-
Notifications
You must be signed in to change notification settings - Fork 0
/
draft-howard-gssapi-aead-02.xml
268 lines (266 loc) · 16.3 KB
/
draft-howard-gssapi-aead-02.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
<?xml version="1.0" encoding="UTF-8"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc tocindent="no"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc tocindent="no"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC2743 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2743.xml">
<!ENTITY RFC4121 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4121.xml">
<!ENTITY RFC4537 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4537.xml">
<!ENTITY RFC3961 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3961.xml">
<!ENTITY RFC5116 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5116.xml">
]>
<rfc docName="draft-howard-gssapi-aead-02" ipr="trust200902" category="exp" updates="">
<front>
<title abbrev="AEAD Modes for Kerberos GSS-API">AEAD Modes for Kerberos GSS-API</title>
<author initials="L." surname="Howard" fullname="Luke Howard">
<organization abbrev="PADL">PADL Software</organization>
<address>
<postal>
<street>PO Box 59</street>
<city>Central Park</city>
<region>VIC</region>
<code>3145</code>
<country>Australia</country>
</postal>
<email>[email protected]</email>
</address>
</author>
<date day="10" month="January" year="2023"/>
<area>
Security Area
</area>
<keyword>Internet-Draft</keyword>
<abstract>
<t>
This document updates RFC4121 with support for encryption mechanisms that can authenticate associated data such as Counter with CBC-MAC (CCM), Galois/Counter Mode (GCM) and OCB. These mechanisms are often more performant and need not expand the message as much as conventional modes.</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="sec_Introduction">
<t>
This document updates <xref target="RFC4121"/> with support for encryption mechanisms that support Authenticated Encryption with Associated Data (AEAD). These mechanisms often have performance advantage over conventional encryption modes as they can be efficiently parallelized and do not expand the plaintext when encrypting.</t>
<t>
In addition, this document defines new GSS-API functions for protecting associated data in addition to a plaintext.</t>
</section>
<section title="Requirements notation" anchor="d1e321">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in <xref target="RFC2119"/>.</t>
</section>
<section title="Authenticated Encryption with Associated Data (AEAD) Overview" anchor="sec_AEAD">
<t>
The Kerberos 5 GSS-API mechanism specified in <xref target="RFC4121"/> provides for the authenticated encryption of plaintext, that is, it provides both for confidentiality and a way to check the for integrity and authenticity. </t>
<t>
It can be useful in many applications to provide for the integrity and authenticity of some additional unencrypted data; this is termed Authenticated Encryption with Associated Data (AEAD). This can be done by the generic composition of existing encryption and checksum mechanisms, or using algorithms which specifically provide for AEAD (see <xref target="RFC5116"/>). The latter class of algorithms, referred to as native AEAD, may have additional constraints (further described in <xref target="KRB-AEAD"/>).</t>
</section>
<section title="Updates to RFC 2743" anchor="sec_GSS_Updates">
<t><xref target="RFC2743"/> is updated with variations of GSS_Wrap() and GSS_Unwrap() that permit the inclusion of associated data to be authenticated along with a plaintext.</t>
<t>
<cref>
TBD: do we allow interleaved plaintext and associated data (which SSPI does and indeed requires for DCE), or do we limit it to a single octet string each? If the former, we need to define GSS_Wrap_IOV instead of GSS_Wrap_AEAD (and the Unwrap equivalents).</cref>
</t>
<section title="GSS_Wrap_AEAD" anchor="d1e389">
<t>
Inputs:</t>
<t>
<list style="symbols">
<t>
context_handle CONTEXT HANDLE,</t>
<t>
conf_req_flag BOOLEAN,</t>
<t>
qop_req INTEGER, -- 0 specifies default QOP</t>
<t>
input_assoc_data OCTET STRING, -- associated data</t>
<t>
input_message OCTET STRING -- plaintext</t>
</list>
</t>
<t>
Outputs:</t>
<t>
<list style="symbols">
<t>
major_status INTEGER,</t>
<t>
minor_status INTEGER,</t>
<t>
conf_state BOOLEAN,</t>
<t>
output_message OCTET STRING -- caller must release with GSS_Release_buffer()</t>
</list>
</t>
<t>
Performs the data origin authentication, data integrity and (optionally) data confidentiality functions of GSS_Wrap(), additionally integrity protecting the data in input_assoc_data. Return values are as for GSS_Wrap(). Note that output_message does not include the data in input_assoc_data.</t>
</section>
<section title="GSS_Unwrap_AEAD" anchor="d1e434">
<t>
Inputs:</t>
<t>
<list style="symbols">
<t>
context_handle CONTEXT HANDLE,</t>
<t>
input_message OCTET STRING, -- plaintext</t>
<t>
input_assoc_data OCTET STRING -- associated data</t>
</list>
</t>
<t>
Outputs:</t>
<t>
<list style="symbols">
<t>
conf_state BOOLEAN,</t>
<t>
