krb-aead-id.lyx

#LyX 2.0 created this file. For more info see http://www.lyx.org/
\lyxformat 413
\begin_document
\begin_header
\textclass docbook
\use_default_options true
\maintain_unincluded_children false
\begin_local_layout
Format 31

InsetLayout Flex:PI_Strict
    LyXType Custom
    HTMLTag div
    LabelString PI_Strict
End

InsetLayout Flex:PI
    LyXType Custom
    HTMLTag div
    LabelString PI
End

InsetLayout Flex:PI_SymRefs
    LyXType Custom
    HTMLTag div
    LabelString PI_SymRefs
End

InsetLayout Flex:PI_SortRefs
    LyXType Custom
    HTMLTag div
    LabelString PI_SortRefs
End

InsetLayout Flex:PI_TOC
    LyXType Custom
    HTMLTag div
    LabelString PI_TOC
End

InsetLayout Flex:PI_TOCIndent
    LyXType Custom
    HTMLTag div
    LabelString PI_TOCIndent
End

InsetLayout Flex:PI_TOCDepth
    LyXType Custom
    HTMLTag div
    LabelString PI_TOCDepth
End

InsetLayout Flex:PI_TOCNarrow
    LyXType Custom
    HTMLTag div
    LabelString PI_TOCNarrow
End

InsetLayout Flex:PI_TOCCompact
    LyXType Custom
    HTMLTag div
    LabelString PI_TOCCompact
End

InsetLayout Flex:PI_TOCAppendix
    LyXType Custom
    HTMLTag div
    LabelString PI_TOCAppendix
End

InsetLayout Flex:DocName
    LyXType Custom
    HTMLTag div
    LabelString DocName
End

InsetLayout Flex:IntendedStatus
    LyXType Custom
    HTMLTag div
    LabelString IntendedStatus
End

InsetLayout Flex:Updates
    LyXType Custom
    HTMLTag div
    LabelString Updates
End

InsetLayout Flex:Obsoletes
    LyXType Custom
    HTMLTag div
    LabelString Obsoletes
End

InsetLayout Flex:SeriesNo
    LyXType Custom
    HTMLTag div
    LabelString SeriesNo
End

InsetLayout Flex:RFCNumber
    LyXType Custom
    HTMLTag div
    LabelString RFCNumber
End

InsetLayout Flex:IPR
    LyXType Custom
    HTMLTag div
    LabelString IPR
End

InsetLayout Flex:IETFArea
    LyXType Custom
    HTMLTag div
    LabelString IETFArea
End

InsetLayout Flex:IETFWorkingGroup
    LyXType Custom
    HTMLTag div
    LabelString IETFWorkingGroup
End

InsetLayout Flex:XML2RFCKeyword
    LyXType Custom
    HTMLTag div
    LabelString XML2RFCKeyword
End

InsetLayout Flex:TitleAbbrev
    LyXType Custom
    HTMLTag div
    LabelString TitleAbbrev
End

InsetLayout Flex:AuthorRole
    LyXType Custom
    HTMLTag div
    LabelString AuthRole
End

InsetLayout Flex:AuthorInitials
    LyXType Custom
    HTMLTag div
    LabelString AuthInitials
End

InsetLayout Flex:AuthorSurname
    LyXType Custom
    HTMLTag div
    LabelString AuthSurname
End

InsetLayout Flex:AuthorOrg
    LyXType Custom
    HTMLTag div
    LabelString AuthOrg
End

InsetLayout Flex:AuthorOrgAbbrev
    LyXType Custom
    HTMLTag div
    LabelString AuthOrgAbbrev
End

InsetLayout Flex:AuthorEmailAddr
    LyXType Custom
    HTMLTag div
    LabelString AuthEmailAddr
End

InsetLayout Flex:AuthorAddrStreet
    LyXType Custom
    HTMLTag div
    LabelString AuthAddrStreet
End

InsetLayout Flex:AuthorAddrCity
    LyXType Custom
    HTMLTag div
    LabelString AuthAddrCity
End

InsetLayout Flex:AuthorAddrRegion
    LyXType Custom
    HTMLTag div
    LabelString AuthAddrRegion
End

InsetLayout Flex:AuthorAddrCode
    LyXType Custom
    HTMLTag div
    LabelString AuthAddrCode
End

InsetLayout Flex:AuthorAddrCountry
    LyXType Custom
    HTMLTag div
    LabelString AuthAddrCountry
End

InsetLayout Flex:EntityXRef
    LyXType Custom
    HTMLTag div
    LabelString EntityXRef
End

InsetLayout Flex:BibXML
    LyXType Custom
    HTMLTag div
    LabelString BibXML
End

