idnits 2.17.1 

draft-ietf-kitten-gssapi-prf-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 13.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 331.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 308.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 315.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 321.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard


  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (May 12, 2005) is 6924 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC2743' is defined on line 269, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC1750' is defined on line 283, but no explicit
     reference was found in the text

  -- Possible downref: Non-RFC (?) normative reference: ref. 'GGM1'

  ** Obsolete normative reference: RFC 2853 (Obsoleted by RFC 5653)

  -- Obsolete informational reference (is this intentional?): RFC 1750
     (Obsoleted by RFC 4086)


     Summary: 4 errors (**), 0 flaws (~~), 4 warnings (==), 10 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

1	NETWORK WORKING GROUP                                        N. Williams
2	Internet-Draft                                                       Sun
3	Expires: November 13, 2005                                  May 12, 2005

5	                  A PRF API extension for the GSS-API
6	                  draft-ietf-kitten-gssapi-prf-03.txt

8	Status of this Memo

10	   By submitting this Internet-Draft, each author represents that any
11	   applicable patent or other IPR claims of which he or she is aware
12	   have been or will be disclosed, and any of which he or she becomes
13	   aware will be disclosed, in accordance with Section 6 of BCP 79.

15	   Internet-Drafts are working documents of the Internet Engineering
16	   Task Force (IETF), its areas, and its working groups.  Note that
17	   other groups may also distribute working documents as Internet-
18	   Drafts.

20	   Internet-Drafts are draft documents valid for a maximum of six months
21	   and may be updated, replaced, or obsoleted by other documents at any
22	   time.  It is inappropriate to use Internet-Drafts as reference
23	   material or to cite them other than as "work in progress."

25	   The list of current Internet-Drafts can be accessed at
26	   http://www.ietf.org/ietf/1id-abstracts.txt.

28	   The list of Internet-Draft Shadow Directories can be accessed at
29	   http://www.ietf.org/shadow.html.

31	   This Internet-Draft will expire on November 13, 2005.

33	Copyright Notice

35	   Copyright (C) The Internet Society (2005).

37	Abstract

39	   This document defines a Pseudo-Random Function (PRF) extension to the
40	   Generic Security Service Application Programming Interface (GSS-API)
41	   for keying application protocols given an established GSS-API
42	   security context.  The primary intended use of this function is to
43	   key secure session layers that don't or cannot use GSS-API per-
44	   message MIC (message integrity check) and wrap tokens for session
45	   protection.

47	Table of Contents

49	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
50	   1.1 Conventions used in this document  . . . . . . . . . . . . . .  3
51	   2.  GSS_Pseudo_random()  . . . . . . . . . . . . . . . . . . . . .  3
52	   2.1 C-Bindings . . . . . . . . . . . . . . . . . . . . . . . . . .  5
53	   2.2 Java Bindings  . . . . . . . . . . . . . . . . . . . . . . . .  6
54	   3.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  6
55	   4.  Security Considerations  . . . . . . . . . . . . . . . . . . .  6
56	   5.  References . . . . . . . . . . . . . . . . . . . . . . . . . .  7
57	   5.1 Normative References . . . . . . . . . . . . . . . . . . . . .  7
58	   5.2 Informative References . . . . . . . . . . . . . . . . . . . .  7
59	       Author's Address . . . . . . . . . . . . . . . . . . . . . . .  7
60	       Intellectual Property and Copyright Statements . . . . . . . .  8

62	1.  Introduction

64	   A need has arisen for users of the GSS-API to key applications'
65	   cryptographic protocols using established GSS-API security contexts.
66	   Such applications can use the GSS-API for authentication, but not for
67	   transport security (for whatever reasons), and since the GSS-API does
68	   not provide a method for obtaining keying material from established
69	   security contexts such applications cannot make effective use of the
70	   GSS-API.

72	   To address this need we define a pseudo-random function (PRF)
73	   extension to the GSS-API.

75	1.1  Conventions used in this document

77	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
78	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
79	   document are to be interpreted as described in [RFC2119].

81	2.  GSS_Pseudo_random()

83	   Inputs:

85	   o  context CONTEXT handle,

87	   o  prf_key INTEGER,

89	   o  prf_in OCTET STRING,

91	   o  desired_output_len INTEGER

93	   Outputs:

95	   o  major_status INTEGER,

97	   o  minor_status INTEGER,

99	   o  prf_out OCTET STRING

101	   Return major_status codes:

103	   o  GSS_S_COMPLETE indicates no error.

105	   o  GSS_S_NO_CONTEXT indicates that a null context has been provided
106	      as input.

