Internet-Draft                                                K. Raeburn
Kerberos Working Group                                               MIT
Updates: RFC 1964                                        August 13, 2003
Document: draft-ietf-krb-wg-gss-crypto-00.txt  expires February 13, 2004

                 General Kerberos Cryptosystem Support
                  for the Kerberos 5 GSSAPI Mechanism

Abstract

   This document describes an update to the Kerberos 5 mechanism for
   GSSAPI to allow the use of Kerberos-defined cryptosystems directly in
   GSSAPI messages, without requiring further changes for each new
   encryption or checksum algorithm that complies with the Kerberos
   crypto framework specifications.

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [RFC2026]. Internet-Drafts
   are working documents of the Internet Engineering Task Force (IETF),
   its areas, and its working groups. Note that other groups may also
   distribute working documents as Internet-Drafts. Internet-Drafts are
   draft documents valid for a maximum of six months and may be updated,
   replaced, or obsoleted by other documents at any time. It is
   inappropriate to use Internet-Drafts as reference material or to cite
   them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

1. Introduction

   Kerberos defines an encryption and checksum framework [KCRYPTO] that
   provides for complete specification and enumeration of cryptosystem
   specifications in a general way, to be used within Kerberos and
   associated protocols.  The GSSAPI Kerberos 5 mechanism definition
   [GSSAPI-KRB5] sets up a framework for enumerating encryption and
   checksum types, independently of how such schemes may be used in
   Kerberos, thus requiring updates for any new encryption or checksum
   algorithm not directly compatible with those already defined.




Raeburn                                                         [Page 1]


INTERNET DRAFT                                               August 2003


   This document describes an update to [GSSAPI-KRB5] to allow the use
   of any Kerberos-defined cryptosystems directly in GSSAPI messages,
   without requiring further changes for each new encryption or checksum
   algorithm that complies with the framework specifications, and
   without making assumptions concerning block sizes or other
   characteristics of the underlying encryption operations.

2. Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

3. New Algorithm Identifiers

   Two new sealing algorithm numbers and one new signing algorithm
   number are defined, for use in MIC, Wrap and Delete tokens.


                 type          name          octet values
                 -----------------------------------------
                 seal   KERBEROS5-ENCRYPT       00 01
                 sign   KERBEROS5-CHECKSUM      00 01
                 sign          NONE             ff ff


   The KERBEROS5-ENCRYPT algorithm encrypts using the Kerberos
   encryption type [KCRYPTO] indicated by the encryption key type (using
   the session key or initiator's subkey, as described in [GSSAPI-
   KRB5]), with a key usage value KG_USAGE_SEAL, defined below.  All
   Kerberos encryption types provide for integrity protection, and
   specify any padding that might be required; neither needs to be done
   at the GSS mechanism level when KERBEROS5-ENCRYPT is used.  When
   KERBEROS5-ENCRYPT is used as the seal algorithm, the sign algorithm
   MUST be NONE.

   The signing algorithm value NONE MUST be used only with a sealing
   algorithm that incorporates integrity protection; currently,
   KERBEROS5-ENCRYPT is the only such sealing algorithm.

   The KERBEROS5-CHECKSUM signing algorithm MAY be used in other cases.
   The contents of the SGN_CKSUM field are determined by computing a
   Kerberos checksum [KCRYPTO], using the session key or subkey, and a
   key usage value of KG_USAGE_SIGN.  The Kerberos checksum algorithm to
   be used is the required-to-implement checksum algorithm associated
   with the encryption key type.  It should be noted that the checksum
   input data in this case is not the same as the "to-be-signed data"
   described in section 1.2.1.1 of [GSSAPI-KRB5]; see below.



Raeburn                                                         [Page 2]


INTERNET DRAFT                                               August 2003


   The encryption or checksum output incorporated in the MIC and Wrap
   tokens is the octet string output from the corresponding operation in
   [KCRYPTO]; it should not be confused with the EncryptedData or
   Checksum object in [KrbClar].

