diff options
Diffstat (limited to 'third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-gss-crypto-00.txt')
-rw-r--r-- | third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-gss-crypto-00.txt | 562 |
1 files changed, 562 insertions, 0 deletions
diff --git a/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-gss-crypto-00.txt b/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-gss-crypto-00.txt new file mode 100644 index 00000000000..a1466b8e5e7 --- /dev/null +++ b/third_party/heimdal/doc/standardisation/draft-ietf-krb-wg-gss-crypto-00.txt @@ -0,0 +1,562 @@ + + + + + + + + + +Internet-Draft K. Raeburn +Kerberos Working Group MIT +Updates: RFC 1964 August 13, 2003 +Document: draft-ietf-krb-wg-gss-crypto-00.txt expires February 13, 2004 + + General Kerberos Cryptosystem Support + for the Kerberos 5 GSSAPI Mechanism + +Abstract + + This document describes an update to the Kerberos 5 mechanism for + GSSAPI to allow the use of Kerberos-defined cryptosystems directly in + GSSAPI messages, without requiring further changes for each new + encryption or checksum algorithm that complies with the Kerberos + crypto framework specifications. + +Status of this Memo + + This document is an Internet-Draft and is in full conformance with + all provisions of Section 10 of RFC2026 [RFC2026]. Internet-Drafts + are working documents of the Internet Engineering Task Force (IETF), + its areas, and its working groups. Note that other groups may also + distribute working documents as Internet-Drafts. Internet-Drafts are + draft documents valid for a maximum of six months and may be updated, + replaced, or obsoleted by other documents at any time. It is + inappropriate to use Internet-Drafts as reference material or to cite + them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + +1. Introduction + + Kerberos defines an encryption and checksum framework [KCRYPTO] that + provides for complete specification and enumeration of cryptosystem + specifications in a general way, to be used within Kerberos and + associated protocols. The GSSAPI Kerberos 5 mechanism definition + [GSSAPI-KRB5] sets up a framework for enumerating encryption and + checksum types, independently of how such schemes may be used in + Kerberos, thus requiring updates for any new encryption or checksum + algorithm not directly compatible with those already defined. + + + + +Raeburn [Page 1] + +INTERNET DRAFT August 2003 + + + This document describes an update to [GSSAPI-KRB5] to allow the use + of any Kerberos-defined cryptosystems directly in GSSAPI messages, + without requiring further changes for each new encryption or checksum + algorithm that complies with the framework specifications, and + without making assumptions concerning block sizes or other + characteristics of the underlying encryption operations. + +2. Conventions Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119. + +3. New Algorithm Identifiers + + Two new sealing algorithm numbers and one new signing algorithm + number are defined, for use in MIC, Wrap and Delete tokens. + + + type name octet values + ----------------------------------------- + seal KERBEROS5-ENCRYPT 00 01 + sign KERBEROS5-CHECKSUM 00 01 + sign NONE ff ff + + + The KERBEROS5-ENCRYPT algorithm encrypts using the Kerberos + encryption type [KCRYPTO] indicated by the encryption key type (using + the session key or initiator's subkey, as described in [GSSAPI- + KRB5]), with a key usage value KG_USAGE_SEAL, defined below. All + Kerberos encryption types provide for integrity protection, and + specify any padding that might be required; neither needs to be done + at the GSS mechanism level when KERBEROS5-ENCRYPT is used. When + KERBEROS5-ENCRYPT is used as the seal algorithm, the sign algorithm + MUST be NONE. + + The signing algorithm value NONE MUST be used only with a sealing + algorithm that incorporates integrity protection; currently, + KERBEROS5-ENCRYPT is the only such sealing algorithm. + + The KERBEROS5-CHECKSUM signing algorithm MAY be used in other cases. + The contents of the SGN_CKSUM field are determined by computing a + Kerberos checksum [KCRYPTO], using the session key or subkey, and a + key usage value of KG_USAGE_SIGN. The Kerberos checksum algorithm to + be used is the required-to-implement checksum algorithm associated + with the encryption key type. It should be noted that the checksum + input data in this case is not the same as the "to-be-signed data" + described in section 1.2.1.1 of [GSSAPI-KRB5]; see below. + + + +Raeburn [Page 2] + +INTERNET DRAFT August 2003 + + + The encryption or checksum output incorporated in the MIC and Wrap + tokens is the octet string output from the corresponding operation in + [KCRYPTO]; it should not be confused with the EncryptedData or + Checksum object in [KrbClar]. + + For purposes of key derivation, we add two new usage values to the + list defined in [KrbClar]; one for signing messages, and one for + sealing messages: + + + name value + ---------------------- + KG_USAGE_SEAL 22 + KG_USAGE_SIGN 23 + + +4. Adjustments to Previous Definitions + +4.1. Quality of Protection + + The GSSAPI specification [GSSAPI] says that a zero QOP value + indicates the "default". The original specification for the Kerberos + 5 mechanism says that a zero QOP value (or a QOP value with the + appropriate bits clear) means DES encryption. + + Since the quality of protection cannot be improved without fully + reauthenticating with a stronger key type, the QOP value is now + ignored. + +4.2. Message Layout + + The definitions of the MIC and Wrap tokens in [GSSAPI-KRB5] assumed + an 8-byte checksum size, and a CBC-mode block cipher with an 8-byte + block size, without integrity protection. In the crypto framework + described in [KCRYPTO], integrity protection is built into the + encryption operations. CBC mode is not assumed, and indeed there may + be no initial vector to supply. While the operations are performed + on messages of specific sizes, the underlying cipher may be a stream + cipher. + + We modify the message definitions such that the portions after the + first 8 bytes (which specify the token identification and the signing + and sealing algorithms) are defined by the algorithms chosen. The + remaining bytes must convey sequence number and direction + information, and must protect the integrity of the token id and + algorithm indicators. For the DES-based algorithms specified in + [GSSAPI-KRB5], the definition for the remaining data is backwards + compatible. + + + +Raeburn [Page 3] + +INTERNET DRAFT August 2003 + + + The revised message descriptions are thus as follows: + + + MIC token + Byte # Name Description + ------------------------------------------------------- + 0..1 TOK_ID Identification field (01 01). + 2..3 SGN_ALG Integrity algorithm indicator. + 4..7 Filler Contains ff ff ff ff + 8..N Dependent on SGN_ALG. + + If SGN_ALG is 0000, 0100, 0200: + 8..15 SND_SEQ Sequence number/direction + field, encrypted. + 16..23 SGN_CKSUM Checksum of bytes 0..7 and + application data, as described + in [GSSAPI-KRB5]. + If SGN_ALG is 0001: + 8..15 SND_SEQ Sequence number/direction + field, NOT encrypted. + 16..N SGN_CKSUM Checksum of bytes 0..15 and + application data, with key + usage KG_USAGE_SIGN. + + + Suggestions from Microsoft: Moving to 64-bit sequence numbers + would be better for long sessions with many messages. Using the + direction flag to perturb the encryption or integrity protection + is safer than simply including a flag which a buggy but mostly + working implementation might fail to check. + + I am considering changing to use 64-bit sequence numbers, and + omitting the direction flag from the transmitted cleartext data. + How it would factor into the encrypted Wrap token, I haven't + figured out yet. + + - Change the key usage values based on the direction? It's + suggested in [KCRYPTO], perhaps not strongly enough, that the key + usage numbers should perturb the key, but DES ignores them, + although DES shouldn't use this extension. + + - Add a direction flag byte in encrypted data? Either depends on + an implementor remembering to add the check. Adding it to + checksummed data requires that the implementor get it right. + + - Generate one or two new keys using PRF and random-to-key + operations, using different keys for each direction? Pulling the + DK function out of the simplified profile is probably not a good + + + +Raeburn [Page 4] + +INTERNET DRAFT August 2003 + + + way to do this. + + The filler bytes are included in the checksum calculation for + simplicity. There is no security benefit from including them. + + In the Wrap token, the initial bytes, sequence number and direction + are incorporated into the data to be encrypted. In most cases, this + is likely to be more efficient in terms of space and computing power + than using unencrypted sequence number and direction fields, adding a + checksum, and doing the additional work to authenticate that the + checksum and encrypted data are part of the same message. (The + framework in [KCRYPTO] has no support for integrity protection of a + block of data only some of which is encrypted, except by treating the + two portions independently and using some additional means to ensure + that the two parts continue to be associated with one another.) + + The length is also included, as a 4-byte value in network byte order, + because the decryption operation in the Kerberos crypto framework + does not recover the exact length of the original input. Thus, + messages with application data larger than 4 gigabytes are not + supported. + + [Q: Should this length be 8 bytes? ASN.1 wrapper?] + + + Wrap token + Byte # Name Description + ------------------------------------------------------------- + 0..1 TOK_ID Identification field (02 01). + 2..3 SGN_ALG Integrity algorithm indicator. + 4..5 SEAL_ALG Sealing algorithm indicator. + 6..7 Filler Contains ff ff + 8..last Dependent on SEAL_ALG and SGN_ALG. + + If SEAL_ALG is 0000: + 8..15 SND_SEQ Encrypted sequence number field. + 16..23 SGN_CKSUM Checksum of plaintext padded data, + calculated according to algorithm + specified in SGN_ALG field. (RFC + 1964) + 24..last Data Encrypted padded data. + + If SEAL_ALG is 0001 and SGN_ALG is ffff: + 8..last Data Encrypted bytes 0..5, 2-byte + direction flag, sequence number, + 4-byte data length, and data. + + + + + +Raeburn [Page 5] + +INTERNET DRAFT August 2003 + + + If SEAL_ALG is ffff, and SGN_ALG is 0000, 0100, 0200: + 8..15 SND_SEQ Encrypted sequence number field. + 16..23 SGN_CKSUM Checksum of plaintext padded data, + as in RFC 1964. + 24..last Data plaintext padded data + + If SEAL_ALG if ffff, and SGN_ALG is 0001: + 8..15 SND_SEQ Sequence number/direction field, + NOT encrypted. + 16..N SGN_CKSUM Checksum of bytes 0..15 and + application data, with key usage + KG_USAGE_SIGN. + N+1..last Data plaintext data + + + The direction flag, as in [GSSAPI-KRB5], is made up of bytes + indicating the party sending the token: 00 for the context initiator, + or hex FF for the context acceptor. In the KERBEROS5-ENCRYPT case, + only two bytes are used, and they replace the fixed filler bytes of + the token header, which need no protection; this reduces slightly the + redundancy of the data transmitted. + + The context-deletion token is essentially a MIC token with no user + data and a different TOK_ID value. Thus, its modification is + straightforward. + + + Context deletion token + Byte # Name Description + ------------------------------------------------------- + 0..1 TOK_ID Identification field (01 02). + 2..3 SGN_ALG Integrity algorithm indicator. + 4..7 Filler Contains ff ff ff ff + + If SGN_ALG is 0000, 0100, 0200: + 8..15 SND_SEQ Sequence number/direction + field, encrypted. + 16..23 SGN_CKSUM Checksum of bytes 0..7, as + described in [GSSAPI-KRB5]. + + If SGN_ALG is 0001: + 8..15 SND_SEQ Sequence number/direction + field, NOT encrypted. + 16..N SGN_CKSUM Checksum of bytes 0..15, with + key usage KG_USAGE_SIGN. + + + + + + +Raeburn [Page 6] + +INTERNET DRAFT August 2003 + + +5. Backwards Compatibility Considerations + + The context initiator should request of the KDC credentials using + session-key cryptosystem types supported by that implementation; if + the only types returned by the KDC are not supported by the mechanism + implementation, it should indicate a failure. This may seem obvious, + but early implementations of both Kerberos and the GSSAPI Kerberos + mechanism supported only DES keys, so the cryptosystem compatibility + question was easy to overlook. + + Under the current mechanism, no negotiation of algorithm types + occurs, so server-side (acceptor) implementations cannot request that + clients not use algorithm types not understood by the server. + However, administration of the server's Kerberos data (e.g., the + service key) has to be done in communication with the KDC, and it is + from the KDC that the client will request credentials. The KDC could + therefore be given the task of limiting session keys for a given + service to types actually supported by the Kerberos and GSSAPI + software on the server. + + This