RFC Errata
RFC 4556, "Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)", June 2006
Note: This RFC has been updated by RFC 6112, RFC 8062, RFC 8636
Source of RFC: krb-wg (sec)
Errata ID: 3157
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Tom Yu
Date Reported: 2012-03-15
Held for Document Update by: Stephen Farrell
Section 3.2.1 says:
8. The client's Diffie-Hellman public value (clientPublicValue) is
included if and only if the client wishes to use the Diffie-
Hellman key agreement method. The Diffie-Hellman domain
parameters [IEEE1363] for the client's public key are specified
in the algorithm field of the type SubjectPublicKeyInfo
[RFC3279], and the client's Diffie-Hellman public key value is
mapped to a subjectPublicKey (a BIT STRING) according to
[RFC3279]. When using the Diffie-Hellman key agreement method,
implementations MUST support Oakley 1024-bit Modular Exponential
(MODP) well-known group 2 [RFC2412] and Oakley 2048-bit MODP
well-known group 14 [RFC3526] and SHOULD support Oakley 4096-bit
MODP well-known group 16 [RFC3526].
The Diffie-Hellman field size should be chosen so as to provide
sufficient cryptographic security [RFC3766].
When MODP Diffie-Hellman is used, the exponents should have at
least twice as many bits as the symmetric keys that will be
derived from them [ODL99].
It should say:
8. The client's Diffie-Hellman public value (clientPublicValue) is
included if and only if the client wishes to use the Diffie-
Hellman key agreement method. The Diffie-Hellman domain
parameters [IEEE1363] for the client's public key are specified
in the algorithm field of the type SubjectPublicKeyInfo
[RFC3279], and the client's Diffie-Hellman public key value is
mapped to a subjectPublicKey (a BIT STRING) according to
[RFC3279]. When using the Diffie-Hellman key agreement method,
implementations MUST support Oakley 1024-bit Modular Exponential
(MODP) well-known group 2 [RFC2412] and Oakley 2048-bit MODP
well-known group 14 [RFC3526] and SHOULD support Oakley 4096-bit
MODP well-known group 16 [RFC3526].
Some implementations are known to omit the mandatory Q value
from the DomainParameters (in the algorithm value of the
clientPublicValue) when using the well-known MODP groups 14 and
16, which can cause an ASN.1 decoding error for the
DomainParamters value. While [RFC3526] does not explicitly
specify the Q value for the well-known MODP groups 14 and 16,
the prime modulus of each of these groups is a safe prime --
having the form P = 2Q + 1, where P and Q are prime.
Therefore, the Q value for each of these moduli is the
corresponding Sophie Germain prime, and it is equal to (P-1)/2.
The Diffie-Hellman field size should be chosen so as to provide
sufficient cryptographic security [RFC3766].
When MODP Diffie-Hellman is used, the exponents should have at
least twice as many bits as the symmetric keys that will be
derived from them [ODL99].
Notes:
The new paragraph identifies an interoperability problem where an
implementation omits the Q value (required in the DomainParameters
type defined in RFC3370) of a Diffie-Hellman group when participating
in PKINIT. This happens for two well-known IKEv2 MODP groups that are
defined in RFC3526, probably because RFC3526 does not explicitly state
the Q values for the moduli. The moduli are safe primes, so the new
text specifies how to compute their Q values (which are the
corresponding Sophie Germain primes).