[AFS3-std] rxgk and the RFC 4402 PRF+ function
Benjamin Kaduk
kaduk@MIT.EDU
Mon, 24 Feb 2014 14:02:22 -0500 (EST)
On Fri, 21 Feb 2014, Michael Meffie wrote:
> On Wed, 19 Feb 2014 16:23:36 -0500
> Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>
>> Hi all,
>>
>> The core rxgk document (which just had a last call period) has a normative
>> reference to RFC 4402 for the PRF+ construction, which is an algorithm to
>> get variable-length pseudo-random bytestrings from the RFC 3961 enctype's
>> pseudo_random() function. The construction is basically just to invoke
>> the underlying pseudo_random() function in counter mode.
>>
>> However, there is an erratum [1] filed against RFC 4402, which notes that
>> the implementors of that specification for krb5 gss_pseudo_random()
>> started the counter at 0, even though the text of RFC 4402 mandates that
>> the counter start at 1.
>>
>> Because of this ambiguity about what value the counter starts at, in order
>> to ensure interoperability of rxgk implementations, we should note/clarify
>> what behavior rxgk expects. It's probably easiest to do this by noting
>> directly in the document, i.e., issue a new I-D with just this change.
>> It's my understanding that if we have agreement on the list for the
>> clarification, no additional last call period is necessary.
>
> Thanks Ben,
>
> So if I understand; This is not a change (or errata), but a clarification?
>
> The clarification is to say the RFC 4402 mandate of starting the counter
> at 1 is correct for afs3-rxgk (even though other impementations of 4402
> start at 0)?
That's my thinking, yes.
> Can you suggest the correct wording?
My current proposal is to apply this patch (a4d36684 on my github):
epoch || cid || start_time || key_number))
</artwork>
</figure>
+ <t>[[The PRF+ function defined in RFC 4402 specifies that the values
+ of the counter 'n' should begin at 1, for T1, T2, ... Tn.
+ However, implementations of that PRF+ function for the
+ gss_pseudo_random() implementation for the krb5 mechanism have
+ disregarded that specification and started the counter 'n' from 0.
+ Since there is no interoperability concern between krb5
+ gss_pseudo_random() and rxgk key derivation, implementations of
+ the RFC 4402 PRF+ function for rxgk key derivation should use the
+ RFC 4402 version as specified, that is, with the counter 'n' beginning
+ at 1.]]</t>
<t>L is the key generation seed length as specified in the RFC3961
profile.</t>
<t>epoch, cid and key_number are passed as 32 bit quantities; start_time
-Ben