| blob | 2e37988086dbac127c4968c7efce123306eff57a |
7 Network Working Group K. Jaganathan
8 Request for Comments: 4757 L. Zhu
9 Category: Informational J. Brezak
10 Microsoft Corporation
11 December 2006
14 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows
16 Status of This Memo
18 This memo provides information for the Internet community. It does
19 not specify an Internet standard of any kind. Distribution of this
20 memo is unlimited.
22 Copyright Notice
24 Copyright (C) The IETF Trust (2006).
26 IESG Note
28 This document documents the RC4 Kerberos encryption types first
29 introduced in Microsoft Windows 2000. Since then, these encryption
30 types have been implemented in a number of Kerberos implementations.
31 The IETF Kerberos community supports publishing this specification as
32 an informational document in order to describe this widely
33 implemented technology. However, while these encryption types
34 provide the operations necessary to implement the base Kerberos
35 specification [RFC4120], they do not provide all the required
36 operations in the Kerberos cryptography framework [RFC3961]. As a
37 result, it is not generally possible to implement potential
38 extensions to Kerberos using these encryption types. The Kerberos
39 encryption type negotiation mechanism [RFC4537] provides one approach
40 for using such extensions even when a Kerberos infrastructure uses
41 long-term RC4 keys. Because this specification does not implement
42 operations required by RFC 3961 and because of security concerns with
43 the use of RC4 and MD4 discussed in Section 8, this specification is
44 not appropriate for publication on the standards track.
58 Jaganathan, et al. Informational [Page 1]
59 \f
60 RFC 4757 RC4-HMAC December 2006
63 Abstract
65 The Microsoft Windows 2000 implementation of Kerberos introduces a
66 new encryption type based on the RC4 encryption algorithm and using
67 an MD5 HMAC for checksum. This is offered as an alternative to using
68 the existing DES-based encryption types.
70 The RC4-HMAC encryption types are used to ease upgrade of existing
71 Windows NT environments, provide strong cryptography (128-bit key
72 lengths), and provide exportable (meet United States government
73 export restriction requirements) encryption. This document describes
74 the implementation of those encryption types.
76 Table of Contents
78 1. Introduction ....................................................3
79 1.1. Conventions Used in This Document ..........................3
80 2. Key Generation ..................................................3
81 3. Basic Operations ................................................4
82 4. Checksum Types ..................................................5
83 5. Encryption Types ................................................6
84 6. Key Strength Negotiation ........................................8
85 7. GSS-API Kerberos V5 Mechanism Type ..............................8
86 7.1. Mechanism Specific Changes .................................8
87 7.2. GSS-API MIC Semantics ......................................9
88 7.3. GSS-API WRAP Semantics ....................................11
89 8. Security Considerations ........................................15
90 9. IANA Considerations ............................................15
91 10. Acknowledgements ..............................................15
92 11. References ....................................................16
93 11.1. Normative References .....................................16
94 11.2. Informative References ...................................16
114 Jaganathan, et al. Informational [Page 2]
115 \f
116 RFC 4757 RC4-HMAC December 2006
119 1. Introduction
121 The Microsoft Windows 2000 implementation of Kerberos contains new
122 encryption and checksum types for two reasons. First, for export
123 reasons early in the development process, 56-bit DES encryption could
124 not be exported, and, second, upon upgrade from Windows NT 4.0 to
125 Windows 2000, accounts will not have the appropriate DES keying
126 material to do the standard DES encryption. Furthermore, 3DES was
127 not available for export when Windows 2000 was released, and there
128 was a desire to use a single flavor of encryption in the product for
129 both US and international products.
131 As a result, there are two new encryption types and one new checksum
132 type introduced in Microsoft Windows 2000.
134 Note that these cryptosystems aren't intended to be complete,
135 general-purpose Kerberos encryption or checksum systems as defined in
136 [RFC3961]: there is no one-one mapping between the operations in this
137 documents and the primitives described in [RFC3961].
