1Kerberos Working Group K. Raeburn 2Document: draft-raeburn-krb-rijndael-krb-07.txt MIT 3 July 19, 2004 4 expires January 19, 2005 5 6 7 AES Encryption for Kerberos 5 8 9 10Status of this Memo 11 12 13 This document is an Internet-Draft and is subject to all provisions 14 of Section 10 of RFC2026. Internet-Drafts are working documents of 15 the Internet Engineering Task Force (IETF), its areas, and its 16 working groups. Note that other groups may also distribute working 17 documents as Internet-Drafts. Internet-Drafts are draft documents 18 valid for a maximum of six months and may be updated, replaced, or 19 obsoleted by other documents at any time. It is inappropriate to use 20 Internet-Drafts as reference material or to cite them other than as 21 "work in progress." 22 23 24 The list of current Internet-Drafts can be accessed at 25 http://www.ietf.org/ietf/1id-abstracts.txt 26 27 28 The list of Internet-Draft Shadow Directories can be accessed at 29 http://www.ietf.org/shadow.html. 30 31 32Abstract 33 34 35 The US National Institute of Standards and Technology has chosen a 36 new Advanced Encryption Standard, which is significantly faster and 37 (it is believed) more secure than the old DES algorithm. This 38 document is a specification for the addition of this algorithm to the 39 Kerberos cryptosystem suite. 40 41 421. Introduction 43 44 45 This document defines encryption key and checksum types for Kerberos 46 5 using the AES algorithm recently chosen by NIST. These new types 47 support 128-bit block encryption, and key sizes of 128 or 256 bits. 48 49 50 Using the "simplified profile" of [KCRYPTO], we can define a pair of 51 encryption and checksum schemes. AES is used with cipher text 52 stealing to avoid message expansion, and SHA-1 [SHA1] is the 53 associated checksum function. 54 55 56 57 58 59 60Raeburn [Page 1] 61INTERNET DRAFT July 2004 62 63 64 652. Conventions Used in this Document 66 67 68 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 69 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 70 document are to be interpreted as described in RFC 2119 [KEYWORDS]. 71 72 733. Protocol Key Representation 74 75 76 The profile in [KCRYPTO] treats keys and random octet strings as 77 conceptually different. But since the AES key space is dense, we can 78 use any bit string of appropriate length as a key. We use the byte 79 representation for the key described in [AES], where the first bit of 80 the bit string is the high bit of the first byte of the byte string 81 (octet string) representation. 82 83 844. Key Generation From Pass Phrases or Random Data 85 86 87 Given the above format for keys, we can generate keys from the 88 appropriate amounts of random data (128 or 256 bits) by simply 89 copying the input string. 90 91 92 To generate an encryption key from a pass phrase and salt string, we 93 use the PBKDF2 function from PKCS #5 v2.0 ([PKCS5]), with parameters 94 indicated below, to generate an intermediate key (of the same length 95 as the desired final key), which is then passed into the DK function 96 with the 8-octet ASCII string "kerberos" as is done for des3-cbc- 97 hmac-sha1-kd in [KCRYPTO]. (In [KCRYPTO] terms, the PBKDF2 function 98 produces a "random octet string", hence the application of the 99 random-to-key function even though it's effectively a simple identity 100 operation.) The resulting key is the user's long-term key for use 101 with the encryption algorithm in question. 102 103 104 tkey = random2key(PBKDF2(passphrase, salt, iter_count, keylength)) 105 key = DK(tkey, "kerberos") 106 107 108 The pseudorandom function used by PBKDF2 will be a SHA-1 HMAC of the 109 passphrase and salt, as described in Appendix B.1 to PKCS#5. 110 111 112 The number of iterations is specified by the string-to-key parameters 113 supplied. The parameter string is four octets indicating an unsigned 114 number in big-endian order. This is the number of iterations to be 115 performed. If the value is 00 00 00 00, the number of iterations to 116 be performed is 4294967296 (2**32). (Thus the minimum expressable 117 iteration count is 1.) 