--- 1/draft-ietf-lamps-cmp-algorithms-10.txt 2022-02-15 09:13:20.073250204 -0800 +++ 2/draft-ietf-lamps-cmp-algorithms-11.txt 2022-02-15 09:13:20.137251821 -0800 @@ -1,21 +1,21 @@ LAMPS Working Group H. Brockhaus, Ed. Internet-Draft H. Aschauer Updates: 4210 (if approved) Siemens Intended status: Standards Track M. Ounsworth -Expires: 18 August 2022 J. Gray +Expires: 19 August 2022 J. Gray Entrust - 14 February 2022 + 15 February 2022 Certificate Management Protocol (CMP) Algorithms - draft-ietf-lamps-cmp-algorithms-10 + draft-ietf-lamps-cmp-algorithms-11 Abstract This document updates RFC 4210 describing the conventions for using concrete cryptographic algorithms with the Certificate Management Protocol (CMP). CMP is used to enroll and further manage the lifecycle of X.509 certificates. Status of This Memo @@ -25,21 +25,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 18 August 2022. + This Internet-Draft will expire on 19 August 2022. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -768,105 +768,107 @@ KM_KW_ALG, PROT_SYM_ALG). The following table shows the algorithms listed in this document sorted by their bits of security. If an implementation intends to enroll and manage certificate for keys of a specific security, it SHALL implement and use algorithms of at least that strength for the respective PKI management operation. If one row does not provide a suitable algorithm, the implementer MUST choose one offering more bits of security. - +========+============+=========+==============+=========+==========+ - |Bits of |Recommended |RSA / D-H|Elliptic curve|Hash |Symmetric | - |security|for managing| | |function |encryption| - | |keys up to | | |or XOF | | - | | | | |with | | - | | | | |specified| | - | | | | |output | | - | | | | |length | | - | | | | |(d) | | - +========+============+=========+==============+=========+==========+ - |112 |RSA2048, |RSA2048, |ECDSA/ECDH |SHA224 | | - | |secp224r1 |D-H(2048)|(secp224r1) | | | - +--------+------------+---------+--------------+---------+----------+ - |128 |RSA3072, |RSA3072, |ECDSA/ECDH |SHA256, |AES-128 | - | |secp256r1, |D-H(3072)|(secp256r1), |SHAKE128 | | - | |Curve25519 | |Ed25519/X25519|(d=256) | | - +--------+------------+---------+--------------+---------+----------+ - |192 |secp384r1 | |ECDSA/ECDH |SHA384 |AES-192 | - | | | |(secp384r1) | | | - +--------+------------+---------+--------------+---------+----------+ - |224 |Curve448 | |Ed448/X448 | | | - +--------+------------+---------+--------------+---------+----------+ - |256 |secp521r1 | |ECDSA/ECDH |SHA512, |AES-256 | - | | | |(secp521r1) |SHAKE256 | | - | | | | |(d=512) | | - +--------+------------+---------+--------------+---------+----------+ + +=======+==========+================+==================+============+ + | Bits | RSA or | Elliptic | Hash function or | Symmetric | + | of | DH | curve | XOF with | encryption | + | secu- | | | specified output | | + | rity | | | length (d) | | + 
+=======+==========+================+==================+============+ + | 112 | RSA2048, | ECDSA/ECDH | SHA224 | | + | | DH(2048) | (secp224r1) | | | + +-------+----------+----------------+------------------+------------+ + | 128 | RSA3072, | ECDSA/ECDH | SHA256, | AES-128 | + | | DH(3072) | (secp256r1), | SHAKE128(d=256) | | + | | | Ed25519/ | | | + | | | X25519 | | | + | | | (Curve25519) | | | + +-------+----------+----------------+------------------+------------+ + | 192 | | ECDSA/ECDH | SHA384 | AES-192 | + | | | (secp384r1) | | | + +-------+----------+----------------+------------------+------------+ + | 224 | | Ed448/X448 | | | + | | | (Curve448) | | | + +-------+----------+----------------+------------------+------------+ + | 256 | | ECDSA/ECDH | SHA512, | AES-256 | + | | | (secp521r1) | SHAKE256(d=512) | | + +-------+----------+----------------+------------------+------------+ Table 1: Cryptographic algorithms sorted by their bits of security The following table shows the cryptographic algorithms sorted by their usage in CMP and with more details. 
- +=====+=============+===============+===============+===============+ - |Bits |Recommended |CMP protection |Key management | Key-wrap and | - |of |for managing | |technique | symmetric | - |secu-|keys up to | | | encryption | - |rity | | | | | - +=====+=============+===============+===============+===============+ + +========+==========+===============+===============+===============+ + |Bits of |Key types |CMP protection |Key management | Key-wrap and | + |security|to be | |technique | symmetric | + | |certified | | | encryption | + +========+==========+===============+===============+===============+ | | |MSG_SIG_ALG, |PROT_ENC_ALG or| PROT_SYM_ALG, | | | |MSG_MAC_ALG |KM_KA_ALG, | SYM_PENC_ALG | | | | |KM_KT_ALG, | or | | | | |KM_KD_ALG | KM_KW_ALG | - +-----+-------------+---------------+---------------+---------------+ - |112 |RSA2048, |RSASSA-PSS |ESDH (2048), | | + +--------+----------+---------------+---------------+---------------+ + |112 |RSA2048, |RSASSA-PSS |DH(2048), | | | |secp224r1 |(2048, SHA224 |RSAES-OAEP | | - | | |or SHAKE128), |(2048, SHA224),| | - | | |RSAEncryption |RSAEncryption | | - | | |(2048, SHA224),|(2048), | | - | | |ECDSA |ECDH | | - | | |(secp224r1, |(secp224r1, | | - | | |SHA224 or |SHA224), | | - | | |SHAKE128), |PBKDF2 (HMAC- | | - | | |PBMAC1 (HMAC- |SHA224) | | + | | |or SHAKE128 |(2048, SHA224),| | + | | |(d=256)), |RSAEncryption | | + | | |RSAEncryption |(2048, SHA224),| | + | | |(2048, SHA224),|ECDH | | + | | |ECDSA |(secp224r1, | | + | | |(secp224r1, |SHA224), | | + | | |SHA224 or |PBKDF2 (HMAC- | | + | | |SHAKE128 |SHA224) | | + | | |(d=256)), | | | + | | |PBMAC1 (HMAC- | | | | | |SHA224) | | | - +-----+-------------+---------------+---------------+---------------+ - |128 |RSA3072, |RSASSA-PSS |ESDH (3072), | AES-128 | + +--------+----------+---------------+---------------+---------------+ + |128 |RSA3072, |RSASSA-PSS |DH(3072), | AES-128 | | |secp256r1, |(3072, SHA256 |RSAES-OAEP | | - | |Curve25519 |or SHAKE128), 
|(3072, SHA256),| | - | | |RSAEncryption |RSAEncryption | | - | | |(3072, SHA256),|(3072), | | - | | |ECDSA |ECDH | | - | | |(secp256r1, |(secp256r1, | | - | | |SHA256 or |SHA256), | | - | | |SHAKE128), |X25519, | | - | | |Ed25519 |PBKDF2 (HMAC- | | - | | |(SHA512), |SHA256) | | + | |Curve25519|or SHAKE128 |(3072, SHA256),| | + | | |(d=256)), |RSAEncryption | | + | | |RSAEncryption |(3072, SHA256),| | + | | |(3072, SHA256),|ECDH | | + | | |ECDSA |(secp256r1, | | + | | |(secp256r1, |SHA256), | | + | | |SHA256 or |X25519, | | + | | |SHAKE128 |PBKDF2 (HMAC- | | + | | |(d=256)), |SHA256) | | + | | |Ed25519 | | | + | | |(SHA512), | | | | | |PBMAC1 (HMAC- | | | | | |SHA256) | | | - +-----+-------------+---------------+---------------+---------------+ + +--------+----------+---------------+---------------+---------------+ |192 |secp384r1 |ECDSA |ECDH | AES-192 | | | |(secp384r1, |(secp384r1, | | | | |SHA384), |SHA384), | | | | |PBMAC1 (HMAC- |PBKDF2 (HMAC- | | | | |SHA384) |SHA384) | | - +-----+-------------+---------------+---------------+---------------+ + +--------+----------+---------------+---------------+---------------+ |224 |Curve448 |Ed448 |X448 | | | | |(SHAKE256) | | | - +-----+-------------+---------------+---------------+---------------+ + +--------+----------+---------------+---------------+---------------+ |256 |secp521r1 |ECDSA |ECDH | AES-256 | | | |(secp521r1, |(secp521r1, | | | | |SHA512 or |SHA512), | | - | | |SHAKE256), |PBKDF2 (HMAC- | | - | | |PBMAC1 (HMAC- |SHA512) | | + | | |SHAKE256 |PBKDF2 (HMAC- | | + | | |(d=512)), |SHA512) | | + | | |PBMAC1 (HMAC- | | | | | |SHA512) | | | - +-----+-------------+---------------+---------------+---------------+ + +--------+----------+---------------+---------------+---------------+ Table 2: Cryptographic algorithms sorted by their bits of security and usage by CMP To avoid consuming too much computational resources it is recommended to choose a set of algorithms offering roughly the same level of security. 
Below are provided several algorithm profiles which are balanced, assuming the implementer chooses MAC secrets and/or certificate profiles of at least equivalent strength. @@ -906,21 +908,21 @@ | |encryption of| | |EDE, CBC | | |an end | | |Mode), RC5, | | |entity's | | |CAST-128 | | |private key | | | | | |where | | | | | |symmetric key| | | | | |is | | | | | |distributed | | | | | |out-of-band | | | | +------------+-------------+---------+-----------------+------------+ - |PROT_ENC_ALG|asymmetric |D-H |ECDH, RSA | | + |PROT_ENC_ALG|asymmetric |DH |ECDH, RSA | | | |algorithm | | | | | |used for | | | | | |encryption of| | | | | |(symmetric | | | | | |keys for | | | | | |encryption | | | | | |of) private | | | | | |keys | | | | | |transported | | | | | |in | | | | @@ -937,30 +939,30 @@ | |is encrypted | | | | | |using | | | | | |PROT_ENC_ALG)| | | | +------------+-------------+---------+-----------------+------------+ Table 3: Algorithms used within RFC 4210 Appendix D.2 [RFC4210] Mandatory Algorithm Identifiers and Specifications: RSA: sha256WithRSAEncryption with 2048 bit, see Section 3.1 - PasswordBasedMac: id-PasswordBasedMac, see Section 6.1 (with id- sha256 as the owf parameter, see Section 2.1 and id-hmacWithSHA256 as the mac parameter, see Section 6.2.1) + PBMAC1: id-PBMAC1, see Section 6.1.2 (with id-PBKDF2 as the key derivation function, see Section 4.4.1 and id-hmacWithSHA256 as message authentication scheme, see Section 6.2.1). It is RECOMMENDED to prefer the usage of PBMAC1 instead of PasswordBasedMac. - D-H: id-alg-ESDH, see Section 4.1.1 + DH: id-alg-ESDH, see Section 4.1.1 AES-wrap: id-aes128-wrap, see Section 4.3.1 AES-CBC: id-aes128-CBC, see Section 5.1 7.2. Algorithm Profile for Lightweight CMP Profile The following table contains definitions of algorithms which MAY be supported by implementations of the Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile]. 
@@ -991,21 +993,21 @@ | MSG_SIG_ALG | protection of PKI messages | RSA, ECDSA, | | | using signature and for | EdDSA | | | SignedData, e.g., a private | | | | key transported in PKIMessages | | +--------------+--------------------------------+------------------+ | MSG_MAC_ALG | protection of PKI messages | PasswordBasedMac | | | using MACing | (see Section 9), | | | | PBMAC1, HMAC, | | | | KMAC | +--------------+--------------------------------+------------------+ - | KM_KA_ALG | asymmetric key agreement | D-H, ECDH | + | KM_KA_ALG | asymmetric key agreement | DH, ECDH | | | algorithm used for agreement | | | | of a symmetric key for use | | | | with KM_KW_ALG | | +--------------+--------------------------------+------------------+ | KM_KT_ALG | asymmetric key encryption | RSA | | | algorithm used for transport | | | | of a symmetric key for | | | | PROT_SYM_ALG | | +--------------+--------------------------------+------------------+ | KM_KD_ALG | symmetric key derivation | PBKDF2 | @@ -1317,21 +1319,24 @@ Infrastructure: Additional Algorithm Identifiers for RSASSA-PSS and ECDSA Using SHAKEs", RFC 8692, DOI 10.17487/RFC8692, December 2019, . Appendix A. History of changes Note: This appendix will be deleted in the final version of the document. - From version 09 -> 10: + From version 10 -> 11: + + * Changes on the tables in Section 7 after direct exchange with + Quynh * Removed the pre-RFC5378 work disclaimer after the RFC 4210 authors granted BCP78 rights to the IETF Trust * Implemented the changes proposed by Quynh, (see thread "Quynh Action: draft-ietf-lamps-cmp-algorithms-08.txt") and removed markers for ToDos regarding this review of SHAKE and KMAC usage as well as on the tables in Section 7 From version 08 -> 09:
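Review bot: In the @@ -768 hunk, the Key management column of Table 2 now reads "RSAEncryption (2048, SHA224)" in the 112-bit row and "RSAEncryption (3072, SHA256)" in the 128-bit row, where version 10 had "RSAEncryption (2048)" and "RSAEncryption (3072)". The same column lists RSAES-OAEP separately, so this entry is rsaEncryption key transport (PKCS #1 v1.5), which takes no hash parameter. The hash looks carried over from the CMP protection column, where RSAEncryption is a signature over a digest. Suggest restoring the hash-free form in the Key management column, or stating what the hash applies to there. The 10 -> 11 change-log entry says only "Changes on the tables in Section 7", so the intent cannot be confirmed from the patch.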
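Review bot: The "D-H" to "DH" rename in the @@ -937 hunk leaves the mandatory entry as "DH: id-alg-ESDH, see Section 4.1.1", while the @@ -768 hunk also replaces "ESDH (2048)" and "ESDH (3072)" in Table 2 with "DH(2048)" and "DH(3072)". In the lines shown, the label no longer says that the ephemeral-static variant is meant, and the only remaining hint is the identifier name. Suggest either keeping "ESDH" in the Table 2 key management cells or adding a short note under the tables that "DH" refers to the algorithm of Section 4.1.1, so the table label and the identifier read consistently.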
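Review bot: In the Appendix A hunk (@@ -1317), the heading "From version 09 -> 10:" is replaced by "From version 10 -> 11:" rather than a new section being added above it, so the two existing bullets ("Removed the pre-RFC5378 work disclaimer ..." and "Implemented the changes proposed by Quynh ...") now sit under the 10 -> 11 heading and the 09 -> 10 entry disappears from the history. Suggest keeping the "From version 09 -> 10:" line in place above those two bullets and inserting the new heading with its single bullet ("Changes on the tables in Section 7 after direct exchange with Quynh") before it.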