NETWORK WORKING GROUP                                           S. Emery
Internet-Draft                                                    Oracle
Obsoletes: 4402 (if approved)                                N. Williams
Intended status: Standards Track                            Cryptonector
Expires: October 8, 2015                                   April 6, 2015


   A Pseudo-Random Function (PRF) for the Kerberos V Generic Security
        Service Application Program Interface (GSS-API) Mechanism
                    draft-ietf-kitten-rfc4402bis-01

Abstract

   This document defines the Pseudo-Random Function (PRF) for the
   Kerberos V mechanism for the Generic Security Service Application
   Program Interface (GSS-API), based on the PRF defined for the
   Kerberos V cryptographic framework, for keying application protocols
   given an established Kerberos V GSS-API security context.

   This document obsoletes RFC 4402 and reclassifies that document as
   historic.  RFC 4402 starts the PRF+ counter at 1; however, a number
   of implementations start the counter at 0.  As a result, the original
   specification would not be interoperable with existing
   implementations.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 8, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Kerberos V GSS Mechanism PRF
   4.  IANA Considerations
   5.  Security Considerations
   6.  Acknowledgements
   7.  Normative References
   Appendix A.  Test Vectors
   Authors' Addresses

1.  Introduction

   This document specifies the Kerberos V GSS-API mechanism's [RFC4121]
   pseudo-random function corresponding to [RFC4401].  The function is a
   "PRF+" style construction.  For more information see [RFC4401],
   [RFC2743], [RFC2744] and [RFC4121].

   This document obsoletes RFC 4402 and reclassifies that document as
   historic.  RFC 4402 starts the PRF+ counter at 1; however, a number
   of implementations start the counter at 0.  As a result, the original
   specification would not be interoperable with existing
   implementations.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Kerberos V GSS Mechanism PRF

   The GSS-API PRF [RFC4401] function for the Kerberos V mechanism
   [RFC4121] shall be the output of a PRF+ function based on the
   encryption type's PRF function keyed with the negotiated session key
   of the security context corresponding to the 'prf_key' input
   parameter of GSS_Pseudo_random().

   This PRF+ MUST be keyed with the key indicated by the 'prf_key' input
   parameter as follows:

   o  GSS_C_PRF_KEY_FULL -- use the sub-session key asserted by the
      acceptor, if any, or the sub-session key asserted by the
      initiator, if any, or the Ticket's session key

   o  GSS_C_PRF_KEY_PARTIAL -- use the sub-session key asserted by the
      initiator, if any, or the Ticket's session key

   The PRF+ function is a simple counter-based extension of the Kerberos
   V pseudo-random function [RFC3961] for the encryption type of the
   security context's keys:

      PRF+(K, L, S) = truncate(L, T0 || T1 || .. || Tn)

      Tn = pseudo-random(K, n || S)

   where '||' is the concatenation operator, 'n' is encoded as a network
   byte order 32-bit unsigned binary number and starts at 0 (T0 is the
   first block), truncate(L, X) truncates the octet string X to length
   L, and pseudo-random() is the Kerberos V pseudo-random function
   [RFC3961].

   The maximum output size of the Kerberos V mechanism's GSS-API PRF
   then is, necessarily, 2^32 times the output size of the
   pseudo-random() function for the encryption type of the given key.

   When the input size is longer than 2^14 octets as per [RFC4401] and
   exceeds an implementation's resources, then the mechanism MUST return
   GSS_S_FAILURE and GSS_KRB5_S_KG_INPUT_TOO_LONG as the minor status
   code.

4.  IANA Considerations

   This document has no IANA considerations currently.  If and when a
   relevant IANA registry of GSS-API symbols and constants is created,
   then the GSS_KRB5_S_KG_INPUT_TOO_LONG minor status code should be
   added to such a registry.
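   The following Go program is an added worked example; it is not code
   from this draft or from the MIT or Heimdal implementations.  It
   implements the PRF+ of Section 3 for the AES enctypes of RFC 3962
   and reproduces two of the Appendix A vectors (aes128-cts-hmac-sha1-96
   with the empty input and aes256-cts-hmac-sha1-96 with the 61-byte
   input).  The RFC 3961 primitives (n-fold, DK, and the
   simplified-profile PRF with H = SHA-1 and an all-zero initial cipher
   state) are written out as that RFC specifies them.  Two points are
   assumptions: the SHA-1 output is truncated to one whole 16-byte AES
   block before encryption, as the MIT implementation that produced the
   vectors does, and the 2^14-octet input bound is applied as a hard
   limit, whereas the draft only requires the refusal when the input
   also exceeds the implementation's resources.  The function names
   (nfold, deriveKey, prf, prfPlus) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Added example, not draft or implementation code: Section 3's PRF+ for the
// RFC 3962 AES enctypes, built from the RFC 3961 n-fold, DK and PRF.

// nfold is RFC 3961 section 5.1: replicate the input to lcm(len(in), n) bytes,
// rotating it right by 13 bits before each repetition, then add the n-byte
// chunks with end-around carry (one's-complement addition).
func nfold(in []byte, n int) []byte {
	inLen, inBits := len(in), uint(len(in)*8)
	g := int(new(big.Int).GCD(nil, nil, big.NewInt(int64(inLen)), big.NewInt(int64(n))).Int64())
	total := inLen / g * n
	x := new(big.Int).SetBytes(in)
	mask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), inBits), big.NewInt(1))
	buf := make([]byte, 0, total)
	for rep := 0; rep < total/inLen; rep++ {
		r := uint(13*rep) % inBits
		rot := new(big.Int).Rsh(x, r)
		rot.Or(rot, new(big.Int).Lsh(x, inBits-r)).And(rot, mask)
		buf = append(buf, rot.FillBytes(make([]byte, inLen))...)
	}
	sum := new(big.Int)
	for i := 0; i < total; i += n {
		sum.Add(sum, new(big.Int).SetBytes(buf[i:i+n]))
	}
	outMask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), uint(n*8)), big.NewInt(1))
	for sum.BitLen() > n*8 {
		carry := new(big.Int).Rsh(sum, uint(n*8))
		sum.And(sum, outMask).Add(sum, carry)
	}
	return sum.FillBytes(make([]byte, n))
}

// aesBlock encrypts one block under a 16- or 32-byte key.  RFC 3962's CBC-CTS
// with the all-zero initial cipher state reduces to this for a single block.
func aesBlock(key, block []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out
}

// deriveKey is DK(key, constant) for AES: random-to-key is the identity, and DR
// chains single-block encryptions of n-fold(constant) until len(key) bytes exist.
func deriveKey(key, constant []byte) []byte {
	block := nfold(constant, aes.BlockSize)
	out := make([]byte, 0, len(key))
	for len(out) < len(key) {
		block = aesBlock(key, block)
		out = append(out, block...)
	}
	return out[:len(key)]
}

// prf is the RFC 3961 section 5.3 PRF as the AES enctypes use it: SHA-1 the
// input, keep one whole 16-byte block of the hash (as the MIT implementation
// behind the Appendix A vectors does; assumption), encrypt under DK(key, "prf").
func prf(key, input []byte) []byte {
	h := sha1.Sum(input)
	return aesBlock(deriveKey(key, []byte("prf")), h[:aes.BlockSize])
}

// prfPlus is PRF+(K, L, S): Tn = prf(K, n || S) with n a 32-bit big-endian
// counter starting at 0; the Tn are concatenated and truncated to L octets.
// Inputs above Section 3's 2^14-octet bound are refused (this example's choice).
func prfPlus(key []byte, length int, seed []byte) ([]byte, error) {
	if len(seed) > 1<<14 {
		return nil, fmt.Errorf("GSS_KRB5_S_KG_INPUT_TOO_LONG: %d octets", len(seed))
	}
	out := make([]byte, 0, length)
	for n := uint32(0); len(out) < length; n++ {
		msg := make([]byte, 4, 4+len(seed))
		binary.BigEndian.PutUint32(msg, n)
		out = append(out, prf(key, append(msg, seed...))...)
	}
	return out[:length], nil
}

func main() { // reproduces two Appendix A vectors: aes128/empty input, aes256/61-byte input
	key128, _ := hex.DecodeString("6C742096EB896230312B73972FA28B5D")
	key256, _ := hex.DecodeString("F5B68B7823D8944F33F41541B4E4D38C9B2934F8D16334A796645B066152B4BE")
	seed := []byte("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789")
	t0, _ := prfPlus(key128, 44, nil)
	t1, _ := prfPlus(key256, 44, seed)
	fmt.Printf("%X\n%X\n", t0, t1)
}
```

   Run with "go run"; the two printed lines should match the
   aes128-cts-hmac-sha1-96 empty-input and aes256-cts-hmac-sha1-96
   61-byte-input outputs in Appendix A.  Each Tn depends only on the key,
   the counter and the seed, so the blocks can be computed in parallel,
   which is the property Section 5 notes; the truncation step is what
   makes a 16-octet request return exactly T0 and a 44-octet request
   return T0 || T1 || the first 12 octets of T2.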
5.  Security Considerations

   Kerberos V encryption types' PRF functions use a key derived from
   contexts' session keys and should preserve the forward security
   properties of the mechanisms' key exchanges.

   Legacy Kerberos V encryption types may be weak, particularly the
   single-DES encryption types.

   See also [RFC4401] for generic security considerations of
   GSS_Pseudo_random().

   See also [RFC3961] for generic security considerations of the
   Kerberos V cryptographic framework.

   Use of Ticket session keys, rather than sub-session keys, when
   initiators and acceptors fail to assert sub-session keys, is
   dangerous as ticket reuse can lead to key reuse; therefore,
   initiators should assert sub-session keys always, and acceptors
   should assert sub-session keys at least when initiators fail to do
   so.

   The computational cost of computing this PRF+ may vary depending on
   the Kerberos V encryption types being used, but generally the
   computation of this PRF+ gets more expensive as the input and output
   octet string lengths grow (note that the use of a counter in the PRF+
   construction allows for parallelization).

6.  Acknowledgements

   This document is an update to Nico Williams' RFC.  Greg Hudson has
   provided the test vectors based on MIT's implementation.

7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2743]  Linn, J., "Generic Security Service Application Program
              Interface Version 2, Update 1", RFC 2743, January 2000.

   [RFC2744]  Wray, J., "Generic Security Service API Version 2 :
              C-bindings", RFC 2744, January 2000.

   [RFC3961]  Raeburn, K., "Encryption and Checksum Specifications for
              Kerberos 5", RFC 3961, February 2005.

   [RFC4121]  Zhu, L., Jaganathan, K., and S. Hartman, "The Kerberos
              Version 5 Generic Security Service Application Program
              Interface (GSS-API) Mechanism: Version 2", RFC 4121, July
              2005.

   [RFC4401]  Williams, N., "A Pseudo-Random Function (PRF) API
              Extension for the Generic Security Service Application
              Program Interface (GSS-API)", RFC 4401, February 2006.

Appendix A.  Test Vectors

   Here are some test vectors from the MIT implementation provided by
   Greg Hudson.  Test cases used include input string lengths of 0 and
   61 bytes, and an output length of 44 bytes.  61 bytes of input is
   just enough to produce a partial second MD5 or SHA1 hash block with
   the four-byte counter prefix.  44 bytes of output requires two full
   and one partial RFC 3961 PRF output for all existing enctypes.  All
   keys were randomly generated.

   Enctype: des-cbc-crc
   Key:     E607FE9DABB57AE0
   Input:   (empty string)
   Output:  803C4121379FC4B87CE413B67707C4632EBED2C6D6B7
            2A55E878836E35E21600D915D590DED5B6D77BB30A1F

   Enctype: des-cbc-crc
   Key:     54758316B6257A75
   Input:   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789
   Output:  279E4105F7ADC9BD6EF28ABE31D89B442FE0058388BA
            33264ACB5729562DC637950F6BD144B654BE7700B2D6

   Enctype: des3-cbc-sha1
   Key:     70378A19CD64134580C27C0115D6B34A1CF2FEECEF9886A2
   Input:   (empty string)
   Output:  9F8D127C520BB826BFF3E0FE5EF352389C17E0C073D9
            AC4A333D644D21BA3EF24F4A886D143F85AC9F6377FB

   Enctype: des3-cbc-sha1
   Key:     3452A167DF1094BA1089E0A20E9E51ABEF1525922558B69E
   Input:   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789
   Output:  6BF24FABC858F8DD9752E4FCD331BB831F238B5BE190
            4EEA42E38F7A60C588F075C5C96A67E7F8B7BD0AECF4

   Enctype: rc4-hmac
   Key:     3BB3AE288C12B3B9D06B208A4151B3B6
   Input:   (empty string)
   Output:  9AEA11A3BCF3C53F1F91F5A0BA2132E2501ADF5F3C28
            3C8A983AB88757CE865A22132D6100EAD63E9E291AFA

   Enctype: rc4-hmac
   Key:     6DB7B33A01BD2B72F7655CB7B3D5FA0B
   Input:   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789
   Output:  CDA9A544869FC84873B692663A82AFDA101C8611498B
            A46138B01E927C9B95EEC953B562807434037837DDDF

   Enctype: aes128-cts-hmac-sha1-96
   Key:     6C742096EB896230312B73972FA28B5D
   Input:   (empty string)
   Output:  94208D982FC1BB7778128BDD77904420B45C9DA699F3
            117BCE66E39602128EF0296611A6D191A5828530F20F

   Enctype: aes128-cts-hmac-sha1-96
   Key:     FA61138C109D834A477D24C7311BE6DA
   Input:   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789
   Output:  0FAEDF0F842CC834FEE750487E1B622739286B975FE5
            B7F45AB053143C75CA0DF5D3D4BBB80F6A616C7C9027

   Enctype: aes256-cts-hmac-sha1-96
   Key:     08FCDAFD5832611B73BA7B497FEBFF8C954B4B58031CAD9B977C3B8C25192FD6
   Input:   (empty string)
   Output:  E627EFC14EF5B6D629F830C7109DEA0D3D7D36E8CD57
            A1F301C5452494A1928F05AFFBEE3360232209D3BE0D

   Enctype: aes256-cts-hmac-sha1-96
   Key:     F5B68B7823D8944F33F41541B4E4D38C9B2934F8D16334A796645B066152B4BE
   Input:   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789
   Output:  112F2B2D878590653CCC7DE278E9F0AA46FA5A380B62
            59F774CB7C134FCD37F61A50FD0D9F89BF8FE1A6B593

   Enctype: camellia128-cts-cmac
   Key:     866E0466A178279A32AC0BDA92B72AEB
   Input:   (empty string)
   Output:  97FBB354BF341C3A160DCC86A7A910FDA824601DF677
            68797BACEEBF5D250AE929DEC9760772084267F50A54

   Enctype: camellia128-cts-cmac
   Key:     D4893FD37DA1A211E12DD1E03E0F03B7
   Input:   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789
   Output:  1DEE2FF126CA563A2A2326B9DD3F0095013257414C83
            FAD4398901013D55F367C82681186B7B2FE62F746BA4

   Enctype: camellia256-cts-cmac
   Key:     203071B1AE77BD3D6FCE70174AF95C225B1CED46B35CF52B6479EFEB47E6B063
   Input:   (empty string)
   Output:  9B30020634C10FDA28420CEE7B96B70A90A771CED43A
            D8346554163E5949CBAE2FB8EF36AFB6B32CE75116A0

   Enctype: camellia256-cts-cmac
   Key:     A171AD582C1AFBBAD52ABD622EE6B6A14D19BF95C6914B2BA40FFD99A88EC660
   Input:   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789
   Output:  A47CBB6E104DCC77E4DB48A7A474B977F2FB6A7A1AB6
            52317D50508AE72B7BE2E4E4BA24164E029CBACF786B

Authors' Addresses

   Shawn Emery
   Oracle Corporation
   500 Eldorado Blvd Bldg 1
   Broomfield, CO 78727
   US

   EMail: shawn.emery@oracle.com


   Nicolas Williams
   Cryptonector, LLC

   EMail: nico@cryptonector.com