   For purposes of key derivation, we add two new usage values to the
   list defined in [KrbClar]; one for signing messages, and one for
   sealing messages:


                               name        value
                           ----------------------
                           KG_USAGE_SEAL    22
                           KG_USAGE_SIGN    23


4. Adjustments to Previous Definitions

4.1. Quality of Protection

   The GSSAPI specification [GSSAPI] says that a zero QOP value
   indicates the "default".  The original specification for the Kerberos
   5 mechanism says that a zero QOP value (or a QOP value with the
   appropriate bits clear) means DES encryption.

   Since the quality of protection cannot be improved without fully
   reauthenticating with a stronger key type, the QOP value is now
   ignored.

4.2. Message Layout

   The definitions of the MIC and Wrap tokens in [GSSAPI-KRB5] assumed
   an 8-byte checksum size, and a CBC-mode block cipher with an 8-byte
   block size, without integrity protection.  In the crypto framework
   described in [KCRYPTO], integrity protection is built into the
   encryption operations.  CBC mode is not assumed, and indeed there may
   be no initial vector to supply.  While the operations are performed
   on messages of specific sizes, the underlying cipher may be a stream
   cipher.

   We modify the message definitions such that the portions after the
   first 8 bytes (which specify the token identification and the signing
   and sealing algorithms) are defined by the algorithms chosen.  The
   remaining bytes must convey sequence number and direction
   information, and must protect the integrity of the token id and
   algorithm indicators.  For the DES-based algorithms specified in
   [GSSAPI-KRB5], the definition for the remaining data is backwards
   compatible.



Raeburn                                                         [Page 3]


INTERNET DRAFT                                               August 2003


   The revised message descriptions are thus as follows:


                                MIC token
          Byte #    Name         Description
          -------------------------------------------------------
            0..1    TOK_ID       Identification field (01 01).
            2..3    SGN_ALG      Integrity algorithm indicator.
            4..7    Filler       Contains ff ff ff ff
            8..N                 Dependent on SGN_ALG.

          If SGN_ALG is 0000, 0100, 0200:
            8..15   SND_SEQ      Sequence number/direction
                                 field, encrypted.
           16..23   SGN_CKSUM    Checksum of bytes 0..7 and
                                 application data, as described
                                 in [GSSAPI-KRB5].
          If SGN_ALG is 0001:
            8..15   SND_SEQ      Sequence number/direction
                                 field, NOT encrypted.
           16..N    SGN_CKSUM    Checksum of bytes 0..15 and
                                 application data, with key
                                 usage KG_USAGE_SIGN.


      Suggestions from Microsoft: Moving to 64-bit sequence numbers
      would be better for long sessions with many messages.  Using the
      direction flag to perturb the encryption or integrity protection
      is safer than simply including a flag which a buggy but mostly
      working implementation might fail to check.

      I am considering changing to use 64-bit sequence numbers, and
      omitting the direction flag from the transmitted cleartext data.
      How it would factor into the encrypted Wrap token, I haven't
      figured out yet.

      - Change the key usage values based on the direction?  It's
      suggested in [KCRYPTO], perhaps not strongly enough, that the key
      usage numbers should perturb the key, but DES ignores them,
      although DES shouldn't use this extension.

      - Add a direction flag byte in encrypted data?  Either depends on
      an implementor remembering to add the check.  Adding it to
      checksummed data requires that the implementor get it right.

      - Generate one or two new keys using PRF and random-to-key
      operations, using different keys for each direction?  Pulling the
      DK function out of the simplified profile is probably not a good



Raeburn                                                         [Page 4]


INTERNET DRAFT                                               August 2003


      way to do this.

   The filler bytes are included in the checksum calculation for
   simplicity.  There is no security benefit from including them.

