3.4.5.4.1 Kerberos Binding of GSS_WrapEx()

Kerberos GSS_WrapEx() depends on the encryption type of the session key for the context. The algorithms depend on which Kerberos encryption ciphers are negotiated by the Kerberos protocol.

If the session key encryption type is AES128-CTS-HMAC-SHA1-96 or AES256-CTS-HMAC-SHA1-96 (as specified in [RFC3961]):

  • The base line is [RFC4121].

  • The encrypted data is per [RFC3961] (on which [RFC4121] is based), as follows.

     C1 | H1[1..h]

    where

     (C1, newIV) = E(Ke, conf | plaintext | pad, oldstate.ivec)
     H1 = HMAC(Ki, conf | plaintext | pad)

    where the "plaintext" is all the input data buffers supplied to GSS_WrapEx(), concatenated in the order given by the ordered list, input_message.

The "plaintext" in [RFC3961] corresponds to "plaintext-data | filler | header" in [RFC4121] GSS_Wrap (see section 4.2.4). In GSS_WrapEx, the AES-SHA1 ciphers use different values for "plaintext-data", and thus for "plaintext", for encryption and for checksum. For encryption, the "plaintext-data" is the concatenation, in order, of all the buffers where conf_req_flag == TRUE. For checksum, the "plaintext-data" is the concatenation, in order, of all the input buffers, including those that are only marked with sign == TRUE.

Pad: For AES-SHA1 ciphers using GSS_WrapEx, the extra count (EC) must not be zero. The sender should set the extra count (EC) to one block (16 bytes). The recipient must follow the extra count (EC) field in the wrap header to know how many of the decrypted bytes are just padding and must be discarded from the result.

The RRC field ([RFC4121] section 4.2.5) is 12 if no encryption is requested or 28 if encryption is requested. The RRC field is chosen such that all the data can be encrypted in place. The trailing meta-data H1 is rotated by RRC+EC bytes, which is different from RRC alone. Thus, the token buffer contains the header ([RFC4121] section 4.2.6.2) with the rotated H1 that is placed before the encrypted confounder and after the header.
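The AES-SHA1 rules above (two different "plaintext-data" values, EC = one block, rotation by RRC+EC rather than RRC) as an added example in Python; this is not code from [MS-KILE] or from any Kerberos implementation. The AES-CTS E(Ke, .) primitive and the RFC3961 key derivation are assumed to be supplied by the caller as the `encrypt`/`decrypt` callables and `ki`; the function and parameter names are the example's own.

```python
import hmac, hashlib, os
from typing import Callable, List, Tuple

BLOCK, HDR_LEN, CKSUM_LEN = 16, 16, 12   # AES block, [RFC4121] header, HMAC-SHA1-96
Buffers = List[Tuple[bytes, bool, bool]]  # ordered (data, conf_req_flag, sign)

def select_plaintexts(input_message: Buffers) -> Tuple[bytes, bytes]:
    """Encryption: conf_req_flag buffers only; checksum: those plus sign-only buffers, in order."""
    to_encrypt = b"".join(d for d, conf, _ in input_message if conf)
    to_sign = b"".join(d for d, conf, sign in input_message if conf or sign)
    return to_encrypt, to_sign

def wrap_ex(header: bytes, input_message: Buffers, encrypt: Callable[[bytes], bytes],
            ki: bytes, ec: int = BLOCK, rrc: int = 28, conf: bytes = b"") -> bytes:
    """Returns header | rotate_right(C1 | H1, rrc + ec).  `encrypt` stands for
    the AES-CTS E(Ke, .) of [RFC3961] over conf | plaintext (CTS needs no pad);
    the caller supplies it, it is not implemented here (assumption)."""
    enc_data, sign_data = select_plaintexts(input_message)
    conf = conf or os.urandom(BLOCK)
    filler = b"\x00" * ec                   # EC filler octets, dropped by the receiver
    # the covered copy of the header carries EC but RRC = 0; RRC is filled in after
    covered = header[:4] + ec.to_bytes(2, "big") + b"\x00\x00" + header[8:]
    c1 = encrypt(conf + enc_data + filler + covered)
    h1 = hmac.new(ki, conf + sign_data + filler + covered, hashlib.sha1).digest()[:CKSUM_LEN]
    body, n = c1 + h1, rrc + ec              # rotation amount is RRC + EC, not RRC
    out_header = covered[:6] + rrc.to_bytes(2, "big") + covered[8:]
    return out_header + body[-n:] + body[:-n]   # trailer now precedes conf | data

def unwrap_ex(token: bytes, input_message: Buffers, decrypt: Callable[[bytes], bytes],
              ki: bytes) -> Tuple[bool, bytes]:
    """Reads EC/RRC from the header, undoes the rotation, discards the EC filler
    and verifies H1 over the decrypted conf buffers plus the clear sign-only ones."""
    header, body = token[:HDR_LEN], token[HDR_LEN:]
    ec, rrc = int.from_bytes(header[4:6], "big"), int.from_bytes(header[6:8], "big")
    body = body[rrc + ec:] + body[:rrc + ec]  # rotate left back to C1 | H1
    c1, h1 = body[:-CKSUM_LEN], body[-CKSUM_LEN:]
    pt = decrypt(c1)                         # conf | enc_data | filler | covered header
    conf, tail = pt[:BLOCK], pt[-(ec + HDR_LEN):]
    enc_data = pt[BLOCK:len(pt) - ec - HDR_LEN]   # the EC filler bytes are padding
    if tail[ec:] != header[:6] + b"\x00\x00" + header[8:]:
        return False, b""
    parts, pos = [], 0                       # rebuild the checksum plaintext in order
    for d, conf_flag, sign in input_message:
        if conf_flag:
            parts.append(enc_data[pos:pos + len(d)]); pos += len(d)
        elif sign:
            parts.append(d)
    expected = hmac.new(ki, conf + b"".join(parts) + tail, hashlib.sha1).digest()[:CKSUM_LEN]
    return hmac.compare_digest(h1, expected), enc_data
```

With EC = 16 and RRC = 28 the rotated trailer (encrypted filler, encrypted header, H1) plus the encrypted confounder occupy 60 bytes after the 16-byte header, so the ciphertext of the conf_req_flag buffers always lands last and can overwrite those buffers in place.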

If the session key encryption type is DES-CBC-MD5 or DES-CBC-CRC per [RFC3961]:

  • The base line is [RFC1964].

  • The ordered list contains the header ([RFC1964] section 1.2.2 and its errata), then DER(Kerberos OID | Token | Encrypted Data | Padding).

  • The data is encrypted in place.

The "to-be-signed data" in [RFC1964] section 1.2.2.1 is a concatenation of all the input_message data for which sign == TRUE. Only the input data with encrypt set to TRUE is encrypted in output_message. The InitialContextToken header as specified in [RFC1964] section 1.1 is included at the beginning of the ordered list.

For [MS-RPCE], the length field in the above pseudo ASN.1 header does not include the length of the concatenated data if [RFC1964] is used.

If the session key encryption type is RC4-HMAC or RC4-HMAC-EXP per [RFC3961]:

  • The base line is [RFC4757].

  • The ordered list contains the header ([RFC4757] section 7.3).

  • The data (excluding buffers whose conf_req_flag is set to FALSE) is encrypted in place.

The "to-be-signed data" is a concatenation of all the input buffers for which sign == TRUE. The InitialContextToken pseudo ASN.1 header is included at the beginning of the token header.