| draft-ietf-lamps-cms-shakes-11.txt | draft-ietf-lamps-cms-shakes-12.txt | |||
|---|---|---|---|---|
| LAMPS WG P. Kampanakis | LAMPS WG P. Kampanakis | |||
| Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
| Updates: 3370 (if approved) Q. Dang | Updates: 3370 (if approved) Q. Dang | |||
| Intended status: Standards Track NIST | Intended status: Standards Track NIST | |||
| Expires: December 19, 2019 June 17, 2019 | Expires: January 1, 2020 June 30, 2019 | |||
| Use of the SHAKE One-way Hash Functions in the Cryptographic Message | Use of the SHAKE One-way Hash Functions in the Cryptographic Message | |||
| Syntax (CMS) | Syntax (CMS) | |||
| draft-ietf-lamps-cms-shakes-11 | draft-ietf-lamps-cms-shakes-12 | |||
| Abstract | Abstract | |||
| This document describes the conventions for using the SHAKE family of | This document updates [RFC3370] and describes the conventions for | |||
| hash functions with the Cryptographic Message Syntax (CMS) as one-way | using the SHAKE family of hash functions with the Cryptographic | |||
| hash functions with the RSA Probabilistic signature and ECDSA | Message Syntax (CMS) as one-way hash functions with the RSA | |||
| signature algorithms, as message digests and message authentication | Probabilistic signature and ECDSA signature algorithms, as message | |||
| codes. The conventions for the associated signer public keys in CMS | digests and message authentication codes. The conventions for the | |||
| are also described. | associated signer public keys in CMS are also described. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on December 19, 2019. | This Internet-Draft will expire on January 1, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 14 ¶ | skipping to change at page 2, line 14 ¶ | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 6 | 4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 7 | 4.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 7 | 4.2.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 7 | |||
| 4.2.2. ECDSA Signatures . . . . . . . . . . . . . . . . . . 8 | 4.2.2. ECDSA Signatures . . . . . . . . . . . . . . . . . . 8 | |||
| 4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 9 | 4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.4. Message Authentication Codes . . . . . . . . . . . . . . 9 | 4.4. Message Authentication Codes . . . . . . . . . . . . . . 9 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 11 | 8.2. Informative References . . . . . . . . . . . . . . . . . 12 | |||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 13 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 1. Change Log | 1. Change Log | |||
| [ EDNOTE: Remove this section before publication. ] | [ EDNOTE: Remove this section before publication. ] | |||
| o draft-ietf-lamps-cms-shake-12: | ||||
| * Nits identified by Roman, Barry L. in ballot position review. | ||||
| o draft-ietf-lamps-cms-shake-11: | o draft-ietf-lamps-cms-shake-11: | |||
| * Minor nits. | * Minor nits. | |||
| * Nits identified by Roman in AD Review. | * Nits identified by Roman in AD Review. | |||
| o draft-ietf-lamps-cms-shake-10: | o draft-ietf-lamps-cms-shake-10: | |||
| * Updated IANA considerations section to request for OID | * Updated IANA considerations section to request for OID | |||
| assignments. | assignments. | |||
| skipping to change at page 4, line 44 ¶ | skipping to change at page 4, line 48 ¶ | |||
| The Cryptographic Message Syntax (CMS) [RFC5652] is used to digitally | The Cryptographic Message Syntax (CMS) [RFC5652] is used to digitally | |||
| sign, digest, authenticate, or encrypt arbitrary message contents. | sign, digest, authenticate, or encrypt arbitrary message contents. | |||
| This specification describes the use of the SHAKE128 and SHAKE256 | This specification describes the use of the SHAKE128 and SHAKE256 | |||
| specified in [SHA3] as new hash functions in CMS. In addition, it | specified in [SHA3] as new hash functions in CMS. In addition, it | |||
| describes the use of these functions with the RSASSA-PSS signature | describes the use of these functions with the RSASSA-PSS signature | |||
| algorithm [RFC8017] and the Elliptic Curve Digital Signature | algorithm [RFC8017] and the Elliptic Curve Digital Signature | |||
| Algorithm (ECDSA) [X9.62] with the CMS signed-data content type. | Algorithm (ECDSA) [X9.62] with the CMS signed-data content type. | |||
