IETF Logo Mail Archive

Re: [kitten] Question about AES mode in Kerberos

Jeffrey Altman <jaltman@secure-endpoints.com> Tue, 03 January 2023 19:10 UTC

Return-Path: <prvs=1367d990b2=jaltman@secure-endpoints.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C5F8C1522C6 for <kitten@ietfa.amsl.com>; Tue, 3 Jan 2023 11:10:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=secure-endpoints.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EoCTnOwgGFRq for <kitten@ietfa.amsl.com>; Tue, 3 Jan 2023 11:10:36 -0800 (PST)
Received: from sequoia-grove.ad.secure-endpoints.com (sequoia-grove.secure-endpoints.com [IPv6:2001:470:1f07:f77:70f5:c082:a96a:5685]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 068FCC1522C2 for <kitten@ietf.org>; Tue, 3 Jan 2023 11:10:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/relaxed; d=secure-endpoints.com; s=MDaemon; r=y; t=1672773032; x=1673377832; i=jaltman@secure-endpoints.com; q=dns/txt; h=Message-ID: Date:MIME-Version:User-Agent:Subject:Content-Language:To: References:From:Organization:In-Reply-To:Content-Type; bh=zOcFKa pg1uVb6u4JBLMbcHskVeULYU1OEBM/GG/nEas=; b=wlLNZlQGBCmNXSF+jxqzY8 fGkUxwifwxcCkWalgH5ivavODoTh/OjAAHIB6sYFKjVyoLdm0VKJQhN5c/jBhuz1 haur6eqIpS7vApw1bWIhEbeaO4SadYHz4DdHJfgPSzZcOzyAH320gbGeAAymXLgd cOO5Ikc6paj9ZmMS+05tk=
X-MDAV-Result: clean
X-MDAV-Processed: sequoia-grove.ad.secure-endpoints.com, Tue, 03 Jan 2023 14:10:32 -0500
Received: from [IPV6:2603:7000:73c:9c99:b983:9fa6:1d00:1080] by secure-endpoints.com (IPv6:2001:470:1f07:f77:28d9:68fb:855d:c2a5) (MDaemon PRO v22.5.0rc2) with ESMTPSA id md50003208383.msg; Tue, 03 Jan 2023 14:10:32 -0500
X-Spam-Processed: sequoia-grove.ad.secure-endpoints.com, Tue, 03 Jan 2023 14:10:32 -0500 (not processed: message from trusted or authenticated source)
X-MDRemoteIP: 2603:7000:73c:9c99:b983:9fa6:1d00:1080
X-MDHelo: [IPV6:2603:7000:73c:9c99:b983:9fa6:1d00:1080]
X-MDArrival-Date: Tue, 03 Jan 2023 14:10:32 -0500
X-MDOrigin-Country: US, NA
X-Authenticated-Sender: acct-jaltman@secure-endpoints.com
X-Return-Path: prvs=1367d990b2=jaltman@secure-endpoints.com
X-Envelope-From: jaltman@secure-endpoints.com
X-MDaemon-Deliver-To: kitten@ietf.org
Message-ID: <558f31de-7fac-26c7-fe81-8e486968f0ef@secure-endpoints.com>
Date: Tue, 03 Jan 2023 14:10:24 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.1
Content-Language: en-US
To: "Olga Kornievskaia (aglo@umich.edu)" <aglo@umich.edu>, kitten@ietf.org
References: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com>
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Organization: Secure Endpoints, Inc.
In-Reply-To: <CAN-5tyGGJXoo9RfKEGTsk8XeQDpZ--VSnO7nunzvnBBzrRB0WQ@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms050701080000050607080002"
X-MDCFSigsAdded: secure-endpoints.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/IGkv2DZX7qC80CyFpFIDTanoFXE>
Subject: Re: [kitten] Question about AES mode in Kerberos
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2023 19:10:40 -0000

On 1/3/2023 1:43 PM, Olga Kornievskaia (aglo@umich.edu) wrote:
> A few points of that email were unclear to me.
> (1) it said that GCM is added as a RFC 3961 enctype ("Encryption and
> Checksum Specifications for Kerberos 5"). Yet I don't see it there (or
> in rfc 3962). Was it in a draft and then removed perhaps.

RFC3961 defines a framework.

RFC3962 is the specification of AES Encryption using the RFC3961 
Simplified Profile using CTS mode and SHA1.

RFC8009 is the specification of AES Encryption using the RFC3961 
Simplified Profile using CTS mode and SHA2.

In 2015 Luke experimented with designing AEAD encryption types for use 
by GSS-API within Heimdal.  Luke's experimental work is present at

   https://github.com/heimdal/heimdal/commits/lukeh/aes-gcm

Luke did not implement a complete RFC3961 profile for AEAD nor was an 
Internet-Draft published.  No enctype values have been assigned.

The e-mail thread you referenced

https://kitten.ietf.narkive.com/SI5Q7BDK/aes-gcm-for-kerberos-gss-api

indicates that participants believed that an implementation of AEAD 
using RFC3961 should be a complete profile so it can be used by 
non-GSS-API protocols.

In conclusion, there is no current implementation of AES-GCM for GSS-API 
applications using RFC3961 profiles.

I hope this clarifies the status.

Jeffrey Altman

v2.23.0 | Report a Bug | By Email