InsetLayout Flex:EmbeddedBibXML
    LyXType Custom
    HTMLTag div
    LabelString EmbeddedBibXML
End
\end_local_layout
\language english
\language_package default
\inputencoding auto
\fontencoding global
\font_roman cmr
\font_sans cmss
\font_typewriter cmtt
\font_default_family ttdefault
\use_non_tex_fonts false
\font_sc false
\font_osf false
\font_sf_scale 100
\font_tt_scale 100

\graphics default
\default_output_format default
\output_sync 0
\bibtex_command default
\index_command default
\paperfontsize default
\spacing single
\use_hyperref false
\papersize default
\use_geometry false
\use_amsmath 1
\use_esint 1
\use_mhchem 1
\use_mathdots 1
\cite_engine basic
\use_bibtopic false
\use_indices false
\paperorientation portrait
\suppress_date false
\use_refstyle 1
\index Index
\shortcut idx
\color #008000
\end_index
\secnumdepth 3
\tocdepth 3
\paragraph_separation indent
\paragraph_indentation default
\quotes_language english
\papercolumns 1
\papersides 1
\paperpagestyle default
\tracking_changes false
\output_changes false
\html_math_output 0
\html_css_as_file 0
\html_be_strict false
\end_header

\begin_body

\begin_layout Title
AEAD Encryption Types for Kerberos 5
\end_layout

\begin_layout Standard
\begin_inset Flex DocName
status open

\begin_layout Plain Layout
draft-howard-krb-aead-01
\end_layout

\end_inset


\begin_inset Flex IPR
status open

\begin_layout Plain Layout
trust200902
\end_layout

\end_inset


\begin_inset Flex IntendedStatus
status open

\begin_layout Plain Layout
exp
\end_layout

\end_inset


\begin_inset Flex TitleAbbrev
status open

\begin_layout Plain Layout
AEAD Encryption Types for Kerberos 5
\end_layout

\end_inset


\begin_inset Flex IETFArea
status open

\begin_layout Plain Layout
Security Area
\end_layout

\end_inset


\begin_inset Flex XML2RFCKeyword
status open

\begin_layout Plain Layout
Internet-Draft
\end_layout

\end_inset


\begin_inset Flex Updates
status open

\begin_layout Plain Layout

\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex PI TOC
status open

\begin_layout Plain Layout
yes
\end_layout

\end_inset


\begin_inset Flex PI SymRefs
status open

\begin_layout Plain Layout
yes
\end_layout

\end_inset


\begin_inset Flex PI TOCIndent
status open

\begin_layout Plain Layout
no
\end_layout

\end_inset


\begin_inset Flex PI
status open

\begin_layout Plain Layout
comments="yes"
\end_layout

\end_inset


\begin_inset Flex PI
status open

\begin_layout Plain Layout
inline="yes"
\end_layout

\end_inset


\end_layout

\begin_layout Author
Luke Howard 
\begin_inset Flex AuthorOrg
status open

\begin_layout Plain Layout
PADL Software
\end_layout

\end_inset

 
\begin_inset Flex AuthorOrgAbbrev
status open

\begin_layout Plain Layout
PADL
\end_layout

\end_inset

 
\begin_inset Flex AuthorInitials
status open

\begin_layout Plain Layout
L.
\end_layout

\end_inset

 
\begin_inset Flex AuthorSurname
status open

\begin_layout Plain Layout
Howard
\end_layout

\end_inset

 
\begin_inset Flex AuthorAddrStreet
status open

\begin_layout Plain Layout
PO Box 59
\end_layout

\end_inset


\begin_inset Flex AuthorAddrCity
status open

\begin_layout Plain Layout
Central Park
\end_layout

\end_inset

 
\begin_inset Flex AuthorAddrRegion
status open

\begin_layout Plain Layout
VIC
\end_layout

\end_inset

 
\begin_inset Flex AuthorAddrCountry
status open

\begin_layout Plain Layout
Australia
\end_layout

\end_inset

 
\begin_inset Flex AuthorAddrCode
status open

\begin_layout Plain Layout
3145
\end_layout

\end_inset

 
\begin_inset Flex AuthorEmailAddr
status open

\begin_layout Plain Layout
lukeh@padl.com
\end_layout

\end_inset


\end_layout

\begin_layout Abstract
This document updates 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

 to support encryption mechanisms that can authenticate associated data,
 such as Counter with CBC-MAC (CCM) and Galois/Counter Mode (GCM).
 These mechanisms are often more performant and need not expand the message
 as much as conventional modes.
\end_layout

\begin_layout Standard
\begin_inset CommandInset toc
LatexCommand tableofcontents

