INTERNET DRAFT                                                K. Raeburn
Kerberos Working Group                                               MIT
Document: draft-ietf-krb-wg-crypto-01.txt                    May 3, 2002
                                                expires November 3, 2002

                 Encryption and Checksum Specifications
                             for Kerberos 5

Abstract

   This document describes a framework for defining encryption and
   checksum mechanisms for use with the Kerberos protocol [Kerb],
   defining an abstraction layer between the Kerberos protocol and
   related protocols, and the actual mechanisms themselves.  Several
   mechanisms are also defined in this document.  Some are taken from
   RFC 1510, modified in form to fit this new framework, and
   occasionally modified in content when the old specification was
   incorrect.  New mechanisms are presented here as well.  This document
   does NOT indicate which mechanisms may be considered "required to
   implement" or deprecated.

   Comments should be sent to the editor, or to the IETF Kerberos
   working group (ietf-krb-wg@anl.gov).

Status

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [RFC2026].  Internet-Drafts
   are working documents of the Internet Engineering Task Force (IETF),
   its areas, and its working groups.  Note that other groups may also
   distribute working documents as Internet-Drafts.  Internet-Drafts are
   draft documents valid for a maximum of six months and may be updated,
   replaced, or obsoleted by other documents at any time.  It is
   inappropriate to use Internet-Drafts as reference material or to cite
   them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.html.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.







Raeburn                                                         [Page 1]


INTERNET DRAFT                                                  May 2002


                           Table of Contents


Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   1
Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   1
Table of Contents  . . . . . . . . . . . . . . . . . . . . . . . . .   2
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
1. Concepts  . . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
2. Encryption algorithm profile  . . . . . . . . . . . . . . . . . .   4
3. Checksum mechanism attributes . . . . . . . . . . . . . . . . . .   9
4. Simplified profile for CBC ciphers with key derivation  . . . . .  10
4.1. A key derivation function . . . . . . . . . . . . . . . . . . .  10
4.2. Simplified profile parameters . . . . . . . . . . . . . . . . .  12
4.3. Cryptosystem profile based on simplified profile  . . . . . . .  13
4.4. Checksum profiles based on simplified profile . . . . . . . . .  14
5. Profiles for Kerberos encryption systems  . . . . . . . . . . . .  15
5.1. null  . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  15
5.2. DES-based encryption systems  . . . . . . . . . . . . . . . . .  16
5.3. Triple-DES Encryption with Key Derivation . . . . . . . . . . .  22
6. Profiles for Kerberos checksums . . . . . . . . . . . . . . . . .  24
6.1. RSA MD4- and MD5-Based Checksums  . . . . . . . . . . . . . . .  24
6.2. CRC-32 Checksum . . . . . . . . . . . . . . . . . . . . . . . .  27
6.3. DES MAC checksums . . . . . . . . . . . . . . . . . . . . . . .  28
6.4. HMAC-SHA1-DES3-KD Checksum  . . . . . . . . . . . . . . . . . .  29
7. Use of Kerberos encryption outside this specification . . . . . .  29
8. Assigned Numbers  . . . . . . . . . . . . . . . . . . . . . . . .  30
9. Implementation Notes  . . . . . . . . . . . . . . . . . . . . . .  32
10. Security Considerations  . . . . . . . . . . . . . . . . . . . .  32
11. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . .  33
12. Editor's address . . . . . . . . . . . . . . . . . . . . . . . .  34
13. Full Copyright Statement . . . . . . . . . . . . . . . . . . . .  34
A. Test vectors  . . . . . . . . . . . . . . . . . . . . . . . . . .  35
A.1. n-fold  . . . . . . . . . . . . . . . . . . . . . . . . . . . .  35
A.2. mit_des_string_to_key . . . . . . . . . . . . . . . . . . . . .  35
A.3. DES3 DR and DK  . . . . . . . . . . . . . . . . . . . . . . . .  37
A.4. DES3string_to_key . . . . . . . . . . . . . . . . . . . . . . .  38
A.5. Modified CRC-32 . . . . . . . . . . . . . . . . . . . . . . . .  39
B. Significant Changes from RFC 1510 . . . . . . . . . . . . . . . .  39
C. Document History (delete before publication)  . . . . . . . . . .  40
Notes  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  42
Normative References . . . . . . . . . . . . . . . . . . . . . . . .  43
Informative References . . . . . . . . . . . . . . . . . . . . . . .  44









Raeburn                                                         [Page 2]


INTERNET DRAFT                                                  May 2002


Introduction

   The Kerberos protocols are designed to encrypt messages of arbitrary
   sizes, using block encryption ciphers, or less commonly, stream
   encryption ciphers.  Encryption is used to prove the identities of
   the network entities participating in message exchanges.  However,
   nothing in the Kerberos protocol requires any specific encryption
   algorithm be used, as long as certain operations are available in the
   algorithm that is used.

   The following sections specify the encryption and checksum mechanisms
   currently defined for Kerberos, as well as a framework for defining
   future mechanisms.  The encoding, chaining, padding and other
   requirements for each are described.  Test vectors for several
   functions are given in appendix A.

1. Concepts

   Both encryption and checksum mechanisms are defined in terms of
   profiles, detailed in later sections.  Each specifies a collection of
   operations and attributes that must be defined for a mechanism.  A
   Kerberos encryption or checksum mechanism specification is not
   complete if it does not define all of these operations and
   attributes.

   An encryption mechanism must provide for confidentiality and
   integrity of the original plaintext.  (Integrity checking may be
   achieved by incorporating a checksum, if the encryption mode does not
   provide an integrity check itself.)  It must also provide non-
   malleability [Bellare98, Dolev91].  Use of a random confounder
   prepended to the plaintext is recommended.  It should not be possible
   to determine if two ciphertexts correspond to the same plaintext,
   without knowledge of the key.

   A checksum mechanism [1] must provide proof of the integrity of the
   associated message, and must preserve the confidentiality of the
   message in case it is not sent in the clear.  It should be infeasible
   to find two plaintexts which have the same checksum.  It is NOT
   required that an eavesdropper be unable to determine if two checksums
   are for the same message; it is assumed that the messages themselves
   will be visible to any such eavesdropper.

   Due to advances in cryptography, it is considered unwise by some
   cryptographers to use the same key for multiple purposes.  Since keys
   are used in performing a number of different functions in Kerberos,
   it is desirable to use different keys for each of these purposes,
   even though we start with a single long-term or session key.




Raeburn                                                         [Page 3]


INTERNET DRAFT                                                  May 2002


   We do this by enumerating the different uses of keys within Kerberos,
   and making the "usage number" an input to the encryption or checksum
   mechanisms; this enumeration is outside the scope of this document.
   Later sections of this document define simplified profile templates
   for encryption and checksum mechanisms that use a key derivation
   function applied to a CBC mode (or similar) cipher and a checksum or
   hash algorithm.

   We distinguish the "base key" specified by other documents from the
   "specific key" to be used for a particular instance of encryption or
   checksum operations.  It is expected but not required that the
   specific key will be one or more separate keys derived from the
   original protocol key and the key usage number.  The specific key
   should not be explicitly referenced outside of this document.  The
   typical language used in other documents should be something like,
   "encrypt this octet string using this key and this usage number";
   generation of the specific key and cipher state (described in the
   next section) are implicit.  The creation of a new cipher-state
   object, or the re-use of one from a previous encryption operation,
   may also be explicit.

   New protocols defined in terms of the Kerberos encryption and
   checksum types should use their own key usage values.  Key usages are
   unsigned 32 bit integers; zero is not permitted.

   All data is assumed to be in the form of strings of octets or 8-bit
   bytes.  Environments with other byte sizes will have to emulate this
   behavior in order to get correct results.

2. Encryption algorithm profile

   An encryption mechanism profile must define the following attributes
   and operations.  The operations must be defined as functions in the
   mathematical sense: no additional or implicit inputs (such as
   Kerberos principal names or message sequence numbers) are permitted.

   protocol key format
      This describes what octet string values represent valid keys.  For
      encryption mechanisms that don't have perfectly dense key spaces,
      this will describe the representation used for encoding keys.  It
      need not describe specific values that are not valid or desirable
      for use; such values should be avoid by all key generation
      routines.

   specific key structure
      This is not a protocol format at all, but a description of the
      keying material derived from the chosen key and used to encrypt or
      decrypt data or compute or verify a checksum.  It may, for



Raeburn                                                         [Page 4]


INTERNET DRAFT                                                  May 2002


      example, be a single key, a set of keys, or a combination of the
      original key with additional data.  The authors recommend using
      one or more keys derived from the original key via one-way
      functions.

   required checksum mechanism
      This indicates a checksum mechanism that must be available when
      this encryption mechanism is used.  Since Kerberos has no built in
      mechanism for negotiating checksum mechanisms, once an encryption
      mechanism has been decided upon, the corresponding checksum
      mechanism can simply be used.

   key-generation seed length, K
      This is the length of the random bitstring needed to generate a
      key with the encryption scheme's random-to-key function (described
      below).  This must be a fixed value so that various techniques for
      producing a random bitstring of a given length may be used with
      key generation functions.

   key generation functions
      Keys must be generated in a number of cases, from different types
      of inputs.  All function specifications must indicate how to
      generate keys in the proper wire format, and must avoid generation
      of keys that significantly compromise the confidentiality of
      encrypted data, if the cryptosystem has such.  Entropy from each
      source should be preserved as much as possible.  Many of the
      inputs, while unknown, may be at least partly predictable (e.g., a
      password string is likely to be entirely in the ASCII subset and
      of fairly short length in many environments; a semi-random string
      may include timestamps); the benefit of such predictability to an
      attacker must be minimized.

      string-to-key (UTF-8 string, UTF-8 string, opaque)->(protocol-key)
         This function generates a key from two UTF-8 strings and an
         opaque octet string.  One of the strings is normally the
         principal's pass phrase, but is in general merely a secret
         string.  The other string is a "salt" string intended to
         produce different keys from the same password for different
         users or realms.  While the strings provided will use UTF-8
         encoding, no specific version of Unicode should be assumed; all
         valid UTF-8 strings should be allowed.

