3.4.5.4.1 Kerberos Binding of GSS_WrapEx()

Kerberos GSS_WrapEx() depends on the encryption type of the session key for the context. The algorithms depend on which Kerberos encryption ciphers are negotiated by the Kerberos protocol.

If the session key encryption type is AES128-CTS-HMAC-SHA1-96 or AES256-CTS-HMAC-SHA1-96 (as specified in [RFC3961]):

  • The base line is [RFC4121].

  • The encrypted data is per [RFC3961] (on which [RFC4121] is based), as follows.

     C1 | H1[1..h]
    

    where

     (C1, newIV) = E(Ke, conf | plaintext | pad, oldstate.ivec)
     H1 = HMAC(Ki, conf | plaintext | pad)
    

    where the "plaintext+encrypted-data" is all the input data buffers supplied to GSS_WrapEx(), concatenated in the order provided in the ordered list, input_message.

The RRC field ([RFC4121] section 4.2.5) is 12 if no encryption is requested or 28 if encryption is requested. The RRC field is chosen such that all the data can be encrypted in place. The trailing metadata H1 is rotated by RRC+EC bytes, which is different from RRC alone. Thus the token buffer contains the header ([RFC4121] section 4.2.6.2) followed by the rotated H1, which is placed after the header and before the encrypted confounder.
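The rotation described above, as an added example that is not part of the specification: a receiver-side parser that reads EC and RRC from the 16-byte Wrap token header and undoes the rotation, using RRC+EC or RRC alone. The function names, the opaque stand-in bytes for C1 and H1, and the EC value of 16 are constructed for illustration; no real encryption is performed.

```python
import struct

HDR_LEN = 16   # Wrap token header, [RFC4121] section 4.2.6.2
H_LEN = 12     # h: truncated HMAC length for the AES ...-SHA1-96 types

def parse_header(token: bytes) -> dict:
    """Decode TOK_ID, Flags, Filler, EC, RRC and SND_SEQ (all big-endian)."""
    if len(token) < HDR_LEN:
        raise ValueError("token shorter than the 16-byte header")
    tok_id, flags, filler, ec, rrc, seq = struct.unpack(">HBBHHQ", token[:HDR_LEN])
    if tok_id != 0x0504 or filler != 0xFF:
        raise ValueError("not an RFC 4121 Wrap token")
    return {"flags": flags, "ec": ec, "rrc": rrc, "seq": seq}

def rotate_right(data: bytes, count: int) -> bytes:
    count %= len(data) if data else 1
    return data[-count:] + data[:-count] if count else data

def build_token(flags, ec, rrc, seq, c1, h1, add_ec=True) -> bytes:
    """header | (C1 | H1) rotated right by RRC+EC (this binding) or by RRC alone."""
    header = struct.pack(">HBBHHQ", 0x0504, flags, 0xFF, ec, rrc, seq)
    return header + rotate_right(c1 + h1, rrc + (ec if add_ec else 0))

def unrotate(token: bytes, add_ec=True):
    """Receiver side: undo the rotation and split the body into (C1, H1)."""
    hdr = parse_header(token)
    body = token[HDR_LEN:]
    if len(body) < H_LEN:
        raise ValueError("token too short to hold H1")
    count = hdr["rrc"] + (hdr["ec"] if add_ec else 0)
    body = rotate_right(body, len(body) - count % len(body))  # left rotation
    return hdr, body[:-H_LEN], body[-H_LEN:]

# Constructed sample: opaque stand-ins for ciphertext and checksum.
C1 = bytes(range(64))      # stands in for E(Ke, conf | plaintext | pad)
H1 = b"\xAA" * H_LEN       # stands in for H1[1..h]
FLAGS_SEALED = 0x02        # "Sealed" flag bit, [RFC4121] section 4.2.2

if __name__ == "__main__":
    tok = build_token(FLAGS_SEALED, 16, 28, 7, C1, H1)
    # The trailing RRC+EC = 44 bytes of C1 | H1 now sit directly after the header.
    print(tok[HDR_LEN:HDR_LEN + 44].hex())
    print(unrotate(tok)[1:] == (C1, H1))                # rotation by RRC+EC undone
    print(unrotate(tok, add_ec=False)[1:] == (C1, H1))  # RRC alone leaves it misaligned
```

When EC is 0 the two interpretations coincide; they diverge only when EC is nonzero, in which case a peer that undoes RRC alone hands misaligned bytes to decryption and the checksum comparison.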

If the session key encryption type is DES-CBC-MD5 or DES-CBC-CRC per [RFC3961]:

  • The base line is [RFC1964].

  • The ordered list contains the header ([RFC1964] section 1.2.2) and errata, then DER(Kerberos OID | Token | Encrypted Data | Padding).

  • The data is encrypted in place.

The "to-be-signed data" in [RFC1964] section 1.2.2.1 is a concatenation of all the input_message data for which sign==TRUE. Only the input data with encrypt set to TRUE is encrypted in output_message. The InitialContextToken header as specified in [RFC1964] section 1.1 is included at the beginning of the ordered list.

For [MS-RPCE], the length field in the above pseudo ASN.1 header does not include the length of the concatenated data if [RFC1964] is used.

If the session key encryption type is RC4-HMAC or RC4-HMAC-EXP per [RFC3961]:

  • The base line is [RFC4757].

  • The ordered list contains the header ([RFC4757] section 7.3).

  • The data (excluding the case in which conf_req_flag is set to FALSE) is encrypted in place.

The "to-be-signed data" is a concatenation of all the input buffers for which sign==TRUE. The InitialContextToken pseudo ASN.1 header is included at the beginning of the token header.