   In the Wrap token, the initial bytes, sequence number and direction
   are incorporated into the data to be encrypted.  In most cases, this
   is likely to be more efficient in terms of space and computing power
   than using unencrypted sequence number and direction fields, adding a
   checksum, and doing the additional work to authenticate that the
   checksum and encrypted data are part of the same message.  (The
   framework in [KCRYPTO] has no support for integrity protection of a
   block of data only some of which is encrypted, except by treating the
   two portions independently and using some additional means to ensure
   that the two parts continue to be associated with one another.)

   The length is also included, as a 4-byte value in network byte order,
   because the decryption operation in the Kerberos crypto framework
   does not recover the exact length of the original input.  Thus,
   messages with application data larger than 4 gigabytes are not
   supported.

      [Q: Should this length be 8 bytes?  ASN.1 wrapper?]


                                Wrap token
       Byte #      Name         Description
       -------------------------------------------------------------
         0..1      TOK_ID       Identification field (02 01).
         2..3      SGN_ALG      Integrity algorithm indicator.
         4..5      SEAL_ALG     Sealing algorithm indicator.
         6..7      Filler       Contains ff ff
         8..last                Dependent on SEAL_ALG and SGN_ALG.

       If SEAL_ALG is 0000:
         8..15     SND_SEQ      Encrypted sequence number field.
        16..23     SGN_CKSUM    Checksum of plaintext padded data,
                                calculated according to algorithm
                                specified in SGN_ALG field.  (RFC
                                1964)
        24..last   Data         Encrypted padded data.

       If SEAL_ALG is 0001 and SGN_ALG is ffff:
         8..last   Data         Encrypted bytes 0..5, 2-byte
                                direction flag, sequence number,
                                4-byte data length, and data.





Raeburn                                                         [Page 5]


INTERNET DRAFT                                               August 2003


       If SEAL_ALG is ffff, and SGN_ALG is 0000, 0100, 0200:
         8..15     SND_SEQ      Encrypted sequence number field.
        16..23     SGN_CKSUM    Checksum of plaintext padded data,
                                as in RFC 1964.
        24..last   Data         plaintext padded data

       If SEAL_ALG if ffff, and SGN_ALG is 0001:
         8..15     SND_SEQ      Sequence number/direction field,
                                NOT encrypted.
        16..N      SGN_CKSUM    Checksum of bytes 0..15 and
                                application data, with key usage
                                KG_USAGE_SIGN.
       N+1..last   Data         plaintext data


   The direction flag, as in [GSSAPI-KRB5], is made up of bytes
   indicating the party sending the token: 00 for the context initiator,
   or hex FF for the context acceptor.  In the KERBEROS5-ENCRYPT case,
   only two bytes are used, and they replace the fixed filler bytes of
   the token header, which need no protection; this reduces slightly the
   redundancy of the data transmitted.

   The context-deletion token is essentially a MIC token with no user
   data and a different TOK_ID value.  Thus, its modification is
   straightforward.


                          Context deletion token
          Byte #    Name         Description
          -------------------------------------------------------
            0..1    TOK_ID       Identification field (01 02).
            2..3    SGN_ALG      Integrity algorithm indicator.
            4..7    Filler       Contains ff ff ff ff

          If SGN_ALG is 0000, 0100, 0200:
            8..15   SND_SEQ      Sequence number/direction
                                 field, encrypted.
           16..23   SGN_CKSUM    Checksum of bytes 0..7, as
                                 described in [GSSAPI-KRB5].

          If SGN_ALG is 0001:
            8..15   SND_SEQ      Sequence number/direction
                                 field, NOT encrypted.
           16..N    SGN_CKSUM    Checksum of bytes 0..15, with
                                 key usage KG_USAGE_SIGN.






Raeburn                                                         [Page 6]


INTERNET DRAFT                                               August 2003


5. Backwards Compatibility Considerations

   The context initiator should request of the KDC credentials using
   session-key cryptosystem types supported by that implementation; if
   the only types returned by the KDC are not supported by the mechanism
   implementation, it should indicate a failure.  This may seem obvious,
   but early implementations of both Kerberos and the GSSAPI Kerberos
   mechanism supported only DES keys, so the cryptosystem compatibility
   question was easy to overlook.