qop_state INTEGER,</t>
<t>
major_status INTEGER,</t>
<t>
minor_status INTEGER,</t>
<t>
output_message OCTET STRING -- caller must release with GSS_Release_buffer()</t>
</list>
</t>
<t>
Processes a data element generated (and optionally encrypted) by GSS_Wrap(), provided as input_message, additionally validating the data origin and integrity of input_assoc_data. Return values are as for GSS_Unwrap(). Note that output_message does not include the data in input_assoc_data.</t>
</section>
</section>
<section title="Updates to RFC 4121" anchor="sec_Krb_Updates">
<section title="Support for Associated Data" anchor="d1e483">
<t>
The generation of per-message tokens using the GSS_Wrap_AEAD() and GSS_Unwrap_AEAD() functions is identical to GSS_Wrap() and GSS_Unwrap(), except that:</t>
<t>
<list style="symbols">
<t>
the encrypt-with-ad and decrypt-with-ad functions are used instead of the encrypt and decrypt functions (respectively)</t>
<t>
the input_assoc_data parameter is passed as the associated data</t>
<t>
the is-longterm parameter is always false</t>
</list>
</t>
</section>
<section title="Existing Encryption Types" anchor="d1e503">
<t>
For existing encryption mechanisms that use a generic composition of encryption and checksum functions (such as the Simplified Profile in <xref target="RFC3961"/>), the only operative difference to <xref target="RFC4121"/> is that the associated data is prepended to the plaintext before invoking the checksum function. As such, for these encryption types GSS_Wrap_AEAD() with no associated data has an identical output to GSS_Wrap().</t>
</section>
<section title="Native AEAD Encryption Types" anchor="sub_AEAD_only">
<t>
When used with native AEAD encryption types as defined in <xref target="KRB-AEAD"/>, the generation of <xref target="RFC4121"/> per-message tokens is modified as described below.</t>
<section title="Restriction on Native AEAD Usage" anchor="d1e547">
<t>
Implementations SHALL NOT use native AEAD encryption types where the deterministic cipherstate length is less than 12 octets (96 bytes).</t>
<t>
<cref>
TBD: if we want to support CCM with a 32-bit counter, we could remove the Filler byte and reduce the required cipherstate length to 11 octets. However, this may make it more difficult to use TLS-oriented CCM implementations that expose the Fixed-Common and Fixed-Distinct nonce components independently.</cref>
</t>
<t>
Native AEAD encryption types not supporting long-term keys MUST NOT be used as ticket session keys, only as authenticator subkeys. <xref target="RFC4537"/> SHOULD be used to indicate initiator support.</t>
</section>
<section title="Application-provided Cipherstate" anchor="d1e568">
<t>
The cipherstate for each invocation of encrypt-with-ad or decrypt-with-ad is given as follows. (For consistency with <xref target="RFC4121"/> the following definition uses 0-based indexing.)</t>
<texttable>
<ttcol align="center">
Octet no</ttcol>
<ttcol align="center">
Name</ttcol>
<ttcol align="center">
Description</ttcol>
<c>
0..1</c>
<c>
TOK_ID</c>
<c>
Identification field, per
RFC4121
Section 4.2.6 </c>
<c>
2</c>
<c>
Flags</c>
<c>
Attributes field, per
RFC4121
Section 4.2.6 </c>
<c>
3</c>
<c>
Filler</c>
<c>
One octet of the hex value FF</c>
<c>
4..11</c>
<c>
SND_SEQ</c>
<c>
Sequence number field, per
RFC4121
Section 4.2.6 </c>
<c>
12..</c>
<c>
</c>
<c>
Remaining octets (if any) are set to zero</c>
</texttable>
<t>
The output cipherstate from the encrypt-with-ad and decrypt-with-ad functions is discarded as it is always specified explicitly as described above.</t>
<t>
The use of application-managed cipherstate allows the per-message token size be reduced by omitting the confounder and encrypted copy of the token header. There is no limit on the number or size of messages that can be protected beyond those imposed by the sequence number size and the underlying cryptosystem.</t>
</section>
<section title="Encryption and Checksum Operations" anchor="d1e710">
<t>
This text amends <xref target="RFC4121"/> Section 4.2.4.</t>
<t>
In Wrap tokens that provide for confidentiality, the first 16 octets of the token (the “header”, as defined in <xref target="RFC4121"/> Section 4.2.6) SHALL NOT be appended to the plaintext data before encryption. Instead, the TOK_ID, Flags and SND_SEQ fields of the token header are protected by the initialization vector (cipherstate). The EC field is unprotected, a change from <xref target="RFC4121"/>. For the native AEAD encryption types profiled in <xref target="KRB-AEAD"/> Section 5, EC SHALL be zero (except when GSS_C_DCE_STYLE is in use, see below). This specification does not support native AEAD encryption types that require the plaintext to be padded.</t>
<t>
In Wrap tokens that do not provide for confidentiality, the first 16 octets of the token SHALL NOT be appended to the to-be-signed plaintext data. As with Wrap tokens that do provide for confidentiality, all fields except EC and RRC are protected by the initialization vector. For the AEAD encryption types defined in <xref target="KRB-AEAD"/> Section 5, EC SHALL be sixteen, reflecting the tag length of 16 octets (128 bits).</t>
