AES Encryption with HMAC-SHA2 for Kerberos 5
RFC 8009

Type: RFC - Informational (October 2016; No errata)
Last updated: 2016-10-27
Replaces: draft-ietf-kitten-aes-cbc-hmac-sha2
Stream: IETF
WG state: Submitted to IESG for Publication
Document shepherd: Benjamin Kaduk
Shepherd write-up: last changed 2016-07-05
IESG state: RFC 8009 (Informational)
Consensus Boilerplate: Yes
Responsible AD: Stephen Farrell
Send notices to: "Benjamin Kaduk" <kaduk@mit.edu>
IANA review state: Version Changed - Review Needed
IANA action state: RFC-Ed-Ack

Internet Engineering Task Force (IETF)                        M. Jenkins
Request for Comments: 8009                      National Security Agency
Category: Informational                                          M. Peck
ISSN: 2070-1721                                    The MITRE Corporation
                                                               K. Burgin
                                                            October 2016

              AES Encryption with HMAC-SHA2 for Kerberos 5

Abstract

   This document specifies two encryption types and two corresponding
   checksum types for Kerberos 5.  The new types use AES in CTS mode
   (CBC mode with ciphertext stealing) for confidentiality and HMAC with
   a SHA-2 hash for integrity.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc8009.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Jenkins, et al.               Informational                     [Page 1]
RFC 8009            AES-CTS HMAC-SHA2 For Kerberos 5        October 2016

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Protocol Key Representation  . . . . . . . . . . . . . . . . .  3
   3.  Key Derivation Function  . . . . . . . . . . . . . . . . . . .  3
   4.  Key Generation from Pass Phrases . . . . . . . . . . . . . . .  4
   5.  Kerberos Algorithm Protocol Parameters . . . . . . . . . . . .  5
   6.  Checksum Parameters  . . . . . . . . . . . . . . . . . . . . .  7
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
     8.1.  Random Values in Salt Strings  . . . . . . . . . . . . . .  9
     8.2.  Algorithm Rationale  . . . . . . . . . . . . . . . . . . .  9
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 10
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 11
   Appendix A.  Test Vectors  . . . . . . . . . . . . . . . . . . . . 12
   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 19
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19

1.  Introduction

   This document defines two encryption types and two corresponding
   checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys.

   To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode
   defined in [SP800-38A+], also referred to as ciphertext stealing or
   CTS mode.  The new types conform to the framework specified in
   [RFC3961], but do not use the simplified profile, as the simplified
   profile is not compliant with modern cryptographic best practices
   such as calculating Message Authentication Codes (MACs) over
   ciphertext rather than plaintext.

   The encryption and checksum types defined in this document are
   intended to support environments that desire to use SHA-256 or
   SHA-384 (defined in [FIPS180]) as the hash algorithm.  Differences
   between the encryption and checksum types defined in this document
   and the pre-existing Kerberos AES encryption and checksum types
   specified in [RFC3962] are:

   *  The pseudorandom function (PRF) used by PBKDF2 is HMAC-SHA-256 or
      HMAC-SHA-384.  (HMAC is defined in [RFC2104].)

   *  A key derivation function from [SP800-108] using the SHA-256 or
      SHA-384 hash algorithm is used to produce keys for encryption,
      integrity protection, and checksum operations.
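
   The two differences listed above, as an added Python example that is
   not part of the RFC text: PBKDF2 with an HMAC-SHA-2 PRF turns a pass
   phrase into a base key, and one block of the SP800-108 counter-mode
   KDF yields the usage-specific keys.  The input layout, label bytes,
   key lengths and default iteration count follow Sections 3 to 5 of the
   full RFC rather than this excerpt; the pass phrase, salt and function
   names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# enctype name -> (hash, base/Ke key bits, Kc/Ki key bits), per the full RFC
ENCTYPES = {
    "aes128-cts-hmac-sha256-128": ("sha256", 128, 128),
    "aes256-cts-hmac-sha384-192": ("sha384", 256, 192),
}

def kdf_hmac_sha2(hash_name, key, label, k_bits, context=b""):
    """One block of the SP800-108 counter-mode KDF with HMAC as the PRF:
    k-truncate(HMAC(key, 0x00000001 | label | 0x00 | context | k))."""
    msg = (struct.pack(">I", 1) + label + b"\x00" + context
           + struct.pack(">I", k_bits))
    return hmac.new(key, msg, hash_name).digest()[: k_bits // 8]

def string_to_key(enctype, passphrase, salt, iterations=32768):
    """Pass phrase -> base key: PBKDF2 with HMAC-SHA-2, then the KDF."""
    hash_name, key_bits, _ = ENCTYPES[enctype]
    # saltp = enctype-name | 0x00 | salt
    saltp = enctype.encode("ascii") + b"\x00" + salt
    tkey = hashlib.pbkdf2_hmac(hash_name, passphrase, saltp,
                               iterations, key_bits // 8)
    return kdf_hmac_sha2(hash_name, tkey, b"kerberos", key_bits)

def derive_usage_keys(enctype, base_key, usage):
    """Separate checksum (Kc), encryption (Ke) and integrity (Ki) keys."""
    hash_name, key_bits, mac_bits = ENCTYPES[enctype]
    u = struct.pack(">I", usage)  # key usage number, 4 bytes big-endian
    return {
        "Kc": kdf_hmac_sha2(hash_name, base_key, u + b"\x99", mac_bits),
        "Ke": kdf_hmac_sha2(hash_name, base_key, u + b"\xaa", key_bits),
        "Ki": kdf_hmac_sha2(hash_name, base_key, u + b"\x55", mac_bits),
    }

def demo(enctype):
    # Constructed sample inputs (not test vectors from the RFC).
    base = string_to_key(enctype, b"correct horse battery staple",
                         b"EXAMPLE.COMalice")
    return base, derive_usage_keys(enctype, base, usage=2)

if __name__ == "__main__":
    for name in ENCTYPES:
        base, keys = demo(name)
        print(name, "base", base.hex())
        for k, v in keys.items():
            print("  ", k, v.hex())
```

   An implementation should be checked against the test vectors in
   Appendix A of the RFC before it is relied on for interoperability.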
