draft-ietf-lamps-cmp-algorithms-00.txt   draft-ietf-lamps-cmp-algorithms-01.txt 
LAMPS Working Group H. Brockhaus LAMPS Working Group H. Brockhaus
Internet-Draft Siemens Internet-Draft Siemens
Intended status: Standards Track October 24, 2020 Intended status: Standards Track November 2, 2020
Expires: April 27, 2021 Expires: May 6, 2021
CMP Algorithms CMP Algorithms
draft-ietf-lamps-cmp-algorithms-00 draft-ietf-lamps-cmp-algorithms-01
Abstract Abstract
This document describes the conventions for using several This document describes the conventions for using several
cryptographic algorithms with the Certificate Management Protocol cryptographic algorithms with the Certificate Management Protocol
(CMP). CMP is used to enroll and further manage the lifecycle of (CMP). CMP is used to enroll and further manage the lifecycle of
X.509 certificates. X.509 certificates.
Status of This Memo Status of This Memo
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 27, 2021. This Internet-Draft will expire on May 6, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 22 skipping to change at page 2, line 22
3.1. DSA . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. DSA . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2. RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.2. RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.3. ECDSA . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.3. ECDSA . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Key Management Algorithms . . . . . . . . . . . . . . . . . . 5 4. Key Management Algorithms . . . . . . . . . . . . . . . . . . 5
4.1. Key Agreement Algorithms . . . . . . . . . . . . . . . . 6 4.1. Key Agreement Algorithms . . . . . . . . . . . . . . . . 6
4.1.1. Diffie-Hellman . . . . . . . . . . . . . . . . . . . 6 4.1.1. Diffie-Hellman . . . . . . . . . . . . . . . . . . . 6
4.1.2. ECDH . . . . . . . . . . . . . . . . . . . . . . . . 6 4.1.2. ECDH . . . . . . . . . . . . . . . . . . . . . . . . 6
4.2. Key Transport Algorithms . . . . . . . . . . . . . . . . 7 4.2. Key Transport Algorithms . . . . . . . . . . . . . . . . 7
4.2.1. RSA . . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2.1. RSA . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.3. Symmetric Key-Encryption Algorithms . . . . . . . . . . . 7 4.3. Symmetric Key-Encryption Algorithms . . . . . . . . . . . 7
4.3.1. AES Key Wrap with Padding . . . . . . . . . . . . . . 8 4.3.1. AES Key Wrap . . . . . . . . . . . . . . . . . . . . 8
4.4. Key Derivation Algorithms . . . . . . . . . . . . . . . . 8 4.4. Key Derivation Algorithms . . . . . . . . . . . . . . . . 8
4.4.1. Password-based Key Derivation Function 2 . . . . . . 8 4.4.1. Password-based Key Derivation Function 2 . . . . . . 8
5. Content Encryption Algorithms . . . . . . . . . . . . . . . . 9 5. Content Encryption Algorithms . . . . . . . . . . . . . . . . 9
5.1. AES . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 5.1. AES . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6. Message Authentication Code Algorithms . . . . . . . . . . . 9 6. Message Authentication Code Algorithms . . . . . . . . . . . 10
6.1. Password-based MAC . . . . . . . . . . . . . . . . . . . 9 6.1. Password-based MAC . . . . . . . . . . . . . . . . . . . 10
6.2. Diffie-Hellman-based MAC . . . . . . . . . . . . . . . . 10 6.2. Diffie-Hellman-based MAC . . . . . . . . . . . . . . . . 11
6.3. HMAC SHA2 . . . . . . . . . . . . . . . . . . . . . . . . 10 6.3. SHA2-based HMAC . . . . . . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
10.1. Normative References . . . . . . . . . . . . . . . . . . 11 10.1. Normative References . . . . . . . . . . . . . . . . . . 12
10.2. Informative References . . . . . . . . . . . . . . . . . 13 10.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix A. History of changes . . . . . . . . . . . . . . . . . 13 Appendix A. Algorithm Use Profiles . . . . . . . . . . . . . . . 15
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 13 A.1. Algorithm Profile for PKI Management Message Profiles . . 15
A.2. Algorithm Profile for Lightweight CMP Profile . . . . . . 16
Appendix B. History of changes . . . . . . . . . . . . . . . . . 17
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
[RFC Editor: please delete]: !!! The change history was moved to
Appendix B !!!
