
AES Encryption with HMAC-SHA2 for Kerberos 5
RFC 8009

Document history

Date Rev. By Action
2016-10-28
11 Jean Mahoney Closed request for Telechat review by GENART with state 'No Response'
2016-10-27
11 (System)
Received changes through RFC Editor sync (created alias RFC 8009, changed abstract to 'This document specifies two encryption types and two corresponding checksum types for Kerberos 5.  The new types use AES in CTS mode (CBC mode with ciphertext stealing) for confidentiality and HMAC with a SHA-2 hash for integrity.', changed pages to 19, changed standardization level to Informational, changed state to RFC, added RFC published event at 2016-10-27, changed IESG state to RFC Published)
2016-10-27
11 (System) RFC published
2016-10-25
11 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2016-10-19
11 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2016-10-19
11 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2016-09-15
11 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2016-09-15
11 (System) IANA Action state changed to Waiting on RFC Editor from Waiting on Authors
2016-09-14
11 (System) IANA Action state changed to Waiting on Authors from In Progress
2016-09-14
11 (System) IANA Action state changed to In Progress from On Hold
2016-09-01
11 (System) IANA Action state changed to On Hold from In Progress
2016-09-01
11 (System) RFC Editor state changed to EDIT
2016-09-01
11 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2016-09-01
11 (System) Announcement was received by RFC Editor
2016-09-01
11 (System) IANA Action state changed to In Progress
2016-09-01
11 Amy Vezza IESG state changed to Approved-announcement sent from IESG Evaluation::AD Followup
2016-09-01
11 Amy Vezza IESG has approved the document
2016-09-01
11 Amy Vezza Closed "Approve" ballot
2016-09-01
11 Amy Vezza Ballot approval text was generated
2016-09-01
11 Amy Vezza Ballot writeup was changed
2016-09-01
11 Stephen Farrell RFC Editor Note was changed
2016-09-01
11 Stephen Farrell RFC Editor Note for ballot was generated
2016-09-01
11 Stephen Farrell RFC Editor Note for ballot was generated
2016-08-30
11 Jari Arkko [Ballot Position Update] Position for Jari Arkko has been changed to No Objection from Discuss
2016-08-26
11 Michael Jenkins IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2016-08-26
11 Michael Jenkins New version available: draft-ietf-kitten-aes-cts-hmac-sha2-11.txt
2016-08-18
10 Cindy Morgan IESG state changed to IESG Evaluation::AD Followup from IESG Evaluation
2016-08-18
10 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2016-08-18
10 Jari Arkko
[Ballot discuss]
There was a Gen-ART review from Vijay, with a question about the contents of the Context field. I don't think the document necessarily needs a change or even new text here, but at the very least we need an answer from the authors. I got the same question as Vijay when reading the draft.
2016-08-18
10 Jari Arkko [Ballot Position Update] New position, Discuss, has been recorded for Jari Arkko
2016-08-17
10 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2016-08-17
10 Terry Manderson [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson
2016-08-17
10 Kathleen Moriarty [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty
2016-08-17
10 Ben Campbell [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell
2016-08-17
10 Alissa Cooper [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper
2016-08-16
10 Suresh Krishnan [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan
2016-08-16
10 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2016-08-16
10 Alia Atlas [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas
2016-08-16
10 Alexey Melnikov [Ballot comment]
First mention of UTF-8 needs a reference to RFC 3629.
2016-08-16
10 Alexey Melnikov [Ballot Position Update] New position, No Objection, has been recorded for Alexey Melnikov
2016-08-15
10 Mirja Kühlewind [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind
2016-08-15
10 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2016-08-11
10 Jean Mahoney Request for Telechat review by GENART is assigned to Vijay Gurbani
2016-08-11
10 Jean Mahoney Request for Telechat review by GENART is assigned to Vijay Gurbani
2016-08-08
10 Gunter Van de Velde Request for Last Call review by OPSDIR Completed: Ready. Reviewer: Scott Bradner.
2016-08-05
10 Stephen Farrell Placed on agenda for telechat - 2016-08-18
2016-08-05
10 Stephen Farrell Changed consensus to Yes from Unknown
2016-08-05
10 Stephen Farrell IESG state changed to IESG Evaluation from Waiting for Writeup
2016-08-05
10 Stephen Farrell Ballot has been issued
2016-08-05
10 Stephen Farrell [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell
2016-08-05
10 Stephen Farrell Created "Approve" ballot
2016-08-05
10 Stephen Farrell Ballot writeup was changed
2016-08-02
10 Sabrina Tanamal IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK
2016-07-29
10 Vijay Gurbani Request for Last Call review by GENART Completed: Ready. Reviewer: Vijay Gurbani.
2016-07-21
10 (System) IESG state changed to Waiting for Writeup from In Last Call
2016-07-20
10 (System) IANA Review state changed to IANA - Not OK from IANA - Review Needed
2016-07-20
10 Sabrina Tanamal
(Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-kitten-aes-cts-hmac-sha2-10.txt. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there are two actions which IANA must complete.

