idnits 2.17.1 draft-ietf-kitten-krb5-gssapi-prf-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 14. -- Found old boilerplate from RFC 3978, Section 5.5 on line 212. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 189. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 196. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 202. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (June 13, 2005) is 6885 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'CFX' is defined on line 150, but no explicit reference was found in the text == Unused Reference: 'RFC2743' is defined on line 161, but no explicit reference was found in the text == Unused Reference: 'RFC2744' is defined on line 164, but no explicit reference was found in the text -- Possible downref: Non-RFC (?) normative reference: ref. 'CFX' -- Possible downref: Non-RFC (?) normative reference: ref. 'GSS-PRF' Summary: 3 errors (**), 0 flaws (~~), 5 warnings (==), 9 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 NETWORK WORKING GROUP N. Williams 3 Internet-Draft Sun 4 Expires: December 15, 2005 June 13, 2005 6 A PRF for the Kerberos V GSS-API Mechanism 7 draft-ietf-kitten-krb5-gssapi-prf-04.txt 9 Status of this Memo 11 By submitting this Internet-Draft, each author represents that any 12 applicable patent or other IPR claims of which he or she is aware 13 have been or will be disclosed, and any of which he or she becomes 14 aware will be disclosed, in accordance with Section 6 of BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on December 15, 2005. 34 Copyright Notice 36 Copyright (C) The Internet Society (2005). 38 Abstract 40 This document defines the Pseudo-Random Function (PRF) for the 41 Kerberos V mechanism for the Generic Security Service Application 42 Programming Interface (GSS-API), based on the PRF defined for the 43 Kerberos V cryptographic framework, for keying application protocols 44 given an established Kerberos V GSS-API security context. 46 Table of Contents 48 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 49 1.1 Conventions used in this document . . . . . . . . . . . . . . 3 50 2. Kerberos V GSS Mechanism PRF . . . . . . . . . . . . . . . . . 3 51 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 52 4. Security Considerations . . . . . . . . . . . . . . . . . . . 4 53 5. Normative References . . . . . . . . . . . . . . . . . . . . . 4 54 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 5 55 Intellectual Property and Copyright Statements . . . . . . . . 6 57 1. Introduction 59 This document specifies the Kerberos V GSS-API mechanism's pseudo- 60 random function corresponding to [GSS-PRF]. The function is a "PRF+" 61 style construction. 63 1.1 Conventions used in this document 65 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 66 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 67 document are to be interpreted as described in [RFC2119]. 69 2. Kerberos V GSS Mechanism PRF 71 The GSS-API PRF [GSS-PRF] function for the Kerberos V mechanism 72 [RFC1964] shall be the output of a PRF+ function based on the 73 encryption type's PRF function keyed with the negotiated session key 74 of the security context corresponding to the 'prf_key' input 75 parameter of GSS_Pseudo_random(). 77 This PRF+ MUST be keyed with the key indicated by the 'prf_key' input 78 parameter as follows: 80 o GSS_C_PRF_KEY_FULL -- use the sub-session key asserted by the 81 acceptor, if any, or the sub-session asserted by the initiator, if 82 any, or the Ticket's session key 84 o GSS_C_PRF_KEY_PARTIAL -- use the sub-session key asserted by the 85 initiator, if any, or the Ticket's session key 87 The PRF+ function is a simple counter-based extension of the Kerberos 88 V pseudo-random function [RFC3961] for the encryption type of the 89 security context's keys: 91 PRF+(K, L, S) = truncate(L, T1 || T2 || .. || Tn) 93 Tn = pseudo-random(K, n || S) 95 where '||' is the concatenation operator, 'n' is encoded as a network 96 byte order 32-bit unsigned binary number, truncate(L, S) truncates 97 the input octet string S to length L, and pseudo-random() is the 98 Kerberos V pseudo-random function [RFC3961]. 100 The maximum output size of the Kerberos V mechanism's GSS-API PRF 101 then is, necessarily, 2^32 times the output size of the pseudo- 102 random() function for the encryption type of the given key. 104 When the input size is longer than 2^14 octets as per [GSS-PRF] and 105 exceeds an implementation's resources then the mechanism MUST return 106 GSS_S_FAILURE and GSS_KRB5_S_KG_INPUT_TOO_LONG as the minor status 107 code. 109 3. IANA Considerations 111 This document has no IANA considerations currently. If and when a 112 relevant IANA registry of GSS-API symbols and constants is created 113 then the GSS_KRB5_S_KG_INPUT_TOO_LONG minor status code should be 114 added to such a registry. 