| In the SHA-3 family, two extendable-output functions (SHAKEs), | In the SHA-3 family, two extendable-output functions (SHAKEs), | |||
| SHAKE128 and SHAKE256, are defined. Four other hash function | SHAKE128 and SHAKE256, are defined. Four other hash function | |||
| instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512 are also | instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512, are also | |||
| defined but are out of scope for this document. A SHAKE is a | defined but are out of scope for this document. A SHAKE is a | |||
| variable length hash function defined as SHAKE(M, d) where the output | variable length hash function defined as SHAKE(M, d) where the output | |||
| is a d-bits long digest of message M. The corresponding collision | is a d-bits-long digest of message M. The corresponding collision | |||
| and second preimage resistance strengths for SHAKE128 are | and second-preimage-resistance strengths for SHAKE128 are | |||
| min(d/2,128) and min(d,128) bits respectively (Appendix A.1 [SHA3]). | min(d/2,128) and min(d,128) bits, respectively (Appendix A.1 [SHA3]). | |||
| And, the corresponding collision and second preimage resistance | And the corresponding collision and second-preimage-resistance | |||
| strengths for SHAKE256 are min(d/2,256) and min(d,256) bits | strengths for SHAKE256 are min(d/2,256) and min(d,256) bits, | |||
| respectively. | respectively. | |||
| A SHAKE can be used in CMS as the message digest function (to hash | A SHAKE can be used in CMS as the message digest function (to hash | |||
| the message to be signed) in RSASSA-PSS and ECDSA, message | the message to be signed) in RSASSA-PSS and ECDSA, message | |||
| authentication code and as the mask generation function (MGF) in | authentication code and as the mask generation function (MGF) in | |||
| RSASSA-PSS. This specification describes the identifiers for SHAKEs | RSASSA-PSS. This specification describes the identifiers for SHAKEs | |||
| to be used in CMS and their meaning. | to be used in CMS and their meaning. | |||
| 2.1. Terminology | 2.1. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. Identifiers | 3. Identifiers | |||
| This section defines four new object identifiers (OIDs) for using | This section identifies eight new object identifiers (OIDs) for using | |||
| SHAKE128 and SHAKE256 in CMS. | SHAKE128 and SHAKE256 in CMS. | |||
| Two object identifiers for SHAKE128 and SHAKE256 hash functions are | Two object identifiers for SHAKE128 and SHAKE256 hash functions are | |||
| defined in [shake-nist-oids] and we include them here for | defined in [shake-nist-oids] and we include them here for | |||
| convenience. | convenience. | |||
| id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
| country(16) us(840) organization(1) gov(101) csor(3) | country(16) us(840) organization(1) gov(101) csor(3) | |||
| nistAlgorithm(4) 2 11 } | nistAlgorithm(4) 2 11 } | |||
| skipping to change at page 7, line 5 ¶ | skipping to change at page 7, line 18 ¶ | |||
| 4. Use in CMS | 4. Use in CMS | |||
| 4.1. Message Digests | 4.1. Message Digests | |||
| The id-shake128 and id-shake256 OIDs (Section 3) can be used as the | The id-shake128 and id-shake256 OIDs (Section 3) can be used as the | |||
| digest algorithm identifiers located in the SignedData, SignerInfo, | digest algorithm identifiers located in the SignedData, SignerInfo, | |||
| DigestedData, and the AuthenticatedData digestAlgorithm fields in CMS | DigestedData, and the AuthenticatedData digestAlgorithm fields in CMS | |||
| [RFC5652]. The encoding MUST omit the parameters field and the | [RFC5652]. The encoding MUST omit the parameters field and the | |||
| output size, d, for the SHAKE128 or SHAKE256 message digest MUST be | output size, d, for the SHAKE128 or SHAKE256 message digest MUST be | |||
| 256 or 512 bits respectively. | 256 or 512 bits, respectively. | |||
| The digest values are located in the DigestedData field and the | The digest values are located in the DigestedData field and the | |||
| Message Digest authenticated attribute included in the | Message Digest authenticated attribute included in the | |||
| signedAttributes of the SignedData signerInfo. In addition, digest | signedAttributes of the SignedData signerInfo. In addition, digest | |||
