| draft-ietf-lamps-cms-shakes-13.txt | draft-ietf-lamps-cms-shakes-14.txt | |||
|---|---|---|---|---|
| LAMPS WG P. Kampanakis | LAMPS WG P. Kampanakis | |||
| Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
| Updates: 3370 (if approved) Q. Dang | Updates: 3370 (if approved) Q. Dang | |||
| Intended status: Standards Track NIST | Intended status: Standards Track NIST | |||
| Expires: January 22, 2020 July 21, 2019 | Expires: January 22, 2020 July 21, 2019 | |||
| Use of the SHAKE One-way Hash Functions in the Cryptographic Message | Use of the SHAKE One-way Hash Functions in the Cryptographic Message | |||
| Syntax (CMS) | Syntax (CMS) | |||
| draft-ietf-lamps-cms-shakes-13 | draft-ietf-lamps-cms-shakes-14 | |||
| Abstract | Abstract | |||
| This document updates the "Cryptographic Message Syntax Algorithms" | This document updates the "Cryptographic Message Syntax Algorithms" | |||
| (RFC3370) and describes the conventions for using the SHAKE family of | (RFC3370) and describes the conventions for using the SHAKE family of | |||
| hash functions in the Cryptographic Message Syntax as one-way hash | hash functions in the Cryptographic Message Syntax as one-way hash | |||
| functions with the RSA Probabilistic signature and ECDSA signature | functions with the RSA Probabilistic signature and ECDSA signature | |||
| algorithms. The conventions for the associated signer public keys in | algorithms. The conventions for the associated signer public keys in | |||
| CMS are also described. | CMS are also described. | |||
| skipping to change at page 2, line 11 ¶ | skipping to change at page 2, line 11 ¶ | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 7 | 4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 7 | 4.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 8 | 4.2.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 8 | |||
| 4.2.2. ECDSA Signatures . . . . . . . . . . . . . . . . . . 8 | 4.2.2. ECDSA Signatures . . . . . . . . . . . . . . . . . . 9 | |||
| 4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 9 | 4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.4. Message Authentication Codes . . . . . . . . . . . . . . 10 | 4.4. Message Authentication Codes . . . . . . . . . . . . . . 10 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 12 | 8.2. Informative References . . . . . . . . . . . . . . . . . 12 | |||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 14 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 14 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 1. Change Log | 1. Change Log | |||
| [ EDNOTE: Remove this section before publication. ] | [ EDNOTE: Remove this section before publication. ] | |||
| o draft-ietf-lamps-cms-shake-13: | o draft-ietf-lamps-cms-shake-13: | |||
| * Fixing error with incorrect preimage resistance bits for SHA128 | ||||
| and SHA256. | ||||
| o draft-ietf-lamps-cms-shake-13: | ||||
| * Addressing comments from Dan M.'s secdir review. | * Addressing comments from Dan M.'s secdir review. | |||
| * Addressing comment from Scott B.'s opsdir review about | * Addressing comment from Scott B.'s opsdir review about | |||
| references in the abstract. | references in the abstract. | |||
| o draft-ietf-lamps-cms-shake-12: | o draft-ietf-lamps-cms-shake-12: | |||
| * Nits identified by Roman, Barry L. in ballot position review. | * Nits identified by Roman, Barry L. in ballot position review. | |||
| o draft-ietf-lamps-cms-shake-11: | o draft-ietf-lamps-cms-shake-11: | |||
| skipping to change at page 8, line 29 ¶ | skipping to change at page 8, line 33 ¶ | |||
| the same: both SHAKE128 or both SHAKE256. The output length of the | the same: both SHAKE128 or both SHAKE256. The output length of the | |||
| hash algorithm which hashes the message SHALL be 32 (for SHAKE128) or | hash algorithm which hashes the message SHALL be 32 (for SHAKE128) or | |||
| 64 bytes (for SHAKE256). | 64 bytes (for SHAKE256). | |||
| The mask generation function takes an octet string of variable length | The mask generation function takes an octet string of variable length | |||
| and a desired output length as input, and outputs an octet string of | and a desired output length as input, and outputs an octet string of | |||
| the desired length. In RSASSA-PSS with SHAKEs, the SHAKEs MUST be | the desired length. In RSASSA-PSS with SHAKEs, the SHAKEs MUST be | |||
| used natively as the MGF function, instead of the MGF1 algorithm that | used natively as the MGF function, instead of the MGF1 algorithm that | |||
| uses the hash function in multiple iterations as specified in | uses the hash function in multiple iterations as specified in | |||
| Section B.2.1 of [RFC8017]. In other words, the MGF is defined as | Section B.2.1 of [RFC8017]. In other words, the MGF is defined as | |||
| the SHAKE128 or SHAKE256 output of the mgfSeed for id-RSASSA-PSS- | the SHAKE128 or SHAKE256 with input being the mgfSeed for id-RSASSA- | |||
| SHAKE128 and id-RSASSA-PSS-SHAKE256, respectively. The mgfSeed is | PSS- SHAKE128 and id-RSASSA-PSS-SHAKE256, respectively. The mgfSeed | |||
| the seed from which mask is generated, an octet string [RFC8017]. As | is the seed from which mask is generated, an octet string [RFC8017]. | |||
| explained in Step 9 of section 9.1.1 of [RFC8017], the output length | As explained in Step 9 of section 9.1.1 of [RFC8017], the output | |||