139 1.1. Conventions Used in This Document
141 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
142 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to
143 be interpreted as described in [RFC2119].
145 2. Key Generation
147 On upgrade from existing Windows NT domains, the user accounts would
148 not have a DES-based key available to enable the use of DES base
149 encryption types specified in [RFC4120] and [RFC3961]. The key used
150 for RC4-HMAC is the same as the existing Windows NT key (NT Password
151 Hash) for compatibility reasons. Once the account password is
152 changed, the DES-based keys are created and maintained. Once the DES
153 keys are available, DES-based encryption types can be used with
154 Kerberos.
156 The RC4-HMAC string to key function is defined as follows:
158 String2Key(password)
160 K = MD4(UNICODE(password))
162 The RC4-HMAC keys are generated by using the Windows UNICODE version
163 of the password. Each Windows UNICODE character is encoded in
164 little-endian format of 2 octets each. Then an MD4 [RFC1320] hash
165 operation is performed on just the UNICODE characters of the password
166 (not including the terminating zero octets).
170 Jaganathan, et al. Informational [Page 3]
171 \f
172 RFC 4757 RC4-HMAC December 2006
175 For an account with a password of "foo", this String2Key("foo") will
176 return:
178 0xac, 0x8e, 0x65, 0x7f, 0x83, 0xdf, 0x82, 0xbe,
179 0xea, 0x5d, 0x43, 0xbd, 0xaf, 0x78, 0x00, 0xcc
181 3. Basic Operations
183 The MD5 HMAC function is defined in [RFC2104]. It is used in this
184 encryption type for checksum operations. Refer to [RFC2104] for
185 details on its operation. In this document, this function is
186 referred to as HMAC(Key, Data) returning the checksum using the
187 specified key on the data.
189 The basic MD5 hash operation is used in this encryption type and
190 defined in [RFC1321]. In this document, this function is referred to
191 as MD5(Data) returning the checksum of the data.
193 RC4 is a stream cipher licensed by RSA Data Security. In this
194 document, the function is referred to as RC4(Key, Data) returning the
195 encrypted data using the specified key on the data.
197 These encryption types use key derivation. With each message, the
198 message type (T) is used as a component of the keying material. The
199 following table summarizes the different key derivation values used
200 in the various operations. Note that these differ from the key
201 derivations used in other Kerberos encryption types. T = the message
202 type, encoded as a little-endian four-byte integer.
204 1. AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the
205 client key (T=1)
206 2. AS-REP Ticket and TGS-REP Ticket (includes TGS session key or
207 application session key), encrypted with the service key (T=2)
208 3. AS-REP encrypted part (includes TGS session key or application
209 session key), encrypted with the client key (T=8)
210 4. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the TGS
211 session key (T=4)
212 5. TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the TGS
213 authenticator subkey (T=5)
214 6. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed
215 with the TGS session key (T=6)
216 7. TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes TGS
217 authenticator subkey), encrypted with the TGS session key T=7)
218 8. TGS-REP encrypted part (includes application session key),
219 encrypted with the TGS session key (T=8)
220 9. TGS-REP encrypted part (includes application session key),
221 encrypted with the TGS authenticator subkey (T=8)
226 Jaganathan, et al. Informational [Page 4]
227 \f
228 RFC 4757 RC4-HMAC December 2006
231 10. AP-REQ Authenticator cksum, keyed with the application session
232 key (T=10)
233 11. AP-REQ Authenticator (includes application authenticator
234 subkey), encrypted with the application session key (T=11)
235 12. AP-REP encrypted part (includes application session subkey),
236 encrypted with the application session key (T=12)
237 13. KRB-PRIV encrypted part, encrypted with a key chosen by the
238 application. Also for data encrypted with GSS Wrap (T=13)
239 14. KRB-CRED encrypted part, encrypted with a key chosen by the
240 application (T=14)
241 15. KRB-SAFE cksum, keyed with a key chosen by the application.