         The third argument, the octet string, may be used to pass
         mechanism-specific parameters in to this function.  Since doing
         so implies knowledge of the specific encryption system, it is
         intended that generating non-default parameter values be an
         uncommon operation, and that normal Kerberos applications be
         able to treat this parameter block as an opaque object supplied



Raeburn                                                         [Page 5]


INTERNET DRAFT                                                  May 2002


         by the KDC or defaulted to some mechanism-specific constant
         value.

         This should be a one-way function, so that compromising a
         user's key in one realm does not compromise the user's key in
         another realm, even if the same password (but a different salt)
         is used.

      random-to-key (bitstring[K])->(protocol-key)
         This function generates a key from a random bit string of a
         specific size.  It may be assumed that all the bits of the
         input string are equally random, even though the entropy
         present in the random source may be limited.

      key-derivation (protocol-key, integer)->(specific-key)
         In this function, the integer input is the key usage value as
         described above; the usage values must be assumed to be known
         to an attacker.  The specific-key output value was described in
         section 1.

   string-to-key parameter format
      This describes the format of the block of data that can be passed
      to the string-to-key function above to configure additional
      parameters for that function.  Along with the mechanism of
      encoding parameter values, bounds on the allowed parameters should
      also be described to avoid allowing a spoofed KDC to compromise
      the user's password.  It may be desirable to construct the
      encoding such that values weakening the resulting key unacceptably
      cannot be encoded, if practical.

      Tighter bounds might be permitted by local security policy, or to
      avoid excess resource consumption; if so, recommended defaults for
      those bounds should be given in the specification.  The
      description should also outline possible weaknesses that may be
      caused by not applying bounds checks or other validation to a
      parameter string received from the network.

      As emntioned above, this should be considered opaque to most
      normal applications.

   default string-to-key parameters (octet string)
      This default value for the "params" argument to the string-to-key
      function is to be used when the application protocol (Kerberos or
      otherwise) does not explicitly set the parameter value.  As
      indicated above, this parameter block should be treated as an
      opaque object in most cases.





Raeburn                                                         [Page 6]


INTERNET DRAFT                                                  May 2002


   cipher state
      This describes any information that can be carried over from one
      encryption or decryption operation to the next, for use in
      conjunction with a given specific key.  For example, a block
      cipher used in CBC mode may put an initial vector of one block in
      the cipher state.

      This state must be non-empty, and must influence encryption so as
      to require that messages be decrypted in the same order they were
      encrypted, if the cipher state is carried over from one encryption
      to the next.  Distinguishing out-of-order or missing messages from
      corrupted messages is not required; if desired, this can be done
      at a higher level by including sequence numbers and not "chaining"
      the cipher state between encryption operations.

      The cipher state may not be reused in multiple encryption or
      decryption operations; these operations all generate a new cipher
      state that may be used for following operations using the same key
      and operation.

      The contents of the cipher state must be treated as opaque outside
      of encryption system specifications.

   initial cipher state (specific-key, direction)->(state)
      This describes the generation of the initial value for the cipher
      state if it is not being carried over from a previous encryption
      or decryption operation.

      This describes any initial state setup needed before encrypting
      arbitrary amounts of data with a given specific key; the specific
      key and the direction of operations to be performed (encrypt
      versus decrypt) must be the only input needed for this
      initialization.

      This state should be treated as opaque in any uses outside of an
      encryption algorithm definition.

      IMPLEMENTATION NOTE: [Kerb1510] was vague on whether and to what
      degree an application protocol could exercise control over the
      initial vector used in DES CBC operations.  Some existing
      implementations permit the setting of the initial vector.  This
      new specification does not permit application control of the
      cipher state (beyond "initialize" and "carry over from previous
      encryption"), since the form and content of the initial cipher
      state can vary between encryption systems, and may not always be a
      single block of random data.

      New Kerberos application protocols should not assume that they can



Raeburn                                                         [Page 7]


INTERNET DRAFT                                                  May 2002


      control the initial vector, or that one even exists.  However, a
      general-purpose implementation may wish to provide the capability,
      in case applications explicitly setting it are encountered.

   encrypt (specific-key, state, octet string)->(state, octet string)
      This function takes the specific key, cipher state, and plaintext
      as input, and generates ciphertext and a new cipher state as
      outputs.  If the basic encryption algorithm itself does not
      provide for integrity protection (as DES in CBC mode does not do),
      then some form of MAC or checksum must be included that can be
      verified by the receiver.  Some random factor such as a confounder
      should be included so that an observer cannot know if two messages
      contain the same plaintext, even if the cipher state and specific
      keys are the same.  The exact length of the plaintext need not be
      encoded, but if it is not and if padding is required, the padding
      must be added at the end of the string so that the decrypted
      version may be parsed from the beginning.

      The specification of the encryption function must not only
      indicate the precise contents of the output octet string, but also
      the output cipher state, if that state is not empty.  The
      application protocol may carry forward the output cipher state
      from one encryption with a given specific key to another; the
      effect of this "chaining" must be defined.

      Assuming correctly-produced values for the specific key and cipher
      state, no input octet string may result in an error indication.

   decrypt (specific-key, state, octet string)->(state, octet string)
      This function takes the specific key, cipher state, and ciphertext
      as inputs, and verifies the integrity of the supplied ciphertext.
      If the ciphertext's integrity is intact, this function produces
      the plaintext and a new cipher state as outputs; otherwise, an
      error indication must be returned, and the data discarded.

      The result of the decryption may be longer than the original
      plaintext, for example if the encryption mode adds padding to
      reach a multiple of a block size.  If this is the case, any extra
      octets must be after the decoded plaintext.  An application
      protocol which needs to know the exact length of the message must
      encode a length or recognizable "end of message" marker within the
      plaintext.  [2]

      As with the encryption function, a correct specification for this
      function must indicate not only the contents of the output octet
      string, but also the resulting cipher state.

   These operations and attributes are all that should be required to



Raeburn                                                         [Page 8]


INTERNET DRAFT                                                  May 2002


   support Kerberos and various proposed preauthentication schemes.

   A document defining a new encryption type should also describe known
   weaknesses or attacks, so that its security may be fairly assessed,
   and should include test vectors or other validation procedures for
   the operations defined.  Specific references to information readily
   available elsewhere are sufficient.

3. Checksum mechanism attributes

   A checksum mechanism profile must define the following attributes and
   operations:

   associated encryption algorithm(s)
      This essentially indicates the type of encryption key this
      checksum mechanism can be used with.  A single checksum mechanism
      may have more than one associated encryption algorithm if they
      share the same wire key format, string-to-key function, and key
      derivation function. (This combination means that, for example, a
      checksum type and password are adequate to get the specific key
      used to compute a checksum.)

   get_mic function
      This function generates a MIC token for a given specific key (see
      section 2), and message (represented as an octet string), that may
      be used to verify the integrity of the associated message.  This
      function is not required to return the same deterministic result
      on every use; it need only generate a token that the verify_mic
      routine can check.

      The output of this function will also dictate the size of the
      checksum.

   verify_mic function
      Given a specific key, message, and MIC token, this function
      ascertains whether the message integrity has been compromised.
      For a deterministic get_mic routine, the corresponding verify_mic
      may simply generate another checksum and compare them.

   The get_mic and verify_mic operations must be able to handle inputs
   of arbitrary length; if any padding is needed, the padding scheme
   must be specified as part of these functions.

   These operations and attributes are all that should be required to
   support Kerberos and various proposed preauthentication schemes.

   As with encryption mechanism definition documents, documents defining
   new checksum mechanisms should indicate validation processes and



Raeburn                                                         [Page 9]


INTERNET DRAFT                                                  May 2002


   known weaknesses.

4. Simplified profile for CBC ciphers with key derivation

   The profile outlines in sections 2 and 3 describes a large number of
   operations that must be defined for encryption and checksum
   algorithms to be used with Kerberos.  We describe here a simpler
   profile from which both encryption and checksum mechanism definitions
   can be generated, filling in uses of key derivation in appropriate
   places, providing integrity protection, and defining multiple
   operations for the cryptosystem profile based on a smaller set of
   operations given in the simplified profile.  Not all of the existing
   cryptosystems for Kerberos fit into this simplified profile, but we
   recommend that future cryptosystems use it or something based on it.
   [3]

   Not all of the operations in the complete profiles are defined
   through this mechanism; several must still be defined for each new
   algorithm pair.

4.1. A key derivation function

   Rather than define some scheme by which a "protocol key" is composed
   of a large number of encryption keys, we use keys derived from a base
   key to perform cryptographic operations.  The base key must be used
   only for generating the derived keys, and this derivation must be
   non-invertible and entropy-preserving.  Given these restrictions,
   compromise of one derived key does not compromise the other subkeys.
   Attack of the base key is limited, since it is only used for
   derivation, and is not exposed to any user data.

   Since the derived key has as much entropy as the base keys (if the
   cryptosystem is good), password-derived keys have the full benefit of
   all the entropy in the password.

   To generate a derived key from a base key, we generate a pseudorandom
   octet string, using an algorithm DR described below, and generate a
   key from that octet string using a function dependent on the
   encryption algorithm; the input length needed for that function,
   which is also dependent on the encryption algorithm, dictates the
   length of the string to be generated by the DR algorithm (the value
   "k" below).

