1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
|
INTERNET DRAFT K. Raeburn
Kerberos Working Group MIT
Document: draft-ietf-krb-wg-crypto-07.txt February 10, 2004
expires August 10, 2004
Encryption and Checksum Specifications
for Kerberos 5
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [RFC2026]. Internet-Drafts
are working documents of the Internet Engineering Task Force (IETF),
its areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts. Internet-Drafts are
draft documents valid for a maximum of six months and may be updated,
replaced, or obsoleted by other documents at any time. It is
inappropriate to use Internet-Drafts as reference material or to cite
them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.html.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document describes a framework for defining encryption and
checksum mechanisms for use with the Kerberos protocol, defining an
abstraction layer between the Kerberos protocol and related
protocols, and the actual mechanisms themselves. Several mechanisms
are also defined in this document. Some are taken from RFC 1510,
modified in form to fit this new framework, and occasionally modified
in content when the old specification was incorrect. New mechanisms
are presented here as well. This document does NOT indicate which
mechanisms may be considered "required to implement".
Comments should be sent to the editor, or to the IETF Kerberos
working group (ietf-krb-wg@anl.gov).
Raeburn [Page 1]
�
INTERNET DRAFT February 2004
1mTable of Contents0m
Status of this Memo . . . . . . . . . . . . . . . . . . . . . . . . 1
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Table of Contents . . . . . . . . . . . . . . . . . . . . . . . . . 2
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Encryption algorithm profile . . . . . . . . . . . . . . . . . . 4
4. Checksum algorithm profile . . . . . . . . . . . . . . . . . . . 9
5. Simplified profile for CBC ciphers with key derivation . . . . . 10
5.1. A key derivation function . . . . . . . . . . . . . . . . . . . 11
5.2. Simplified profile parameters . . . . . . . . . . . . . . . . . 13
5.3. Cryptosystem profile based on simplified profile . . . . . . . 14
5.4. Checksum profiles based on simplified profile . . . . . . . . . 16
6. Profiles for Kerberos encryption and checksum algorithms . . . . 16
6.1. Unkeyed checksums . . . . . . . . . . . . . . . . . . . . . . . 17
6.2. DES-based encryption and checksum types . . . . . . . . . . . . 18
6.3. Triple-DES based encryption and checksum types . . . . . . . . 28
7. Use of Kerberos encryption outside this specification . . . . . . 30
8. Assigned Numbers . . . . . . . . . . . . . . . . . . . . . . . . 31
9. Implementation Notes . . . . . . . . . . . . . . . . . . . . . . 33
10. Security Considerations . . . . . . . . . . . . . . . . . . . . 33
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 35
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 36
A. Test vectors . . . . . . . . . . . . . . . . . . . . . . . . . . 37
A.1. n-fold . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
A.2. mit_des_string_to_key . . . . . . . . . . . . . . . . . . . . . 39
A.3. DES3 DR and DK . . . . . . . . . . . . . . . . . . . . . . . . 43
A.4. DES3string_to_key . . . . . . . . . . . . . . . . . . . . . . . 44
A.5. Modified CRC-32 . . . . . . . . . . . . . . . . . . . . . . . . 45
B. Significant Changes from RFC 1510 . . . . . . . . . . . . . . . . 45
Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Intellectual Property Statement . . . . . . . . . . . . . . . . . . 47
Normative References . . . . . . . . . . . . . . . . . . . . . . . . 48
Informative References . . . . . . . . . . . . . . . . . . . . . . . 49
Editor's address . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . . 50
Raeburn [Page 2]
�
INTERNET DRAFT February 2004
1. Introduction
The Kerberos protocols [Kerb] are designed to encrypt messages of
arbitrary sizes, using block encryption ciphers, or less commonly,
stream encryption ciphers. Encryption is used to prove the
identities of the network entities participating in message
exchanges. However, nothing in the Kerberos protocol requires any
specific encryption algorithm be used, as long as certain operations
are available in the algorithm that is used.
The following sections specify the encryption and checksum mechanisms
currently defined for Kerberos, as well as a framework for defining
future mechanisms. The encoding, chaining, padding and other
requirements for each are described. Test vectors for several
functions are given in appendix A.
2. Concepts
Both encryption and checksum mechanisms are defined in terms of
profiles, detailed in later sections. Each specifies a collection of
operations and attributes that must be defined for a mechanism. A
Kerberos encryption or checksum mechanism specification is not
complete if it does not define all of these operations and
attributes.
An encryption mechanism must provide for confidentiality and
integrity of the original plaintext. (Integrity checking may be
achieved by incorporating a checksum, if the encryption mode does not
provide an integrity check itself.) It must also provide non-
malleability [Bellare98, Dolev91]. Use of a random confounder
prepended to the plaintext is recommended. It should not be possible
to determine if two ciphertexts correspond to the same plaintext,
without knowledge of the key.
A checksum mechanism [1] must provide proof of the integrity of the
associated message, and must preserve the confidentiality of the
message in case it is not sent in the clear. It should be infeasible
to find two plaintexts which have the same checksum. It is NOT
required that an eavesdropper be unable to determine if two checksums
are for the same message; it is assumed that the messages themselves
will be visible to any such eavesdropper.
Due to advances in cryptography, it is considered unwise by some
cryptographers to use the same key for multiple purposes. Since keys
are used in performing a number of different functions in Kerberos,
it is desirable to use different keys for each of these purposes,
even though we start with a single long-term or session key.
Raeburn [Page 3]
�
INTERNET DRAFT February 2004
We do this by enumerating the different uses of keys within Kerberos,
and making the "usage number" an input to the encryption or checksum
mechanisms; this enumeration is outside the scope of this document.
Later sections of this document define simplified profile templates
for encryption and checksum mechanisms that use a key derivation
function applied to a CBC mode (or similar) cipher and a checksum or
hash algorithm.
We distinguish the "base key" specified by other documents from the
"specific key" to be used for a particular instance of encryption or
checksum operations. It is expected but not required that the
specific key will be one or more separate keys derived from the
original protocol key and the key usage number. The specific key
should not be explicitly referenced outside of this document. The
typical language used in other documents should be something like,
"encrypt this octet string using this key and this usage number";
generation of the specific key and cipher state (described in the
next section) are implicit. The creation of a new cipher-state
object, or the re-use of one from a previous encryption operation,
may also be explicit.
New protocols defined in terms of the Kerberos encryption and
checksum types should use their own key usage values. Key usages are
unsigned 32 bit integers; zero is not permitted.
All data is assumed to be in the form of strings of octets or 8-bit
bytes. Environments with other byte sizes will have to emulate this
behavior in order to get correct results.
Each algorithm is assigned an encryption type (or "etype") or
checksum type number, for algorithm identification within the
Kerberos protocol. The full list of current type number assignments
is given in section 8.
3. Encryption algorithm profile
An encryption mechanism profile must define the following attributes
and operations. The operations must be defined as functions in the
mathematical sense: no additional or implicit inputs (such as
Kerberos principal names or message sequence numbers) are permitted.
protocol key format
This describes what octet string values represent valid keys. For
encryption mechanisms that don't have perfectly dense key spaces,
this will describe the representation used for encoding keys. It
need not describe specific values that are not valid or desirable
for use; such values should be avoid by all key generation
routines.
Raeburn [Page 4]
�
INTERNET DRAFT February 2004
specific key structure
This is not a protocol format at all, but a description of the
keying material derived from the chosen key and used to encrypt or
decrypt data or compute or verify a checksum. It may, for
example, be a single key, a set of keys, or a combination of the
original key with additional data. The authors recommend using
one or more keys derived from the original key via one-way key
derivation functions.
required checksum mechanism
This indicates a checksum mechanism that must be available when
this encryption mechanism is used. Since Kerberos has no built in
mechanism for negotiating checksum mechanisms, once an encryption
mechanism has been decided upon, the corresponding checksum
mechanism can simply be used.
key-generation seed length, K
This is the length of the random bitstring needed to generate a
key with the encryption scheme's random-to-key function (described
below). This must be a fixed value so that various techniques for
producing a random bitstring of a given length may be used with
key generation functions.
key generation functions
Keys must be generated in a number of cases, from different types
of inputs. All function specifications must indicate how to
generate keys in the proper wire format, and must avoid generation
of keys that significantly compromise the confidentiality of
encrypted data, if the cryptosystem has such. Entropy from each
source should be preserved as much as possible. Many of the
inputs, while unknown, may be at least partly predictable (e.g., a
password string is likely to be entirely in the ASCII subset and
of fairly short length in many environments; a semi-random string
may include timestamps); the benefit of such predictability to an
attacker must be minimized.
string-to-key (UTF-8 string, UTF-8 string, opaque)->(protocol-key)
This function generates a key from two UTF-8 strings and an
opaque octet string. One of the strings is normally the
principal's pass phrase, but is in general merely a secret
string. The other string is a "salt" string intended to
produce different keys from the same password for different
users or realms. While the strings provided will use UTF-8
encoding, no specific version of Unicode should be assumed; all
valid UTF-8 strings should be allowed. Strings provided in
other encodings MUST first be converted to UTF-8 before
applying this function.
Raeburn [Page 5]
�
INTERNET DRAFT February 2004
The third argument, the octet string, may be used to pass
mechanism-specific parameters in to this function. Since doing
so implies knowledge of the specific encryption system, it is
intended that generating non-default parameter values be an
uncommon operation, and that normal Kerberos applications be
able to treat this parameter block as an opaque object supplied
by the Key Distribution Center or defaulted to some mechanism-
specific constant value.
The string-to-key function should be a one-way function, so
that compromising a user's key in one realm does not compromise
the user's key in another realm, even if the same password (but
a different salt) is used.
random-to-key (bitstring[K])->(protocol-key)
This function generates a key from a random bitstring of a
specific size. It may be assumed that all the bits of the
input string are equally random, even though the entropy
present in the random source may be limited.
key-derivation (protocol-key, integer)->(specific-key)
In this function, the integer input is the key usage value as
described above; the usage values must be assumed to be known
to an attacker. The specific-key output value was described in
section 2.
string-to-key parameter format
This describes the format of the block of data that can be passed
to the string-to-key function above to configure additional
parameters for that function. Along with the mechanism of
encoding parameter values, bounds on the allowed parameters should
also be described to avoid allowing a spoofed KDC to compromise
the user's password. It may be desirable to construct the
encoding such that values weakening the resulting key unacceptably
cannot be encoded, if practical.
Tighter bounds might be permitted by local security policy, or to
avoid excess resource consumption; if so, recommended defaults for
those bounds should be given in the specification. The
description should also outline possible weaknesses that may be
caused by not applying bounds checks or other validation to a
parameter string received from the network.
As mentioned above, this should be considered opaque to most
normal applications.