First, in the Kerberos Encryption Type Numbers subregistry of the Kerberos Parameters registry located at:

https://www.iana.org/assignments/kerberos-parameters/

two new encryption type numbers are to be registered as follows:

etype: [ TBD-at-registration ]
encryption type: aes128-cts-hmac-sha256-128
Reference: [ RFC-to-be ]

etype: [ TBD-at-registration ]
encryption type: aes256-cts-hmac-sha384-192
Reference: [ RFC-to-be ]

Second, in the Kerberos Checksum Type Numbers subregistry of the Kerberos Parameters registry located at:

https://www.iana.org/assignments/kerberos-parameters/

two new checksum type numbers are to be registered as follows:

sumtype value: [ TBD-at-registration ]
Checksum type: hmac-sha256-128-aes128
checksum size: 16
Reference: [ RFC-to-be ]

sumtype value: [ TBD-at-registration ]
Checksum type: hmac-sha384-192-aes256
checksum size: 24
Reference: [ RFC-to-be ]

As this document requests registrations in an Expert Review or Specification Required (see RFC 5226) registry, we will initiate the required Expert Review via a separate request. Expert review will need to be completed before your document can be approved for publication as an RFC.

IANA understands that the two actions above are the only ones required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. 


Thank you,

Sabrina Tanamal
IANA Specialist
ICANN
2016-07-14
10 Tero Kivinen Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Watson Ladd.
2016-07-11
10 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Scott Bradner
2016-07-11
10 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Scott Bradner
2016-07-07
10 Jean Mahoney Request for Last Call review by GENART is assigned to Vijay Gurbani
2016-07-07
10 Jean Mahoney Request for Last Call review by GENART is assigned to Vijay Gurbani
2016-07-06
10 Tero Kivinen Request for Last Call review by SECDIR is assigned to Watson Ladd
2016-07-06
10 Tero Kivinen Request for Last Call review by SECDIR is assigned to Watson Ladd
2016-07-06
10 Cindy Morgan IANA Review state changed to IANA - Review Needed
2016-07-06
10 Cindy Morgan
The following Last Call announcement was sent out:

From: The IESG
To: "IETF-Announce"
CC: draft-ietf-kitten-aes-cts-hmac-sha2@ietf.org, kitten-chairs@ietf.org, "Benjamin Kaduk" , kitten@ietf.org, kaduk@mit.edu, stephen.farrell@cs.tcd.ie
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (AES Encryption with HMAC-SHA2 for Kerberos 5) to Informational RFC


The IESG has received a request from the Common Authentication Technology
Next Generation WG (kitten) to consider the following document:
- 'AES Encryption with HMAC-SHA2 for Kerberos 5'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2016-07-20. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document specifies two encryption types and two corresponding
  checksum types for Kerberos 5.  The new types use AES in CTS mode
  (CBC mode with ciphertext stealing) for confidentiality and HMAC with
  a SHA-2 hash for integrity.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-kitten-aes-cts-hmac-sha2/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-kitten-aes-cts-hmac-sha2/ballot/


No IPR declarations have been submitted directly on this I-D.


2016-07-06
10 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2016-07-06
10 Cindy Morgan Last call announcement was generated
2016-07-06
10 Stephen Farrell Last call was requested
2016-07-06
10 Stephen Farrell IESG state changed to Last Call Requested from Publication Requested
2016-07-05
10 Benjamin Kaduk
1. Summary

Benjamin Kaduk is the document shepherd.  Stephen Farrell is the
responsible Area Director.

This document specifies new Kerberos encryption types that use the AES
block cipher and cryptographic hashes from the SHA-2 family.  They differ
from the existing AES encryption types by using SHA-2 hashes instead of
SHA-1 (and truncating at a longer length), using encrypt-then-MAC
instead of encrypt-and-MAC, and other changes to move closer towards
current cryptographic best practices.  It is expected that an updated
Suite-B profile for Kerberos will make use of these new encryption types.