| values are input to signature algorithms. The digest algorithm MUST | values are input to signature algorithms. The digest algorithm MUST | |||
| be the same as the message hash algorithms used in signatures. | be the same as the message hash algorithms used in signatures. | |||
| 4.2. Signatures | 4.2. Signatures | |||
| In CMS, signature algorithm identifiers are located in the SignerInfo | In CMS, signature algorithm identifiers are located in the SignerInfo | |||
| skipping to change at page 7, line 46 ¶ | skipping to change at page 8, line 10 ¶ | |||
| used, the encoding MUST omit the parameters field. That is, the | used, the encoding MUST omit the parameters field. That is, the | |||
| AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA- | AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA- | |||
| PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. [RFC4055] defines RSASSA- | PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. [RFC4055] defines RSASSA- | |||
| PSS-params that are used to define the algorithms and inputs to the | PSS-params that are used to define the algorithms and inputs to the | |||
| algorithm. This specification does not use parameters because the | algorithm. This specification does not use parameters because the | |||
| hash, mask generation algorithm, trailer and salt are embedded in the | hash, mask generation algorithm, trailer and salt are embedded in the | |||
| OID definition. | OID definition. | |||
| The hash algorithm to hash a message being signed and the hash | The hash algorithm to hash a message being signed and the hash | |||
| algorithm as the mask generation function used in RSASSA-PSS MUST be | algorithm as the mask generation function used in RSASSA-PSS MUST be | |||
| the same, SHAKE128 or SHAKE256 respectively. The output-length of | the same: both SHAKE128 or both SHAKE256. The output length of the | |||
| the hash algorithm which hashes the message SHALL be 32 or 64 bytes | hash algorithm which hashes the message SHALL be 32 (for SHAKE128) or | |||
| respectively. | 64 bytes (for SHAKE256). | |||
| The mask generation function takes an octet string of variable length | The mask generation function takes an octet string of variable length | |||
| and a desired output length as input, and outputs an octet string of | and a desired output length as input, and outputs an octet string of | |||
| the desired length. In RSASSA-PSS with SHAKEs, the SHAKEs MUST be | the desired length. In RSASSA-PSS with SHAKEs, the SHAKEs MUST be | |||
| used natively as the MGF function, instead of the MGF1 algorithm that | used natively as the MGF function, instead of the MGF1 algorithm that | |||
| uses the hash function in multiple iterations as specified in | uses the hash function in multiple iterations as specified in | |||
| Section B.2.1 of [RFC8017]. In other words, the MGF is defined as | Section B.2.1 of [RFC8017]. In other words, the MGF is defined as | |||
| the SHAKE128 or SHAKE256 output of the mgfSeed for id-RSASSA-PSS- | the SHAKE128 or SHAKE256 output of the mgfSeed for id-RSASSA-PSS- | |||
| SHAKE128 and id-RSASSA-PSS-SHAKE256 respectively. The mgfSeed is the | SHAKE128 and id-RSASSA-PSS-SHAKE256, respectively. The mgfSeed is | |||
| seed from which mask is generated, an octet string [RFC8017]. As | the seed from which mask is generated, an octet string [RFC8017]. As | |||
| explained in Step 9 of section 9.1.1 of [RFC8017], the output length | explained in Step 9 of section 9.1.1 of [RFC8017], the output length | |||
| of the MGF is emLen - hLen - 1 bytes. emLen is the maximum message | of the MGF is emLen - hLen - 1 bytes. emLen is the maximum message | |||
| length ceil((n-1)/8), where n is the RSA modulus in bits. hLen is 32 | length ceil((n-1)/8), where n is the RSA modulus in bits. hLen is 32 | |||
| and 64-bytes for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256 | and 64-bytes for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256, | |||
| respectively. Thus when SHAKE is used as the MGF, the SHAKE output | respectively. Thus when SHAKE is used as the MGF, the SHAKE output | |||
| length maskLen is (n - 264) or (n - 520) bits respectively. For | length maskLen is (8*emLen - 264) or (8*emLen - 520) bits, | |||
| example, when RSA modulus n is 2048, the output length of SHAKE128 or | respectively. For example, when RSA modulus n is 2048, the output | |||