      Derived Key = DK(Base Key, Well-Known Constant)

      DK(Key, Constant) = random-to-key(DR(Key, Constant))

      DR(Key, Constant) = k-truncate(E(Key, Constant))



Raeburn                                                        [Page 10]


INTERNET DRAFT                                                  May 2002


   Here DR is the random-octet generation function described below, and
   DK is the key-derivation function produced from it.  In this
   construction, E(Key, Plaintext) is a block cipher, Constant is a
   well-known constant determined by the specific usage of this
   function, and k-truncate truncates its argument by taking the first k
   bits.  Here, k is the key generation seed length needed for the
   encryption system.

   The output of the DR function is a string of bits; the actual key is
   produced by applying the cryptosystem's random-to-key operation on
   this bitstring.

   If the output of E is shorter than k bits, then some entropy in the
   key will be lost.  If the Constant is smaller than the block size of
   E, then it must be padded so it may be encrypted.

   In either of these situations, a variation of the above construction
   is used, where the folded Constant is encrypted, and the resulting
   output is fed back into the encryption as necessary (the | indicates
   concatentation):

      K1 = E(Key, n-fold(Constant))
      K2 = E(Key, K1)
      K3 = E(Key, K2)
      K4 = ...

      DR(Key, Constant) = k-truncate(K1 | K2 | K3 | K4 ...)

   n-fold is an algorithm which takes m input bits and ``stretches''
   them to form n output bits with equal contribution from each input
   bit to the output, as described in [Blumenthal96]:

      We first define a primitive called n-folding, which takes a
      variable-length input block and produces a fixed-length output
      sequence.  The intent is to give each input bit approximately
      equal weight in determining the value of each output bit.  Note
      that whenever we need to treat a string of octets as a number, the
      assumed representation is Big-Endian -- Most Significant Byte
      first.

      To n-fold a number X, replicate the input value to a length that
      is the least common multiple of n and the length of X.  Before
      each repetition, the input is rotated to the right by 13 bit
      positions.  The successive n-bit chunks are added together using
      1's-complement addition (that is, with end-around carry) to yield
      a n-bit result....





Raeburn                                                        [Page 11]


INTERNET DRAFT                                                  May 2002


   Test vectors for n-fold are supplied in Appendix A.  [4]

   In this document, n-fold is always used to produce n bits of output,
   where n is the block size of E.

   The size of the Constant must not be larger than the block size of E,
   because reducing the length of the Constant by n-folding can cause
   collisions.

   If the size of the Constant is smaller than the block size of E, then
   the Constant must be n-folded to the block size of E.  This string is
   used as input to E.  If the block size of E is less than the key
   size, then the output from E is taken as input to a second invocation
   of E.  This process is repeated until the number of bits accumulated
   is greater than or equal to the key size of E.  When enough bits have
   been computed, the first k are taken as the derived key.

   Since the derived key is the result of one or more encryptions in the
   base key, deriving the base key from the derived key is equivalent to
   determining the key from a very small number of plaintext/ciphertext
   pairs.  Thus, this construction is as strong as the cryptosystem
   itself.

4.2. Simplified profile parameters

   These are the operations and attributes that must be defined:

   protocol key format
   string-to-key function
   default string-to-key parameters
   key-generation seed length, k
   random-to-key function
      As above for the normal encryption mechanism profile.

   unkeyed hash algorithm, H
      This should be a collision-resistant hash algorithm with fixed-
      size output, suitable for use in an HMAC [HMAC].  It must support
      inputs of arbitrary length.

   encryption block size, n
   encryption/decryption functions, E and D
      These are basic encryption and decryption functions for messages
      of sizes that are multiples of the block size.  No integrity
      checking or confounder should be included here.  They take as
      input the IV or similar data, a protocol-format key, and a octet
      string, returning a new IV and octet string.

      The encryption function is not required to use CBC mode, but is



Raeburn                                                        [Page 12]


INTERNET DRAFT                                                  May 2002


      assumed to be using something with similar properties.  In
      particular, prepending a one-block confounder to the plaintext
      should alter the entire ciphertext (comparable to choosing and
      including a random initial vector for CBC mode).

   While there are still a number of properties to specify, they are
   fewer and simpler than in the full profile.

4.3. Cryptosystem profile based on simplified profile

   The above key derivation function is used to produce three
   intermediate keys.  One is used for computing checksums of
   unencrypted data.  The other two are used for encrypting and
   checksumming plaintext to be sent encrypted.

   The ciphertext output is the concatenation of the output of the basic
   encryption function E and an HMAC using the specified hash function
   H, both applied to the plaintext with a one-block random confounder
   prefix and sufficient padding to bring it to a multiple of the
   encryption algorithm's block size.  Decryption is performed by
   stripping off the HMAC, decrypting the remainder, and verifying the
   HMAC.  The cipher state is an initial vector, initialized to zero.


                      cryptosystem from simplified profile
---------------------------------------------------------------------------------
protocol key format       As given.

specific key structure    Three protocol-format keys: { Kc, Ke, Ki }.

key-generation seed       As given.
length

required checksum         The checksum mechanism defined by the
mechanism                 simplified checksum profile given later.

cipher state              CBC initial vector (one block), initialized
                          to all zero.

encryption function
                            C1 =    E(Ke, conf | plaintext | pad, oldstate.ivec)
                            H1 = HMAC(Ki, conf | plaintext | pad)
                            ciphertext =  C1 | H1
                            newstate.ivec = last block of C1







Raeburn                                                        [Page 13]


INTERNET DRAFT                                                  May 2002


                      cryptosystem from simplified profile
---------------------------------------------------------------------------------
decryption function         P1 =    D(Ke, C1, oldstate.ivec)
                            if (H1 != HMAC(Ki, P1)) report error
                            newstate.ivec = last block of C1

default string-to-key     As given.
params

key generation functions:

string-to-key function    As given.

random-to-key function    As given.

key-derivation function   The "well-known constant" used for the DK function is
                          the key usage number, expressed as four octets in big-
                          endian order, followed by one octet indicated below.

                            Kc = DK(base-key, usage | 0x99);
                            Ke = DK(base-key, usage | 0xAA);
                            Ki = DK(base-key, usage | 0x55);




4.4. Checksum profiles based on simplified profile

   When an encryption system is defined using the simplified profile
   given in section 4.2, a checksum algorithm may be defined for it as
   follows:


                checksum mechanism from simplified profile
               ----------------------------------------------
               associated cryptosystem   as defined above

               get_mic                   HMAC(Kc, message)

               verify_mic                get_mic and compare


   The HMAC function and key Kc are as described in section 4.3.








Raeburn                                                        [Page 14]


INTERNET DRAFT                                                  May 2002


5. Profiles for Kerberos encryption systems

   These are the currently defined encryption systems for Kerberos.  The
   astute reader will notice that some of them do not fulfill all of the
   requirements outlined above.  These weaker encryption systems are
   defined for backwards compatibility; newer implementations should
   attempt to make use of the stronger encryption systems when possible.

   The full list of current encryption type number assignments is given
   in section 8.

5.1. null

   If no encryption is in use, the encryption system is said to be the
   NULL encryption system.  In the NULL encryption system there is no
   checksum, confounder or padding.  The ciphertext is simply the
   plaintext.  The null Key is used by the null encryption system and is
   zero octets in length.

   This encryption system should not be used for protection of data.  It
   exists primarily to associate with the rsa-md5 checksum type, but may
   also be useful for testing protocol implementations.

                                   null
              ------------------------------------------------
              protocol key format      zero-length bit string

              specific key structure   empty

              required checksum        rsa-md5
              mechanism

              key-generation seed      0
              length

              cipher state             none

              initial cipher state     none

              encryption function      identity

              decryption function      identity, no integrity
                                       check

              default string-to-key    none
              params





Raeburn                                                        [Page 15]


INTERNET DRAFT                                                  May 2002


                                   null
              ------------------------------------------------
              key generation functions:

              string-to-key            empty string

              random-to-key            empty string

              key-derivation           empty string


   The null encryption algorithm is assigned the etype value zero (0).

5.2. DES-based encryption systems

   These encryption systems encrypt information under the Data
   Encryption Standard [DES77] using the cipher block chaining mode
   [DESM80].  A checksum is computed as described below and placed in
   the cksum field.  DES blocks are 8 bytes.  As a result, the data to
   be encrypted (the concatenation of confounder, checksum, and message)
   must be padded to an 8 byte boundary before encryption.  The values
   of the padding bytes are unspecified.

   Plaintext and DES ciphertext are encoded as blocks of 8 octets which
   are concatenated to make the 64-bit inputs for the DES algorithms.
   The first octet supplies the 8 most significant bits (with the
   octet's MSB used as the DES input block's MSB, etc.), the second
   octet the next 8 bits, ..., and the eighth octet supplies the 8 least
   significant bits.

   Encryption under DES using cipher block chaining requires an
   additional input in the form of an initialization vector; this vector
   is specified for each encryption system, below.

   The DES specifications identify some 'weak' and 'semi-weak' keys;
   those keys shall not be used for encrypting messages for use in
   Kerberos.  Additionally, because of the way that keys are derived for
   the encryption of checksums, keys shall not be used that yield 'weak'
   or 'semi-weak' keys when eXclusive-ORed with the hexadecimal constant
   0xF0F0F0F0F0F0F0F0.

   A DES key is 8 octets of data.  This consists of 56 bits of actual
   key data, and 8 parity bits, one per octet.  The key is encoded as a
   series of 8 octets written in MSB-first order.  The bits within the
   key are also encoded in MSB order.  For example, if the encryption
   key is (B1,B2,...,B7,P1,B8,...,B14,P2,B15,...,B49,P7,B50,...,B56,P8)
   where B1,B2,...,B56 are the key bits in MSB order, and P1,P2,...,P8
   are the parity bits, the first octet of the key would be



Raeburn                                                        [Page 16]


INTERNET DRAFT                                                  May 2002


   B1,B2,...,B7,P1 (with B1 as the most significant bit).  See the
   [DESM80] introduction for reference.