\end_inset


\end_layout

\begin_layout Section
\begin_inset CommandInset label
LatexCommand label
name "sec:Introduction"

\end_inset

Introduction
\end_layout

\begin_layout Standard
This document updates 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

 for encryption mechanisms that support Authenticated Encryption with Associated
 Data (AEAD), such as Counter with CBC-MAC (CCM) and Galois/Counter Mode
 (GCM).
 These mechanisms provide the ability to authenticate additional data associated
 with a plaintext.
\end_layout

\begin_layout Standard
In addition, these mechanisms often have performance advantage over conventional
 encryption modes such as Cipher Block Chaining (CBC) and Ciphertext Stealing
 (CTS) as they can be efficiently parallelized and the absence of a confounder
 allows for shorter messages.
 For example, the ciphertext output by the AEAD encryption mechanisms described
 in this document is 28 bytes shorter than those specified in 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3962
\end_layout

\end_inset

.
\end_layout

\begin_layout Section
Requirements notation
\end_layout

\begin_layout Standard
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
 "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are
 to be interpreted as described in 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC2119
\end_layout

\end_inset

.
\end_layout

\begin_layout Section
\begin_inset CommandInset label
LatexCommand label
name "sec:AEAD"

\end_inset

Authenticated Encryption with Associated Data (AEAD) Overview
\end_layout

\begin_layout Standard
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

 provides for authenticated encryption of plaintext in Kerberos 5, that
 is, it provides both for confidentiality and a way to check the for integrity
 and authenticity of a message.
 Some applications can benefit from protecting the integrity and authenticity
 of unencrypted data accompanying a ciphertext: this is termed Authenticated
 Encryption with Associated Data (AEAD).
 (A general description of AEAD is given in 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC5116
\end_layout

\end_inset

.)
\end_layout

\begin_layout Standard
Existing encryption and checksum mechanisms can provide AEAD through generic
 composition, where the checksum is made over both the associated data and
 plaintext.
 Alternatively, modern encryption mechanisms such as those profiled in 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC5116
\end_layout

\end_inset

 explicitly provide for AEAD.
 Both approaches are discussed in this document.
\end_layout

\begin_layout Standard
Algorithms that are specifically designed for AEAD may have additional constrain
ts to be imposed on cryptosystems that would otherwise be definable in terms
 of 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

.
 We term these algorithms native AEAD, to distinguish them from the generic
 composition of non-AEAD encryption and checksum types.
\end_layout

\begin_layout Section
\begin_inset CommandInset label
LatexCommand label
name "sec:Updates"

\end_inset

Updates to RFC 3961
\end_layout

\begin_layout Standard
The changes described below amend 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

 for use with native AEAD encryption types.
\end_layout

\begin_layout Subsection
Additional Requirements
\end_layout

\begin_layout Standard
The native AEAD algorithms profiled in 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC5116
\end_layout

\end_inset

 and 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC7539
\end_layout

\end_inset

 have the property where the reuse of a particular combination of secret
 key and initialization vector destroys all security guarantees of the underlyin
g mechanism.
 This contrasts with existing Kerberos ciphers such as those defined in
 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3962
\end_layout

\end_inset

 where the random confounder (used instead of an initialization vector)
 need not be non-repeating.
\end_layout

\begin_layout Standard
To accommodate the use of native AEAD cryptosystems with Kerberos, we allow
 an encryption mechanism profile to adjust its behavior depending on whether
 a long-term is being used.
 It is valid for a profile to not support long-term keys.
\end_layout

\begin_layout Standard
Where an ephemeral key is used, applications MUST guarantee that each invocation
 of the encryption function with a particular key will use a unique cipherstate.
 (An example of an ephemeral key is the subkey present in an AP-REP message.)
\end_layout

\begin_layout Standard
Native AEAD encryption types share the same namespace as existing Kerberos
 algorithms so they may take advantage of existing cryptosystem negotiation
 facilities such as 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC4537
\end_layout

\end_inset

.
 Encryption types that only support ephemeral keys SHALL NOT be advertised
 in protocols that require the use of long-term keys.
\end_layout

\begin_layout Subsection
Removal of Mandatory Requirements
\end_layout

\begin_layout Standard
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

 requires that an encryption mechanism profile define both an associated
 checksum type and a string-to-key function.
\end_layout

\begin_layout Standard
Native AEAD algorithms do not provide for integrity protection outside of
 authenticated encryption, so we remove the requirement for an associated
 checksum type.
 (An application that only requires integrity protection may invoke the
 authenticated encryption function with a zero length plaintext.)
\end_layout