242 Also for data signed in GSS MIC (T=15)
244 Relative to RFC-1964 key uses:
246 T = 0 in the generation of sequence number for the MIC token
247 T = 0 in the generation of sequence number for the WRAP token
248 T = 0 in the generation of encrypted data for the WRAPPED token
250 All strings in this document are ASCII unless otherwise specified.
251 The lengths of ASCII-encoded character strings include the trailing
252 terminator character (0). The concat(a,b,c,...) function will return
253 the logical concatenation (left to right) of the values of the
254 arguments. The nonce(n) function returns a pseudo-random number of
255 "n" octets.
257 4. Checksum Types
259 There is one checksum type used in this encryption type. The
260 Kerberos constant for this type is:
262 #define KERB_CHECKSUM_HMAC_MD5 (-138)
264 The function is defined as follows:
266 K = the Key
267 T = the message type, encoded as a little-endian four-byte integer
269 CHKSUM(K, T, data)
271 Ksign = HMAC(K, "signaturekey") //includes zero octet at end
272 tmp = MD5(concat(T, data))
273 CHKSUM = HMAC(Ksign, tmp)
282 Jaganathan, et al. Informational [Page 5]
283 \f
284 RFC 4757 RC4-HMAC December 2006
287 5. Encryption Types
289 There are two encryption types used in these encryption types. The
290 Kerberos constants for these types are:
292 #define KERB_ETYPE_RC4_HMAC 23
293 #define KERB_ETYPE_RC4_HMAC_EXP 24
295 The basic encryption function is defined as follows:
297 T = the message type, encoded as a little-endian four-byte integer.
299 OCTET L40[14] = "fortybits";
301 The header field on the encrypted data in KDC messages is:
303 typedef struct _RC4_MDx_HEADER {
304 OCTET Checksum[16];
305 OCTET Confounder[8];
306 } RC4_MDx_HEADER, *PRC4_MDx_HEADER;
309 ENCRYPT (K, export, T, data)
310 {
311 struct EDATA {
312 struct HEADER {
313 OCTET Checksum[16];
314 OCTET Confounder[8];
315 } Header;
316 OCTET Data[0];
317 } edata;
319 if (export){
320 *((DWORD *)(L40+10)) = T;
321 K1 = HMAC(K, L40); // where the length of L40 in
322 // octets is 14
323 }
324 else
325 {
326 K1 = HMAC(K, &T); // where the length of T in octets
327 // is 4
328 }
329 memcpy (K2, K1, 16);
330 if (export) memset (K1+7, 0xAB, 9);
332 nonce (edata.Confounder, 8);
333 memcpy (edata.Data, data);
338 Jaganathan, et al. Informational [Page 6]
339 \f
340 RFC 4757 RC4-HMAC December 2006
343 edata.Checksum = HMAC (K2, edata);
344 K3 = HMAC (K1, edata.Checksum);
346 RC4 (K3, edata.Confounder);
347 RC4 (K3, data.Data);
348 }
350 DECRYPT (K, export, T, edata)
351 {
352 // edata looks like
353 struct EDATA {
354 struct HEADER {
355 OCTET Checksum[16];
356 OCTET Confounder[8];
357 } Header;
358 OCTET Data[0];
359 } edata;
361 if (export){
362 *((DWORD *)(L40+10)) = T;
363 HMAC (K, L40, 14, K1);
364 }
365 else
366 {
367 HMAC (K, &T, 4, K1);
368 }
369 memcpy (K2, K1, 16);
370 if (export) memset (K1+7, 0xAB, 9);
372 K3 = HMAC (K1, edata.Checksum);
373 RC4 (K3, edata.Confounder);
374 RC4 (K3, edata.Data);
377 // verify generated and received checksums
378 checksum = HMAC (K2, concat(edata.Confounder, edata.Data));
379 if (checksum != edata.Checksum)
380 printf("CHECKSUM ERROR !!!!!!\n");
381 }
383 The KDC message is encrypted using the ENCRYPT function not including
384 the Checksum in the RC4_MDx_HEADER.
