| blob | 6b9989f871acfe96c3d0277ec771a122f12dee2c |
10 Kerberos Working Group K. Raeburn
11 Document: draft-raeburn-krb-rijndael-krb-02.txt MIT
12 November 1, 2002
13 expires May 1, 2003
15 AES Encryption for Kerberos 5
17 Abstract
19 Recently the US National Institute of Standards and Technology chose
20 a new Advanced Encryption Standard [AES], which is significantly
21 faster and (it is believed) more secure than the old DES algorithm.
22 This document is a specification for the addition of this algorithm
23 to the Kerberos cryptosystem suite [KCRYPTO].
25 Comments should be sent to the author, or to the IETF Kerberos
26 working group (ietf-krb-wg@anl.gov).
28 Status of this Memo
30 This document is an Internet-Draft and is in full conformance with
31 all provisions of Section 10 of RFC2026 [RFC2026]. Internet-Drafts
32 are working documents of the Internet Engineering Task Force (IETF),
33 its areas, and its working groups. Note that other groups may also
34 distribute working documents as Internet-Drafts. Internet-Drafts are
35 draft documents valid for a maximum of six months and may be updated,
36 replaced, or obsoleted by other documents at any time. It is
37 inappropriate to use Internet-Drafts as reference material or to cite
38 them other than as "work in progress."
40 The list of current Internet-Drafts can be accessed at
41 http://www.ietf.org/ietf/1id-abstracts.txt
43 The list of Internet-Draft Shadow Directories can be accessed at
44 http://www.ietf.org/shadow.html.
46 1. Introduction
48 This document defines encryption key and checksum types for Kerberos
49 5 using the AES algorithm recently chosen by NIST. These new types
50 support 128-bit block encryption, and key sizes of 128 or 256 bits.
52 Using the "simplified profile" of [KCRYPTO], we can define a pair of
53 encryption and checksum schemes. AES is used with cipher text
54 stealing to avoid message expansion, and SHA-1 [SHA1] is the
58 Raeburn [Page 1]
59 \f
60 INTERNET DRAFT November 2002
63 associated checksum function.
65 2. Conventions Used in this Document
67 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
68 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
69 document are to be interpreted as described in RFC 2119.
71 3. Protocol Key Representation
73 The profile in [KCRYPTO] treats keys and random octet strings as
74 conceptually different. But since the AES key space is dense, we can
75 use any bit string as a key. We use the byte representation for the
76 key described in [AES], where the first bit of the bit string is the
77 high bit of the first byte of the byte string (octet string)
78 representation.
80 4. Key Generation From Pass Phrases or Random Data
82 Given the above format for keys, we can generate keys from the
83 appropriate amounts of random data (128 or 256 bits) by simply
84 copying the input string.
86 To generate an encryption key from a pass phrase and salt string, we
87 use the PBKDF2 function from PKCS #5 v2.0 ([PKCS5]), with parameters
88 indicated below, to generate an intermediate key (of the same length
89 as the desired final key), which is then passed into the DK function
90 with the 8-octet ASCII string "kerberos" as is done for des3-cbc-
91 hmac-sha1-kd in [KCRYPTO]. (In [KCRYPTO] terms, the PBKDF2 function
92 produces a "random octet string", hence the application of the
93 random-to-key function even though it's effectively a simple identity
94 operation.) The resulting key is the user's long-term key for use
95 with the encryption algorithm in question.
97 tkey = random2key(PBKDF2(passphrase, salt, iter_count, keylength))
98 key = DK(tkey, "kerberos")
100 The pseudorandom function used by PBKDF2 will be a SHA-1 HMAC of the
101 passphrase and salt, as described in Appendix B.1 to PKCS#5.
103 The number of iterations is specified by the string-to-key parameters
104 supplied. The parameter string is four octets indicating an unsigned
105 number in big-endian order. This is the number of iterations to be
106 performed. If the value is 00 00 00 00, the number of iterations to
107 be performed is 4294967296 (2**32). (Thus the minimum expressable
108 iteration count is 1.)