\begin_layout Standard
These ciphers are not required to support long-term keys, so we remove the
 requirement that a string-to-key function be defined.
\end_layout

\begin_layout Subsection
\begin_inset CommandInset label
LatexCommand label
name "sub:Application-managed-Cipherstate"

\end_inset

Application-managed Cipherstate
\end_layout

\begin_layout Standard
Whilst 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

 requires that the cipherstate be opaque to the application, we relax this
 so that the application may manage some or all of the cipherstate explicitly.
 Native AEAD ciphers SHALL nominate how many bits of their cipherstate may
 be deterministic and, by extension, may be managed by the application.
 (The encryption types defined in this document allow all bits of the cipherstat
e to be managed by the application.)
\end_layout

\begin_layout Standard
In order to meet the security requirements of the underlying cryptosystems,
 applications using ephemeral keys MUST NOT invoke the authenticated encryption
 function with a previously used (key, cipherstate) combination.
\end_layout

\begin_layout Standard
Applications that support native AEAD ciphers MAY impose a minimum deterministic
 octet length requirement on the cipherstate.
 Such applications MUST NOT be used with ciphers with a shorter cipherstate
 length.
\end_layout

\begin_layout Standard
Applications MAY set the deterministic cipherstate component directly on
 each invocation of the authenticated encryption function.
 This allows a non-repeating counter such as a sequence number to be embedded
 in the cipherstate, without preventing the application from processing
 out-of-order messages.
 Alternatively, an application MAY set the initial cipherstate to a random
 value and pass the cipherstate output from the authenticated encryption
 and decryption functions to subsequent invocations.
 Using a randomly generated cipherstate on each invocation may place a limit
 on the number of invocations of the authenticated encryption function when
 compared with a deterministic construction.
\end_layout

\begin_layout Subsection
Encrypt/decrypt with Associated Data
\end_layout

\begin_layout Standard
We define the following functions for encrypting and decrypting with associated
 data:
\end_layout

\begin_layout Itemize
encrypt-with-ad (specific-key, state, associated data, octet string, is-longterm
)->(state, octet string)
\end_layout

\begin_layout Itemize
decrypt-with-ad (specific-key, state, associated data, octet string, is-longterm
)->(state, octet string)
\end_layout

\begin_layout Standard
The associated data parameter is input only and contains data that is to
 be authenticated, but not encrypted.
 If the associated data or plaintext are zero length strings, then these
 functions are equivalent respectively to the checksum and encryption functions
 described in 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

.
\end_layout

\begin_layout RevisionRemark
NB: these functions only allow a single associated data and plaintext buffer
 to be supplied, which is not compatible with applications such as DCE RPC
 that interleave the associated data and plaintext buffers.
 Support for such applications is implementation dependent and not guaranteed
 to work with native AEAD ciphers that only take a single buffer of each.
\end_layout

\begin_layout Standard
The boolean is-longterm parameter indicates whether specific-key is a long-term
 key or a session key.
\end_layout

\begin_layout Standard
Correspondingly, the encrypt and decrypt functions are updated to take the
 is-longterm parameter:
\end_layout

\begin_layout Itemize
encrypt (specific-key, state, octet string, is-longterm)->(state, octet
 string)
\end_layout

\begin_layout Itemize
decrypt (specific-key, state, octet string, is-longterm)->(state, octet
 string)
\end_layout

\begin_layout Standard
A profile that specifices encrypt-with-ad and decrypt-with-ad need not explicitl
y specify encrypt and decrypt functions.
 Profiles that adhere to 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

 take an implicit value of TRUE for is-longterm.
\end_layout

\begin_layout Subsection
AEAD with Simplified Profile
\end_layout

\begin_layout Standard
We allow the authentication of associated data with existing cryptosystems
 that follow the Simplified Profile defined in 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

 through the generic composition of the encryption and checksum functions.
 The is-longterm parameter is ignored.
 For consistency with 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