Raeburn [Page 6]
�
INTERNET DRAFT February 2004
default string-to-key parameters (octet string)
This default value for the "params" argument to the string-to-key
function is to be used when the application protocol (Kerberos or
otherwise) does not explicitly set the parameter value. As
indicated above, this parameter block should be treated as an
opaque object in most cases.
cipher state
This describes any information that can be carried over from one
encryption or decryption operation to the next, for use in
conjunction with a given specific key. For example, a block
cipher used in CBC mode may put an initial vector of one block in
the cipher state. Other encryption modes may track nonces or
other data.
This state must be non-empty, and must influence encryption so as
to require that messages be decrypted in the same order they were
encrypted, if the cipher state is carried over from one encryption
to the next. Distinguishing out-of-order or missing messages from
corrupted messages is not required; if desired, this can be done
at a higher level by including sequence numbers and not "chaining"
the cipher state between encryption operations.
The cipher state may not be reused in multiple encryption or
decryption operations; these operations all generate a new cipher
state that may be used for following operations using the same key
and operation.
The contents of the cipher state must be treated as opaque outside
of encryption system specifications.
initial cipher state (specific-key, direction)->(state)
This describes the generation of the initial value for the cipher
state if it is not being carried over from a previous encryption
or decryption operation.
This describes any initial state setup needed before encrypting
arbitrary amounts of data with a given specific key; the specific
key and the direction of operations to be performed (encrypt
versus decrypt) must be the only input needed for this
initialization.
This state should be treated as opaque in any uses outside of an
encryption algorithm definition.
IMPLEMENTATION NOTE: [Kerb1510] was vague on whether and to what
degree an application protocol could exercise control over the
initial vector used in DES CBC operations. Some existing
Raeburn [Page 7]
�
INTERNET DRAFT February 2004
implementations permit the setting of the initial vector. This
framework does not provide for application control of the cipher
state (beyond "initialize" and "carry over from previous
encryption"), since the form and content of the initial cipher
state can vary between encryption systems, and may not always be a
single block of random data.
New Kerberos application protocols should not assume that they can
control the initial vector, or that one even exists. However, a
general-purpose implementation may wish to provide the capability,
in case applications explicitly setting it are encountered.
encrypt (specific-key, state, octet string)->(state, octet string)
This function takes the specific key, cipher state, and a non-
empty plaintext string as input, and generates ciphertext and a
new cipher state as outputs. If the basic encryption algorithm
itself does not provide for integrity protection (as DES in CBC
mode does not do), then some form of MAC or checksum must be
included that can be verified by the receiver. Some random factor
such as a confounder should be included so that an observer cannot
know if two messages contain the same plaintext, even if the
cipher state and specific keys are the same. The exact length of
the plaintext need not be encoded, but if it is not and if padding
is required, the padding must be added at the end of the string so
that the decrypted version may be parsed from the beginning.
The specification of the encryption function must not only
indicate the precise contents of the output octet string, but also
the output cipher state. The application protocol may carry
forward the output cipher state from one encryption with a given
specific key to another; the effect of this "chaining" must be
defined. [2]
Assuming correctly-produced values for the specific key and cipher
state, no input octet string may result in an error indication.
decrypt (specific-key, state, octet string)->(state, octet string)
This function takes the specific key, cipher state, and ciphertext
as inputs, and verifies the integrity of the supplied ciphertext.
If the ciphertext's integrity is intact, this function produces
the plaintext and a new cipher state as outputs; otherwise, an
error indication must be returned, and the data discarded.
The result of the decryption may be longer than the original
plaintext, for example if the encryption mode adds padding to
reach a multiple of a block size. If this is the case, any extra
octets must be after the decoded plaintext. An application
protocol which needs to know the exact length of the message must
Raeburn [Page 8]
�
INTERNET DRAFT February 2004
encode a length or recognizable "end of message" marker within the
plaintext. [3]
As with the encryption function, a correct specification for this
function must indicate not only the contents of the output octet
string, but also the resulting cipher state.
pseudo-random (protocol-key, octet-string)->(octet-string)
This pseudo-random function should generate an octet string of
some size that independent of the octet string input. The PRF
output string should be suitable for use in key generation, even
if the octet string input is public. It should not reveal the
input key, even if the output is made public.
These operations and attributes are all that is required to support
Kerberos and various proposed preauthentication schemes.
For convenience of certain application protocols that may wish to use
the encryption profile, we add the constraint that, for any given
plaintext input size, there must be a message size between that given
size and that size plus 65535 such that the length of such that the
decrypted version of the ciphertext for any message of that size will
never have extra octets added at the end.
Expressed mathematically, for every message length L1, there exists a
message size L2 such that:
L2 >= L1
L2 < L1 + 65536
for every message M with |M| = L2, decrypt(encrypt(M)) = M
A document defining a new encryption type should also describe known
weaknesses or attacks, so that its security may be fairly assessed,
and should include test vectors or other validation procedures for
the operations defined. Specific references to information readily
available elsewhere are sufficient.
4. Checksum algorithm profile
A checksum mechanism profile must define the following attributes and
operations:
associated encryption algorithm(s)
This indicates the types of encryption keys this checksum
mechanism can be used with.
A keyed checksum mechanism may have more than one associated
encryption algorithm if they share the same wire key format,
Raeburn [Page 9]
�
INTERNET DRAFT February 2004
string-to-key function, and key derivation function. (This
combination means that, for example, a checksum type, key usage
value and password are adequate to get the specific key used to
compute a checksum.)
An unkeyed checksum mechanism can be used in conjunction with any
encryption type, since the key is ignored, but its use must be
limited to cases where the checksum itself is protected, to avoid
trivial attacks.
get_mic function
This function generates a MIC token for a given specific key (see
section 3), and message (represented as an octet string), that may
be used to verify the integrity of the associated message. This
function is not required to return the same deterministic result
on every use; it need only generate a token that the verify_mic
routine can check.
The output of this function will also dictate the size of the
checksum. It must be no larger than 65535 octets.
verify_mic function
Given a specific key, message, and MIC token, this function
ascertains whether the message integrity has been compromised.
For a deterministic get_mic routine, the corresponding verify_mic
may simply generate another checksum and compare them.
The get_mic and verify_mic operations must be able to handle inputs
of arbitrary length; if any padding is needed, the padding scheme
must be specified as part of these functions.
These operations and attributes are all that should be required to
support Kerberos and various proposed preauthentication schemes.
As with encryption mechanism definition documents, documents defining
new checksum mechanisms should indicate validation processes and
known weaknesses.
5. Simplified profile for CBC ciphers with key derivation
The profile outlines in sections 3 and 4 describes a large number of
operations that must be defined for encryption and checksum
algorithms to be used with Kerberos. We describe here a simpler
profile from which both encryption and checksum mechanism definitions
can be generated, filling in uses of key derivation in appropriate
places, providing integrity protection, and defining multiple
operations for the cryptosystem profile based on a smaller set of
operations given in the simplified profile. Not all of the existing
Raeburn [Page 10]
�
INTERNET DRAFT February 2004
cryptosystems for Kerberos fit into this simplified profile, but we
recommend that future cryptosystems use it or something based on it.
[4]
Not all of the operations in the complete profiles are defined
through this mechanism; several must still be defined for each new
algorithm pair.
5.1. A key derivation function
Rather than define some scheme by which a "protocol key" is composed
of a large number of encryption keys, we use keys derived from a base
key to perform cryptographic operations. The base key must be used
only for generating the derived keys, and this derivation must be
non-invertible and entropy-preserving. Given these restrictions,
compromise of one derived key does not compromise the other subkeys.
Attack of the base key is limited, since it is only used for
derivation, and is not exposed to any user data.
Since the derived key has as much entropy as the base keys (if the
cryptosystem is good), password-derived keys have the full benefit of
all the entropy in the password.
To generate a derived key from a base key, we generate a pseudorandom
octet string, using an algorithm DR described below, and generate a
key from that octet string using a function dependent on the
encryption algorithm; the input length needed for that function,
which is also dependent on the encryption algorithm, dictates the
length of the string to be generated by the DR algorithm (the value
"k" below). These procedures are based on the key derivation in
[Blumenthal96].
Derived Key = DK(Base Key, Well-Known Constant)
DK(Key, Constant) = random-to-key(DR(Key, Constant))
DR(Key, Constant) = k-truncate(E(Key, Constant,
initial-cipher-state))
Here DR is the random-octet generation function described below, and
DK is the key-derivation function produced from it. In this
construction, E(Key, Plaintext, CipherState) is a cipher, Constant is
a well-known constant determined by the specific usage of this
function, and k-truncate truncates its argument by taking the first k
bits. Here, k is the key generation seed length needed for the
encryption system.
The output of the DR function is a string of bits; the actual key is
Raeburn [Page 11]
�
INTERNET DRAFT February 2004
produced by applying the cryptosystem's random-to-key operation on
this bitstring.
If the Constant is smaller than the cipher block size of E, then it
must be expanded with n-fold() so it can be encrypted. If the output
of E is shorter than k bits it is fed back into the encryption as
many times as necessary. The construct is as follows (where |
indicates concatentation):
K1 = E(Key, n-fold(Constant), initial-cipher-state)
K2 = E(Key, K1, initial-cipher-state)
K3 = E(Key, K2, initial-cipher-state)
K4 = ...
DR(Key, Constant) = k-truncate(K1 | K2 | K3 | K4 ...)
n-fold is an algorithm which takes m input bits and ``stretches''
them to form n output bits with equal contribution from each input
bit to the output, as described in [Blumenthal96]:
We first define a primitive called n-folding, which takes a
variable-length input block and produces a fixed-length output
sequence. The intent is to give each input bit approximately
equal weight in determining the value of each output bit. Note
that whenever we need to treat a string of octets as a number, the
assumed representation is Big-Endian -- Most Significant Byte
first.
To n-fold a number X, replicate the input value to a length that
is the least common multiple of n and the length of X. Before
each repetition, the input is rotated to the right by 13 bit
positions. The successive n-bit chunks are added together using
1's-complement addition (that is, with end-around carry) to yield
a n-bit result....
Test vectors for n-fold are supplied in Appendix A. [5]
In this section, n-fold is always used to produce c bits of output,
where c is the cipher block size of E.
The size of the Constant must not be larger than c, because reducing
the length of the Constant by n-folding can cause collisions.
If the size of the Constant is smaller than c, then the Constant must
be n-folded to length c. This string is used as input to E. If the
block size of E is less than the random-to-key input size, then the
output from E is taken as input to a second invocation of E. This
Raeburn [Page 12]
�
INTERNET DRAFT February 2004
process is repeated until the number of bits accumulated is greater
than or equal to the random-to-key input size. When enough bits have
been computed, the first k are taken as the random data used to
create the key with the algorithm-dependent random-to-key function.