110 For environments where slower hardware is the norm, implementations
114 Raeburn [Page 2]
115 \f
116 INTERNET DRAFT November 2002
119 may wish to limit the number of iterations to prevent a spoofed
120 response from consuming lots of client-side CPU time; it is
121 recommended that this bound be no less than 50000. Even for
122 environments with fast hardware, 4 billion iterations is likely to
123 take a fairly long time; much larger bounds might still be enforced,
124 and it might be wise for implementations to permit interruption of
125 this operation by the user if the environment allows for it.
127 If the string-to-key parameters are not supplied, the default value
128 to be used is 00 00 b0 00 (decimal 45056, indicating 45056
129 iterations, which takes slightly under 1 second on a 300MHz Pentium
130 II in tests run by the author).
132 Sample test vectors are given in the appendix.
134 5. Cipher Text Stealing
136 Cipher block chaining is used to encrypt messages. Unlike previous
137 Kerberos cryptosystems, we use cipher text stealing to handle the
138 possibly partial final block of the message.
140 Cipher text stealing is described on pages 195-196 of [AC], and
141 section 8 of [RC5]; it has the advantage that no message expansion is
142 done during encryption of messages of arbitrary sizes as is typically
143 done in CBC mode with padding.
145 Cipher text stealing, as defined in [RC5], assumes that more than one
146 block of plain text is available. Since a one-block confounder is
147 added in the simplified profile of [KCRYPTO], and [KCRYPTO] requires
148 that the message to be encrypted cannot be empty, the minimum length
149 to be encrypted is one block plus one byte. Thus we do not need to
150 do anything special to meet this constraint.
152 For consistency, cipher text stealing is always used for the last two
153 blocks of the data to be encrypted, as in [RC5]. If the data length
154 is a multiple of the block size, this is equivalent to plain CBC mode
155 with the last two cipher text blocks swapped.
157 A test vector is given in the appendix.
159 6. Kerberos Algorithm Profile Parameters
161 This is a summary of the parameters to be used with the simplified
162 algorithm profile described in [KCRYPTO]:
170 Raeburn [Page 3]
171 \f
172 INTERNET DRAFT November 2002
175 +--------------------------------------------------------------------+
176 | protocol key format 128- or 256-bit string |
177 | |
178 | string-to-key function PBKDF2+DK with variable |
179 | iteration count (see |
180 | above) |
181 | |
182 | default string-to-key parameters 00 09 |
183 | |
184 | key-generation seed length key size |
185 | |
186 | random-to-key function identity function |
187 | |
188 | hash function, H SHA-1 |
189 | |
190 | HMAC output size, h 12 octets (96 bits) |
191 | |
192 | confounder size, c 16 octets |
193 | |
194 | message block size, m 1 octet |
195 | |
196 | encryption/decryption functions, AES in CBC-CTS mode with |
197 | E and D zero ivec |
198 +--------------------------------------------------------------------+
200 Using this profile with each key size gives us two each of encryption
201 and checksum algorithm definitions.
203 7. Assigned Numbers
205 The following encryption type numbers are assigned:
207 +--------------------------------------------------------------------+
208 | encryption types |
209 +--------------------------------------------------------------------+
210 | type name etype value key size |
211 +--------------------------------------------------------------------+
212 | aes128-cts-hmac-sha1-96 17 128 |
213 | aes256-cts-hmac-sha1-96 18 256 |
214 +--------------------------------------------------------------------+
216 The following checksum type numbers are assigned:
226 Raeburn [Page 4]
227 \f
228 INTERNET DRAFT November 2002
231 +--------------------------------------------------------------------+
232 | checksum types |
233 +--------------------------------------------------------------------+
234 | type name sumtype value length |
235 +--------------------------------------------------------------------+
236 | hmac-sha1-96-aes128 10 96 |
237 | hmac-sha1-96-aes256 11 96 |
238 +--------------------------------------------------------------------+
240 These checksum types will be used with the corresponding encryption
241 types defined above.
243 8. Recommendations
245 Both new cryptosystems are RECOMMENDED. They should be more secure
246 than DES cryptosystems, and much faster than triple-DES.