1.1. Terminology 1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119] document are to be interpreted as described in BCP 14 [RFC2119]
[RFC8174] when, and only when, they appear in all capitals, as shown [RFC8174] when, and only when, they appear in all capitals, as shown
here. here.
2. Message Digest Algorithms 2. Message Digest Algorithms
This section specifies the conventions employed by CMP This section specifies the conventions employed by CMP
implementations that support SHA-1 or SHA2 algorithm family. implementations that support SHA-1 or SHA2 algorithm family.
Digest algorithm identifiers are located in the hashAlg field of Digest algorithm identifiers are located in the hashAlg field of
OOBCertHash, the owf field of Challenge, PBMParameter, and OOBCertHash, the owf field of Challenge, PBMParameter, and
skipping to change at page 4, line 16 skipping to change at page 4, line 20
field of PKIHeader, the algorithmIdentifier field of POPOSigningKey, field of PKIHeader, the algorithmIdentifier field of POPOSigningKey,
signatureAlgorithm field of p10cr, SignKeyPairTypes, and the signatureAlgorithm field of p10cr, SignKeyPairTypes, and the
SignerInfo signatureAlgorithm field of SignedData. SignerInfo signatureAlgorithm field of SignedData.
Signature values are located in the protection field of PKIMessage, Signature values are located in the protection field of PKIMessage,
signature field of POPOSigningKey, signature field of p10cr, and signature field of POPOSigningKey, signature field of p10cr, and
SignerInfo signature field of SignedData. SignerInfo signature field of SignedData.
3.1. DSA 3.1. DSA
The DSA signature algorithm is defined in FIPS Pub 186-5 [FIPS186-5] The DSA signature algorithm is defined in FIPS Pub 186-4 [FIPS186-4]
and MAY be used with SHA-224 and SHA-256 as specified in RFC 5754 and MAY be used with SHA-224 and SHA-256 as specified in RFC 5754
[RFC5754]. [RFC5754].
The algorithm identifiers for DSA with SHA2 signature values are: The algorithm identifiers for DSA with SHA2 signature values are:
id-dsa-with-sha224 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) id-dsa-with-sha224 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2)
country(16) us(840) organization(1) gov(101) csor(3) country(16) us(840) organization(1) gov(101) csor(3)
algorithms(4) id-dsa-with-sha2(3) 1 } algorithms(4) id-dsa-with-sha2(3) 1 }
id-dsa-with-sha256 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) id-dsa-with-sha256 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2)
country(16) us(840) organization(1) gov(101) csor(3) country(16) us(840) organization(1) gov(101) csor(3)
skipping to change at page 5, line 22 skipping to change at page 5, line 22
sha384WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) sha384WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 12 } member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 12 }
sha512WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) sha512WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 13 } member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 13 }
Further conventions to be considered are specified in RFC 5754 Further conventions to be considered are specified in RFC 5754
Section 3.2 [RFC5754]. Section 3.2 [RFC5754].
3.3. ECDSA 3.3. ECDSA
The ECDSA signature algorithm is defined in FIPS Pub 186-5 The ECDSA signature algorithm is defined in FIPS Pub 186-4
[FIPS186-5] and MAY be used with SHA-224, SHA-256, SHA-384, or [FIPS186-4] and MAY be used with SHA-224, SHA-256, SHA-384, or
SHA-512 as specified in RFC 5754 [RFC5754]. SHA-512 as specified in RFC 5754 [RFC5754].