Since the derived key is the result of one or more encryptions in the
base key, deriving the base key from the derived key is equivalent to
determining the key from a very small number of plaintext/ciphertext
pairs. Thus, this construction is as strong as the cryptosystem
itself.
5.2. Simplified profile parameters
These are the operations and attributes that must be defined:
protocol key format
string-to-key function
default string-to-key parameters
key-generation seed length, k
random-to-key function
As above for the normal encryption mechanism profile.
unkeyed hash algorithm, H
This should be a collision-resistant hash algorithm with fixed-
size output, suitable for use in an HMAC [HMAC]. It must support
inputs of arbitrary length. Its output must be at least the
message block size (below).
HMAC output size, h
This indicates the size of the leading substring output by the
HMAC function that should be used in transmitted messages. It
should be at least half the output size of the hash function H,
and at least 80 bits; it need not match the output size.
message block size, m
This is the size of the smallest units the cipher can handle in
the mode in which it is being used. Messages will be padded to a
multiple of this size. If a block cipher is used in a mode that
can handle messages that are not multiples of the cipher block
size, such as CBC mode with cipher text stealing (CTS, see [RC5]),
this value would be one octet. For traditional CBC mode with
padding, it will be the underlying cipher's block size.
This value must be a multiple of 8 bits (one octet).
Raeburn [Page 13]
�
INTERNET DRAFT February 2004
encryption/decryption functions, E and D
These are basic encryption and decryption functions for messages
of sizes that are multiples of the message block size. No
integrity checking or confounder should be included here. These
functions take as input the IV or similar data, a protocol-format
key, and a octet string, returning a new IV and octet string.
The encryption function is not required to use CBC mode, but is
assumed to be using something with similar properties. In
particular, prepending a cipher-block-size confounder to the
plaintext should alter the entire ciphertext (comparable to
choosing and including a random initial vector for CBC mode).
The result of encrypting one cipher block (of size c, above) must
be deterministic, for the random octet generation function DR in
the previous section to work. For best security, it should also
be no larger than c.
cipher block size, c
This is the block size of the block cipher underlying the
encryption and decryption functions indicated above, used for key
derivation and for the size of the message confounder and initial
vector. (If a block cipher is not in use, some comparable
parameter should be determined.) It must be at least 5 octets.
This is not actually an independent parameter; rather, it is a
property of the functions E and D. It is listed here to clarify
the distinction between it and the message block size, m.
While there are still a number of properties to specify, they are
fewer and simpler than in the full profile.
5.3. Cryptosystem profile based on simplified profile
The above key derivation function is used to produce three
intermediate keys. One is used for computing checksums of
unencrypted data. The other two are used for encrypting and
checksumming plaintext to be sent encrypted.
The ciphertext output is the concatenation of the output of the basic
encryption function E and a (possibly truncated) HMAC using the
specified hash function H, both applied to the plaintext with a
random confounder prefix and sufficient padding to bring it to a
multiple of the message block size. When the HMAC is computed, the
key is used in the protocol key form.
Decryption is performed by removing the (partial) HMAC, decrypting
the remainder, and verifying the HMAC. The cipher state is an
Raeburn [Page 14]
�
INTERNET DRAFT February 2004
initial vector, initialized to zero.
The substring notation "[1..h]" in the following table should be read
as using 1-based indexing; leading substrings are used.
cryptosystem from simplified profile
----------------------------------------------------------------------------
protocol key format As given.
specific key structure Three protocol-format keys: { Kc, Ke, Ki }.
key-generation seed As given.
length
required checksum As defined below in section 5.4.
mechanism
cipher state initial vector (usually of length c)
initial cipher state all bits zero
encryption function conf = random string of length c
pad = shortest string to bring confounder
and plaintext to a length that's a
multiple of m
(C1, newIV) = E(Ke, conf | plaintext | pad,
oldstate.ivec)
H1 = HMAC(Ki, conf | plaintext | pad)
ciphertext = C1 | H1[1..h]
newstate.ivec = newIV
decryption function (C1,H1) = ciphertext
(P1, newIV) = D(Ke, C1, oldstate.ivec)
if (H1 != HMAC(Ki, P1)[1..h])
report error
newstate.ivec = newIV
default string-to-key As given.
params
pseudo-random function tmp1 = H(octet-string)
tmp2 = truncate tmp1 to multiple of m
PRF = E(protocol-key, tmp2, initial-cipher-state)
key generation functions:
Raeburn [Page 15]
�
INTERNET DRAFT February 2004
cryptosystem from simplified profile
----------------------------------------------------------------------------
string-to-key function As given.
random-to-key function As given.
key-derivation function The "well-known constant" used for the DK
function is the key usage number, expressed as
four octets in big-endian order, followed by one
octet indicated below.
Kc = DK(base-key, usage | 0x99);
Ke = DK(base-key, usage | 0xAA);
Ki = DK(base-key, usage | 0x55);
5.4. Checksum profiles based on simplified profile
When an encryption system is defined using the simplified profile
given in section 5.2, a checksum algorithm may be defined for it as
follows:
checksum mechanism from simplified profile
--------------------------------------------------
associated cryptosystem as defined above
get_mic HMAC(Kc, message)[1..h]
verify_mic get_mic and compare
The HMAC function and key Kc are as described in section 5.3.
6. Profiles for Kerberos encryption and checksum algorithms
These profiles describe the encryption and checksum systems defined
for Kerberos. The astute reader will notice that some of them do not
fulfull all of the requirements outlined in previous sections. These
systems are defined for backward compatibility; newer implementations
should (whenever possible) attempt to make use of encryption systems
which satisfy all of the profile requirements.
The full list of current encryption and checksum type number
assignments, including values currently reserved but not defined in
this document, is given in section 8.
Raeburn [Page 16]
�
INTERNET DRAFT February 2004
6.1. Unkeyed checksums
These checksum types use no encryption keys, and thus can be used in
combination with any encryption type, but may only be used with
caution, in limited circumstances where the lack of a key does not
provide a window for an attack, preferably as part of an encrypted
message. [6] Keyed checksum algorithms are recommended.
6.1.1. The RSA MD5 Checksum
The RSA-MD5 checksum calculates a checksum using the RSA MD5
algorithm [MD5-92]. The algorithm takes as input an input message of
arbitrary length and produces as output a 128-bit (16 octet)
checksum. RSA-MD5 is believed to be collision-proof.
rsa-md5
----------------------------------------------
associated cryptosystem any
get_mic rsa-md5(msg)
verify_mic get_mic and compare
The rsa-md5 checksum algorithm is assigned a checksum type number of
seven (7).
6.1.2. The RSA MD4 Checksum
The RSA-MD4 checksum calculates a checksum using the RSA MD4
algorithm [MD4-92]. The algorithm takes as input an input message of
arbitrary length and produces as output a 128-bit (16 octet)
checksum. RSA-MD4 is believed to be collision-proof.
rsa-md4
----------------------------------------------
associated cryptosystem any
get_mic md4(msg)
verify_mic get_mic and compare
The rsa-md4 checksum algorithm is assigned a checksum type number of
two (2).
Raeburn [Page 17]
�
INTERNET DRAFT February 2004
6.1.3. CRC-32 Checksum
This CRC-32 checksum calculates a checksum based on a cyclic
redundancy check as described in ISO 3309 [CRC], modified as
described below. The resulting checksum is four (4) octets in
length. The CRC-32 is neither keyed nor collision-proof; thus, the
use of this checksum is not recommended. An attacker using a
probabilistic chosen-plaintext attack as described in [SG92] might be
able to generate an alternative message that satisfies the checksum.
The CRC-32 checksum used in the des-cbc-crc encryption mode is
identical to the 32-bit FCS described in ISO 3309 with two
exceptions: the sum with the all-ones polynomial times x**k is
omitted, and the final remainder is not ones-complemented. ISO 3309
describes the FCS in terms of bits, while this document describes the
Kerberos protocol in terms of octets. To disambiguate the ISO 3309
definition for the purpose of computing the CRC-32 in the des-cbc-crc
encryption mode, the ordering of bits in each octet shall be assumed
to be LSB-first. Given this assumed ordering of bits within an
octet, the mapping of bits to polynomial coefficients shall be
identical to that specified in ISO 3309.
Test values for this modified CRC function are included in appendix
A.5.
crc32
----------------------------------------------
associated cryptosystem any
get_mic crc32(msg)
verify_mic get_mic and compare
The crc32 checksum algorithm is assigned a checksum type number of
one (1).
6.2. DES-based encryption and checksum types
These encryption systems encrypt information under the Data
Encryption Standard [DES77] using the cipher block chaining mode
[DESM80]. A checksum is computed as described below and placed in
the cksum field. DES blocks are 8 bytes. As a result, the data to
be encrypted (the concatenation of confounder, checksum, and message)
must be padded to an 8 byte boundary before encryption. The values
of the padding bytes are unspecified.
Raeburn [Page 18]
�
INTERNET DRAFT February 2004
Plaintext and DES ciphertext are encoded as blocks of 8 octets which
are concatenated to make the 64-bit inputs for the DES algorithms.
The first octet supplies the 8 most significant bits (with the
octet's MSB used as the DES input block's MSB, etc.), the second
octet the next 8 bits, ..., and the eighth octet supplies the 8 least
significant bits.
Encryption under DES using cipher block chaining requires an
additional input in the form of an initialization vector; this vector
is specified for each encryption system, below.
The DES specifications [DESI81] identify four 'weak' and twelve
'semi-weak' keys; those keys SHALL NOT be used for encrypting
messages for use in Kerberos. The "variant keys" generated for the
RSA-MD5-DES, RSA-MD4-DES and DES-MAC checksum types by an exclusive-
or of a DES key with a constant are not checked for this property.
A DES key is 8 octets of data. This consists of 56 bits of actual
key data, and 8 parity bits, one per octet. The key is encoded as a
series of 8 octets written in MSB-first order. The bits within the
key are also encoded in MSB order. For example, if the encryption
key is (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)
where B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8
are the parity bits, the first octet of the key would be
B1,B2,...,B7,P1 (with B1 as the most significant bit). See the
[DESM80] introduction for reference.
Encryption data format
The format for the data to be encrypted includes a one-block
confounder, a checksum, the encoded plaintext, and any necessary
padding, as described in the following diagram. The msg-seq field
contains the part of the protocol message which is to be encrypted.
+-----------+----------+---------+-----+
|confounder | checksum | msg-seq | pad |
+-----------+----------+---------+-----+
One generates a random confounder of one block, placing it in
'confounder'; zeroes out the 'checksum' field (of length appropriate
to exactly hold the checksum to be computed); calculates the
appropriate checksum over the whole sequence, placing the result in
'checksum'; adds the necessary padding; then encrypts using the
specified encryption type and the appropriate key.
