--- 1/draft-ietf-lamps-cms-shakes-03.txt 2018-11-29 09:13:14.687838424 -0800 +++ 2/draft-ietf-lamps-cms-shakes-04.txt 2018-11-29 09:13:14.719839196 -0800 @@ -1,20 +1,20 @@ LAMPS WG Q. Dang Internet-Draft NIST Intended status: Standards Track P. Kampanakis -Expires: May 29, 2019 Cisco Systems - November 25, 2018 +Expires: June 2, 2019 Cisco Systems + November 29, 2018 Use of the SHAKE One-way Hash Functions in the Cryptographic Message Syntax (CMS) - draft-ietf-lamps-cms-shakes-03 + draft-ietf-lamps-cms-shakes-04 Abstract This document describes the conventions for using the SHAKE family of hash functions with the Cryptographic Message Syntax (CMS) as one-way hash functions with the RSA Probabilistic signature and ECDSA signature algorithms, as message digests and message authentication codes. The conventions for the associated signer public keys in CMS are also described. @@ -26,21 +26,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on May 29, 2019. + This Internet-Draft will expire on June 2, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -49,42 +49,50 @@ include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 3. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 5 + 4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 6 + 4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 6 4.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 6 4.2.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 6 4.2.2. Deterministic ECDSA Signatures . . . . . . . . . . . 7 4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 7 - 4.3.1. RSASSA-PSS Public Keys . . . . . . . . . . . . . . . 7 - 4.3.2. ECDSA Public Keys . . . . . . . . . . . . . . . . . . 8 4.4. Message Authentication Codes . . . . . . . . . . . . . . 8 - 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 + 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 - 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 + 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 8.2. Informative References . . . . . . . . . . . . . . . . . 10 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 11 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 1. Change Log [ EDNOTE: Remove this section before publication. ] + o draft-ietf-lamps-cms-shake-04: + + * Added RFC8174 reference and text. + + * Explicitly explained why RSASSA-PSS-params are omitted in + section 4.2.1. + + * Simplified Public Keys section by removing redundand info from + RFCs. + o draft-ietf-lamps-cms-shake-03: * Removed paragraph suggesting KMAC to be used in generating k in Deterministric ECDSA. That should be RFC6979-bis. * Removed paragraph from Security Considerations that talks about randomness of k because we are using deterministric ECDSA. * Completed ASN.1 module and fixed KMAC ASN.1 based on Jim's feedback. @@ -143,22 +151,24 @@ A SHAKE can be used in CMS as the message digest function (to hash the message to be signed) in RSASSA-PSS and deterministic ECDSA, message authentication code and as the mask generating function in RSASSA-PSS. This specification describes the identifiers for SHAKEs to be used in CMS and their meaning. 2.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", - "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in [RFC2119]. + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in BCP + 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. 3. Identifiers This section defines six new OIDs for using SHAKE128 and SHAKE256 in CMS. EDNOTE: If PKIX draft is standardized first maybe we should not say the identifiers are new for the RSASSA-PSS and ECDSA. Two object identifiers for SHAKE128 and SHAKE256 hash functions are @@ -252,21 +262,25 @@ Conforming implementations that process RSASSA-PSS and deterministic ECDSA with SHAKE signatures when processing CMS data MUST recognize the corresponding OIDs specified in Section 3. 