Next: , Previous: Overview, Up: Introduction


1.4 Cryptographic Overview

Shishi implements several of the standard cryptographic primitives. In this section we give the names of the supported encryption suites, and some notes about them, and their associated checksum suite.

Statements such as “it is weak” should be read as meaning that there is no credible security analysis of the mechanism available, and/or that should an attack be published publicly, few people would likely be surprised. Also keep in mind that the key size mentioned is the actual key size, not the effective key space as far as a brute force attack is concerned.

As you may infer from the descriptions, there is currently no encryption algorithm and only one checksum algorithm that inspire great confidence in its design. Hopefully this will change over time.

NULL
NULL is a dummy encryption suite for debugging. Encryption and decryption are identity functions. No integrity protection. It is weak. It is associated with the NULL checksum.
arcfour-hmac
arcfour-hmac-exp
arcfour-hmac-* are a proprietary stream cipher with 56 bit (arcfour-hmac-exp) or 128 bit (arcfour-hmac) keys, used in a proprietary way described in an expired IETF draft draft-brezak-win2k-krb-rc4-hmac-04.txt. Deriving keys from passwords is supported, and is done by computing a message digest (MD4) of a 16-bit Unicode representation of the ASCII password, with no salt. Data is integrity protected with a keyed hash (HMAC-MD5), where the key is derived from the base key in a creative way. It is weak. It is associated with the arcfour-hmac-md5 checksum.
des-cbc-none
des-cbc-none is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using a zero IV. The keys can be derived from passwords by an obscure application specific algorithm. It is weak, because it offers no integrity protection. This is typically only used by RFC 1964 GSS-API implementations (which try to protect integrity using an ad-hoc solution). It is associated with the NULL checksum.
des-cbc-crc
des-cbc-crc is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using the key as IV (see Key as initialization vector). The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted CRC32-like checksum. It is weak. It is associated with the rsa-md5-des checksum.
des-cbc-md4
des-cbc-md4 is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using a zero IV. The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted MD4 hash. It is weak. It is associated with the rsa-md4-des checksum.
des-cbc-md5
des-cbc-md5 is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using a zero IV. The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted MD5 hash. It is weak. It is associated with the rsa-md5-des checksum. This is the strongest RFC 1510 interoperable encryption mechanism.
des3-cbc-none
des3-cbc-none is DES encryption and decryption with three 56 bit keys (effective key size 112 bits) and 8 byte blocks in CBC mode. The keys can be derived from passwords by the same algorithm as des3-cbc-sha1-kd. It is weak, because it offers no integrity protection. This is typically only used by GSS-API implementations (which try to protect integrity using an ad-hoc solution) for interoperability with some existing Kerberos GSS implementations. It is associated with the NULL checksum.
des3-cbc-sha1-kd
des3-cbc-sha1-kd is DES encryption and decryption with three 56 bit keys (effective key size 112 bits) and 8 byte blocks in CBC mode. The keys can be derived from passwords by a algorithm based on the paper "A Better Key Schedule For DES-like Ciphers" 1 by Uri Blumenthal and Steven M. Bellovin (it is not clear if the algorithm, and the way it is used, is used by any other protocols, although it seems unlikely). Data is integrity protected with a keyed SHA1 hash in HMAC mode. It has no security proof, but is assumed to provide adequate security in the sense that knowledge on how to crack it is not known to the public. Note that the key derivation function is not widely used outside of Kerberos, hence not widely studied. It is associated with the hmac-sha1-des3-kd checksum.
aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 is AES encryption and decryption with 128 bit and 256 bit key, respectively, and 16 byte blocks in CBC mode with Cipher Text Stealing. Cipher Text Stealing means data length of encrypted data is preserved (pure CBC add up to 7 pad characters). The keys can be derived from passwords with RSA Laboratories PKCS#5 Password Based Key Derivation Function 22, which is allegedly provably secure in a random oracle model. Data is integrity protected with a keyed SHA1 hash, in HMAC mode, truncated to 96 bits. There is no security proof, but the schemes are assumed to provide adequate security in the sense that knowledge on how to crack them is not known to the public. Note that AES has yet to receive the test of time, and the AES cipher encryption mode (CBC with Ciphertext Stealing, and a non-standard IV output) is not widely standardized (hence not widely studied). It is associated with the hmac-sha1-96-aes128 and hmac-sha1-96-aes256 checksums, respectively.