248 9. Security Considerations
250 This new algorithm has not been around long enough to receive the
251 decades of intense analysis that DES has received. It is possible
252 that some weakness exists that has not been found by the
253 cryptographers analyzing these algorithms before and during the AES
254 selection process.
256 The use of the HMAC function has drawbacks for certain pass phrase
257 lengths. For example, a pass phrase longer than the hash function
258 block size (64 bytes, for SHA-1) is hashed to a smaller size (20
259 bytes) before applying the main HMAC algorithm. However, entropy is
260 generally sparse in pass phrases, especially in long ones, so this
261 may not be a problem in the rare cases of users with long pass
262 phrases.
264 Also, generating a 256-bit key from a pass phrase of any length may
265 be deceptive, since the effective entropy in pass-phrase-derived key
266 cannot be nearly that large.
268 The iteration count in PBKDF2 appears to be useful primarily as a
269 constant multiplier for the amount of work required for an attacker
270 using brute-force methods. Unfortunately, it also multiplies, by the
271 same amount, the work needed by a legitimate user with a valid
272 password. Thus the work factor imposed on an attacker (who may have
273 many powerful workstations at his disposal) must be balanced against
274 the work factor imposed on the legitimate user (who may have a PDA or
275 cell phone); the available computing power on either side increases
276 as time goes on, as well. A better way to deal with the brute-force
277 attack is through preauthentication mechanisms that provide better
278 protection of, the user's long-term key. Use of such mechanisms is
282 Raeburn [Page 5]
283 \f
284 INTERNET DRAFT November 2002
287 out of scope for this document.
289 Any benefit against other attacks specific to the HMAC or SHA-1
290 algorithms is probably achieved with a fairly small number of
291 iterations.
293 Cipher text stealing mode, since it requires no additional padding,
294 will reveal the exact length of each message being encrypted, rather
295 than merely bounding it to a small range of possible lengths as in
296 CBC mode. Such obfuscation should not be relied upon at higher
297 levels in any case; if the length must be obscured from an outside
298 observer, it should be done by intentionally varying the length of
299 the message to be encrypted.
301 The author is not a cryptographer. Caveat emptor.
303 10. IANA Considerations
305 None.
307 11. Acknowledgements
309 Thanks to John Brezak, Gerardo Diaz Cuellar and Marcus Watts for
310 feedback on earlier versions of this document.
312 12. Normative References
314 [AC] Schneier, B., "Applied Cryptography", second edition, John Wiley
315 and Sons, New York, 1996.
317 [AES] National Institute of Standards and Technology, U.S. Department
318 of Commerce, "Advanced Encryption Standard", Federal Information
319 Processing Standards Publication 197, Washington, DC, November 2001.
321 [KCRYPTO] Raeburn, K., "Encryption and Checksum Specifications for
322 Kerberos 5", draft-ietf-krb-wg-crypto-01.txt, May, 2002. Work in
323 progress.
325 [PKCS5] Kaliski, B., "PKCS #5: Password-Based Cryptography
326 Specification Version 2.0", RFC 2898, September 2000.
328 [RC5] Baldwin, R, and R. Rivest, "The RC5, RC5-CBC, RC5-CBC-Pad, and
329 RC5-CTS Algorithms", RFC 2040, October 1996.
331 [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
332 3", RFC 2026, October 1996.
334 [SHA1] National Institute of Standards and Technology, U.S.
338 Raeburn [Page 6]
339 \f
340 INTERNET DRAFT November 2002
343 Department of Commerce, "Secure Hash Standard", Federal Information
344 Processing Standards Publication 180-1, Washington, DC, April 1995.
346 13. Informative References
348 [PECMS] Gutmann, P., "Password-based Encryption for CMS", RFC 3211,
349 December 2001.
351 14. Author's Address
353 Kenneth Raeburn
354 Massachusetts Institute of Technology
355 77 Massachusetts Avenue
356 Cambridge, MA 02139
357 raeburn@mit.edu
359 15. Full Copyright Statement
361 Copyright (C) The Internet Society (2002). All Rights Reserved.
363 This document and translations of it may be copied and furnished to
364 others, and derivative works that comment on or otherwise explain it
365 or assist in its implementation may be prepared, copied, published
366 and distributed, in whole or in part, without restriction of any
367 kind, provided that the above copyright notice and this paragraph are
368 included on all such copies and derivative works. However, this
369 document itself may not be modified in any way, such as by removing
370 the copyright notice or references to the Internet Society or other
371 Internet organizations, except as needed for the purpose of
372 developing Internet standards in which case the procedures for
373 copyrights defined in the Internet Standards process must be
374 followed, or as required to translate it into languages other than
375 English.
377 The limited permissions granted above are perpetual and will not be
378 revoked by the Internet Society or its successors or assigns.
