| draft-ietf-lamps-cms-hash-sig-06.txt | draft-ietf-lamps-cms-hash-sig-07.txt | |||
|---|---|---|---|---|
| INTERNET-DRAFT R. Housley | INTERNET-DRAFT R. Housley | |||
| Internet Engineering Task Force (IETF) Vigil Security | Internet Engineering Task Force (IETF) Vigil Security | |||
| Intended Status: Proposed Standard | Intended Status: Proposed Standard | |||
| Expires: 26 August 2019 26 February 2019 | Expires: 6 September 2019 6 March 2019 | |||
| Use of the HSS/LMS Hash-based Signature Algorithm | Use of the HSS/LMS Hash-based Signature Algorithm | |||
| in the Cryptographic Message Syntax (CMS) | in the Cryptographic Message Syntax (CMS) | |||
| <draft-ietf-lamps-cms-hash-sig-06> | <draft-ietf-lamps-cms-hash-sig-07> | |||
| Abstract | Abstract | |||
| This document specifies the conventions for using the the HSS/LMS | This document specifies the conventions for using the the HSS/LMS | |||
| hash-based signature algorithm with the Cryptographic Message Syntax | hash-based signature algorithm with the Cryptographic Message Syntax | |||
| (CMS). In addition, the algorithm identifier and public key syntax | (CMS). In addition, the algorithm identifier and public key syntax | |||
| are provided. The HSS/LMS algorithm is one form of hash-based | are provided. The HSS/LMS algorithm is one form of hash-based | |||
| digital signature; it is described in [HASHSIG]. | digital signature; it is described in [HASHSIG]. | |||
| Status of this Memo | Status of this Memo | |||
| skipping to change at page 2, line 25 ¶ | skipping to change at page 2, line 25 ¶ | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.1. ASN.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.1. ASN.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. HSS/LMS Hash-based Signature Algorithm Overview . . . . . . . 3 | 1.3. Algorithm Considerations . . . . . . . . . . . . . . . . . 3 | |||
| 2. HSS/LMS Hash-based Signature Algorithm Overview . . . . . . . 4 | ||||
| 2.1. Hierarchical Signature System (HSS) . . . . . . . . . . . 4 | 2.1. Hierarchical Signature System (HSS) . . . . . . . . . . . 4 | |||
| 2.2. Leighton-Micali Signature (LMS) . . . . . . . . . . . . . 4 | 2.2. Leighton-Micali Signature (LMS) . . . . . . . . . . . . . 5 | |||
| 2.3. Leighton-Micali One-time Signature Algorithm (LM-OTS) . . 5 | 2.3. Leighton-Micali One-time Signature Algorithm (LM-OTS) . . 6 | |||
| 3. Algorithm Identifiers and Parameters . . . . . . . . . . . . . 6 | 3. Algorithm Identifiers and Parameters . . . . . . . . . . . . . 7 | |||
| 4. HSS/LMS Public Key Identifier . . . . . . . . . . . . . . . . 7 | 4. HSS/LMS Public Key Identifier . . . . . . . . . . . . . . . . 8 | |||
| 5. Signed-data Conventions . . . . . . . . . . . . . . . . . . . 8 | 5. Signed-data Conventions . . . . . . . . . . . . . . . . . . . 8 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 6.1. Implementation Security Considerations . . . . . . . . . . 9 | ||||
| 6.2. Algorithm Security Considerations . . . . . . . . . . . . 9 | ||||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 8.1. Normative References . . . . . . . . . . . . . . . . . . . 10 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . . 11 | 8.2. Informative References . . . . . . . . . . . . . . . . . . 11 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . . 11 | ||||
| Appendix: ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . 13 | Appendix: ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 16 | Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14 | ||||
| 1. Introduction | 1. Introduction | |||
| This document specifies the conventions for using the HSS/LMS hash- | This document specifies the conventions for using the HSS/LMS hash- | |||
| based signature algorithm with the Cryptographic Message Syntax (CMS) | based signature algorithm with the Cryptographic Message Syntax (CMS) | |||
| [CMS] signed-data content type. The Leighton-Micali Signature (LMS) | [CMS] signed-data content type. The Leighton-Micali Signature (LMS) | |||
| system provides a one-time digital signature that is a variant of | system provides a one-time digital signature that is a variant of | |||
| Merkle Tree Signatures (MTS). The Hierarchical Signature System | Merkle Tree Signatures (MTS). The Hierarchical Signature System | |||
| (HSS) is built on top of the LMS system to efficiently scale for a | (HSS) is built on top of the LMS system to efficiently scale for a | |||
| larger numbers of signatures. The HSS/LMS algorithm is one form of | larger numbers of signatures. The HSS/LMS algorithm is one form of | |||
| skipping to change at page 3, line 47 ¶ | skipping to change at page 3, line 47 ¶ | |||