386 The character constant "fortybits" evolved from the time when a
387 40-bit key length was all that was exportable from the United States.
388 It is now used to recognize that the key length is of "exportable"
389 length. In this description, the key size is actually 56 bits.
394 Jaganathan, et al. Informational [Page 7]
395 \f
396 RFC 4757 RC4-HMAC December 2006
399 The pseudo-random operation [RFC3961] for both enctypes above is
400 defined as follows:
402 pseudo-random(K, S) = HMAC-SHA1(K, S)
404 where K is the protocol key and S is the input octet string.
405 HMAC-SHA1 is defined in [RFC2104] and the output of HMAC-SHA1 is the
406 20-octet digest.
408 6. Key Strength Negotiation
410 A Kerberos client and server can negotiate over key length if they
411 are using mutual authentication. If the client is unable to perform
412 full-strength encryption, it may propose a key in the "subkey" field
413 of the authenticator, using a weaker encryption type. The server
414 must then either return the same key or suggest its own key in the
415 subkey field of the AP reply message. The key used to encrypt data
416 is derived from the key returned by the server. If the client is
417 able to perform strong encryption but the server is not, it may
418 propose a subkey in the AP reply without first being sent a subkey in
419 the authenticator.
421 7. GSS-API Kerberos V5 Mechanism Type
423 7.1. Mechanism Specific Changes
425 The Generic Security Service Application Program Interface (GSS-API)
426 per-message tokens also require new checksum and encryption types.
427 The GSS-API per-message tokens are adapted to support these new
428 encryption types. See [RFC1964] Section 1.2.2.
430 The only support quality of protection is:
432 #define GSS_KRB5_INTEG_C_QOP_DEFAULT 0x0
434 When using this RC4-based encryption type, the sequence number is
435 always sent in big-endian rather than little-endian order.
437 The Windows 2000 implementation also defines new GSS-API flags in the
438 initial token passed when initializing a security context. These
439 flags are passed in the checksum field of the authenticator. See
440 [RFC1964] Section 1.1.1.
442 GSS_C_DCE_STYLE - This flag was added for use with Microsoft's
443 implementation of Distributed Computing Environment Remote Procedure
444 Call (DCE RPC), which initially expected three legs of
445 authentication. Setting this flag causes an extra AP reply to be
446 sent from the client back to the server after receiving the server's
450 Jaganathan, et al. Informational [Page 8]
451 \f
452 RFC 4757 RC4-HMAC December 2006
455 AP reply. In addition, the context negotiation tokens do not have
456 GSS-API per-message tokens -- they are raw AP messages that do not
457 include object identifiers.
459 #define GSS_C_DCE_STYLE 0x1000
461 GSS_C_IDENTIFY_FLAG - This flag allows the client to indicate to the
462 server that it should only allow the server application to identify
463 the client by name and ID, but not to impersonate the client.
465 #define GSS_C_IDENTIFY_FLAG 0x2000
467 GSS_C_EXTENDED_ERROR_FLAG - Setting this flag indicates that the
468 client wants to be informed of extended error information. In
469 particular, Windows 2000 status codes may be returned in the data
470 field of a Kerberos error message. This allows the client to
471 understand a server failure more precisely. In addition, the server
472 may return errors to the client that are normally handled at the
473 application layer in the server, in order to let the client try to
474 recover. After receiving an error message, the client may attempt to
475 resubmit an AP request.
477 #define GSS_C_EXTENDED_ERROR_FLAG 0x4000
479 These flags are only used if a client is aware of these conventions
480 when using the Security Support Provider Interface (SSPI) on the
481 Windows platform; they are not generally used by default.
483 When NetBIOS addresses are used in the GSS-API, they are identified
484 by the GSS_C_AF_NETBIOS value. This value is defined as:
486 #define GSS_C_AF_NETBIOS 0x14
488 NetBios addresses are 16-octet addresses typically composed of 1 to
489 15 characters, trailing blank (ASCII char 20) filled, with a 16th
490 octet of 0x0.