380 This document and the information contained herein is provided on an
381 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
382 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
383 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
384 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
385 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
387 A. Sample test vectors
389 Sample values for the string-to-key function are included below.
394 Raeburn [Page 7]
395 \f
396 INTERNET DRAFT November 2002
399 Iteration count = 1
400 Pass phrase = "password"
401 Salt = "ATHENA.MIT.EDUraeburn"
402 128-bit PBKDF2 output:
403 cd ed b5 28 1b b2 f8 01 56 5a 11 22 b2 56 35 15
404 128-bit AES key:
405 42 26 3c 6e 89 f4 fc 28 b8 df 68 ee 09 79 9f 15
406 256-bit PBKDF2 output:
407 cd ed b5 28 1b b2 f8 01 56 5a 11 22 b2 56 35 15
408 0a d1 f7 a0 4b b9 f3 a3 33 ec c0 e2 e1 f7 08 37
409 256-bit AES key:
410 fe 69 7b 52 bc 0d 3c e1 44 32 ba 03 6a 92 e6 5b
411 bb 52 28 09 90 a2 fa 27 88 39 98 d7 2a f3 01 61
413 Iteration count = 2
414 Pass phrase = "password"
415 Salt="ATHENA.MIT.EDUraeburn"
416 128-bit PBKDF2 output:
417 01 db ee 7f 4a 9e 24 3e 98 8b 62 c7 3c da 93 5d
418 128-bit AES key:
419 c6 51 bf 29 e2 30 0a c2 7f a4 69 d6 93 bd da 13
420 256-bit PBKDF2 output:
421 01 db ee 7f 4a 9e 24 3e 98 8b 62 c7 3c da 93 5d
422 a0 53 78 b9 32 44 ec 8f 48 a9 9e 61 ad 79 9d 86
423 256-bit AES key:
424 a2 e1 6d 16 b3 60 69 c1 35 d5 e9 d2 e2 5f 89 61
425 02 68 56 18 b9 59 14 b4 67 c6 76 22 22 58 24 ff
427 Iteration count = 1200
428 Pass phrase = "password"
429 Salt = "ATHENA.MIT.EDUraeburn"
430 128-bit PBKDF2 output:
431 5c 08 eb 61 fd f7 1e 4e 4e c3 cf 6b a1 f5 51 2b
432 128-bit AES key:
433 4c 01 cd 46 d6 32 d0 1e 6d be 23 0a 01 ed 64 2a
434 256-bit PBKDF2 output:
435 5c 08 eb 61 fd f7 1e 4e 4e c3 cf 6b a1 f5 51 2b
436 a7 e5 2d db c5 e5 14 2f 70 8a 31 e2 e6 2b 1e 13
437 256-bit AES key:
438 55 a6 ac 74 0a d1 7b 48 46 94 10 51 e1 e8 b0 a7
439 54 8d 93 b0 ab 30 a8 bc 3f f1 62 80 38 2b 8c 2a
450 Raeburn [Page 8]
451 \f
452 INTERNET DRAFT November 2002
455 Iteration count = 5
456 Pass phrase = "password"
457 Salt=0x1234567878563412
458 128-bit PBKDF2 output:
459 d1 da a7 86 15 f2 87 e6 a1 c8 b1 20 d7 06 2a 49
460 128-bit AES key:
461 e9 b2 3d 52 27 37 47 dd 5c 35 cb 55 be 61 9d 8e
462 256-bit PBKDF2 output:
463 d1 da a7 86 15 f2 87 e6 a1 c8 b1 20 d7 06 2a 49
464 3f 98 d2 03 e6 be 49 a6 ad f4 fa 57 4b 6e 64 ee
465 256-bit AES key:
466 97 a4 e7 86 be 20 d8 1a 38 2d 5e bc 96 d5 90 9c
467 ab cd ad c8 7c a4 8f 57 45 04 15 9f 16 c3 6e 31
468 (This test is based on values given in [PECMS].)