String or random-data to key transformation
To generate a DES key from two UTF-8 text strings (password and
Raeburn [Page 19]
�
INTERNET DRAFT February 2004
salt), the two strings are concatenated, password first, and the
result is then padded with zero-valued octets to a multiple of 8
octets.
The top bit of each octet (always zero if the password is plain
ASCII, as was assumed when the original specification was written) is
discarded, and a bitstring is formed of the remaining seven bits of
each octet. This bitstring is then fan-folded and eXclusive-ORed
with itself to produce a 56-bit string. An eight-octet key is formed
from this string, each octet using seven bits from the bitstring,
leaving the least significant bit unassigned. The key is then
"corrected" by correcting the parity on the key, and if the key
matches a 'weak' or 'semi-weak' key as described in the DES
specification, it is eXclusive-ORed with the constant
0x00000000000000F0. This key is then used to generate a DES CBC
checksum on the initial string with the salt appended. The result of
the CBC checksum is then "corrected" as described above to form the
result which is returned as the key.
For purposes of the string-to-key function, the DES CBC checksum is
calculated by CBC encrypting a string using the key as IV and using
the final 8 byte block as the checksum.
Pseudocode follows:
removeMSBits(8byteblock) {
/* Treats a 64 bit block as 8 octets and remove the MSB in
each octect (in big endian mode) and concatenates the
result. E.g., input octet string:
01110000 01100001 11110011 01110011 11110111 01101111
11110010 01100100
results in output bitstring:
1110000 1100001 1110011 1110011 1110111 1101111
1110010 1100100 */
}
reverse(56bitblock) {
/* Treats a 56-bit block as a binary string and reverse it.
E.g., input string:
1000001 1010100 1001000 1000101 1001110 1000001
0101110 1001101
results in output string:
1011001 0111010 1000001 0111001 1010001 0001001
0010101 1000001 */
}
Raeburn [Page 20]
�
INTERNET DRAFT February 2004
add_parity_bits(56bitblock) {
/* Copies a 56-bit block into a 64-bit block, left shift
content in each octet and add DES parity bit.
E.g., input string:
1100000 0001111 0011100 0110100 1000101 1100100
0110110 0010111
results in output string:
11000001 00011111 00111000 01101000 10001010 11001000
01101101 00101111 */
}
key_correction(key) {
fixparity(key);
if (is_weak_key(key))
key = key XOR 0xF0;
return(key);
}
mit_des_string_to_key(string,salt) {
odd = 1;
s = string | salt;
tempstring = 0; /* 56-bit string */
pad(s); /* with nulls to 8 byte boundary */
for (8byteblock in s) {
56bitstring = removeMSBits(8byteblock);
if (odd == 0) reverse(56bitstring);
odd = ! odd;
tempstring = tempstring XOR 56bitstring;
}
tempkey = key_correction(add_parity_bits(tempstring));
key = key_correction(DES-CBC-check(s,tempkey));
return(key);
}
des_string_to_key(string,salt,params) {
if (length(params) == 0)
type = 0;
else if (length(params) == 1)
type = params[0];
else
error("invalid params");
if (type == 0)
mit_des_string_to_key(string,salt);
else
error("invalid params");
}
One common extension is to support the "AFS string-to-key" algorithm,
Raeburn [Page 21]
�
INTERNET DRAFT February 2004
which is not defined here, if the type value above is one (1).
For generation of a key from a random bitstring, we start with a
56-bit string, and as with the string-to-key operation above, insert
parity bits, and if the result is a weak or semi-weak key, modify it
by exclusive-OR with the constart 0x00000000000000F0:
des_random_to_key(bitstring) {
return key_correction(add_parity_bits(bitstring));
}
6.2.1. DES with MD5
The des-cbc-md5 encryption mode encrypts information under DES in CBC
mode with an all-zero initial vector, with an MD5 checksum (described
in [MD5-92]) computed and placed in the checksum field.
The encryption system parameters for des-cbc-md5 are:
des-cbc-md5
--------------------------------------------------------------------
protocol key format 8 bytes, parity in low bit of each
specific key structure copy of original key
required checksum rsa-md5-des
mechanism
key-generation seed 8 bytes
length
cipher state 8 bytes (CBC initial vector)
initial cipher state all-zero
encryption function des-cbc(confounder | checksum | msg | pad,
ivec=oldstate)
where
checksum = md5(confounder | 0000...
| msg | pad)
newstate = last block of des-cbc output
decryption function decrypt encrypted text and verify checksum
newstate = last block of ciphertext
Raeburn [Page 22]
�
INTERNET DRAFT February 2004
des-cbc-md5
--------------------------------------------------------------------
default string-to-key empty string
params
pseudo-random function des-cbc(md5(input-string), ivec=0)
key generation functions:
string-to-key des_string_to_key
random-to-key des_random_to_key
key-derivation identity
The des-cbc-md5 encryption type is assigned the etype value three
(3).
6.2.2. DES with MD4
The des-cbc-md4 encryption mode also encrypts information under DES
in CBC mode, with an all-zero initial vector. An MD4 checksum
(described in [MD4-92]) is computed and placed in the checksum field.
des-cbc-md4
--------------------------------------------------------------------
protocol key format 8 bytes, parity in low bit of each
specific key structure copy of original key
required checksum rsa-md4-des
mechanism
key-generation seed 8 bytes
length
cipher state 8 bytes (CBC initial vector)
initial cipher state all-zero
encryption function des-cbc(confounder | checksum | msg | pad,
ivec=oldstate)
where
checksum = md4(confounder | 0000...
| msg | pad)
newstate = last block of des-cbc output
Raeburn [Page 23]
�
INTERNET DRAFT February 2004
des-cbc-md4
--------------------------------------------------------------------
decryption function decrypt encrypted text and verify checksum
newstate = last block of ciphertext
default string-to-key empty string
params
pseudo-random function des-cbc(md5(input-string), ivec=0)
key generation functions:
string-to-key des_string_to_key
random-to-key copy input, then fix parity bits
key-derivation identity
Note that des-cbc-md4 uses md5, not md4, in the PRF definition.
The des-cbc-md4 encryption algorithm is assigned the etype value two
(2).
6.2.3. DES with CRC
The des-cbc-crc encryption type uses DES in CBC mode with the key
used as the initialization vector, with a 4-octet CRC-based checksum
computed as described in section 6.1.3. Note that this is not a
standard CRC-32 checksum, but a slightly modified one.
des-cbc-crc
--------------------------------------------------------------------
protocol key format 8 bytes, parity in low bit of each
specific key structure copy of original key
required checksum rsa-md5-des
mechanism
key-generation seed 8 bytes
length
cipher state 8 bytes (CBC initial vector)
Raeburn [Page 24]
�
INTERNET DRAFT February 2004
des-cbc-crc
--------------------------------------------------------------------
initial cipher state copy of original key
encryption function des-cbc(confounder | checksum | msg | pad,
ivec=oldstate)
where
checksum = crc(confounder | 00000000
| msg | pad)
newstate = last block of des-cbc output
decryption function decrypt encrypted text and verify checksum
newstate = last block of ciphertext
default string-to-key empty string
params
pseudo-random function des-cbc(md5(input-string), ivec=0)
key generation functions:
string-to-key des_string_to_key
random-to-key copy input, then fix parity bits
key-derivation identity
The des-cbc-crc encryption algorithm is assigned the etype value one
(1).
6.2.4. RSA MD5 Cryptographic Checksum Using DES
The RSA-MD5-DES checksum calculates a keyed collision-proof checksum
by prepending an 8 octet confounder before the text, applying the RSA
MD5 checksum algorithm, and encrypting the confounder and the
checksum using DES in cipher-block-chaining (CBC) mode using a
variant of the key, where the variant is computed by eXclusive-ORing
the key with the hexadecimal constant 0xF0F0F0F0F0F0F0F0. The
initialization vector should be zero. The resulting checksum is 24
octets long. This checksum is tamper-proof and believed to be
collision-proof.
Raeburn [Page 25]
�
INTERNET DRAFT February 2004
rsa-md5-des
----------------------------------------------------------------
associated cryptosystem des-cbc-md5, des-cbc-md4, des-cbc-crc
get_mic des-cbc(key XOR 0xF0F0F0F0F0F0F0F0,
conf | rsa-md5(conf | msg))
verify_mic decrypt and verify rsa-md5 checksum
The rsa-md5-des checksum algorithm is assigned a checksum type number
of eight (8).
6.2.5. RSA MD4 Cryptographic Checksum Using DES
The RSA-MD4-DES checksum calculates a keyed collision-proof checksum
by prepending an 8 octet confounder before the text, applying the RSA
MD4 checksum algorithm [MD4-92], and encrypting the confounder and
the checksum using DES in cipher-block-chaining (CBC) mode using a
variant of the key, where the variant is computed by eXclusive-ORing
the key with the constant 0xF0F0F0F0F0F0F0F0. [7] The initialization
vector should be zero. The resulting checksum is 24 octets long.
This checksum is tamper-proof and believed to be collision-proof.
rsa-md4-des
----------------------------------------------------------------
associated cryptosystem des-cbc-md5, des-cbc-md4, des-cbc-crc
get_mic des-cbc(key XOR 0xF0F0F0F0F0F0F0F0,
conf | rsa-md4(conf | msg),
ivec=0)
verify_mic decrypt and verify rsa-md4 checksum
The rsa-md4-des checksum algorithm is assigned a checksum type number
of three (3).
6.2.6. RSA MD4 Cryptographic Checksum Using DES alternative
The RSA-MD4-DES-K checksum calculates a keyed collision-proof
checksum by applying the RSA MD4 checksum algorithm and encrypting
the results using DES in cipher block chaining (CBC) mode using a DES
key as both key and initialization vector. The resulting checksum is
16 octets long. This checksum is tamper-proof and believed to be
collision-proof. Note that this checksum type is the old method for
encoding the RSA-MD4-DES checksum and it is no longer recommended.
Raeburn [Page 26]
�
INTERNET DRAFT February 2004
rsa-md4-des-k
----------------------------------------------------------------
associated cryptosystem des-cbc-md5, des-cbc-md4, des-cbc-crc
get_mic des-cbc(key, md4(msg), ivec=key)
verify_mic decrypt, compute checksum and compare
The rsa-md4-des-k checksum algorithm is assigned a checksum type
number of six (6).