492 7.2. GSS-API MIC Semantics
494 The GSS-API checksum type and algorithm are defined in Section 5.
495 Only the first 8 octets of the checksum are used. The resulting
496 checksum is stored in the SGN_CKSUM field. See [RFC1964] Section 1.2
497 for GSS_GetMIC() and GSS_Wrap(conf_flag=FALSE).
506 Jaganathan, et al. Informational [Page 9]
507 \f
508 RFC 4757 RC4-HMAC December 2006
511 The GSS_GetMIC token has the following format:
513 Byte no Name Description
514 0..1 TOK_ID Identification field.
515 Tokens emitted by GSS_GetMIC() contain
516 the hex value 01 01 in this field.
517 2..3 SGN_ALG Integrity algorithm indicator.
518 11 00 - HMAC
519 4..7 Filler Contains ff ff ff ff
520 8..15 SND_SEQ Sequence number field.
521 16..23 SGN_CKSUM Checksum of "to-be-signed data",
522 calculated according to algorithm
523 specified in SGN_ALG field.
525 The MIC mechanism used for GSS-MIC-based messages is as follows:
527 GetMIC(Kss, direction, export, seq_num, data)
528 {
529 struct Token {
530 struct Header {
531 OCTET TOK_ID[2];
532 OCTET SGN_ALG[2];
533 OCTET Filler[4];
534 };
535 OCTET SND_SEQ[8];
536 OCTET SGN_CKSUM[8];
537 } Token;
540 Token.TOK_ID = 01 01;
541 Token.SGN_SLG = 11 00;
542 Token.Filler = ff ff ff ff;
544 // Create the sequence number
546 if (direction == sender_is_initiator)
547 {
548 memset(Token.SEND_SEQ+4, 0xff, 4)
549 }
550 else if (direction == sender_is_acceptor)
551 {
552 memset(Token.SEND_SEQ+4, 0, 4)
553 }
554 Token.SEND_SEQ[0] = (seq_num & 0xff000000) >> 24;
555 Token.SEND_SEQ[1] = (seq_num & 0x00ff0000) >> 16;
556 Token.SEND_SEQ[2] = (seq_num & 0x0000ff00) >> 8;
557 Token.SEND_SEQ[3] = (seq_num & 0x000000ff);
562 Jaganathan, et al. Informational [Page 10]
563 \f
564 RFC 4757 RC4-HMAC December 2006
567 // Derive signing key from session key
569 Ksign = HMAC(Kss, "signaturekey");
570 // length includes terminating null
572 // Generate checksum of message - SGN_CKSUM
573 // Key derivation salt = 15
575 Sgn_Cksum = MD5((int32)15, Token.Header, data);
577 // Save first 8 octets of HMAC Sgn_Cksum
579 Sgn_Cksum = HMAC(Ksign, Sgn_Cksum);
580 memcpy(Token.SGN_CKSUM, Sgn_Cksum, 8);
582 // Encrypt the sequence number
584 // Derive encryption key for the sequence number
585 // Key derivation salt = 0
587 if (exportable)
588 {
589 Kseq = HMAC(Kss, "fortybits", (int32)0);
590 // len includes terminating null
591 memset(Kseq+7, 0xab, 7)
592 }
593 else
594 {
595 Kseq = HMAC(Kss, (int32)0);
596 }
597 Kseq = HMAC(Kseq, Token.SGN_CKSUM);
599 // Encrypt the sequence number
601 RC4(Kseq, Token.SND_SEQ);
602 }
604 7.3. GSS-API WRAP Semantics
606 There are two encryption keys for GSS-API message tokens, one that is
607 128 bits in strength and one that is 56 bits in strength as defined
608 in Section 6.
610 All padding is rounded up to 1 byte. One byte is needed to say that
611 there is 1 byte of padding. The DES-based mechanism type uses 8-byte
612 padding. See [RFC1964] Section 1.2.2.3.
