| draft-ietf-lamps-cms-shakes-02.txt | draft-ietf-lamps-cms-shakes-03.txt | |||
|---|---|---|---|---|
| LAMPS WG Q. Dang | LAMPS WG Q. Dang | |||
| Internet-Draft NIST | Internet-Draft NIST | |||
| Intended status: Standards Track P. Kampanakis | Intended status: Standards Track P. Kampanakis | |||
| Expires: April 25, 2019 Cisco Systems | Expires: May 29, 2019 Cisco Systems | |||
| October 22, 2018 | November 25, 2018 | |||
| Use of the SHAKE One-way Hash Functions in the Cryptographic Message | Use of the SHAKE One-way Hash Functions in the Cryptographic Message | |||
| Syntax (CMS) | Syntax (CMS) | |||
| draft-ietf-lamps-cms-shakes-02 | draft-ietf-lamps-cms-shakes-03 | |||
| Abstract | Abstract | |||
| This document describes the conventions for using the SHAKE family of | This document describes the conventions for using the SHAKE family of | |||
| hash functions with the Cryptographic Message Syntax (CMS). | hash functions with the Cryptographic Message Syntax (CMS) as one-way | |||
| hash functions with the RSA Probabilistic signature and ECDSA | ||||
| signature algorithms, as message digests and message authentication | ||||
| codes. The conventions for the associated signer public keys in CMS | ||||
| are also described. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 25, 2019. | This Internet-Draft will expire on May 29, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 5 | 4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 5 | 4.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.2.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 6 | 4.2.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 6 | |||
| 4.2.2. Deterministic ECDSA Signatures . . . . . . . . . . . 6 | 4.2.2. Deterministic ECDSA Signatures . . . . . . . . . . . 7 | |||
| 4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 7 | 4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.3.1. RSASSA-PSS Public Keys . . . . . . . . . . . . . . . 7 | 4.3.1. RSASSA-PSS Public Keys . . . . . . . . . . . . . . . 7 | |||
| 4.3.2. ECDSA Public Keys . . . . . . . . . . . . . . . . . . 8 | 4.3.2. ECDSA Public Keys . . . . . . . . . . . . . . . . . . 8 | |||
| 4.4. Message Authentication Codes . . . . . . . . . . . . . . 8 | 4.4. Message Authentication Codes . . . . . . . . . . . . . . 8 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 11 | 8.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 12 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 11 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 1. Change Log | 1. Change Log | |||
| [ EDNOTE: Remove this section before publication. ] | [ EDNOTE: Remove this section before publication. ] | |||
| o draft-ietf-lamps-cms-shake-03: | ||||
| * Removed paragraph suggesting KMAC to be used in generating k in | ||||
| Deterministric ECDSA. That should be RFC6979-bis. | ||||
| * Removed paragraph from Security Considerations that talks about | ||||
| randomness of k because we are using deterministric ECDSA. | ||||
| * Completed ASN.1 module and fixed KMAC ASN.1 based on Jim's | ||||
| feedback. | ||||
| * Text fixes. | ||||
| o draft-ietf-lamps-cms-shake-02: | o draft-ietf-lamps-cms-shake-02: | |||
| * Updates based on suggestions and clarifications by Jim. | * Updates based on suggestions and clarifications by Jim. | |||
| * Started ASN.1 module. | * Started ASN.1 module. | |||
| o draft-ietf-lamps-cms-shake-01: | o draft-ietf-lamps-cms-shake-01: | |||
| * Significant reorganization of the sections to simplify the | * Significant reorganization of the sections to simplify the | |||
| introduction, the new OIDs and their use in CMS. | introduction, the new OIDs and their use in CMS. | |||
| skipping to change at page 3, line 23 ¶ | skipping to change at page 3, line 40 ¶ | |||
| 2. Introduction | 2. Introduction | |||
| The Cryptographic Message Syntax (CMS) [RFC5652] is used to digitally | The Cryptographic Message Syntax (CMS) [RFC5652] is used to digitally | |||
| sign, digest, authenticate, or encrypt arbitrary message contents. | sign, digest, authenticate, or encrypt arbitrary message contents. | |||
| This specification describes the use of the SHAKE128 and SHAKE256 | This specification describes the use of the SHAKE128 and SHAKE256 | |||
| specified in [SHA3] as new hash functions in CMS. In addition, it | specified in [SHA3] as new hash functions in CMS. In addition, it | |||
| describes the use of these functions with the RSASSA-PSS signature | describes the use of these functions with the RSASSA-PSS signature | |||
| algorithm [RFC8017] and the Elliptic Curve Digital Signature | algorithm [RFC8017] and the Elliptic Curve Digital Signature | |||
| Algorithm (ECDSA) [X9.62] with the CMS signed-data content type. | Algorithm (ECDSA) [X9.62] with the CMS signed-data content type. | |||
| The SHA-3 family of one-way hash functions is specified in [SHA3]. | In the SHA-3 family, two extendable-output functions (SHAKEs), | |||
| In the SHA-3 family, two extendable-output functions (SHAKEs): | ||||
| SHAKE128 and SHAKE256, are defined. Four other hash function | SHAKE128 and SHAKE256, are defined. Four other hash function | |||
| instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512 are also | instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512 are also | |||