118 119 120 For environments where slower hardware is the norm, implementations 121 of protocols such as Kerberos may wish to limit the number of 122 iterations to prevent a spoofed response supplied by an attacker from 123 124 125 126 127Raeburn [Page 2] 128INTERNET DRAFT July 2004 129 130 131 132 consuming lots of client-side CPU time; if such a limit is 133 implemented, it SHOULD be no less than 50000. Even for environments 134 with fast hardware, 4 billion iterations is likely to take a fairly 135 long time; much larger bounds might still be enforced, and it might 136 be wise for implementations to permit interruption of this operation 137 by the user if the environment allows for it. 138 139 140 If the string-to-key parameters are not supplied, the value used is 141 00 00 10 00 (decimal 4096, indicating 4096 iterations). 142 143 144 Note that this is not a requirement, nor even a recommendation, for 145 this value to be used in "optimistic preauthentication" (e.g., 146 attempting timestamp-based preauthentication using the user's long- 147 term key, without having first communicated with the KDC) in the 148 absence of additional information, nor as a default value for sites 149 to use for their principals' long-term keys in their Kerberos 150 database. It is simply the interpretation of the absence of the 151 string-to-key parameter field when the KDC has had an opportunity to 152 provide it. 153 154 155 Sample test vectors are given in appendix B. 156 157 1585. Cipher Text Stealing 159 160 161 Cipher block chaining is used to encrypt messages. Unlike previous 162 Kerberos cryptosystems, we use cipher text stealing to handle the 163 possibly partial final block of the message. 164 165 166 Cipher text stealing is described on pages 195-196 of [AC], and 167 section 8 of [RC5]; it has the advantage that no message expansion is 168 done during encryption of messages of arbitrary sizes as is typically 169 done in CBC mode with padding. Some errata for [RC5] are listed in 170 appendix A, and are considered part of the cipher text stealing 171 technique as used here. 172 173 174 Cipher text stealing, as defined in [RC5], assumes that more than one 175 block of plain text is available. If exactly one block is to be 176 encrypted, that block is simply encrypted with AES (also known as ECB 177 mode). Input of less than one block is padded at the end to one 178 block; the values of the padding bits are unspecified. 179 (Implementations MAY use all-zero padding, but protocols MUST NOT 180 rely on the result being deterministic. Implementations MAY use 181 random padding, but protocols MUST NOT rely on the result not being 182 deterministic. Note that in most cases, the Kerberos encryption 183 profile will add a random confounder independent of this padding.) 184 185 186 For consistency, cipher text stealing is always used for the last two 187 blocks of the data to be encrypted, as in [RC5]. If the data length 188 189 190 191 192Raeburn [Page 3] 193INTERNET DRAFT July 2004 194 195 196 197 is a multiple of the block size, this is equivalent to plain CBC mode 198 with the last two cipher text blocks swapped. 199 200 201 A test vector is given in appendix B. 202 203 204 The initial vector carried out from one encryption for use in a 205 following encryption is the next to last block of the encryption 206 output; this is the encrypted form of the last plaintext block. When 207 decrypting, the next to last block of the supplied ciphertext is 208 carried forward as the next initial vector. 