The algorithm identifiers for ECDSA with SHA2 signature values are: The algorithm identifiers for ECDSA with SHA2 signature values are:
ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 1 } us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 1 }
ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 } us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 }
ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 } us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 }
skipping to change at page 8, line 15 skipping to change at page 8, line 15
Key-encryption algorithm identifiers are located in the EnvelopedData Key-encryption algorithm identifiers are located in the EnvelopedData
RecipientInfos KeyAgreeRecipientInfo keyEncryptionAlgorithm and RecipientInfos KeyAgreeRecipientInfo keyEncryptionAlgorithm and
EnvelopedData RecipientInfos PassworRecipientInfo EnvelopedData RecipientInfos PassworRecipientInfo
keyEncryptionAlgorithm fields. keyEncryptionAlgorithm fields.
Wrapped content-encryption keys are located in the EnvelopedData Wrapped content-encryption keys are located in the EnvelopedData
RecipientInfos KeyAgreeRecipientInfo RecipientEncryptedKeys RecipientInfos KeyAgreeRecipientInfo RecipientEncryptedKeys
encryptedKey and EnvelopedData RecipientInfos PassworRecipientInfo encryptedKey and EnvelopedData RecipientInfos PassworRecipientInfo
encryptedKey fields. encryptedKey fields.
4.3.1. AES Key Wrap with Padding 4.3.1. AES Key Wrap
The AES key encryption algorithm is defined in RFC 3394 [RFC3394] and The AES encryption algorithm is defined in FIBS Pub 197 [FIPS197] and
the respective padding is defined in RFC 5649 [RFC5649]. the key wrapping is defined in RFC 3394 [RFC3394].
AES key encryption has the algorithm identifier: AES key encryption has the algorithm identifier:
id-aes256-wrap-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) id-aes128-wrap OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3) country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) aes(1) 48 } nistAlgorithm(4) aes(1) 5 }
id-aes192-wrap OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) aes(1) 25 }
id-aes256-wrap OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) aes(1) 45 }
Further conventions to be considered for AES key wrap with padding Further conventions to be considered for AES key wrap are specified
are specified in RFC 5649 Section 4 [RFC5649]. in RFC 3394 Section 2.2 [RFC3394] and RFC 3565 Section 2.3.2
[RFC3565].
4.4. Key Derivation Algorithms 4.4. Key Derivation Algorithms
Key derivation algorithms are only used in CMP when using CMS Key derivation algorithms are only used in CMP when using CMS
[RFC5652] EnvelopedData together with password-based key management [RFC5652] EnvelopedData together with password-based key management
technique. technique.
Key derivation algorithm identifiers are located in the EnvelopedData Key derivation algorithm identifiers are located in the EnvelopedData
RecipientInfos PassworRecipientInfo keyDerivationAlgorithm field. RecipientInfos PassworRecipientInfo keyDerivationAlgorithm field.
skipping to change at page 9, line 26 skipping to change at page 9, line 35
Content encryption algorithm identifiers are located in the Content encryption algorithm identifiers are located in the
EnvelopedData EncryptedContentInfo contentEncryptionAlgorithmrithm EnvelopedData EncryptedContentInfo contentEncryptionAlgorithmrithm
field. field.
Encrypted content is located in the EnvelopedData Encrypted content is located in the EnvelopedData
EncryptedContentInfo encryptedContent field. EncryptedContentInfo encryptedContent field.
5.1. AES 5.1. AES
Since the using CMP, the content encrypted is a cryptographic key and The AES encryption algorithm is defined in FIPS Pub 197 [FIPS197].
its attributes, a certificate or a password, the same algorithms as Details of usage of AES-CCM and AES-GCM in CMS [RFC5652]
specified in Section 4.3.1 are used for content encryption. EnvelopedData is specified in RFC 5084 [RFC5084].
