Internet Engineering Task Force (IETF)                        M. Jenkins
Request for Comments: 8009                      National Security Agency
Category: Informational                                          M. Peck
ISSN: 2070-1721                                    The MITRE Corporation
                                                               K. Burgin
                                                            October 2016

AES Encryption with HMAC-SHA2 for Kerberos 5

Abstract

This document specifies two encryption types and two corresponding checksum types for Kerberos 5. The new types use AES in CTS mode (CBC mode with ciphertext stealing) for confidentiality and HMAC with a SHA-2 hash for integrity.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8009.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Protocol Key Representation
   3.  Key Derivation Function
   4.  Key Generation from Pass Phrases
   5.  Kerberos Algorithm Protocol Parameters
   6.  Checksum Parameters
   7.  IANA Considerations
   8.  Security Considerations
     8.1.  Random Values in Salt Strings
     8.2.  Algorithm Rationale
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Test Vectors
   Acknowledgements
   Authors' Addresses
1. Introduction

This document defines two encryption types and two corresponding checksum types for Kerberos 5 using AES with 128-bit or 256-bit keys.

To avoid ciphertext expansion, we use a variation of the CBC-CS3 mode defined in [SP800-38A+], also referred to as ciphertext stealing or CTS mode. The new types conform to the framework specified in [RFC3961], but do not use the simplified profile, as the simplified profile is not compliant with modern cryptographic best practices such as calculating Message Authentication Codes (MACs) over ciphertext rather than plaintext.

The encryption and checksum types defined in this document are intended to support environments that desire to use SHA-256 or SHA-384 (defined in [FIPS180]) as the hash algorithm. Differences between the encryption and checksum types defined in this document and the pre-existing Kerberos AES encryption and checksum types specified in [RFC3962] are:

* The pseudorandom function (PRF) used by PBKDF2 is HMAC-SHA-256 or HMAC-SHA-384. (HMAC is defined in [RFC2104].)

* A key derivation function from [SP800-108] using the SHA-256 or SHA-384 hash algorithm is used to produce keys for encryption, integrity protection, and checksum operations.

* The HMAC is calculated over the cipher state concatenated with the AES output, instead of being calculated over the confounder and plaintext. This allows the message receiver to verify the integrity of the message before decrypting the message.

* The HMAC algorithm uses the SHA-256 or SHA-384 hash algorithm for integrity protection and checksum operations.

2. Protocol Key Representation

The AES key space is dense, so we can use random or pseudorandom octet strings directly as keys. The byte representation for the key is described in [FIPS197], where the first bit of the bit string is the high bit of the first byte of the byte string (octet string).

3. Key Derivation Function

We use a key derivation function from Section 5.1 of [SP800-108], which uses the HMAC algorithm as the PRF.

function KDF-HMAC-SHA2(key, label, [context,] k): k-truncate(K1)

where the value of K1 is computed as below.

key: The source of entropy from which subsequent keys are derived. (This is known as "Ki" in [SP800-108].)

label: An octet string describing the intended usage of the derived key.

context: This parameter is optional. An octet string containing the information related to the derived keying material. This specification does not dictate a specific format for the context field. The context field is only used by the pseudorandom function defined in Section 5, where it is set to the pseudorandom function's octet-string input parameter. The content of the octet-string input parameter is defined by the application that uses it.

k: Length in bits of the key to be outputted, expressed in big-endian binary representation in 4 bytes. (This is called "L" in [SP800-108].) Specifically, k=128 is represented as 0x00000080, 192 as 0x000000C0, 256 as 0x00000100, and 384 as 0x00000180.

When the encryption type is aes128-cts-hmac-sha256-128, k must be no greater than 256 bits. When the encryption type is aes256-cts-hmac-sha384-192, k must be no greater than 384 bits.

The k-truncate function is defined in Section 5.1 of [RFC3961]. It returns the 'k' leftmost bits of the bit-string input.

In all computations in this document, "|" indicates concatenation.

When the encryption type is aes128-cts-hmac-sha256-128, then K1 is computed as follows:

If the context parameter is not present: K1 = HMAC-SHA-256(key, 0x00000001 | label | 0x00 | k)

If the context parameter is present: K1 = HMAC-SHA-256(key, 0x00000001 | label | 0x00 | context | k)

When the encryption type is aes256-cts-hmac-sha384-192, then K1 is computed as follows:

If the context parameter is not present: K1 = HMAC-SHA-384(key, 0x00000001 | label | 0x00 | k)

If the context parameter is present: K1 = HMAC-SHA-384(key, 0x00000001 | label | 0x00 | context | k)

In the definitions of K1 above, '0x00000001' is the i parameter (the iteration counter) from Section 5.1 of [SP800-108].

4. Key Generation from Pass Phrases

As defined below, the string-to-key function uses PBKDF2 [RFC2898] and KDF-HMAC-SHA2 to derive the base-key from a passphrase and salt. The string-to-key parameter string is 4 octets indicating an unsigned number in big-endian order, consistent with [RFC3962], except that the default is decimal 32768 if the parameter is not specified.

To ensure that different long-term base-keys are used with different enctypes, we prepend the enctype name to the salt, separated by a null byte. The enctype-name is "aes128-cts-hmac-sha256-128" or "aes256-cts-hmac-sha384-192" (without the quotes).

The user's long-term base-key is derived as follows:

      iter_count = string-to-key parameter, default is decimal 32768
      saltp = enctype-name | 0x00 | salt
      tkey = random-to-key(PBKDF2(passphrase, saltp,
                                  iter_count, keylength))
      base-key = random-to-key(KDF-HMAC-SHA2(tkey, "kerberos",
                                             keylength))

where "kerberos" is the octet-string 0x6B65726265726F73.

where PBKDF2 is the function of that name from RFC 2898, the pseudorandom function used by PBKDF2 is HMAC-SHA-256 when the enctype is "aes128-cts-hmac-sha256-128" and HMAC-SHA-384 when the enctype is "aes256-cts-hmac-sha384-192", the value for keylength is the AES key length (128 or 256 bits), and the algorithm KDF-HMAC-SHA2 is defined in Section 3.

5. Kerberos Algorithm Protocol Parameters

The cipher state defined in RFC 3961 that maintains cryptographic state across different encryption operations using the same key is used as the formal initialization vector (IV) input into CBC-CS3. The plaintext is prepended with a 16-octet random value generated by the message originator, known as a confounder.

The ciphertext is a concatenation of the output of AES in CBC-CS3 mode and the HMAC of the cipher state concatenated with the AES output. The HMAC is computed using either SHA-256 or SHA-384 depending on the encryption type. The output of HMAC-SHA-256 is truncated to 128 bits, and the output of HMAC-SHA-384 is truncated to 192 bits. Sample test vectors are given in Appendix A.

Decryption is performed by removing the HMAC, verifying the HMAC against the cipher state concatenated with the ciphertext, and then decrypting the ciphertext only if the HMAC is correct. Finally, the first 16 octets of the decryption output (the confounder) are discarded, and the remainder is returned as the plaintext decryption output.

The following parameters apply to the encryption types aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192.

protocol key format: as defined in Section 2.

specific key structure: three derived keys: { Kc, Ke, Ki }.

Kc: the checksum key, inputted into HMAC to provide the checksum mechanism defined in Section 6.

Ke: the encryption key, inputted into AES encryption and decryption as defined in "encryption function" and "decryption function" below.

Ki: the integrity key, inputted into HMAC to provide authenticated encryption as defined in "encryption function" and "decryption function" below.

required checksum mechanism: as defined in Section 6.

key-generation seed length: key size (128 or 256 bits).

string-to-key function: as defined in Section 4.

default string-to-key parameters: iteration count of decimal 32768.

random-to-key function: identity function.

key-derivation function: KDF-HMAC-SHA2 as defined in Section 3. The key usage number is expressed as 4 octets in big-endian order.

   If the enctype is aes128-cts-hmac-sha256-128:
   Kc = KDF-HMAC-SHA2(base-key, usage | 0x99, 128)
   Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA, 128)
   Ki = KDF-HMAC-SHA2(base-key, usage | 0x55, 128)
        
   If the enctype is aes256-cts-hmac-sha384-192:
   Kc = KDF-HMAC-SHA2(base-key, usage | 0x99, 192)
   Ke = KDF-HMAC-SHA2(base-key, usage | 0xAA, 256)
   Ki = KDF-HMAC-SHA2(base-key, usage | 0x55, 192)
        

cipher state: a 128-bit CBC initialization vector derived from a previous ciphertext (if any) using the same encryption key, as specified below.

initial cipher state: all bits zero.

encryption function: as follows, where E() is AES encryption in CBC-CS3 mode, and h is the size of truncated HMAC (128 bits or 192 bits as described above).

      N = random value of length 128 bits (the AES block size)
      IV = cipher state
      C = E(Ke, N | plaintext, IV)
      H = HMAC(Ki, IV | C)
      ciphertext = C | H[1..h]
        
      Steps to compute the 128-bit cipher state:
         L = length of C in bits
         portion C into 128-bit blocks, placing any remainder of less
         than 128 bits into a final block
         if L == 128: cipher state = C
         else if L mod 128 > 0: cipher state = last full (128-bit) block
                                             of C (the next-to-last
                                             block)
         else if L mod 128 == 0: cipher state = next-to-last block of C
        

(Note that L will never be less than 128 because of the presence of N in the encryption input.)

decryption function: as follows, where D() is AES decryption in CBC-CS3 mode, and h is the size of truncated HMAC.

      (C, H) = ciphertext
          (Note: H is the last h bits of the ciphertext.)
      IV = cipher state
      if H != HMAC(Ki, IV | C)[1..h]
          stop, report error
      (N, P) = D(Ke, C, IV)

(Note: N is set to the first block of the decryption output; P is set to the rest of the output.)

cipher state = same as described above in encryption function

pseudorandom function: If the enctype is aes128-cts-hmac-sha256-128: PRF = KDF-HMAC-SHA2(input-key, "prf", octet-string, 256)

If the enctype is aes256-cts-hmac-sha384-192: PRF = KDF-HMAC-SHA2(input-key, "prf", octet-string, 384)

where "prf" is the octet-string 0x707266

6. Checksum Parameters

The following parameters apply to the checksum types hmac-sha256-128-aes128 and hmac-sha384-192-aes256, which are the associated checksums for aes128-cts-hmac-sha256-128 and aes256-cts-hmac-sha384-192, respectively.

associated cryptosystem: aes128-cts-hmac-sha256-128 or aes256-cts-hmac-sha384-192 as appropriate.

get_mic: HMAC(Kc, message)[1..h], where h is 128 bits for checksum type hmac-sha256-128-aes128 and 192 bits for checksum type hmac-sha384-192-aes256.

verify_mic: get_mic and compare.
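
The key-derivation and integrity pieces of Sections 3 to 6 (KDF-HMAC-SHA2, string-to-key, the per-usage Kc/Ke/Ki derivation, the PRF, the cipher-state update, the HMAC check that precedes decryption, and get_mic/verify_mic) as an added worked example; this is not code from this RFC or from any Kerberos implementation. It relies only on Python's hashlib and hmac, leaves out AES in CBC-CS3 mode (E()/D() of Section 5, which the standard library does not provide), and its results can be checked against the Appendix A test vectors.

```python
"""RFC 8009 key derivation and integrity primitives, Sections 3 to 6.

Added example (not the RFC's or any Kerberos implementation's code). The
AES-CBC-CS3 functions E()/D() of Section 5 are left out; only hashlib/hmac.
"""
import hashlib
import hmac

# Per-enctype parameters: the SHA-2 hash used by HMAC and PBKDF2, the AES
# key length, the Kc/Ke/Ki lengths (Section 5) and the truncated HMAC
# size h (Sections 5 and 6), all in bits.
ENCTYPES = {
    "aes128-cts-hmac-sha256-128": dict(hash="sha256", keylen=128, kc=128, ke=128, ki=128, h=128),
    "aes256-cts-hmac-sha384-192": dict(hash="sha384", keylen=256, kc=192, ke=256, ki=192, h=192),
}

def k_truncate(data: bytes, k: int) -> bytes:
    """The k leftmost bits of data (RFC 3961, Section 5.1); k is byte-aligned here."""
    if k % 8 or k > 8 * len(data):
        raise ValueError("k must be a multiple of 8 and no longer than the input")
    return data[: k // 8]

def kdf_hmac_sha2(enctype: str, key: bytes, label: bytes, k: int, context: bytes = b"") -> bytes:
    """Section 3: K1 = HMAC-SHA-2(key, 0x00000001 | label | 0x00 | [context |] k); k-truncate(K1)."""
    p = ENCTYPES[enctype]
    hash_bits = 8 * hashlib.new(p["hash"]).digest_size
    if k > hash_bits:  # 256 bits for the SHA-256 enctype, 384 for the SHA-384 enctype
        raise ValueError(f"k={k} exceeds the {hash_bits}-bit HMAC output")
    data = (1).to_bytes(4, "big") + label + b"\x00" + context + k.to_bytes(4, "big")
    return k_truncate(hmac.new(key, data, p["hash"]).digest(), k)

def string_to_key(enctype: str, passphrase: bytes, salt: bytes, iter_count: int = 32768) -> bytes:
    """Section 4: PBKDF2 over the enctype-prefixed salt, then KDF-HMAC-SHA2 with label "kerberos"."""
    p = ENCTYPES[enctype]
    saltp = enctype.encode("ascii") + b"\x00" + salt  # binds the long-term key to one enctype
    tkey = hashlib.pbkdf2_hmac(p["hash"], passphrase, saltp, iter_count, p["keylen"] // 8)
    # random-to-key is the identity function (Section 5), so tkey feeds the KDF directly.
    return kdf_hmac_sha2(enctype, tkey, b"kerberos", p["keylen"])

def derive_usage_keys(enctype: str, base_key: bytes, usage: int) -> tuple:
    """Section 5 key-derivation function: (Kc, Ke, Ki) for one key usage number."""
    p = ENCTYPES[enctype]
    u = usage.to_bytes(4, "big")  # usage number as 4 big-endian octets
    return (kdf_hmac_sha2(enctype, base_key, u + b"\x99", p["kc"]),
            kdf_hmac_sha2(enctype, base_key, u + b"\xaa", p["ke"]),
            kdf_hmac_sha2(enctype, base_key, u + b"\x55", p["ki"]))

def prf(enctype: str, input_key: bytes, octet_string: bytes) -> bytes:
    """Section 5 PRF: KDF-HMAC-SHA2(input-key, "prf", octet-string, 256 or 384)."""
    p = ENCTYPES[enctype]
    out_bits = 8 * hashlib.new(p["hash"]).digest_size
    return kdf_hmac_sha2(enctype, input_key, b"prf", out_bits, context=octet_string)

def next_cipher_state(c: bytes) -> bytes:
    """Section 5: the 128-bit cipher state taken from a CBC-CS3 output C for the next message."""
    if len(c) < 16:
        raise ValueError("C always holds at least the 128-bit confounder block")
    if len(c) == 16:
        return c
    full = len(c) // 16  # number of complete 128-bit blocks
    if len(c) % 16:  # partial final block: the last full block is the next-to-last block
        return c[16 * (full - 1):16 * full]
    return c[16 * (full - 2):16 * (full - 1)]  # exact multiple: next-to-last block

def mac_tag(enctype: str, ki: bytes, iv: bytes, c: bytes) -> bytes:
    """H[1..h] = HMAC(Ki, IV | C) truncated to h bits, as appended to the CBC-CS3 output."""
    p = ENCTYPES[enctype]
    return k_truncate(hmac.new(ki, iv + c, p["hash"]).digest(), p["h"])

def split_and_verify(enctype: str, ki: bytes, iv: bytes, ciphertext: bytes):
    """First decryption step: detach H and check it before any AES work; return C, or None."""
    hlen = ENCTYPES[enctype]["h"] // 8
    if len(ciphertext) < 16 + hlen:  # shorter than confounder block plus tag cannot be valid
        return None
    c, h = ciphertext[:-hlen], ciphertext[-hlen:]
    return c if hmac.compare_digest(mac_tag(enctype, ki, iv, c), h) else None

def get_mic(enctype: str, kc: bytes, message: bytes) -> bytes:
    """Section 6 get_mic: HMAC(Kc, message)[1..h]."""
    p = ENCTYPES[enctype]
    return k_truncate(hmac.new(kc, message, p["hash"]).digest(), p["h"])

def verify_mic(enctype: str, kc: bytes, message: bytes, mic: bytes) -> bool:
    """Section 6 verify_mic: recompute get_mic and compare in constant time."""
    return hmac.compare_digest(get_mic(enctype, kc, message), mic)

if __name__ == "__main__":
    # Appendix A string-to-key vector: passphrase "password", salt = the 16 random
    # UTF-8 bytes listed in the appendix followed by "ATHENA.MIT.EDUraeburn".
    salt = bytes.fromhex("10DF9DD783E5BC8ACEA1730E74355F61") + b"ATHENA.MIT.EDUraeburn"
    for enctype in ENCTYPES:
        base_key = string_to_key(enctype, b"password", salt)
        kc, ke, ki = derive_usage_keys(enctype, base_key, 2)
        print(enctype, "base-key", base_key.hex(), "Kc", kc.hex(), "Ke", ke.hex(), "Ki", ki.hex())
```

Running the script with the Appendix A inputs reproduces the base-keys and the key usage 2 values listed there, which is the quickest way to validate an independent implementation of these enctypes.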

7. IANA Considerations

IANA has assigned encryption type numbers as follows in the "Kerberos Encryption Type Numbers" registry.

      etype   encryption type              Reference
      -----   ---------------              ---------
      19      aes128-cts-hmac-sha256-128   RFC 8009
      20      aes256-cts-hmac-sha384-192   RFC 8009

IANA has assigned checksum type numbers as follows in the "Kerberos Checksum Type Numbers" registry.

      sumtype   Checksum type            checksum  Reference
      value                              size
      -------   -------------            --------  ---------
      19        hmac-sha256-128-aes128   16        RFC 8009
      20        hmac-sha384-192-aes256   24        RFC 8009
        
8. Security Considerations

This specification requires implementations to generate random values. The use of inadequate pseudorandom number generators (PRNGs) can result in little or no security. The generation of quality random numbers is difficult. [RFC4086] offers guidance on random number generation.

This document specifies a mechanism for generating keys from passphrases or passwords. The use of PBKDF2, a salt, and a large iteration count adds some resistance to offline dictionary attacks by passive eavesdroppers. Salting prevents "rainbow table" attacks, while large iteration counts slow password-guess attempts. Nonetheless, computing power continues to rapidly improve, including the potential for use of graphics processing units (GPUs) in password-guess attempts. It is important to choose strong passphrases. Use of Kerberos extensions that protect against offline dictionary attacks should also be considered, as should the use of public key cryptography for initial Kerberos authentication [RFC4556] to eliminate the use of passwords or passphrases within the Kerberos protocol.

The NIST guidance in Section 5.3 of [SP800-38A], requiring that CBC initialization vectors be unpredictable, is satisfied by the use of a random confounder as the first block of plaintext. The confounder fills the cryptographic role typically played by an initialization vector. This approach was chosen to align with other Kerberos cryptosystem approaches.

8.1. Random Values in Salt Strings

The NIST guidance in Section 5.1 of [SP800-132] requires at least 128 bits of the salt to be randomly generated. The string-to-key function as defined in [RFC3961] requires the salt to be valid UTF-8 strings [RFC3629]. Not every 128-bit random string will be valid UTF-8, so a UTF-8-compatible encoding would be needed to encapsulate the random bits. However, using a salt containing a random portion may have the following issues with some implementations:

* Keys for cross-realm krbtgt services [RFC4120] are typically managed by entering the same password at two Key Distribution Centers (KDCs) to get the same keys. If each KDC uses a random salt, they won't have the same keys.

* Random salts may interfere with checking of password history.

8.2. Algorithm Rationale

This document has been written to be consistent with common implementations of AES and SHA-2. The encryption and hash algorithm sizes have been chosen to create a consistent level of protection, with consideration to implementation efficiencies. So, for instance, SHA-384, which would normally be matched to AES-192, is instead matched to AES-256 to leverage the fact that there are efficient hardware implementations of AES-256. Note that, as indicated by the enc-type name "aes256-cts-hmac-sha384-192", the truncation of the HMAC-SHA-384 output to 192 bits results in an overall 192-bit level of security.

9. References
9.1. Normative References

[FIPS180] National Institute of Standards and Technology, "Secure Hash Standard", FIPS PUB 180-4, DOI 10.6028/NIST.FIPS.180-4, August 2015.

[FIPS197] National Institute of Standards and Technology, "Advanced Encryption Standard (AES)", FIPS PUB 197, November 2001.

[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, <http://www.rfc-editor.org/info/rfc2104>.

[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography Specification Version 2.0", RFC 2898, DOI 10.17487/RFC2898, September 2000, <http://www.rfc-editor.org/info/rfc2898>.

[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003, <http://www.rfc-editor.org/info/rfc3629>.

[RFC3961] Raeburn, K., "Encryption and Checksum Specifications for Kerberos 5", RFC 3961, DOI 10.17487/RFC3961, February 2005, <http://www.rfc-editor.org/info/rfc3961>.

[RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) Encryption for Kerberos 5", RFC 3962, DOI 10.17487/RFC3962, February 2005, <http://www.rfc-editor.org/info/rfc3962>.

[SP800-38A+] National Institute of Standards and Technology, "Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode", NIST Special Publication 800-38A Addendum, October 2010.

[SP800-108] National Institute of Standards and Technology, "Recommendation for Key Derivation Using Pseudorandom Functions", NIST Special Publication 800-108, October 2009.

9.2. Informative References

[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, DOI 10.17487/RFC4086, June 2005, <http://www.rfc-editor.org/info/rfc4086>.

[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The Kerberos Network Authentication Service (V5)", RFC 4120, DOI 10.17487/RFC4120, July 2005, <http://www.rfc-editor.org/info/rfc4120>.

[RFC4556] Zhu, L. and B. Tung, "Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)", RFC 4556, DOI 10.17487/RFC4556, June 2006, <http://www.rfc-editor.org/info/rfc4556>.

[SP800-38A] National Institute of Standards and Technology, "Recommendation for Block Cipher Modes of Operation: Methods and Techniques", NIST Special Publication 800-38A, December 2001.

[SP800-132] National Institute of Standards and Technology, "Recommendation for Password-Based Key Derivation, Part 1: Storage Applications", NIST Special Publication 800-132, June 2010.

Appendix A. Test Vectors
   Sample results for string-to-key conversion:
   --------------------------------------------

   Iteration count = 32768
   Pass phrase = "password"
   Saltp for creating 128-bit base-key:
       61 65 73 31 32 38 2D 63 74 73 2D 68 6D 61 63 2D
       73 68 61 32 35 36 2D 31 32 38 00 10 DF 9D D7 83
       E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E
       41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E

   (The saltp is "aes128-cts-hmac-sha256-128" | 0x00 |
    random 16-byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn")
   128-bit base-key:
       08 9B CA 48 B1 05 EA 6E A7 7C A5 D2 F3 9D C5 E7

   Saltp for creating 256-bit base-key:
       61 65 73 32 35 36 2D 63 74 73 2D 68 6D 61 63 2D
       73 68 61 33 38 34 2D 31 39 32 00 10 DF 9D D7 83
       E5 BC 8A CE A1 73 0E 74 35 5F 61 41 54 48 45 4E
       41 2E 4D 49 54 2E 45 44 55 72 61 65 62 75 72 6E
   (The saltp is "aes256-cts-hmac-sha384-192" | 0x00 |
    random 16-byte valid UTF-8 sequence | "ATHENA.MIT.EDUraeburn")
   256-bit base-key:
       45 BD 80 6D BF 6A 83 3A 9C FF C1 C9 45 89 A2 22
       36 7A 79 BC 21 C4 13 71 89 06 E9 F5 78 A7 84 67

用于创建256位基本密钥的Saltp:61 65 73 32 35 36 2D 63 74 73 2D 68 6D 61 63 2D 73 68 61 33 34 2D 31 39 32 00 10 DF 9D D7 83 E5 BC 8A CE A1 73 0E 74 35 5F 61 54 48 4E 41 2E 4D 49 54 2E 45 44 55 72 61 62 75 72 6E(Saltp是“aes256-cts-hmac-sha384-192”12400 |随机16字节有效UTF-8序列|“ATHENA.MIT.EDUraeburn”)256位基本密钥:45 BD 80 6D BF 6A 83 3A 9C FF C1 C9 45 89 A2 22 36 7A 79 BC 21 C4 13 71 89 06 E9 F5 78 A7 84 67

   Sample results for key derivation:
   ----------------------------------
        

   enctype aes128-cts-hmac-sha256-128:
   128-bit base-key:
       37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C
   Kc value for key usage 2 (label = 0x0000000299):
       B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
   Ke value for key usage 2 (label = 0x00000002AA):
       9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   Ki value for key usage 2 (label = 0x0000000255):
       9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C

   enctype aes256-cts-hmac-sha384-192:
   256-bit base-key:
       6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98
       00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52
   Kc value for key usage 2 (label = 0x0000000299):
       EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
       BA 41 F2 8F AF 69 E7 3D
   Ke value for key usage 2 (label = 0x00000002AA):
       56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
       A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   Ki value for key usage 2 (label = 0x0000000255):
       69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
       22 C4 D0 0F FC 23 ED 1F

   Sample encryptions (all using the default cipher state):
   --------------------------------------------------------
        

These sample encryptions use the above sample key derivation results, including use of the same base-key and key usage values.

The following test vectors are for enctype aes128-cts-hmac-sha256-128:

   Plaintext: (empty)
   Confounder:
       7E 58 95 EA F2 67 24 35 BA D8 17 F5 45 A3 71 48
   128-bit AES key (Ke):
       9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key (Ki):
       9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
       EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D
   Truncated HMAC Output:
       AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18
   Ciphertext (AES Output | HMAC Output):
       EF 85 FB 89 0B B8 47 2F 4D AB 20 39 4D CA 78 1D
       AD 87 7E DA 39 D5 0C 87 0C 0D 5A 0A 8E 48 C7 18

   Plaintext: (length less than block size)
       00 01 02 03 04 05
   Confounder:
       7B CA 28 5E 2F D4 13 0F B5 5B 1A 5C 83 BC 5B 24
   128-bit AES key (Ke):
       9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key (Ki):
       9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
       84 D7 F3 07 54 ED 98 7B AB 0B F3 50 6B EB 09 CF
       B5 54 02 CE F7 E6
   Truncated HMAC Output:
       87 7C E9 9E 24 7E 52 D1 6E D4 42 1D FD F8 97 6C
   Ciphertext:
       84 D7 F3 07 54 ED 98 7B AB 0B F3 50 6B EB 09 CF
       B5 54 02 CE F7 E6 87 7C E9 9E 24 7E 52 D1 6E D4
       42 1D FD F8 97 6C

   Plaintext: (length equals block size)
       00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Confounder:
       56 AB 21 71 3F F6 2C 0A 14 57 20 0F 6F A9 94 8F
   128-bit AES key (Ke):
       9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key (Ki):
       9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
       35 17 D6 40 F5 0D DC 8A D3 62 87 22 B3 56 9D 2A
       E0 74 93 FA 82 63 25 40 80 EA 65 C1 00 8E 8F C2
   Truncated HMAC Output:
       95 FB 48 52 E7 D8 3E 1E 7C 48 C3 7E EB E6 B0 D3
   Ciphertext:
       35 17 D6 40 F5 0D DC 8A D3 62 87 22 B3 56 9D 2A
       E0 74 93 FA 82 63 25 40 80 EA 65 C1 00 8E 8F C2
       95 FB 48 52 E7 D8 3E 1E 7C 48 C3 7E EB E6 B0 D3

   Plaintext: (length greater than block size)
       00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
       10 11 12 13 14
   Confounder:
       A7 A4 E2 9A 47 28 CE 10 66 4F B6 4E 49 AD 3F AC
   128-bit AES key (Ke):
       9B 19 7D D1 E8 C5 60 9D 6E 67 C3 E3 7C 62 C7 2E
   128-bit HMAC key (Ki):
       9F DA 0E 56 AB 2D 85 E1 56 9A 68 86 96 C2 6A 6C
   AES Output:
       72 0F 73 B1 8D 98 59 CD 6C CB 43 46 11 5C D3 36
       C7 0F 58 ED C0 C4 43 7C 55 73 54 4C 31 C8 13 BC
       E1 E6 D0 72 C1
   Truncated HMAC Output:
       86 B3 9A 41 3C 2F 92 CA 9B 83 34 A2 87 FF CB FC
   Ciphertext:
       72 0F 73 B1 8D 98 59 CD 6C CB 43 46 11 5C D3 36
       C7 0F 58 ED C0 C4 43 7C 55 73 54 4C 31 C8 13 BC
       E1 E6 D0 72 C1 86 B3 9A 41 3C 2F 92 CA 9B 83 34
       A2 87 FF CB FC

The following test vectors are for enctype aes256-cts-hmac-sha384-192:

   Plaintext: (empty)
   Confounder:
       F7 64 E9 FA 15 C2 76 47 8B 2C 7D 0C 4E 5F 58 E4
   256-bit AES key (Ke):
       56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
       A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key (Ki):
       69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
       22 C4 D0 0F FC 23 ED 1F
   AES Output:
       41 F5 3F A5 BF E7 02 6D 91 FA F9 BE 95 91 95 A0
   Truncated HMAC Output:
       58 70 72 73 A9 6A 40 F0 A0 19 60 62 1A C6 12 74
       8B 9B BF BE 7E B4 CE 3C
   Ciphertext:
       41 F5 3F A5 BF E7 02 6D 91 FA F9 BE 95 91 95 A0
       58 70 72 73 A9 6A 40 F0 A0 19 60 62 1A C6 12 74
       8B 9B BF BE 7E B4 CE 3C

   Plaintext: (length less than block size)
       00 01 02 03 04 05
   Confounder:
       B8 0D 32 51 C1 F6 47 14 94 25 6F FE 71 2D 0B 9A
   256-bit AES key (Ke):
       56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
       A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key (Ki):
       69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
       22 C4 D0 0F FC 23 ED 1F
   AES Output:
       4E D7 B3 7C 2B CA C8 F7 4F 23 C1 CF 07 E6 2B C7
       B7 5F B3 F6 37 B9
   Truncated HMAC Output:
       F5 59 C7 F6 64 F6 9E AB 7B 60 92 23 75 26 EA 0D
       1F 61 CB 20 D6 9D 10 F2
   Ciphertext:
       4E D7 B3 7C 2B CA C8 F7 4F 23 C1 CF 07 E6 2B C7
       B7 5F B3 F6 37 B9 F5 59 C7 F6 64 F6 9E AB 7B 60
       92 23 75 26 EA 0D 1F 61 CB 20 D6 9D 10 F2

   Plaintext: (length equals block size)
       00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
   Confounder:
       53 BF 8A 0D 10 52 65 D4 E2 76 42 86 24 CE 5E 63
   256-bit AES key (Ke):
       56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
       A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key (Ki):
       69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
       22 C4 D0 0F FC 23 ED 1F
   AES Output:
       BC 47 FF EC 79 98 EB 91 E8 11 5C F8 D1 9D AC 4B
       BB E2 E1 63 E8 7D D3 7F 49 BE CA 92 02 77 64 F6
   Truncated HMAC Output:
       8C F5 1F 14 D7 98 C2 27 3F 35 DF 57 4D 1F 93 2E
       40 C4 FF 25 5B 36 A2 66
   Ciphertext:
       BC 47 FF EC 79 98 EB 91 E8 11 5C F8 D1 9D AC 4B
       BB E2 E1 63 E8 7D D3 7F 49 BE CA 92 02 77 64 F6
       8C F5 1F 14 D7 98 C2 27 3F 35 DF 57 4D 1F 93 2E
       40 C4 FF 25 5B 36 A2 66

   Plaintext: (length greater than block size)
       00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
       10 11 12 13 14
   Confounder:
       76 3E 65 36 7E 86 4F 02 F5 51 53 C7 E3 B5 8A F1
   256-bit AES key (Ke):
       56 AB 22 BE E6 3D 82 D7 BC 52 27 F6 77 3F 8E A7
       A5 EB 1C 82 51 60 C3 83 12 98 0C 44 2E 5C 7E 49
   192-bit HMAC key (Ki):
       69 B1 65 14 E3 CD 8E 56 B8 20 10 D5 C7 30 12 B6
       22 C4 D0 0F FC 23 ED 1F
   AES Output:
       40 01 3E 2D F5 8E 87 51 95 7D 28 78 BC D2 D6 FE
       10 1C CF D5 56 CB 1E AE 79 DB 3C 3E E8 64 29 F2
       B2 A6 02 AC 86
   Truncated HMAC Output:
       FE F6 EC B6 47 D6 29 5F AE 07 7A 1F EB 51 75 08
       D2 C1 6B 41 92 E0 1F 62
   Ciphertext:
       40 01 3E 2D F5 8E 87 51 95 7D 28 78 BC D2 D6 FE
       10 1C CF D5 56 CB 1E AE 79 DB 3C 3E E8 64 29 F2
       B2 A6 02 AC 86 FE F6 EC B6 47 D6 29 5F AE 07 7A
       1F EB 51 75 08 D2 C1 6B 41 92 E0 1F 62
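To see how the AES Output, Truncated HMAC Output and Ciphertext fields above come about, here is an added Go example (not code from this RFC or from any Kerberos implementation) of the Section 5 encryption and decryption functions. It takes the confounder as a parameter only so that the vectors can be reproduced; real code must draw a fresh confounder from a CSPRNG for every message. The CBC-CS3 routines, ctsEncrypt and ctsDecrypt, are written on top of crypto/aes and crypto/cipher because the Go standard library has no ciphertext-stealing mode; the names enctype, tag, encrypt and decrypt are this example's own. The check a practitioner should notice is in decrypt: the truncated HMAC over IV | C is verified with a constant-time comparison before a single AES block is decrypted, and the confounder is stripped only afterwards.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
)

// Section 5 parameters: the HMAC hash and the truncated HMAC length h in bits.
type enctype struct {
	newHash func() hash.Hash
	macBits int
}

var aes128 = enctype{sha256.New, 128}
var aes256 = enctype{sha512.New384, 192}

// ctsEncrypt is CBC-CS3 (the ciphertext stealing of RFC 3962): zero-pad,
// CBC-encrypt, then emit the last block in full ahead of the truncated
// second-to-last block. pt is at least one block; the confounder ensures it.
func ctsEncrypt(blk cipher.Block, iv, pt []byte) []byte {
	bs := blk.BlockSize()
	n := (len(pt) + bs - 1) / bs
	c := make([]byte, n*bs)
	copy(c, pt) // the final partial block is zero-padded
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(c, c)
	if n == 1 {
		return c
	}
	d := len(pt) - (n-1)*bs // bytes in the final partial block
	out := append([]byte{}, c[:(n-2)*bs]...)
	out = append(out, c[(n-1)*bs:]...)
	return append(out, c[(n-2)*bs:(n-2)*bs+d]...)
}

// ctsDecrypt inverts ctsEncrypt: decrypting the full last block exposes the
// stolen tail of the second-to-last block, which rebuilds the CBC ciphertext.
func ctsDecrypt(blk cipher.Block, iv, ct []byte) []byte {
	bs := blk.BlockSize()
	n := (len(ct) + bs - 1) / bs
	cbc := make([]byte, n*bs)
	copy(cbc, ct)
	if n > 1 {
		d := len(ct) - (n-1)*bs
		cn := ct[(n-2)*bs : (n-1)*bs]
		dn := make([]byte, bs)
		blk.Decrypt(dn, cn)
		en1 := cbc[(n-2)*bs : (n-1)*bs]
		copy(en1, ct[(n-1)*bs:]) // stolen head of C_{n-1}
		copy(en1[d:], dn[d:])    // its tail, recovered from the last block
		copy(cbc[(n-1)*bs:], cn)
	}
	pt := make([]byte, n*bs)
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, cbc)
	return pt[:len(ct)]
}

// tag is HMAC(Ki, IV | C) truncated to h bits.
func tag(et enctype, ki, iv, c []byte) []byte {
	mac := hmac.New(et.newHash, ki)
	mac.Write(iv)
	mac.Write(c)
	return mac.Sum(nil)[:et.macBits/8]
}

// encrypt is the Section 5 encryption function; the IV (cipher state) is the
// all-zero default used by every vector above.
func encrypt(et enctype, ke, ki, confounder, plaintext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(ke)
	if err != nil || len(confounder) != aes.BlockSize {
		return nil, errors.New("bad key or confounder length")
	}
	iv := make([]byte, aes.BlockSize)
	c := ctsEncrypt(blk, iv, append(append([]byte{}, confounder...), plaintext...))
	return append(c, tag(et, ki, iv, c)...), nil
}

// decrypt checks the truncated HMAC in constant time before any AES
// decryption and only then strips the confounder.
func decrypt(et enctype, ke, ki, ciphertext []byte) ([]byte, error) {
	h := et.macBits / 8
	blk, err := aes.NewCipher(ke)
	if err != nil || len(ciphertext) < aes.BlockSize+h {
		return nil, errors.New("bad key or ciphertext length")
	}
	c, got := ciphertext[:len(ciphertext)-h], ciphertext[len(ciphertext)-h:]
	iv := make([]byte, aes.BlockSize)
	if !hmac.Equal(tag(et, ki, iv, c), got) {
		return nil, errors.New("integrity check failed")
	}
	return ctsDecrypt(blk, iv, c)[aes.BlockSize:], nil
}

func main() {
	// Ke, Ki and confounder of the aes128 "length less than block size" vector.
	ke, _ := hex.DecodeString("9b197dd1e8c5609d6e67c3e37c62c72e")
	ki, _ := hex.DecodeString("9fda0e56ab2d85e1569a688696c26a6c")
	conf, _ := hex.DecodeString("7bca285e2fd4130fb55b1a5c83bc5b24")
	ct, _ := encrypt(aes128, ke, ki, conf, []byte{0, 1, 2, 3, 4, 5})
	fmt.Printf("ciphertext %X\n", ct)
	ct[len(ct)-1] ^= 1 // a flipped tag bit is rejected before any AES runs
	_, err := decrypt(aes128, ke, ki, ct)
	fmt.Println("tampered:", err)
}
```

The swap of the last two blocks in ctsEncrypt is what makes "AES Output" for the 6-byte plaintext 22 bytes long with no padding on the wire: the truncated second-to-last block is emitted last, and the receiver recovers the missing bytes from the decryption of the full block in front of it.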

   Sample checksums:
   -----------------
        

These sample checksums use the above sample key derivation results, including use of the same base-key and key usage values.

   Checksum type: hmac-sha256-128-aes128
   128-bit HMAC key (Kc):
       B3 1A 01 8A 48 F5 47 76 F4 03 E9 A3 96 32 5D C3
   Plaintext:
       00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
       10 11 12 13 14
   Checksum:
       D7 83 67 18 66 43 D6 7B 41 1C BA 91 39 FC 1D EE

   Checksum type: hmac-sha384-192-aes256
   192-bit HMAC key (Kc):
       EF 57 18 BE 86 CC 84 96 3D 8B BB 50 31 E9 F5 C4
       BA 41 F2 8F AF 69 E7 3D
   Plaintext:
       00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
       10 11 12 13 14
   Checksum:
       45 EE 79 15 67 EE FC A3 7F 4A C1 E0 22 2D E8 0D
       43 C3 BF A0 66 99 67 2A

   Sample pseudorandom function (PRF) invocations:
   -----------------------------------------------
        

   PRF input octet-string: "test" (0x74657374)

   enctype aes128-cts-hmac-sha256-128:
   input-key value / HMAC-SHA-256 key:
       37 05 D9 60 80 C1 77 28 A0 E8 00 EA B6 E0 D2 3C
   HMAC-SHA-256 input message:
       00 00 00 01 70 72 66 00 74 65 73 74 00 00 01 00
   PRF output:
       9D 18 86 16 F6 38 52 FE 86 91 5B B8 40 B4 A8 86
       FF 3E 6B B0 F8 19 B4 9B 89 33 93 D3 93 85 42 95

   enctype aes256-cts-hmac-sha384-192:
   input-key value / HMAC-SHA-384 key:
       6D 40 4D 37 FA F7 9F 9D F0 D3 35 68 D3 20 66 98
       00 EB 48 36 47 2E A8 A0 26 D1 6B 71 82 46 0C 52
   HMAC-SHA-384 input message:
       00 00 00 01 70 72 66 00 74 65 73 74 00 00 01 80
   PRF output:
       98 01 F6 9A 36 8C 2B F6 75 E5 95 21 E1 77 D9 A0
       7F 67 EF E1 CF DE 8D 3C 8D 6F 6A 02 56 E3 B1 7D
       B3 C1 B6 2A D1 B8 55 33 60 D1 73 67 EB 15 14 D2
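The checksum vectors and the PRF vectors each come down to a single HMAC computation over a specific input, so the following added Go example (not code from this RFC or from any Kerberos implementation) reproduces both and covers the checksum passage as well as this PRF passage. It builds the PRF's HMAC input message in a separate function, prfMessage, so the bytes can be compared with the "input message" lines above, and pairs the checksum with a verifier that compares in constant time. The names enctype, checksum, verifyChecksum, prfMessage and prf are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
)

// enctype: the SHA-2 hash, the checksum length in bits, and the PRF output
// length in bits, which is the full hash output for both enctypes.
type enctype struct {
	newHash func() hash.Hash
	macBits int
	prfBits int
}

var (
	aes128 = enctype{sha256.New, 128, 256}
	aes256 = enctype{sha512.New384, 192, 384}
)

// checksum is hmac-sha256-128-aes128 / hmac-sha384-192-aes256: HMAC over the
// message under Kc, truncated to 128 or 192 bits.
func checksum(et enctype, kc, msg []byte) []byte {
	mac := hmac.New(et.newHash, kc)
	mac.Write(msg)
	return mac.Sum(nil)[:et.macBits/8]
}

// verifyChecksum recomputes and compares with hmac.Equal. A byte-by-byte
// comparison that stops at the first mismatch would leak how much of a
// forged checksum is already correct.
func verifyChecksum(et enctype, kc, msg, tag []byte) error {
	if len(tag) != et.macBits/8 || !hmac.Equal(checksum(et, kc, msg), tag) {
		return errors.New("checksum mismatch")
	}
	return nil
}

// prfMessage is the KDF-HMAC-SHA2 counter-mode input used by the PRF:
// 0x00000001 | "prf" | 0x00 | octet-string | k, with k the output length in
// bits (256 for aes128, 384 for aes256) as a 32-bit big-endian integer.
func prfMessage(et enctype, input []byte) []byte {
	msg := append([]byte{0, 0, 0, 1}, "prf"...)
	msg = append(msg, 0x00)
	msg = append(msg, input...)
	k := make([]byte, 4)
	binary.BigEndian.PutUint32(k, uint32(et.prfBits))
	return append(msg, k...)
}

// prf is PRF(input-key, octet-string) = KDF-HMAC-SHA2(input-key, "prf",
// octet-string, 256 or 384): one HMAC over prfMessage, keyed with the
// input key, taken in full.
func prf(et enctype, key, input []byte) []byte {
	mac := hmac.New(et.newHash, key)
	mac.Write(prfMessage(et, input))
	return mac.Sum(nil)[:et.prfBits/8]
}

func main() {
	kc, _ := hex.DecodeString("b31a018a48f54776f403e9a396325dc3")
	msg, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f1011121314")
	tag := checksum(aes128, kc, msg)
	fmt.Printf("checksum %X verify=%v\n", tag, verifyChecksum(aes128, kc, msg, tag))
	msg[0] ^= 1
	fmt.Println("modified message:", verifyChecksum(aes128, kc, msg, tag))
	key, _ := hex.DecodeString("3705d96080c17728a0e800eab6e0d23c")
	fmt.Printf("PRF input  %X\nPRF output %X\n", prfMessage(aes128, []byte("test")), prf(aes128, key, []byte("test")))
}
```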

Acknowledgements


Kelley Burgin was employed at the National Security Agency during much of the work on this document.


Authors' Addresses


Michael J. Jenkins National Security Agency


   Email: mjjenki@tycho.ncsc.mil
        

Michael A. Peck The MITRE Corporation


   Email: mpeck@mitre.org
        

Kelley W. Burgin


   Email: kelley.burgin@gmail.com
        