618 Jaganathan, et al. Informational [Page 11]
619 \f
620 RFC 4757 RC4-HMAC December 2006
623 The RC4-HMAC GSS_Wrap() token has the following format:
626 Byte no Name Description
627 0..1 TOK_ID Identification field.
628 Tokens emitted by GSS_Wrap() contain
629 the hex value 02 01 in this field.
630 2..3 SGN_ALG Checksum algorithm indicator.
631 11 00 - HMAC
632 4..5 SEAL_ALG ff ff - none
633 00 00 - DES-CBC
634 10 00 - RC4
635 6..7 Filler Contains ff ff
636 8..15 SND_SEQ Encrypted sequence number field.
637 16..23 SGN_CKSUM Checksum of plaintext padded data,
638 calculated according to algorithm
639 specified in SGN_ALG field.
640 24..31 Confounder Random confounder.
641 32..last Data Encrypted or plaintext padded data.
643 The encryption mechanism used for GSS-wrap-based messages is as
644 follows:
647 WRAP(Kss, encrypt, direction, export, seq_num, data)
648 {
649 struct Token { // 32 octets
650 struct Header {
651 OCTET TOK_ID[2];
652 OCTET SGN_ALG[2];
653 OCTET SEAL_ALG[2];
654 OCTET Filler[2];
655 };
656 OCTET SND_SEQ[8];
657 OCTET SGN_CKSUM[8];
658 OCTET Confounder[8];
659 } Token;
662 Token.TOK_ID = 02 01;
663 Token.SGN_SLG = 11 00;
664 Token.SEAL_ALG = (no_encrypt)? ff ff : 10 00;
665 Token.Filler = ff ff;
667 // Create the sequence number
669 if (direction == sender_is_initiator)
670 {
674 Jaganathan, et al. Informational [Page 12]
675 \f
676 RFC 4757 RC4-HMAC December 2006
679 memset(&Token.SEND_SEQ[4], 0xff, 4)
680 }
681 else if (direction == sender_is_acceptor)
682 {
683 memset(&Token.SEND_SEQ[4], 0, 4)
684 }
685 Token.SEND_SEQ[0] = (seq_num & 0xff000000) >> 24;
686 Token.SEND_SEQ[1] = (seq_num & 0x00ff0000) >> 16;
687 Token.SEND_SEQ[2] = (seq_num & 0x0000ff00) >> 8;
688 Token.SEND_SEQ[3] = (seq_num & 0x000000ff);
690 // Generate random confounder
692 nonce(&Token.Confounder, 8);
694 // Derive signing key from session key
696 Ksign = HMAC(Kss, "signaturekey");
698 // Generate checksum of message -
699 // SGN_CKSUM + Token.Confounder
700 // Key derivation salt = 15
702 Sgn_Cksum = MD5((int32)15, Token.Header,
703 Token.Confounder);
705 // Derive encryption key for data
706 // Key derivation salt = 0
708 for (i = 0; i < 16; i++) Klocal[i] = Kss[i] ^ 0xF0;
709 // XOR
710 if (exportable)
711 {
712 Kcrypt = HMAC(Klocal, "fortybits", (int32)0);
713 // len includes terminating null
714 memset(Kcrypt+7, 0xab, 7);
715 }
716 else
717 {
718 Kcrypt = HMAC(Klocal, (int32)0);
719 }
721 // new encryption key salted with seq
723 Kcrypt = HMAC(Kcrypt, (int32)seq);
730 Jaganathan, et al. Informational [Page 13]
731 \f
732 RFC 4757 RC4-HMAC December 2006
735 // Encrypt confounder (if encrypting)
737 if (encrypt)
738 RC4(Kcrypt, Token.Confounder);
740 // Sum the data buffer
742 Sgn_Cksum += MD5(data); // Append to checksum
744 // Encrypt the data (if encrypting)
746 if (encrypt)
747 RC4(Kcrypt, data);
749 // Save first 8 octets of HMAC Sgn_Cksum
751 Sgn_Cksum = HMAC(Ksign, Sgn_Cksum);
752 memcpy(Token.SGN_CKSUM, Sgn_Cksum, 8);
754 // Derive encryption key for the sequence number
755 // Key derivation salt = 0
757 if (exportable)
758 {
759 Kseq = HMAC(Kss, "fortybits", (int32)0);
760 // len includes terminating null
761 memset(Kseq+7, 0xab, 7)
762 }
763 else
764 {
765 Kseq = HMAC(Kss, (int32)0);
766 }
767 Kseq = HMAC(Kseq, Token.SGN_CKSUM);
769 // Encrypt the sequence number
771 RC4(Kseq, Token.SND_SEQ);
773 // Encrypted message = Token + Data
774 }
776 The character constant "fortybits" evolved from the time when a
777 40-bit key length was all that was exportable from the United States.