This is an Informational document that specifies a new Kerberos
encryption type; it does not need to update any Kerberos protocol
elements.  There will eventually be desire for another (set of)
standards-track Kerberos encryption types, but it remains unclear
whether that will be this set or some other cipher; there is no procedural
reason to target standards-track at this time. 

2. Review and Consensus

There is consensus for this document, which brings incremental improvements
to the cryptography available for use with Kerberos.  Initial individual
drafts attempted to combine a Suite B profile and new encryption types
into a single document, but the new encryption types have been split out
into this document appropriately, with the Suite B profile to follow
separately.

The two main issues that shaped this document's evolution were the
decision between the CBC and CTS cipher modes, and the use of a random
IV versus a random confounder.  CBC modes are simpler and more
typical for Suite-B deployments, but they bring a larger range of possible
ciphertext expansions; there are reportedly applications written against
Windows APIs that can only accommodate the 64-bit range of ciphertext
expansion that was possible with the DES CBC-mode ciphers, and would
fail badly for larger (128- or 256-bit) variable ciphertext expansion.
The desire to not break such existing software forced the use of a CTS
mode.  Similarly, explicit random IVs are more typical for Suite-B
deployments, but Kerberos has traditionally used an implicit random
confounder prepended to the plaintext, with an initial zero IV.
In this case, the confounder presents something of an advantage in that
it does not expose the raw output of a participant's PRNG on the wire,
which could potentially limit certain attacks against the PRNG
algorithm in certain circumstances.  Given that advantage and the
Kerberos tradition, this document continues the use of a random confounder
with initial zero IV, since they fulfil the same cryptographic purpose.

This document (and its predecessors) has received a large amount of attention
and review from essentially all of the prominent WG contributors, spread out
over a few years, and there are multiple implementations that are able to
reproduce the supplied test vectors. 

3. Intellectual Property

There are no intellectual property disclosures against this document,
and all three authors have confirmed compliance with BCPs 78 and 79.

4. Other Points

This document is a little old (~150 days, as noted by idnits) due to the
shepherd being preoccupied due to moving residences.

The IANA considerations are simple, just requesting assignment of
four numbers in tables that are only number, name, and reference.
2016-07-05
10 Michael Jenkins New version available: draft-ietf-kitten-aes-cts-hmac-sha2-10.txt
2016-07-03
09 Stephen Farrell
The careless AD almost started IETF LC even though there was recent
traffic on the WG list that needs to be resolved first.

-09 is fine from an AD review POV, so once the WG have resolved the
issue being discussed now, this'll be fine to go ahead.
2016-07-03
09 Stephen Farrell IESG state changed to Publication Requested from Last Call Requested
2016-07-03
09 Stephen Farrell Last call was requested
2016-07-03
09 Stephen Farrell Ballot approval text was generated
2016-07-03
09 Stephen Farrell Ballot writeup was generated
2016-07-03
09 Stephen Farrell IESG state changed to Last Call Requested from Publication Requested
2016-07-03
09 Stephen Farrell Last call announcement was changed
2016-07-03
09 Stephen Farrell Last call announcement was generated
2016-06-27
09 Benjamin Kaduk
1. Summary

Benjamin Kaduk is the document shepherd.  Stephen Farrell is the
responsible Area Director.

This document specifies new Kerberos encryption types that use the AES
block cipher and cryptographic hashes from the SHA-2 family.  They differ
from the existing AES encryption types by using SHA-2 hashes instead of
SHA-1 (and truncating at a longer length), using encrypt-then-MAC
instead of encrypt-and-MAC, and other changes to move closer towards
current cryptographic best practices.  It is expected that an updated
Suite-B profile for Kerberos will make use of these new encryption types.

This is an Informational document that specifies a new Kerberos
encryption type; it does not need to update any Kerberos protocol
elements.  There will eventually be desire for another (set of)
standards-track Kerberos encryption types, but it remains unclear
whether that will be this set or some other cipher; there is no procedural
reason to target standards-track at this time. 

2. Review and Consensus

There is consensus for this document, which brings incremental improvements
to the cryptography available for use with Kerberos.  Initial individual
drafts attempted to combine a Suite B profile and new encryption types
into a single document, but the new encryption types have been split out
into this document appropriately, with the Suite B profile to follow
separately.