| defined but are out of scope for this document. A SHAKE is a | defined but are out of scope for this document. A SHAKE is a | |||
| variable length hash function. The output length, in bits, of a | variable length hash function. The output length, in bits, of a | |||
| SHAKE is defined by the d parameter. The corresponding collision and | SHAKE is defined by the d parameter. The corresponding collision and | |||
| second preimage resistance strengths for SHAKE128 are min(d/2,128) | second preimage resistance strengths for SHAKE128 are min(d/2,128) | |||
| and min(d,128) bits respectively. And, the corresponding collision | and min(d,128) bits respectively. And, the corresponding collision | |||
| and second preimage resistance strengths for SHAKE256 are | and second preimage resistance strengths for SHAKE256 are | |||
| min(d/2,256) and min(d,256) bits respectively. | min(d/2,256) and min(d,256) bits respectively. | |||
| A SHAKE can be used in CMS as the message digest function (to hash | A SHAKE can be used in CMS as the message digest function (to hash | |||
| the message to be signed) in RSASSA-PSS and deterministic ECDSA, | the message to be signed) in RSASSA-PSS and deterministic ECDSA, | |||
| message authentication code and as the mask generating function in | message authentication code and as the mask generating function in | |||
| RSASSA-PSS. In Section 3 of this document we define six new OIDs | RSASSA-PSS. This specification describes the identifiers for SHAKEs | |||
| using SHAKE128 and SHAKE256 in CMS. | to be used in CMS and their meaning. | |||
| 2.1. Terminology | 2.1. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 3. Identifiers | 3. Identifiers | |||
| The object identifiers for SHAKE128 and SHAKE256 hash functions are | This section defines six new OIDs for using SHAKE128 and SHAKE256 in | |||
| CMS. | ||||
| EDNOTE: If PKIX draft is standardized first maybe we should not say | ||||
| the identifiers are new for the RSASSA-PSS and ECDSA. | ||||
| Two object identifiers for SHAKE128 and SHAKE256 hash functions are | ||||
| defined in [shake-nist-oids] and we include them here for | defined in [shake-nist-oids] and we include them here for | |||
| convenience. | convenience. | |||
| id-shake128-len OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-shake128-len OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
| country(16) us(840) organization(1) gov(101) csor(3) | country(16) us(840) organization(1) gov(101) csor(3) | |||
| nistAlgorithm(4) 2 17 } | nistAlgorithm(4) 2 17 } | |||
| id-shake256-len OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-shake256-len OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
| country(16) us(840) organization(1) gov(101) csor(3) | country(16) us(840) organization(1) gov(101) csor(3) | |||
| nistAlgorithm(4) 2 18 } | nistAlgorithm(4) 2 18 } | |||
| In this specification, when using the id-shake128-len or id- | In this specification, when using the id-shake128-len or id- | |||
| shake256-len algorithm identifiers, the parameters MUST be absent. | shake256-len algorithm identifiers, the parameters MUST be absent. | |||
| That is, the identifier SHALL be a SEQUENCE of one component, the | That is, the identifier SHALL be a SEQUENCE of one component, the | |||
| OID. | OID. | |||
| The new identifiers for RSASSA-PSS signatures using SHAKEs are below. | We define two new identifiers for RSASSA-PSS signatures using SHAKEs. | |||
| id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { TBD } | id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { TBD } | |||
| id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { TBD } | id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { TBD } | |||
| [ EDNOTE: "TBD" will be specified by NIST later. ] | [ EDNOTE: "TBD" will be specified by NIST later. ] | |||
| The new algorithm identifiers of ECDSA signatures using SHAKEs are | The same RSASSA-PSS algorithm identifiers can be used for identifying | |||
| below. | public keys and signatures. | |||
| We define two new algorithm identifiers of ECDSA signatures using | ||||
| SHAKEs. | ||||
| id-ecdsa-with-SHAKE128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-ecdsa-with-SHAKE128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
| country(16) us(840) organization(1) gov(101) csor(3) | country(16) us(840) organization(1) gov(101) csor(3) | |||
| nistAlgorithm(4) 3 TBD } | nistAlgorithm(4) 3 TBD } | |||
| id-ecdsa-with-SHAKE256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-ecdsa-with-SHAKE256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
| country(16) us(840) organization(1) gov(101) csor(3) | country(16) us(840) organization(1) gov(101) csor(3) | |||
| nistAlgorithm(4) 3 TBD } | nistAlgorithm(4) 3 TBD } | |||
| [ EDNOTE: "TBD" will be specified by NIST. ] | [ EDNOTE: "TBD" will be specified by NIST. ] | |||
| The same RSASSA-PSS and deterministric ECDSA with SHAKEs algorithm | ||||
| identifiers are used for identifying public keys and signatures. | ||||
| The parameters for the four RSASSA-PSS and deterministic ECDSA | The parameters for the four RSASSA-PSS and deterministic ECDSA | |||
| identifiers MUST be absent. That is, each identifier SHALL be a | identifiers MUST be absent. That is, each identifier SHALL be a | |||