| SHAKE256 as the MGF will be 1784 or 1528-bits when id-RSASSA-PSS- | length of SHAKE128 or SHAKE256 as the MGF will be 1784 or 1528-bits | |||
| SHAKE128 or id-RSASSA-PSS-SHAKE256 is used respectively. | when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 is used, | |||
| respectively. | ||||
| The RSASSA-PSS saltLength MUST be 32 or 64 bytes respectively. | The RSASSA-PSS saltLength MUST be 32 bytes for id-RSASSA-PSS-SHAKE128 | |||
| Finally, the trailerField MUST be 1, which represents the trailer | or 64 bytes for id-RSASSA-PSS-SHAKE256. Finally, the trailerField | |||
| field with hexadecimal value 0xBC [RFC8017]. | MUST be 1, which represents the trailer field with hexadecimal value | |||
| 0xBC [RFC8017]. | ||||
| 4.2.2. ECDSA Signatures | 4.2.2. ECDSA Signatures | |||
| The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | |||
| [X9.62]. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256 | [X9.62]. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256 | |||
| (specified in Section 3) algorithm identifier appears, the respective | (specified in Section 3) algorithm identifier appears, the respective | |||
| SHAKE function is used as the hash. The encoding MUST omit the | SHAKE function is used as the hash. The encoding MUST omit the | |||
| parameters field. That is, the AlgorithmIdentifier SHALL be a | parameters field. That is, the AlgorithmIdentifier SHALL be a | |||
| SEQUENCE of one component, the OID id-ecdsa-with-shake128 or id- | SEQUENCE of one component, the OID id-ecdsa-with-shake128 or id- | |||
| ecdsa-with-shake256. | ecdsa-with-shake256. | |||
| skipping to change at page 8, line 37 ¶ | skipping to change at page 9, line 4 ¶ | |||
| The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | |||
| [X9.62]. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256 | [X9.62]. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256 | |||
| (specified in Section 3) algorithm identifier appears, the respective | (specified in Section 3) algorithm identifier appears, the respective | |||
| SHAKE function is used as the hash. The encoding MUST omit the | SHAKE function is used as the hash. The encoding MUST omit the | |||
| parameters field. That is, the AlgorithmIdentifier SHALL be a | parameters field. That is, the AlgorithmIdentifier SHALL be a | |||
| SEQUENCE of one component, the OID id-ecdsa-with-shake128 or id- | SEQUENCE of one component, the OID id-ecdsa-with-shake128 or id- | |||
| ecdsa-with-shake256. | ecdsa-with-shake256. | |||
| For simplicity and compliance with the ECDSA standard specification, | For simplicity and compliance with the ECDSA standard specification, | |||
| the output size of the hash function must be explicitly determined. | the output size of the hash function must be explicitly determined. | |||
| The output size, d, for SHAKE128 or SHAKE256 used in ECDSA MUST be | The output size, d, for SHAKE128 or SHAKE256 used in ECDSA MUST be | |||
| 256 or 512 bits respectively. | 256 or 512 bits, respectively. | |||
| It is RECOMMENDED that conforming implementations that generate ECDSA | Conforming CA implementations that generate ECDSA with SHAKE | |||
| with SHAKE signatures in CMS generate such signatures with a | signatures in certificates or CRLs SHOULD generate such signatures | |||
| deterministically generated, non-random k in accordance with all the | with a deterministically generated, non-random k in accordance with | |||
| requirements specified in [RFC6979]. They MAY also generate such | all the requirements specified in [RFC6979]. They MAY also generate | |||
| signatures in accordance with all other recommendations in [X9.62] or | such signatures in accordance with all other recommendations in | |||
| [SEC1] if they have a stated policy that requires conformance to | [X9.62] or [SEC1] if they have a stated policy that requires | |||
| these standards. These standards have not specified SHAKE128 and | conformance to those standards. Those standards have not specified | |||
| SHAKE256 as hash algorithm options. However, SHAKE128 and SHAKE256 | SHAKE128 and SHAKE256 as hash algorithm options. However, SHAKE128 | |||
| with output length being 32 and 64 octets respectively can be used | and SHAKE256 with output length being 32 and 64 octets, respectively | |||
| instead of 256 and 512-bit output hash algorithms such as SHA256 and | can be used instead of 256 and 512-bit output hash algorithms such as | |||