470 Iteration count = 1200
471 Pass phrase = (64 characters)
472 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
473 Salt="pass phrase equals block size"
474 128-bit PBKDF2 output:
475 13 9c 30 c0 96 6b c3 2b a5 5f db f2 12 53 0a c9
476 128-bit AES key:
477 59 d1 bb 78 9a 82 8b 1a a5 4e f9 c2 88 3f 69 ed
478 256-bit PBKDF2 output:
479 13 9c 30 c0 96 6b c3 2b a5 5f db f2 12 53 0a c9
480 c5 ec 59 f1 a4 52 f5 cc 9a d9 40 fe a0 59 8e d1
481 256-bit AES key:
482 89 ad ee 36 08 db 8b c7 1f 1b fb fe 45 94 86 b0
483 56 18 b7 0c ba e2 20 92 53 4e 56 c5 53 ba 4b 34
485 Iteration count = 1200
486 Pass phrase = (65 characters)
487 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
488 Salt = "pass phrase exceeds block size"
489 128-bit PBKDF2 output:
490 9c ca d6 d4 68 77 0c d5 1b 10 e6 a6 87 21 be 61
491 128-bit AES key:
492 cb 80 05 dc 5f 90 17 9a 7f 02 10 4c 00 18 75 1d
493 256-bit PBKDF2 output:
494 9c ca d6 d4 68 77 0c d5 1b 10 e6 a6 87 21 be 61
495 1a 8b 4d 28 26 01 db 3b 36 be 92 46 91 5e c8 2a
496 256-bit AES key:
497 d7 8c 5c 9c b8 72 a8 c9 da d4 69 7f 0b b5 b2 d2
498 14 96 c8 2b eb 2c ae da 21 12 fc ee a0 57 40 1b
506 Raeburn [Page 9]
507 \f
508 INTERNET DRAFT November 2002
511 Iteration count = 50
512 Pass phrase = g-clef (0xf09d849e)
513 Salt = "EXAMPLE.COMpianist"
514 128-bit PBKDF2 output:
515 6b 9c f2 6d 45 45 5a 43 a5 b8 bb 27 6a 40 3b 39
516 128-bit AES key:
517 f1 49 c1 f2 e1 54 a7 34 52 d4 3e 7f e6 2a 56 e5
518 256-bit PBKDF2 output:
519 6b 9c f2 6d 45 45 5a 43 a5 b8 bb 27 6a 40 3b 39
520 e7 fe 37 a0 c4 1e 02 c2 81 ff 30 69 e1 e9 4f 52
521 256-bit AES key:
522 4b 6d 98 39 f8 44 06 df 1f 09 cc 16 6d b4 b8 3c
523 57 18 48 b7 84 a3 d6 bd c3 46 58 9a 3e 39 3f 9e
525 Some test vectors for CBC with cipher text stealing, using an initial
526 vector of all-zero.
528 AES 128-bit key:
529 63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69
531 Input:
532 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
533 20
534 Output:
535 c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f
536 97
538 Input:
539 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
540 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20
541 Output:
542 fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22
543 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5
545 Input:
546 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
547 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
548 Output:
549 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
550 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84
562 Raeburn [Page 10]
563 \f
564 INTERNET DRAFT November 2002
567 Input:
568 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
569 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
570 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c
571 Output:
572 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84
573 b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e
574 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5
576 Input:
577 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
578 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
579 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20
580 Output:
581 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84
582 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8
583 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
585 Input:
586 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65
587 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43
588 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20
589 61 6e 64 20 77 6f 6e 74 6f 6e 20 73 6f 75 70 2e
590 Output:
591 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84
592 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8
593 48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40
594 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8
618 Raeburn [Page 11]