AES content encryption has the algorithm identifier:
id-aes128-CCM OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) aes(1) 7 }
id-aes192-CCM OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) aes(1) 27 }
id-aes256-CCM OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) aes(1) 47 }
id-aes128-GCM OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) aes(1) 6 }
id-aes192-GCM OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) aes(1) 26 }
id-aes256-GCM OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) aes(1) 46 }
Further conventions to be considered for AES content encryption are
specified in RFC 5084 [RFC5084].
6. Message Authentication Code Algorithms 6. Message Authentication Code Algorithms
The message authentication code algorithm is also referred to as The message authentication code algorithm is also referred to as
MSG_MAC_ALG in RFC 4210 Appendix D and E [RFC4210] and in the MSG_MAC_ALG in RFC 4210 Appendix D and E [RFC4210] and in the
Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile]. Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile].
Message authentication code algorithm identifiers are located in the Message authentication code algorithm identifiers are located in the
mac field of PBMParameter and DHBMParameter, the PBKDF2-params prf mac field of PBMParameter and DHBMParameter, the PBKDF2-params prf
field. field.
Message authentication code values are located in the EnvelopedData Message authentication code values are located in the EnvelopedData
EncryptedContentInfo encryptedContent field. EncryptedContentInfo encryptedContent field.
6.1. Password-based MAC 6.1. Password-based MAC
The password-based MAC is defined in RFC 4210 [RFC4210]. The password-based MAC is defined in RFC 4210 [RFC4210].
The algorithm identifiers for password-based MAC is: The algorithm identifier for password-based MAC as specified in
RFC 4210 [RFC4210] is:
id-PasswordBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-PasswordBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) nt(113533) nsn(7) algorithms(66) 13 } us(840) nt(113533) nsn(7) algorithms(66) 13 }
Further conventions to be considered for password-based MAC are Further conventions to be considered for password-based MAC are
specified in RFC 4210 Section 5.1.3.1 [RFC4210]. specified in RFC 4210 Section 5.1.3.1 [RFC4210].
6.2. Diffie-Hellman-based MAC 6.2. Diffie-Hellman-based MAC
The Diffie-Hellman-based MAC is defined in RFC 4210 [RFC4210]. The Diffie-Hellman-based MAC is defined in RFC 4210 [RFC4210].
The algorithm identifiers for Diffie-Hellman-based MAC is: The algorithm identifiers for Diffie-Hellman-based MAC is:
id-DHBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-DHBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) nt(113533) nsn(7) algorithms(66) 30 } us(840) nt(113533) nsn(7) algorithms(66) 30 }
Further conventions to be considered for Diffie-Hellman-based MAC are Further conventions to be considered for Diffie-Hellman-based MAC are
specified in RFC 4210 Section 5.1.3.2 [RFC4210]. specified in RFC 4210 Section 5.1.3.2 [RFC4210].
6.3. HMAC SHA2 6.3. SHA2-based HMAC
The HMAC is defined in RFC 2104 [RFC2104]. The HMAC is defined in RFC 2104 [RFC2104] and FIPS Pub 198-1
[FIPS198-1]. The SHA2 algorithms are defined in
Section 2.1Section 2.1 and FIPS Pub 180-4 [FIPS180-4].
The algorithm identifiers for HMAC with SHA2 as specified in RFC 4231 The algorithm identifiers for SHA2-based HMAC as specified in
[RFC4231] are: RFC 4231 [RFC4231] are:
id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) digestAlgorithm(2) 8 } us(840) rsadsi(113549) digestAlgorithm(2) 8 }
id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) digestAlgorithm(2) 9 } us(840) rsadsi(113549) digestAlgorithm(2) 9 }
id-hmacWithSHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-hmacWithSHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) digestAlgorithm(2) 10 } us(840) rsadsi(113549) digestAlgorithm(2) 10 }
id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) digestAlgorithm(2) 11 } us(840) rsadsi(113549) digestAlgorithm(2) 11 }
Further conventions to be considered for HMAC with SHA2 are specified Further conventions to be considered for SHA2-based HMAC are
in RFC 4231 Section 3.1 [RFC4231]. specified in RFC 4231 Section 3.1 [RFC4231].