4.2.1. RSASSA-PSS Signatures The RSASSA-PSS algorithm is defined in [RFC8017]. When id-RSASSA- PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in Section 3 is used, the encoding MUST omit the parameters field. That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA- - PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. + PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. [RFC4055] defines RSASSA- + PSS-params that are used to define the algorithms and inputs to the + algorithm. This specification does not use parameters because the + hash and mask generating algorithsm and trailer and salt are embedded + in the OID definition. The hash algorithm to hash a message being signed and the hash and the hash algorithm as the mask generation function used in RSASSA-PSS MUST be the same, SHAKE128 or SHAKE256 respectively. The output- length of the hash algorithm which hashes the message SHALL be 32 or 64 bytes respectively. The mask generation function takes an octet string of variable length and a desired output length as input, and outputs an octet string of the desired length. In RSASSA-PSS with SHAKES, the SHAKEs MUST be @@ -308,69 +322,34 @@ accordance with all other recommendations in [X9.62] or [SEC1] if they have a stated policy that requires conformance to these standards. 4.3. Public Keys In CMS, the signer's public key algorithm identifiers are located in the OriginatorPublicKey's algorithm attribute. Conforming implementations MUST specify the algorithms explicitly by - using the OIDs specified in Section 3 when encoding RSASSA-PSS and - ECDSA with SHAKE public keys in CMS messages. The conventions for + using the OIDs specified in Section 3 when encoding RSASSA-PSS with + SHAKE public keys in CMS messages. The conventions and encoding for RSASSA-PSS and ECDSA public keys algorithm identifiers are as - specified in [RFC3279], [RFC4055] and [RFC5480] , but we include them - below for convenience. - -4.3.1. RSASSA-PSS Public Keys - - [RFC3279] defines the following OID for RSA AlgorithmIdentifier in - the SubjectPublicKeyInfo with NULL parameters. - - rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1} + specified in Section 2.3 of [RFC3279], Section 3.1 of [RFC4055] and + Section 2.1 of [RFC5480]. - Additionally, when the RSA private key owner wishes to limit the use - of the public key exclusively to RSASSA-PSS, the AlgorithmIdentifier - for RSASSA-PSS defined in Section 3 can be used as the algorithm - attribute in the OriginatorPublicKey sequence. The identifier - parameters, as explained in Section 3, MUST be absent. The RSASSA- - PSS algorithm functions and output lengths are the same as defined in + When the RSA private key owner wishes to limit the use of the public + key exclusively to RSASSA-PSS, the AlgorithmIdentifier for RSASSA-PSS + defined in Section 3 can be used as the algorithm attribute in the + OriginatorPublicKey sequence. The identifier parameters, as + explained in Section 3, MUST be absent. The RSASSA-PSS algorithm + functions and output lengths are the same as defined in Section 4.2.1. - Regardless of what public key algorithm identifier is used, the RSA - public key, which is composed of a modulus and a public exponent, - MUST be encoded using the RSAPublicKey type [RFC4055]. The output of - this encoding is carried in the CMS publicKey bit string. - - RSAPublicKey ::= SEQUENCE { - modulus INTEGER, -- n - publicExponent INTEGER -- e - } - -4.3.2. ECDSA Public Keys - - For ECDSA, the mandatory EC SubjectPublicKey is defined in - Section 2.1.1 and its syntax in Section 2.2 of [RFC5480]. We also - include them here for convenience: - - id-ecPublicKey OBJECT IDENTIFIER ::= { - iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } - - ECParameters ::= CHOICE { - namedCurve OBJECT IDENTIFIER - -- implicitCurve NULL - -- specifiedCurve SpecifiedECDomain - } - - The ECParameters associated with the ECDSA public key in the signers - certificate SHALL apply to the verification of the signature. - 4.4. Message Authentication Codes KMAC message authentication code (KMAC) is specified in [SP800-185]. In CMS, KMAC algorithm identifiers are located in the AuthenticatedData macAlgorithm field. The KMAC values are located in the AuthenticatedData mac field. When the id-KmacWithSHAKE128 or id-KmacWithSHAKE256 algorithm identifier is used as the MAC algorithm identifier, the parameters field is optional (absent or present). If absent, the SHAKE256 @@ -449,20 +428,24 @@ [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009, . [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC 8017, DOI 10.17487/RFC8017, November 2016, . + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, . + [SHA3] National Institute of Standards and Technology, U.S. Department of Commerce, "SHA-3 Standard - Permutation- Based Hash and Extendable-Output Functions", FIPS PUB 202, August 2015. [SP800-185] National Institute of Standards and Technology, "SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash. NIST SP 800-185", December 2016,