| SHA512 used in the standards. | SHA256 and SHA512. | |||
| 4.3. Public Keys | 4.3. Public Keys | |||
| In CMS, the signer's public key algorithm identifiers are located in | In CMS, the signer's public key algorithm identifiers are located in | |||
| the OriginatorPublicKey's algorithm attribute. The conventions and | the OriginatorPublicKey's algorithm attribute. The conventions and | |||
| encoding for RSASSA-PSS and ECDSA public keys algorithm identifiers | encoding for RSASSA-PSS and ECDSA public keys algorithm identifiers | |||
| are as specified in Section 2.3 of [RFC3279], Section 3.1 of | are as specified in Section 2.3 of [RFC3279], Section 3.1 of | |||
| [RFC4055] and Section 2.1 of [RFC5480]. | [RFC4055] and Section 2.1 of [RFC5480]. | |||
| Traditionally, the rsaEncryption object identifier is used to | Traditionally, the rsaEncryption object identifier is used to | |||
| skipping to change at page 9, line 41 ¶ | skipping to change at page 10, line 8 ¶ | |||
| 4.4. Message Authentication Codes | 4.4. Message Authentication Codes | |||
| KMAC message authentication code (KMAC) is specified in [SP800-185]. | KMAC message authentication code (KMAC) is specified in [SP800-185]. | |||
| In CMS, KMAC algorithm identifiers are located in the | In CMS, KMAC algorithm identifiers are located in the | |||
| AuthenticatedData macAlgorithm field. The KMAC values are located in | AuthenticatedData macAlgorithm field. The KMAC values are located in | |||
| the AuthenticatedData mac field. | the AuthenticatedData mac field. | |||
| When the id-KmacWithSHAKE128 or id-KmacWithSHAKE256 OID is used as | When the id-KmacWithSHAKE128 or id-KmacWithSHAKE256 OID is used as | |||
| the MAC algorithm identifier, the parameters field is optional | the MAC algorithm identifier, the parameters field is optional | |||
| (absent or present). If absent, the SHAKE256 output length used in | (absent or present). If absent, the SHAKE256 output length used in | |||
| KMAC is 256 or 512 bits respectively and the customization string is | KMAC is 256 or 512 bits, respectively, and the customization string | |||
| an empty string by default. | is an empty string by default. | |||
| Conforming implementations that process KMACs with the SHAKEs when | Conforming implementations that process KMACs with the SHAKEs when | |||
| processing CMS data MUST recognize these identifiers. | processing CMS data MUST recognize these identifiers. | |||
| When calculating the KMAC output, the variable N is 0xD2B282C2, S is | When calculating the KMAC output, the variable N is 0xD2B282C2, S is | |||
| an empty string, and L, the integer representing the requested output | an empty string, and L, the integer representing the requested output | |||
| length in bits, is 256 or 512 for KmacWithSHAKE128 or | length in bits, is 256 or 512 for KmacWithSHAKE128 or | |||
| KmacWithSHAKE256 respectively in this specification. | KmacWithSHAKE256, respectively, in this specification. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| One object identifier for the ASN.1 module in Appendix A was | One object identifier for the ASN.1 module in Appendix A was | |||
| requested for the SMI Security for S/MIME Module Identifiers | requested for the SMI Security for S/MIME Module Identifiers | |||
| (1.2.840.113549.1.9.16.0) registry: | (1.2.840.113549.1.9.16.0) registry: | |||
| +---------+----------------------+--------------------+ | +---------+----------------------+--------------------+ | |||
| | Decimal | Description | References | | | Decimal | Description | References | | |||
| +---------+----------------------+--------------------+ | +---------+----------------------+--------------------+ | |||
| skipping to change at page 15, line 14 ¶ | skipping to change at page 15, line 24 ¶ | |||
| security(5) mechanisms(5) pkix(7) algorithms(6) | security(5) mechanisms(5) pkix(7) algorithms(6) | |||
| TBD1 } | TBD1 } | |||
| id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { iso(1) | id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { iso(1) | |||
| identified-organization(3) dod(6) internet(1) | identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) algorithms(6) | security(5) mechanisms(5) pkix(7) algorithms(6) | |||
| TBD2 } | TBD2 } | |||
| -- When the id-RSASSA-PSS-* algorithm identifiers are used | -- When the id-RSASSA-PSS-* algorithm identifiers are used | |||