6.2.7. DES CBC checksum
The DES-MAC checksum is computed by prepending an 8 octet confounder
to the plaintext, padding with zero-valued octets if necessary to
bring the length to a multiple of 8 octets, performing a DES CBC-mode
encryption on the result using the key and an initialization vector
of zero, taking the last block of the ciphertext, prepending the same
confounder and encrypting the pair using DES in cipher-block-chaining
(CBC) mode using a variant of the key, where the variant is computed
by eXclusive-ORing the key with the constant 0xF0F0F0F0F0F0F0F0. The
initialization vector should be zero. The resulting checksum is 128
bits (16 octets) long, 64 bits of which are redundant. This checksum
is tamper-proof and collision-proof.
des-mac
----------------------------------------------------------------------
associated des-cbc-md5, des-cbc-md4, des-cbc-crc
cryptosystem
get_mic des-cbc(key XOR 0xF0F0F0F0F0F0F0F0,
conf | des-mac(key, conf | msg | pad, ivec=0),
ivec=0)
verify_mic decrypt, compute DES MAC using confounder, compare
The des-mac checksum algorithm is assigned a checksum type number of
four (4).
6.2.8. DES CBC checksum alternative
The DES-MAC-K checksum is computed by performing a DES CBC-mode
encryption of the plaintext, with zero-valued padding bytes if
necessary to bring the length to a multiple of 8 octets, and using
the last block of the ciphertext as the checksum value. It is keyed
Raeburn [Page 27]
�
INTERNET DRAFT February 2004
with an encryption key which is also used as the initialization
vector. The resulting checksum is 64 bits (8 octets) long. This
checksum is tamper-proof and collision-proof. Note that this
checksum type is the old method for encoding the DESMAC checksum and
it is no longer recommended.
des-mac-k
----------------------------------------------------------------
associated cryptosystem des-cbc-md5, des-cbc-md4, des-cbc-crc
get_mic des-mac(key, msg | pad, ivec=key)
verify_mic compute MAC and compare
The des-mac-k checksum algorithm is assigned a checksum type number
of five (5).
6.3. Triple-DES based encryption and checksum types
This encryption and checksum type pair is based on the Triple DES
cryptosystem in Outer-CBC mode, and the HMAC-SHA1 message
authentication algorithm.
A Triple DES key is the concatenation of three DES keys as described
above for des-cbc-md5. A Triple DES key is generated from random
data by creating three DES keys from separate sequences of random
data.
Encrypted data using this type must be generated as described in
section 5.3. If the length of the input data is not a multiple of
the block size, zero-valued octets must be used to pad the plaintext
to the next eight-octet boundary. The confounder must be eight
random octets (one block).
The simplified profile for Triple DES, with key derivation as defined
in section 5, is as follows:
des3-cbc-hmac-sha1-kd, hmac-sha1-des3-kd
------------------------------------------------
protocol key format 24 bytes, parity in low
bit of each
key-generation seed 21 bytes
length
Raeburn [Page 28]
�
INTERNET DRAFT February 2004
des3-cbc-hmac-sha1-kd, hmac-sha1-des3-kd
------------------------------------------------
hash function SHA-1
HMAC output size 160 bits
message block size 8 bytes
default string-to-key empty string
params
encryption and triple-DES encrypt and
decryption functions decrypt, in outer-CBC
mode (cipher block size
8 octets)
key generation functions:
random-to-key DES3random-to-key (see
below)
string-to-key DES3string-to-key (see
below)
The des3-cbc-hmac-sha1-kd encryption type is assigned the value
sixteen (16). The hmac-sha1-des3-kd checksum algorithm is assigned a
checksum type number of twelve (12).
6.3.1. Triple DES Key Production (random-to-key, string-to-key)
The 168 bits of random key data are converted to a protocol key value
as follows. First, the 168 bits are divided into three groups of 56
bits, which are expanded individually into 64 bits as follows:
DES3random-to-key:
1 2 3 4 5 6 7 p
9 10 11 12 13 14 15 p
17 18 19 20 21 22 23 p
25 26 27 28 29 30 31 p
33 34 35 36 37 38 39 p
41 42 43 44 45 46 47 p
49 50 51 52 53 54 55 p
56 48 40 32 24 16 8 p
The "p" bits are parity bits computed over the data bits. The output
of the three expansions, each corrected to avoid "weak" and "semi-
weak" keys as in section 6.2, are concatenated to form the protocol
key value.
Raeburn [Page 29]
�
INTERNET DRAFT February 2004
The string-to-key function is used to transform UTF-8 passwords into
DES3 keys. The DES3 string-to-key function relies on the "N-fold"
algorithm and DK function, described in section 5.
The n-fold algorithm is applied to the password string concatenated
with a salt value. For 3-key triple DES, the operation will involve
a 168-fold of the input password string, to generate an intermediate
key, from which the user's long-term key will be derived with the DK
function. The DES3 string-to-key function is shown here in
pseudocode:
DES3string-to-key(passwordString, salt, params)
if (params != emptyString)
error("invalid params");
s = passwordString + salt
tmpKey = random-to-key(168-fold(s))
key = DK (tmpKey, KerberosConstant)
Weak key checking is performed in the random-to-key and DK
operations. The KerberosConstant value is the byte string {0x6b 0x65
0x72 0x62 0x65 0x72 0x6f 0x73}. These values correspond to the ASCII
encoding for the string "kerberos".
7. Use of Kerberos encryption outside this specification
Several Kerberos-based application protocols and preauthentication
systems have been designed and deployed that perform encryption and
message integrity checks in various ways. While in some cases there
may be good reason for specifying these protocols in terms of
specific encryption or checksum algorithms, we anticipate that in
many cases this will not be true, and more generic approaches
independent of particular algorithms will be desirable. Rather than
having each protocol designer reinvent schemes for protecting data,
using multiple keys, etc, we have attempted to present in this
section a general framework that should be sufficient not only for
the Kerberos protocol itself but also for many preauthentication
systems and application protocols, while trying to avoid some of the
assumptions that can work their way into such protocol designs.
Some problematic assumptions we've seen (and sometimes made) include:
that a random bitstring is always valid as a key (not true for DES
keys with parity); that the basic block encryption chaining mode
provides no integrity checking, or can easily be separated from such
checking (not true for many modes in development that do both
simultaneously); that a checksum for a message always results in the
same value (not true if a confounder is incorporated); that an
initial vector is used (may not be true if a block cipher in CBC mode
is not in use).
Raeburn [Page 30]
�
INTERNET DRAFT February 2004
Such assumptions, while they may hold for any given set of encryption
and checksum algorithms, may not be true of the next algorithms to be
defined, leaving the application protocol unable to make use of those
algorithms without updates to its specification.
The Kerberos protocol uses only the attributes and operations
described in sections 3 and 4. Preauthentication systems and
application protocols making use of Kerberos are encouraged to use
them as well. The specific key and string-to-key parameters should
generally be treated as opaque. While the string-to-key parameters
are manipulated as an octet string, the representation for the
specific key structure is implementation-defined; it may not even be
a single object.
While we don't recommend it, some application protocols will
undoubtedly continue to use the key data directly, even if only in
some of the currently existing protocol specifications. An
implementation intended to support general Kerberos applications may
therefore need to make the key data available, as well as the
attributes and operations described in sections 3 and 4. [8]
8. Assigned Numbers
The following encryption type numbers are already assigned or
reserved for use in Kerberos and related protocols.
encryption type etype section or comment
-----------------------------------------------------------------
des-cbc-crc 1 6.2.3
des-cbc-md4 2 6.2.2
des-cbc-md5 3 6.2.1
[reserved] 4
des3-cbc-md5 5
[reserved] 6
des3-cbc-sha1 7
dsaWithSHA1-CmsOID 9 (pkinit)
md5WithRSAEncryption-CmsOID 10 (pkinit)
sha1WithRSAEncryption-CmsOID 11 (pkinit)
rc2CBC-EnvOID 12 (pkinit)
rsaEncryption-EnvOID 13 (pkinit from PKCS#1 v1.5)
rsaES-OAEP-ENV-OID 14 (pkinit from PKCS#1 v2.0)
des-ede3-cbc-Env-OID 15 (pkinit)
des3-cbc-sha1-kd 16 6.3
aes128-cts-hmac-sha1-96 17 [KRB5-AES]
aes256-cts-hmac-sha1-96 18 [KRB5-AES]
rc4-hmac 23 (Microsoft)
Raeburn [Page 31]
�
INTERNET DRAFT February 2004
rc4-hmac-exp 24 (Microsoft)
subkey-keymaterial 65 (opaque; PacketCable)
(The "des3-cbc-sha1" assignment is a deprecated version using no key
derivation. It should not be confused with des3-cbc-sha1-kd.)
Several numbers have been reserved for use in encryption systems not
defined here. Encryption type numbers have unfortunately been
overloaded on occasion in Kerberos-related protocols, so some of the
reserved numbers do not and will not correspond to encryption systems
fitting the profile presented here.
The following checksum type numbers are assigned or reserved. As
with encryption type numbers, some overloading of checksum numbers
has occurred.
Checksum type sumtype checksum section or
value size reference
----------------------------------------------------------------------
CRC32 1 4 6.1.3
rsa-md4 2 16 6.1.2
rsa-md4-des 3 24 6.2.5
des-mac 4 16 6.2.7
des-mac-k 5 8 6.2.8
rsa-md4-des-k 6 16 6.2.6
rsa-md5 7 16 6.1.1
rsa-md5-des 8 24 6.2.4
rsa-md5-des3 9 24 ??
sha1 (unkeyed) 10 20 ??
hmac-sha1-des3-kd 12 20 6.3
hmac-sha1-des3 13 20 ??
sha1 (unkeyed) 14 20 ??
hmac-sha1-96-aes128 15 20 [KRB5-AES]
hmac-sha1-96-aes256 16 20 [KRB5-AES]
[reserved] 0x8003 ? [GSS-KRB5]
Encryption and checksum type numbers are signed 32-bit values. Zero
is invalid, and negative numbers are reserved for local use. All
standardized values must be positive.
Raeburn [Page 32]
�
INTERNET DRAFT February 2004
9. Implementation Notes
The "interface" described here is the minimal information that must
be defined to make a cryptosystem useful within Kerberos in an
interoperable fashion. Despite the functional notation used in some
places, it is not an attempt to define an API for cryptographic
functionality within Kerberos. Actual implementations providing
clean APIs will probably find it useful to make additional
information available, which should be possible to derive from a
specification written to the framework given here. For example, an
application designer may wish to determine the largest number of
bytes that can be encrypted without overflowing a certain size output
buffer, or conversely, the maximum number of bytes that might be
obtained by decrypting a ciphertext message of a given size. (In
fact, an implementation of the GSS-API Kerberos mechanism [GSS-KRB5]
will require some of these.)
The presence of a mechanism in this document should not be taken as
an indication that it must be implemented for compliance with any
specification; required mechanisms will be specified elsewhere.
Indeed, some of the mechanisms described here for backwards
compatibility are now considered rather weak for protecting critical
data.
