AES Encryption with HMAC-SHA2 for Kerberos 5
RFC 8009
Internet Engineering Task Force (IETF) M. Jenkins
Request for Comments: 8009 National Security Agency
Category: Informational M. Peck
ISSN: 2070-1721 The MITRE Corporation
K. Burgin
October 2016
AES Encryption with HMAC-SHA2 for Kerberos 5
Abstract
This document specifies two encryption types and two corresponding
checksum types for Kerberos 5. The new types use AES in CTS mode
(CBC mode with ciphertext stealing) for confidentiality and HMAC with
a SHA-2 hash for integrity.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc8009.
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Jenkins, et al. Informational [Page 1]
RFC 8009 AES-CTS HMAC-SHA2 For Kerberos 5 October 2016
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Protocol Key Representation . . . . . . . . . . . . . . . . . 3
3. Key Derivation Function . . . . . . . . . . . . . . . . . . . 3
4. Key Generation from Pass Phrases . . . . . . . . . . . . . . . 4
5. Kerberos Algorithm Protocol Parameters . . . . . . . . . . . . 5
6. Checksum Parameters . . . . . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 8
8.1. Random Values in Salt Strings . . . . . . . . . . . . . . 9
8.2. Algorithm Rationale . . . . . . . . . . . . . . . . . . . 9
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
9.1. Normative References . . . . . . . . . . . . . . . . . . . 10
9.2. Informative References . . . . . . . . . . . . . . . . . . 11
Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 12
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction
This document defines two encryption types and two corresponding
checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys.
To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode
defined in [SP800-38A+], also referred to as ciphertext stealing or
CTS mode. The new types conform to the framework specified in
[RFC3961], but do not use the simplified profile, as the simplified
profile is not compliant with modern cryptographic best practices
such as calculating Message Authentication Codes (MACs) over
ciphertext rather than plaintext.
The encryption and checksum types defined in this document are
intended to support environments that desire to use SHA-256 or
SHA-384 (defined in [FIPS180]) as the hash algorithm. Differences
between the encryption and checksum types defined in this document
and the pre-existing Kerberos AES encryption and checksum types
specified in [RFC3962] are:
* The pseudorandom function (PRF) used by PBKDF2 is HMAC-SHA-256 or
HMAC-SHA-384. (HMAC is defined in [RFC2104].)
* A key derivation function from [SP800-108] using the SHA-256 or
SHA-384 hash algorithm is used to produce keys for encryption,
integrity protection, and checksum operations.
Jenkins, et al. Informational [Page 2]
RFC 8009 AES-CTS HMAC-SHA2 For Kerberos 5 October 2016
* The HMAC is calculated over the cipher state concatenated with the
Show full document text