209 210 2116. Kerberos Algorithm Profile Parameters 212 213 214 This is a summary of the parameters to be used with the simplified 215 algorithm profile described in [KCRYPTO]: 216 217 218 +--------------------------------------------------------------------+ 219 | protocol key format 128- or 256-bit string | 220 | | 221 | string-to-key function PBKDF2+DK with variable | 222 | iteration count (see | 223 | above) | 224 | | 225 | default string-to-key parameters 00 00 10 00 | 226 | | 227 | key-generation seed length key size | 228 | | 229 | random-to-key function identity function | 230 | | 231 | hash function, H SHA-1 | 232 | | 233 | HMAC output size, h 12 octets (96 bits) | 234 | | 235 | message block size, m 1 octet | 236 | | 237 | encryption/decryption functions, AES in CBC-CTS mode | 238 | E and D (cipher block size 16 | 239 | octets), with next to | 240 | last block as CBC-style | 241 | ivec | 242 +--------------------------------------------------------------------+ 243 244 245 Using this profile with each key size gives us two each of encryption 246 and checksum algorithm definitions. 247 248 249 250 251 252 253 254 255Raeburn [Page 4] 256INTERNET DRAFT July 2004 257 258 259 2607. Assigned Numbers 261 262 263 The following encryption type numbers are assigned: 264 265 266 +--------------------------------------------------------------------+ 267 | encryption types | 268 +--------------------------------------------------------------------+ 269 | type name etype value key size | 270 +--------------------------------------------------------------------+ 271 | aes128-cts-hmac-sha1-96 17 128 | 272 | aes256-cts-hmac-sha1-96 18 256 | 273 +--------------------------------------------------------------------+ 274 275 276 The following checksum type numbers are assigned: 277 278 279 +--------------------------------------------------------------------+ 280 | checksum types | 281 +--------------------------------------------------------------------+ 282 | type name sumtype value length | 283 +--------------------------------------------------------------------+ 284 | hmac-sha1-96-aes128 15 96 | 285 | hmac-sha1-96-aes256 16 96 | 286 +--------------------------------------------------------------------+ 287 288 289 These checksum types will be used with the corresponding encryption 290 types defined above. 291 292 2938. Security Considerations 294 295 296 This new algorithm has not been around long enough to receive the 297 decades of intense analysis that DES has received. It is possible 298 that some weakness exists that has not been found by the 299 cryptographers analyzing these algorithms before and during the AES 300 selection process. 301 302 303 The use of the HMAC function has drawbacks for certain pass phrase 304 lengths. For example, a pass phrase longer than the hash function 305 block size (64 bytes, for SHA-1) is hashed to a smaller size (20 306 bytes) before applying the main HMAC algorithm. However, entropy is 307 generally sparse in pass phrases, especially in long ones, so this 308 may not be a problem in the rare cases of users with long pass 309 phrases. 310 311 312 Also, generating a 256-bit key from a pass phrase of any length may 313 be deceptive, since the effective entropy in pass-phrase-derived key 314 cannot be nearly that large, given the properties of the string-to- 315 key function described here. 316 317 318 319 320 321Raeburn [Page 5] 322INTERNET DRAFT July 2004 323 324 325 326 The iteration count in PBKDF2 appears to be useful primarily as a 327 constant multiplier for the amount of work required for an attacker 328 using brute-force methods. Unfortunately, it also multiplies, by the 329 same amount, the work needed by a legitimate user with a valid 330 password. Thus the work factor imposed on an attacker (who may have 331 many powerful workstations at his disposal) must be balanced against 332 the work factor imposed on the legitimate user (who may have a PDA or 333 cell phone); the available computing power on either side increases 334 as time goes on, as well. A better way to deal with the brute-force 335 attack is through preauthentication mechanisms that provide better 336 protection of the user's long-term key. Use of such mechanisms is 337 out of scope for this document. 