Network Working Group N. Williams
Request for Comments: 4401 Sun Microsystems
Category: Standards Track February 2006
A Pseudo-Random Function (PRF) API Extension for the
Generic Security Service Application Program Interface (GSS-API)
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document defines a Pseudo-Random Function (PRF) extension to the
Generic Security Service Application Program Interface (GSS-API) for
keying application protocols given an established GSS-API security
context. The primary intended use of this function is to key secure
session layers that do not or cannot use GSS-API per-message message
integrity check (MIC) and wrap tokens for session protection.
Table of Contents
1. Introduction ....................................................2
1.1. Conventions Used in This Document ..........................2
2. GSS_Pseudo_random() .............................................2
2.1. C-Bindings .................................................5
3. IANA Considerations .............................................5
4. Security Considerations .........................................5
5. References ......................................................7
5.1. Normative References .......................................7
5.2. Informative References .....................................7
Williams Standards Track [Page 1]
RFC 4401 A PRF Extension for the GSS-API February 2006
1. Introduction
A need has arisen for users of the GSS-API to key applications'
cryptographic protocols using established GSS-API security contexts.
Such applications can use the GSS-API [RFC2743] for authentication,
but not for transport security (for whatever reasons), and since the
GSS-API does not provide a method for obtaining keying material from
established security contexts, such applications cannot make
effective use of the GSS-API.
To address this need, we define a pseudo-random function (PRF)
extension to the GSS-API.
Though this document specifies an abstract API as an extension to the
GSS-API version 2, update 1, and though it specifies the bindings of
this extension for the C programming language, it does not specify a
revision of the GSS-API and so does not address the matter of how
portable applications detect support for and ensure access to this
extension. We defer this matter to an expected, comprehensive update
to the GSS-API.
1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. GSS_Pseudo_random()
Inputs:
o context CONTEXT handle,
o prf_key INTEGER,
o prf_in OCTET STRING,
o desired_output_len INTEGER
Outputs:
o major_status INTEGER,
o minor_status INTEGER,
o prf_out OCTET STRING
Williams Standards Track [Page 2]
RFC 4401 A PRF Extension for the GSS-API February 2006
Return major_status codes:
o GSS_S_COMPLETE indicates no error.
o GSS_S_NO_CONTEXT indicates that a null context has been provided
as input.
o GSS_S_CONTEXT_EXPIRED indicates that an expired context has been
provided as input.
o GSS_S_UNAVAILABLE indicates that the mechanism lacks support for
this function or, if the security context is not fully
established, that the context is not ready to compute the PRF with
the given prf_key, or that the given prf_key is not available.
o GSS_S_FAILURE indicates general failure, possibly due to the given
input data being too large or of zero length, or due to the
desired_output_len being zero; the minor status code may provide
additional information.
This function applies the established context's mechanism's keyed
pseudo-random function (PRF) to the input data ('prf_in'), keyed with
datatracker.ietf.org