   Encryption data format

   The format for the data to be encrypted includes a one-block
   confounder, a checksum, the encoded plaintext, and any necessary
   padding, as described in the following diagram.  The msg-seq field
   contains the part of the protocol message which is to be encrypted.

                  +-----------+----------+---------+-----+
                  |confounder | checksum | msg-seq | pad |
                  +-----------+----------+---------+-----+

   One generates a random confounder of one block, placing it in
   confounder; zeroes out the checksum field (of length appropriate to
   exactly hold the checksum to be computed); calculates the appropriate
   checksum over the whole sequence, placing the result in check; adds
   the necessary padding; then encrypts using the specified encryption
   type and the appropriate key.

   String to key transformation

   To generate a DES key from a UTF-8 text string (password), a "salt"
   is concatenated to the text string, and then padded with zero-valued
   octets to a multiple of 8 octets.

   This string is then fan-folded and eXclusive-ORed with itself to form
   an 8 byte DES key.  Before eXclusive-ORing a block, every byte is
   shifted one bit to the left to leave the lowest bit zero.  The key is
   the "corrected" by correcting the parity on the key, and if the key
   matches a 'weak' or 'semi-weak' key as described in the DES
   specification, it is eXclusive-ORed with the constant
   0x00000000000000F0.  This key is then used to generate a DES CBC
   checksum on the initial string with the salt appended.  The result of
   the CBC checksum is the "corrected" as described above to form the
   result which is returned as the key.

   Pseudocode follows:

        key_correction(key) {
             fixparity(key);
             if (is_weak_key_key(key))
                  key = key XOR 0xF0;
             return(key);
        }





Raeburn                                                        [Page 17]


INTERNET DRAFT                                                  May 2002


        mit_des_string_to_key(string,salt) {
             odd = 1;
             s = string | salt;
             tempkey = NULL;
             pad(s); /* with nulls to 8 byte boundary */
             for (8byteblock in s) {
                  if (odd == 0)  {
                      odd = 1;
                      reverse(8byteblock)
                  }
                  else odd = 0;
                  left shift every byte in 8byteblock one bit;
                  tempkey = tempkey XOR 8byteblock;
             }
             tempkey = key_correction(tempkey);
             key = key_correction(DES-CBC-check(s,tempkey));
             return(key);
        }

        des_string_to_key(string,salt,params) {
             if (length(params) == 0)
                  type = 0;
             else if (length(params) == 1)
                  type = params[0];
             else
                  error("invalid params");
             if (type == 0)
                  mit_des_string_to_key(string,salt);
             else if (type == 1)
                  afs_des_string_to_key(string,salt);
             else
                  error("invalid params");
        }

   The AFS string-to-key algorithm is not defined here, but a parameter
   block containing a byte value of one (1) is reserved for its use.

5.2.1. DES with MD5

   The des-cbc-md5 encryption mode encrypts information under DES in CBC
   mode with an all-zero initial vector, with an MD5 checksum (described
   in [MD5-92]) computed and placed in the checksum field.









Raeburn                                                        [Page 18]


INTERNET DRAFT                                                  May 2002


   The encryption system parameters for des-cbc-md5 are:

                                des-cbc-md5
    --------------------------------------------------------------------
    protocol key format      8 bytes, parity in low bit of each

    specific key structure   copy of original key

    required checksum        rsa-md5-des
    mechanism

    key-generation seed      8 bytes
    length

    cipher state             8 bytes (CBC initial vector)

    initial cipher state     all-zero

    encryption function      des-cbc(confounder | checksum | msg | pad,
                                     ivec=oldstate)
                             where
                             checksum = md5(confounder | 0000...
                                            | msg | pad)

                             newstate = last block of des-cbc output

    decryption function      decrypt encrypted text and verify checksum

                             newstate = last block of ciphertext

    default string-to-key    empty string
    params

    key generation functions:

    string-to-key            des_string_to_key

    random-to-key            copy input, then fix parity bits (discards
                             low bit of each input byte)

    key-derivation           identity


   The des-cbc-md5 encryption type is assigned the etype value three
   (3).






Raeburn                                                        [Page 19]


INTERNET DRAFT                                                  May 2002


5.2.2. DES with MD4

   The des-cbc-md4 encryption mode also encrypts information under DES
   in CBC mode, with an all-zero initial vector.  An MD4 checksum
   (described in [MD4-92]) is computed and placed in the checksum field.

                                des-cbc-md4
    --------------------------------------------------------------------
    protocol key format      8 bytes, parity in low bit of each

    specific key structure   copy of original key

    required checksum        rsa-md4-des
    mechanism

    key-generation seed      8 bytes
    length

    cipher state             8 bytes (CBC initial vector)

    initial cipher state     all-zero

    encryption function      des-cbc(confounder | checksum | msg | pad,
                                     ivec=oldstate)
                             where
                             checksum = md4(confounder | 0000...
                                            | msg | pad)

                             newstate = last block of des-cbc output

    decryption function      decrypt encrypted text and verify checksum

                             newstate = last block of ciphertext

    default string-to-key    empty string
    params

    key generation functions:

    string-to-key            des_string_to_key

    random-to-key            copy input, then fix parity bits

    key-derivation           identity


   The des-cbc-md4 encryption algorithm is assigned the etype value two
   (2).



Raeburn                                                        [Page 20]


INTERNET DRAFT                                                  May 2002


5.2.3. DES with CRC

   The des-cbc-crc encryption type uses DES in CBC mode, with a 4-octet
   CRC-based checksum computed as described in section 6.2.  Note that
   this is not a standard CRC-32 checksum, but a slightly modified one.

   Unless otherwise specified, the key should be used as the
   initialization vector, unlike for the other Kerberos DES encryption
   schemes.  The other details of the encryption of this data are
   identical to those for the des-cbc-md5 encryption mode.

                                des-cbc-crc
    --------------------------------------------------------------------
    protocol key format      8 bytes, parity in low bit of each

    specific key structure   copy of original key

    required checksum        rsa-md5-des
    mechanism

    key-generation seed      8 bytes
    length

    cipher state             8 bytes (CBC initial vector)

    initial cipher state     copy of original key

    encryption function      des-cbc(confounder | checksum | msg | pad,
                                     ivec=oldstate)
                             where
                             checksum = crc(confounder | 00000000
                                            | msg | pad)

                             newstate = last block of des-cbc output

    decryption function      decrypt encrypted text and verify checksum

                             newstate = last block of ciphertext

    default string-to-key    empty string
    params

    key generation functions:

    string-to-key            des_string_to_key

    random-to-key            copy input, then fix parity bits




Raeburn                                                        [Page 21]


INTERNET DRAFT                                                  May 2002


                                des-cbc-crc
    --------------------------------------------------------------------

    key-derivation           identity


   The des-cbc-crc encryption algorithm is assigned the etype value one
   (1).

5.3. Triple-DES Encryption with Key Derivation

   This encryption type is based on the Triple DES cryptosystem in
   Outer-CBC mode, and the HMAC-SHA1 message authentication algorithm.

   A Triple DES key is the concatenation of three DES keys as described
   above for des-cbc-md5.  A Triple DES key is generated from random
   data by creating three DES keys from separate sequences of random
   data.

   Encrypted data using this type must be generated as described in
   section 4.3.  If the length of the input data is not a multiple of
   the block size, zero octets must be used to pad the plaintext to the
   next eight-octet boundary.  The confounder must be eight random
   octets (one block).

   The simplified profile for Triple DES, with key derivation as defined
   in section 4, is as follows:

                           des3-cbc-hmac-sha1-kd
              ------------------------------------------------
              protocol key format     24 bytes, parity in low
                                      bit of each

              key-generation seed     21 bytes
              length

              hash function           SHA-1

              block size              8 bytes

              default string-to-key   none
              params

              encryption and          triple-DES encrypt and
              decryption functions    decrypt, in outer-CBC
                                      mode





Raeburn                                                        [Page 22]


INTERNET DRAFT                                                  May 2002


                           des3-cbc-hmac-sha1-kd
              ------------------------------------------------
              key generation functions:

              random-to-key           see below

              string-to-key           DES3string-to-key (see
                                      below)


   The des3-cbc-hmac-sha1-kd encryption type is assigned the value
   sixteen (16).

5.3.1. Triple DES Key Production (random-to-key, string-to-key)

   The 168 bits of random key data are converted to a protocol key value
   as follows.  First, the 168 bits are divided into three groups of 56
   bits, which are expanded individually into 64 bits as follows:

         1  2  3  4  5  6  7  p
         9 10 11 12 13 14 15  p
        17 18 19 20 21 22 23  p
        25 26 27 28 29 30 31  p
        33 34 35 36 37 38 39  p
        41 42 43 44 45 46 47  p
        49 50 51 52 53 54 55  p
        56 48 40 32 24 16  8  p

   The "p" bits are parity bits computed over the data bits.  The output
   of the three expansions are concatenated to form the protocol key
   value.

   When the HMAC-SHA1 of a string is computed, the key is used in the
   protocol key form.

   The string-to-key function is used to transform UTF-8 passwords into
   DES3 keys.  The DES3 string-to-key function relies on the "N-fold"
   algorithm and DK function, described in section 4.