108	   o  GSS_S_CONTEXT_EXPIRED indicates that an expired context has been
109	      provided as input.

111	   o  GSS_S_UNAVAILABLE indicates that the mechanism lacks support for
112	      this function or, if the security context is not fully
113	      established, that the context is not ready to compute the PRF with
114	      the given prf_key, or that the given prf_key is not available.

116	   o  GSS_S_FAILURE indicates general failure, possibly due to the given
117	      input data being too large or of zero length, or due to the
118	      desired_output_len being zero; the minor status code may provide
119	      additional information.

121	   This function applies the established context's mechanism's keyed
122	   pseudo-random function (PRF) to the input data ('prf_in'), keyed with
123	   key material associated with the given security context and
124	   identified by 'prf_key', and outputs the resulting octet string
125	   ('prf_out') of desired_output_len length.

127	   The minimum input data length is one octet.

129	   Mechanisms MUST be able to consume all the provided prf_in input data
130	   that is 2^14 or fewer octets.

132	   If a mechanism cannot consume as much input data as provided by the
133	   caller, then GSS_Pseudo_random() MUST return GSS_S_FAILURE.

135	   The minimum desired_output_len is one.

137	   Mechanisms MUST be able to output at least up to 2^14 octets.

139	   If the implementation cannot produce the desired output due to lack
140	   of resources then it MUST output what it can and still return
141	   GSS_S_COMPLETE.

143	   The prf_key can take on the following values: GSS_C_PRF_KEY_FULL,
144	   GSS_C_PRF_KEY_PARTIAL or mechanism-specific values, if any.  This
145	   parameter is intended to distinguish between the best cryptographic
146	   keys that may be available only after full security context
147	   establishment and keys that may be available prior to full security
148	   context establishment.  For some mechanisms, or contexts, those two
149	   prf_key values MAY refer to the same cryptographic keys; for
150	   mechanisms like the Kerberos V GSS-API mechanism [RFC1964] where one
151	   peer may assert a key that may be considered better than the others
152	   they MAY be different keys.

154	   GSS_C_PRF_KEY_PARTIAL corresponds to a key that would be have been
155	   used while the security context was partially established, even if it
156	   is fully established when GSS_Pseudo_random() is actually called.
157	   Mechanism-specific prf_key values are intended to refer to any other
158	   keys that may be available.

160	   The GSS_C_PRF_KEY_FULL value corresponds to the best key available
161	   for fully-established security contexts.

163	   GSS_Pseudo_random() has the following properties:

165	   o  its output string MUST be a pseudo-random function [GGM1] [GGM2]
166	      of the input keyed with key material from the given security
167	      context -- the chances of getting the same output given different
168	      input parameters should be exponentially small.

170	   o  when successfully applied to the same inputs by an initiator and
171	      acceptor using the same security context, it MUST produce the
172	      _same results_ for both, the initiator and acceptor, even if
173	      called multiple times (as long as the security context is not
174	      expired).

176	   o  upon full establishment of a security context all cryptographic
177	      keys and/or negotiations used for computing the PRF with any
178	      prf_key MUST be authenticated (mutually, if mutual authentication
179	      is in effect for the given security context).

181	   o  the outputs of the mechanism's GSS_Pseudo_random() (for different
182	      inputs) and its per-message tokens for the given security context
183	      MUST be "cryptographically separate;" in other words, it must not
184	      be feasible to recover key material for one mechanism operation or
185	      transform its tokens and PRF outputs from one to the other given
186	      only said tokens and PRF outputs.  [This is a fancy way of saying
187	      that key derivation and strong cryptographic operations and
188	      constructions must be used.]

190	   o  as implied by the above requirement, it MUST NOT be possible to
191	      access any raw keys of a security context through
192	      GSS_Pseudo_random(), no matter what inputs are given.

194	   Mechanisms MAY limit the output of the PRF, possibly in ways related
195	   to the types of cryptographic keys available for the PRF function,
196	   thus the prf_out output of GSS_Pseudo_random() MAY be smaller than
197	   requested.