| SEQUENCE of one component, the OID. | SEQUENCE of one component, the OID. | |||
| The new object identifiers for KMACs using SHAKE128 and SHAKE256 are | Two new object identifiers for KMACs using SHAKE128 and SHAKE256 are | |||
| below. | define elow. | |||
| id-KmacWithSHAKE128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-KmacWithSHAKE128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
| country(16) us(840) organization(1) gov(101) csor(3) | country(16) us(840) organization(1) gov(101) csor(3) | |||
| nistAlgorithm(4) 2 TBD } | nistAlgorithm(4) 2 19 } | |||
| id-KmacWithSHAKE256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-KmacWithSHAKE256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
| country(16) us(840) organization(1) gov(101) csor(3) | country(16) us(840) organization(1) gov(101) csor(3) | |||
| nistAlgorithm(4) 2 TBD } | nistAlgorithm(4) 2 20 } | |||
| EDNOTE: "TBD" will be specified by NIST. | ||||
| The parameters for id-KmacWithSHAKE128 and id-KmacWithSHAKE256 MUST | The parameters for id-KmacWithSHAKE128 and id-KmacWithSHAKE256 MUST | |||
| be absent. That is, each identifier SHALL be a SEQUENCE of one | be absent. That is, each identifier SHALL be a SEQUENCE of one | |||
| component, the OID. | component, the OID. | |||
| Section 4.1, Section 4.2.1, Section 4.2.2 and Section 4.4 specify the | Section 4.1, Section 4.2.1, Section 4.2.2 and Section 4.4 specify the | |||
| required output length for each use of SHAKE128 or SHAKE256 in | required output length for each use of SHAKE128 or SHAKE256 in | |||
| message digests, RSASSA-PSS, determinstic ECDSA and KMAC. | message digests, RSASSA-PSS, determinstic ECDSA and KMAC. | |||
| 4. Use in CMS | 4. Use in CMS | |||
| skipping to change at page 5, line 37 ¶ | skipping to change at page 6, line 4 ¶ | |||
| The id-shake128-len and id-shake256-len OIDs (Section 3) can be used | The id-shake128-len and id-shake256-len OIDs (Section 3) can be used | |||
| as the digest algorithm identifiers located in the SignedData, | as the digest algorithm identifiers located in the SignedData, | |||
| SignerInfo, DigestedData, and the AuthenticatedData digestAlgorithm | SignerInfo, DigestedData, and the AuthenticatedData digestAlgorithm | |||
| fields in CMS [RFC5652]. The encoding MUST omit the parameters field | fields in CMS [RFC5652]. The encoding MUST omit the parameters field | |||
| and the output size, d, for the SHAKE128 or SHAKE256 message digest | and the output size, d, for the SHAKE128 or SHAKE256 message digest | |||
| MUST be 256 or 512 bits respectively. | MUST be 256 or 512 bits respectively. | |||
| The digest values are located in the DigestedData field and the | The digest values are located in the DigestedData field and the | |||
| Message Digest authenticated attribute included in the | Message Digest authenticated attribute included in the | |||
| signedAttributes of the SignedData signerInfo. In addition, digest | signedAttributes of the SignedData signerInfo. In addition, digest | |||
| values are input to signature algorithms. | values are input to signature algorithms. The digest algorithm MUST | |||
| be the same as the message hash algorithms used in signatures. | ||||
| 4.2. Signatures | 4.2. Signatures | |||
| In CMS, signature algorithm identifiers are located in the SignerInfo | In CMS, signature algorithm identifiers are located in the SignerInfo | |||
| signatureAlgorithm field of SignedData content type and | signatureAlgorithm field of SignedData content type and | |||
| countersignature attribute. Signature values are located in the | countersignature attribute. Signature values are located in the | |||
| SignerInfo signature field of SignedData and countersignature. | SignerInfo signature field of SignedData and countersignature. | |||
| Conforming implementations that process RSASSA-PSS and deterministic | Conforming implementations that process RSASSA-PSS and deterministic | |||
| ECDSA with SHAKE signatures when processing CMS data MUST recognize | ECDSA with SHAKE signatures when processing CMS data MUST recognize | |||
| the corresponding OIDs specified in Section 3. | the corresponding OIDs specified in Section 3. | |||
| 4.2.1. RSASSA-PSS Signatures | 4.2.1. RSASSA-PSS Signatures | |||
| The RSASSA-PSS algorithm is defined in [RFC8017]. When id-RSASSA- | The RSASSA-PSS algorithm is defined in [RFC8017]. When id-RSASSA- | |||
| PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in Section 3 is | PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in Section 3 is | |||
| used, the encoding MUST omit the parameters field. That is, the | used, the encoding MUST omit the parameters field. That is, the | |||
| AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA- | AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA- | |||
| PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. | PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. | |||
| The hash algorithm to hash a message being signed and the hash | The hash algorithm to hash a message being signed and the hash and | |||
| algorithm as the mask generation function "MGF(H, emLen - hLen - 1)" | the hash algorithm as the mask generation function used in RSASSA-PSS | |||
| [RFC8017] used in RSASSA-PSS MUST be the same, SHAKE128 or SHAKE256 | MUST be the same, SHAKE128 or SHAKE256 respectively. The output- | |||