| 1.3. Algorithm Considerations | 1.3. Algorithm Considerations | |||
| At Black Hat USA 2013, some researchers gave a presentation on the | At Black Hat USA 2013, some researchers gave a presentation on the | |||
| current state of public key cryptography. They said: "Current | current state of public key cryptography. They said: "Current | |||
| cryptosystems depend on discrete logarithm and factoring which has | cryptosystems depend on discrete logarithm and factoring which has | |||
| seen some major new developments in the past 6 months" [BH2013]. | seen some major new developments in the past 6 months" [BH2013]. | |||
| They encouraged preparation for a day when RSA and DSA cannot be | They encouraged preparation for a day when RSA and DSA cannot be | |||
| depended upon. | depended upon. | |||
| A post-quantum cryptosystem is a system that is secure against | A post-quantum cryptosystem [PQC] is a system that is secure against | |||
| quantum computers that have more than a trivial number of quantum | quantum computers that have more than a trivial number of quantum | |||
| bits. It is open to conjecture when it will be feasible to build | bits. It is open to conjecture when it will be feasible to build | |||
| such a machine. RSA, DSA, and ECDSA are not post-quantum secure. | such a machine. RSA, DSA, and ECDSA are not post-quantum secure. | |||
| The LM-OTS one-time signature, LMS, and HSS do not depend on discrete | The LM-OTS one-time signature, LMS, and HSS do not depend on discrete | |||
| logarithm or factoring, as a result these algorithms are considered | logarithm or factoring, as a result these algorithms are considered | |||
| to be post-quantum secure. | to be post-quantum secure. | |||
| Hash-based signatures [HASHSIG] are currently defined to use | Hash-based signatures [HASHSIG] are currently defined to use | |||
| exclusively SHA-256 [SHS]. An IANA registry is defined so that other | exclusively SHA-256 [SHS]. An IANA registry is defined so that other | |||
| skipping to change at page 11, line 5 ¶ | skipping to change at page 10, line 42 ¶ | |||
| In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) | In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3) | |||
| registry, change the description for value 17 to | registry, change the description for value 17 to | |||
| "id-alg-hss-lms-hashsig" and change the reference to point to this | "id-alg-hss-lms-hashsig" and change the reference to point to this | |||
| document. | document. | |||
| Also, add the following note to the registry: | Also, add the following note to the registry: | |||
| Value 17, "id-alg-hss-lms-hashsig", is also referred to as | Value 17, "id-alg-hss-lms-hashsig", is also referred to as | |||
| "id-alg-mts-hashsig". | "id-alg-mts-hashsig". | |||
| 8. Acknowledgements | 8. References | |||
| Many thanks to Scott Fluhrer, Jonathan Hammell, Panos Kampanakis, Jim | ||||
| Schaad, Sean Turner, and Daniel Van Geest for their careful review | ||||
| and comments. | ||||
| 9. References | ||||
| 9.1. Normative References | 8.1. Normative References | |||
| [ASN1-B] ITU-T, "Information technology -- Abstract Syntax Notation | [ASN1-B] ITU-T, "Information technology -- Abstract Syntax Notation | |||
| One (ASN.1): Specification of basic notation", ITU-T | One (ASN.1): Specification of basic notation", ITU-T | |||
| Recommendation X.680, 2015. | Recommendation X.680, 2015. | |||
| [ASN1-E] ITU-T, "Information technology -- ASN.1 encoding rules: | [ASN1-E] ITU-T, "Information technology -- ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), Canonical | Specification of Basic Encoding Rules (BER), Canonical | |||
| Encoding Rules (CER) and Distinguished Encoding Rules | Encoding Rules (CER) and Distinguished Encoding Rules | |||
| (DER)", ITU-T Recommendation X.690, 2015. | (DER)", ITU-T Recommendation X.690, 2015. | |||
| skipping to change at page 12, line 5 ¶ | skipping to change at page 11, line 38 ¶ | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in | |||
| RFC 2119 Key Words", BCP 14, RFC 8174, DOI | RFC 2119 Key Words", BCP 14, RFC 8174, DOI | |||
| 10.17487/RFC8174, May 2017, <https://www.rfc- | 10.17487/RFC8174, May 2017, <https://www.rfc- | |||
| editor.org/info/rfc8174>. | editor.org/info/rfc8174>. | |||
| [SHS] National Institute of Standards and Technology (NIST), | [SHS] National Institute of Standards and Technology (NIST), | |||
| FIPS Publication 180-3: Secure Hash Standard, October | FIPS Publication 180-3: Secure Hash Standard, October | |||
| 2008. | 2008. | |||
| 9.2. Informative References | 8.2. Informative References | |||