778 It is now used to recognize that the key length is of "exportable"
779 length. In this description, the key size is actually 56 bits.
786 Jaganathan, et al. Informational [Page 14]
787 \f
788 RFC 4757 RC4-HMAC December 2006
791 8. Security Considerations
793 Care must be taken in implementing these encryption types because
794 they use a stream cipher. If a different IV is not used in each
795 direction when using a session key, the encryption is weak. By using
796 the sequence number as an IV, this is avoided.
798 There are two classes of attack on RC4 described in [MIRONOV].
799 Strong distinguishers distinguish an RC4 keystream from randomness at
800 the start of the stream. Weak distinguishers can operate on any part
801 of the keystream, and the best ones, described in [FMcG] and
802 [MANTIN05], can exploit data from multiple, different keystreams. A
803 consequence of these is that encrypting the same data (for instance,
804 a password) sufficiently many times in separate RC4 keystreams can be
805 sufficient to leak information to an adversary. The encryption types
806 defined in this document defend against these by constructing a new
807 keystream for every message. However, it is RECOMMENDED not to use
808 the RC4 encryption types defined in this document for high-volume
809 connections.
811 Weaknesses in MD4 [BOER91] were demonstrated by den Boer and
812 Bosselaers in 1991. In August 2004, Xiaoyun Wang, et al., reported
813 MD4 collisions generated using hand calculation [WANG04].
814 Implementations based on Wang's algorithm can find collisions in real
815 time. However, the intended usage of MD4 described in this document
816 does not rely on the collision-resistant property of MD4.
817 Furthermore, MD4 is always used in the context of a keyed hash in
818 this document. Although no evidence has suggested keyed MD4 hashes
819 are vulnerable to collision-based attacks, no study has directly
820 proved that the HMAC-MD4 is secure: the existing study simply assumed
821 that the hash function used in HMAC is collision proof. It is thus
822 RECOMMENDED not to use the RC4 encryption types defined in this
823 document if alternative stronger encryption types, such as
824 aes256-cts-hmac-sha1-96 [RFC3962], are available.
826 9. IANA Considerations
828 Section 5 of this document defines two Kerberos encryption types
829 rc4-hmac (23) and rc4-hmac-exp (24). The Kerberos parameters
830 registration page at <http://www.iana.org/assignments/kerberos-
831 parameters> has been updated to reference this document for these two
832 encryption types.
834 10. Acknowledgements
836 The authors wish to thank Sam Hartman, Ken Raeburn, and Qunli Li for
837 their insightful comments.
842 Jaganathan, et al. Informational [Page 15]
843 \f
844 RFC 4757 RC4-HMAC December 2006
847 11. References
849 11.1. Normative References
851 [RFC1320] Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320,
852 April 1992.
854 [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
855 April 1992.
857 [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
858 RFC 1964, June 1996.
860 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
861 Hashing for Message Authentication", RFC 2104,
862 February 1997.
864 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
865 Requirement Levels", BCP 14, RFC 2119, March 1997.
867 [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for
868 Kerberos 5", RFC 3961, February 2005.
870 [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES)