| respectively. The output-length of the SHAKE which hashes the | length of the hash algorithm which hashes the message SHALL be 32 or | |||
| message SHALL be 32 or 64 bytes respectively. | 64 bytes respectively. | |||
| In RSASSA-PSS, a mask generation function takes an octet string of | ||||
| variable length and a desired output length as input, and outputs an | ||||
| octet string of the desired length. In RSASSA-PSS with SHAKES, the | ||||
| SHAKEs MUST be used natively as the MGF, instead of the MGF1 | ||||
| algorithm that uses the hash function in multiple iterations as | ||||
| specified in Section B.2.1 of [RFC8017]. In other words, the MGF is | ||||
| defined as | ||||
| SHAKE128(mgfSeed, maskLen) | ||||
| and | ||||
| SHA256(mgfSeed, maskLen) | ||||
| respectively for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256. | The mask generation function takes an octet string of variable length | |||
| The mgfSeed is the seed from which mask is generated, an octet | and a desired output length as input, and outputs an octet string of | |||
| string. The maskLen for SHAKE128 or SHAKE256 being used as the MGF | the desired length. In RSASSA-PSS with SHAKES, the SHAKEs MUST be | |||
| is (n - 264)/8 or (n - 520)/8 bytes respectively, where n is the RSA | used natively as the MGF function, instead of the MGF1 algorithm that | |||
| modulus in bits. For example, when RSA modulus n is 2048, the output | uses the hash function in multiple iterations as specified in | |||
| length of SHAKE128 or SHAKE256 as the MGF will be 223 or 191 bytes | Section B.2.1 of [RFC8017]. In other words, the MGF is defined as | |||
| when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 is used | the SHAKE128 or SHAKE256 output of the mgfSeed for id-RSASSA-PSS- | |||
| respectively. | SHAKE128 and id-RSASSA-PSS-SHAKE256 respectively. The mgfSeed is the | |||
| seed from which mask is generated, an octet string [RFC8017]. The | ||||
| output length is (n - 264)/8 or (n - 520)/8 bytes respectively, where | ||||
| n is the RSA modulus in bits. For example, when RSA modulus n is | ||||
| 2048, the output length of SHAKE128 or SHAKE256 as the MGF will be | ||||
| 223 or 191-bits when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 | ||||
| is used respectively. | ||||
| The RSASSA-PSS saltLength MUST be 32 or 64 bytes respectively. | The RSASSA-PSS saltLength MUST be 32 or 64 bytes respectively. | |||
| Finally, the trailerField MUST be 1, which represents the trailer | Finally, the trailerField MUST be 1, which represents the trailer | |||
| field with hexadecimal value 0xBC [RFC8017]. | field with hexadecimal value 0xBC [RFC8017]. | |||
| 4.2.2. Deterministic ECDSA Signatures | 4.2.2. Deterministic ECDSA Signatures | |||
| The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | |||
| [X9.62]. When the id-ecdsa-with-SHAKE128 or id-ecdsa-with-SHAKE256 | [X9.62]. When the id-ecdsa-with-SHAKE128 or id-ecdsa-with-SHAKE256 | |||
| (specified in Section 3) algorithm identifier appears, the respective | (specified in Section 3) algorithm identifier appears, the respective | |||
| SHAKE function is used as the hash. The encoding MUST omit the | SHAKE function is used as the hash. The encoding MUST omit the | |||
| parameters field. That is, the AlgorithmIdentifier SHALL be a | parameters field. That is, the AlgorithmIdentifier SHALL be a | |||
| SEQUENCE of one component, the OID id-ecdsa-with-SHAKE128 or id- | SEQUENCE of one component, the OID id-ecdsa-with-SHAKE128 or id- | |||
| ecdsa-with-SHAKE256. | ecdsa-with-SHAKE256. | |||
| For simplicity and compliance with the ECDSA standard specification, | For simplicity and compliance with the ECDSA standard specification, | |||
| the output size of the hash function must be explicitly determined. | the output size of the hash function must be explicitly determined. | |||
| The output size, d, for SHAKE128 or SHAKE256 used in ECDSA MUST be | The output size, d, for SHAKE128 or SHAKE256 used in ECDSA MUST be | |||
| 256 or 512 bits respectively. The ECDSA message hash function is | 256 or 512 bits respectively. | |||
| SHAKE128 or SHAKE256 respectively. | ||||
| Conforming implementations that generate ECDSA with SHAKE signatures | Conforming implementations that generate ECDSA with SHAKE signatures | |||
| in CMS MUST generate such signatures with a deterministicly | in CMS MUST generate such signatures with a deterministicly | |||
| generated, non-random k in accordance with all the requirements | generated, non-random k in accordance with all the requirements | |||
| specified in [RFC6979]. They MAY also generate such signatures in | specified in [RFC6979]. They MAY also generate such signatures in | |||
| accordance with all other recommendations in [X9.62] or [SEC1] if | accordance with all other recommendations in [X9.62] or [SEC1] if | |||
| they have a stated policy that requires conformance to these | they have a stated policy that requires conformance to these | |||
| standards. | standards. | |||
| In Section 3.2 "Generation of k" of [RFC6979], HMAC is used to derive | ||||
| the deterministic k. Conforming implementations that generate | ||||
| deterministic ECDSA with SHAKE signatures in X.509 MUST use KMAC with | ||||
| SHAKE128 or KMAC with SHAKE256 as specfied in [SP800-185] when | ||||