| of the MGF is emLen - hLen - 1 bytes. emLen is the maximum message | length of the MGF is emLen - hLen - 1 bytes. emLen is the maximum | |||
| length ceil((n-1)/8), where n is the RSA modulus in bits. hLen is 32 | message length ceil((n-1)/8), where n is the RSA modulus in bits. | |||
| and 64-bytes for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256, | hLen is 32 and 64-bytes for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS- | |||
| respectively. Thus when SHAKE is used as the MGF, the SHAKE output | SHAKE256, respectively. Thus when SHAKE is used as the MGF, the | |||
| length maskLen is (8*emLen - 264) or (8*emLen - 520) bits, | SHAKE output length maskLen is (8*emLen - 264) or (8*emLen - 520) | |||
| respectively. For example, when RSA modulus n is 2048, the output | bits, respectively. For example, when RSA modulus n is 2048, the | |||
| length of SHAKE128 or SHAKE256 as the MGF will be 1784 or 1528-bits | output length of SHAKE128 or SHAKE256 as the MGF will be 1784 or | |||
| when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 is used, | 1528-bits when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 is | |||
| respectively. | used, respectively. | |||
| The RSASSA-PSS saltLength MUST be 32 bytes for id-RSASSA-PSS-SHAKE128 | The RSASSA-PSS saltLength MUST be 32 bytes for id-RSASSA-PSS-SHAKE128 | |||
| or 64 bytes for id-RSASSA-PSS-SHAKE256. Finally, the trailerField | or 64 bytes for id-RSASSA-PSS-SHAKE256. Finally, the trailerField | |||
| MUST be 1, which represents the trailer field with hexadecimal value | MUST be 1, which represents the trailer field with hexadecimal value | |||
| 0xBC [RFC8017]. | 0xBC [RFC8017]. | |||
| 4.2.2. ECDSA Signatures | 4.2.2. ECDSA Signatures | |||
| The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | |||
| [X9.62]. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256 | [X9.62]. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256 | |||
| skipping to change at page 10, line 50 ¶ | skipping to change at page 11, line 8 ¶ | |||
| This document updates [RFC3370]. The security considerations section | This document updates [RFC3370]. The security considerations section | |||
| of that document applies to this specification as well. | of that document applies to this specification as well. | |||
| NIST has defined appropriate use of the hash functions in terms of | NIST has defined appropriate use of the hash functions in terms of | |||
| the algorithm strengths and expected time frames for secure use in | the algorithm strengths and expected time frames for secure use in | |||
| Special Publications (SPs) [SP800-78-4] and [SP800-107]. These | Special Publications (SPs) [SP800-78-4] and [SP800-107]. These | |||
| documents can be used as guides to choose appropriate key sizes for | documents can be used as guides to choose appropriate key sizes for | |||
| various security scenarios. | various security scenarios. | |||
| SHAKE128 with output length of 256-bits offers 128-bits of collision | SHAKE128 with output length of 256-bits offers 128-bits of collision | |||
| and 256-bits of preimage resistance. Thus, SHAKE128 OIDs in this | preimage resistance. Thus, SHAKE128 OIDs in this specification are | |||
| specification are RECOMMENDED with 2048 (112-bit security) or | RECOMMENDED with 2048 (112-bit security) or 3072-bit (128-bit | |||
| 3072-bit (128-bit security) RSA modulus or curves with group order of | security) RSA modulus or curves with group order of 256-bits (128-bit | |||
| 256-bits (128-bit security). SHAKE256 with 512-bits output length | security). SHAKE256 with 512-bits output length offers 256-bits of | |||
| offers 256-bits of collision and 512-bits of preimage resistance. | collision and preimage resistance. Thus, the SHAKE256 OIDs in this | |||
| Thus, the SHAKE256 OIDs in this specification are RECOMMENDED with | specification are RECOMMENDED with 4096-bit RSA modulus or higher or | |||
| 4096-bit RSA modulus or higher or curves with group order of 384-bits | curves with group order of 521-bits (256-bit security) or higher. | |||
| (256-bit security) or higher. Note that we recommended 4096-bit RSA | Note that we recommended 4096-bit RSA because we would need 15360-bit | |||
| because we would need 15360-bit modulus for 256-bits of security | modulus for 256-bits of security which is impractical for today's | |||
| which is impractical for today's technology. | technology. | |||
| When more than two parties share the same message-authentication key, | When more than two parties share the same message-authentication key, | |||
| data origin authentication is not provided. Any party that knows the | data origin authentication is not provided. Any party that knows the | |||
| message-authentication key can compute a valid MAC, therefore the | message-authentication key can compute a valid MAC, therefore the | |||
| content could originate from any one of the parties. | content could originate from any one of the parties. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| This document is based on Russ Housley's draft | This document is based on Russ Housley's draft | |||
| [I-D.housley-lamps-cms-sha3-hash]. It replaces SHA3 hash functions | [I-D.housley-lamps-cms-sha3-hash]. It replaces SHA3 hash functions | |||
| End of changes. 6 change blocks. | ||||
| 26 lines changed or deleted | 31 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||