10. Security Considerations
Recent years have brought advancements in the ability to perform
large-scale attacks against DES, to such a degree that it is not
considered a strong encryption mechanism any longer; triple-DES is
generally preferred in its place, despite the poorer performance.
See [ESP-DES] for a summary of some of the potential attacks, and
[EFF-DES] for a detailed discussion of the implementation of
particular attack. However, most Kerberos implementations still have
DES as their primary interoperable encryption type.
DES has four 'weak' keys and twelve 'semi-weak' keys, and the use of
single-DES here avoids them. However, DES also has 48 'possibly-
weak' keys [Schneier96] (note that the tables in many editions of the
reference contains errors) which are not avoided.
DES weak keys are keys with the property that E1(E1(P)) = P (where E1
denotes encryption of a single block with key 1). DES semi-weak keys
or "dual" keys are pairs of keys with the property that E1(P) =
D2(P), and thus E2(E1(P)) = P. Because of the use of CBC mode and
leading random confounder, however, these properties are unlikely to
present a security problem.
Many of the choices concerning when weak-key corrections are
Raeburn [Page 33]
�
INTERNET DRAFT February 2004
performed relate more to compatibility with existing implementations
than to any risk analysis.
While checks are also done for the component DES keys in a triple-DES
key, the nature of the weak keys is such that it is extremely
unlikely that they will weaken the triple-DES encryption -- only
slightly more likely than having the middle of the three sub-keys
match one of the other two, which effectively converts the encryption
to single-DES, which is a case we make no effort to avoid.
The true CRC-32 checksum is not collision-proof; an attacker could
use a probabilistic chosen-plaintext attack to generate a valid
message even if a confounder is used [SG92]. The use of collision-
proof checksums is of course recommended for environments where such
attacks represent a significant threat. The "simplifications" (read:
bugs) introduced when CRC-32 was implemented for Kerberos cause
leading zeros to effectively be ignored, so messages differing only
in leading zero bits will have the same checksum.
[HMAC] and [IPSEC-HMAC] discuss weaknesses of the HMAC algorithm.
Unlike [IPSEC-HMAC], the triple-DES specification here does not use
the suggested truncation of the HMAC output. As pointed out in
[IPSEC-HMAC], SHA-1 was not developed to be used as a keyed hash
function, which is a criterion of HMAC. [HMAC-TEST] contains test
vectors for HMAC-SHA-1.
The mit_des_string_to_key function was originally constructed with
the assumption that all input would be ASCII; it ignores the top bit
of each input byte. Folding with XOR is also not an especially good
mixing mechanism in terms of preserving randomness.
The n-fold function used in the string-to-key operation for des3-cbc-
hmac-sha1-kd was designed to cause each bit of input to contribute
equally to the output; it was not designed to maximize or equally
distribute randomness in the input, and there are conceivable cases
of partially structured input where randomness may be lost. This
should only be an issue for highly structured passwords, however.
[RFC1851] discusses the relative strength of triple-DES encryption.
The relative slow speed of triple-DES encryption may also be an issue
for some applications.
In [Bellovin91], there is a suggestion that analyses of encryption
schemes should include a model of an attacker capable of submitting
known plaintexts to be encrypted with an unknown key, as well as
being able to perform many types of operations on known protocol
messages. Recent experiences with the chosen-plaintext attacks on
Kerberos version 4 bear out the value of this suggestion.
Raeburn [Page 34]
�
INTERNET DRAFT February 2004
The use of unkeyed encrypted checksums, such as those used in the
single-DES cryptosystems specified in [Kerb1510], allows for cut-and-
paste attacks, especially if a confounder is not used. In addition,
unkeyed encrypted checksums are vulnerable to chosen-plaintext
attacks: an attacker with access to an encryption oracle can easily
encrypt the required unkeyed checksum along with the chosen
plaintext. [Bellovin99] These weaknesses, combined with a common
implementation design choice described below, allow for a cross-
protocol attack from version 4 to version 5.
The use of a random confounder is an important means of preventing an
attacker from making effective use of protocol exchanges as an
encryption oracle. In Kerberos version 4, the encryption of constant
plaintext to constant ciphertext makes an effective encryption oracle
for an attacker. The use of random confounders in [Kerb1510]
frustrates this sort of chosen-plaintext attack.
Using the same key for multiple purposes can enable or increase the
scope of chosen-plaintext attacks. Some software which implements
both versions 4 and 5 of the Kerberos protocol uses the same keys for
both versions of the protocol. This enables the encryption oracle of
version 4 to be used to attack version 5. Vulnerabilities such as
this cross-protocol attack reinforce the wisdom of not using a key
for multiple purposes.
This document, like the Kerberos protocol, completely ignores the
notion of limiting the amount of data a key may be used with to a
quantity based on the robustness of the algorithm or size of the key.
It is assumed that any defined algorithms and key sizes will be
strong enough to support very large amounts of data, or they will be
deprecated once significant attacks are known.
This document also places no bounds on the amount of data that can be
handled in various operations. In order to avoid denial of service
attacks, implementations will probably want to restrict message sizes
at some higher level.
11. IANA Considerations
Two registries for numeric values should be created: Kerberos
Encryption Type Numbers and Kerberos Checksum Type Numbers. These
are signed values ranging from -2147483648 to 2147483647. Positive
values should be assigned only for algorithms specified in accordance
with this specification for use with Kerberos or related protocols.
Negative values are for private use; local and experimental
algorithms should use these values. Zero is reserved and may not be
assigned.
Raeburn [Page 35]
�
INTERNET DRAFT February 2004
Positive encryption and checksum type numbers may be assigned
following either of two policies described in [BCP26].
Standards-track specifications may be assigned values under the
Standards Action policy.
Specifications in non-standards track RFCs may be assigned values
after Expert Review. A non-IETF specification may be assigned values
by publishing an Informational or standards-track RFC referencing the
external specification; that specification must be public and
published in some permanent record much like the IETF RFCs. It is
highly desirable, though not required, that the full specification be
published as an IETF RFC.
Smaller encryption type values should be used for IETF standards-
track mechanisms, and much higher values (16777216 and above) for
other mechanisms. (Rationale: In the Kerberos ASN.1 encoding,
smaller numbers encode to smaller octet sequences, so this favors
standards-track mechanisms with slightly smaller messages.) Aside
from that guideline, IANA may choose numbers as it sees fit.
Internet-Draft specifications should not include values for
encryption and checksum type numbers. Instead, they should indicate
that values would be assigned by IANA when the document is approved
as an RFC. For development and interoperability testing, values in
the private-use range (negative values) may be used, but should not
be included in the draft specification.
Each registered value should have an associated unique name to refer
to it by. The lists given in section 8 should be used as an initial
registry; they include reservations for specifications in progress in
parallel with this document, and for certain other values believed to
be in use already.
12. Acknowledgments
This document is an extension of the encryption specification
included in [Kerb1510] by B. Clifford Neuman and John Kohl, and much
of the text of the background, concepts, and DES specifications are
drawn directly from that document.
The abstract framework presented in this document was put together by
Jeff Altman, Sam Hartman, Jeff Hutzelman, Cliff Neuman, Ken Raeburn,
and Tom Yu, and the details were refined several times based on
comments from John Brezak and others.
Marc Horowitz wrote the original specification of triple-DES and key
derivation in a pair of Internet Drafts (under the names draft-
Raeburn [Page 36]
�
INTERNET DRAFT February 2004
horowitz-key-derivation and draft-horowitz-kerb-key-derivation) which
were later folded into a draft revision of [Kerb1510], from which
this document was later split off.
Tom Yu provided the text describing the modifications to the standard
CRC algorithm as Kerberos implementations actually use it, and some
of the Security Considerations section.
Miroslav Jurisic provided information for one of the UTF-8 test cases
for the string-to-key functions.
Marcus Watts noticed some errors in earlier drafts, and pointed out
that the simplified profile could easily be modified to support
cipher text stealing modes.
Simon Josefsson contributed some clarifications to the DES "CBC
checksum", string-to-key and weak key descriptions, and some test
vectors.
Simon Josefsson, Louis LeVay and others also caught some errors in
earlier drafts.
A. Test vectors
This section provides test vectors for various functions defined or
described in this document. For convenience, most inputs are ASCII
strings, though some UTF-8 samples are be provided for string-to-key
functions. Keys and other binary data are specified as hexadecimal
strings.
A.1. n-fold
The n-fold function is defined in section 5.1. As noted there, the
sample vector in the original paper defining the algorithm appears to
be incorrect. Here are some test cases provided by Marc Horowitz and
Simon Josefsson:
Raeburn [Page 37]
�
INTERNET DRAFT February 2004
64-fold("012345") =
64-fold(303132333435) = be072631276b1955
56-fold("password") =
56-fold(70617373776f7264) = 78a07b6caf85fa
64-fold("Rough Consensus, and Running Code") =
64-fold(526f75676820436f6e73656e7375732c20616e642052756e
6e696e6720436f6465) = bb6ed30870b7f0e0
168-fold("password") =
168-fold(70617373776f7264) =
59e4a8ca7c0385c3c37b3f6d2000247cb6e6bd5b3e
192-fold("MASSACHVSETTS INSTITVTE OF TECHNOLOGY"
192-fold(4d41535341434856534554545320494e5354495456544520
4f4620544543484e4f4c4f4759) =
db3b0d8f0b061e603282b308a50841229ad798fab9540c1b
168-fold("Q") =
168-fold(51) =
518a54a2 15a8452a 518a54a2 15a8452a
518a54a2 15
168-fold("ba") =
168-fold(6261) =
fb25d531 ae897449 9f52fd92 ea9857c4
ba24cf29 7e
Here are some additional values corresponding to folded values of the
string "kerberos"; the 64-bit form is used in the des3 string-to-key
(section 6.3.1).
64-fold("kerberos") =
6b657262 65726f73
128-fold("kerberos") =
6b657262 65726f73 7b9b5b2b 93132b93
168-fold("kerberos") =
8372c236 344e5f15 50cd0747 e15d62ca
7a5a3bce a4
256-fold("kerberos") =
6b657262 65726f73 7b9b5b2b 93132b93
5c9bdcda d95c9899 c4cae4de e6d6cae4
Note that the initial octets exactly match the input string when the
output length is a multiple of the input length.
Raeburn [Page 38]
�
INTERNET DRAFT February 2004
A.2. mit_des_string_to_key
The function mit_des_string_to_key is defined in section 6.2. We
present here several test values, with some of the intermediate
results. The fourth test demonstrates the use of UTF-8 with three
characters. The last two tests are specifically constructed so as to
trigger the weak-key fixups for the intermediate key produced by fan-
folding; we have no test cases that cause such fixups for the final
key.
