rfcdiff: draft-ietf-kitten-rfc4402bis-02.txt (Internet-Draft, December 11, 2015; expires June 13, 2016) vs. rfc7802.txt (RFC 7802, March 2016). The text below is the rfc7802.txt side of the diff; rfcdiff omits unchanged regions between change blocks.

Internet Engineering Task Force (IETF)                          S. Emery
Request for Comments: 7802                                        Oracle
Obsoletes: 4402                                              N. Williams
Category: Standards Track                                   Cryptonector
ISSN: 2070-1721                                               March 2016

A Pseudo-Random Function (PRF) for the Kerberos V Generic Security
Service Application Program Interface (GSS-API) Mechanism
Abstract

This document defines the Pseudo-Random Function (PRF) for the Kerberos V mechanism for the Generic Security Service Application Program Interface (GSS-API), based on the PRF defined for the Kerberos V cryptographic framework, for keying application protocols given an established Kerberos V GSS-API security context.

This document obsoletes RFC 4402 and reclassifies that document as Historic. RFC 4402 starts the PRF+ counter at 1; however, a number of implementations start the counter at 0. As a result, the original specification would not be interoperable with existing implementations.
Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7802.
Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents

1. Introduction
2. Conventions Used in This Document
3. Kerberos V GSS Mechanism PRF
4. IANA Considerations
5. Security Considerations
6. Normative References
Appendix A. Test Vectors
Acknowledgements
Authors' Addresses
1. Introduction

This document specifies the Kerberos V GSS-API mechanism's [RFC4121] pseudo-random function corresponding to [RFC4401]. The function is a "PRF+" style construction. For more information, see [RFC4401], [RFC2743], [RFC2744], and [RFC4121].

This document obsoletes RFC 4402 and reclassifies that document as Historic. RFC 4402 starts the PRF+ counter at 1; however, a number of implementations start the counter at 0. As a result, the original specification would not be interoperable with existing implementations.
2. Conventions Used in This Document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
3. Kerberos V GSS Mechanism PRF

[rfcdiff: unchanged text omitted (draft page 3, line 9; RFC page 3, line 17)]

The GSS-API PRF [RFC4401] function for the Kerberos V mechanism [RFC4121] shall be the output of a PRF+ function based on the encryption type's PRF function, keyed with the negotiated session key of the security context corresponding to the 'prf_key' input parameter of GSS_Pseudo_random().

This PRF+ MUST be keyed with the key indicated by the 'prf_key' input parameter as follows:

o GSS_C_PRF_KEY_FULL -- use the sub-session key asserted by the acceptor (if any exists), or the sub-session key asserted by the initiator (if any exists), or the Ticket's session key.

o GSS_C_PRF_KEY_PARTIAL -- use the sub-session key asserted by the initiator (if any exists), or the Ticket's session key.

The PRF+ function is a simple counter-based extension of the Kerberos V pseudo-random function [RFC3961] for the encryption type of the security context's keys:

PRF+(K, L, S) = truncate(L, T0 || T1 || .. || Tn)
Tn = pseudo-random(K, n || S)

where K is the key indicated by the 'prf_key' parameter, '||' is the concatenation operator, 'n' is a counter that starts at 0 (see Section 1) and is encoded as a network byte order 32-bit unsigned binary number, truncate(L, S) truncates the input octet string S to length L, and pseudo-random() is the Kerberos V pseudo-random function [RFC3961].

The maximum output size of the Kerberos V mechanism's GSS-API PRF then is, necessarily, 2^32 times the output size of the pseudo-random() function for the encryption type of the given key.

When the input size is longer than 2^14 octets as per [RFC4401] and exceeds an implementation's resources, then the mechanism MUST return GSS_S_FAILURE and GSS_KRB5_S_KG_INPUT_TOO_LONG as the minor status code.
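A worked implementation of the construction above, added here as an example; it is not code from RFC 7802, from MIT Kerberos, or from any other implementation. The PRF+ wrapper follows the formula in this section exactly (32-bit big-endian counter, concatenation, truncation to L, rejection of over-long input). The enctype pseudo-random() function is passed in as a callable; the demonstration uses an HMAC-SHA-256 stand-in, which is an assumption made so the code runs offline and is not any Kerberos enctype's PRF, so its outputs cannot be checked against the Appendix A vectors. The names select_prf_key, gss_pseudo_random, rejects_too_long, KrbInputTooLong, and the first_counter / rfc4402_compat parameters (0 per this document, 1 per the obsoleted RFC 4402) are invented for this example.

```python
"""PRF+ wrapper for the Kerberos V GSS-API mechanism (RFC 7802, Section 3).

Added example, not code from RFC 7802 or from any Kerberos implementation.
The enctype pseudo-random() function is injected as a callable; demo_prf()
below is an HMAC-SHA-256 stand-in (an assumption for offline use, NOT a
Kerberos enctype PRF), so its outputs will not match Appendix A.
"""
import hashlib
import hmac
import struct
from typing import Callable, Optional

# RFC 4401 requires support for prf_in of at least 2^14 octets; a longer
# input that exceeds the implementation's resources is rejected with
# GSS_S_FAILURE / GSS_KRB5_S_KG_INPUT_TOO_LONG.  2^14 is therefore the
# smallest cutoff a conforming implementation may use.
MAX_SUPPORTED_INPUT = 1 << 14


class KrbInputTooLong(Exception):
    """Hypothetical name standing in for GSS_S_FAILURE with minor status
    GSS_KRB5_S_KG_INPUT_TOO_LONG (the numeric minor code is
    implementation-specific and is not assigned here)."""


def select_prf_key(prf_key: str, ticket_session_key: bytes,
                   initiator_subkey: Optional[bytes],
                   acceptor_subkey: Optional[bytes]) -> bytes:
    """Key selection from RFC 7802 Section 3.

    GSS_C_PRF_KEY_FULL prefers the acceptor's sub-session key, so output
    derived with it depends on the acceptor's contribution; PARTIAL can be
    computed before the acceptor replies and therefore never uses it.
    """
    if prf_key == "GSS_C_PRF_KEY_FULL":
        candidates = (acceptor_subkey, initiator_subkey)
    elif prf_key == "GSS_C_PRF_KEY_PARTIAL":
        candidates = (initiator_subkey,)
    else:
        raise ValueError(f"unknown prf_key selector {prf_key!r}")
    for k in candidates:
        if k is not None:
            return k
    return ticket_session_key


def prf_plus(prf: Callable[[bytes, bytes], bytes], key: bytes, length: int,
             seed: bytes, first_counter: int = 0,
             max_input: int = MAX_SUPPORTED_INPUT) -> bytes:
    """PRF+(K, L, S) = truncate(L, T0 || T1 || ... || Tn), Tn = prf(K, n || S).

    'n' is a 32-bit unsigned big-endian counter.  RFC 7802 starts it at 0
    (the default); RFC 4402 started it at 1, which is why the two are not
    interoperable.  With a 32-bit counter the output is capped at 2^32
    blocks of the enctype PRF's output size, as the RFC notes.
    """
    if length < 0:
        raise ValueError("output length must be non-negative")
    if len(seed) > max_input:
        raise KrbInputTooLong(
            f"prf_in is {len(seed)} octets, limit is {max_input}")
    out = bytearray()
    n = first_counter
    while len(out) < length:
        if n > 0xFFFFFFFF:
            raise ValueError("requested length exceeds 2^32 PRF blocks")
        out += prf(key, struct.pack(">I", n) + seed)   # Tn = prf(K, n || S)
        n += 1
    return bytes(out[:length])                          # truncate(L, ...)


def demo_prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the enctype pseudo-random() (assumption: HMAC-SHA-256
    with a fixed 32-octet output; NOT a Kerberos enctype PRF)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def gss_pseudo_random(key: bytes, length: int, prf_in: bytes,
                      rfc4402_compat: bool = False) -> bytes:
    """GSS_Pseudo_random() body once the key has been selected.

    rfc4402_compat=True reproduces the obsoleted counter-at-1 behaviour so
    the two outputs can be compared side by side.
    """
    return prf_plus(demo_prf, key, length, prf_in,
                    first_counter=1 if rfc4402_compat else 0)


def rejects_too_long(prf_in: bytes) -> bool:
    """True when prf_in is refused with the INPUT_TOO_LONG condition."""
    try:
        gss_pseudo_random(b"\x00" * 32, 16, prf_in)
    except KrbInputTooLong:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample keys and seed; these are not the Appendix A vectors.
    key = select_prf_key("GSS_C_PRF_KEY_FULL", b"T" * 32, b"I" * 32, b"A" * 32)
    seed = b"example application key label"
    new = gss_pseudo_random(key, 44, seed)                       # counter from 0
    old = gss_pseudo_random(key, 44, seed, rfc4402_compat=True)  # counter from 1
    print("RFC 7802:", new.hex().upper())
    print("RFC 4402:", old.hex().upper())
    # RFC 4402's first block is RFC 7802's second block: the outputs differ
    # even though key, seed and length are identical.
    print("old[:12] == new[32:44]:", old[:12] == new[32:44])
```

Because every Tn depends only on (K, n, S), blocks can be computed in parallel, which is the parallelization the Security Considerations mention; the loop above is sequential only for clarity.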
[rfcdiff: unchanged text omitted (draft page 4, line 24; RFC page 4, line 33); the Security Considerations paragraph below is cut at its start]

... initiators should assert sub-session keys always, and acceptors should assert sub-session keys at least when initiators fail to do so.

The computational cost of computing this PRF+ may vary depending on the Kerberos V encryption types being used, but generally the computation of this PRF+ gets more expensive as the input and output octet string lengths grow (note that the use of a counter in the PRF+ construction allows for parallelization).
6. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC2743] Linn, J., "Generic Security Service Application Program Interface Version 2, Update 1", RFC 2743, DOI 10.17487/RFC2743, January 2000, <http://www.rfc-editor.org/info/rfc2743>.
[rfcdiff: unchanged text omitted (draft page 8, line 5; RFC page 8, line 5); the earlier Appendix A test vectors, and the Enctype and Key lines of the vector whose Input and Output follow, fall in the omitted region]

Input: (empty string)
Output: 9B30020634C10FDA28420CEE7B96B70A90A771CED43A
        D8346554163E5949CBAE2FB8EF36AFB6B32CE75116A0

Enctype: camellia256-cts-cmac
Key: A171AD582C1AFBBAD52ABD622EE6B6A14D19BF95C6914B2BA40FFD99A88EC660
Input: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789
Output: A47CBB6E104DCC77E4DB48A7A474B977F2FB6A7A1AB6
        52317D50508AE72B7BE2E4E4BA24164E029CBACF786B

Both outputs shown are 44 octets, i.e. the result of truncate(L, ...) with L = 44; 44 is not a multiple of the 16-octet camellia PRF output, so the last block is truncated.
Acknowledgements
This document is an update to RFC 4402, which was authored by Nico
Williams. Greg Hudson has provided the test vectors based on MIT's
implementation.
Authors' Addresses

Shawn Emery
Oracle Corporation
500 Eldorado Blvd Bldg 1
Broomfield, CO 78727
United States
EMail: shawn.emery@oracle.com

Nicolas Williams
Cryptonector, LLC
EMail: nico@cryptonector.com
End of changes. 19 change blocks. 45 lines changed or deleted, 42 lines changed or added.
This html diff was produced by rfcdiff 1.43. The latest version is available from http://tools.ietf.org/tools/rfcdiff/