
  context -- the chances of getting the same output given different
  input parameters should be exponentially small.

o when successfully applied to the same inputs by an initiator and
  acceptor using the same security context, it MUST produce the
  _same results_ for both, the initiator and acceptor, even if
  called multiple times (as long as the security context is not
  expired).

o upon full establishment of a security context, all cryptographic
  keys and/or negotiations used for computing the PRF with any
  prf_key MUST be authenticated (mutually, if mutual authentication
  is in effect for the given security context).

o the outputs of the mechanism's GSS_Pseudo_random() (for different
  inputs) and its per-message tokens for the given security context
  MUST be "cryptographically separate"; in other words, it must not
  be feasible to recover key material for one mechanism operation or
  transform its tokens and PRF outputs from one to the other given
  only said tokens and PRF outputs. (This is a fancy way of saying
  that key derivation and strong cryptographic operations and
  constructions must be used.)

o as implied by the above requirement, it MUST NOT be possible to
  access any raw keys of a security context through
  GSS_Pseudo_random(), no matter what inputs are given.

Only in draft-07 (this paragraph does not appear in RFC 4401):

   Mechanisms MAY limit the output of the PRF, possibly in ways related
   to the types of cryptographic keys available for the PRF function,
   thus the prf_out output of GSS_Pseudo_random() MAY be smaller than
   requested.

2.1. C-Bindings
   #define GSS_C_PRF_KEY_FULL    0
   #define GSS_C_PRF_KEY_PARTIAL 1

   OM_uint32 gss_pseudo_random(
       OM_uint32 *minor_status,
       gss_ctx_id_t context,
       int prf_key,
       const gss_buffer_t prf_in,
       ssize_t desired_output_len,

[unchanged text omitted by rfcdiff (draft page 6, line 31 / RFC page 5,
line 30)]

o GSS_S_CALL_INACCESSIBLE_READ

o GSS_S_CALL_INACCESSIBLE_WRITE

See [RFC2744].
3. IANA Considerations

This document has no IANA considerations currently. If and when a
relevant IANA registry of GSS-API symbols is created, then the
generic and language-specific function names, constant names, and
constant values described above should be added to such a registry.

4. Security Considerations

Care should be taken in properly designing a mechanism's PRF
function.

GSS mechanisms' PRF functions should use a key derived from contexts'
authenticated session keys and should preserve the forward security
properties of the mechanisms' key exchanges.

[unchanged text omitted by rfcdiff (draft page 7, line 11 / RFC page 6,
line 9)]

Callers of GSS_Pseudo_random() should avoid accidentally calling it
with the same inputs. One useful technique is to prepend to the
prf_in input string, by convention, a string indicating the intended
purpose of the PRF output in such a way that unique contexts in which
the function is called yield unique inputs to it.

Pseudo-random functions are, by their nature, capable of producing
only limited amounts of cryptographically secure output. The exact
amount of output that one can safely use, unfortunately, varies from
one PRF to another (which prevents us from recommending specific
numbers). Because of this, we recommend that unless you really know
what you are doing (i.e., you are a cryptographer and are qualified
to pass judgement on cryptographic functions in areas of period,
presence of short cycles, etc.), you limit the amount of the PRF
output used to the necessary minimum. See [RFC4086] for more
information about "Randomness Requirements for Security".

For some mechanisms, the computational cost of computing
GSS_Pseudo_random() may increase significantly as the length of the
prf_in data and/or the desired_output_len increase. This means
that if an application can be tricked into providing very large input
octet strings and requesting very long output octet strings, then
that may constitute a denial of service attack on the application;
therefore, applications SHOULD place appropriate limits on the size
of any input octet strings received from their peers without
integrity protection.
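The following Python is an added illustration of the section 2 properties and the section 4 advice together; it is not part of the RFC or of any GSS-API implementation. It models a mechanism's PRF as HMAC-SHA256 run in counter mode under a key derived from the context's session key, with the per-message key derived under a different label (cryptographic separation), enforces the 2^14-octet input and output floors from section 2, and shows a caller that prefixes a purpose label to prf_in, takes only the minimum output it needs, and caps unauthenticated peer input. The names ModelContext, GssFailure, labeled_prf_in, derive_app_keys, PEER_INPUT_LIMIT, the derivation labels and the sample key are all constructed for this example; the construction is not the PRF of any real mechanism.

```python
import hashlib
import hmac
from typing import Dict, Optional

# prf_key selectors, as in the C bindings of section 2.1
GSS_C_PRF_KEY_FULL = 0
GSS_C_PRF_KEY_PARTIAL = 1

# Section 2 floors: a mechanism must accept at least 2^14 input octets
# and be able to produce at least up to 2^14 output octets.
MIN_SUPPORTED_INPUT = 1 << 14
MIN_SUPPORTED_OUTPUT = 1 << 14


class GssFailure(Exception):
    """Stands in for GSS_S_FAILURE; the message plays the minor status."""


class ModelContext:
    """Constructed stand-in for an established security context.
    Both peers of a context hold the same authenticated session key(s),
    which is what makes the PRF agree on the initiator and acceptor sides."""

    def __init__(self, full_key: bytes, partial_key: Optional[bytes] = None):
        self._keys: Dict[int, bytes] = {
            GSS_C_PRF_KEY_FULL: full_key,
            # A mechanism with a single key may let FULL and PARTIAL refer to
            # the same key, as section 2 allows.
            GSS_C_PRF_KEY_PARTIAL: partial_key if partial_key is not None else full_key,
        }

    def _subkey(self, prf_key: int, usage: bytes) -> bytes:
        # Cryptographic separation: PRF output and per-message tokens are
        # computed under distinct derived keys, so neither exposes the raw
        # session key or the other operation's key material.
        return hmac.new(self._keys[prf_key], usage, hashlib.sha256).digest()

    def per_message_key(self) -> bytes:
        """Key the model mechanism would use for its MIC/wrap tokens."""
        return self._subkey(GSS_C_PRF_KEY_FULL, b"model/per-message")

    def pseudo_random(self, prf_key: int, prf_in: bytes, desired_output_len: int) -> bytes:
        """Model of GSS_Pseudo_random(): HMAC-SHA256 in counter mode over prf_in."""
        if prf_key not in self._keys:
            raise GssFailure("unsupported prf_key")
        if len(prf_in) > MIN_SUPPORTED_INPUT:
            # This model consumes exactly the mandated minimum and no more.
            raise GssFailure("prf_in longer than this mechanism can consume")
        if desired_output_len < 1 or desired_output_len > MIN_SUPPORTED_OUTPUT:
            raise GssFailure("desired_output_len out of range")
        key = self._subkey(prf_key, b"model/prf")
        out = bytearray()
        counter = 0
        while len(out) < desired_output_len:
            out += hmac.new(key, counter.to_bytes(4, "big") + prf_in, hashlib.sha256).digest()
            counter += 1
        return bytes(out[:desired_output_len])


def labeled_prf_in(purpose: str, data: bytes) -> bytes:
    """Section 4 convention: prefix a purpose label so two uses with the same
    payload never feed identical input to the PRF.  The label is
    length-prefixed so that "ab"+"c" and "a"+"bc" cannot collide."""
    label = purpose.encode("utf-8")
    return len(label).to_bytes(2, "big") + label + data


PEER_INPUT_LIMIT = 1024  # constructed application policy for unauthenticated peer data


def derive_app_keys(ctx: ModelContext, peer_nonce: bytes) -> Dict[str, bytes]:
    """Key an application's own session layer from the context, requesting
    only the minimum output needed (two 32-octet keys)."""
    if len(peer_nonce) > PEER_INPUT_LIMIT:
        # Section 4: bound the size of inputs that arrived without integrity
        # protection before they reach the (possibly costly) PRF.
        raise ValueError("peer nonce exceeds policy limit")
    return {
        "enc": ctx.pseudo_random(GSS_C_PRF_KEY_FULL, labeled_prf_in("app enc key", peer_nonce), 32),
        "mac": ctx.pseudo_random(GSS_C_PRF_KEY_FULL, labeled_prf_in("app mac key", peer_nonce), 32),
    }


if __name__ == "__main__":
    # Constructed sample: both peers share one authenticated session key.
    session_key = bytes(range(32))
    initiator, acceptor = ModelContext(session_key), ModelContext(session_key)
    nonce = b"constructed-nonce"
    assert derive_app_keys(initiator, nonce) == derive_app_keys(acceptor, nonce)
    print("initiator and acceptor derived identical application keys")
```

The counter-mode expansion gives a prefix property (the first n octets of a longer request equal an n-octet request for the same input), which is convenient but also why the purpose label matters: two callers asking for the "same" bytes under different labels get unrelated output, while two callers who forget the label get identical keys.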
5. References

5.1. Normative References

[GGM1]    Goldreich, O., Goldwasser, S., and S. Micali, "How to
          Construct Random Functions", Journal of the ACM, October
          1986.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
          Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2743] Linn, J., "Generic Security Service Application Program
          Interface Version 2, Update 1", RFC 2743, January 2000.

[RFC2744] Wray, J., "Generic Security Service API Version 2 :
          C-bindings", RFC 2744, January 2000.

5.2. Informative References

[GGM2]    Goldreich, O., Goldwasser, S., and S. Micali, "On the
          Cryptographic Applications of Random Functions",
          Proceedings of CRYPTO 84 on Advances in cryptology, 1985.

[RFC4086] Eastlake, D., 3rd, Schiller, J., and S. Crocker,
          "Randomness Requirements for Security", BCP 106, RFC 4086,
          June 2005.

[RFC1750] (listed only by draft-07, replaced by [RFC4086] in RFC 4401)
          Eastlake, D., Crocker, S., and J. Schiller, "Randomness
          Recommendations for Security", RFC 1750, December 1994.

[RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
          RFC 1964, June 1996.
Author's Address

Nicolas Williams
Sun Microsystems
5300 Riata Trace Ct
Austin, TX 78727
US

EMail: Nicolas.Williams@sun.com
Full Copyright Statement

Copyright (C) The Internet Society (2006).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

[unchanged text omitted by rfcdiff (draft page 9, line 29 / RFC page 8,
line 45)]

such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.

(The Internet-Draft carried the same Disclaimer of Validity and IPR
statements under the headings "Intellectual Property Statement",
"Disclaimer of Validity" and "Copyright Statement", with a 2005
copyright notice.)

Acknowledgement

Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA). (The Internet-Draft read:
"Funding for the RFC Editor function is currently provided by the
Internet Society.")
End of changes: 32 change blocks; 109 lines changed or deleted, 88
lines changed or added.

This html diff was produced by rfcdiff 1.29, available from
http://www.levkowetz.com/ietf/tools/rfcdiff/