Shishi implements several of the standard cryptographic primitives. In this section we give the names of the supported encryption suites, some notes about them, and their associated checksum suites.
Statements such as “it is weak” should be read as meaning that there is no credible security analysis of the mechanism available, and/or that should an attack be published publicly, few people would likely be surprised. Also keep in mind that the key size mentioned is the actual key size, not the effective key space as far as a brute force attack is concerned.
As you may infer from the descriptions, there is currently no encryption algorithm, and only one checksum algorithm, that inspires great confidence in its design. Hopefully this will change over time.
NULL
    NULL is a dummy encryption suite for debugging. Encryption and decryption are identity functions. No integrity protection. It is weak. It is associated with the NULL checksum.
arcfour-hmac
arcfour-hmac-exp
    arcfour-hmac-* are a proprietary stream cipher with 56 bit (arcfour-hmac-exp) or 128 bit (arcfour-hmac) keys, used in a proprietary way described in an expired IETF draft, draft-brezak-win2k-krb-rc4-hmac-04.txt. Deriving keys from passwords is supported, and is done by computing a message digest (MD4) of a 16-bit Unicode representation of the ASCII password, with no salt. Data is integrity protected with a keyed hash (HMAC-MD5), where the key is derived from the base key in a creative way. It is weak. It is associated with the arcfour-hmac-md5 checksum.
des-cbc-none
    des-cbc-none is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using a zero IV. The keys can be derived from passwords by an obscure application specific algorithm. It is weak, because it offers no integrity protection. This is typically only used by RFC 1964 GSS-API implementations (which try to protect integrity using an ad-hoc solution). It is associated with the NULL checksum.
des-cbc-crc
    des-cbc-crc is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using the key as IV (see Key as initialization vector). The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted CRC32-like checksum. It is weak. It is associated with the rsa-md5-des checksum.
des-cbc-md4
    des-cbc-md4 is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using a zero IV. The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted MD4 hash. It is weak. It is associated with the rsa-md4-des checksum.
des-cbc-md5
    des-cbc-md5 is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using a zero IV. The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted MD5 hash. It is weak. It is associated with the rsa-md5-des checksum.

    This is the strongest RFC 1510 interoperable encryption mechanism.
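The "unkeyed but encrypted" checksum of the des-cbc-md4/md5 family is easiest to understand from the message layout. The following is an added example, not Shishi's code: it follows the RFC 3961 section 6.2 layout (random confounder | checksum | data | zero pad), DES-CBC with a zero IV as described above, and an MD5 checksum that is computed with the checksum field zeroed and then travels inside the ciphertext. The 8-byte key and the message are constructed values; the function names are this example's own.

```go
package main

// Added example (not Shishi code): des-cbc-md5 style encryption with an
// encrypted, unkeyed MD5 checksum, after RFC 3961 section 6.2.
import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"crypto/rand"
	"errors"
	"fmt"
)

var zeroIV = make([]byte, des.BlockSize) // des-cbc-md5 uses a zero IV

// desCBCMD5Encrypt builds confounder | md5 | msg | zero-pad, computes the MD5
// over that layout with the checksum field zeroed, fills the field in, and
// DES-CBC encrypts the whole buffer. The checksum is unkeyed; its only
// protection is that it is inside the ciphertext.
func desCBCMD5Encrypt(key, msg []byte) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	conf := make([]byte, des.BlockSize)
	if _, err := rand.Read(conf); err != nil { // random confounder: equal messages encrypt differently
		return nil, err
	}
	padLen := (des.BlockSize - (len(conf)+md5.Size+len(msg))%des.BlockSize) % des.BlockSize
	buf := make([]byte, 0, len(conf)+md5.Size+len(msg)+padLen)
	buf = append(buf, conf...)
	buf = append(buf, make([]byte, md5.Size)...) // checksum field, zero while hashing
	buf = append(buf, msg...)
	buf = append(buf, make([]byte, padLen)...)
	sum := md5.Sum(buf)
	copy(buf[des.BlockSize:], sum[:])
	cipher.NewCBCEncrypter(blk, zeroIV).CryptBlocks(buf, buf)
	return buf, nil
}

// desCBCMD5Decrypt decrypts, re-zeroes the checksum field, recomputes the MD5
// and compares. It returns msg followed by the zero pad: this mechanism
// carries no length field, so stripping the pad is left to the application.
func desCBCMD5Decrypt(key, ct []byte) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < des.BlockSize+md5.Size || len(ct)%des.BlockSize != 0 {
		return nil, errors.New("des-cbc-md5: ciphertext too short or not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, zeroIV).CryptBlocks(pt, ct)
	got := make([]byte, md5.Size)
	copy(got, pt[des.BlockSize:des.BlockSize+md5.Size])
	copy(pt[des.BlockSize:des.BlockSize+md5.Size], make([]byte, md5.Size))
	want := md5.Sum(pt)
	if !bytes.Equal(got, want[:]) {
		return nil, errors.New("des-cbc-md5: checksum mismatch")
	}
	return pt[des.BlockSize+md5.Size:], nil
}

func main() {
	key := []byte{0x0e, 0x32, 0x9a, 0x4d, 0x2b, 0x8c, 0x61, 0xf7} // constructed DES key
	ct, err := desCBCMD5Encrypt(key, []byte("Hello, Kerberos"))
	if err != nil {
		panic(err)
	}
	pt, err := desCBCMD5Decrypt(key, ct)
	fmt.Printf("ciphertext %d bytes, recovered %q, err=%v\n", len(ct), pt, err)
	ct[len(ct)-1] ^= 1 // any change to the ciphertext garbles the plaintext and breaks the MD5
	_, err = desCBCMD5Decrypt(key, ct)
	fmt.Println("after modification:", err)
}
```

The point to take from running it is the one the entry makes: the checksum is detected-on-decrypt only because the attacker cannot compute a valid MD5 over a plaintext they cannot see, not because the checksum itself is keyed.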
des3-cbc-none
    des3-cbc-none is DES encryption and decryption with three 56 bit keys (effective key size 112 bits) and 8 byte blocks in CBC mode. The keys can be derived from passwords by the same algorithm as des3-cbc-sha1-kd. It is weak, because it offers no integrity protection. This is typically only used by GSS-API implementations (which try to protect integrity using an ad-hoc solution) for interoperability with some existing Kerberos GSS implementations. It is associated with the NULL checksum.
des3-cbc-sha1-kd
    des3-cbc-sha1-kd is DES encryption and decryption with three 56 bit keys (effective key size 112 bits) and 8 byte blocks in CBC mode. The keys can be derived from passwords by an algorithm based on the paper "A Better Key Schedule For DES-like Ciphers" [1] by Uri Blumenthal and Steven M. Bellovin (it is not clear if the algorithm, and the way it is used, is used by any other protocols, although it seems unlikely). Data is integrity protected with a keyed SHA1 hash in HMAC mode. It has no security proof, but is assumed to provide adequate security in the sense that knowledge of how to crack it is not known to the public. Note that the key derivation function is not widely used outside of Kerberos, hence not widely studied. It is associated with the hmac-sha1-des3-kd checksum.
aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96
    aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 are AES encryption and decryption with 128 bit and 256 bit keys, respectively, and 16 byte blocks in CBC mode with Cipher Text Stealing. Cipher Text Stealing means that the length of the encrypted data is preserved (pure CBC adds up to 7 pad characters). The keys can be derived from passwords with RSA Laboratories PKCS#5 Password Based Key Derivation Function 2 [2], which is allegedly provably secure in a random oracle model. Data is integrity protected with a keyed SHA1 hash, in HMAC mode, truncated to 96 bits. There is no security proof, but the schemes are assumed to provide adequate security in the sense that knowledge of how to crack them is not known to the public. Note that AES has yet to receive the test of time, and the AES cipher encryption mode (CBC with Ciphertext Stealing, and a non-standard IV output) is not widely standardized (hence not widely studied). It is associated with the hmac-sha1-96-aes128 and hmac-sha1-96-aes256 checksums, respectively.
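To make the "length is preserved" property concrete, here is an added example (not Shishi's code) of AES-CBC with ciphertext stealing in the CBC-CS3 form used by RFC 3962, where the last two ciphertext blocks are always swapped and the trailing one is truncated to the length of the final partial plaintext block. It takes a caller-supplied IV (all zero here) and does not model the chained IV output the entry above calls non-standard; the key, IV and message are constructed values and the function names are this example's own. RFC 3962 publishes test vectors for this mode in its appendix, which is the check to run against any implementation of it.

```go
package main

// Added example (not Shishi code): AES-CBC with ciphertext stealing (CBC-CS3),
// showing that ciphertext length equals plaintext length.
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

func xorBytes(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// ctsEncrypt runs ordinary CBC over all blocks but the last, zero-pads and chains
// the final (possibly partial, d bytes) block, then emits ... C_{m-2} | C_m | C_{m-1}[:d].
func ctsEncrypt(block cipher.Block, iv, pt []byte) ([]byte, error) {
	bs, n := block.BlockSize(), len(pt)
	if n < bs {
		return nil, errors.New("cts: plaintext shorter than one block")
	}
	out := make([]byte, n)
	if n == bs { // one block is plain CBC; nothing to steal
		xorBytes(out, pt, iv)
		block.Encrypt(out, out)
		return out, nil
	}
	d := n % bs
	if d == 0 {
		d = bs
	}
	full := ((n+bs-1)/bs - 1) * bs // bytes covered by the first m-1 blocks
	prev := iv
	for i := 0; i < full; i += bs {
		xorBytes(out[i:i+bs], pt[i:i+bs], prev)
		block.Encrypt(out[i:i+bs], out[i:i+bs])
		prev = out[i : i+bs]
	}
	cPrev := append([]byte(nil), prev...) // C_{m-1}, about to be overwritten
	last := make([]byte, bs)
	copy(last, pt[full:]) // P_m zero-padded to a full block
	xorBytes(last, last, cPrev)
	block.Encrypt(last, last) // C_m
	copy(out[full-bs:full], last)
	copy(out[full:], cPrev[:d]) // the stolen d bytes of C_{m-1}
	return out, nil
}

// ctsDecrypt decrypts C_m to get C_{m-1} XOR (P_m||0); the stolen bytes give P_m
// and the decrypted tail restores the missing part of C_{m-1}.
func ctsDecrypt(block cipher.Block, iv, ct []byte) ([]byte, error) {
	bs, n := block.BlockSize(), len(ct)
	if n < bs {
		return nil, errors.New("cts: ciphertext shorter than one block")
	}
	out := make([]byte, n)
	if n == bs {
		block.Decrypt(out, ct)
		xorBytes(out, out, iv)
		return out, nil
	}
	d := n % bs
	if d == 0 {
		d = bs
	}
	full := ((n+bs-1)/bs - 1) * bs
	dec := make([]byte, bs)
	block.Decrypt(dec, ct[full-bs:full])       // C_{m-1} XOR (P_m || 0)
	cPrev := append([]byte(nil), ct[full:]...) // first d bytes of C_{m-1}
	cPrev = append(cPrev, dec[d:]...)          // rest of C_{m-1} comes from dec
	xorBytes(out[full:], dec[:d], ct[full:])   // P_m
	prev := iv
	for i := 0; i < full-bs; i += bs {
		block.Decrypt(out[i:i+bs], ct[i:i+bs])
		xorBytes(out[i:i+bs], out[i:i+bs], prev)
		prev = ct[i : i+bs]
	}
	block.Decrypt(out[full-bs:full], cPrev)
	xorBytes(out[full-bs:full], out[full-bs:full], prev)
	return out, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed AES-128 key
	block, _ := aes.NewCipher(key)
	iv := make([]byte, aes.BlockSize)
	msg := []byte("a message whose length is not a multiple of sixteen")
	ct, _ := ctsEncrypt(block, iv, msg)
	pt, _ := ctsDecrypt(block, iv, ct)
	fmt.Printf("plaintext %d bytes -> ciphertext %d bytes, roundtrip ok: %v\n",
		len(msg), len(ct), bytes.Equal(pt, msg))
}
```

Because the swap happens even when the plaintext is a whole number of blocks, a CTS decryptor cannot be replaced by a plain CBC decryptor for aligned inputs; the final two blocks still come out reversed.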
The protocol does not include any way to negotiate which checksum mechanism to use, so in most cases the associated checksum will be used. However, checksum mechanisms can be used with other encryption mechanisms, as long as they are compatible in terms of key format etc. Here are the names of the supported checksum mechanisms, with some notes on their status and the compatible encryption mechanisms. They are ordered by increasing security as perceived by the author.
NULL
    NULL is a dummy checksum suite for debugging. It provides no integrity. It is weak. It is compatible with the NULL encryption mechanism.
arcfour-hmac-md5
    arcfour-hmac-md5 is a keyed HMAC-MD5 checksum computed on an MD5 message digest, in turn computed on a four byte message type indicator concatenated with the application data. (The arcfour designation is thus somewhat misleading, but since this checksum mechanism is described in the same document as the arcfour encryption mechanisms, it is not a completely unnatural designation.) It is weak. It is compatible with all encryption mechanisms.
rsa-md4
    rsa-md4 is an unkeyed MD4 hash computed over the message. It is weak, because it is unkeyed. However, applications can, with care, use it in non-weak ways (e.g., by including the hash in other messages that are protected by other means). It is compatible with all encryption mechanisms.
rsa-md4-des
    rsa-md4-des is a DES CBC encryption of one block of random data and an unkeyed MD4 hash computed over the random data and the message to integrity protect. The key used is derived from the base protocol key by XOR with a constant. It is weak. It is compatible with the des-cbc-crc, des-cbc-md4 and des-cbc-md5 encryption mechanisms.
rsa-md5
    rsa-md5 is an unkeyed MD5 hash computed over the message. It is weak, because it is unkeyed. However, applications can, with care, use it in non-weak ways (e.g., by including the hash in other messages that are protected by other means). It is compatible with all encryption mechanisms.
rsa-md5-des
    rsa-md5-des is a DES CBC encryption of one block of random data and an unkeyed MD5 hash computed over the random data and the message to integrity protect. The key used is derived from the base protocol key by XOR with a constant. It is weak. It is compatible with the des-cbc-crc, des-cbc-md4 and des-cbc-md5 encryption mechanisms.
hmac-sha1-des3-kd
    hmac-sha1-des3-kd is a keyed SHA1 hash in HMAC mode computed over the message. The key is derived from the base protocol key by the simplified key derivation function (similar to the password key derivation function of des3-cbc-sha1-kd, which does not appear to be widely used outside Kerberos and hence is not widely studied). It has no security proof, but is assumed to provide good security. The weakest part is likely the proprietary key derivation function. It is compatible with the des3-cbc-sha1-kd encryption mechanism.
hmac-sha1-96-aes128
hmac-sha1-96-aes256
    hmac-sha1-96-aes* are keyed SHA1 hashes in HMAC mode computed over the message and then truncated to 96 bits. The key is derived from the base protocol key by the simplified key derivation function (similar to the password key derivation function of aes*-cts-hmac-sha1-96, i.e., PKCS#5). They have no security proof, but are assumed to provide good security. They are compatible with the aes*-cts-hmac-sha1-96 encryption mechanisms.
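The two HMAC-SHA1 building blocks named in this list and in the aes*-cts-hmac-sha1-96 entry above, PKCS#5 PBKDF2 for turning a password into key material and a 96-bit truncated HMAC-SHA1 as the checksum, are shown together in the following added example (not Shishi's code). PBKDF2 is written out from RFC 2898 so the iteration structure is visible, and the checksum is verified with a constant-time comparison so that the unkeyed weakness of rsa-md4/rsa-md5 does not reappear as a timing side channel. The example does not model the further Kerberos key derivation steps (RFC 3962 feeds the PBKDF2 output through another derivation, and RFC 3961 derives a per-usage checksum key from the base key); the password, salt, checksum key and message are constructed values and the function names are this example's own.

```go
package main

// Added example (not Shishi code): PBKDF2-HMAC-SHA1 from RFC 2898, and an
// hmac-sha1-96 style checksum with constant-time verification.
import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

const tagLen = 12 // 96 bits

// pbkdf2SHA1 derives keyLen bytes: for each output block, U_1 = PRF(salt || INT(i)),
// U_j = PRF(U_{j-1}), and the block is U_1 XOR ... XOR U_c.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	out := make([]byte, 0, keyLen+prf.Size())
	for blk := uint32(1); len(out) < keyLen; blk++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(blk >> 24), byte(blk >> 16), byte(blk >> 8), byte(blk)})
		u := prf.Sum(nil) // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // iterations are what make password guessing slow
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// checksum96 is HMAC-SHA1 over msg, keeping only the first 96 bits.
func checksum96(key, msg []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(msg)
	return m.Sum(nil)[:tagLen]
}

// verify96 recomputes the tag and compares with hmac.Equal, which does not
// stop at the first differing byte.
func verify96(key, msg, tag []byte) bool {
	return len(tag) == tagLen && hmac.Equal(checksum96(key, msg), tag)
}

func main() {
	// RFC 6070 test vector: PBKDF2-HMAC-SHA1("password", "salt", c=1, dkLen=20)
	fmt.Println(hex.EncodeToString(pbkdf2SHA1([]byte("password"), []byte("salt"), 1, 20)))
	// Constructed password and salt; 4096 iterations, 16 bytes of key material.
	key := pbkdf2SHA1([]byte("constructed password"), []byte("constructed salt"), 4096, 16)
	msg := []byte("constructed message bytes")
	tag := checksum96(key, msg)
	fmt.Println("tag bytes:", len(tag), "valid:", verify96(key, msg, tag),
		"modified message valid:", verify96(key, append(msg, '!'), tag))
}
```

Two practical points follow from the code: the salt is what stops one precomputed table from covering every user, so it must differ per principal, and the truncation to 96 bits is applied after the full HMAC is computed, never by truncating the key.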
Several of the cipher suites have long names that can be hard to memorize. For your convenience, the following short-hand aliases exist. They can be used wherever the full encryption names are used.
arcfour
    arcfour-hmac.
des-crc
    des-cbc-crc.
des-md4
    des-cbc-md4.
des-md5
des
    des-cbc-md5.
des3
3des
    des3-cbc-sha1-kd.
aes128
    aes128-cts-hmac-sha1-96.
aes
aes256
    aes256-cts-hmac-sha1-96.