   The n-fold algorithm is applied to the password string concatenated
   with a salt value.  For 3-key triple DES, the operation will involve
   a 168-fold of the input password string, to generate an intermediate
   key, from which the user's long-term key will be derived with the DK
   function.  The DES3 string-to-key function is shown here in
   pseudocode:






Raeburn                                                        [Page 23]


INTERNET DRAFT                                                  May 2002


         DES3string-to-key(passwordString, salt, params)
             if (params != emptyString)
              error("invalid params");
             s = passwordString + salt
             tmpKey = random-to-key(168-fold(s))
             key = DK (tmpKey, KerberosConstant)

   No weak-key checking is performed.  The KerberosConstant value is the
   byte string {0x6b 0x65 0x72 0x62 0x65 0x72 0x6f 0x73}.  These values
   correspond to the ASCII encoding for the string "kerberos".

6. Profiles for Kerberos checksums

   These are the checksum types currently defined for Kerberos.  The
   full list of current checksum type number assignments is given in
   section 8.

6.1. RSA MD4- and MD5-Based Checksums

6.1.1. RSA MD4 Cryptographic Checksum Using DES

   The RSA-MD4-DES checksum calculates a keyed collision-proof checksum
   by prepending an 8 octet confounder before the text, applying the RSA
   MD4 checksum algorithm [MD4-92], and encrypting the confounder and
   the checksum using DES in cipher-block-chaining (CBC) mode using a
   variant of the key, where the variant is computed by eXclusive-ORing
   the key with the constant 0xF0F0F0F0F0F0F0F0.  [5] The initialization
   vector should be zero.  The resulting checksum is 24 octets long.
   This checksum is tamper-proof and believed to be collision-proof.

   The DES specifications identify some weak keys' and 'semi-weak keys';
   those keys shall not be used for generating RSA-MD4 checksums for use
   in Kerberos.

                                rsa-md4-des
      ----------------------------------------------------------------
      associated cryptosystem   des-cbc-md5, des-cbc-md4, des-cbc-crc

      get_mic                   des-cbc(key XOR 0xF0F0F0F0F0F0F0F0,
                                        conf | rsa-md4(conf | msg),
                                        ivec=0)

      verify_mic                decrypt and verify rsa-md4 checksum


   The rsa-md4-des checksum algorithm is assigned a checksum type number
   of three (3).




Raeburn                                                        [Page 24]


INTERNET DRAFT                                                  May 2002


6.1.2. The RSA MD5 Checksum

   The RSA-MD5 checksum calculates a checksum using the RSA MD5
   algorithm [MD5-92].  The algorithm takes as input an input message of
   arbitrary length and produces as output a 128-bit (16 octet)
   checksum.  RSA-MD5 is believed to be collision-proof.  However, since
   it is unkeyed, it must be used with caution.  Currently it is used by
   some implementations in places where the checksum itself is part of a
   larger message that will be encrypted.  Its use is not recommended.

                                  rsa-md5
               ----------------------------------------------
               associated cryptosystem   null

               get_mic                   rsa-md5(msg)

               verify_mic                get_mic and compare


   The rsa-md5 checksum algorithm is assigned a checksum type number of
   seven (7).

6.1.3. RSA MD5 Cryptographic Checksum Using DES

   The RSA-MD5-DES checksum calculates a keyed collision-proof checksum
   by prepending an 8 octet confounder before the text, applying the RSA
   MD5 checksum algorithm, and encrypting the confounder and the
   checksum using DES in cipher-block-chaining (CBC) mode using a
   variant of the key, where the variant is computed by eXclusive-ORing
   the key with the hexadecimal constant 0xF0F0F0F0F0F0F0F0.  The
   initialization vector should be zero.  The resulting checksum is 24
   octets long.  This checksum is tamper-proof and believed to be
   collision-proof.

   The DES specifications identify some 'weak keys' and 'semi-weak
   keys'; those keys shall not be used for encrypting RSA-MD5 checksums
   for use in Kerberos.


                                rsa-md5-des
      ----------------------------------------------------------------
      associated cryptosystem   des-cbc-md5, des-cbc-md4, des-cbc-crc

      get_mic                   des-cbc(key XOR 0xF0F0F0F0F0F0F0F0,
                                        conf | rsa-md5(conf | msg))

      verify_mic                decrypt and verify rsa-md5 checksum




Raeburn                                                        [Page 25]


INTERNET DRAFT                                                  May 2002


                                rsa-md5-des
      ----------------------------------------------------------------



   The rsa-md5-des checksum algorithm is assigned a checksum type number
   of eight (8).

6.1.4. The RSA MD4 Checksum

   The RSA-MD4 checksum calculates a checksum using the RSA MD4
   algorithm [MD4-92].  The algorithm takes as input an input message of
   arbitrary length and produces as output a 128-bit (16 octet)
   checksum.  RSA-MD4 is believed to be collision-proof.


                                  rsa-md4
              ------------------------------------------------
              associated cryptosystem   des-cbc-md5, des-cbc-
                                        md4, des-cbc-crc

              get_mic                   md4(msg)

              verify_mic                compute checksum and
                                        compare



   The rsa-md4 checksum algorithm is assigned a checksum type number of
   two (2).

6.1.5. RSA MD4 Cryptographic Checksum Using DES alternative

   The RSA-MD4-DES-K checksum calculates a keyed collision-proof
   checksum by applying the RSA MD4 checksum algorithm and encrypting
   the results using DES in cipher block chaining (CBC) mode using a DES
   key as both key and initialization vector.  The resulting checksum is
   16 octets long.  This checksum is tamper-proof and believed to be
   collision-proof.  Note that this checksum type is the old method for
   encoding the RSA-MD4-DES checksum and it is no longer recommended.











Raeburn                                                        [Page 26]


INTERNET DRAFT                                                  May 2002


                               rsa-md4-des-k
      ----------------------------------------------------------------
      associated cryptosystem   des-cbc-md5, des-cbc-md4, des-cbc-crc

      get_mic                   des-cbc(key, md4(msg), ivec=key)

      verify_mic                decrypt, compute checksum and compare



   The rsa-md4-des-k checksum algorithm is assigned a checksum type
   number of six (6).

6.2. CRC-32 Checksum

   This CRC-32 checksum calculates a checksum based on a cyclic
   redundancy check as described in ISO 3309 [CRC], modified as
   described below.  The resulting checksum is four (4) octets in
   length.  The CRC-32 is neither keyed nor collision-proof; thus, the
   use of this checksum is not recommended.  An attacker using a
   probabilistic chosen-plaintext attack as described in [SG92] might be
   able to generate an alternative message that satisfies the checksum.
   The use of collision-proof checksums is recommended for environments
   where such attacks represent a significant threat.

   The CRC-32 checksum used in the des-cbc-crc encryption mode is
   identical to the 32-bit FCS described in ISO 3309 with two
   exceptions: the sum with the all-ones polynomial times x**k is
   omitted, and the final remainder is not ones-complemented.  ISO 3309
   describes the FCS in terms of bits, while this document describes the
   Kerberos protocol in terms of octets.  To disambiguate the ISO 3309
   definition for the purpose of computing the CRC-32 in the des-cbc-crc
   encryption mode, the ordering of bits in each octet shall be assumed
   to be LSB-first.  Given this assumed ordering of bits within an
   octet, the mapping of bits to polynomial coefficients shall be
   identical to that specified in ISO 3309.


                                   crc32
              ------------------------------------------------
              associated cryptosystem   des-cbc-md5, des-cbc-
                                        md4, des-cbc-crc

              get_mic                   crc32(msg)

              verify_mic                compute checksum and
                                        compare




Raeburn                                                        [Page 27]


INTERNET DRAFT                                                  May 2002


   The crc32 checksum algorithm is assigned a checksum type number of
   one (1).

6.3. DES MAC checksums

6.3.1. DES CBC checksum

   The DES-MAC checksum is computed by prepending an 8 octet confounder
   to the plaintext, performing a DES CBC-mode encryption on the result
   using the key and an initialization vector of zero, taking the last
   block of the ciphertext, prepending the same confounder and
   encrypting the pair using DES in cipher-block-chaining (CBC) mode
   using a a variant of the key, where the variant is computed by
   eXclusive-ORing the key with the constant 0xF0F0F0F0F0F0F0F0.  The
   initialization vector should be zero.  The resulting checksum is 128
   bits (16 octets) long, 64 bits of which are redundant.  This checksum
   is tamper-proof and collision-proof.

   The DES specifications identify some "weak" and "semiweak" keys;
   those keys shall not be used for generating DES-MAC checksums for use
   in Kerberos, nor shall a key be used whose variant is "weak" or
   "semi-weak".


                                  des-mac
      ----------------------------------------------------------------
      associated     des-cbc-md5, des-cbc-md4, des-cbc-crc
      cryptosystem

      get_mic        des-cbc(key XOR 0xF0F0F0F0F0F0F0F0,
                             conf | des-mac(key, conf | msg, ivec=0),
                             ivec=0)

      verify_mic     decrypt, compute DES MAC using confounder,
                     compare



   The des-mac checksum algorithm is assigned a checksum type number of
   four (4).

6.3.2. DES CBC checksum alternative

   The DES-MAC-K checksum is computed by performing a DES CBC-mode
   encryption of the plaintext, and using the last block of the
   ciphertext as the checksum value.  It is keyed with an encryption key
   and an initialization vector; any uses which do not specify an
   additional initialization vector will use the key as both key and



Raeburn                                                        [Page 28]


INTERNET DRAFT                                                  May 2002


   initialization vector.  The resulting checksum is 64 bits (8 octets)
   long.  This checksum is tamper-proof and collision-proof.  Note that
   this checksum type is the old method for encoding the DESMAC checksum
   and it is no longer recommended.

   The DES specifications identify some "weak keys"; those keys shall
   not be used for generating DES-MAC checksums for use in Kerberos.


