2.4. Cryptographic Overview

Shishi implements several of the standard cryptographic primitives. In this section we list the supported encryption suites, with some notes about each and the checksum suite associated with it.

Statements such as "it is weak" should be read as meaning that there is no credible security analysis of the mechanism available, and/or that should an attack be published, few people would likely be surprised. Also keep in mind that the key size mentioned is the actual key size, not the effective key space as far as a brute force attack is concerned.

NULL

NULL is a dummy encryption suite for debugging. Encryption and decryption are identity functions. No integrity protection. It is weak. It is associated with the NULL checksum.

arcfour-hmac, arcfour-hmac-exp

arcfour-hmac-* use a proprietary stream cipher with 56 bit (arcfour-hmac-exp) or 128 bit (arcfour-hmac) keys, used in a proprietary way described in an expired IETF draft, draft-brezak-win2k-krb-rc4-hmac-04.txt. Deriving keys from passwords is supported, and is done by computing a message digest (MD4) of a 16-bit Unicode representation of the ASCII password, with no salt. Data is integrity protected with a keyed hash (HMAC-MD5), where the key is derived from the base key in a creative way. It is weak. It is associated with the arcfour-hmac-md5 checksum.

des-cbc-crc

des-cbc-crc is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using the key as IV. The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted CRC32-like checksum. It is weak. It is associated with the rsa-md5-des checksum.

des-cbc-md4

des-cbc-md4 is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using a zero IV. The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted MD4 hash. It is weak. It is associated with the rsa-md4-des checksum.

des-cbc-md5

des-cbc-md5 is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using a zero IV. The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted MD5 hash. It is weak. It is associated with the rsa-md5-des checksum. This is the strongest RFC 1510 interoperable encryption mechanism.

des3-cbc-sha1-kd

des3-cbc-sha1-kd is DES encryption and decryption with three 56 bit keys (effective key size 112 bits) and 8 byte blocks in CBC mode. The keys can be derived from passwords by an algorithm based on the paper "A Better Key Schedule For DES-like Ciphers" [1] by Uri Blumenthal and Steven M. Bellovin (it is not clear whether the algorithm, or the way it is used here, is used by any other protocol, although it seems unlikely). Data is integrity protected with a keyed SHA1 hash in HMAC mode. It has no security proof, but is assumed to provide adequate security in the sense that knowledge of how to crack it is not known to the public. Note that the key derivation function is not widely used outside of Kerberos, hence not widely studied. It is associated with the hmac-sha1-des3-kd checksum.

aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 are AES encryption and decryption with 128 bit and 256 bit keys, respectively, and 16 byte blocks in CBC mode with Cipher Text Stealing. Cipher Text Stealing means the length of the encrypted data is preserved (pure CBC adds up to 7 pad characters). The keys can be derived from passwords with RSA Laboratories' PKCS#5 Password-Based Key Derivation Function 2 [2], which is allegedly provably secure in a random oracle model. Data is integrity protected with a keyed SHA1 hash, in HMAC mode, truncated to 96 bits. There is no security proof, but the schemes are assumed to provide adequate security in the sense that knowledge of how to crack them is not known to the public. Note that AES has yet to receive the test of time, and the CBC variation used is not widely standardized (hence not widely studied). They are associated with the hmac-sha1-96-aes128 and hmac-sha1-96-aes256 checksums, respectively.

The protocol does not include any way to negotiate which checksum mechanism to use, so in most cases the associated checksum will be used. However, checksum mechanisms can be used with other encryption mechanisms, as long as they are compatible in terms of key format etc. Here are the names of the supported checksum mechanisms, with some notes on their status and the compatible encryption mechanisms. They are listed in order of increasing security, as perceived by the author.

NULL

NULL is a dummy checksum suite for debugging. It provides no integrity. It is weak. It is compatible with the NULL encryption mechanism.

arcfour-hmac-md5

arcfour-hmac-md5 is a keyed HMAC-MD5 checksum computed on an MD5 message digest, in turn computed on a four byte message type indicator concatenated with the application data. (The arcfour designation is thus somewhat misleading, but since this checksum mechanism is described in the same document as the arcfour encryption mechanisms, it is not a completely unnatural designation.) It is weak. It is compatible with all encryption mechanisms.

rsa-md4

rsa-md4 is an unkeyed MD4 hash computed over the message. Since it is unkeyed, it is in general a weak checksum; however, applications can, with care, use it in non-weak ways (e.g., by including the hash in other messages that are encrypted or checksummed). It is compatible with all encryption mechanisms.

rsa-md4-des

rsa-md4-des is a DES CBC encryption of one block of random data and an unkeyed MD4 hash computed over the random data and the message to integrity protect. The key used is derived from the base protocol key by XOR with a constant. It is weak. It is compatible with the des-cbc-crc, des-cbc-md4 and des-cbc-md5 encryption mechanisms.

rsa-md5

rsa-md5 is an unkeyed MD5 hash computed over the message. Since it is unkeyed, it is in general a weak checksum; however, applications can, with care, use it in non-weak ways (e.g., by including the hash in other messages that are encrypted or checksummed). It is compatible with all encryption mechanisms.

rsa-md5-des

rsa-md5-des is a DES CBC encryption of one block of random data and an unkeyed MD5 hash computed over the random data and the message to integrity protect. The key used is derived from the base protocol key by XOR with a constant. It is weak. It is compatible with the des-cbc-crc, des-cbc-md4 and des-cbc-md5 encryption mechanisms.

hmac-sha1-des3-kd

hmac-sha1-des3-kd is a keyed SHA1 hash in HMAC mode computed over the message. The key is derived from the base protocol key by the simplified key derivation function (similar to the password key derivation function of des3-cbc-sha1-kd). It has no security proof, but is assumed to provide good security, if the key derivation function is good. It is compatible with the des3-cbc-sha1-kd encryption mechanism.

hmac-sha1-96-aes128, hmac-sha1-96-aes256

hmac-sha1-96-aes* are keyed SHA1 hashes in HMAC mode computed over the message and then truncated to 96 bits. The key is derived from the base protocol key by the simplified key derivation function (similar to the password key derivation function of des3-cbc-sha1-kd). They have no security proof, but are assumed to provide good security, if the key derivation function is good. They are compatible with the aes*-cts-hmac-sha1-96 encryption mechanisms.
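The following Python is an added example (not from the Shishi manual or project) that implements three of the checksum mechanisms described above, rsa-md5, arcfour-hmac-md5 and hmac-sha1-96, and checks how each fares when a message is altered by someone who does not hold the key; this is the "unkeyed is weak" point made for rsa-md4 and rsa-md5. The little-endian encoding of the message type and the "signaturekey" subkey derivation in arcfour-hmac-md5 follow RFC 4757 (the successor of the expired draft named above) rather than anything stated on this page. The key, message type and messages are constructed for the demonstration, and the helper names are this example's own; the key-derivation step that produces the HMAC key for hmac-sha1-96 from the base key is not reproduced, so a raw key is used directly.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the demonstration (not real protocol data).
SAMPLE_KEY = bytes(range(16))
SAMPLE_MSG_TYPE = 21
SAMPLE_MSG = b"payload: amount=100 account=42"
ALTERED_MSG = b"payload: amount=900 account=42"


def rsa_md5(data: bytes) -> bytes:
    # Unkeyed MD5 over the message: anyone who can alter the message can
    # recompute it, so by itself it detects only accidental corruption.
    return hashlib.md5(data).digest()


def arcfour_hmac_md5(key: bytes, msg_type: int, data: bytes) -> bytes:
    # HMAC-MD5 over MD5(T || data), with T the 4-byte little-endian message
    # type. The signing key is derived from the base key with HMAC-MD5 over
    # the constant "signaturekey\0" (RFC 4757; the page only calls it creative).
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", msg_type) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA1 truncated to its first 96 bits (12 bytes).
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def compute(mechanism: str, key: bytes, msg_type: int, data: bytes) -> bytes:
    if mechanism == "rsa-md5":
        return rsa_md5(data)
    if mechanism == "arcfour-hmac-md5":
        return arcfour_hmac_md5(key, msg_type, data)
    if mechanism == "hmac-sha1-96":
        return hmac_sha1_96(key, data)
    raise ValueError("unknown checksum mechanism: " + mechanism)


def receiver_accepts(mechanism: str, key: bytes, msg_type: int,
                     data: bytes, attached: bytes) -> bool:
    # Constant-time comparison so verification does not leak via timing.
    return hmac.compare_digest(compute(mechanism, key, msg_type, data), attached)


def keyless_tamper_checksum(mechanism: str, original_checksum: bytes, altered: bytes) -> bytes:
    # What someone without the key can attach to an altered message: for the
    # unkeyed mechanism a fresh hash of the new text, for the keyed ones
    # nothing better than replaying the checksum of the original message.
    if mechanism == "rsa-md5":
        return rsa_md5(altered)
    return original_checksum


def tamper_outcomes(key: bytes = SAMPLE_KEY, msg_type: int = SAMPLE_MSG_TYPE,
                    data: bytes = SAMPLE_MSG, altered: bytes = ALTERED_MSG) -> dict:
    """Map each mechanism to whether the receiver accepts the altered message."""
    outcomes = {}
    for mech in ("rsa-md5", "arcfour-hmac-md5", "hmac-sha1-96"):
        sent = compute(mech, key, msg_type, data)
        attached = keyless_tamper_checksum(mech, sent, altered)
        outcomes[mech] = receiver_accepts(mech, key, msg_type, altered, attached)
    return outcomes


if __name__ == "__main__":
    for mech, accepted in tamper_outcomes().items():
        print(f"{mech:18s} altered message accepted: {accepted}")
```

Only rsa-md5 accepts the altered message, which is exactly why the text says an unkeyed checksum is weak unless the application binds it into something that is itself encrypted or keyed-checksummed. The message type folded into arcfour-hmac-md5 also means the same bytes checksummed under a different type verify differently, which stops a checksum computed for one message kind from being reused for another.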

Several of the cipher suites have long names that can be hard to memorize. For your convenience, the following short-hand aliases exist.

arcfour

Alias for arcfour-hmac.

des-crc

Alias for des-cbc-crc.

des-md4

Alias for des-cbc-md4.

des-md5, des

Alias for des-cbc-md5.

des3, 3des

Alias for des3-cbc-sha1-kd.

aes128

Alias for aes128-cts-hmac-sha1-96.

aes, aes256

Alias for aes256-cts-hmac-sha1-96.

Notes

[1]

http://www.research.att.com/~smb/papers/ides.pdf

[2]

http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/