199	2.1  C-Bindings

201	   #define GSS_C_PRF_KEY_FULL 0
202	   #define GSS_C_PRF_KEY_PARTIAL 1
203	   OM_uint32 gss_pseudo_random(
204	     OM_uint32                     *minor_status,
205	     gss_ctx_id_t                  context,
206	     int                           prf_key,
207	     const gss_buffer_t            prf_in,
208	     ssize_t                       desired_output_len,
209	     gss_buffer_t                  prf_out
210	   );

212	   Additional major status codes for the C-bindings:

214	   o  GSS_S_CALL_INACCESSIBLE_READ

216	   o  GSS_S_CALL_INACCESSIBLE_WRITE

218	   See [RFC2744].

220	2.2  Java Bindings

222	   For Java GSS_Pseudo_random() maps to a GSSContext method, 'prf':

224	   public static final int GSS_C_PRF_KEY_FULL = 0
225	   public static final int GSS_C_PRF_KEY_PARTIAL = 1

227	   public byte[] prf(int prf_key, byte inBuf[], int outlen)
228	      throws GSSException

230	   See [RFC2853].

232	3.  IANA Considerations

234	   This document has no IANA considerations currently.  If and when a
235	   relevant IANA registry of GSS-API symbols is created then the generic
236	   and language-specific function names, constant names and constant
237	   values described above should be added to such a registry.

239	4.  Security Considerations

241	   Care should be taken in properly designing a mechanism's PRF
242	   function.

244	   GSS mechanisms' PRF functions should use a key derived from contexts'
245	   authenticated session keys and should preserve the forward security
246	   properties of the mechanisms' key exchanges.

248	   Some mechanisms may support the GSS PRF function with security
249	   contexts that are not fully established, but applications MUST assume
250	   that authentication, mutual or otherwise, has not completed until the
251	   security context is fully established.

253	   Callers of GSS_Pseudo_random() should avoid accidentally calling it
254	   with the same inputs.  One useful technique is to prepend to the
255	   prf_in input string, by convention, a string indicating the intended
256	   purpose of the PRF output in such a way that unique contexts in which
257	   the function is called yield unique inputs to it.

259	5.  References

261	5.1  Normative References

263	   [GGM1]     Goldreich, O., Goldwasser, S., and S. Micali, "How to
264	              Construct Random Functions", October 1986.

266	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
267	              Requirement Levels", BCP 14, RFC 2119, March 1997.

269	   [RFC2743]  Linn, J., "Generic Security Service Application Program
270	              Interface Version 2, Update 1", RFC 2743, January 2000.

272	   [RFC2744]  Wray, J., "Generic Security Service API Version 2 :
273	              C-bindings", RFC 2744, January 2000.

275	   [RFC2853]  Kabat, J. and M. Upadhyay, "Generic Security Service API
276	              Version 2 : Java Bindings", RFC 2853, June 2000.

278	5.2  Informative References

280	   [GGM2]     Goldreich, O., Goldwasser, S., and S. Micali, "On the
281	              Cryptographic Applications of Random Functions", 1985.

283	   [RFC1750]  Eastlake, D., Crocker, S., and J. Schiller, "Randomness
284	              Recommendations for Security", RFC 1750, December 1994.

286	   [RFC1964]  Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
287	              RFC 1964, June 1996.

289	Author's Address

291	   Nicolas Williams
292	   Sun Microsystems
293	   5300 Riata Trace Ct
294	   Austin, TX  78727
295	   US

297	   Email: Nicolas.Williams@sun.com

299	Intellectual Property Statement

301	   The IETF takes no position regarding the validity or scope of any
302	   Intellectual Property Rights or other rights that might be claimed to
303	   pertain to the implementation or use of the technology described in
304	   this document or the extent to which any license under such rights
305	   might or might not be available; nor does it represent that it has
306	   made any independent effort to identify any such rights.  Information
307	   on the procedures with respect to rights in RFC documents can be
308	   found in BCP 78 and BCP 79.

310	   Copies of IPR disclosures made to the IETF Secretariat and any
311	   assurances of licenses to be made available, or the result of an
312	   attempt made to obtain a general license or permission for the use of
313	   such proprietary rights by implementers or users of this
314	   specification can be obtained from the IETF on-line IPR repository at
315	   http://www.ietf.org/ipr.

317	   The IETF invites any interested party to bring to its attention any
318	   copyrights, patents or patent applications, or other proprietary
319	   rights that may cover technology that may be required to implement
320	   this standard.  Please address the information to the IETF at
321	   ietf-ipr@ietf.org.

323	Disclaimer of Validity

325	   This document and the information contained herein are provided on an
326	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
327	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
328	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
329	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
330	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
331	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

333	Copyright Statement

335	   Copyright (C) The Internet Society (2005).  This document is subject
336	   to the rights, licenses and restrictions contained in BCP 78, and
337	   except as set forth therein, the authors retain all their rights.

339	Acknowledgment

341	   Funding for the RFC Editor function is currently provided by the
342	   Internet Society.