                                 des-mac-k
      ----------------------------------------------------------------
      associated cryptosystem   des-cbc-md5, des-cbc-md4, des-cbc-crc

      get_mic                   des-mac(key, msg, ivec=key or given)

      verify_mic                compute MAC and compare



   The des-mac-k checksum algorithm is assigned a checksum type number
   of five (5).

6.4. HMAC-SHA1-DES3-KD Checksum

   This checksum type is defined as outlined in section 4.2 above, using
   the des3-hmac-sha1-kd encryption algorithm parameters from section
   5.3.  The checksum is thus a SHA-1 HMAC using the computed key Kc
   over the message to be protected.

   The hmac-sha1-des3-kd checksum algorithm is assigned a checksum type
   number of twelve (12).

7. Use of Kerberos encryption outside this specification

   Several Kerberos-based application protocols and preauthentication
   systems have been designed and deployed that perform encryption and
   message integrity checks in various ways.  While in some cases there
   may be good reason for specifying these protocols in terms of
   specific encryption or checksum algorithms, we anticipate that in
   many cases this will not be true, and more generic approaches
   independent of particular algorithms will be desirable.  Rather than
   having each protocol designer reinvent schemes for protecting data,
   using multiple keys, etc, we have attempted to present in this
   section a general framework that should be sufficient not only for
   the Kerberos protocol itself but also for many preauthentication
   systems and application protocols, while trying to avoid some of the
   assumptions that can work their way into such protocol designs.




Raeburn                                                        [Page 29]


INTERNET DRAFT                                                  May 2002


   Some problematic assumptions we've seen (and sometimes made) include:
   that a random bitstring is always valid as a key (not true for DES
   keys with parity); that the basic block encryption chaining mode
   provides no integrity checking, or can easily be separated from such
   checking (not true for many modes in development that do both
   simultaneously); that a checksum for a message always results in the
   same value (not true if a confounder is incorporated); that an
   initial vector is used (may not be true if a block cipher in CBC mode
   is not in use).

   Such assumptions, while they may hold for any given set of encryption
   and checksum algorithms, may not be true of the next algorithms to be
   defined, leaving the application protocol unable to make use of those
   algorithms without updates to its specification.

   The Kerberos protocol uses only the attributes and operations
   described in sections 2 and 3.  Preauthentication systems and
   application protocols making use of Kerberos are encouraged to use
   them as well.  The specific key and string-to-key parameters should
   generally be treated as opaque.  While the string-to-key parameters
   are manipulated as an octet string, the representation for the
   specific key structure is implementation-defined; it may not even be
   a single object.

   While we don't recommend it, some application protocols will
   undoubtedly continue to use the key data directly, even if only in
   some of the currently existing protocol specifications.  An
   implementation intended to support general Kerberos applications may
   therefore need to make the key data available, as well as the
   attributes and operations described in sections 2 and 3.  [6]

8. Assigned Numbers

   The following encryption type numbers are already assigned or
   reserved for use in Kerberos and related protocols.


   Encryption type    etype    block    minimum    confounder    section
                      value    size     pad size      size
   ----------------------------------------------------------------------
   NULL                   0      1         0           0           5.1
   des-cbc-crc            1      8         4           8          5.2.3
   des-cbc-md4            2      8         0           8          5.2.2
   des-cbc-md5            3      8         0           8          5.2.1
   des3-cbc-sha1-kd      16      8         0           8           5.3


   Other numbers have been reserved for use in encryption systems not



Raeburn                                                        [Page 30]


INTERNET DRAFT                                                  May 2002


   defined here.  Encryption type numbers are unfortunately overloaded
   on occasion in Kerberos-related protocols, so some of the reserved
   numbers do not and will not correspond to encryption systems fitting
   the profile presented here.


   Encryption type               etype value            comment
   ----------------------------------------------------------------------
   [reserved]                              4
   des3-cbc-md5                            5
   [reserved]                              6
   des3-cbc-sha1                           7
   dsaWithSHA1-CmsOID                      9           (pkinit)
   md5WithRSAEncryption-CmsOID            10           (pkinit)
   sha1WithRSAEncryption-CmsOID           11           (pkinit)
   rc2CBC-EnvOID                          12           (pkinit)
   rsaEncryption-EnvOID                   13   (pkinit from PKCS#1 v1.5)
   rsaES-OAEP-ENV-OID                     14   (pkinit from PKCS#1 v2.0)
   des-ede3-cbc-Env-OID                   15           (pkinit)
   rc4-hmac                               23            (swift)
   rc4-hmac-exp                           24            (swift)
   subkey-keynaterial                     65         (opaque mhur)


   The following checksum type numbers are assigned or reserved.  As
   with encryption type numbers, some overloading of checksum numbers
   has occurred.


   Checksum type             sumtype         checksum          section
                               value             size
   ----------------------------------------------------------------------
   CRC32                           1                4            6.2
   rsa-md4                         2               16           6.1.4
   rsa-md4-des                     3               24           6.1.1
   des-mac                         4               16           6.3.1
   des-mac-k                       5                8           6.3.2
   rsa-md4-des-k                   6               16           6.1.5
   rsa-md5                         7               16           6.1.2
   rsa-md5-des                     8               24           6.1.3
   rsa-md5-des3                    9               24
   hmac-sha1-des3-kd              12               20            6.4
   hmac-sha1-des3                 13               20
   sha1 (unkeyed)                 14               20
   [reserved]                 0x8003                ?         [GSS-KRB5]


   Management of these assignments is not being delegated to IANA at



Raeburn                                                        [Page 31]


INTERNET DRAFT                                                  May 2002


   this time.

9. Implementation Notes

   The "interface" described here is the minimal information that must
   be defined to make a cryptosystem useful within Kerberos in an
   interoperable fashion.  It is not an attempt to define a complete API
   for cryptographic functionality within Kerberos.  Actual
   implementations providing clean APIs will probably find it useful to
   make additional information available, which should be possible to
   derive from a specification written to the framework given here.  For
   example, an application designer may wish to determine the largest
   number of bytes that can be encrypted without overflowing a certain
   size output buffer, or conversely, the maximum number of bytes that
   might be obtained by decrypting a given ciphertext message.  (In
   fact, an implementation of the GSS-API Kerberos mechanism [GSS-KRB5]
   will require some of these.)

   The presence of a mechanism in this document should not be taken as
   an indication that it must be implemented for compliance with any
   specification; required mechanisms will be specified elsewhere.
   Indeed, some of the mechanisms described here for backwards
   compatibility are now considered rather weak for protecting critical
   data.

10. Security Considerations

   Recent years have brought advancements in the ability to perform
   large-scale attacks against DES, to such a degree that it is not
   considered a strong encryption mechanism any longer; triple-DES is
   generally preferred in its place, despite the poorer performance.
   See [ESP-DES] for a summary of some of the potential attacks, and
   [EFF-DES] for a detailed discussion of the implementation of
   particular attack.  However, most Kerberos implementations still have
   DES as their primary interoperable encryption type.

   DES has a small number of "weak" and "semiweak" keys, but the use of
   triple-DES makes no effort to avoid them.  The nature of the weak
   keys is such that it is extremely unlikely that they will weaken the
   triple-DES encryption -- only slightly more likely than having the
   middle of the three sub-keys match one of the other two, which
   effectively converts the encryption to single-DES.  (Which is another
   case we make no effort to avoid.)

   The true CRC-32 checksum is not collision-proof; an attacker could
   use a probabilistic chosen-plaintext attack to generate a valid
   message even if a confounder is used [SG92].  The use of collision-
   proof checksums is of course recommended for environments where such



Raeburn                                                        [Page 32]


INTERNET DRAFT                                                  May 2002


   attacks represent a significant threat.  The "simplifications" (read:
   bugs) introduced when CRC-32 was implemented for Kerberos cause
   leading zeros to effectively be ignored, so messages differing only
   in leading zero bits will have the same checksum.

   [HMAC] and [IPSEC-HMAC] discuss weaknesses of the HMAC algorithm.
   Unlike [IPSEC-HMAC], this specification does not use the suggested
   truncation of the HMAC output.  As pointed out in [IPSEC-HMAC], SHA-1
   was not developed to be used as a keyed hash function, which is a
   criterion of HMAC.  [HMAC-TEST] contains test vectors for HMAC-SHA-1.

   The mit_des_string_to_key function was originally constructed with
   the assumption that all input would be ASCII; it ignores the top bit
   of each input byte.  Folding with XOR is also not an especially good
   mixing mechanism in terms of preserving randomness.

   The n-fold function used in the string-to-key operation for des3-cbc-
   hmac-sha1-kd was designed to cause each bit of input to contribute
   equally to the output; it was not designed to maximize or equally
   distribute randomness in the input, and there are conceivable cases
   of partially structured input where randomness may be lost.  This
   should only be an issue for highly structured passwords, however.

   [RFC1851] discusses the relative strength of triple-DES encryption.
   The relative slow speed of triple-DES encryption may also be an issue
   for some applications.

   This document, like the Kerberos protocol, completely ignores the
   notion of limiting the amount of data a key may be used with to a
   quantity based on the robustness of the algorithm or size of the key.
   It is assumed that any defined algorithms and key sizes will be
   strong enough to support very large amounts of data, or they will be
   deprecated once significant attacks are known.

   This document also places no bounds on the amount of data that can be
   handled in various operations.  In order to avoid denial of service
   attacks, implementations will probably want to restrict message sizes
   at some higher level.

11. Acknowledgments

   This document is an extension of the encryption specification
   included in [Kerb1510] by B. Clifford Neuman and John Kohl, and much
   of the text of the background, concepts, and DES specifications are
   drawn directly from that document.