| SHAKE128 or SHAKE256 is used as the message hashing algorithm, | ||||
| respectively. In this situation, KMAC with SHAKE128 and KMAC with | ||||
| SHAKE256 have 256-bit and 512-bit outputs respectively, and the | ||||
| optional customization bit string S is an empty string. | ||||
| 4.3. Public Keys | 4.3. Public Keys | |||
| In CMS, the signer's public key algorithm identifiers are located in | In CMS, the signer's public key algorithm identifiers are located in | |||
| the OriginatorPublicKey's algorithm attribute. | the OriginatorPublicKey's algorithm attribute. | |||
| Conforming implementations MUST specify the algorithms explicitly by | Conforming implementations MUST specify the algorithms explicitly by | |||
| using the OIDs specified in Section 3 when encoding RSASSA-PSS and | using the OIDs specified in Section 3 when encoding RSASSA-PSS and | |||
| ECDSA with SHAKE public keys in CMS messages. The conventions for | ECDSA with SHAKE public keys in CMS messages. The conventions for | |||
| RSASSA-PSS and ECDSA public keys algorithm identifiers are as | RSASSA-PSS and ECDSA public keys algorithm identifiers are as | |||
| specified in [RFC3279], [RFC4055] and [RFC5480] , but we include them | specified in [RFC3279], [RFC4055] and [RFC5480] , but we include them | |||
| skipping to change at page 8, line 21 ¶ | skipping to change at page 8, line 19 ¶ | |||
| MUST be encoded using the RSAPublicKey type [RFC4055]. The output of | MUST be encoded using the RSAPublicKey type [RFC4055]. The output of | |||
| this encoding is carried in the CMS publicKey bit string. | this encoding is carried in the CMS publicKey bit string. | |||
| RSAPublicKey ::= SEQUENCE { | RSAPublicKey ::= SEQUENCE { | |||
| modulus INTEGER, -- n | modulus INTEGER, -- n | |||
| publicExponent INTEGER -- e | publicExponent INTEGER -- e | |||
| } | } | |||
| 4.3.2. ECDSA Public Keys | 4.3.2. ECDSA Public Keys | |||
| When id-ecdsa-with-shake128 or id-ecdsa-with-shake256 are used as the | For ECDSA, the mandatory EC SubjectPublicKey is defined in | |||
| algorithm identitifier in the public key, the parameters, as | ||||
| explained in Section 3, MUST be absent. The hash function and its | ||||
| output-length are the same as in Section 4.2.2. | ||||
| Additionally, the mandatory EC SubjectPublicKey is defined in | ||||
| Section 2.1.1 and its syntax in Section 2.2 of [RFC5480]. We also | Section 2.1.1 and its syntax in Section 2.2 of [RFC5480]. We also | |||
| include them here for convenience: | include them here for convenience: | |||
| id-ecPublicKey OBJECT IDENTIFIER ::= { | id-ecPublicKey OBJECT IDENTIFIER ::= { | |||
| iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } | iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } | |||
| ECParameters ::= CHOICE { | ECParameters ::= CHOICE { | |||
| namedCurve OBJECT IDENTIFIER | namedCurve OBJECT IDENTIFIER | |||
| -- implicitCurve NULL | -- implicitCurve NULL | |||
| -- specifiedCurve SpecifiedECDomain | -- specifiedCurve SpecifiedECDomain | |||
| skipping to change at page 8, line 50 ¶ | skipping to change at page 8, line 43 ¶ | |||
| certificate SHALL apply to the verification of the signature. | certificate SHALL apply to the verification of the signature. | |||
| 4.4. Message Authentication Codes | 4.4. Message Authentication Codes | |||
| KMAC message authentication code (KMAC) is specified in [SP800-185]. | KMAC message authentication code (KMAC) is specified in [SP800-185]. | |||
| In CMS, KMAC algorithm identifiers are located in the | In CMS, KMAC algorithm identifiers are located in the | |||
| AuthenticatedData macAlgorithm field. The KMAC values are located in | AuthenticatedData macAlgorithm field. The KMAC values are located in | |||
| the AuthenticatedData mac field. | the AuthenticatedData mac field. | |||
| When the id-KmacWithSHAKE128 or id-KmacWithSHAKE256 algorithm | When the id-KmacWithSHAKE128 or id-KmacWithSHAKE256 algorithm | |||
| identifier is used as the KMAC algorithm identifier, the parameters | identifier is used as the MAC algorithm identifier, the parameters | |||
| field MUST be absent. | field is optional (absent or present). If absent, the SHAKE256 | |||
| output length used in KMAC is 256 or 512 bits respectively and the | ||||
| customization string is an empty string by default. | ||||
| Conforming implementations that process KMACs with the SHAKEs when | Conforming implementations that process KMACs with the SHAKEs when | |||
| processing CMS data MUST recognize these identifiers. | processing CMS data MUST recognize these identifiers. | |||
| When calculating the KMAC output, the variable N is 0xD2B282C2, S is | When calculating the KMAC output, the variable N is 0xD2B282C2, S is | |||
| an empty string, and L, the integer representing the requested output | an empty string, and L, the integer representing the requested output | |||
| length in bits, is 256 or 512 for KmacWithSHAKE128 or | length in bits, is 256 or 512 for KmacWithSHAKE128 or | |||
| KmacWithSHAKE256 respectively in this specification. | KmacWithSHAKE256 respectively in this specification. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| [ EDNOTE: Update here only if there are OID allocations by IANA. ] | [ EDNOTE: Update here only if there are OID allocations by IANA. ] | |||