   Under the current mechanism, no negotiation of algorithm types
   occurs, so server-side (acceptor) implementations cannot request that
   clients not use algorithm types not understood by the server.
   However, administration of the server's Kerberos data (e.g., the
   service key) has to be done in communication with the KDC, and it is
   from the KDC that the client will request credentials.  The KDC could
   therefore be given the task of limiting session keys for a given
   service to types actually supported by the Kerberos and GSSAPI
   software on the server.

   This does have a drawback for cases where a service principal name is
   used both for GSSAPI-based and non-GSSAPI-based communication (most
   notably the "host" service key), if the GSSAPI implementation does
   not understand (for example) AES but the Kerberos implementation
   does.  It means that AES session keys cannot be issued for that
   service principal, which keeps the protection of non-GSSAPI services
   weaker than necessary.

   It would also be possible to have clients attempt to get DES session
   keys before trying to get AES session keys, and have the KDC refuse
   to issue the DES keys only for the most critical of services, for
   which DES protection is considered inadequate.  However, that would
   eliminate the possibility of connecting with the more secure
   cryptosystem to any service that can be accessed with the weaker
   cryptosystem.  We thus recommend the former approach, putting the
   burden on the KDC administration and gaining the best protection
   possible for GSSAPI services, possibly at the cost of weaker
   protection of non-GSSAPI Kerberos services sharing service principal
   names with GSSAPI services that have not been updated to support this
   extension.

   [optional:]

   This mechanism extension MUST NOT be used with the DES encryption key
   types described in [KCRYPTO], which ignore the key usage values.






Raeburn                                                         [Page 7]


INTERNET DRAFT                                               August 2003


6. Implementation Note

   At least two implementations have been done of extensions to the RFC
   1964 mechanism for specific non-DES encryption types.  These are not
   standards-track extensions, but implementors may wish to implement
   them as well for compatibility with existing products.  No guidance
   is provided as to when an implementation may wish to use these non-
   standard extensions instead of the extension specified in this
   document.

7. Security Considerations

   Various tradeoffs arise regarding the mixing of new and old software,
   or GSSAPI-based and non-GSSAPI Kerberos authentication.  They are
   discussed in section 5.

   Remember to check direction flag.  Key usage numbers and direction
   checks?  Considerations depend on the approach taken....

8. Acknowledgements

   Larry Zhu...

9. Normative References

   [GSSAPI]
      Linn, J., "Generic Security Service Application Program Interface
      Version 2, Update 1", RFC 2743, January, 2000.

   [GSSAPI-KRB5]
      Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC 1964,
      June, 1996.

   [KCRYPTO]
      draft-ietf-krb-wg-crypto-XX -> RFC xxxx

   [KrbClar]
      draft-ietf-krb-wg-kerberos-clarifications-XX -> RFC xxxx

   [RFC2026]
      RFC 2026 ...

   [RFC2119]
      RFC 2119 ...







Raeburn                                                         [Page 8]


INTERNET DRAFT                                               August 2003


10. Author's Address

   Kenneth Raeburn
   Massachusetts Institute of Technology
   77 Massachusetts Avenue
   Cambridge, MA 02139

Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."

Document Change History

Version -XX:

   Split up Abstract and create a real Introduction.  Fix RFC 2026
   reference in Status section.  Added Conventions, Acknowledgements and
   Implementation Note sections.  Updated References with more
   placeholders.  Capitalize some uses of "must" etc.

   Fill in case of Wrap token without integrity protection, using
   KERBEROS5-CHECKSUM for SGN_ALG.  Fix descriptions of which message
   layout is used for which algorithms.




Raeburn                                                         [Page 9]


INTERNET DRAFT                                               August 2003


   Remove discussion of authenticated encryption with additional data.

   Add discussion of 64-bit sequence numbers and data length, and
   alternate handling of the direction flag.


   Version -XX sent in early 2003 to Kerberos working group:

   Initial revision.










































Raeburn                                                        [Page 10]