7. IANA Considerations 7. IANA Considerations
TBD This document does not request changes to the IANA registry.
8. Security Considerations 8. Security Considerations
TBD RFC 4210 Appendix D.2 [RFC4210] contains a set of algorithms,
mandatory to be supported by conforming implementations. Theses
algorithms were appropriate at the time CMP war releases, but as
cryptographic algorithms weaken over time, some of them should not be
uses anymore. In general, new attacks are emerging due to research
cryptoanalysis or increase in computing power. new algorithms were
introduced that are more resistant to today's attacks.
This document lists many cryptographic algorithms usable with CMP to
offer implementers a more up to date choice. Finally, the algorithms
to be supported also heavily depend on the utilizes certificates in
the target environment.
In the appendix of this document there is also an update to the
Appendix D.2 of RFC 4210 [RFC4210] and a set of algorithms to be
supported when implementing the Lightweight CMP Profile
[I-D.ietf-lamps-lightweight-cmp-profile].
To keep the list of algorithms to be used with CMP up to date to
enlist secure algorithms resisting known attack scenarios, future
algorithms should be added and weakened algorithms should be
deprecated.
9. Acknowledgements 9. Acknowledgements
TBD Thanks to Russ Housley for his input and feedback to this document.
10. References 10. References
10.1. Normative References 10.1. Normative References
[FIPS180-4] [FIPS180-4]
NIST, "FIPS Pub 180-4: Secure Hash Standard (SHA)", August NIST, "FIPS Pub 180-4: Secure Hash Standard (SHA)", August
2015 , <https://nvlpubs.nist.gov/nistpubs/FIPS/ 2015 , <https://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.180-4.pdf>. NIST.FIPS.180-4.pdf>.
[FIPS186-5] [FIPS186-4]
NIST, "FIPS Pub 186-5: Digital Signature Standard (DSS)", NIST, "FIPS Pub 186-4: Digital Signature Standard (DSS)",
October 2019, <https://nvlpubs.nist.gov/nistpubs/FIPS/ July 2013, <https://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.186-5-draft.pdf>. NIST.FIPS.186-4.pdf>.
[FIPS197] NIST, "FIPS Pub 197: Advanced Encryption Standard (AES)",
November 2001, <https://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.197.pdf>.
[FIPS198-1]
NIST, "The Keyed-Hash Message Authentication Code (HMAC)",
July 2008, <https://nvlpubs.nist.gov/nistpubs/FIPS/
NIST.FIPS.198-1.pdf>.
[I-D.ietf-lamps-cmp-updates] [I-D.ietf-lamps-cmp-updates]
Brockhaus, H., "CMP Updates", draft-ietf-lamps-cmp- Brockhaus, H., "CMP Updates", draft-ietf-lamps-cmp-
updates-05 (work in progress), September 2020. updates-05 (work in progress), September 2020.
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, Hashing for Message Authentication", RFC 2104,
DOI 10.17487/RFC2104, February 1997, DOI 10.17487/RFC2104, February 1997,
<https://www.rfc-editor.org/info/rfc2104>. <https://www.rfc-editor.org/info/rfc2104>.
skipping to change at page 12, line 5 skipping to change at page 13, line 32
[RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard [RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard
(AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394, (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394,
September 2002, <https://www.rfc-editor.org/info/rfc3394>. September 2002, <https://www.rfc-editor.org/info/rfc3394>.
[RFC3560] Housley, R., "Use of the RSAES-OAEP Key Transport [RFC3560] Housley, R., "Use of the RSAES-OAEP Key Transport
Algorithm in Cryptographic Message Syntax (CMS)", Algorithm in Cryptographic Message Syntax (CMS)",
RFC 3560, DOI 10.17487/RFC3560, July 2003, RFC 3560, DOI 10.17487/RFC3560, July 2003,
<https://www.rfc-editor.org/info/rfc3560>. <https://www.rfc-editor.org/info/rfc3560>.
[RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES)
Encryption Algorithm in Cryptographic Message Syntax
(CMS)", RFC 3565, DOI 10.17487/RFC3565, July 2003,
<https://www.rfc-editor.org/info/rfc3565>.
[RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional
Algorithms and Identifiers for RSA Cryptography for use in Algorithms and Identifiers for RSA Cryptography for use in
the Internet X.509 Public Key Infrastructure Certificate the Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) Profile", RFC 4055, and Certificate Revocation List (CRL) Profile", RFC 4055,
DOI 10.17487/RFC4055, June 2005, DOI 10.17487/RFC4055, June 2005,
<https://www.rfc-editor.org/info/rfc4055>. <https://www.rfc-editor.org/info/rfc4055>.
[RFC4056] Schaad, J., "Use of the RSASSA-PSS Signature Algorithm in [RFC4056] Schaad, J., "Use of the RSASSA-PSS Signature Algorithm in
Cryptographic Message Syntax (CMS)", RFC 4056, Cryptographic Message Syntax (CMS)", RFC 4056,
DOI 10.17487/RFC4056, June 2005, DOI 10.17487/RFC4056, June 2005,
skipping to change at page 12, line 33 skipping to change at page 14, line 21
[RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure
Certificate Request Message Format (CRMF)", RFC 4211, Certificate Request Message Format (CRMF)", RFC 4211,
DOI 10.17487/RFC4211, September 2005, DOI 10.17487/RFC4211, September 2005,
<https://www.rfc-editor.org/info/rfc4211>. <https://www.rfc-editor.org/info/rfc4211>.
[RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
RFC 4231, DOI 10.17487/RFC4231, December 2005, RFC 4231, DOI 10.17487/RFC4231, December 2005,
<https://www.rfc-editor.org/info/rfc4231>. <https://www.rfc-editor.org/info/rfc4231>.
[RFC5649] Housley, R. and M. Dworkin, "Advanced Encryption Standard [RFC5084] Housley, R., "Using AES-CCM and AES-GCM Authenticated
(AES) Key Wrap with Padding Algorithm", RFC 5649, Encryption in the Cryptographic Message Syntax (CMS)",
DOI 10.17487/RFC5649, September 2009, RFC 5084, DOI 10.17487/RFC5084, November 2007,
<https://www.rfc-editor.org/info/rfc5649>. <https://www.rfc-editor.org/info/rfc5084>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009, RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/info/rfc5652>. <https://www.rfc-editor.org/info/rfc5652>.
[RFC5753] Turner, S. and D. Brown, "Use of Elliptic Curve [RFC5753] Turner, S. and D. Brown, "Use of Elliptic Curve
Cryptography (ECC) Algorithms in Cryptographic Message Cryptography (ECC) Algorithms in Cryptographic Message
Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January
2010, <https://www.rfc-editor.org/info/rfc5753>. 2010, <https://www.rfc-editor.org/info/rfc5753>.
skipping to change at page 13, line 31 skipping to change at page 15, line 16
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
10.2. Informative References 10.2. Informative References
[I-D.ietf-lamps-lightweight-cmp-profile] [I-D.ietf-lamps-lightweight-cmp-profile]
Brockhaus, H., Fries, S., and D. Oheimb, "Lightweight CMP Brockhaus, H., Fries, S., and D. Oheimb, "Lightweight CMP
Profile", draft-ietf-lamps-lightweight-cmp-profile-03 Profile", draft-ietf-lamps-lightweight-cmp-profile-03
(work in progress), October 2020. (work in progress), October 2020.
Appendix A. History of changes Appendix A. Algorithm Use Profiles
This appendix provides profiles of algorithms and respective
conventions for different application use cases.