| This document has no IANA actions. | This document has no IANA actions. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| SHAKE128 and SHAKE256 are one-way extensible-output functions. Their | ||||
| output length depends on a required length of the consuming | ||||
| application. | ||||
| The SHAKEs are deterministic functions. Like any other deterministic | The SHAKEs are deterministic functions. Like any other deterministic | |||
| functions, executing each function with the same input multiple times | function, executing each function with the same input multiple times | |||
| will produce the same output. Therefore, users should not expect | will produce the same output. Therefore, users should not expect | |||
| unrelated outputs (with the same or different output lengths) from | unrelated outputs (with the same or different output lengths) from | |||
| excuting a SHAKE function with the same input multiple times. The | excuting a SHAKE function with the same input multiple times. The | |||
| shorter one of any 2 outputs produced from a SHAKE with the same | shorter one of any 2 outputs produced from a SHAKE with the same | |||
| input is a prefix of the longer one. It is a similar situation as | input is a prefix of the longer one. It is a similar situation as | |||
| truncating a 512-bit output of SHA-512 by taking its 256 left-most | truncating a 512-bit output of SHA-512 by taking its 256 left-most | |||
| bits. These 256 left-most bits are a prefix of the 512-bit output. | bits. These 256 left-most bits are a prefix of the 512-bit output. | |||
| Implementations must protect the signer's private key. Compromise of | Implementations must protect the signer's private key. Compromise of | |||
| the signer's private key permits masquerade. | the signer's private key permits masquerade. | |||
| When more than two parties share the same message-authentication key, | When more than two parties share the same message-authentication key, | |||
| data origin authentication is not provided. Any party that knows the | data origin authentication is not provided. Any party that knows the | |||
| message-authentication key can compute a valid MAC, therefore the | message-authentication key can compute a valid MAC, therefore the | |||
| content could originate from any one of the parties. | content could originate from any one of the parties. | |||
| Implementations must randomly generate message-authentication keys | ||||
| and one-time values, such as the k value when generating a ECDSA | ||||
| signature. In addition, the generation of public/private key pairs | ||||
| relies on random numbers. The use of inadequate pseudo-random number | ||||
| generators (PRNGs) to generate such cryptographic values can result | ||||
| in little or no security. The generation of quality random numbers | ||||
| is difficult. [RFC4086] offers important guidance in this area, and | ||||
| [SP800-90A] series provide acceptable PRNGs. | ||||
| Implementers should be aware that cryptographic algorithms may become | Implementers should be aware that cryptographic algorithms may become | |||
| weaker with time. As new cryptanalysis techniques are developed and | weaker with time. As new cryptanalysis techniques are developed and | |||
| computing power increases, the work factor or time required to break | computing power increases, the work factor or time required to break | |||
| a particular cryptographic algorithm may decrease. Therefore, | a particular cryptographic algorithm may decrease. Therefore, | |||
| cryptographic algorithm implementations should be modular allowing | cryptographic algorithm implementations should be modular allowing | |||
| new algorithms to be readily inserted. That is, implementers should | new algorithms to be readily inserted. That is, implementers should | |||
| be prepared to regularly update the set of algorithms in their | be prepared to regularly update the set of algorithms in their | |||
| implementations. | implementations. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| skipping to change at page 11, line 30 ¶ | skipping to change at page 11, line 11 ¶ | |||
| Housley, R., "Use of the SHA3 One-way Hash Functions in | Housley, R., "Use of the SHA3 One-way Hash Functions in | |||
| the Cryptographic Message Syntax (CMS)", draft-housley- | the Cryptographic Message Syntax (CMS)", draft-housley- | |||
| lamps-cms-sha3-hash-00 (work in progress), March 2017. | lamps-cms-sha3-hash-00 (work in progress), March 2017. | |||
| [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | |||
| Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | |||
| 2002, <https://www.rfc-editor.org/info/rfc3279>. | 2002, <https://www.rfc-editor.org/info/rfc3279>. | |||
| [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | ||||
| "Randomness Requirements for Security", BCP 106, RFC 4086, | ||||
| DOI 10.17487/RFC4086, June 2005, | ||||
| <https://www.rfc-editor.org/info/rfc4086>. | ||||
| [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature | [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature | |||
| Algorithm (DSA) and Elliptic Curve Digital Signature | Algorithm (DSA) and Elliptic Curve Digital Signature | |||
| Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August | Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August | |||