   The abstract framework presented in this document was put together by
   Jeff Altman, Sam Hartman, Jeff Hutzelman, Cliff Neuman, Ken Raeburn,



Raeburn                                                        [Page 33]


INTERNET DRAFT                                                  May 2002


   and Tom Yu, and the details were refined several times based on
   comments from John Brezak and others.

   Marc Horowitz wrote the original specification of triple-DES and key
   derivation in a pair of Internet Drafts (under the names draft-
   horowitz-key-derivation and draft-horowitz-kerb-key-derivation) which
   were later folded into a draft revision of [Kerb1510], from which
   this document was later split off.

   Tom Yu provided the text describing the modifications to the standard
   CRC algorithm as Kerberos implementations actually use it.

   Miroslav Jurisic provided information for one of the UTF-8 test cases
   for the string-to-key functions.

   Marcus Watts and Louis LeVay caught some errors in an earlier draft.

12. Editor's address

   Kenneth Raeburn
   Massachusetts Institute of Technology
   77 Massachusetts Avenue
   Cambridge, MA 02139
   raeburn@mit.edu


13. Full Copyright Statement

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an



Raeburn                                                        [Page 34]


INTERNET DRAFT                                                  May 2002


   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."

A. Test vectors

   This section provides test vectors for various functions defined or
   described in this document.  For convenience, most inputs are ASCII
   strings, though some UTF-8 samples are be provided for string-to-key
   functions.  Keys and other binary data are specified as hexadecimal
   strings.

A.1. n-fold

   The n-fold function is defined in section 4.1.  As noted there, the
   sample vector in the original paper defining the algorithm appears to
   be incorrect.  Here are values provided by Marc Horowitz:

      64-fold("012345") =
      64-fold(303132333435) = be072631276b1955

      56-fold("password") =
      56-fold(70617373776f7264) = 78a07b6caf85fa

      64-fold("Rough Consensus, and Running Code") =
      64-fold(526f75676820436f6e73656e7375732c20616e642052756e
              6e696e6720436f6465) = bb6ed30870b7f0e0

      168-fold("password") =
      168-fold(70617373776f7264) =
               59e4a8ca7c0385c3c37b3f6d2000247cb6e6bd5b3e

      192-fold("MASSACHVSETTS INSTITVTE OF TECHNOLOGY"
      192-fold(4d41535341434856534554545320494e5354495456544520
               4f4620544543484e4f4c4f4759) =
               db3b0d8f0b061e603282b308a50841229ad798fab9540c1b

A.2. mit_des_string_to_key

   The function mit_des_string_to_key is defined in section 5.2.  We
   present here several test values, with some of the intermediate
   results.  The fourth test demonstrates the use of UTF-8 with three
   characters.  The last two tests are specifically constructed so as to
   trigger the weak-key fixups for the intermediate key produced by fan-
   folding; we have no test cases that cause such fixups for the final
   key.



Raeburn                                                        [Page 35]


INTERNET DRAFT                                                  May 2002


   UTF-8 encodings used in test vector:
   eszett     C3 9F            s-caron     C5 A1      c-acute     C4 87
   g-clef     F0 9D 84 9E


   Test vector:


   salt:        "ATHENA.MIT.EDUraeburn"
                              415448454e412e4d49542e4544557261656275726e
   password:    "password"    70617373776f7264
   fan-fold result:           c01e38688ac86c2e
   intermediate key:          c11f38688ac86d2f
   DES key:                   cbc22fae235298e3



   salt:       "WHITEHOUSE.GOVdanny"   5748495445484f5553452e474f5664616e6e79
   password:   "potatoe"               706f7461746f65
   fan-fold result:                    a028944ee63c0416
   intermediate key:                   a129944fe63d0416
   DES key:                            df3d32a74fd92a01



   salt:      "EXAMPLE.COMpianist"  4558414D504C452E434F4D7069616E697374
   password:  g-clef                f09d849e
   fan-fold result:                 3c4a262c18fab090
   intermediate key:                3d4a262c19fbb091
   DES key:                         4ffb26bab0cd9413



   salt:        "ATHENA.MIT.EDUJuri" + s-caron + "i" + c-acute
                          415448454e412e4d49542e4544554a757269c5a169c487
   password:    eszett    c39f
   fan-fold result:       b8f6c40e305afc9e
   intermediate key:      b9f7c40e315bfd9e
   DES key:               62c81a5232b5e69d



   salt:       "AAAAAAAA"   4141414141414141
   password:   "11119999"   3131313139393939
   fan-fold result:         e0e0e0e0f0f0f0f0
   intermediate key:        e0e0e0e0f1f1f101
   DES key:                 984054d0f1a73e31




Raeburn                                                        [Page 36]


INTERNET DRAFT                                                  May 2002


   salt:       "FFFFAAAA"   4646464641414141
   password:   "NNNN6666"   4e4e4e4e36363636
   fan-fold result:         1e1e1e1e0e0e0e0e
   intermediate key:        1f1f1f1f0e0e0efe
   DES key:                 c4bf6b25adf7a4f8


A.3. DES3 DR and DK

   These tests show the derived-random and derived-key values for the
   des3-hmac-sha1-kd encryption scheme, using the DR and DK functions
   defined in section 5.3.1.  The input keys were randomly generated;
   the usage values are from this specification.


   key:                 dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92
   usage:               0000000155
   DR:                  935079d14490a75c3093c4a6e8c3b049c71e6ee705
   DK:                  925179d04591a79b5d3192c4a7e9c289b049c71f6ee604cd



   key:                 5e13d31c70ef765746578531cb51c15bf11ca82c97cee9f2
   usage:               00000001aa
   DR:                  9f58e5a047d894101c469845d67ae3c5249ed812f2
   DK:                  9e58e5a146d9942a101c469845d67a20e3c4259ed913f207



   key:                 98e6fd8a04a4b6859b75a176540b9752bad3ecd610a252bc
   usage:               0000000155
   DR:                  12fff90c773f956d13fc2ca0d0840349dbd39908eb
   DK:                  13fef80d763e94ec6d13fd2ca1d085070249dad39808eabf



   key:                 622aec25a2fe2cad7094680b7c64940280084c1a7cec92b5
   usage:               00000001aa
   DR:                  f8debf05b097e7dc0603686aca35d91fd9a5516a70
   DK:                  f8dfbf04b097e6d9dc0702686bcb3489d91fd9a4516b703e



   key:                 d3f8298ccb166438dcb9b93ee5a7629286a491f838f802fb
   usage:               6b65726265726f73
   DR:                  2270db565d2a3d64cfbfdc5305d4f778a6de42d9da
   DK:                  2370da575d2a3da864cebfdc5204d56df779a7df43d9da43




Raeburn                                                        [Page 37]


INTERNET DRAFT                                                  May 2002


   key:                 b55e983467e551b3e5d0e5b6c80d45769423a873dc62b30e
   usage:               636f6d62696e65
   DR:                  0127398bacc81a2a62bc45f8d4c151bbcdd5cb788a
   DK:                  0126388aadc81a1f2a62bc45f8d5c19151bacdd5cb798a3e



   key:                 c1081649ada74362e6a1459d01dfd30d67c2234c940704da
   usage:               0000000155
   DR:                  348056ec98fcc517171d2b4d7a9493af482d999175
   DK:                  348057ec98fdc48016161c2a4c7a943e92ae492c989175f7



   key:                 5d154af238f46713155719d55e2f1f790dd661f279a7917c
   usage:               00000001aa
   DR:                  a8818bc367dadacbe9a6c84627fb60c294b01215e5
   DK:                  a8808ac267dada3dcbe9a7c84626fbc761c294b01315e5c1



   key:                 798562e049852f57dc8c343ba17f2ca1d97394efc8adc443
   usage:               0000000155
   DR:                  c813f88b3be2b2f75424ce9175fbc8483b88c8713a
   DK:                  c813f88a3be3b334f75425ce9175fbe3c8493b89c8703b49



   key:                 26dce334b545292f2feab9a8701a89a4b99eb9942cecd016
   usage:               00000001aa
   DR:                  f58efc6f83f93e55e695fd252cf8fe59f7d5ba37ec
   DK:                  f48ffd6e83f83e7354e694fd252cf83bfe58f7d5ba37ec5d


A.4. DES3string_to_key

   These are the keys generated for some of the above input strings for
   triple-DES with key derivation as defined in section 5.3.1.

    salt:   "ATHENA.MIT.EDUraeburn"
    passwd: "password"
    key:    850bb51358548cd05e86768c313e3bfef7511937dcf72c3e

    salt:   "WHITEHOUSE.GOVdanny"
    passwd: "potatoe"
    key:    dfcd233dd0a43204ea6dc437fb15e061b02979c1f74f377a





Raeburn                                                        [Page 38]


INTERNET DRAFT                                                  May 2002


    salt:   "EXAMPLE.COMbuckaroo"
    passwd: "penny"
    key:    6d2fcdf2d6fbbc3ddcadb5da5710a23489b0d3b69d5d9d4a

    salt:   "ATHENA.MIT.EDUJuri" + s-caron + "i" + c-acute
    passwd: eszett
    key:    16d5a40e1ce3bacb61b9dce00470324c831973a7b952feb0

    salt:   "EXAMPLE.COMpianist"
    passwd: g-clef
    key:    85763726585dbc1cce6ec43e1f751f07f1c4cbb098f40b19

A.5. Modified CRC-32

   Below are modified-CRC32 values for various ASCII strings.  Only the
   printable ASCII characters are checksummed, no C-style trailing zero-
   valued octet.  The 32-bit modified CRC and the sequence of output
   bytes as used in Kerberos are shown.  (The octet values are separated
   here to emphasize that they are octet values and not 32-bit numbers,
   which will be the most convenient form for manipulation in some
   implementations.  The bit and byte order used internally for such a
   number is irrelevant; the octet sequence generated is what is
   important.)