338 339 340 If a site does wish to use this means of protection against a brute- 341 force attack, the iteration count should be chosen based on the 342 facilities available to both attacker and legitimate user, and the 343 amount of work the attacker should be required to perform to acquire 344 the key or password. 345 346 347 As an example: 348 349 350 The author's tests on a 2GHz Pentium 4 system indicated that in 351 one second, nearly 90000 iterations could be done, producing a 352 256-bit key. This was using the SHA-1 assembly implementation 353 from OpenSSL, and a pre-release version of the PBKDF2 code for 354 MIT's Kerberos package, on a single system. No attempt was made 355 to do multiple hashes in parallel, so we assume an attacker doing 356 so can probably do at least 100000 iterations per second -- 357 rounded up to 2**17, for ease of calculation. For simplicity, we 358 also assume the final AES encryption step costs nothing. 359 360 361 Paul Leach estimates [LEACH] that a password-cracking dictionary 362 may have on the order of 2**21 entries, with capitalization, 363 punctuation, and other variations contributing perhaps a factor of 364 2**11, giving a ballpark estimate of 2**32. 365 366 367 Thus, for a known iteration count N and a known salt string, an 368 attacker with some number of computers comparable to the author's 369 would need roughly N*2**15 CPU seconds to convert the entire 370 dictionary plus variations into keys. 371 372 373 An attacker using a dozen such computers for a month would have 374 roughly 2**25 CPU seconds available. So using 2**12 (4096) 375 iterations would mean an attacker with a dozen such computers 376 dedicated to a brute-force attack against a single key (actually, 377 any password-derived keys sharing the same salt and iteration 378 count) would process all the variations of the dictionary entries 379 in four months, and on average, would likely find the user's 380 381 382 383 384Raeburn [Page 6] 385INTERNET DRAFT July 2004 386 387 388 389 password in two months. 390 391 392 Thus, if this form of attack is of concern, an iteration count a 393 few orders of magnitude higher should be chosen, and users should 394 be required to change their passwords every few months. Perhaps 395 several orders of magnitude, since many users will tend to use the 396 shorter and simpler passwords (as much as they can get away with, 397 given a site's password quality checks) that the attacker would 398 likely try first. 399 400 401 Since this estimate is based on currently available CPU power, the 402 iteration counts used for this mode of defense should be increased 403 over time, at perhaps 40%-60% each year or so. 404 405 406 Note that if the attacker has a large amount of storage available, 407 intermediate results could be cached, saving a lot of work for the 408 next attack with the same salt and a greater number of iterations 409 than had been run at the point where the intermediate results were 410 saved. Thus, it would be wise to generate a new random salt 411 string when passwords are changed. The default salt string, 412 derived from the principal name, only protects against the use of 413 one dictionary of keys against multiple users. 414 415 416 If the PBKDF2 iteration count can be spoofed by an intruder on the 417 network, and the limit on the accepted iteration count is very high, 418 the intruder may be able to introduce a form of denial of service 419 attack against the client by sending a very high iteration count, 420 causing the client to spend a great deal of CPU time computing an 421 incorrect key. 422 423 424 An intruder spoofing the KDC reply, providing a low iteration count, 425 and reading the client's reply from the network may be able to reduce 426 the work needed in the brute-force attack outlined above. Thus, 427 implementations may wish to enforce lower bounds on the number of 428 iterations that will be used. 429 430 431 Since threat models and typical end-user equipment will vary widely 432 from site to site, allowing site-specific configuration of such 433 bounds is recommended. 