| 2013, <https://www.rfc-editor.org/info/rfc6979>. | 2013, <https://www.rfc-editor.org/info/rfc6979>. | |||
| [SEC1] Standards for Efficient Cryptography Group, "SEC 1: | [SEC1] Standards for Efficient Cryptography Group, "SEC 1: | |||
| Elliptic Curve Cryptography", May 2009, | Elliptic Curve Cryptography", May 2009, | |||
| <http://www.secg.org/sec1-v2.pdf>. | <http://www.secg.org/sec1-v2.pdf>. | |||
| [shake-nist-oids] | [shake-nist-oids] | |||
| National Institute of Standards and Technology, "Computer | National Institute of Standards and Technology, "Computer | |||
| Security Objects Register", October 2017, | Security Objects Register", October 2017, | |||
| <https://csrc.nist.gov/Projects/Computer-Security-Objects- | <https://csrc.nist.gov/Projects/Computer-Security-Objects- | |||
| Register/Algorithm-Registration>. | Register/Algorithm-Registration>. | |||
| [SP800-90A] | ||||
| National Institute of Standards and Technology, | ||||
| "Recommendation for Random Number Generation Using | ||||
| Deterministic Random Bit Generators. NIST SP 800-90A", | ||||
| June 2015, | ||||
| <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | ||||
| NIST.SP.800-90Ar1.pdf>. | ||||
| [X9.62] American National Standard for Financial Services (ANSI), | [X9.62] American National Standard for Financial Services (ANSI), | |||
| "X9.62-2005 Public Key Cryptography for the Financial | "X9.62-2005 Public Key Cryptography for the Financial | |||
| Services Industry: The Elliptic Curve Digital Signature | Services Industry: The Elliptic Curve Digital Signature | |||
| Standard (ECDSA)", November 2005. | Standard (ECDSA)", November 2005. | |||
| Appendix A. ASN.1 Module | Appendix A. ASN.1 Module | |||
| [EDNOTE: Update. TBD. ] | This appendix includes the ASN.1 modules for SHAKEs in CMS. This | |||
| module includes some ASN.1 from other standards for reference. | ||||
| PKIXAlgsForSHAKE-2018 { iso(1) identified-organization(3) dod(6) | CMSAlgsForSHAKE-2018 { { iso(1) member-body(2) us(840) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) | |||
| id-mod-cms-shakes-2018(TBD) } | id-mod-cms-shakes(TBD) } | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| -- EXPORTS ALL; | -- EXPORTS ALL; | |||
| IMPORTS | IMPORTS | |||
| -- FROM [RFC6268] | DIGEST-ALGORITHM, MAC-ALGORITHM, SMIME-CAPS | |||
| FROM AlgorithmInformation-2009 | ||||
| { iso(1) identified-organization(3) dod(6) internet(1) security(5) | ||||
| mechanisms(5) pkix(7) id-mod(0) | ||||
| id-mod-algorithmInformation-02(58) } | ||||
| RSAPublicKey, rsaEncryption, id-ecPublicKey | ||||
| FROM PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) | ||||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | ||||
| id-mod-pkix1-algorithms2008-02(56) } | ||||
| -- | ||||
| -- Message Digest Algorithms (mda-) | ||||
| -- used in SignedData, SignerInfo, DigestedData, | ||||
| -- and the AuthenticatedData digestAlgorithm | ||||
| -- fields in CMS | ||||
| -- | ||||
| digestAlgorithms DIGEST-ALGORITHM ::= { | ||||
| ... | ||||
| -- This expands MessageAuthAlgs from [RFC5652] | ||||
| -- and MessageDigestAlgs in [RFC5753] | ||||
| mda-shake128 | | ||||
| mda-shake256, | ||||
| ... | ||||
| } | ||||
| -- | -- | |||
| -- One-Way Hash Functions | -- One-Way Hash Functions | |||
| -- SHAKE128 | -- SHAKE128 | |||
| mda-shake128 DIGEST-ALGORITHM ::= { | mda-shake128 DIGEST-ALGORITHM ::= { | |||
| IDENTIFIER id-shake128 -- with output length 32 bytes. | IDENTIFIER id-shake128 -- with output length 32 bytes. | |||
| } | } | |||
| id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | |||
| us(840) organization(1) gov(101) | us(840) organization(1) gov(101) | |||
| csor(3) nistAlgorithm(4) | csor(3) nistAlgorithm(4) | |||
| hashAlgs(2) 11 } | hashAlgs(2) 11 } | |||
| -- SHAKE-256 | -- SHAKE-256 | |||
| mda-shake256 DIGEST-ALGORITHM ::= { | mda-shake256 DIGEST-ALGORITHM ::= { | |||
| IDENTIFIER id-shake256 -- with output length 64 bytes. | IDENTIFIER id-shake256 -- with output length 64 bytes. | |||
| } | } | |||
| id-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | id-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | |||
| us(840) organization(1) gov(101) | us(840) organization(1) gov(101) | |||
| csor(3) nistAlgorithm(4) | csor(3) nistAlgorithm(4) | |||
| hashAlgs(2) 12 } | hashAlgs(2) 12 } | |||
| -- | ||||
| -- Public key algorithm identifiers located in the | ||||
| -- OriginatorPublicKey's algorithm attribute in CMS. | ||||
| -- And Signature identifiers used in SignerInfo | ||||
| -- signatureAlgorithm field of SignedData content | ||||
| -- type and countersignature attribute in CMS. | ||||
| -- | ||||
| -- From RFC5280, for reference. | ||||
| -- rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } | ||||
| -- When the rsaEncryption algorithm identifier is used | ||||
| -- for a public key, the AlgorithmIdentifier parameters | ||||
| -- field MUST contain NULL. | ||||
| -- | ||||
| id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { TBD } | ||||
| id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { TBD } | ||||
| -- When the id-RSASSA-PSS-* algorithm identifiers are used | ||||
| -- for a public key or a signature in CMS, the AlgorithmIdentifier | ||||
| -- parameters field MUST be absent. The message digest algorithm | ||||
