--- 1/draft-ietf-lamps-cms-shakes-04.txt 2018-12-18 14:13:54.139492966 -0800 +++ 2/draft-ietf-lamps-cms-shakes-05.txt 2018-12-18 14:13:54.175493839 -0800 @@ -1,20 +1,20 @@ LAMPS WG Q. Dang Internet-Draft NIST Intended status: Standards Track P. Kampanakis -Expires: June 2, 2019 Cisco Systems - November 29, 2018 +Expires: June 21, 2019 Cisco Systems + December 18, 2018 Use of the SHAKE One-way Hash Functions in the Cryptographic Message Syntax (CMS) - draft-ietf-lamps-cms-shakes-04 + draft-ietf-lamps-cms-shakes-05 Abstract This document describes the conventions for using the SHAKE family of hash functions with the Cryptographic Message Syntax (CMS) as one-way hash functions with the RSA Probabilistic signature and ECDSA signature algorithms, as message digests and message authentication codes. The conventions for the associated signer public keys in CMS are also described. @@ -26,21 +26,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on June 2, 2019. + This Internet-Draft will expire on June 21, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -54,35 +54,43 @@ 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 3. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 6 4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 6 4.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 6 4.2.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 6 4.2.2. Deterministic ECDSA Signatures . . . . . . . . . . . 7 - 4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 7 + 4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 8 4.4. Message Authentication Codes . . . . . . . . . . . . . . 8 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 - 8.1. Normative References . . . . . . . . . . . . . . . . . . 9 - 8.2. Informative References . . . . . . . . . . . . . . . . . 10 - Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 11 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 + 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 + 8.2. Informative References . . . . . . . . . . . . . . . . . 11 + Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 12 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 1. Change Log [ EDNOTE: Remove this section before publication. ] + o draft-ietf-lamps-cms-shake-05: + + * Added informative references. + + * Updated ASN.1 so it compiles. + + * Updated IANA considerations. + o draft-ietf-lamps-cms-shake-04: * Added RFC8174 reference and text. 
* Explicitly explained why RSASSA-PSS-params are omitted in section 4.2.1. * Simplified Public Keys section by removing redundand info from RFCs. @@ -359,23 +367,27 @@ Conforming implementations that process KMACs with the SHAKEs when processing CMS data MUST recognize these identifiers. When calculating the KMAC output, the variable N is 0xD2B282C2, S is an empty string, and L, the integer representing the requested output length in bits, is 256 or 512 for KmacWithSHAKE128 or KmacWithSHAKE256 respectively in this specification. 5. IANA Considerations - [ EDNOTE: Update here only if there are OID allocations by IANA. ] + One object identifier for the ASN.1 module in Appendix A was assigned + in the SMI Security for S/MIME Module Identifiers + (1.2.840.113549.1.9.16.0) registry: - This document has no IANA actions. + CMSAlgsForSHAKE-2018 { { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) + id-mod-cms-shakes(TBD) } 6. Security Considerations The SHAKEs are deterministic functions. Like any other deterministic function, executing each function with the same input multiple times will produce the same output. Therefore, users should not expect unrelated outputs (with the same or different output lengths) from excuting a SHAKE function with the same input multiple times. The shorter one of any 2 outputs produced from a SHAKE with the same input is a prefix of the longer one. It is a similar situation as 
@@ -395,25 +407,27 @@ computing power increases, the work factor or time required to break a particular cryptographic algorithm may decrease. Therefore, cryptographic algorithm implementations should be modular allowing new algorithms to be readily inserted. That is, implementers should be prepared to regularly update the set of algorithms in their implementations. 7. Acknowledgements This document is based on Russ Housley's draft - [I-D.housley-lamps-cms-sha3-hash] It replaces SHA3 hash functions by - SHAKE128 and SHAKE256 as the LAMPS WG agreed. + [I-D.housley-lamps-cms-sha3-hash]. It replaces SHA3 hash functions + by SHAKE128 and SHAKE256 as the LAMPS WG agreed. -8. References + The authors would like to thank Russ Housley for his guidance and + very valuable contributions with the ASN.1 module. +8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate 
@@ -457,20 +471,36 @@ Housley, R., "Use of the SHA3 One-way Hash Functions in the Cryptographic Message Syntax (CMS)", draft-housley- lamps-cms-sha3-hash-00 (work in progress), March 2017. [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April 2002, . + [RFC5753] Turner, S. and D. Brown, "Use of Elliptic Curve + Cryptography (ECC) Algorithms in Cryptographic Message + Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January + 2010, . + + [RFC5911] Hoffman, P. and J. Schaad, "New ASN.1 Modules for + Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911, + DOI 10.17487/RFC5911, June 2010, + . + + [RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules + for the Cryptographic Message Syntax (CMS) and the Public + Key Infrastructure Using X.509 (PKIX)", RFC 6268, + DOI 10.17487/RFC6268, July 2011, + . + [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August 2013, . [SEC1] Standards for Efficient Cryptography Group, "SEC 1: Elliptic Curve Cryptography", May 2009, . [shake-nist-oids] 
@@ -482,51 +512,50 @@ [X9.62] American National Standard for Financial Services (ANSI), "X9.62-2005 Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Standard (ECDSA)", November 2005. Appendix A. ASN.1 Module This appendix includes the ASN.1 modules for SHAKEs in CMS. This module includes some ASN.1 from other standards for reference. - CMSAlgsForSHAKE-2018 { { iso(1) member-body(2) us(840) + CMSAlgsForSHAKE-2018 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-shakes(TBD) } DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS ALL; IMPORTS DIGEST-ALGORITHM, MAC-ALGORITHM, SMIME-CAPS FROM AlgorithmInformation-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58) } RSAPublicKey, rsaEncryption, id-ecPublicKey FROM PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) - id-mod-pkix1-algorithms2008-02(56) } + id-mod-pkix1-algorithms2008-02(56) } ; -- -- Message Digest Algorithms (mda-) -- used in SignedData, SignerInfo, DigestedData, -- and the AuthenticatedData digestAlgorithm -- fields in CMS -- - digestAlgorithms DIGEST-ALGORITHM ::= { - ... + MessageDigestAlgs DIGEST-ALGORITHM ::= { -- This expands MessageAuthAlgs from [RFC5652] -- and MessageDigestAlgs in [RFC5753] mda-shake128 | mda-shake256, ... } -- -- One-Way Hash Functions -- SHAKE128 
@@ -555,120 +584,123 @@ -- type and countersignature attribute in CMS. -- -- From RFC5280, for reference. -- rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } -- When the rsaEncryption algorithm identifier is used -- for a public key, the AlgorithmIdentifier parameters -- field MUST contain NULL. -- id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { TBD } id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { TBD } + -- When the id-RSASSA-PSS-* algorithm identifiers are used - -- for a public key or a signature in CMS, the AlgorithmIdentifier + -- for a public key or signature in CMS, the AlgorithmIdentifier -- parameters field MUST be absent. The message digest algorithm -- used in RSASSA-PSS MUST be SHAKE128 or SHAKE256 with a 32 or -- 64 byte outout length respectively. The mask generating -- function MUST be SHAKE128 or SHAKE256 with an output length -- of (n - 264)/8 or (n - 520)/8 bytes respectively, where n -- is the RSA modulus in bits. The RSASSA-PSS saltLength MUST -- be 32 or 64 bytes respectively. In both cases, the RSA -- public key, MUST be encoded using the RSAPublicKey type. -- From RFC4055, for reference. 
-- RSAPublicKey ::= SEQUENCE { - -- modulus INTEGER, -- n - -- publicExponent INTEGER } -- e + -- modulus INTEGER, -- -- n + -- publicExponent INTEGER } -- -- e - id-ecdsa-with-shake128 ::= { joint-iso-itu-t(2) country(16) - us(840) organization(1) gov(101) - csor(3) nistAlgorithm(4) + id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) + country(16) us(840) organization(1) + gov(101) csor(3) nistAlgorithm(4) sigAlgs(3) TBD } - id-ecdsa-with-shake256 ::= { joint-iso-itu-t(2) country(16) - us(840) organization(1) gov(101) - csor(3) nistAlgorithm(4) + id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) + country(16) us(840) organization(1) + gov(101) csor(3) nistAlgorithm(4) sigAlgs(3) TBD } -- When the id-ecdsa-with-shake* algorithm identifiers are -- used in CMS, the AlgorithmIdentifier parameters field -- MUST be absent and the signature algorithm should -- Deterministric ECDSA [RFC6979]. The message digest MUST -- be SHAKE128 or SHAKE256 with a 32 or 64 byte outout -- length respectively. In both cases, the ECDSA public key, -- MUST be encoded using the id-ecPublicKey type. -- From RFC5480, for reference. -- id-ecPublicKey OBJECT IDENTIFIER ::= { -- iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } -- The id-ecPublicKey parameters must be absent or present -- and are defined as -- ECParameters ::= CHOICE { -- namedCurve OBJECT IDENTIFIER - -- -- implicitCurve NULL - -- -- specifiedCurve SpecifiedECDomain + -- -- -- implicitCurve NULL + -- -- -- specifiedCurve SpecifiedECDomain -- } -- -- Message Authentication (maca-) Algorithms -- used in AuthenticatedData macAlgorithm in CMS -- MessageAuthAlgs MAC-ALGORITHM ::= { - ... -- This expands MessageAuthAlgs from [RFC5652] and [RFC6268] maca-KMACwithSHAKE128 | - maca-KMACwithSHAKE256 + maca-KMACwithSHAKE256, + ... } SMimeCaps SMIME-CAPS ::= { - ... 
-- The expands SMimeCaps from [RFC5911] - - maca-KMACwithSHAKE128 | - maca-KMACwithSHAKE256 + maca-KMACwithSHAKE128.&smimeCaps | + maca-KMACwithSHAKE256.&smimeCaps, + ... } -- -- KMAC with SHAKE128 maca-KMACwithSHAKE128 MAC-ALGORITHM ::= { IDENTIFIER id-KMACWithSHAKE128 PARAMS TYPE KMACwithSHAKE128-params ARE optional -- If KMACwithSHAKE128-params parameters are absent -- the SHAKE128 output length used in KMAC is 256 bits -- and the customization string is an empty string. + IS-KEYED-MAC TRUE SMIME-CAPS {IDENTIFIED BY id-KMACWithSHAKE128} } id-KMACWithSHAKE128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2) 19 } KMACwithSHAKE128-params ::= SEQUENCE { - KMACOutputLength INTEGER DEFAULT 256, -- Output length in bits + kMACOutputLength INTEGER DEFAULT 256, -- Output length in bits customizationString OCTET STRING DEFAULT ''H } -- KMAC with SHAKE256 maca-KMACwithSHAKE256 MAC-ALGORITHM ::= { IDENTIFIER id-KMACWithSHAKE256 PARAMS TYPE KMACwithSHAKE256-params ARE optional -- If KMACwithSHAKE256-params parameters are absent -- the SHAKE256 output length used in KMAC is 512 bits -- and the customization string is an empty string. + IS-KEYED-MAC TRUE SMIME-CAPS {IDENTIFIED BY id-KMACWithSHAKE256} } id-KMACWithSHAKE256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) hashAlgs(2) 20 } KMACwithSHAKE256-params ::= SEQUENCE { - KMACOutputLength INTEGER DEFAULT 512, -- Output length in bits + kMACOutputLength INTEGER DEFAULT 512, -- Output length in bits customizationString OCTET STRING DEFAULT ''H } END Authors' Addresses + Quynh Dang NIST 100 Bureau Drive Gaithersburg, MD 20899 Email: quynh.Dang@nist.gov Panos Kampanakis Cisco Systems
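Review bot: the new change-log entry in the `@@ -54,35 +54,43 @@` hunk is titled `o draft-ietf-lamps-cms-shake-05:`, but the document name in the title block and file name is `draft-ietf-lamps-cms-shakes-05` (note the `s`); the pre-existing `-04` entry has the same mismatch, so both should be corrected while this section is open. The unchanged context line `removing redundand info from RFCs` also needs `redundant`.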
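Review bot: the replacement IANA text in the `@@ -359,23 +367,27 @@` hunk says the module identifier "was assigned", yet the arc still reads `id-mod-cms-shakes(TBD)`; either put the assigned value in (here and in Appendix A) or phrase the sentence as a request to IANA until the number exists. The same lines reproduce the doubled brace `CMSAlgsForSHAKE-2018 { { iso(1) ...` that the Appendix A hunk of this very revision corrects to a single `{`, so the two copies of the identifier now disagree; suggest copying the corrected form, `CMSAlgsForSHAKE-2018 { iso(1) member-body(2) us(840)`. Unchanged context just below: `excuting` should be `executing`.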
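Review bot: [RFC5753], [RFC5911] and [RFC6268], added in the `@@ -457,20 +471,36 @@` hunk, are filed as Informative, but the Appendix A module cites them in the comments on the sets it expands and IMPORTS from `AlgorithmInformation-2009` and `PKIXAlgs-2009`; those two modules are defined in RFC 5912, which appears in neither this hunk nor the visible part of the Normative list. Suggest adding RFC 5912 as a normative reference and deciding whether the RFCs whose sets the module extends should be normative as well, since the module cannot be compiled without them.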
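Review bot: the comment on the renamed digest set in the `@@ -482,51 +512,50 @@` hunk, `-- This expands MessageAuthAlgs from [RFC5652]`, names the MAC set although the object is `MessageDigestAlgs DIGEST-ALGORITHM`; the MAC set later in the module carries the same sentence, so this reads as a copy-and-paste slip. Suggest `-- This expands MessageDigestAlgs from [RFC5652]` / `-- and MessageDigestAlgs in [RFC5753]`. The rename from `digestAlgorithms` (an information object set reference must start with an uppercase letter), the single `{` on the module identifier and the `;` that now terminates the IMPORTS are all needed for the module to compile, matching the "Updated ASN.1 so it compiles" change-log item.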
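Review bot: in the `@@ -555,120 +584,123 @@` hunk the unchanged comment on the `id-ecdsa-with-shake*` identifiers reads `the signature algorithm should -- Deterministric ECDSA [RFC6979]`: the verb is missing and the name is misspelled; suggest `-- MUST be absent and the signature algorithm should be` / `-- Deterministic ECDSA [RFC6979].` and check the keyword (`should` versus `MUST`) against the normative text of Section 4.2.2. Second, `SMimeCaps` now advertises only `maca-KMACwithSHAKE128.&smimeCaps` and `maca-KMACwithSHAKE256.&smimeCaps`, while the module also defines `mda-shake128`/`mda-shake256` and four signature OIDs; confirm whether those capabilities should be listed too, given the comment says the set expands SMimeCaps from [RFC5911]. The comment-syntax changes are right: a second `--` on a line ends an ASN.1 comment, so the old `-- modulus INTEGER, -- n` and `-- -- implicitCurve NULL` left `n`, `e`, `implicitCurve NULL` and `specifiedCurve SpecifiedECDomain` outside the comment, and `-- -- n` / `-- -- -- implicitCurve NULL` re-open it. Adding `OBJECT IDENTIFIER` to the two `id-ecdsa-with-shake*` assignments, `IS-KEYED-MAC TRUE` (the `&keyed` field of `MAC-ALGORITHM` is mandatory) and the lowercase `kMACOutputLength` (component identifiers must start lowercase) are the remaining compile fixes. Leftover typos in context lines worth taking in the same pass: `outout` (twice), `-- The expands SMimeCaps` (`This`), and the stray commas in `the RSA public key, MUST` and `the ECDSA public key, MUST`.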