AES Encryption with HMAC-SHA2 for Kerberos 5
draft-ietf-kitten-aes-cts-hmac-sha2-11
Document history
Date | Rev. | By | Action |
---|---|---|---|
2016-10-25 | 11 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2016-10-19 | 11 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2016-10-19 | 11 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2016-09-15 | 11 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2016-09-15 | 11 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
2016-09-14 | 11 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2016-09-14 | 11 | (System) | IANA Action state changed to In Progress from On Hold |
2016-09-01 | 11 | (System) | IANA Action state changed to On Hold from In Progress |
2016-09-01 | 11 | (System) | RFC Editor state changed to EDIT |
2016-09-01 | 11 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2016-09-01 | 11 | (System) | Announcement was received by RFC Editor |
2016-09-01 | 11 | (System) | IANA Action state changed to In Progress |
2016-09-01 | 11 | Amy Vezza | IESG state changed to Approved-announcement sent from IESG Evaluation::AD Followup |
2016-09-01 | 11 | Amy Vezza | IESG has approved the document |
2016-09-01 | 11 | Amy Vezza | Closed "Approve" ballot |
2016-09-01 | 11 | Amy Vezza | Ballot approval text was generated |
2016-09-01 | 11 | Amy Vezza | Ballot writeup was changed |
2016-09-01 | 11 | Stephen Farrell | RFC Editor Note was changed |
2016-09-01 | 11 | Stephen Farrell | RFC Editor Note for ballot was generated |
2016-09-01 | 11 | Stephen Farrell | RFC Editor Note for ballot was generated |
2016-08-30 | 11 | Jari Arkko | [Ballot Position Update] Position for Jari Arkko has been changed to No Objection from Discuss |
2016-08-26 | 11 | Michael Jenkins | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2016-08-26 | 11 | Michael Jenkins | New version available: draft-ietf-kitten-aes-cts-hmac-sha2-11.txt |
2016-08-18 | 10 | Cindy Morgan | IESG state changed to IESG Evaluation::AD Followup from IESG Evaluation |
2016-08-18 | 10 | Joel Jaeggli | [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli |
2016-08-18 | 10 | Jari Arkko | [Ballot discuss] There was a Gen-ART review from Vijay, with a question about the contents of the Context field. I don't think the document necessarily needs a change or even new text here, but at the very least we need an answer from the authors. I got the same question as Vijay when reading the draft. |
2016-08-18 | 10 | Jari Arkko | [Ballot Position Update] New position, Discuss, has been recorded for Jari Arkko |
2016-08-17 | 10 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2016-08-17 | 10 | Terry Manderson | [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson |
2016-08-17 | 10 | Kathleen Moriarty | [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty |
2016-08-17 | 10 | Ben Campbell | [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell |
2016-08-17 | 10 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
2016-08-16 | 10 | Suresh Krishnan | [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan |
2016-08-16 | 10 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2016-08-16 | 10 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
2016-08-16 | 10 | Alexey Melnikov | [Ballot comment] First mention of UTF-8 needs a reference to RFC 3629. |
2016-08-16 | 10 | Alexey Melnikov | [Ballot Position Update] New position, No Objection, has been recorded for Alexey Melnikov |
2016-08-15 | 10 | Mirja Kühlewind | [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind |
2016-08-15 | 10 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2016-08-11 | 10 | Jean Mahoney | Request for Telechat review by GENART is assigned to Vijay Gurbani |
2016-08-11 | 10 | Jean Mahoney | Request for Telechat review by GENART is assigned to Vijay Gurbani |
2016-08-08 | 10 | Gunter Van de Velde | Request for Last Call review by OPSDIR Completed: Ready. Reviewer: Scott Bradner. |
2016-08-05 | 10 | Stephen Farrell | Placed on agenda for telechat - 2016-08-18 |
2016-08-05 | 10 | Stephen Farrell | Changed consensus to Yes from Unknown |
2016-08-05 | 10 | Stephen Farrell | IESG state changed to IESG Evaluation from Waiting for Writeup |
2016-08-05 | 10 | Stephen Farrell | Ballot has been issued |
2016-08-05 | 10 | Stephen Farrell | [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell |
2016-08-05 | 10 | Stephen Farrell | Created "Approve" ballot |
2016-08-05 | 10 | Stephen Farrell | Ballot writeup was changed |
2016-08-02 | 10 | Sabrina Tanamal | IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK |
2016-07-29 | 10 | Vijay Gurbani | Request for Last Call review by GENART Completed: Ready. Reviewer: Vijay Gurbani. |
2016-07-21 | 10 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2016-07-20 | 10 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
2016-07-20 | 10 | Sabrina Tanamal | (Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs: IANA has completed its review of draft-ietf-kitten-aes-cts-hmac-sha2-10.txt. If any part of this review is inaccurate, please let us know. IANA understands that, upon approval of this document, there are two actions which IANA must complete. First, in the Kerberos Encryption Type Numbers subregistry of the Kerberos Parameters registry located at: https://www.iana.org/assignments/kerberos-parameters/ two new encryption type numbers are to be registered as follows: etype: [ TBD-at-registration ] encryption type: aes128-cts-hmac-sha256-128 Reference: [ RFC-to-be ] etype: [ TBD-at-registration ] encryption type: aes256-cts-hmac-sha384-192 Reference: [ RFC-to-be ] Second, in the Kerberos Checksum Type Numbers subregistry of the Kerberos Parameters registry located at: https://www.iana.org/assignments/kerberos-parameters/ two new checksum type numbers are to be registered as follows: sumtype value: [ TBD-at-registration ] Checksum type: hmac-sha256-128-aes128 checksum size: 16 Reference: [ RFC-to-be ] sumtype value: [ TBD-at-registration ] Checksum type: hmac-sha384-192-aes256 checksum size: 24 Reference: [ RFC-to-be ] As this document requests registrations in an Expert Review or Specification Required (see RFC 5226) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC. IANA understands that the two actions above are the only ones required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. Thank you, Sabrina Tanamal IANA Specialist ICANN |
2016-07-14 | 10 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Watson Ladd. |
2016-07-11 | 10 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Scott Bradner |
2016-07-11 | 10 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Scott Bradner |
2016-07-07 | 10 | Jean Mahoney | Request for Last Call review by GENART is assigned to Vijay Gurbani |
2016-07-07 | 10 | Jean Mahoney | Request for Last Call review by GENART is assigned to Vijay Gurbani |
2016-07-06 | 10 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Watson Ladd |
2016-07-06 | 10 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Watson Ladd |
2016-07-06 | 10 | Cindy Morgan | IANA Review state changed to IANA - Review Needed |
2016-07-06 | 10 | Cindy Morgan | The following Last Call announcement was sent out: From: The IESG To: "IETF-Announce" CC: draft-ietf-kitten-aes-cts-hmac-sha2@ietf.org, kitten-chairs@ietf.org, "Benjamin Kaduk" , kitten@ietf.org, kaduk@mit.edu, stephen.farrell@cs.tcd.ie Reply-To: ietf@ietf.org Sender: Subject: Last Call: (AES Encryption with HMAC-SHA2 for Kerberos 5) to Informational RFC The IESG has received a request from the Common Authentication Technology Next Generation WG (kitten) to consider the following document: - 'AES Encryption with HMAC-SHA2 for Kerberos 5' as Informational RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2016-07-20. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document specifies two encryption types and two corresponding checksum types for Kerberos 5. The new types use AES in CTS mode (CBC mode with ciphertext stealing) for confidentiality and HMAC with a SHA-2 hash for integrity. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-kitten-aes-cts-hmac-sha2/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-kitten-aes-cts-hmac-sha2/ballot/ No IPR declarations have been submitted directly on this I-D. |
2016-07-06 | 10 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2016-07-06 | 10 | Cindy Morgan | Last call announcement was generated |
2016-07-06 | 10 | Stephen Farrell | Last call was requested |
2016-07-06 | 10 | Stephen Farrell | IESG state changed to Last Call Requested from Publication Requested |
2016-07-05 | 10 | Benjamin Kaduk | 1. Summary Benjamin Kaduk is the document shepherd. Stephen Farrell is the responsible Area Director. This document specifies new Kerberos encryption types that use the AES block cipher and cryptographic hashes from the SHA-2 family. They differ from the existing AES encryption types by using SHA-2 hashes instead of SHA-1 (and truncating at a longer length), using encrypt-then-MAC instead of encrypt-and-MAC, and other changes to move closer towards current cryptographic best practices. It is expected that an updated Suite-B profile for Kerberos will make use of these new encryption types. This is an Informational document that specifies a new Kerberos encryption type; it does not need to update any Kerberos protocol elements. There will eventually be desire for another (set of) standards-track Kerberos encryption types, but it remains unclear whether that will be this set or some other cipher; there is no procedural reason to target standards-track at this time. 2. Review and Consensus There is consensus for this document, which brings incremental improvements to the cryptography available for use with Kerberos. Initial individual drafts attempted to combine a Suite B profile and new encryption types into a single document, but the new encryption types have been split out into this document appropriately, with the Suite B profile to follow separately. The two main issues that shaped this document's evolution were the decision between the CBC and CTS cipher modes, and the use of a random IV versus a random confounder. CBC modes are simpler and more typical for Suite-B deployments, but they bring a larger range of possible ciphertext expansions; there are reportedly applications written against Windows APIs that can only accommodate the 64-bit range of ciphertext expansion that was possible with the DES CBC-mode ciphers, and would fail badly for larger (128- or 256-bit) variable ciphertext expansion. The desire to not break such existing software forced the use of a CTS mode. Similarly, explicit random IVs are more typical for Suite-B deployments, but Kerberos has traditionally used an implicit random confounder prepended to the plaintext, with an initial zero IV. In this case, the confounder presents something of an advantage in that it does not expose the raw output of a participant's PRNG on the wire, which could potentially limit certain attacks against the PRNG algorithm in certain circumstances. Given that advantage and the Kerberos tradition, this document continues the use of a random confounder with initial zero IV, since they fulfil the same cryptographic purpose. This document (and its predecessors) has received a large amount of attention and review from essentially all of the prominent WG contributors, spread out over a few years, and there are multiple implementations that are able to reproduce the supplied test vectors. 3. Intellectual Property There are no intellectual property disclosures against this document, and all three authors have confirmed compliance with BCPs 78 and 79. 4. Other Points This document is a little old (~150 days, as noted by idnits) due to the shepherd being preoccupied due to moving residences. The IANA considerations are simple, just requesting assignment of four numbers in tables that are only number, name, and reference. |
2016-07-05 | 10 | Michael Jenkins | New version available: draft-ietf-kitten-aes-cts-hmac-sha2-10.txt |
2016-07-03 | 09 | Stephen Farrell | The careless AD almost started IETF LC even though there was recent traffic on the WG list that needs to be resolved first. -09 is fine from an AD review POV, so once the WG have resolved the issue being discussed now, this'll be fine to go ahead. |
2016-07-03 | 09 | Stephen Farrell | IESG state changed to Publication Requested from Last Call Requested |
2016-07-03 | 09 | Stephen Farrell | Last call was requested |
2016-07-03 | 09 | Stephen Farrell | Ballot approval text was generated |
2016-07-03 | 09 | Stephen Farrell | Ballot writeup was generated |
2016-07-03 | 09 | Stephen Farrell | IESG state changed to Last Call Requested from Publication Requested |
2016-07-03 | 09 | Stephen Farrell | Last call announcement was changed |
2016-07-03 | 09 | Stephen Farrell | Last call announcement was generated |
2016-06-27 | 09 | Benjamin Kaduk | 1. Summary Benjamin Kaduk is the document shepherd. Stephen Farrell is the responsible Area Director. This document specifies new Kerberos encryption types that use the AES block cipher and cryptographic hashes from the SHA-2 family. They differ from the existing AES encryption types by using SHA-2 hashes instead of SHA-1 (and truncating at a longer length), using encrypt-then-MAC instead of encrypt-and-MAC, and other changes to move closer towards current cryptographic best practices. It is expected that an updated Suite-B profile for Kerberos will make use of these new encryption types. This is an Informational document that specifies a new Kerberos encryption type; it does not need to update any Kerberos protocol elements. There will eventually be desire for another (set of) standards-track Kerberos encryption types, but it remains unclear whether that will be this set or some other cipher; there is no procedural reason to target standards-track at this time. 2. Review and Consensus There is consensus for this document, which brings incremental improvements to the cryptography available for use with Kerberos. Initial individual drafts attempted to combine a Suite B profile and new encryption types into a single document, but the new encryption types have been split out into this document appropriately, with the Suite B profile to follow separately. The two main issues that shaped this document's evolution were the decision between the CBC and CTS cipher modes, and the use of a random IV versus a random confounder. CBC modes are simpler and more typical for Suite-B deployments, but they bring a larger range of possible ciphertext expansions; there are reportedly applications written against Windows APIs that can only accommodate the 64-bit range of ciphertext expansion that was possible with the DES CBC-mode ciphers, and would fail badly for larger (128- or 256-bit) variable ciphertext expansion. The desire to not break such existing software forced the use of a CTS mode. Similarly, explicit random IVs are more typical for Suite-B deployments, but Kerberos has traditionally used an implicit random confounder prepended to the plaintext, with an initial zero IV. In this case, the confounder presents something of an advantage in that it does not expose the raw output of a participant's PRNG on the wire, which could potentially limit certain attacks against the PRNG algorithm in certain circumstances. Given that advantage and the Kerberos tradition, this document continues the use of a random confounder with initial zero IV, since they fulfil the same cryptographic purpose. This document (and its predecessors) has received a large amount of attention and review from essentially all of the prominent WG contributors, spread out over a few years, and there are multiple implementations that are able to reproduce the supplied test vectors. 3. Intellectual Property There are no intellectual property disclosures against this document, and the authors have been asked to confirm compliance with BCPs 78 and 79. 4. Other Points This document is a little old (~150 days, as noted by idnits) due to the shepherd being preoccupied due to moving residences. The IANA considerations are simple, just requesting assignment of four numbers in tables that are only number, name, and reference. |
2016-06-27 | 09 | Benjamin Kaduk | Responsible AD changed to Stephen Farrell |
2016-06-27 | 09 | Benjamin Kaduk | IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up |
2016-06-27 | 09 | Benjamin Kaduk | IESG state changed to Publication Requested |
2016-06-27 | 09 | Benjamin Kaduk | IESG process started in state Publication Requested |
2016-06-27 | 09 | Benjamin Kaduk | Intended Status changed to Informational from None |
2016-06-26 | 09 | Benjamin Kaduk | Changed document writeup |
2016-06-26 | 09 | Benjamin Kaduk | Notification list changed to "Benjamin Kaduk" <kaduk@mit.edu> |
2016-06-26 | 09 | Benjamin Kaduk | Document shepherd changed to Benjamin Kaduk |
2016-04-16 | 09 | Benjamin Kaduk | Tag Revised I-D Needed - Issue raised by WGLC cleared. |
2016-04-16 | 09 | Benjamin Kaduk | IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call |
2016-01-26 | 09 | Michael Jenkins | New version available: draft-ietf-kitten-aes-cts-hmac-sha2-09.txt |
2015-12-23 | 08 | Benjamin Kaduk | The WG elected to go with CTS over CBC due to concerns about the inability of software in the Windows ecosystem to handle variable-length ciphertext expansion larger than 7 octets. |
2015-12-23 | 08 | Benjamin Kaduk | This document now replaces draft-ietf-kitten-aes-cbc-hmac-sha2 instead of None |
2015-12-09 | 08 | Michael Peck | New version available: draft-ietf-kitten-aes-cts-hmac-sha2-08.txt |
2015-12-03 | 07 | Michael Peck | New version available: draft-ietf-kitten-aes-cts-hmac-sha2-07.txt |
2015-04-27 | 06 | Benjamin Kaduk | Tag Revised I-D Needed - Issue raised by WGLC set. |
2015-04-27 | 06 | Benjamin Kaduk | IETF WG state changed to In WG Last Call from WG Document |
2015-02-10 | 06 | Michael Jenkins | New version available: draft-ietf-kitten-aes-cts-hmac-sha2-06.txt |
2014-09-23 | 05 | Michael Jenkins | New version available: draft-ietf-kitten-aes-cts-hmac-sha2-05.txt |
2014-07-21 | 04 | Michael Jenkins | New version available: draft-ietf-kitten-aes-cts-hmac-sha2-04.txt |
2014-07-02 | 03 | Michael Peck | New version available: draft-ietf-kitten-aes-cts-hmac-sha2-03.txt |
2014-05-06 | 02 | Michael Peck | New version available: draft-ietf-kitten-aes-cts-hmac-sha2-02.txt |
2013-06-28 | 01 | Kelley Burgin | New version available: draft-ietf-kitten-aes-cts-hmac-sha2-01.txt |
2013-04-19 | 00 | Kelley Burgin | New version available: draft-ietf-kitten-aes-cts-hmac-sha2-00.txt |
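The shepherd writeup above turns on two design points: CTS (CBC with ciphertext stealing) keeps ciphertext expansion constant where padded CBC makes it vary, and a random confounder prepended to the plaintext with a zero IV replaces an explicit random IV, with the HMAC applied encrypt-then-MAC. The Go program below is an added example, not code from the draft or from any of the implementations it mentions; Ke, Ki and the confounder are constructed inputs (the draft's key derivation is not reproduced), and taking the MAC over the IV followed by the ciphertext is an assumption made here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// ctsEncrypt is CBC with ciphertext stealing, CS3 as Kerberos uses it: the last two
// blocks swap and the last may be partial, so ciphertext length == plaintext length.
func ctsEncrypt(block cipher.Block, iv, pt []byte) []byte {
	bs, n := block.BlockSize(), len(pt)
	if n < bs {
		panic("cts: plaintext shorter than one block")
	}
	rem := (n-1)%bs + 1 // length of the final block, 1..bs
	head := n - rem     // bytes in the full blocks that precede it
	out := make([]byte, n)
	if head == 0 { // exactly one block: plain CBC, nothing to steal
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, pt)
		return out
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[:head], pt[:head]) // plain CBC prefix
	// Zero-pad the final block, chain it with C_k and encrypt; the result takes
	// C_k's slot and the first rem bytes of C_k become the (partial) tail.
	ck := append([]byte(nil), out[head-bs:head]...)
	padded := make([]byte, bs)
	copy(padded, pt[head:])
	cipher.NewCBCEncrypter(block, ck).CryptBlocks(out[head-bs:head], padded)
	copy(out[head:], ck[:rem])
	return out
}

// seal follows the draft's layout: confounder (one fresh random block, passed in
// by the caller here) | plaintext, CTS-encrypted under Ke with a zero IV, then
// HMAC-SHA-256 over (IV | ciphertext) under Ki truncated to 16 bytes and
// appended (encrypt-then-MAC). The draft's derivation of Ke/Ki is not reproduced.
func seal(ke, ki, conf, pt []byte) []byte {
	block, err := aes.NewCipher(ke)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize) // zero IV: the confounder carries the randomness
	ct := ctsEncrypt(block, iv, append(append([]byte{}, conf...), pt...)) // conf makes it >= 1 block
	mac := hmac.New(sha256.New, ki)
	mac.Write(append(iv, ct...)) // MAC input IV | ciphertext is an assumption of this example
	return append(ct, mac.Sum(nil)[:16]...)
}

// ctsExpansion is len(sealed) - len(message): always 32 (confounder + tag),
// whatever the message length, because CTS adds no padding.
func ctsExpansion(n int) int {
	ke, ki := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16) // constructed test keys
	conf := bytes.Repeat([]byte{0x33}, 16)                                   // constructed, fixed for the demo
	return len(seal(ke, ki, conf, make([]byte, n))) - n
}

// cbcPaddedExpansion is the same layout over padded CBC: the padding term makes it
// swing between 33 and 48 bytes with message length, the variability the writeup says some Windows-API applications cannot handle.
func cbcPaddedExpansion(n int) int {
	return 32 + aes.BlockSize - n%aes.BlockSize
}
```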