434 435 436 Any benefit against other attacks specific to the HMAC or SHA-1 437 algorithms is probably achieved with a fairly small number of 438 iterations. 439 440 441 In the "optimistic preauthentication" case mentioned in section 3, 442 the client may attempt to produce a key without first communicating 443 with the KDC. If the client has no additional information, it can 444 only guess as to the iteration count to be used. Even such 445 446 447 448 449Raeburn [Page 7] 450INTERNET DRAFT July 2004 451 452 453 454 heuristics as "iteration count X was used to acquire tickets for the 455 same principal only N hours ago" can be wrong. Given the 456 recommendation above for increasing the iteration counts used over 457 time, it is impossible to recommend any specific default value for 458 this case; allowing site-local configuration is recommended. (If the 459 lower and upper bound checks described above are implemented, the 460 default count for optimistic preauthentication should be between 461 those bounds.) 462 463 464 Cipher text stealing mode, since it requires no additional padding in 465 most cases, will reveal the exact length of each message being 466 encrypted, rather than merely bounding it to a small range of 467 possible lengths as in CBC mode. Such obfuscation should not be 468 relied upon at higher levels in any case; if the length must be 469 obscured from an outside observer, it should be done by intentionally 470 varying the length of the message to be encrypted. 471 472 4739. IANA Considerations 474 475 476 Kerberos encryption and checksum type values used in section 7 were 477 previously reserved in [KCRYPTO] for the mechanisms defined in this 478 document. The registries should be updated to list this document as 479 the reference. 480 481 48210. Acknowledgements 483 484 485 Thanks to John Brezak, Gerardo Diaz Cuellar, Ken Hornstein, Paul 486 Leach, Marcus Watts, Larry Zhu and others for feedback on earlier 487 versions of this document. 488 489 490A. Errata for RFC 2040 section 8 491 492 493 (Copied from the RFC Editor's errata web site on July 8, 2004.) 494 495 496 Reported By: Bob Baldwin; baldwin@plusfive.com 497 Date: Fri, 26 Mar 2004 06:49:02 -0800 498 499 500 In Section 8, Description of RC5-CTS, of the encryption method, it says: 501 502 503 1. Exclusive-or Pn-1 with the previous ciphertext 504 block, Cn-2, to create Xn-1. 505 506 507 It should say: 508 509 510 1. Exclusive-or Pn-1 with the previous ciphertext 511 block, Cn-2, to create Xn-1. For short messages where 512 Cn-2 does not exist, use IV. 513 514 515 516 517 518Raeburn [Page 8] 519INTERNET DRAFT July 2004 520 521 522 523 Reported By: Bob Baldwin; baldwin@plusfive.com 524 Date: Mon, 22 Mar 2004 20:26:40 -0800 525 526 527 In Section 8, first paragraph, second sentence says: 528 529 530 This mode handles any length of plaintext and produces ciphertext 531 whose length matches the plaintext length. 532 533 534 In Section 8, first paragraph, second sentence should read: 535 536 537 This mode handles any length of plaintext longer than one 538 block and produces ciphertext whose length matches the 539 plaintext length. 540 541 542 In Section 8, step 6 of the decryption method says: 543 544 545 6. Decrypt En to create Pn-1. 546 547 548 In Section 8, step 6 of the decryption method should read: 549 550 551 6. Decrypt En and exclusive-or with Cn-2 to create Pn-1. 552 For short messages where Cn-2 does not exist, use the IV. 553 554 555B. Sample test vectors 556 557 558 Sample values for the PBKDF2 HMAC-SHA1 string-to-key function are 559 included below. 