The two main issues that shaped this document's evolution were the
decision between the CBC and CTS cipher modes, and the use of a random
IV versus a random confounder.  CBC modes are simpler and more
typical for Suite-B deployments, but they bring a larger range of possible
ciphertext expansions; there are reportedly applications written against
Windows APIs that can only accommodate the 64-bit range of ciphertext
expansion that was possible with the DES CBC-mode ciphers, and would
fail badly for larger (128- or 256-bit) variable ciphertext expansion.
The desire to not break such existing software forced the use of a CTS
mode.  Similarly, explicit random IVs are more typical for Suite-B
deployments, but Kerberos has traditionally used an implicit random
confounder prepended to the plaintext, with an initial zero IV.
In this case, the confounder presents something of an advantage in that
it does not expose the raw output of a participant's PRNG on the wire,
which could potentially limit certain attacks against the PRNG
algorithm in certain circumstances.  Given that advantage and the
Kerberos tradition, this document continues the use of a random confounder
with initial zero IV, since they fulfil the same cryptographic purpose.

This document (and its predecessors) has received a large amount of attention
and review from essentially all of the prominent WG contributors, spread out
over a few years, and there are multiple implementations that are able to
reproduce the supplied test vectors. 

3. Intellectual Property

There are no intellectual property disclosures against this document,
and the authors have been asked to confirm compliance with BCPs 78 and 79.

4. Other Points

This document is a little old (~150 days, as noted by idnits) due to the
shepherd being preoccupied due to moving residences.

The IANA considerations are simple, just requesting assignment of
four numbers in tables that are only number, name, and reference.
2016-06-27
09 Benjamin Kaduk Responsible AD changed to Stephen Farrell
2016-06-27
09 Benjamin Kaduk IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up
2016-06-27
09 Benjamin Kaduk IESG state changed to Publication Requested
2016-06-27
09 Benjamin Kaduk IESG process started in state Publication Requested
2016-06-27
09 Benjamin Kaduk Intended Status changed to Informational from None
2016-06-26
09 Benjamin Kaduk Changed document writeup
2016-06-26
09 Benjamin Kaduk Notification list changed to "Benjamin Kaduk" <kaduk@mit.edu>
2016-06-26
09 Benjamin Kaduk Document shepherd changed to Benjamin Kaduk
2016-04-16
09 Benjamin Kaduk Tag Revised I-D Needed - Issue raised by WGLC cleared.
2016-04-16
09 Benjamin Kaduk IETF WG state changed to WG Consensus: Waiting for Write-Up from In WG Last Call
2016-01-26
09 Michael Jenkins New version available: draft-ietf-kitten-aes-cts-hmac-sha2-09.txt
2015-12-23
08 Benjamin Kaduk
The WG elected to go with CTS over CBC due to concerns about the inability of software in the Windows ecosystem to handle variable-length ciphertext expansion larger than 7 octets.
2015-12-23
08 Benjamin Kaduk This document now replaces draft-ietf-kitten-aes-cbc-hmac-sha2 instead of None
2015-12-09
08 Michael Peck New version available: draft-ietf-kitten-aes-cts-hmac-sha2-08.txt
2015-12-03
07 Michael Peck New version available: draft-ietf-kitten-aes-cts-hmac-sha2-07.txt
2015-04-27
06 Benjamin Kaduk Tag Revised I-D Needed - Issue raised by WGLC set.
2015-04-27
06 Benjamin Kaduk IETF WG state changed to In WG Last Call from WG Document
2015-02-10
06 Michael Jenkins New version available: draft-ietf-kitten-aes-cts-hmac-sha2-06.txt
2014-09-23
05 Michael Jenkins New version available: draft-ietf-kitten-aes-cts-hmac-sha2-05.txt
2014-07-21
04 Michael Jenkins New version available: draft-ietf-kitten-aes-cts-hmac-sha2-04.txt
2014-07-02
03 Michael Peck New version available: draft-ietf-kitten-aes-cts-hmac-sha2-03.txt
2014-05-06
02 Michael Peck New version available: draft-ietf-kitten-aes-cts-hmac-sha2-02.txt
2013-06-28
01 Kelley Burgin New version available: draft-ietf-kitten-aes-cts-hmac-sha2-01.txt
2013-04-19
00 Kelley Burgin New version available: draft-ietf-kitten-aes-cts-hmac-sha2-00.txt