A Pseudo-Random Function (PRF) API Extension for the Generic Security Service Application Program Interface (GSS-API)
RFC 4401

Document type: RFC - Proposed Standard (February 2006; No errata)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4401 (Proposed Standard)
Responsible AD: Sam Hartman
Send notices to: jaltman@columbia.edu, nicolas.williams@sun.com

Network Working Group                                        N. Williams
Request for Comments: 4401                              Sun Microsystems
Category: Standards Track                                  February 2006

         A Pseudo-Random Function (PRF) API Extension for the
    Generic Security Service Application Program Interface (GSS-API)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document defines a Pseudo-Random Function (PRF) extension to the
   Generic Security Service Application Program Interface (GSS-API) for
   keying application protocols given an established GSS-API security
   context.  The primary intended use of this function is to key secure
   session layers that do not or cannot use GSS-API per-message message
   integrity check (MIC) and wrap tokens for session protection.

Table of Contents

   1. Introduction ....................................................2
      1.1. Conventions Used in This Document ..........................2
   2. GSS_Pseudo_random() .............................................2
      2.1. C-Bindings .................................................5
   3. IANA Considerations .............................................5
   4. Security Considerations .........................................5
   5. References ......................................................7
      5.1. Normative References .......................................7
      5.2. Informative References .....................................7

Williams                    Standards Track                     [Page 1]
RFC 4401            A PRF Extension for the GSS-API        February 2006

1.  Introduction

   A need has arisen for users of the GSS-API to key applications'
   cryptographic protocols using established GSS-API security contexts.
   Such applications can use the GSS-API [RFC2743] for authentication,
   but not for transport security (for whatever reasons), and since the
   GSS-API does not provide a method for obtaining keying material from
   established security contexts, such applications cannot make
   effective use of the GSS-API.

   To address this need, we define a pseudo-random function (PRF)
   extension to the GSS-API.

   Though this document specifies an abstract API as an extension to the
   GSS-API version 2, update 1, and though it specifies the bindings of
   this extension for the C programming language, it does not specify a
   revision of the GSS-API and so does not address the matter of how
   portable applications detect support for and ensure access to this
   extension.  We defer this matter to an expected, comprehensive update
   to the GSS-API.

1.1.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  GSS_Pseudo_random()

   Inputs:

   o  context CONTEXT handle,

   o  prf_key INTEGER,

   o  prf_in OCTET STRING,

   o  desired_output_len INTEGER

   Outputs:

   o  major_status INTEGER,

   o  minor_status INTEGER,

   o  prf_out OCTET STRING

   Return major_status codes:

   o  GSS_S_COMPLETE indicates no error.

   o  GSS_S_NO_CONTEXT indicates that a null context has been provided
      as input.

   o  GSS_S_CONTEXT_EXPIRED indicates that an expired context has been
      provided as input.

   o  GSS_S_UNAVAILABLE indicates that the mechanism lacks support for
      this function or, if the security context is not fully
      established, that the context is not ready to compute the PRF with
      the given prf_key, or that the given prf_key is not available.

   o  GSS_S_FAILURE indicates general failure, possibly due to the given
      input data being too large or of zero length, or due to the
      desired_output_len being zero; the minor status code may provide
      additional information.
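   The call contract above, as an added Python model that is not part of
   the RFC and not any real GSS-API mechanism's PRF: a stand-in context
   holds per-prf_key key material, each failure path maps onto the
   major_status codes listed, and an HMAC-SHA-256 counter construction
   (an assumption of this model, as are the numeric status values and the
   input-size limit) stretches output to desired_output_len.  It also
   shows the intended use from the Abstract: two peers holding the same
   established context derive an identical key for a non-GSS session
   layer.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Major status codes named in the spec; numeric values are constructed for this
# model and are not the C-binding encodings.
(GSS_S_COMPLETE, GSS_S_NO_CONTEXT, GSS_S_CONTEXT_EXPIRED,
 GSS_S_UNAVAILABLE, GSS_S_FAILURE) = range(5)
MAX_PRF_IN = 4096  # constructed upper bound on prf_in size


@dataclass
class Context:
    """Stand-in for an established GSS-API security context."""
    keys: dict                 # prf_key number -> key bytes (constructed)
    established: bool = True   # False models a partially established context
    expired: bool = False


def gss_pseudo_random(context, prf_key, prf_in, desired_output_len):
    """Model of GSS_Pseudo_random(); returns (major_status, minor_status, prf_out)."""
    if context is None:
        return GSS_S_NO_CONTEXT, 0, b""
    if context.expired:
        return GSS_S_CONTEXT_EXPIRED, 0, b""
    if not context.established or prf_key not in context.keys:
        # Context not ready for this prf_key, or the key is not available.
        return GSS_S_UNAVAILABLE, 0, b""
    if len(prf_in) == 0 or len(prf_in) > MAX_PRF_IN or desired_output_len <= 0:
        return GSS_S_FAILURE, 1, b""  # minor_status 1: constructed "bad input" code
    key = context.keys[prf_key]
    out = b""
    counter = 0
    while len(out) < desired_output_len:
        # Counter-prefixed HMAC blocks so any output length can be produced.
        block = counter.to_bytes(4, "big") + prf_in
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return GSS_S_COMPLETE, 0, out[:desired_output_len]


def derive_session_keys():
    """Both peers key a non-GSS transport from the same established context."""
    shared = {0: b"\x11" * 32}  # constructed: key material both sides hold
    initiator = Context(keys=dict(shared))
    acceptor = Context(keys=dict(shared))
    label = b"app-session-key"  # constructed prf_in agreed by the application
    return (gss_pseudo_random(initiator, 0, label, 48),
            gss_pseudo_random(acceptor, 0, label, 48))
```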

   This function applies the established context's mechanism's keyed
   pseudo-random function (PRF) to the input data ('prf_in'), keyed with