The protocol do not include any way to negotiate which checksum mechanisms to use, so in most cases the associated checksum will be used. However, checksum mechanisms can be used with other encryption mechanisms, as long as they are compatible in terms of key format etc. Here are the names of the supported checksum mechanisms, with some notes on their status and the compatible encryption mechanisms. They are ordered by increased security as perceived by the author.

NULL
NULL is a dummy checksum suite for debugging. It provides no integrity. It is weak. It is compatible with the NULL encryption mechanism.
arcfour-hmac-md5
arcfour-hmac-md5 is a keyed HMAC-MD5 checksum computed on a MD5 message digest, in turn computed on a four byte message type indicator concatenated with the application data. (The arcfour designation is thus somewhat misleading, but since this checksum mechanism is described in the same document as the arcfour encryption mechanisms, it is not a completely unnatural designation.) It is weak. It is compatible with all encryption mechanisms.
rsa-md4
rsa-md4 is a unkeyed MD4 hash computed over the message. It is weak, because it is unkeyed. However applications can, with care, use it non-weak ways (e.g., by including the hash in other messages that are protected by other means). It is compatible with all encryption mechanisms.
rsa-md4-des
rsa-md4-des is a DES CBC encryption of one block of random data and a unkeyed MD4 hash computed over the random data and the message to integrity protect. The key used is derived from the base protocol key by XOR with a constant. It is weak. It is compatible with the des-cbc-crc, des-cbc-md4, des-cbc-md5 encryption mechanisms.
rsa-md5
rsa-md5 is a unkeyed MD5 hash computed over the message. It is weak, because it is unkeyed. However applications can, with care, use it non-weak ways (e.g., by including the hash in other messages that are protected by other means). It is compatible with all encryption mechanisms.
rsa-md5-des
rsa-md5-des is a DES CBC encryption of one block of random data and a unkeyed MD5 hash computed over the random data and the message to integrity protect. The key used is derived from the base protocol key by XOR with a constant. It is weak. It is compatible with the des-cbc-crc, des-cbc-md4, des-cbc-md5 encryption mechanisms.
hmac-sha1-des3-kd
hmac-sha1-des3-kd is a keyed SHA1 hash in HMAC mode computed over the message. The key is derived from the base protocol by the simplified key derivation function (similar to the password key derivation functions of des3-cbc-sha1-kd, which does not appear to be widely used outside Kerberos and hence not widely studied). It has no security proof, but is assumed to provide good security. The weakest part is likely the proprietary key derivation function. It is compatible with the des3-cbc-sha1-kd encryption mechanism.
hmac-sha1-96-aes128
hmac-sha1-96-aes256
hmac-sha1-96-aes* are keyed SHA1 hashes in HMAC mode computed over the message and then truncated to 96 bits. The key is derived from the base protocol by the simplified key derivation function (similar to the password key derivation functions of aes*-cts-hmac-sha1-96, i.e., PKCS#5). It has no security proof, but is assumed to provide good security. It is compatible with the aes*-cts-hmac-sha1-96 encryption mechanisms.

Several of the cipher suites have long names that can be hard to memorize. For your convenience, the following short-hand aliases exists. They can be used wherever the full encryption names are used.

arcfour
Alias for arcfour-hmac.
des-crc
Alias for des-cbc-crc.
des-md4
Alias for des-cbc-md4.
des-md5
des
Alias for des-cbc-md5.
des3
3des
Alias for des3-cbc-sha1-kd.
aes128
Alias for aes128-cts-hmac-sha1-96.
aes
aes256
Alias for aes256-cts-hmac-sha1-96.

Footnotes

[1] http://www.research.att.com/~smb/papers/ides.pdf

[2] http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/