| [BH2013] Ptacek, T., T. Ritter, J. Samuel, and A. Stamos, "The | [BH2013] Ptacek, T., T. Ritter, J. Samuel, and A. Stamos, "The | |||
| Factoring Dead: Preparing for the Cryptopocalypse", August | Factoring Dead: Preparing for the Cryptopocalypse", August | |||
| 2013. <https://media.blackhat.com/us-13/us-13-Stamos-The- | 2013. <https://media.blackhat.com/us-13/us-13-Stamos-The- | |||
| Factoring-Dead.pdf> | Factoring-Dead.pdf> | |||
| [CMSASN1] Hoffman, P. and J. Schaad, "New ASN.1 Modules for | [CMSASN1] Hoffman, P. and J. Schaad, "New ASN.1 Modules for | |||
| Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911, | Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911, | |||
| DOI 10.17487/RFC5911, June 2010, <http://www.rfc- | DOI 10.17487/RFC5911, June 2010, <http://www.rfc- | |||
| editor.org/info/rfc5911>. | editor.org/info/rfc5911>. | |||
| skipping to change at page 13, line 30 ¶ | skipping to change at page 13, line 20 ¶ | |||
| DEFINITIONS IMPLICIT TAGS ::= BEGIN | DEFINITIONS IMPLICIT TAGS ::= BEGIN | |||
| EXPORTS ALL; | EXPORTS ALL; | |||
| IMPORTS | IMPORTS | |||
| PUBLIC-KEY, SIGNATURE-ALGORITHM, SMIME-CAPS | PUBLIC-KEY, SIGNATURE-ALGORITHM, SMIME-CAPS | |||
| FROM AlgorithmInformation-2009 -- RFC 5911 [CMSASN1] | FROM AlgorithmInformation-2009 -- RFC 5911 [CMSASN1] | |||
| { iso(1) identified-organization(3) dod(6) internet(1) | { iso(1) identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) id-mod(0) | security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-algorithmInformation-02(58) } | id-mod-algorithmInformation-02(58) } ; | |||
| mda-sha256 | ||||
| FROM PKIX1-PSS-OAEP-Algorithms-2009 -- RFC 5912 [PKIXASN1] | ||||
| { iso(1) identified-organization(3) dod(6) | ||||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | ||||
| id-mod-pkix1-rsa-pkalgs-02(54) } ; | ||||
| -- | -- | |||
| -- Object Identifiers | -- Object Identifiers | |||
| -- | -- | |||
| id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | |||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | |||
| smime(16) alg(3) 17 } | smime(16) alg(3) 17 } | |||
| id-alg-mts-hashsig OBJECT IDENTIFIER ::= id-alg-hss-lms-hashsig | id-alg-mts-hashsig OBJECT IDENTIFIER ::= id-alg-hss-lms-hashsig | |||
| skipping to change at page 14, line 4 ¶ | skipping to change at page 13, line 31 ¶ | |||
| -- | -- | |||
| -- Object Identifiers | -- Object Identifiers | |||
| -- | -- | |||
| id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | |||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | |||
| smime(16) alg(3) 17 } | smime(16) alg(3) 17 } | |||
| id-alg-mts-hashsig OBJECT IDENTIFIER ::= id-alg-hss-lms-hashsig | id-alg-mts-hashsig OBJECT IDENTIFIER ::= id-alg-hss-lms-hashsig | |||
| -- | -- | |||
| -- Signature Algorithm and Public Key | -- Signature Algorithm and Public Key | |||
| -- | -- | |||
| sa-HSS-LMS-HashSig SIGNATURE-ALGORITHM ::= { | sa-HSS-LMS-HashSig SIGNATURE-ALGORITHM ::= { | |||
| IDENTIFIER id-alg-hss-lms-hashsig | IDENTIFIER id-alg-hss-lms-hashsig | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| HASHES { mda-sha256 } | ||||
| PUBLIC-KEYS { pk-HSS-LMS-HashSig } | PUBLIC-KEYS { pk-HSS-LMS-HashSig } | |||
| SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig } } | SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig } } | |||
| pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | |||
| IDENTIFIER id-alg-hss-lms-hashsig | IDENTIFIER id-alg-hss-lms-hashsig | |||
| KEY HSS-LMS-HashSig-PublicKey | KEY HSS-LMS-HashSig-PublicKey | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| CERT-KEY-USAGE | CERT-KEY-USAGE | |||
| { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | |||
| skipping to change at page 14, line 40 ¶ | skipping to change at page 14, line 20 ¶ | |||
| -- | -- | |||
| -- Expand the S/MIME capabilities set used by CMS [CMSASN1] | -- Expand the S/MIME capabilities set used by CMS [CMSASN1] | |||
| -- | -- | |||
| SMimeCaps SMIME-CAPS ::= | SMimeCaps SMIME-CAPS ::= | |||
| { sa-HSS-LMS-HashSig.&smimeCaps, ... } | { sa-HSS-LMS-HashSig.&smimeCaps, ... } | |||
| END | END | |||
| Acknowledgements | ||||
| Many thanks to Scott Fluhrer, Jonathan Hammell, Panos Kampanakis, Jim | ||||
| Schaad, Sean Turner, and Daniel Van Geest for their careful review | ||||
| and comments. | ||||
| Author's Address | Author's Address | |||
| Russ Housley | Russ Housley | |||
| Vigil Security, LLC | Vigil Security, LLC | |||
| 516 Dranesville Road | 516 Dranesville Road | |||
| Herndon, VA 20170 | Herndon, VA 20170 | |||
| USA | USA | |||
| EMail: housley@vigilsec.com | EMail: housley@vigilsec.com | |||
| End of changes. 15 change blocks. | ||||
| 31 lines changed or deleted | 25 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||