rfcdiff of draft-ietf-lamps-cmp-algorithms-12.txt against draft-ietf-lamps-cmp-algorithms-13.txt
(text that differs between the two drafts is marked [-12] / [-13])

LAMPS Working Group                                        H. Brockhaus, Ed.
Internet-Draft                                                   H. Aschauer
Updates: 4210 (if approved)                                          Siemens
Intended status: Standards Track                                M. Ounsworth
Expires: 8 October 2022 [-12] / 14 November 2022 [-13]               J. Gray
                                                                     Entrust
                                       6 April 2022 [-12] / 13 May 2022 [-13]

Certificate Management Protocol (CMP) Algorithms
draft-ietf-lamps-cmp-algorithms-12 [-12] / draft-ietf-lamps-cmp-algorithms-13 [-13]
Abstract Abstract
This document updates RFC 4210 describing the conventions for using This document describes the conventions for using several
concrete cryptographic algorithms with the Certificate Management cryptographic algorithms with the Certificate Management Protocol
Protocol (CMP). CMP is used to enroll and further manage the (CMP). CMP is used to enroll and further manage the lifecycle of
lifecycle of X.509 certificates. X.509 certificates. This document also updates the algorithm use
profile from RFC 4210 Appendix D.2.
Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on 8 October 2022 [-12] /
14 November 2022 [-13].

Copyright Notice

Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights
[skipping to change at page 3, line 18]

1. Introduction

1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.

[-13 only] In the following sections ASN.1 values and types are used
to indicate where algorithm identifier and output values are
provided. These ASN.1 values and types are defined in CMP [RFC4210],
CRMF [RFC4211], CMP Updates [I-D.ietf-lamps-cmp-updates], or CMS
[RFC5652].
2. Message Digest Algorithms

This section provides references to object identifiers and
conventions to be employed by CMP implementations that support SHA2
or SHAKE message digest algorithms.

Digest algorithm identifiers are located in:

* hashAlg field of OOBCertHash and CertStatus
* owf field of Challenge, PBMParameter, and DHBMParameter

[skipping to change at page 4, line 28]

Specific conventions to be considered are specified in RFC 5754
Section 2 [RFC5754].
2.2. SHAKE

The SHA-3 family of hash functions is defined in FIPS Pub 202
[NIST.FIPS.202] and includes fixed output length variants SHA3-224,
SHA3-256, SHA3-384, and SHA3-512, as well as extendable-output
functions (SHAKEs) SHAKE128 and SHAKE256.

[-12] Currently SHAKE128 and SHAKE256 are the only members of the
SHA3-family which are specified for use in X.509 and PKIX [RFC8692],
and CMS [RFC8702] as one-way hash function for use with RSASSA-PSS
and ECDSA as one-way hash function for use with RSASSA-PSS and ECDSA.

[-13] Currently SHAKE128 and SHAKE256 are the only members of the
SHA3-family which are specified for use in X.509 certificates
[RFC8692] and CMS [RFC8702] as one-way hash function for use with
RSASSA-PSS and ECDSA.

SHAKE is an extendable-output function and FIPS Pub 202
[NIST.FIPS.202] prohibits using SHAKE as general-purpose hash
function. When SHAKE is used in CMP as a message digest algorithm,
the output length MUST be 256 bits for SHAKE128 and 512 bits for
SHAKE256.

The message digest algorithms SHAKE128 and SHAKE256 are identified by
the following OIDs:
[skipping to change at page 12, line 20]

Key derivation algorithms are only used in CMP when using CMS
[RFC5652] EnvelopedData together with password-based key management
technique.

Key derivation algorithm identifiers are located in:

* keyDerivationAlgorithm field of PasswordRecipientInfo

When using the password-based key management technique with
EnvelopedData as specified in CMP Updates together with
[-12: MAC-based | -13: message authentication code (MAC)-based]
PKIProtection, the salt for the password-based MAC and KDF must be
chosen independently to ensure usage of independent symmetric keys.

4.4.1. PBKDF2

The password-based key derivation function 2 (PBKDF2) is defined in
RFC 8018 [RFC8018].

Password-based key derivation function 2 has the algorithm
identifier:

id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
[skipping to change at page 13, line 30 [-12] / line 33 [-13]]

nistAlgorithm(4) aes(1) 22 }

id-aes256-CBC OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
country(16) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) aes(1) 42 }

Specific conventions to be considered for AES-CBC content encryption
are specified in RFC 3565 [RFC3565].

6. Message Authentication Code Algorithms

The [-12: message authentication code | -13: message authentication
code (MAC)] is either used for shared secret-based CMP message
protection or together with the password-based key derivation
function (PBKDF2).

The message authentication code algorithm is also referred to as
MSG_MAC_ALG in Section 7, RFC 4210 Appendix D and E [RFC4210], and
the Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile].

6.1. Password-Based MAC

Password-based [-12: MAC | -13: message authentication code (MAC)]
algorithms combine the derivation of a symmetric key from a password
or other shared secret information and a symmetric key-based MAC
function as specified in Section 6.2 using this derived key.

Message authentication code algorithm identifiers are located in:

* protectionAlg field of PKIHeader

Message authentication code values are located in:

* PKIProtection field of PKIMessage

6.1.1. PasswordBasedMac
[skipping to change at page 14, line 40 [-12] / line 42 [-13]]

PBMAC1 has the following OID:

id-PBMAC1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-5(5) 14 }

Specific conventions to be considered for PBMAC1 are specified in
RFC 8018 Section 7.1 and A.5 [RFC8018].

6.2. Symmetric Key-Based MAC

Symmetric key-based [-12: MAC | -13: message authentication code
(MAC)] algorithms are used for deriving the symmetric encryption key
when using PBKDF2 as described in Section 4.4.1 as well as with
Password-based MAC as described in Section 6.1.

Message authentication code algorithm identifiers are located in:

* protectionAlg field of PKIHeader
* messageAuthScheme field of PBMAC1
* mac field of PBMParameter
* prf field of PBKDF2-params

Message authentication code values are located in:

* PKIProtection field of PKIMessage

6.2.1. SHA2-Based HMAC

The HMAC algorithm is defined in RFC 2104 [RFC2104] and
FIPS Pub 198-1 [NIST.FIPS.198-1].

The HMAC algorithm used with SHA2 message digest algorithms is
[skipping to change at page 19, line 42 [-12] / page 20, line 4 [-13]]

Use: Description of where and for what the algorithm is used

Mandatory: Algorithms which MUST be supported by conforming
implementations

Optional: Algorithms which are OPTIONAL to support

Deprecated: Algorithms from RFC 4210 [RFC4210] which SHOULD NOT be
used anymore
[the -12 and -13 versions of this table differ only in column widths]

+============+==============+======+===================+============+
|Name        |Use           |Manda-| Optional          |Deprecated  |
|            |              |tory  |                   |            |
+============+==============+======+===================+============+
|MSG_SIG_ALG |protection of |RSA   | ECDSA, EdDSA      |DSA,        |
|            |PKI messages  |      |                   |combinations|
|            |using         |      |                   |with MD5 and|
|            |signature     |      |                   |SHA-1       |
+------------+--------------+------+-------------------+------------+
|MSG_MAC_ALG |protection of |PBMAC1| PasswordBasedMac, |X9.9        |
|            |PKI messages  |      | HMAC, KMAC        |            |
|            |using MACing  |      |                   |            |
+------------+--------------+------+-------------------+------------+
|SYM_PENC_ALG|symmetric     |AES-  |                   |3-DES(3-key-|
|            |encryption of |wrap  |                   |EDE, CBC    |
|            |an end        |      |                   |Mode), RC5, |
|            |entity's      |      |                   |CAST-128    |
|            |private key   |      |                   |            |
|            |where         |      |                   |            |
|            |symmetric key |      |                   |            |
|            |is distributed|      |                   |            |
|            |out-of-band   |      |                   |            |
+------------+--------------+------+-------------------+------------+
|PROT_ENC_ALG|asymmetric    |DH    | ECDH, RSA         |            |
|            |algorithm used|      |                   |            |
|            |for encryption|      |                   |            |
|            |of (symmetric |      |                   |            |
|            |keys for      |      |                   |            |
|            |encryption of)|      |                   |            |
|            |private keys  |      |                   |            |
|            |transported in|      |                   |            |
|            |PKIMessages   |      |                   |            |
+------------+--------------+------+-------------------+------------+
|PROT_SYM_ALG|symmetric     |AES-  |                   |3-DES(3-key-|
|            |encryption    |CBC   |                   |EDE, CBC    |
|            |algorithm used|      |                   |Mode), RC5, |
|            |for encryption|      |                   |CAST-128    |
|            |of private key|      |                   |            |
|            |bits (a key of|      |                   |            |
|            |this type is  |      |                   |            |
|            |encrypted     |      |                   |            |
|            |using         |      |                   |            |
|            |PROT_ENC_ALG) |      |                   |            |
+------------+--------------+------+-------------------+------------+

Table 3: Algorithms Used Within RFC 4210 Appendix D.2
Mandatory Algorithm Identifiers and Specifications:

RSA: sha256WithRSAEncryption with 2048 bit, see Section 3.1

PasswordBasedMac: id-PasswordBasedMac, see Section 6.1 (with
id-sha256 as the owf parameter, see Section 2.1 and id-hmacWithSHA256
as the mac parameter, see Section 6.2.1)

PBMAC1: id-PBMAC1, see Section 6.1.2 (with id-PBKDF2 as the key
derivation function, see Section 4.4.1 and id-hmacWithSHA256 as
message authentication scheme, see Section 6.2.1). It is RECOMMENDED
to prefer the usage of PBMAC1 instead of PasswordBasedMac.

DH: id-alg-ESDH, see Section 4.1.1
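The two mandatory MAC profiles listed above (PBMAC1 with id-PBKDF2 and id-hmacWithSHA256; PasswordBasedMac with id-sha256 as owf and id-hmacWithSHA256 as mac) together with the rule from the text before Section 4.4.1 that the MAC salt and the PasswordRecipientInfo KDF salt are chosen independently, as an added Python example that is not part of the draft or of any CMP implementation. The shared secret and the PKIMessage bytes are constructed placeholders; a real implementation MACs the DER-encoded ProtectedPart.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the draft). In a real PKIMessage the
# MAC is computed over the DER-encoded ProtectedPart (header and body);
# here a fixed byte string stands in for it.
SHARED_SECRET = b"constructed-shared-secret"
PROTECTED_PART = b"constructed DER bytes of ProtectedPart"


def pbmac1_hmac_sha256(secret: bytes, salt: bytes, iterations: int,
                       message: bytes, key_len: int = 32) -> bytes:
    """PBMAC1 (RFC 8018 Section 7.1) as the mandatory profile instantiates it:
    id-PBKDF2 as keyDerivationFunc and id-hmacWithSHA256 as both PBKDF2 prf
    and messageAuthScheme. Returns MAC(DK, M), DK = PBKDF2(P, S, c, dkLen)."""
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, key_len)
    return hmac.new(dk, message, "sha256").digest()


def password_based_mac_sha256(secret: bytes, salt: bytes, iterations: int,
                              message: bytes) -> bytes:
    """PasswordBasedMac (RFC 4210 Section 5.1.3.1) with id-sha256 as owf and
    id-hmacWithSHA256 as mac: BASEKEY = OWF applied iterationCount times to
    (secret || salt), then HMAC(BASEKEY, message)."""
    basekey = secret + salt
    for _ in range(iterations):
        basekey = hashlib.sha256(basekey).digest()
    return hmac.new(basekey, message, "sha256").digest()


def verify_protection(expected: bytes, received: bytes) -> bool:
    """Compare a received PKIProtection value in constant time."""
    return hmac.compare_digest(expected, received)


def derive_kek(secret: bytes, salt: bytes, iterations: int,
               key_len: int = 32) -> bytes:
    """Key-encryption key for PasswordRecipientInfo (Section 4.4.1), derived
    with the same PBKDF2/HMAC-SHA256 that PBMAC1 uses internally."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, key_len)


def mac_and_kek_keys_independent(secret: bytes, mac_salt: bytes,
                                 kek_salt: bytes, iterations: int) -> bool:
    """Check the salt rule: with prf, iteration count and key length held
    equal, the PBMAC1 key and the PasswordRecipientInfo KEK are distinct
    only if their salts are chosen independently."""
    mac_key = hashlib.pbkdf2_hmac("sha256", secret, mac_salt, iterations, 32)
    kek = derive_kek(secret, kek_salt, iterations)
    return not hmac.compare_digest(mac_key, kek)


if __name__ == "__main__":
    tag = pbmac1_hmac_sha256(SHARED_SECRET, b"mac-salt", 10000, PROTECTED_PART)
    print("PBMAC1 tag:", tag.hex())
    print("independent salts ->",
          mac_and_kek_keys_independent(SHARED_SECRET, b"mac-salt", b"kek-salt", 10000))
    print("shared salt ->",
          mac_and_kek_keys_independent(SHARED_SECRET, b"same-salt", b"same-salt", 10000))
```

A receiver recomputes the tag with the sender's salt and iteration count from the PBMAC1 or PBMParameter parameters and checks it with verify_protection; reusing the MAC salt for the KDF collapses the two keys into one, which is what the shared-salt call shows.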
[skipping to change at page 24, line 34]

Many thanks also to all reviewers like Serge Mister, Mark Ferreira,
Yuefei Lu, Tomas Gustavsson, Lijun Liao, David von Oheimb and Steffen
Fries for their input and feedback to this document. Apologies to
all reviewers and supporters not mentioned here.
11. Normative References

[I-D.ietf-lamps-cmp-updates]
    Brockhaus, H., Oheimb, D. V., and J. Gray, "Certificate
    Management Protocol (CMP) Updates", Work in Progress,
    Internet-Draft,
    [-12] draft-ietf-lamps-cmp-updates-17, 12 January 2022,
    <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cmp-updates-17>.
    [-13] draft-ietf-lamps-cmp-updates-18, 6 April 2022,
    <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cmp-updates-18>.

[I-D.ietf-lamps-lightweight-cmp-profile]
    Brockhaus, H., Oheimb, D. V., and S. Fries, "Lightweight
    Certificate Management Protocol (CMP) Profile", Work in
    Progress, Internet-Draft,
    [-12] draft-ietf-lamps-lightweight-cmp-profile-10, 1 February 2022,
    <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile-10>.
    [-13] draft-ietf-lamps-lightweight-cmp-profile-11, 15 April 2022,
    <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-lightweight-cmp-profile-11>.

[NIST.FIPS.180-4]
    Dang, Quynh H., "Secure Hash Standard", NIST FIPS 180-4,
    DOI 10.6028/NIST.FIPS.180-4, July 2015,
    <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf>.

[NIST.FIPS.186-4]
    National Institute of Standards and Technology (NIST),
    "Digital Signature Standard (DSS)", NIST FIPS 186-4,

[skipping to change at page 29, line 21]

    Infrastructure: Additional Algorithm Identifiers for
    RSASSA-PSS and ECDSA Using SHAKEs", RFC 8692,
    DOI 10.17487/RFC8692, December 2019,
    <https://www.rfc-editor.org/info/rfc8692>.
Appendix A. History of Changes

Note: This appendix will be deleted in the final version of the
document.

[-13 only] From version 12 -> 13:

* Providing changes addressing comments from OPSDIR and GENART last
  call reviews

From version 11 -> 12:

* Capitalized all headlines

From version 10 -> 11:

* Changes on the tables in Section 7 after direct exchange with
  Quynh

From version 09 -> 10:

End of changes. 18 change blocks. 80 lines changed or deleted, 86 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/