 the following definition uses 1-based indexing.
\end_layout

\begin_layout Standard
\begin_inset listings
inline false
status open

\begin_layout Plain Layout

encrypt-with-ad    conf = Random string of length c
\end_layout

\begin_layout Plain Layout

                   pad  = Shortest string to bring confounder
\end_layout

\begin_layout Plain Layout

                          and plaintext to a length that's a
\end_layout

\begin_layout Plain Layout

                          multiple of M
\end_layout

\begin_layout Plain Layout

                   (C1, newIV) = E(Ke, conf | plaintext | pad,
\end_layout

\begin_layout Plain Layout

                                   oldstate.ivec)
\end_layout

\begin_layout Plain Layout

                   H1 = HMAC(Ki, conf | associated data |
\end_layout

\begin_layout Plain Layout

                             plaintext | pad)
\end_layout

\begin_layout Plain Layout

                   ciphertext = C1 | H1[1..h]
\end_layout

\begin_layout Plain Layout

                   newstate.ivec = newIV
\end_layout

\begin_layout Plain Layout

\end_layout

\begin_layout Plain Layout

decrypt-with-ad    (C1, H1) = ciphertext
\end_layout

\begin_layout Plain Layout

                   (P1, newIV) = D(Ke, C1, oldstate.ivec)
\end_layout

\begin_layout Plain Layout

                   conf = P1[1..c]
\end_layout

\begin_layout Plain Layout

                   signdata = conf | associated data | P1[c+1..]
\end_layout

\begin_layout Plain Layout

                   if (H1 != HMAC(Ki, signdata)[1..h]))
\end_layout

\begin_layout Plain Layout

                       report error
\end_layout

\begin_layout Plain Layout

                   newstate.ivec = newIV
\end_layout

\end_inset


\end_layout

\begin_layout Section
\begin_inset CommandInset label
LatexCommand label
name "sec:AEAD-Profiles"

\end_inset

Native AEAD Algorithm Profiles
\end_layout

\begin_layout Standard
This section defines native AEAD profiles for using the AES-GCM, AES-CCM
 and chacha20-poly1305 algorithms with Kerberos.
 The profiles in this section do not define the encrypt-with-ad and decrypt-with
-ad functions for the case where is-longterm is TRUE; implementations MUST
 raise an error if invoked with a long-term key.
\end_layout

\begin_layout Subsection
\begin_inset CommandInset label
LatexCommand label
name "sub:Protocol-Key-Representation"

\end_inset

Protocol Key Representation
\end_layout

\begin_layout Standard
Because the key spaces for the cryptosystems defined below are dense, random
 or pseudo-random octet strings are used directly as keys.
\end_layout

\begin_layout Subsection
\begin_inset CommandInset label
LatexCommand label
name "sub:Key-Derivation-Function"

\end_inset

Key Derivation Functions
\end_layout

\begin_layout Subsubsection
Common Definitions for Key Derivation
\end_layout

\begin_layout Standard
The key derivation functions from 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
SP800-108
\end_layout

\end_inset

 Section 5 are used.
\end_layout

\begin_layout Description
key: The initial session key from which subsequent keys are derived
\end_layout

\begin_layout Description
label: An octet string describing the intended usage of the derived key
\end_layout

\begin_layout Description
i: A counter, expressed as four octets in big endian order
\end_layout

\begin_layout Description
k: The length in bits of the key to be outputted, identical to the length
 of the original key, expressed as four octets in big endian order.
\end_layout

\begin_layout Description
k-truncate: As defined in 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

 Section 5.1.
\end_layout

\begin_layout Standard
The | operator indicates concatenation.
\end_layout

\begin_layout Subsubsection
\begin_inset CommandInset label
LatexCommand label
name "sub:KDF-CMAC"

\end_inset

KDF for AES-GCM and AES-CCM
\end_layout

\begin_layout Standard
The GCM and CCM profiles defined below use the counter/feedback key derivation
 function from 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
SP800-108
\end_layout

\end_inset

 Section 5.2, using CMAC as the PRF with either AES-128 or AES-256 (depending
 on the input key).
 The composition is given below:
\end_layout

\begin_layout Description
K0: all zero bits
\end_layout

\begin_layout Description
Ki: CMAC(key, K(i-1) | i | label | 0x00 | k)
\end_layout

\begin_layout Standard
KDF-CMAC(key, label) = k-truncate(K1 | K2...)
\end_layout

\begin_layout Standard
The iteration count i is one for AES-128 keys and two for AES-256 keys.
\end_layout

\begin_layout Subsubsection
\begin_inset CommandInset label
LatexCommand label
name "sub:KDF-HMAC-SHA256"

\end_inset

KDF for chacha20-poly1305
\end_layout

\begin_layout Standard
The chacha20-poly1305 profile defined in 
\begin_inset CommandInset ref
LatexCommand ref
reference "sub:chacha20-poly1305"

\end_inset

 uses the counter mode key derivation function from 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
SP800-108
\end_layout

\end_inset

 Section 5.1, using HMAC-SHA-256 as the PRF.
 The composition is given below:
\end_layout

\begin_layout Description
K0: all zero bits
\end_layout

\begin_layout Description
Ki: HMAC-SHA-256(key, i | label | 0x00 | k)
\end_layout

\begin_layout Standard
KDF-HMAC-SHA256(key, label) = k-truncate(K1)
\end_layout

\begin_layout Subsection
\begin_inset CommandInset label
LatexCommand label
name "sub:Cipherstate-chaining"