116 4. Security Considerations 118 Kerberos V encryption types' PRF functions use a key derived from 119 contexts' session keys and should preserve the forward security 120 properties of the mechanisms' key exchanges. 122 Legacy Kerberos V encryption types may be weak, particularly the 123 single-DES encryption types. 125 See also [GSS-PRF] for generic security considerations of 126 GSS_Pseudo_random(). 128 See also [RFC3961] for generic security considerations of the 129 Kerberos V cryptographic framework. 131 Use of Ticket session keys, rather than sub-session keys, when 132 initiators and acceptors fail to assert sub-session keys, is 133 dangerous as ticket reuse can lead to key reuse, therefore initiators 134 should assert sub-session keys always, and acceptors should assert 135 sub-session keys at least when initiators fail to do so.. 137 The computational cost of computing this PRF+ may vary depending on 138 the Kerberos V encryption types being used, but generally the 139 computation of this PRF+ gets more expensive as the input and output 140 octet string lengths grow (note that the use of a counter in the PRF+ 141 construction allows for parallelization). This means that if an 142 application can be tricked into providing very large input octet 143 strings and requesting very long output octet strings then that may 144 constitute a denial of service attack on the application; therefore 145 applications SHOULD place appropriate limits on the size of any input 146 octet strings received from their peers without integrity protection. 148 5. Normative References 150 [CFX] Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos 151 Version 5 GSS-API Mechanism: Version 2". 153 [GSS-PRF] Williams, N., "A PRF API extension for the GSS-API". 155 [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", 156 RFC 1964, June 1996. 158 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 159 Requirement Levels", BCP 14, RFC 2119, March 1997. 161 [RFC2743] Linn, J., "Generic Security Service Application Program 162 Interface Version 2, Update 1", RFC 2743, January 2000. 164 [RFC2744] Wray, J., "Generic Security Service API Version 2 : 165 C-bindings", RFC 2744, January 2000. 167 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for 168 Kerberos 5", RFC 3961, February 2005. 170 Author's Address 172 Nicolas Williams 173 Sun Microsystems 174 5300 Riata Trace Ct 175 Austin, TX 78727 176 US 178 Email: Nicolas.Williams@sun.com 180 Intellectual Property Statement 182 The IETF takes no position regarding the validity or scope of any 183 Intellectual Property Rights or other rights that might be claimed to 184 pertain to the implementation or use of the technology described in 185 this document or the extent to which any license under such rights 186 might or might not be available; nor does it represent that it has 187 made any independent effort to identify any such rights. Information 188 on the procedures with respect to rights in RFC documents can be 189 found in BCP 78 and BCP 79. 191 Copies of IPR disclosures made to the IETF Secretariat and any 192 assurances of licenses to be made available, or the result of an 193 attempt made to obtain a general license or permission for the use of 194 such proprietary rights by implementers or users of this 195 specification can be obtained from the IETF on-line IPR repository at 196 http://www.ietf.org/ipr. 198 The IETF invites any interested party to bring to its attention any 199 copyrights, patents or patent applications, or other proprietary 200 rights that may cover technology that may be required to implement 201 this standard. Please address the information to the IETF at 202 ietf-ipr@ietf.org. 204 Disclaimer of Validity 206 This document and the information contained herein are provided on an 207 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 208 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET 209 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, 210 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE 211 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 212 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 214 Copyright Statement 216 Copyright (C) The Internet Society (2005). This document is subject 217 to the rights, licenses and restrictions contained in BCP 78, and 218 except as set forth therein, the authors retain all their rights. 220 Acknowledgment 222 Funding for the RFC Editor function is currently provided by the 223 Internet Society.