| -- used in RSASSA-PSS MUST be SHAKE128 or SHAKE256 with a 32 or | ||||
| -- 64 byte outout length respectively. The mask generating | ||||
| -- function MUST be SHAKE128 or SHAKE256 with an output length | ||||
| -- of (n - 264)/8 or (n - 520)/8 bytes respectively, where n | ||||
| -- is the RSA modulus in bits. The RSASSA-PSS saltLength MUST | ||||
| -- be 32 or 64 bytes respectively. In both cases, the RSA | ||||
| -- public key, MUST be encoded using the RSAPublicKey type. | ||||
| -- From RFC4055, for reference. | ||||
| -- RSAPublicKey ::= SEQUENCE { | ||||
| -- modulus INTEGER, -- n | ||||
| -- publicExponent INTEGER } -- e | ||||
| id-ecdsa-with-shake128 ::= { joint-iso-itu-t(2) country(16) | ||||
| us(840) organization(1) gov(101) | ||||
| csor(3) nistAlgorithm(4) | ||||
| sigAlgs(3) TBD } | ||||
| id-ecdsa-with-shake256 ::= { joint-iso-itu-t(2) country(16) | ||||
| us(840) organization(1) gov(101) | ||||
| csor(3) nistAlgorithm(4) | ||||
| sigAlgs(3) TBD } | ||||
| -- When the id-ecdsa-with-shake* algorithm identifiers are | ||||
| -- used in CMS, the AlgorithmIdentifier parameters field | ||||
| -- MUST be absent and the signature algorithm should | ||||
| -- Deterministric ECDSA [RFC6979]. The message digest MUST | ||||
| -- be SHAKE128 or SHAKE256 with a 32 or 64 byte outout | ||||
| -- length respectively. In both cases, the ECDSA public key, | ||||
| -- MUST be encoded using the id-ecPublicKey type. | ||||
| -- From RFC5480, for reference. | ||||
| -- id-ecPublicKey OBJECT IDENTIFIER ::= { | ||||
| -- iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } | ||||
| -- The id-ecPublicKey parameters must be absent or present | ||||
| -- and are defined as | ||||
| -- ECParameters ::= CHOICE { | ||||
| -- namedCurve OBJECT IDENTIFIER | ||||
| -- -- implicitCurve NULL | ||||
| -- -- specifiedCurve SpecifiedECDomain | ||||
| -- } | ||||
| -- | ||||
| -- Message Authentication (maca-) Algorithms | ||||
| -- used in AuthenticatedData macAlgorithm in CMS | ||||
| -- | ||||
| MessageAuthAlgs MAC-ALGORITHM ::= { | ||||
| ... | ||||
| -- This expands MessageAuthAlgs from [RFC5652] and [RFC6268] | ||||
| maca-KMACwithSHAKE128 | | ||||
| maca-KMACwithSHAKE256 | ||||
| } | ||||
| SMimeCaps SMIME-CAPS ::= { | ||||
| ... | ||||
| -- The expands SMimeCaps from [RFC5911] | ||||
| maca-KMACwithSHAKE128 | | ||||
| maca-KMACwithSHAKE256 | ||||
| } | ||||
| -- | -- | |||
| -- KMAC Functions | ||||
| -- KMAC with SHAKE128 | -- KMAC with SHAKE128 | |||
| KMACwithSHAKE128 MAC-ALGORITHM ::= { | maca-KMACwithSHAKE128 MAC-ALGORITHM ::= { | |||
| IDENTIFIER id-KMACWithSHAKE128 | IDENTIFIER id-KMACWithSHAKE128 | |||
| PARAMS TYPE KMACwithSHAKE128-params ARE required | PARAMS TYPE KMACwithSHAKE128-params ARE optional | |||
| -- If KMACwithSHAKE128-params parameters are absent | ||||
| -- the SHAKE128 output length used in KMAC is 256 bits | ||||
| -- and the customization string is an empty string. | ||||
| SMIME-CAPS {IDENTIFIED BY id-KMACWithSHAKE128} | ||||
| } | } | |||
| id-KMACWithSHAKE128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-KMACWithSHAKE128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
| country(16) us(840) organization(1) | country(16) us(840) organization(1) | |||
| gov(101) csor(3) nistAlgorithm(4) | gov(101) csor(3) nistAlgorithm(4) | |||
| hashAlgs(2) 19 } | hashAlgs(2) 19 } | |||
| KMACwithSHAKE128-params ::= SEQUENCE { | KMACwithSHAKE128-params ::= SEQUENCE { | |||
| KMACOutputLength INTEGER DEFAULT 256, -- Output length in bits | KMACOutputLength INTEGER DEFAULT 256, -- Output length in bits | |||
| customizationString OCTET STRING DEFAULT '' | customizationString OCTET STRING DEFAULT ''H | |||
| } | } | |||
| -- KMAC with SHAKE256 | -- KMAC with SHAKE256 | |||
| KMACwithSHAKE256 MAC-ALGORITHM ::= { | maca-KMACwithSHAKE256 MAC-ALGORITHM ::= { | |||
| IDENTIFIER id-KMACWithSHAKE256 | IDENTIFIER id-KMACWithSHAKE256 | |||
| PARAMS TYPE KMACwithSHAKE256-params ARE required | PARAMS TYPE KMACwithSHAKE256-params ARE optional | |||
| -- If KMACwithSHAKE256-params parameters are absent | ||||
| -- the SHAKE256 output length used in KMAC is 512 bits | ||||
| -- and the customization string is an empty string. | ||||
| SMIME-CAPS {IDENTIFIED BY id-KMACWithSHAKE256} | ||||
| } | } | |||
| id-KMACWithSHAKE256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-KMACWithSHAKE256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
| country(16) us(840) organization(1) | country(16) us(840) organization(1) | |||
| gov(101) csor(3) nistAlgorithm(4) | gov(101) csor(3) nistAlgorithm(4) | |||
| hashAlgs(2) 20 } | hashAlgs(2) 20 } | |||
| KMACwithSHAKE256-params ::= SEQUENCE { | KMACwithSHAKE256-params ::= SEQUENCE { | |||
| KMACOutputLength INTEGER DEFAULT 512, -- Output length in bits | KMACOutputLength INTEGER DEFAULT 512, -- Output length in bits | |||
| customizationString OCTET STRING DEFAULT '' | customizationString OCTET STRING DEFAULT ''H | |||
| } | } | |||
| END | END | |||
| Authors' Addresses | Authors' Addresses | |||
| Quynh Dang | Quynh Dang | |||
| NIST | NIST | |||
| 100 Bureau Drive | 100 Bureau Drive | |||
| Gaithersburg, MD 20899 | Gaithersburg, MD 20899 | |||
| End of changes. 42 change blocks. | ||||
| 116 lines changed or deleted | 197 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||