does have a drawback for cases where a service principal name is + used both for GSSAPI-based and non-GSSAPI-based communication (most + notably the "host" service key), if the GSSAPI implementation does + not understand (for example) AES but the Kerberos implementation + does. It means that AES session keys cannot be issued for that + service principal, which keeps the protection of non-GSSAPI services + weaker than necessary. + + It would also be possible to have clients attempt to get DES session + keys before trying to get AES session keys, and have the KDC refuse + to issue the DES keys only for the most critical of services, for + which DES protection is considered inadequate. However, that would + eliminate the possibility of connecting with the more secure + cryptosystem to any service that can be accessed with the weaker + cryptosystem. We thus recommend the former approach, putting the + burden on the KDC administration and gaining the best protection + possible for GSSAPI services, possibly at the cost of weaker + protection of non-GSSAPI Kerberos services sharing service principal + names with GSSAPI services that have not been updated to support this + extension. + + [optional:] + + This mechanism extension MUST NOT be used with the DES encryption key + types described in [KCRYPTO], which ignore the key usage values. + + + + + + +Raeburn [Page 7] + +INTERNET DRAFT August 2003 + + +6. Implementation Note + + At least two implementations have been done of extensions to the RFC + 1964 mechanism for specific non-DES encryption types. These are not + standards-track extensions, but implementors may wish to implement + them as well for compatibility with existing products. No guidance + is provided as to when an implementation may wish to use these non- + standard extensions instead of the extension specified in this + document. + +7. Security Considerations + + Various tradeoffs arise regarding the mixing of new and old software, + or GSSAPI-based and non-GSSAPI Kerberos authentication. They are + discussed in section 5. + + Remember to check direction flag. Key usage numbers and direction + checks? Considerations depend on the approach taken.... + +8. Acknowledgements + + Larry Zhu... + +9. Normative References + + [GSSAPI] + Linn, J., "Generic Security Service Application Program Interface + Version 2, Update 1", RFC 2743, January, 2000. + + [GSSAPI-KRB5] + Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964, + June, 1996. + + [KCRYPTO] + draft-ietf-krb-wg-crypto-XX -> RFC xxxx + + [KrbClar] + draft-ietf-krb-wg-kerberos-clarifications-XX -> RFC xxxx + + [RFC2026] + RFC 2026 ... + + [RFC2119] + RFC 2119 ... + + + + + + + +Raeburn [Page 8] + +INTERNET DRAFT August 2003 + + +10. Author's Address + + Kenneth Raeburn + Massachusetts Institute of Technology + 77 Massachusetts Avenue + Cambridge, MA 02139 + +Full Copyright Statement + + Copyright (C) The Internet Society (2003). All Rights Reserved. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + The limited permissions granted above are perpetual and will not be + revoked by the Internet Society or its successors or assigns. + + This document and the information contained herein is provided on an + "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING + TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING + BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION + HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF + MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." + +Document Change History + +Version -XX: + + Split up Abstract and create a real Introduction. Fix RFC 2026 + reference in Status section. Added Conventions, Acknowledgements and + Implementation Note sections. Updated References with more + placeholders. Capitalize some uses of "must" etc. + + Fill in case of Wrap token without integrity protection, using + KERBEROS5-CHECKSUM for SGN_ALG. Fix descriptions of which message + layout is used for which algorithms. + + + + +Raeburn [Page 9] + +INTERNET DRAFT August 2003 + + + Remove discussion of authenticated encryption with additional data. + + Add discussion of 64-bit sequence numbers and data length, and + alternate handling of the direction flag. + + + Version -XX sent in early 2003 to Kerberos working group: + + Initial revision. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Raeburn [Page 10] |