| -- for a public key or signature in CMS, the AlgorithmIdentifier | -- for a public key or signature in CMS, the AlgorithmIdentifier | |||
| -- parameters field MUST be absent. The message digest algorithm | -- parameters field MUST be absent. The message digest algorithm | |||
| -- used in RSASSA-PSS MUST be SHAKE128 or SHAKE256 with a 32 or | -- used in RSASSA-PSS MUST be SHAKE128 or SHAKE256 with a 32 or | |||
| -- 64 byte outout length respectively. The mask generation | -- 64 byte outout length, respectively. The mask generation | |||
| -- function MUST be SHAKE128 or SHAKE256 with an output length | -- function MUST be SHAKE128 or SHAKE256 with an output length | |||
| -- of (n - 264) or (n - 520) bits respectively, where n | -- of (8*ceil((n-1)/8) - 264) or (8*ceil((n-1)/8) - 520) bits, | |||
| -- is the RSA modulus in bits. The RSASSA-PSS saltLength MUST | -- respectively, where n is the RSA modulus in bits. | |||
| -- be 32 or 64 bytes respectively. The trailerField MUST be 1, | -- The RSASSA-PSS saltLength MUST be 32 or 64 bytes, respectively. | |||
| -- which represents the trailer field with hexadecimal value | -- The trailerField MUST be 1, which represents the trailer | |||
| -- 0xBC. Regardless of id-RSASSA-PSS-* or rsaEncryption being | -- field with hexadecimal value 0xBC. Regardless of | |||
| -- used as the AlgorithmIdentifier of the OriginatorPublicKey, | -- id-RSASSA-PSS-* or rsaEncryption being used as the | |||
| -- the RSA public key MUST be encoded using the RSAPublicKey | -- AlgorithmIdentifier of the OriginatorPublicKey, the RSA | |||
| -- type. | -- public key MUST be encoded using the RSAPublicKey type. | |||
| -- From RFC4055, for reference. | -- From RFC4055, for reference. | |||
| -- RSAPublicKey ::= SEQUENCE { | -- RSAPublicKey ::= SEQUENCE { | |||
| -- modulus INTEGER, -- -- n | -- modulus INTEGER, -- -- n | |||
| -- publicExponent INTEGER } -- -- e | -- publicExponent INTEGER } -- -- e | |||
| id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { iso(1) | id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { iso(1) | |||
| identified-organization(3) dod(6) internet(1) | identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) algorithms(6) | security(5) mechanisms(5) pkix(7) algorithms(6) | |||
| TBD3 } | TBD3 } | |||
| id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { iso(1) | id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { iso(1) | |||
| identified-organization(3) dod(6) internet(1) | identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) algorithms(6) | security(5) mechanisms(5) pkix(7) algorithms(6) | |||
| TBD4 } | TBD4 } | |||
| -- When the id-ecdsa-with-shake* algorithm identifiers are | -- When the id-ecdsa-with-shake* algorithm identifiers are | |||
| -- used in CMS, the AlgorithmIdentifier parameters field | -- used in CMS, the AlgorithmIdentifier parameters field | |||
| -- MUST be absent and the signature algorithm should be | -- MUST be absent and the signature algorithm should be | |||
| -- deterministic ECDSA [RFC6979]. The message digest MUST | -- deterministic ECDSA [RFC6979]. The message digest MUST | |||
| -- be SHAKE128 or SHAKE256 with a 32 or 64 byte outout | -- be SHAKE128 or SHAKE256 with a 32 or 64 byte outout | |||
| -- length respectively. In both cases, the ECDSA public key, | -- length, respectively. In both cases, the ECDSA public key, | |||
| -- MUST be encoded using the id-ecPublicKey type. | -- MUST be encoded using the id-ecPublicKey type. | |||
| -- From RFC5480, for reference. | -- From RFC5480, for reference. | |||
| -- id-ecPublicKey OBJECT IDENTIFIER ::= { | -- id-ecPublicKey OBJECT IDENTIFIER ::= { | |||
| -- iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } | -- iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } | |||
| -- The id-ecPublicKey parameters must be absent or present | -- The id-ecPublicKey parameters must be absent or present | |||
| -- and are defined as | -- and are defined as | |||
| -- ECParameters ::= CHOICE { | -- ECParameters ::= CHOICE { | |||
| -- namedCurve OBJECT IDENTIFIER | -- namedCurve OBJECT IDENTIFIER | |||
| -- -- -- implicitCurve NULL | -- -- -- implicitCurve NULL | |||
| End of changes. 24 change blocks. | ||||
| 60 lines changed or deleted | 67 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||