560 561 562 Iteration count = 1 563 Pass phrase = "password" 564 Salt = "ATHENA.MIT.EDUraeburn" 565 128-bit PBKDF2 output: 566 cd ed b5 28 1b b2 f8 01 56 5a 11 22 b2 56 35 15 567 128-bit AES key: 568 42 26 3c 6e 89 f4 fc 28 b8 df 68 ee 09 79 9f 15 569 256-bit PBKDF2 output: 570 cd ed b5 28 1b b2 f8 01 56 5a 11 22 b2 56 35 15 571 0a d1 f7 a0 4b b9 f3 a3 33 ec c0 e2 e1 f7 08 37 572 256-bit AES key: 573 fe 69 7b 52 bc 0d 3c e1 44 32 ba 03 6a 92 e6 5b 574 bb 52 28 09 90 a2 fa 27 88 39 98 d7 2a f3 01 61 575 576 577 578 579 580 581 582 583 584 585 586Raeburn [Page 9] 587INTERNET DRAFT July 2004 588 589 590 591 Iteration count = 2 592 Pass phrase = "password" 593 Salt="ATHENA.MIT.EDUraeburn" 594 128-bit PBKDF2 output: 595 01 db ee 7f 4a 9e 24 3e 98 8b 62 c7 3c da 93 5d 596 128-bit AES key: 597 c6 51 bf 29 e2 30 0a c2 7f a4 69 d6 93 bd da 13 598 256-bit PBKDF2 output: 599 01 db ee 7f 4a 9e 24 3e 98 8b 62 c7 3c da 93 5d 600 a0 53 78 b9 32 44 ec 8f 48 a9 9e 61 ad 79 9d 86 601 256-bit AES key: 602 a2 e1 6d 16 b3 60 69 c1 35 d5 e9 d2 e2 5f 89 61 603 02 68 56 18 b9 59 14 b4 67 c6 76 22 22 58 24 ff 604 605 606 Iteration count = 1200 607 Pass phrase = "password" 608 Salt = "ATHENA.MIT.EDUraeburn" 609 128-bit PBKDF2 output: 610 5c 08 eb 61 fd f7 1e 4e 4e c3 cf 6b a1 f5 51 2b 611 128-bit AES key: 612 4c 01 cd 46 d6 32 d0 1e 6d be 23 0a 01 ed 64 2a 613 256-bit PBKDF2 output: 614 5c 08 eb 61 fd f7 1e 4e 4e c3 cf 6b a1 f5 51 2b 615 a7 e5 2d db c5 e5 14 2f 70 8a 31 e2 e6 2b 1e 13 616 256-bit AES key: 617 55 a6 ac 74 0a d1 7b 48 46 94 10 51 e1 e8 b0 a7 618 54 8d 93 b0 ab 30 a8 bc 3f f1 62 80 38 2b 8c 2a 619 620 621 Iteration count = 5 622 Pass phrase = "password" 623 Salt=0x1234567878563412 624 128-bit PBKDF2 output: 625 d1 da a7 86 15 f2 87 e6 a1 c8 b1 20 d7 06 2a 49 626 128-bit AES key: 627 e9 b2 3d 52 27 37 47 dd 5c 35 cb 55 be 61 9d 8e 628 256-bit PBKDF2 output: 629 d1 da a7 86 15 f2 87 e6 a1 c8 b1 20 d7 06 2a 49 630 3f 98 d2 03 e6 be 49 a6 ad f4 fa 57 4b 6e 64 ee 631 256-bit AES key: 632 97 a4 e7 86 be 20 d8 1a 38 2d 5e bc 96 d5 90 9c 633 ab cd ad c8 7c a4 8f 57 45 04 15 9f 16 c3 6e 31 634 (This test is based on values given in [PECMS].) 635 636 637 638 639 640 641 642 643 644 645Raeburn [Page 10] 646INTERNET DRAFT July 2004 647 648 649 650 Iteration count = 1200 651 Pass phrase = (64 characters) 652 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" 653 Salt="pass phrase equals block size" 654 128-bit PBKDF2 output: 655 13 9c 30 c0 96 6b c3 2b a5 5f db f2 12 53 0a c9 656 128-bit AES key: 657 59 d1 bb 78 9a 82 8b 1a a5 4e f9 c2 88 3f 69 ed 658 256-bit PBKDF2 output: 659 13 9c 30 c0 96 6b c3 2b a5 5f db f2 12 53 0a c9 660 c5 ec 59 f1 a4 52 f5 cc 9a d9 40 fe a0 59 8e d1 661 256-bit AES key: 662 89 ad ee 36 08 db 8b c7 1f 1b fb fe 45 94 86 b0 663 56 18 b7 0c ba e2 20 92 53 4e 56 c5 53 ba 4b 34 664 665 666 Iteration count = 1200 667 Pass phrase = (65 characters) 668 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" 669 Salt = "pass phrase exceeds block size" 670 128-bit PBKDF2 output: 671 9c ca d6 d4 68 77 0c d5 1b 10 e6 a6 87 21 be 61 672 128-bit AES key: 673 cb 80 05 dc 5f 90 17 9a 7f 02 10 4c 00 18 75 1d 674 256-bit PBKDF2 output: 675 9c ca d6 d4 68 77 0c d5 1b 10 e6 a6 87 21 be 61 676 1a 8b 4d 28 26 01 db 3b 36 be 92 46 91 5e c8 2a 677 256-bit AES key: 678 d7 8c 5c 9c b8 72 a8 c9 da d4 69 7f 0b b5 b2 d2 679 14 96 c8 2b eb 2c ae da 21 12 fc ee a0 57 40 1b 680 681 682 Iteration count = 50 683 Pass phrase = g-clef (0xf09d849e) 684 Salt = "EXAMPLE.COMpianist" 685 128-bit PBKDF2 output: 686 6b 9c f2 6d 45 45 5a 43 a5 b8 bb 27 6a 40 3b 39 687 128-bit AES key: 688 f1 49 c1 f2 e1 54 a7 34 52 d4 3e 7f e6 2a 56 e5 689 256-bit PBKDF2 output: 690 6b 9c f2 6d 45 45 5a 43 a5 b8 bb 27 6a 40 3b 39 691 e7 fe 37 a0 c4 1e 02 c2 81 ff 30 69 e1 e9 4f 52 692 256-bit AES key: 693 4b 6d 98 39 f8 44 06 df 1f 09 cc 16 6d b4 b8 3c 694 57 18 48 b7 84 a3 d6 bd c3 46 58 9a 3e 39 3f 9e 695 696 697 Some test vectors for CBC with cipher text stealing, using an initial 698 vector of all-zero. 