draft-ietf-lamps-cms-shakes-14.txt		draft-ietf-lamps-cms-shakes-15.txt
	LAMPS WG P. Kampanakis		LAMPS WG P. Kampanakis
	Internet-Draft Cisco Systems		Internet-Draft Cisco Systems
	Updates: 3370 (if approved) Q. Dang		Updates: 3370 (if approved) Q. Dang
	Intended status: Standards Track NIST		Intended status: Standards Track NIST
	Expires: January 22, 2020 July 21, 2019		Expires: January 22, 2020 July 21, 2019
	Use of the SHAKE One-way Hash Functions in the Cryptographic Message		Use of the SHAKE One-way Hash Functions in the Cryptographic Message
	Syntax (CMS)		Syntax (CMS)
	draft-ietf-lamps-cms-shakes-14		draft-ietf-lamps-cms-shakes-15
	Abstract		Abstract
	This document updates the "Cryptographic Message Syntax Algorithms"		This document updates the "Cryptographic Message Syntax Algorithms"
	(RFC3370) and describes the conventions for using the SHAKE family of		(RFC3370) and describes the conventions for using the SHAKE family of
	hash functions in the Cryptographic Message Syntax as one-way hash		hash functions in the Cryptographic Message Syntax as one-way hash
	functions with the RSA Probabilistic signature and ECDSA signature		functions with the RSA Probabilistic signature and ECDSA signature
	algorithms. The conventions for the associated signer public keys in		algorithms. The conventions for the associated signer public keys in
	CMS are also described.		CMS are also described.
	skipping to change at page 2, line 34 ¶		skipping to change at page 2, line 34 ¶
	8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11		8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
	8.1. Normative References . . . . . . . . . . . . . . . . . . 11		8.1. Normative References . . . . . . . . . . . . . . . . . . 11
	8.2. Informative References . . . . . . . . . . . . . . . . . 12		8.2. Informative References . . . . . . . . . . . . . . . . . 12
	Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 14		Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 14
	Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18		Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
	1. Change Log		1. Change Log
	[ EDNOTE: Remove this section before publication. ]		[ EDNOTE: Remove this section before publication. ]
	o draft-ietf-lamps-cms-shake-13:		o draft-ietf-lamps-cms-shake-15:
			* Minor editorial nits.
			o draft-ietf-lamps-cms-shake-14:
	* Fixing error with incorrect preimage resistance bits for SHA128		* Fixing error with incorrect preimage resistance bits for SHA128
	and SHA256.		and SHA256.
	o draft-ietf-lamps-cms-shake-13:		o draft-ietf-lamps-cms-shake-13:
	* Addressing comments from Dan M.'s secdir review.		* Addressing comments from Dan M.'s secdir review.
	* Addressing comment from Scott B.'s opsdir review about		* Addressing comment from Scott B.'s opsdir review about
	references in the abstract.		references in the abstract.
	skipping to change at page 11, line 8 ¶		skipping to change at page 11, line 8 ¶
	This document updates [RFC3370]. The security considerations section		This document updates [RFC3370]. The security considerations section
	of that document applies to this specification as well.		of that document applies to this specification as well.
	NIST has defined appropriate use of the hash functions in terms of		NIST has defined appropriate use of the hash functions in terms of
	the algorithm strengths and expected time frames for secure use in		the algorithm strengths and expected time frames for secure use in
	Special Publications (SPs) [SP800-78-4] and [SP800-107]. These		Special Publications (SPs) [SP800-78-4] and [SP800-107]. These
	documents can be used as guides to choose appropriate key sizes for		documents can be used as guides to choose appropriate key sizes for
	various security scenarios.		various security scenarios.
	SHAKE128 with output length of 256-bits offers 128-bits of collision		SHAKE128 with output length of 256-bits offers 128-bits of collision
	preimage resistance. Thus, SHAKE128 OIDs in this specification are		and preimage resistance. Thus, SHAKE128 OIDs in this specification
	RECOMMENDED with 2048 (112-bit security) or 3072-bit (128-bit		are RECOMMENDED with 2048 (112-bit security) or 3072-bit (128-bit
	security) RSA modulus or curves with group order of 256-bits (128-bit		security) RSA modulus or curves with group order of 256-bits (128-bit
	security). SHAKE256 with 512-bits output length offers 256-bits of		security). SHAKE256 with 512-bits output length offers 256-bits of
	collision and preimage resistance. Thus, the SHAKE256 OIDs in this		collision and preimage resistance. Thus, the SHAKE256 OIDs in this
	specification are RECOMMENDED with 4096-bit RSA modulus or higher or		specification are RECOMMENDED with 4096-bit RSA modulus or higher or
	curves with group order of 521-bits (256-bit security) or higher.		curves with group order of at least 521-bits (256-bit security).
	Note that we recommended 4096-bit RSA because we would need 15360-bit		Note that we recommended 4096-bit RSA because we would need 15360-bit
	modulus for 256-bits of security which is impractical for today's		modulus for 256-bits of security which is impractical for today's
	technology.		technology.
	When more than two parties share the same message-authentication key,		When more than two parties share the same message-authentication key,
	data origin authentication is not provided. Any party that knows the		data origin authentication is not provided. Any party that knows the
	message-authentication key can compute a valid MAC, therefore the		message-authentication key can compute a valid MAC, therefore the
	content could originate from any one of the parties.		content could originate from any one of the parties.
	7. Acknowledgements		7. Acknowledgements
End of changes. 4 change blocks.
	5 lines changed or deleted		9 lines changed or added
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/