871 Encryption for Kerberos 5", RFC 3962, February 2005.
873 [RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
874 Kerberos Network Authentication Service (V5)", RFC 4120,
875 July 2005.
877 [RFC4537] Zhu, L., Leach, P., and K. Jaganathan, "Kerberos
878 Cryptosystem Negotiation Extension", RFC 4537, June 2006.
880 11.2. Informative References
882 [BOER91] den Boer, B. and A. Bosselaers, "An Attack on the Last Two
883 Rounds of MD4", Proceedings of the 11th Annual
884 International Cryptology Conference on Advances in
885 Cryptology, pages: 194 - 203, 1991.
887 [FMcG] Fluhrer, S. and D. McGrew, "Statistical Analysis of the
888 Alleged RC4 Keystream Generator", Fast Software
889 Encryption: 7th International Workshop, FSE 2000, April
890 2000, <http://www.mindspring.com/~dmcgrew/rc4-03.pdf>.
898 Jaganathan, et al. Informational [Page 16]
899 \f
900 RFC 4757 RC4-HMAC December 2006
903 [MANTIN05] Mantin, I., "Predicting and Distinguishing Attacks on RC4
904 Keystream Generator", Advances in Cryptology -- EUROCRYPT
905 2005: 24th Annual International Conference on the Theory
906 and Applications of Cryptographic Techniques, May 2005.
908 [MIRONOV] Mironov, I., "(Not So) Random Shuffles of RC4", Advances
909 in Cryptology -- CRYPTO 2002: 22nd Annual International
910 Cryptology Conference, August 2002,
911 <http://eprint.iacr.org/2002/067.pdf>.
913 [WANG04] Wang, X., Lai, X., Feng, D., Chen, H., and X. Yu,
914 "Cryptanalysis of Hash functions MD4 and RIPEMD", August
915 2004, <http://www.infosec.sdu.edu.cn/paper/md4-ripemd-
916 attck.pdf>.
918 Authors' Addresses
920 Karthik Jaganathan
921 Microsoft Corporation
922 One Microsoft Way
923 Redmond, WA 98052
924 US
926 EMail: karthikj@microsoft.com
929 Larry Zhu
930 Microsoft Corporation
931 One Microsoft Way
932 Redmond, WA 98052
933 US
935 EMail: lzhu@microsoft.com
938 John Brezak
939 Microsoft Corporation
940 One Microsoft Way
941 Redmond, WA 98052
942 US
944 EMail: jbrezak@microsoft.com
954 Jaganathan, et al. Informational [Page 17]
955 \f
956 RFC 4757 RC4-HMAC December 2006
959 Full Copyright Statement
961 Copyright (C) The IETF Trust (2006).
963 This document is subject to the rights, licenses and restrictions
964 contained in BCP 78, and except as set forth therein, the authors
965 retain all their rights.
967 This document and the information contained herein are provided on an
968 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
969 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST,
970 AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
971 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
972 THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
973 IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
974 PURPOSE.
976 Intellectual Property
978 The IETF takes no position regarding the validity or scope of any
979 Intellectual Property Rights or other rights that might be claimed to
980 pertain to the implementation or use of the technology described in
981 this document or the extent to which any license under such rights
982 might or might not be available; nor does it represent that it has
983 made any independent effort to identify any such rights. Information
984 on the procedures with respect to rights in RFC documents can be
985 found in BCP 78 and BCP 79.
987 Copies of IPR disclosures made to the IETF Secretariat and any
988 assurances of licenses to be made available, or the result of an
989 attempt made to obtain a general license or permission for the use of
990 such proprietary rights by implementers or users of this
991 specification can be obtained from the IETF on-line IPR repository at
992 http://www.ietf.org/ipr.
994 The IETF invites any interested party to bring to its attention any
995 copyrights, patents or patent applications, or other proprietary
996 rights that may cover technology that may be required to implement
997 this standard. Please address the information to the IETF at
998 ietf-ipr@ietf.org.
1000 Acknowledgement
1002 Funding for the RFC Editor function is currently provided by the
1003 Internet Society.
1010 Jaganathan, et al. Informational [Page 18]
1011 \f