699 700 701 702 703 704 705Raeburn [Page 11] 706INTERNET DRAFT July 2004 707 708 709 710 AES 128-bit key: 711 0000: 63 68 69 63 6b 65 6e 20 74 65 72 69 79 61 6b 69 712 713 714 IV: 715 0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 716 Input: 717 0000: 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 718 0010: 20 719 Output: 720 0000: c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f 721 0010: 97 722 Next IV: 723 0000: c6 35 35 68 f2 bf 8c b4 d8 a5 80 36 2d a7 ff 7f 724 725 726 IV: 727 0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 728 Input: 729 0000: 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 730 0010: 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 731 Output: 732 0000: fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22 733 0010: 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 734 Next IV: 735 0000: fc 00 78 3e 0e fd b2 c1 d4 45 d4 c8 ef f7 ed 22 736 737 738 IV: 739 0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 740 Input: 741 0000: 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 742 0010: 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 743 Output: 744 0000: 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 745 0010: 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 746 Next IV: 747 0000: 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 748 749 750 IV: 751 0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 752 Input: 753 0000: 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 754 0010: 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 755 0020: 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 756 Output: 757 0000: 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 758 0010: b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e 759 0020: 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 760 Next IV: 761 0000: b3 ff fd 94 0c 16 a1 8c 1b 55 49 d2 f8 38 02 9e 762 763 764 765 766Raeburn [Page 12] 767INTERNET DRAFT July 2004 768 769 770 771 IV: 772 0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 773 Input: 774 0000: 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 775 0010: 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 776 0020: 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20 777 Output: 778 0000: 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 779 0010: 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8 780 0020: 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 781 Next IV: 782 0000: 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8 783 784 785 IV: 786 0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 787 Input: 788 0000: 49 20 77 6f 75 6c 64 20 6c 69 6b 65 20 74 68 65 789 0010: 20 47 65 6e 65 72 61 6c 20 47 61 75 27 73 20 43 790 0020: 68 69 63 6b 65 6e 2c 20 70 6c 65 61 73 65 2c 20 791 0030: 61 6e 64 20 77 6f 6e 74 6f 6e 20 73 6f 75 70 2e 792 Output: 793 0000: 97 68 72 68 d6 ec cc c0 c0 7b 25 e2 5e cf e5 84 794 0010: 39 31 25 23 a7 86 62 d5 be 7f cb cc 98 eb f5 a8 795 0020: 48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40 796 0030: 9d ad 8b bb 96 c4 cd c0 3b c1 03 e1 a1 94 bb d8 797 Next IV: 798 0000: 48 07 ef e8 36 ee 89 a5 26 73 0d bc 2f 7b c8 40 799 800 801Normative References 802 803 804 [AC] Schneier, B., "Applied Cryptography", second edition, John Wiley 805 and Sons, New York, 1996. 806 807 808 [AES] National Institute of Standards and Technology, U.S. Department 809 of Commerce, "Advanced Encryption Standard", Federal Information 810 Processing Standards Publication 197, Washington, DC, November 2001. 811 812 813 [KCRYPTO] Raeburn, K., "Encryption and Checksum Specifications for 814 Kerberos 5", draft-ietf-krb-wg-crypto-01.txt, May, 2002. Work in 815 progress. 816 817 818 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate 819 Requirement Levels", RFC 2119, March 1997. 820 821 822 [PKCS5] Kaliski, B., "PKCS #5: Password-Based Cryptography 823 Specification Version 2.0", RFC 2898, September 2000. 