<t>
The receiver MUST explicitly validate the EC field. Owing to this specification not supporting native AEAD encryption types that require padding and protecting the token header with the initialization vector, all encryption can be done in-place and there is no need to rotate the emitted token (see <xref target="RFC4121"/> Section 4.2.5). As such the RRC field SHALL contain the hex value 00 00.</t>
<t>
Because native AEAD encryption types lack an explicit checksum operation, MIC tokens are generated similarly to Wrap tokens, using the encrypt-with-ad function passing the to-be-signed data as the associated data and using a plaintext length of zero. The key usage and initialization vector serve to disambiguate MIC from Wrap tokens. The octet string output by the encrypt-with-ad function contains the authentication tag, which is placed in the SGN_CKSUM field of the token.</t>
</section>
<section title="DCE RPC Interoperability" anchor="sub_DCE">
<t>
Existing implementations that support the GSS_C_DCE_STYLE context flag will, when this flag is in set, set EC for Wrap tokens with confidentiality to the underlying cipher's block size and use an effective Right Rotation Count (RRC) of EC + RRC bytes. This document does not specify otherwise.</t>
<t>
When GSS_C_DCE_STYLE is set, receivers MUST verify that the otherwise unprotected EC field is the underlying cipher's block size for Wrap tokens with confidentiality. (For Wrap tokens without confidentiality, the EC field remains the length of the authentication tag.)</t>
<t>
DCE interleaves plaintext and associated data; because native AEAD algorithms may require associated data to be processed before any plaintext, any plaintext and associated data must each be coalesced before encrypting or decrypting. This document does not specify an API for processing interleaved plaintext and associated data.</t>
</section>
</section>
</section>
<section title="Security Considerations" anchor="d1e776">
<t>
The combination of a context-specific session key and the presence of the token header fields in the cipherstate guarantees that the key/IV combination is safe from reuse. The allows native AEAD modes such as <xref target="GCM"/>, <xref target="CCM"/> and <xref target="RFC7253"/> to be used securely.</t>
<t>
Because the initialization vector has a deterministic (but non-repeating) construction, it is safe for use with GCM without any limitation on the number of invocations of the authenticated encryption function other than that imposed by the requirement that the cipherstate not repeat. (Section 8.3 of <xref target="GCM"/> imposes an invocation limit of 2^32 where the cipherstate is randomly generated or is a length other than 96 bits.) </t>
<t>When using native AEAD encryption types, the EC and RRC fields are unprotected, however they are well known constants which can be validated by the peer.</t>
<t>
The reordering of plaintext and associated data for GSS_C_DCE_STYLE interoperability may be problematic where the plaintext and associated data lengths are variable.</t>
</section>
<section title="Acknowledgements" anchor="d1e809">
<t>
The author would like to thank the following individuals for their comments and suggestions: Nicolas Williams and Greg Hudson.</t>
</section>
</middle>
<back>
<references title="Normative References">&RFC2119;
&RFC2743;
&RFC4121;
&RFC4537;
<reference anchor="KRB-AEAD"><front><title>AEAD Encryption Types for Kerberos 5</title><author initials="L." surname="Howard" fullname="Luke Howard"><organization>PADL Software</organization></author><date month="December" year="2015"/><abstract><t>This document updates [RFC3961] to support encryption mechanisms that can authenticate associated data, such as Counter with CBC-MAC (CCM) and Galois/Counter Mode (GCM). These mechanisms are often more performant and need not expand the message as much as conventional modes.</t></abstract></front><seriesInfo name="Internet-Draft" value="draft-howard-krb-aead-00"/><format type="TXT" target="https://www.ietf.org/id/draft-howard-krb-aead-00.txt"/></reference></references>
<references title="Informative References">&RFC3961;
&RFC5116;
&RFC7253;
<reference anchor="CCM"><front><title>Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality</title><author initials="M." surname="Dworkin" fullname="Morris Dworkin"><organization>National Institute of Standards and Technology</organization></author><date year="2004" month="May"/></front><format type="HTML" target="http://csrc.nist.gov/publications/nistpubs/800-38C/SP-800-38C.pdf"/></reference>
<reference anchor="GCM"><front><title>Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</title><author initials="M." surname="Dworkin" fullname="Morris Dworkin"><organization>National Institute of Standards and Technology</organization></author><date year="2007" month="November"/></front><format type="HTML" target="http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf"/></reference></references>
</back>
</rfc>