    mod-crc-32("foo") =                                     33 bc 32 73

    mod-crc-32("test0123456789") =                          d6 88 3e b8

    mod-crc-32("MASSACHVSETTS INSTITVTE OF TECHNOLOGY") =   f7 80 41 e3

    mod-crc-32(8000) =                                      4b 98 83 3b

    mod-crc-32(0008) =                                      32 88 db 0e

    mod-crc-32(0080) =                                      20 83 b8 ed

    mod-crc-32(80) =                                        20 83 b8 ed

    mod-crc-32(80000000) =                                  3b b6 59 ed

    mod-crc-32(00000001) =                                  96 30 07 77


B. Significant Changes from RFC 1510

   The encryption and checksum mechanism profiles are new.  The old
   specification defined a few operations for various mechanisms, but



Raeburn                                                        [Page 39]


INTERNET DRAFT                                                  May 2002


   didn't outline what should be required of new mechanisms in terms of
   abstract properties, nor how to ensure that a mechanism specification
   is complete enough for interoperability between implementations.  The
   new profiles do differ from the old specification in a few ways:

      Some message definitions in [Kerb1510] could be read as permitting
      the initial vector to be specified by the application; the text
      was too vague.  It is specifically not permitted in this
      specification.  Some encryption algorithms may not use
      initialization vectors, so relying on chosen, secret
      initialization vectors for security is unwise.  Also, the
      prepended confounder in the existing algorithms is roughly
      equivalent to a per-message initialization vector that is revealed
      in encrypted form.  However, carrying state across from one
      encryption to another is explicitly permitted through the opaque
      "cipher state" object.

      The use of key derivation is new.

      Several new methods are introduced, including generation of a key
      in wire-protocol format from random input data.

      The means for influencing the string-to-key algorithm are laid out
      more clearly.

      other new methods?

   Triple-DES support is new.

   The des-cbc-crc and CRC descriptions have been updated to align them
   with existing implementations.

   [Kerb1510] had no indication what character set or encoding might be
   used for pass phrases and salts.

   In [Kerb1510], key types, encryption algorithms and checksum
   algorithms were only loosely associated, and the association was not
   well described.  In this specification, key types and encryption
   algorithms have a one-to-one correspondence, and associations between
   encryption and checksum algorithms are described so that checksums
   can be computed given negotiated keys, without requiring further
   negotiation for checksum types.

C. Document History (delete before publication)

   Changes from kerberos-revisions-## to crypto-00 draft:

   Collected DES encryption algorithms together under one subsection.



Raeburn                                                        [Page 40]


INTERNET DRAFT                                                  May 2002


   Replaced salt type number with string-to-key parameter octet-string.

   Incorporated Tom Yu's description of our "modified" (i.e., broken)
   CRC algorithm.

   Changes from -00 to -01:

   Added "Significant Changes from RFC 1510" and "Document History"
   appendixes.

   Fixed up some incorrect section number references.

   Collected RSA checksum algorithms together under one section, and
   likewise for DES MAC checksum algorithms.

   Changed DES encryption description to indicate that the trailing
   padding is included in the checksum calculation.

   Updated introduction.

   Dropped combine-keys function.  It'll be needed eventually, but this
   isn't the best place for it.

   Added request for weaknesses, attacks, test vectors in follow-on
   documents defining cipher suites, and references on weaknesses for
   suites defined here.

   We are not assigning the number registrations to IANA at this time.

   The get_mic function need not have a fixed size output.  (If it is
   required, someone remind me why.)  The hash function used in the
   simplified profile must, on the other hand.

   Cipher state description tightened up a bit: Split description into
   state and initial-state.  Added direction (encrypt vs decrypt) as an
   input parameter for initialization, operations performed must be
   consistent with that.  Cipher state can be used as input to
   encrypt/decrypt only once; operations output the new state to be used
   next time, if chaining at all.  Chaining is required to influence the
   output, to detect message stream modifications; previously this was
   explicitly not required.

   Moved some descriptive text out of tables.

   Fixed some speling probelms.






Raeburn                                                        [Page 41]


INTERNET DRAFT                                                  May 2002


Notes

   [1] While Message Authentication Code (MAC) or Message Integrity
       Check (MIC) would be more appropriate terms for many of the
       uses in this document, we continue to use the term "checksum"
       for historical reasons.

   [2] In the case of Kerberos, the encrypted objects will generally
       be ASN.1 DER encodings, which contain indications of their
       length in the first few octets.

   [3] As of the time of this writing, some new modes of operation
       have been proposed, some of which may permit encryption and
       integrity protection simultaneously.  After some of these
       proposals have been subjected to adequate analysis, we may
       wish to formulate a new simplified profile based on one of
       them.

   [4] It should be noted that the sample vector in Appendix B.2 of
       the original paper appears to be incorrect.  Two independent
       implementations from the specification (one in C by Marc
       Horowitz, and another in Scheme by Bill Sommerfeld) agree on
       a value different from that in [Blumenthal96].

   [5] A variant of the key is used to limit the use of a key to a
       particular function, separating the functions of generating a
       checksum from other encryption performed using the session
       key.  The constant 0xF0F0F0F0F0F0F0F0 was chosen because it
       maintains key parity.  The properties of DES precluded the
       use of the complement.  The same constant is used for similar
       purpose in the Message Integrity Check in the Privacy
       Enhanced Mail standard.

   [6] Perhaps one of the more common reasons for directly
       performing encryption is direct control over the negotiation
       and to select a "sufficiently strong" encryption algorithm
       (whatever that means in the context of a given application).
       While Kerberos directly provides no facility for negotiating
       encryption types between the application client and server,
       there are other means for accomplishing similar goals.  For
       example, requesting only "strong" session key types from the
       KDC, and assuming that the type actually returned by the KDC
       will be understood and supported by the application server.








Raeburn                                                        [Page 42]


INTERNET DRAFT                                                  May 2002


Normative References

   @@ NOTE: draft-rfc-editor-rfc2223bis-01 specifies separate "normative
   references" and "informative references" sections.  This draft has
   not yet become an RFC as of the time of this writing.

   This section copied from kerberos-revisions draft.  Drop the ones we
   don't need, add anything new that we do need.  Move informational-
   only references to the next section.  Update old I-D references to
   RFCs, or find other sources.


   [Bellare98]
      Bellare, M., Desai, A., Pointcheval, D., and P. Rogaway,
      "Relations Among Notions of Security for Public-Key Encryption
      Schemes".  Extended abstract published in Advances in Cryptology-
      Crypto 98 Proceedings, Lecture Notes in Computer Science Vol.
      1462, H. Krawcyzk ed., Springer-Verlag, 1998.
   [Blumenthal96]
      Blumenthal, U., "A Better Key Schedule for DES-Like Ciphers",
      Proceedings of PRAGOCRYPT '96, 1996.
   [CRC]
      International Organization for Standardization, "ISO Information
      Processing Systems - Data Communication - High-Level Data Link
      Control Procedure - Frame Structure," IS 3309, 3rd Edition,
      October 1984.
   [DES77]
      National Bureau of Standards, U.S. Department of Commerce, "Data
      Encryption Standard," Federal Information Processing Standards
      Publication 46, Washington, DC, 1977.
   [DESM80]
      National Bureau of Standards, U.S. Department of Commerce, "DES
      Modes of Operation," Federal Information Processing Standards
      Publication 81, Springfield, VA, December 1980.
   [Dolev91]
      Dolev, D., Dwork, C., Naor, M., "Non-malleable cryptography",
      Proceedings of the 23rd Annual Symposium on Theory of Computing,
      ACM, 1991.
   [HMAC]
      Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
      for Message Authentication", RFC 2104, February 1997.
   [MD4-92]
      Rivest, R., "The MD4 Message Digest Algorithm," RFC 1320, MIT
      Laboratory for Computer Science, April 1992.
   [MD5-92]
      Rivest, R., "The MD5 Message Digest Algorithm," RFC 1321, MIT
      Laboratory for Computer Science, April 1992.




Raeburn                                                        [Page 43]


INTERNET DRAFT                                                  May 2002


   [RFC2026]
      Bradner, S., "The Internet Standards Process -- Revisions 3," RFC
      2026, October 1996.
   [SG92]
      Stubblebine, S., and V. D. Gligor, "On Message Integrity in
      Cryptographic Protocols," in Proceedings of the IEEE Symposium on
      Research in Security and Privacy, Oakland, California, May 1992.

Informative References

   [EFF-DES]
      Electronic Frontier Foundation, "Cracking DES: Secrets of
      Encryption Research, Wiretap Politics, and Chip Design", O'Reilly
      & Associates, Inc., May 1998.
   [ESP-DES]
      Madson, C., and N. Doraswamy, "The ESP DES-CBC Cipher Algorithm
      With Explicit IV", RFC 2405, November 1998.
   [GSS-KRB5]
      Linn, J., "The Kerberos Version 5 GSS-API Mechanism," RFC 1964,
      June 1996.
   [HMAC-TEST]
      Cheng, P., and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1",
      RFC 2202, September 1997.
   [IPSEC-HMAC]
      Madson, C., and R. Glenn, "The Use of HMAC-SHA-1-96 within ESP and
      AH", RFC 2404, November 1998.
   [Kerb]
      Neuman, C., Kohl, J., Ts'o, T., Yu, T., Hartman, S., and K.
      Raeburn, "The Kerberos Network Authentication Service (V5)",
      draft-ietf-krb-wg-kerberos-clarifications-00.txt, February 22,
      2002.  Work in progress.
   [Kerb1510]
      Kohl, J., and C. Neuman, "The Kerberos Network Authentication
      Service (V5)", RFC 1510, September 1993.

















Raeburn                                                        [Page 44]