\end_inset

Cipherstate Chaining
\end_layout

\begin_layout Standard
Kerberos applications using native AEAD cryptosystems may choose to explicitly
 compose the cipherstate (for example, from a sequence number).
 However the only requirement imposed by this profile is that the application
 guarantee that the combination of key and deterministic cipherstate be
 unique for a particular invocation of the authenticated encryption function.
 For the encryption types defined in this section, all bits of the cipherstate
 may be managed by the application.
\end_layout

\begin_layout Standard
An application MAY use the output cipherstate from encrypt-with-ad and decrypt-w
ith-ad in subsequent invocations of those functions.
 For the profiles defined in this section, the output cipherstate is composed
 as follows:
\end_layout

\begin_layout Description
D[N..M] M - N + 1 octets of D, starting at octet M (1-based)
\end_layout

\begin_layout Description
fixed oldstate[1..4]
\end_layout

\begin_layout Description
counter oldstate[5..12]
\end_layout

\begin_layout Description
newstate fixed | counter + 1
\end_layout

\begin_layout Standard
The + operator indicates addition of 64-bit integers expressed as eight
 octets in big endian order, raising an error after 2^64 invocations.
 (Note that the application may specify a non-zero initial cipherstate,
 so the implementation must check the invocation count for overflow rather
 than the cipherstate counter.) This composition is compatible with the recommend
ed nonce formation defined in 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC5116
\end_layout

\end_inset

 Section 3.2.
\end_layout

\begin_layout Standard
Note also that the invocation counter described above is independent of
 the block counter implemented by the underlying encryption function.
\end_layout

\begin_layout Subsection
Common Profile Definitions
\end_layout

\begin_layout Standard
The following parameters apply to all the encryption types defined below.
\end_layout

\begin_layout Standard
protocol key format: as defined in 
\begin_inset CommandInset ref
LatexCommand ref
reference "sub:Protocol-Key-Representation"

\end_inset


\end_layout

\begin_layout Standard
specific key structure: one protocol format key, Ke
\end_layout

\begin_layout Standard
required checksum mechanism: none
\end_layout

\begin_layout Standard
key generation functions
\end_layout

\begin_layout Standard
string-to-key function: none
\end_layout

\begin_layout Standard
random-to-key function: identity function
\end_layout

\begin_layout Standard
cipherstate: a 96-bit initialization vector
\end_layout

\begin_layout Standard
initial cipherstate: all bits zero, or specified by application
\end_layout

\begin_layout Standard
subsequent cipherstate: the previous cipherstate incremented by one per
 
\begin_inset CommandInset ref
LatexCommand ref
reference "sub:Cipherstate-chaining"

\end_inset


\end_layout

\begin_layout Subsection
aes128-gcm-128
\end_layout

\begin_layout Standard
This profile is based on 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC5116
\end_layout

\end_inset

 Section 5.1.
 The GCM authenticated encryption algorithm works as specified in 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
GCM
\end_layout

\end_inset

 Section 7, using AES-128 as the block cipher.
 A key length of 16 octets (128 bits) is used, along with an authentication
 tag with a length of 16 octets (128 bits).
\end_layout

\begin_layout Standard
The following parameters apply to the aes128-gcm-128 encryption type:
\end_layout

\begin_layout Standard
key-generation seed length: key size (128 bits)
\end_layout

\begin_layout Standard
key-deriviation function: KDF-CMAC as defined in 
\begin_inset CommandInset ref
LatexCommand ref
reference "sub:KDF-CMAC"

\end_inset

.
 The key usage number is expressed as four octets in big endian order.
\end_layout

\begin_layout Standard
Ke = KDF-CMAC(base-key, usage | 0xAA)
\end_layout

\begin_layout Standard
encrypt-with-ad function: AES encryption in GCM mode using Ke
\end_layout

\begin_layout Standard
decrypt-with-ad function: AES decryption in GCM mode using Ke
\end_layout

\begin_layout Standard
pseudo random function: PRF = KDF-CMAC(base-key, "prf" | octet-string)
\end_layout

\begin_layout Subsection
aes256-gcm-128
\end_layout

\begin_layout Standard
As for aes128-gcm-128, but using AES-256 as the block cipher and with key
 and key-generation seed lengths of 32 octets (256 bits).
\end_layout

\begin_layout Subsection
aes128-ccm-128
\end_layout

\begin_layout Standard
This profile is based on 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC5116
\end_layout

\end_inset

 Section 5.3.
 The CCM authenticated encryption algorithm works as specified in 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
CCM
\end_layout

