rfcdiff: draft-ietf-lamps-cmp-algorithms-10.txt vs. draft-ietf-lamps-cmp-algorithms-11.txt
(Text common to both drafts is shown once; where the two drafts differ, both readings are given and marked -10 and -11.)

LAMPS Working Group                                         H. Brockhaus, Ed.
Internet-Draft                                                    H. Aschauer
Updates: 4210 (if approved)                                           Siemens
Intended status: Standards Track                                 M. Ounsworth
Expires: 18 August 2022 (-10) / 19 August 2022 (-11)                  J. Gray
                                                                      Entrust
                                14 February 2022 (-10) / 15 February 2022 (-11)

               Certificate Management Protocol (CMP) Algorithms
        draft-ietf-lamps-cmp-algorithms-10 / draft-ietf-lamps-cmp-algorithms-11

Abstract

   This document updates RFC 4210 describing the conventions for using
   concrete cryptographic algorithms with the Certificate Management
   Protocol (CMP).  CMP is used to enroll and further manage the
   lifecycle of X.509 certificates.

Status of This Memo

   [skipping to change at page 1, line 36]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 18 August 2022 (-10) /
   19 August 2022 (-11).

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   [skipping to change at page 17, line 20]

   KM_KW_ALG, PROT_SYM_ALG).

   The following table shows the algorithms listed in this document
   sorted by their bits of security.  If an implementation intends to
   enroll and manage certificates for keys of a specific security
   level, it SHALL implement and use algorithms of at least that
   strength for the respective PKI management operation.  If one row
   does not provide a suitable algorithm, the implementer MUST choose
   one offering more bits of security.
   Table 1 as in -10:

   +========+============+=========+==============+=========+==========+
   |Bits of |Recommended |RSA / D-H|Elliptic curve|Hash     |Symmetric |
   |security|for managing|         |              |function |encryption|
   |        |keys up to  |         |              |or XOF   |          |
   |        |            |         |              |with     |          |
   |        |            |         |              |specified|          |
   |        |            |         |              |output   |          |
   |        |            |         |              |length   |          |
   |        |            |         |              |(d)      |          |
   +========+============+=========+==============+=========+==========+
   |112     |RSA2048,    |RSA2048, |ECDSA/ECDH    |SHA224   |          |
   |        |secp224r1   |D-H(2048)|(secp224r1)   |         |          |
   +--------+------------+---------+--------------+---------+----------+
   |128     |RSA3072,    |RSA3072, |ECDSA/ECDH    |SHA256,  |AES-128   |
   |        |secp256r1,  |D-H(3072)|(secp256r1),  |SHAKE128 |          |
   |        |Curve25519  |         |Ed25519/X25519|(d=256)  |          |
   +--------+------------+---------+--------------+---------+----------+
   |192     |secp384r1   |         |ECDSA/ECDH    |SHA384   |AES-192   |
   |        |            |         |(secp384r1)   |         |          |
   +--------+------------+---------+--------------+---------+----------+
   |224     |Curve448    |         |Ed448/X448    |         |          |
   +--------+------------+---------+--------------+---------+----------+
   |256     |secp521r1   |         |ECDSA/ECDH    |SHA512,  |AES-256   |
   |        |            |         |(secp521r1)   |SHAKE256 |          |
   |        |            |         |              |(d=512)  |          |
   +--------+------------+---------+--------------+---------+----------+

   Table 1 as in -11:

   +=======+==========+================+==================+============+
   | Bits  | RSA or   | Elliptic       | Hash function or | Symmetric  |
   | of    | DH       | curve          | XOF with         | encryption |
   | secu- |          |                | specified output |            |
   | rity  |          |                | length (d)       |            |
   +=======+==========+================+==================+============+
   | 112   | RSA2048, | ECDSA/ECDH     | SHA224           |            |
   |       | DH(2048) | (secp224r1)    |                  |            |
   +-------+----------+----------------+------------------+------------+
   | 128   | RSA3072, | ECDSA/ECDH     | SHA256,          | AES-128    |
   |       | DH(3072) | (secp256r1),   | SHAKE128(d=256)  |            |
   |       |          | Ed25519/       |                  |            |
   |       |          | X25519         |                  |            |
   |       |          | (Curve25519)   |                  |            |
   +-------+----------+----------------+------------------+------------+
   | 192   |          | ECDSA/ECDH     | SHA384           | AES-192    |
   |       |          | (secp384r1)    |                  |            |
   +-------+----------+----------------+------------------+------------+
   | 224   |          | Ed448/X448     |                  |            |
   |       |          | (Curve448)     |                  |            |
   +-------+----------+----------------+------------------+------------+
   | 256   |          | ECDSA/ECDH     | SHA512,          | AES-256    |
   |       |          | (secp521r1)    | SHAKE256(d=512)  |            |
   +-------+----------+----------------+------------------+------------+

      Table 1: Cryptographic algorithms sorted by their bits of security
   The following table shows the cryptographic algorithms sorted by
   their usage in CMP and with more details.
   Table 2 as in -10:

   +=====+=============+===============+===============+===============+
   |Bits |Recommended  |CMP protection |Key management | Key-wrap and  |
   |of   |for managing |               |technique      | symmetric     |
   |secu-|keys up to   |               |               | encryption    |
   |rity |             |               |               |               |
   +=====+=============+===============+===============+===============+
   |     |             |MSG_SIG_ALG,   |PROT_ENC_ALG or| PROT_SYM_ALG, |
   |     |             |MSG_MAC_ALG    |KM_KA_ALG,     | SYM_PENC_ALG  |
   |     |             |               |KM_KT_ALG,     | or            |
   |     |             |               |KM_KD_ALG      | KM_KW_ALG     |
   +-----+-------------+---------------+---------------+---------------+
   |112  |RSA2048,     |RSASSA-PSS     |ESDH (2048),   |               |
   |     |secp224r1    |(2048, SHA224  |RSAES-OAEP     |               |
   |     |             |or SHAKE128),  |(2048, SHA224),|               |
   |     |             |RSAEncryption  |RSAEncryption  |               |
   |     |             |(2048, SHA224),|(2048),        |               |
   |     |             |ECDSA          |ECDH           |               |
   |     |             |(secp224r1,    |(secp224r1,    |               |
   |     |             |SHA224 or      |SHA224),       |               |
   |     |             |SHAKE128),     |PBKDF2 (HMAC-  |               |
   |     |             |PBMAC1 (HMAC-  |SHA224)        |               |
   |     |             |SHA224)        |               |               |
   +-----+-------------+---------------+---------------+---------------+
   |128  |RSA3072,     |RSASSA-PSS     |ESDH (3072),   | AES-128       |
   |     |secp256r1,   |(3072, SHA256  |RSAES-OAEP     |               |
   |     |Curve25519   |or SHAKE128),  |(3072, SHA256),|               |
   |     |             |RSAEncryption  |RSAEncryption  |               |
   |     |             |(3072, SHA256),|(3072),        |               |
   |     |             |ECDSA          |ECDH           |               |
   |     |             |(secp256r1,    |(secp256r1,    |               |
   |     |             |SHA256 or      |SHA256),       |               |
   |     |             |SHAKE128),     |X25519,        |               |
   |     |             |Ed25519        |PBKDF2 (HMAC-  |               |
   |     |             |(SHA512),      |SHA256)        |               |
   |     |             |PBMAC1 (HMAC-  |               |               |
   |     |             |SHA256)        |               |               |
   +-----+-------------+---------------+---------------+---------------+
   |192  |secp384r1    |ECDSA          |ECDH           | AES-192       |
   |     |             |(secp384r1,    |(secp384r1,    |               |
   |     |             |SHA384),       |SHA384),       |               |
   |     |             |PBMAC1 (HMAC-  |PBKDF2 (HMAC-  |               |
   |     |             |SHA384)        |SHA384)        |               |
   +-----+-------------+---------------+---------------+---------------+
   |224  |Curve448     |Ed448          |X448           |               |
   |     |             |(SHAKE256)     |               |               |
   +-----+-------------+---------------+---------------+---------------+
   |256  |secp521r1    |ECDSA          |ECDH           | AES-256       |
   |     |             |(secp521r1,    |(secp521r1,    |               |
   |     |             |SHA512 or      |SHA512),       |               |
   |     |             |SHAKE256),     |PBKDF2 (HMAC-  |               |
   |     |             |PBMAC1 (HMAC-  |SHA512)        |               |
   |     |             |SHA512)        |               |               |
   +-----+-------------+---------------+---------------+---------------+

   Table 2 as in -11:

   +========+==========+===============+===============+===============+
   |Bits of |Key types |CMP protection |Key management | Key-wrap and  |
   |security|to be     |               |technique      | symmetric     |
   |        |certified |               |               | encryption    |
   +========+==========+===============+===============+===============+
   |        |          |MSG_SIG_ALG,   |PROT_ENC_ALG or| PROT_SYM_ALG, |
   |        |          |MSG_MAC_ALG    |KM_KA_ALG,     | SYM_PENC_ALG  |
   |        |          |               |KM_KT_ALG,     | or            |
   |        |          |               |KM_KD_ALG      | KM_KW_ALG     |
   +--------+----------+---------------+---------------+---------------+
   |112     |RSA2048,  |RSASSA-PSS     |DH(2048),      |               |
   |        |secp224r1 |(2048, SHA224  |RSAES-OAEP     |               |
   |        |          |or SHAKE128    |(2048, SHA224),|               |
   |        |          |(d=256)),      |RSAEncryption  |               |
   |        |          |RSAEncryption  |(2048, SHA224),|               |
   |        |          |(2048, SHA224),|ECDH           |               |
   |        |          |ECDSA          |(secp224r1,    |               |
   |        |          |(secp224r1,    |SHA224),       |               |
   |        |          |SHA224 or      |PBKDF2 (HMAC-  |               |
   |        |          |SHAKE128       |SHA224)        |               |
   |        |          |(d=256)),      |               |               |
   |        |          |PBMAC1 (HMAC-  |               |               |
   |        |          |SHA224)        |               |               |
   +--------+----------+---------------+---------------+---------------+
   |128     |RSA3072,  |RSASSA-PSS     |DH(3072),      | AES-128       |
   |        |secp256r1,|(3072, SHA256  |RSAES-OAEP     |               |
   |        |Curve25519|or SHAKE128    |(3072, SHA256),|               |
   |        |          |(d=256)),      |RSAEncryption  |               |
   |        |          |RSAEncryption  |(3072, SHA256),|               |
   |        |          |(3072, SHA256),|ECDH           |               |
   |        |          |ECDSA          |(secp256r1,    |               |
   |        |          |(secp256r1,    |SHA256),       |               |
   |        |          |SHA256 or      |X25519,        |               |
   |        |          |SHAKE128       |PBKDF2 (HMAC-  |               |
   |        |          |(d=256)),      |SHA256)        |               |
   |        |          |Ed25519        |               |               |
   |        |          |(SHA512),      |               |               |
   |        |          |PBMAC1 (HMAC-  |               |               |
   |        |          |SHA256)        |               |               |
   +--------+----------+---------------+---------------+---------------+
   |192     |secp384r1 |ECDSA          |ECDH           | AES-192       |
   |        |          |(secp384r1,    |(secp384r1,    |               |
   |        |          |SHA384),       |SHA384),       |               |
   |        |          |PBMAC1 (HMAC-  |PBKDF2 (HMAC-  |               |
   |        |          |SHA384)        |SHA384)        |               |
   +--------+----------+---------------+---------------+---------------+
   |224     |Curve448  |Ed448          |X448           |               |
   |        |          |(SHAKE256)     |               |               |
   +--------+----------+---------------+---------------+---------------+
   |256     |secp521r1 |ECDSA          |ECDH           | AES-256       |
   |        |          |(secp521r1,    |(secp521r1,    |               |
   |        |          |SHA512 or      |SHA512),       |               |
   |        |          |SHAKE256       |PBKDF2 (HMAC-  |               |
   |        |          |(d=512)),      |SHA512)        |               |
   |        |          |PBMAC1 (HMAC-  |               |               |
   |        |          |SHA512)        |               |               |
   +--------+----------+---------------+---------------+---------------+

         Table 2: Cryptographic algorithms sorted by their bits of
                          security and usage by CMP
   To avoid consuming excessive computational resources, it is
   recommended to choose a set of algorithms offering roughly the same
   level of security.  Below are provided several algorithm profiles
   which are balanced, assuming the implementer chooses MAC secrets
   and/or certificate profiles of at least equivalent strength.
   [skipping to change at page 20, line 14 (-10) / page 20, line 18 (-11)]

   |            |encryption of|         |                 |EDE, CBC    |
   |            |an end       |         |                 |Mode), RC5, |
   |            |entity's     |         |                 |CAST-128    |
   |            |private key  |         |                 |            |
   |            |where        |         |                 |            |
   |            |symmetric key|         |                 |            |
   |            |is           |         |                 |            |
   |            |distributed  |         |                 |            |
   |            |out-of-band  |         |                 |            |
   +------------+-------------+---------+-----------------+------------+
   |PROT_ENC_ALG|asymmetric   |DH       |ECDH, RSA        |            |
   |            |algorithm    |         |                 |            |
   |            |used for     |         |                 |            |
   |            |encryption of|         |                 |            |
   |            |(symmetric   |         |                 |            |
   |            |keys for     |         |                 |            |
   |            |encryption   |         |                 |            |
   |            |of) private  |         |                 |            |
   |            |keys         |         |                 |            |
   |            |transported  |         |                 |            |
   |            |in           |         |                 |            |

   [skipping to change at page 20, line 45 (-10) / page 21, line 4 (-11)]

   |            |is encrypted |         |                 |            |
   |            |using        |         |                 |            |
   |            |PROT_ENC_ALG)|         |                 |            |
   +------------+-------------+---------+-----------------+------------+

   (The only change in this fragment: the PROT_ENC_ALG row reads
   "D-H" in -10 and "DH" in -11.)

       Table 3: Algorithms used within RFC 4210 Appendix D.2 [RFC4210]
   Mandatory Algorithm Identifiers and Specifications:

   RSA: sha256WithRSAEncryption with 2048 bit, see Section 3.1

   PasswordBasedMac: id-PasswordBasedMac, see Section 6.1 (with
   id-sha256 as the owf parameter, see Section 2.1 and id-hmacWithSHA256
   as the mac parameter, see Section 6.2.1)

   PBMAC1: id-PBMAC1, see Section 6.1.2 (with id-PBKDF2 as the key
   derivation function, see Section 4.4.1 and id-hmacWithSHA256 as
   message authentication scheme, see Section 6.2.1).  It is RECOMMENDED
   to prefer the usage of PBMAC1 instead of PasswordBasedMac.

   DH (-10: "D-H"): id-alg-ESDH, see Section 4.1.1

   AES-wrap: id-aes128-wrap, see Section 4.3.1

   AES-CBC: id-aes128-CBC, see Section 5.1
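   The two MAC-based protection options in the mandatory profile above,
   worked through in code.  This is an added example, not code from the
   draft or from any CMP implementation: it assembles PBMAC1 (id-PBMAC1
   with id-PBKDF2 and id-hmacWithSHA256) and PasswordBasedMac
   (id-PasswordBasedMac with id-sha256 as owf and id-hmacWithSHA256 as
   mac) from the Python standard library, following RFC 8018 for PBMAC1
   and the computation RFC 4210 Section 5.1.3.1 describes for
   PasswordBasedMac.  The shared secret, salt, iteration count and the
   byte string standing in for the DER-encoded ProtectedPart are all
   constructed values.

```python
"""PBMAC1 versus PasswordBasedMac for MAC-protected CMP messages.

Added example (not from the draft). Both MACs key HMAC-SHA256 with a
key derived from a shared secret and a salt; they differ only in how
that key is derived:

  PBMAC1 (RFC 8018):          key     = PBKDF2-HMAC-SHA256(secret, salt, c, 32)
  PasswordBasedMac (RFC 4210): basekey = SHA-256 applied iterationCount
                                        times to secret || salt
"""
import hashlib
import hmac
import os

MAC_LEN = 32  # HMAC-SHA256 output length in bytes


def pbmac1(secret: bytes, salt: bytes, iterations: int,
           protected_part: bytes) -> bytes:
    """id-PBMAC1: PBKDF2 (PRF HMAC-SHA256) derives the key, HMAC-SHA256 MACs."""
    key = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=MAC_LEN)
    return hmac.new(key, protected_part, hashlib.sha256).digest()


def password_based_mac(secret: bytes, salt: bytes, iteration_count: int,
                       protected_part: bytes) -> bytes:
    """id-PasswordBasedMac with owf = SHA-256 and mac = HMAC-SHA256.

    RFC 4210 5.1.3.1: the salt is appended to the secret, the OWF is
    applied iterationCount times (each round hashes the previous
    output), and the final output is BASEKEY, the HMAC key.
    """
    basekey = secret + salt
    for _ in range(iteration_count):
        basekey = hashlib.sha256(basekey).digest()
    return hmac.new(basekey, protected_part, hashlib.sha256).digest()


def verify_pbmac1(secret: bytes, salt: bytes, iterations: int,
                  protected_part: bytes, received_mac: bytes) -> bool:
    """Recipient side: recompute the PBMAC1 value and compare in constant time."""
    expected = pbmac1(secret, salt, iterations, protected_part)
    return hmac.compare_digest(expected, received_mac)


def protect_with_pbmac1(secret: bytes, protected_part: bytes,
                        iterations: int = 10000) -> tuple[bytes, bytes]:
    """Sender side: draw a fresh random salt and return (salt, mac).

    Salt and iteration count travel to the recipient in the PBMAC1
    parameters of the message's protectionAlg; the secret does not.
    """
    salt = os.urandom(16)
    return salt, pbmac1(secret, salt, iterations, protected_part)


if __name__ == "__main__":
    # Constructed inputs standing in for a real enrollment.
    SHARED_SECRET = b"constructed-enrollment-secret"
    PROTECTED_PART = b"constructed stand-in for DER(ProtectedPart)"
    salt, mac = protect_with_pbmac1(SHARED_SECRET, PROTECTED_PART)
    assert verify_pbmac1(SHARED_SECRET, salt, 10000, PROTECTED_PART, mac)
    assert not verify_pbmac1(b"wrong-secret", salt, 10000, PROTECTED_PART, mac)
    print("PBMAC1          :", mac.hex())
    print("PasswordBasedMac:",
          password_based_mac(SHARED_SECRET, salt, 10000, PROTECTED_PART).hex())
```

   Both functions take the same inputs, so an implementation that has to
   accept either protectionAlg can dispatch on the algorithm identifier
   and share the HMAC and comparison code; only the key-derivation step
   differs.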
7.2.  Algorithm Profile for Lightweight CMP Profile

   The following table contains definitions of algorithms which MAY be
   supported by implementations of the Lightweight CMP Profile
   [I-D.ietf-lamps-lightweight-cmp-profile].
   [skipping to change at page 22, line 18]

   | MSG_SIG_ALG  | protection of PKI messages     | RSA, ECDSA,      |
   |              | using signature and for        | EdDSA            |
   |              | SignedData, e.g., a private    |                  |
   |              | key transported in PKIMessages |                  |
   +--------------+--------------------------------+------------------+
   | MSG_MAC_ALG  | protection of PKI messages     | PasswordBasedMac |
   |              | using MACing                   | (see Section 9), |
   |              |                                | PBMAC1, HMAC,    |
   |              |                                | KMAC             |
   +--------------+--------------------------------+------------------+
   | KM_KA_ALG    | asymmetric key agreement       | DH, ECDH         |
   |              | algorithm used for agreement   |                  |
   |              | of a symmetric key for use     |                  |
   |              | with KM_KW_ALG                 |                  |
   +--------------+--------------------------------+------------------+
   | KM_KT_ALG    | asymmetric key encryption      | RSA              |
   |              | algorithm used for transport   |                  |
   |              | of a symmetric key for         |                  |
   |              | PROT_SYM_ALG                   |                  |
   +--------------+--------------------------------+------------------+
   | KM_KD_ALG    | symmetric key derivation       | PBKDF2           |

   (The only change in this fragment: the KM_KA_ALG row reads
   "D-H, ECDH" in -10 and "DH, ECDH" in -11.)
   [skipping to change at page 29, line 21]
Appendix A.  History of changes

   Note: This appendix will be deleted in the final version of the
   document.
   As in -10:

   From version 09 -> 10:

   *  Removed the pre-RFC5378 work disclaimer after the RFC 4210 authors
      granted BCP78 rights to the IETF Trust

   *  Implemented the changes proposed by Quynh, (see thread "Quynh
      Action: draft-ietf-lamps-cmp-algorithms-08.txt") and removed
      markers for ToDos regarding this review of SHAKE and KMAC usage as
      well as on the tables in Section 7

   As in -11:

   From version 10 -> 11:

   *  Changes on the tables in Section 7 after direct exchange with
      Quynh

   *  Removed the pre-RFC5378 work disclaimer after the RFC 4210 authors
      granted BCP78 rights to the IETF Trust

   *  Implemented the changes proposed by Quynh, (see thread "Quynh
      Action: draft-ietf-lamps-cmp-algorithms-08.txt") and removed
      markers for ToDos regarding this review of SHAKE and KMAC usage as
      well as on the tables in Section 7

   From version 08 -> 09:
End of changes.  12 change blocks.  88 lines changed or deleted, 93 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/