A.1. Algorithm Profile for PKI Management Message Profiles
The following table contains definitions of algorithm used within PKI
Management Message Profiles as defined in CMP Appendix D.2 [RFC4210].
The columns in the table are:
Name: an identifier used for message profiles
Use: description of where and for what the algorithm is used
Mandatory: an AlgorithmIdentifier which MUST be supported by
conforming implementations
Name Use Mandatory
------------ --------------------------------------- ----------------
MSG_SIG_ALG protection of PKI messages using RSA
signature
MSG_MAC_ALG protection of PKI messages using MACing PasswordBasedMac
SYM_PENC_ALG symmetric encryption of an end entity's AES-wrap
private key where symmetric key is
distributed out-of-band
PROT_ENC_ALG asymmetric algorithm used for D-H
encryption of (symmetric keys for
encryption of) private keys transported
in PKIMessages
PROT_SYM_ALG symmetric encryption algorithm used for AES
encryption of private key bits (a key
of this type is encrypted using
PROT_ENC_ALG)
Mandatory Algorithm Identifiers and Specifications:
RSA: sha256WithRSAEncryption with 2048 bit, see Section 3.2
PasswordBasedMac: id-PasswordBasedMac, see Section 6.1 (with id-
sha256 as the owf parameter, see Section 2.1 and id-hmacWithSHA256 as
the mac parameter, see Section 6.3)
D-H: id-alg-ESDH, see Section 4.1.1
AES-wrap: id-aes256-wrap, see Section 4.3.1
AES: id-aes256-GCM, see Section 5.1
A.2. Algorithm Profile for Lightweight CMP Profile
The following table contains definitions of algorithm which MUST be
supported by conforming implementations This profile is referenced in
the Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile].
The columns in the table are:
Name: an identifier used for message profiles
Use: description of where and for what the algorithm is used
Mandatory: an AlgorithmIdentifier which MUST be supported by
conforming implementations
Name Use Mandatory
------------ --------------------------------------- ----------------
MSG_SIG_ALG protection of PKI messages using ECDSA
signature
MSG_MAC_ALG protection of PKI messages using MACing PasswordBasedMac
KM_KA_ALG asymmetric key agreement algorithm used ECDH
for agreement of a symmetric keys for
encryption of EnvelopedData, e.g., a
private key transported in PKIMessages
KM_KT_ALG asymmetric key encryption algorithm RSA
used for transport of a symmetric keys
for encryption of EnvelopedData, e.g.,
a private key transported in
PKIMessages
KM_PB_ALG symmetric derivation algorithm used to PBKDF2
derive a symmetric key for encryption
of EnvelopedData, e.g., a private key
transported in PKIMessages, from a
password
PROT_ENC_ALG Symmetric key encryption algorithm to AES-wrap
encrypt a content encryption key
PROT_SYM_ALG symmetric content encryption algorithm AES
used for encryption of, e.g., private
key bits (a key of this type is
encrypted using PROT_ENC_ALG)
Mandatory Algorithm Identifiers and Specifications:
< TBD: The list of mandatory algorithms has to be defined later. >
Appendix B. History of changes
Note: This appendix will be deleted in the final version of the Note: This appendix will be deleted in the final version of the
document. document.
From version 00 -> 01:
o Changed sections Symmetric Key-Encryption Algorithms and Content
Encryption Algorithms based on the discussion on the mailing list
(see thread "[CMP Algorithms] Use Key-Wrap with or without padding
in Section 4.3 and Section 5")
o Added Appendix A with updated algorithms profile for RDC4210
Appendix D.2 and first proposal for the Lightweight CMP Profile
o Minor changes in wording
Author's Address Author's Address
Hendrik Brockhaus Hendrik Brockhaus
Siemens AG Siemens AG
Email: hendrik.brockhaus@siemens.com Email: hendrik.brockhaus@siemens.com
 End of changes. 28 change blocks. 
49 lines changed or deleted 229 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/