\end_inset

 Section 6, using AES-128 as the block cipher.
 A key length of 16 octets (128 bits) is used, along with an authentication
 tag with a length t of 16 octets (128 bits).
 The nonce length n is 12 octets, and the corresponding counter length q
 is 3 octets.
 (Note that this imposes a maximum message size of 2^24 blocks, which may
 be unacceptable to some applications.)
\end_layout

\begin_layout Standard
The following parameters apply to the aes128-ccm-128 encryption type:
\end_layout

\begin_layout Standard
key-generation seed length: key size (128 bits)
\end_layout

\begin_layout Standard
key-deriviation function: KDF-CMAC as defined in 
\begin_inset CommandInset ref
LatexCommand ref
reference "sub:KDF-CMAC"

\end_inset

.
 The key usage number is expressed as four octets in big endian order.
\end_layout

\begin_layout Standard
Ke = KDF-CMAC(base-key, usage | 0xAA)
\end_layout

\begin_layout Standard
encrypt-with-ad function: AES encryption in CCM mode using Ke
\end_layout

\begin_layout Standard
decrypt-with-ad function: AES decryption in CCM mode using Ke
\end_layout

\begin_layout Standard
pseudo random function: PRF = KDF-CMAC(base-key, "prf" | octet-string)
\end_layout

\begin_layout RevisionRemark
TBD: It may be better to use a nonce length of 11 octets (n = 11, q = 4)
 so the counter length is 32 bits.
 This would put a more reasonable limit on message size and is compatible
 with the cipherstate requirements for GSS-API.
 On the other hand, it may make it more difficult to use TLS-oriented GCM
 implementations that expose the Fixed-Common and Fixed-Distinct nonce component
s independently.
\end_layout

\begin_layout Subsection
aes256-ccm-128
\end_layout

\begin_layout Standard
As for aes128-ccm-128, but using AES-256 as the block cipher and with key
 and key-generation seed lengths of 32 octets (256 bits).
\end_layout

\begin_layout Subsection
\begin_inset CommandInset label
LatexCommand label
name "sub:chacha20-poly1305"

\end_inset

chacha20-poly1305
\end_layout

\begin_layout Standard
This profile is based on 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC7539
\end_layout

\end_inset

 Section 2.8.
 A key length of 32 octets (256 bits) is used, along with an authentication
 tag length of 16 octets (128 bits).
\end_layout

\begin_layout Standard
key-generation seed length: key size (256 bits)
\end_layout

\begin_layout Standard
key-deriviation function: KDF-HMAC-SHA256 as defined in 
\begin_inset CommandInset ref
LatexCommand ref
reference "sub:KDF-HMAC-SHA256"

\end_inset

.
 The key usage number is expressed as four octets in big endian order.
\end_layout

\begin_layout Standard
Ke = KDF-HMAC-SHA256(base-key, usage | 0xAA)
\end_layout

\begin_layout Standard
encrypt-with-ad function: AEAD construction of chacha20 with poly1305 using
 Ke
\end_layout

\begin_layout Standard
decrypt-with-ad function: AEAD construction of chacha20 with poly1305 using
 Ke
\end_layout

\begin_layout Standard
pseudo random function: PRF = KDF-HMAC-SHA256(base-key, "prf" | octet-string)
\end_layout

\begin_layout Section
Security Considerations
\end_layout

\begin_layout Standard
This document defines encryption types that would be unsafe when used outside
 specific applications that are aware of the requirement for non-repeating
 cipherstate.
 Implementations that expose 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC3961
\end_layout

\end_inset

 programming interfaces may not be able to completely prevent misuse of
 these encryption types.
\end_layout

\begin_layout Standard
Whilst this document abstractly supports the use of native AEAD ciphers
 with long-term keys, no such encryption types are defined.
 A future document may specify this, perhaps by deriving unique keys for
 each invocation of the encryption function.
\end_layout

\begin_layout Standard
Counter modes of encryption such as CCM and GCM require that the initialization
 vector never repeat.
 Where the application manages the cipherstate, the burden is on the application
 to ensure this.
 If the application uses a randomly generated initial cipherstate on each
 invocation of the authenticated encryption function, then to avoid a birthday
 attack the number of invocations should be limited to 2^48 (given a 96-bit
 initialization vector) or less.
 (Section 8.3 of 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
GCM
\end_layout

\end_inset

 limits the number of invocations to 2^32 when using GCM with a randomly
 generated initialization vector.)
\end_layout