UTF-8 encodings used in test vector:
eszett U+00DF C3 9F s-caron U+0161 C5 A1
c-acute U+0107 C4 87 g-clef U+1011E F0 9D 84 9E
Test vector:
salt: "ATHENA.MIT.EDUraeburn"
415448454e412e4d49542e4544557261656275726e
password: "password" 70617373776f7264
fan-fold result: c01e38688ac86c2e
intermediate key: c11f38688ac86d2f
DES key: cbc22fae235298e3
salt: "WHITEHOUSE.GOVdanny"
5748495445484f5553452e474f5664616e6e79
password: "potatoe" 706f7461746f65
fan-fold result: a028944ee63c0416
intermediate key: a129944fe63d0416
DES key: df3d32a74fd92a01
salt: "EXAMPLE.COMpianist" 4558414D504C452E434F4D7069616E697374
password: g-clef (U+1011E) f09d849e
fan-fold result: 3c4a262c18fab090
intermediate key: 3d4a262c19fbb091
DES key: 4ffb26bab0cd9413
salt: "ATHENA.MIT.EDUJuri" + s-caron(U+0161) + "i" + c-acute(U+0107)
415448454e412e4d49542e4544554a757269c5a169c487
password: eszett(U+00DF)
c39f
fan-fold result:b8f6c40e305afc9e
intermediate key: b9f7c40e315bfd9e
DES key: 62c81a5232b5e69d
Raeburn [Page 39]
�
INTERNET DRAFT February 2004
salt: "AAAAAAAA" 4141414141414141
password: "11119999" 3131313139393939
fan-fold result: e0e0e0e0f0f0f0f0
intermediate key: e0e0e0e0f1f1f101
DES key: 984054d0f1a73e31
salt: "FFFFAAAA" 4646464641414141
password: "NNNN6666" 4e4e4e4e36363636
fan-fold result: 1e1e1e1e0e0e0e0e
intermediate key: 1f1f1f1f0e0e0efe
DES key: c4bf6b25adf7a4f8
This trace provided by Simon Josefsson shows the intermediate
processing stages of one of the test inputs:
string_to_key (des-cbc-md5, string, salt)
;; string:
;; `password' (length 8 bytes)
;; 70 61 73 73 77 6f 72 64
;; salt:
;; `ATHENA.MIT.EDUraeburn' (length 21 bytes)
;; 41 54 48 45 4e 41 2e 4d 49 54 2e 45 44 55 72 61
;; 65 62 75 72 6e
des_string_to_key (string, salt)
;; String:
;; `password' (length 8 bytes)
;; 70 61 73 73 77 6f 72 64
;; Salt:
;; `ATHENA.MIT.EDUraeburn' (length 21 bytes)
;; 41 54 48 45 4e 41 2e 4d 49 54 2e 45 44 55 72 61
;; 65 62 75 72 6e
odd = 1;
s = string | salt;
tempstring = 0; /* 56-bit string */
pad(s); /* with nulls to 8 byte boundary */
;; s = pad(string|salt):
;; `passwordATHENA.MIT.EDUraeburn\x00\x00\x00'
;; (length 32 bytes)
;; 70 61 73 73 77 6f 72 64 41 54 48 45 4e 41 2e 4d
;; 49 54 2e 45 44 55 72 61 65 62 75 72 6e 00 00 00
for (8byteblock in s) {
;; loop iteration 0
;; 8byteblock:
;; `password' (length 8 bytes)
;; 70 61 73 73 77 6f 72 64
;; 01110000 01100001 01110011 01110011 01110111 01101111
Raeburn [Page 40]
�
INTERNET DRAFT February 2004
;; 01110010 01100100
56bitstring = removeMSBits(8byteblock);
;; 56bitstring:
;; 1110000 1100001 1110011 1110011 1110111 1101111
;; 1110010 1100100
if (odd == 0) reverse(56bitstring); ;; odd=1
odd = ! odd
tempstring = tempstring XOR 56bitstring;
;; tempstring
;; 1110000 1100001 1110011 1110011 1110111 1101111
;; 1110010 1100100
for (8byteblock in s) {
;; loop iteration 1
;; 8byteblock:
;; `ATHENA.M' (length 8 bytes)
;; 41 54 48 45 4e 41 2e 4d
;; 01000001 01010100 01001000 01000101 01001110 01000001
;; 00101110 01001101
56bitstring = removeMSBits(8byteblock);
;; 56bitstring:
;; 1000001 1010100 1001000 1000101 1001110 1000001
;; 0101110 1001101
if (odd == 0) reverse(56bitstring); ;; odd=0
reverse(56bitstring)
;; 56bitstring after reverse
;; 1011001 0111010 1000001 0111001 1010001 0001001
;; 0010101 1000001
odd = ! odd
tempstring = tempstring XOR 56bitstring;
;; tempstring
;; 0101001 1011011 0110010 1001010 0100110 1100110
;; 1100111 0100101
for (8byteblock in s) {
;; loop iteration 2
;; 8byteblock:
;; `IT.EDUra' (length 8 bytes)
;; 49 54 2e 45 44 55 72 61
;; 01001001 01010100 00101110 01000101 01000100 01010101
;; 01110010 01100001
56bitstring = removeMSBits(8byteblock);
;; 56bitstring:
;; 1001001 1010100 0101110 1000101 1000100 1010101
;; 1110010 1100001
if (odd == 0) reverse(56bitstring); ;; odd=1
Raeburn [Page 41]
�
INTERNET DRAFT February 2004
odd = ! odd
tempstring = tempstring XOR 56bitstring;
;; tempstring
;; 1100000 0001111 0011100 0001111 1100010 0110011
;; 0010101 1000100
for (8byteblock in s) {
;; loop iteration 3
;; 8byteblock:
;; `eburn\x00\x00\x00' (length 8 bytes)
;; 65 62 75 72 6e 00 00 00
;; 01100101 01100010 01110101 01110010 01101110 00000000
;; 00000000 00000000
56bitstring = removeMSBits(8byteblock);
;; 56bitstring:
;; 1100101 1100010 1110101 1110010 1101110 0000000
;; 0000000 0000000
if (odd == 0) reverse(56bitstring); ;; odd=0
reverse(56bitstring)
;; 56bitstring after reverse
;; 0000000 0000000 0000000 0111011 0100111 1010111
;; 0100011 1010011
odd = ! odd
tempstring = tempstring XOR 56bitstring;
;; tempstring
;; 1100000 0001111 0011100 0110100 1000101 1100100
;; 0110110 0010111
for (8byteblock in s) {
}
;; for loop terminated
tempkey = key_correction(add_parity_bits(tempstring));
;; tempkey
;; `\xc1\x1f8h\x8a\xc8m\x2f' (length 8 bytes)
;; c1 1f 38 68 8a c8 6d 2f
;; 11000001 00011111 00111000 01101000 10001010 11001000
;; 01101101 00101111
Raeburn [Page 42]
�
INTERNET DRAFT February 2004
key = key_correction(DES-CBC-check(s,tempkey));
;; key
;; `\xcb\xc2\x2f\xae\x23R\x98\xe3' (length 8 bytes)
;; cb c2 2f ae 23 52 98 e3
;; 11001011 11000010 00101111 10101110 00100011 01010010
;; 10011000 11100011
;; string_to_key key:
;; `\xcb\xc2\x2f\xae\x23R\x98\xe3' (length 8 bytes)
;; cb c2 2f ae 23 52 98 e3
A.3. DES3 DR and DK
These tests show the derived-random and derived-key values for the
des3-hmac-sha1-kd encryption scheme, using the DR and DK functions
defined in section 6.3.1. The input keys were randomly generated;
the usage values are from this specification.
key: dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92
usage: 0000000155
DR: 935079d14490a75c3093c4a6e8c3b049c71e6ee705
DK: 925179d04591a79b5d3192c4a7e9c289b049c71f6ee604cd
key: 5e13d31c70ef765746578531cb51c15bf11ca82c97cee9f2
usage: 00000001aa
DR: 9f58e5a047d894101c469845d67ae3c5249ed812f2
DK: 9e58e5a146d9942a101c469845d67a20e3c4259ed913f207
key: 98e6fd8a04a4b6859b75a176540b9752bad3ecd610a252bc
usage: 0000000155
DR: 12fff90c773f956d13fc2ca0d0840349dbd39908eb
DK: 13fef80d763e94ec6d13fd2ca1d085070249dad39808eabf
key: 622aec25a2fe2cad7094680b7c64940280084c1a7cec92b5
usage: 00000001aa
DR: f8debf05b097e7dc0603686aca35d91fd9a5516a70
DK: f8dfbf04b097e6d9dc0702686bcb3489d91fd9a4516b703e
key: d3f8298ccb166438dcb9b93ee5a7629286a491f838f802fb
usage: 6b65726265726f73 ("kerberos")
DR: 2270db565d2a3d64cfbfdc5305d4f778a6de42d9da
DK: 2370da575d2a3da864cebfdc5204d56df779a7df43d9da43
key: c1081649ada74362e6a1459d01dfd30d67c2234c940704da
usage: 0000000155
Raeburn [Page 43]
�
INTERNET DRAFT February 2004
DR: 348056ec98fcc517171d2b4d7a9493af482d999175
DK: 348057ec98fdc48016161c2a4c7a943e92ae492c989175f7
key: 5d154af238f46713155719d55e2f1f790dd661f279a7917c
usage: 00000001aa
DR: a8818bc367dadacbe9a6c84627fb60c294b01215e5
DK: a8808ac267dada3dcbe9a7c84626fbc761c294b01315e5c1
key: 798562e049852f57dc8c343ba17f2ca1d97394efc8adc443
usage: 0000000155
DR: c813f88b3be2b2f75424ce9175fbc8483b88c8713a
DK: c813f88a3be3b334f75425ce9175fbe3c8493b89c8703b49
key: 26dce334b545292f2feab9a8701a89a4b99eb9942cecd016
usage: 00000001aa
DR: f58efc6f83f93e55e695fd252cf8fe59f7d5ba37ec
DK: f48ffd6e83f83e7354e694fd252cf83bfe58f7d5ba37ec5d
A.4. DES3string_to_key
These are the keys generated for some of the above input strings for
triple-DES with key derivation as defined in section 6.3.1.
salt: "ATHENA.MIT.EDUraeburn"
passwd: "password"
key: 850bb51358548cd05e86768c313e3bfef7511937dcf72c3e
salt: "WHITEHOUSE.GOVdanny"
passwd: "potatoe"
key: dfcd233dd0a43204ea6dc437fb15e061b02979c1f74f377a
salt: "EXAMPLE.COMbuckaroo"
passwd: "penny"
key: 6d2fcdf2d6fbbc3ddcadb5da5710a23489b0d3b69d5d9d4a
salt: "ATHENA.MIT.EDUJuri" + s-caron(U+0161) + "i"
+ c-acute(U+0107)
passwd: eszett(U+00DF)
key: 16d5a40e1ce3bacb61b9dce00470324c831973a7b952feb0
salt: "EXAMPLE.COMpianist"
passwd: g-clef(U+1011E)
key: 85763726585dbc1cce6ec43e1f751f07f1c4cbb098f40b19
Raeburn [Page 44]
�
INTERNET DRAFT February 2004
A.5. Modified CRC-32
Below are modified-CRC32 values for various ASCII and octet strings.
