Luke Howard
2015-12-07 08:52:35 UTC
I had a bit of a play with adding support for AES-GCM to Heimdal. Notes:
* GCM is added as a RFC 3961 enctype, but itâs really a pseudo-enctype â were it to be documented, it might not be at the 3961 layer at all (except camping on the enctype namespace for negotiation).
* The target application is only GSS, and itâs assumed it'd be negotiated using RFC4537.
* Encryption/decryption functions are extended to support associated data (this was already there in the implementation, but 3961 would need to be updated).
* KDF is SP800-108 in counter/feedback mode with CMAC, this is used both for key derivation and for RFC4401 PRF. (Wasnât sure if was safe to use GMAC here?)
Ke = KDF-CMAC(base-key, usage | 0xAA)
PRF = KDF-CMAC(base-key, "prf" | octet-string)
There is no Ki/Kc because there is no separate checksum or integrity usage.
* No string-to-key function is defined.
* No checksum types are defined, instead MIC tokens are constructed using the encryption function with an empty plaintext. I figured this was less intrusive than extending the checksum function to take a cipher state parameter, but comments are welcome.
* The cipher state is the GCM initialisation vector length; the length is 96 bits (excluding counter). A (key, IV) combination must never be reused. TOK_ID || Flags || 0xFF || SND_SEQ is used as the initialisation vector for all RFC 4121 tokens.
* The encrypted copy of the 4121 token header is removed (it is protected by the IV, except for the EC field which implementations must validate independently). We could additionally protect it as associated data.
Implementation (forked off aes-sha2 work):
https://github.com/heimdal/heimdal/tree/lukeh/aes-gcm <https://github.com/heimdal/heimdal/tree/lukeh/aes-gcm>
â Luke
* GCM is added as a RFC 3961 enctype, but itâs really a pseudo-enctype â were it to be documented, it might not be at the 3961 layer at all (except camping on the enctype namespace for negotiation).
* The target application is only GSS, and itâs assumed it'd be negotiated using RFC4537.
* Encryption/decryption functions are extended to support associated data (this was already there in the implementation, but 3961 would need to be updated).
* KDF is SP800-108 in counter/feedback mode with CMAC, this is used both for key derivation and for RFC4401 PRF. (Wasnât sure if was safe to use GMAC here?)
Ke = KDF-CMAC(base-key, usage | 0xAA)
PRF = KDF-CMAC(base-key, "prf" | octet-string)
There is no Ki/Kc because there is no separate checksum or integrity usage.
* No string-to-key function is defined.
* No checksum types are defined, instead MIC tokens are constructed using the encryption function with an empty plaintext. I figured this was less intrusive than extending the checksum function to take a cipher state parameter, but comments are welcome.
* The cipher state is the GCM initialisation vector length; the length is 96 bits (excluding counter). A (key, IV) combination must never be reused. TOK_ID || Flags || 0xFF || SND_SEQ is used as the initialisation vector for all RFC 4121 tokens.
* The encrypted copy of the 4121 token header is removed (it is protected by the IV, except for the EC field which implementations must validate independently). We could additionally protect it as associated data.
Implementation (forked off aes-sha2 work):
https://github.com/heimdal/heimdal/tree/lukeh/aes-gcm <https://github.com/heimdal/heimdal/tree/lukeh/aes-gcm>
â Luke