824 825 826 [RC5] Baldwin, R, and R. Rivest, "The RC5, RC5-CBC, RC5-CBC-Pad, and 827 828 829 830 831Raeburn [Page 13] 832INTERNET DRAFT July 2004 833 834 835 836 RC5-CTS Algorithms", RFC 2040, October 1996. 837 838 839 [SHA1] National Institute of Standards and Technology, U.S. 840 Department of Commerce, "Secure Hash Standard", Federal Information 841 Processing Standards Publication 180-1, Washington, DC, April 1995. 842 843 844Informative References 845 846 847 [LEACH] Leach, P., email to IETF Kerberos working group mailing list, 848 5 May 2003, ftp://ftp.ietf.org/ietf-mail-archive/krb-wg/2003-05.mail. 849 850 851 [PECMS] Gutmann, P., "Password-based Encryption for CMS", RFC 3211, 852 December 2001. 853 854 855Author's Address 856 857 858 Kenneth Raeburn 859 Massachusetts Institute of Technology 860 77 Massachusetts Avenue 861 Cambridge, MA 02139 862 raeburn@mit.edu 863 864 865IPR notices 866 867 868 The IETF takes no position regarding the validity or scope of any 869 intellectual property or other rights that might be claimed to 870 pertain to the implementation or use of the technology described in 871 this document or the extent to which any license under such rights 872 might or might not be available; neither does it represent that it 873 has made any effort to identify any such rights. Information on the 874 IETF's procedures with respect to rights in standards-track and 875 standards-related documentation can be found in BCP-11. Copies of 876 claims of rights made available for publication and any assurances of 877 licenses to be made available, or the result of an attempt made to 878 obtain a general license or permission for the use of such 879 proprietary rights by implementors or users of this specification can 880 be obtained from the IETF Secretariat. 881 882 883 The IETF invites any interested party to bring to its attention any 884 copyrights, patents or patent applications, or other proprietary 885 rights which may cover technology that may be required to practice 886 this standard. Please address the information to the IETF Executive 887 Director. 888 889 890 891 892 893 894 895 896 897Raeburn [Page 14] 898INTERNET DRAFT July 2004 899 900 901 902Full Copyright Statement 903 904 905 Copyright (C) The Internet Society (2004). All Rights Reserved. 906 907 908 This document and translations of it may be copied and furnished to 909 others, and derivative works that comment on or otherwise explain it 910 or assist in its implementation may be prepared, copied, published 911 and distributed, in whole or in part, without restriction of any 912 kind, provided that the above copyright notice and this paragraph are 913 included on all such copies and derivative works. However, this 914 document itself may not be modified in any way, such as by removing 915 the copyright notice or references to the Internet Society or other 916 Internet organizations, except as needed for the purpose of 917 developing Internet standards in which case the procedures for 918 copyrights defined in the Internet Standards process must be 919 followed, or as required to translate it into languages other than 920 English. 921 922 923 The limited permissions granted above are perpetual and will not be 924 revoked by the Internet Society or its successors or assigns. 925 926 927 This document and the information contained herein is provided on an 928 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 929 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 930 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 931 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 932 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE." 933 934 935Notes to RFC Editor 936 937 938 The reference entry for [KCRYPTO] lists the draft name, not the RFC 939 number. This should be replaced with the RFC info when available. 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959Raeburn [Page 15]