Only the printable ASCII characters are checksummed, no C-style
trailing zero-valued octet. The 32-bit modified CRC and the sequence
of output bytes as used in Kerberos are shown. (The octet values are
separated here to emphasize that they are octet values and not 32-bit
numbers, which will be the most convenient form for manipulation in
some implementations. The bit and byte order used internally for
such a number is irrelevant; the octet sequence generated is what is
important.)
mod-crc-32("foo") = 33 bc 32 73
mod-crc-32("test0123456789") = d6 88 3e b8
mod-crc-32("MASSACHVSETTS INSTITVTE OF TECHNOLOGY") = f7 80 41 e3
mod-crc-32(8000) = 4b 98 83 3b
mod-crc-32(0008) = 32 88 db 0e
mod-crc-32(0080) = 20 83 b8 ed
mod-crc-32(80) = 20 83 b8 ed
mod-crc-32(80000000) = 3b b6 59 ed
mod-crc-32(00000001) = 96 30 07 77
B. Significant Changes from RFC 1510
The encryption and checksum mechanism profiles are new. The old
specification defined a few operations for various mechanisms, but
didn't outline what should be required of new mechanisms in terms of
abstract properties, nor how to ensure that a mechanism specification
is complete enough for interoperability between implementations. The
new profiles do differ from the old specification in a few ways:
Some message definitions in [Kerb1510] could be read as permitting
the initial vector to be specified by the application; the text
was too vague. It is specifically not permitted in this
specification. Some encryption algorithms may not use
initialization vectors, so relying on chosen, secret
initialization vectors for security is unwise. Also, the
prepended confounder in the existing algorithms is roughly
equivalent to a per-message initialization vector that is revealed
in encrypted form. However, carrying state across from one
encryption to another is explicitly permitted through the opaque
"cipher state" object.
The use of key derivation is new.
Several new methods are introduced, including generation of a key
Raeburn [Page 45]
�
INTERNET DRAFT February 2004
in wire-protocol format from random input data.
The means for influencing the string-to-key algorithm are laid out
more clearly.
Triple-DES support is new.
The pseudo-random function is new.
The des-cbc-crc, DES string-to-key and CRC descriptions have been
updated to align them with existing implementations.
[Kerb1510] had no indication what character set or encoding might be
used for pass phrases and salts.
In [Kerb1510], key types, encryption algorithms and checksum
algorithms were only loosely associated, and the association was not
well described. In this specification, key types and encryption
algorithms have a one-to-one correspondence, and associations between
encryption and checksum algorithms are described so that checksums
can be computed given negotiated keys, without requiring further
negotiation for checksum types.
Notes
[1] While Message Authentication Code (MAC) or Message Integrity
Check (MIC) would be more appropriate terms for many of the
uses in this document, we continue to use the term "checksum"
for historical reasons.
[2] Extending CBC mode across messages would be one obvious
example of this chaining. Another might be the use of
counter mode, with a counter randomly initialized and
attached to the ciphertext; a second message could continue
incrementing the counter when chaining the cipher state, thus
avoiding having to transmit another counter value. However,
this chaining is only useful for uninterrupted, ordered
sequences of messages.
[3] In the case of Kerberos, the encrypted objects will generally
be ASN.1 DER encodings, which contain indications of their
length in the first few octets.
[4] As of the time of this writing, some new modes of operation
have been proposed, some of which may permit encryption and
integrity protection simultaneously. After some of these
proposals have been subjected to adequate analysis, we may
wish to formulate a new simplified profile based on one of
Raeburn [Page 46]
�
INTERNET DRAFT February 2004
them.
[5] It should be noted that the sample vector in Appendix B.2 of
the original paper appears to be incorrect. Two independent
implementations from the specification (one in C by Marc
Horowitz, and another in Scheme by Bill Sommerfeld) agree on
a value different from that in [Blumenthal96].
[6] For example, in MIT's implementation of [Kerb1510], the rsa-
md5 unkeyed checksum of application data may be included in
an authenticator encrypted in a service's key; since rsa-md5
is believed to be collision-proof, even if the application
data is exposed to an attacker, it cannot be modified without
causing the checksum verification to fail.
[7] A variant of the key is used to limit the use of a key to a
particular function, separating the functions of generating a
checksum from other encryption performed using the session
key. The constant 0xF0F0F0F0F0F0F0F0 was chosen because it
maintains key parity. The properties of DES precluded the
use of the complement. The same constant is used for similar
purpose in the Message Integrity Check in the Privacy
Enhanced Mail standard.
[8] Perhaps one of the more common reasons for directly
performing encryption is direct control over the negotiation
and to select a "sufficiently strong" encryption algorithm
(whatever that means in the context of a given application).
While Kerberos directly provides no facility for negotiating
encryption types between the application client and server,
there are other means for accomplishing similar goals. For
example, requesting only "strong" session key types from the
KDC, and assuming that the type actually returned by the KDC
will be understood and supported by the application server.
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
Raeburn [Page 47]
�
INTERNET DRAFT February 2004
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Normative References
[Bellare98]
Bellare, M., Desai, A., Pointcheval, D., and P. Rogaway,
"Relations Among Notions of Security for Public-Key Encryption
Schemes". Extended abstract published in Advances in Cryptology-
Crypto 98 Proceedings, Lecture Notes in Computer Science Vol.
1462, H. Krawcyzk ed., Springer-Verlag, 1998.
[Blumenthal96]
Blumenthal, U., and S. Bellovin, "A Better Key Schedule for DES-
Like Ciphers", Proceedings of PRAGOCRYPT '96, 1996.
[CRC]
International Organization for Standardization, "ISO Information
Processing Systems - Data Communication - High-Level Data Link
Control Procedure - Frame Structure," IS 3309, 3rd Edition,
October 1984.
[DES77]
National Bureau of Standards, U.S. Department of Commerce, "Data
Encryption Standard," Federal Information Processing Standards
Publication 46, Washington, DC, 1977.
[DESI81]
National Bureau of Standards, U.S. Department of Commerce,
"Guidelines for implementing and using NBS Data Encryption
Standard," Federal Information Processing Standards Publication
74, Washington, DC, 1981.
[DESM80]
National Bureau of Standards, U.S. Department of Commerce, "DES
Modes of Operation," Federal Information Processing Standards
Publication 81, Springfield, VA, December 1980.
[Dolev91]
Dolev, D., Dwork, C., Naor, M., "Non-malleable cryptography",
Proceedings of the 23rd Annual Symposium on Theory of Computing,
ACM, 1991.
[HMAC]
Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
for Message Authentication", RFC 2104, February 1997.
Raeburn [Page 48]
�
INTERNET DRAFT February 2004
[KRB5-AES]
Raeburn, K., "AES Encyrption for Kerberos 5", RFC XXXX, Xxxxxxxx
2003.
[MD4-92]
Rivest, R., "The MD4 Message Digest Algorithm," RFC 1320, MIT
Laboratory for Computer Science, April 1992.
[MD5-92]
Rivest, R., "The MD5 Message Digest Algorithm," RFC 1321, MIT
Laboratory for Computer Science, April 1992.
[RFC2026]
Bradner, S., "The Internet Standards Process -- Revisions 3," RFC
2026, October 1996.
[SG92]
Stubblebine, S., and V. D. Gligor, "On Message Integrity in
Cryptographic Protocols," in Proceedings of the IEEE Symposium on
Research in Security and Privacy, Oakland, California, May 1992.
Informative References
[Bellovin91]
Bellovin, S. M., and M. Merrit, "Limitations of the Kerberos
Authentication System", in Proceedings of the Winter 1991 Usenix
Security Conference, January, 1991.
[Bellovin99]
Bellovin, S. M., and D. Atkins, private communications, 1999.
[EFF-DES]
Electronic Frontier Foundation, "Cracking DES: Secrets of
Encryption Research, Wiretap Politics, and Chip Design", O'Reilly
& Associates, Inc., May 1998.
[ESP-DES]
Madson, C., and N. Doraswamy, "The ESP DES-CBC Cipher Algorithm
With Explicit IV", RFC 2405, November 1998.
[GSS-KRB5]
Linn, J., "The Kerberos Version 5 GSS-API Mechanism," RFC 1964,
June 1996.
[HMAC-TEST]
Cheng, P., and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1",
RFC 2202, September 1997.
[IPSEC-HMAC]
Madson, C., and R. Glenn, "The Use of HMAC-SHA-1-96 within ESP and
AH", RFC 2404, November 1998.
[Kerb]
Neuman, C., Kohl, J., Ts'o, T., Yu, T., Hartman, S., and K.
Raeburn, "The Kerberos Network Authentication Service (V5)",
draft-ietf-krb-wg-kerberos-clarifications-00.txt, February 22,
2002. Work in progress.
Raeburn [Page 49]
�
INTERNET DRAFT February 2004
[Kerb1510]
Kohl, J., and C. Neuman, "The Kerberos Network Authentication
Service (V5)", RFC 1510, September 1993.
[RC5]
Baldwin, R, and R. Rivest, "The RC5, RC5-CBC, RC5-CBC-Pad, and
RC5-CTS Algorithms", RFC 2040, October 1996.
[Schneier96]
Schneier, B., "Applied Cryptography Second Edition", John Wiley &
Sons, New York, NY, 1996. ISBN 0-471-12845-7.
Editor's address
Kenneth Raeburn
Massachusetts Institute of Technology
77 Massachusetts Avenue
Cambridge, MA 02139
raeburn@mit.edu
Full Copyright Statement
Copyright (C) The Internet Society (2004). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
Raeburn [Page 50]
�
INTERNET DRAFT February 2004
Notes to RFC Editor
Before publication of this document as an RFC, the following changes
are needed:
Change the reference "[KRB5-AES]" in Normative References to indicate
the AES draft (draft-raeburn-krb-rijndael-krb-XX) that should be
advancing to RFC at the same time. The RFC number and publication
date are needed.
If draft-ietf-krb-wg-kerberos-clarifications advances to RFC at the
same time as this document, change the information for [Kerb] in the
Informative References section as well.
Change the first-page headers to indicate the RFC number, network
working group, etc, as appropriate for an RFC instead of an I-D.
Remove the contact-info paragraph from the Abstract.
Delete this section.
Raeburn [Page 51]
|
