[AFS3-std] rxgk and the RFC 4402 PRF+ function

Benjamin Kaduk kaduk@MIT.EDU
Mon, 24 Feb 2014 14:02:22 -0500 (EST)


On Fri, 21 Feb 2014, Michael Meffie wrote:

> On Wed, 19 Feb 2014 16:23:36 -0500
> Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>
>> Hi all,
>>
>> The core rxgk document (which just had a last call period) has a normative
>> reference to RFC 4402 for the PRF+ construction, which is an algorithm to
>> get variable-length pseudo-random bytestrings from the RFC 3961 enctype's
>> pseudo_random() function.  The construction is basically just to invoke
>> the underlying pseudo_random() function in counter mode.
>>
>> However, there is an erratum [1] filed against RFC 4402, which notes that
>> the implementors of that specification for krb5 gss_pseudo_random()
>> started the counter at 0, even though the text of RFC 4402 mandates that
>> the counter start at 1.
>>
>> Because of this ambiguity about what value the counter starts at, in order
>> to ensure interoperability of rxgk implementations, we should note/clarify
>> what behavior rxgk expects.  It's probably easiest to do this by noting
>> directly in the document, i.e., issue a new I-D with just this change.
>> It's my understanding that if we have agreement on the list for the
>> clarification, no additional last call period is necessary.
>
> Thanks Ben,
>
> So if I understand: this is not a change (or errata), but a clarification?
>
> The clarification is to say the RFC 4402 mandate of starting the counter
> at 1 is correct for afs3-rxgk (even though other implementations of 4402
> start at 0)?

That's my thinking, yes.

> Can you suggest the correct wording?

My current proposal is to apply this patch (a4d36684 on my github):
  	                  epoch || cid || start_time || key_number))
   </artwork>
           </figure>
  +        <t>[[The PRF+ function defined in RFC 4402 specifies that the values
  +         of the counter 'n' should begin at 1, for T1, T2, ... Tn.
  +         However, implementations of that PRF+ function for the
  +         gss_pseudo_random() implementation for the krb5 mechanism have
  +         disregarded that specification and started the counter 'n' from 0.
  +         Since there is no interoperability concern between krb5
  +         gss_pseudo_random() and rxgk key derivation, implementations of
  +         the RFC 4402 PRF+ function for rxgk key derivation should use the
  +         RFC 4402 version as specified, that is, with the counter 'n' beginning
  +         at 1.]]</t>
           <t>L is the key generation seed length as specified in the RFC3961
   	 profile.</t>
           <t>epoch, cid and key_number are passed as 32 bit quantities; start_time
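Review bot: The last sentence of the added <t> states the counter requirement with a lowercase "should" ("should use the RFC 4402 version as specified"), which reads as advice rather than a requirement, while the stated purpose of the paragraph is to fix one behavior for rxgk implementations. If the document uses RFC 2119 keywords, "MUST use ... with the counter 'n' beginning at 1" would remove the ambiguity. Two smaller points in the same paragraph: "T1, T2, ... Tn" reuses 'n' as both the running counter and the final index, so naming the first block explicitly (T1 is computed with n = 1) would be clearer, and the surrounding "[[ ... ]]" makes it unclear whether this text is meant to stay in the published document or is an editor's note to be removed.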


-Ben
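
The counter-start ambiguity discussed in this message, as an added example (not code from the message, the rxgk draft, or any rxgk implementation). It assumes HMAC-SHA256 as a stand-in for the RFC 3961 enctype's pseudo_random(); the function names, key and seed are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import struct

BLOCK = hashlib.sha256().digest_size  # output size of the stand-in PRF


def stand_in_prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 replaces the RFC 3961 enctype pseudo_random(),
    # which needs a Kerberos crypto library. Only the counter logic is the point.
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, length: int, seed: bytes, first_n: int = 1) -> bytes:
    """Return truncate(length, T(first_n) || T(first_n + 1) || ...),
    where Tn = prf(key, n || seed) and n is a 32-bit big-endian counter."""
    if length < 0 or first_n not in (0, 1):
        raise ValueError("length must be >= 0 and first_n must be 0 or 1")
    out = bytearray()
    n = first_n
    while len(out) < length:
        out += stand_in_prf(key, struct.pack(">I", n) + seed)
        n += 1
    return bytes(out[:length])


def compare_counter_starts(key: bytes, length: int, seed: bytes) -> dict:
    spec = prf_plus(key, length, seed, first_n=1)    # RFC 4402 as written
    legacy = prf_plus(key, length, seed, first_n=0)  # behaviour noted in the erratum
    # The start-at-0 stream is the start-at-1 stream delayed by one PRF block.
    delayed = prf_plus(key, length + BLOCK, seed, first_n=0)[BLOCK:]
    return {"spec": spec, "legacy": legacy,
            "interoperable": spec == legacy,
            "shifted_by_one_block": delayed == spec}


# Constructed sample inputs, not real rxgk values.
KEY = bytes(range(16))
SEED = b"constructed-seed"

if __name__ == "__main__":
    r = compare_counter_starts(KEY, 48, SEED)
    print("n starts at 1:", r["spec"].hex())
    print("n starts at 0:", r["legacy"].hex())
    print("interoperable:", r["interoperable"])
    print("start-0 is start-1 delayed one block:", r["shifted_by_one_block"])
```

Two peers that disagree on the first counter value derive different keys from the same inputs, so the mismatch shows up as a failure to decrypt or verify rather than as an explicit negotiation error.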