\begin_layout Section
IANA Considerations
\end_layout

\begin_layout Standard
IANA is requested to assign:
\end_layout

\begin_layout Standard
\begin_inset Tabular
<lyxtabular version="3" rows="6" columns="3">
<features tabularvalignment="middle">
<column alignment="center" valignment="top" width="0">
<column alignment="center" valignment="top" width="0">
<column alignment="center" valignment="top" width="0">
<row>
<cell alignment="center" valignment="top" topline="true" bottomline="true" leftline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
Etype
\end_layout

\end_inset
</cell>
<cell alignment="center" valignment="top" topline="true" bottomline="true" leftline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
Encryption type
\end_layout

\end_inset
</cell>
<cell alignment="center" valignment="top" topline="true" bottomline="true" leftline="true" rightline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
Reference
\end_layout

\end_inset
</cell>
</row>
<row>
<cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
TBD1
\end_layout

\end_inset
</cell>
<cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
aes128-gcm-128
\end_layout

\end_inset
</cell>
<cell alignment="center" valignment="top" topline="true" leftline="true" rightline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
[this document]
\end_layout

\end_inset
</cell>
</row>
<row>
<cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
TBD2
\end_layout

\end_inset
</cell>
<cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
aes256-gcm-128
\end_layout

\end_inset
</cell>
<cell alignment="center" valignment="top" topline="true" leftline="true" rightline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
[this document]
\end_layout

\end_inset
</cell>
</row>
<row>
<cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
TBD3
\end_layout

\end_inset
</cell>
<cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
aes128-ccm-128
\end_layout

\end_inset
</cell>
<cell alignment="center" valignment="top" topline="true" leftline="true" rightline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
[this document]
\end_layout

\end_inset
</cell>
</row>
<row>
<cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
TBD4
\end_layout

\end_inset
</cell>
<cell alignment="center" valignment="top" topline="true" leftline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
aes256-ccm-128
\end_layout

\end_inset
</cell>
<cell alignment="center" valignment="top" topline="true" leftline="true" rightline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
[this document]
\end_layout

\end_inset
</cell>
</row>
<row>
<cell alignment="center" valignment="top" topline="true" bottomline="true" leftline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
TBD4
\end_layout

\end_inset
</cell>
<cell alignment="center" valignment="top" topline="true" bottomline="true" leftline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
chacha20-poly1305
\end_layout

\end_inset
</cell>
<cell alignment="center" valignment="top" topline="true" bottomline="true" leftline="true" rightline="true" usebox="none">
\begin_inset Text

\begin_layout Plain Layout
[this document]
\end_layout

\end_inset
</cell>
</row>
</lyxtabular>

\end_inset


\end_layout

\begin_layout Section
Acknowledgements
\end_layout

\begin_layout Standard
The author would like to thank the following individuals for their comments
 and suggestions: Nicolas Williams and Greg Hudson.
\end_layout

\begin_layout Section
Normative References
\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "RFC2119"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "RFC3961"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3961.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "RFC5116"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5116.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "RFC7539"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7539.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex EmbeddedBibXML
status open

\begin_layout Plain Layout
<reference anchor="CCM"><front><title>Recommendation for Block Cipher Modes
 of Operation: The CCM Mode for Authentication and Confidentiality</title><autho
r initials="M." surname="Dworkin" fullname="Morris Dworkin"><organization>Nationa
l Institute of Standards and Technology</organization></author><date year="2004"
 month="May"/></front><format type="HTML" target="http://csrc.nist.gov/publication
s/nistpubs/800-38C/SP-800-38C.pdf"/></reference>
\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex EmbeddedBibXML
status open

\begin_layout Plain Layout
<reference anchor="GCM"><front><title>Recommendation for Block Cipher Modes
 of Operation: Galois/Counter Mode (GCM) and GMAC</title><author initials="M."
 surname="Dworkin" fullname="Morris Dworkin"><organization>National Institute
 of Standards and Technology</organization></author><date year="2007" month="Nov
ember"/></front><format type="HTML" target="http://csrc.nist.gov/publications/nist
pubs/800-38D/SP-800-38D.pdf"/></reference>
\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex EmbeddedBibXML
status open

\begin_layout Plain Layout
<reference anchor="SP800-108"><front><title>Recommendation for Key Derivation
 Using Pseudorandom Functions</title><author initials="L." surname="Chen"
 fullname="Lily Chen"><organization>National Institute of Standards and
 Technology</organization></author><date year="2009" month="October"/></front><f
ormat type="HTML" target="http://csrc.nist.gov/publications/nistpubs/800-108/sp800
-108.pdf"/></reference>
\end_layout

\end_inset


\end_layout

\begin_layout Section
Informative References
\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "RFC3962"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3962.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "RFC4537"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4537.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\end_body
\end_document