| draft-ietf-lamps-cms-shakes-15.txt | draft-ietf-lamps-cms-shakes-16.txt | |||
|---|---|---|---|---|
| LAMPS WG P. Kampanakis | LAMPS WG P. Kampanakis | |||
| Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
| Updates: 3370 (if approved) Q. Dang | Updates: 3370 (if approved) Q. Dang | |||
| Intended status: Standards Track NIST | Intended status: Standards Track NIST | |||
| Expires: January 22, 2020 July 21, 2019 | Expires: February 8, 2020 August 7, 2019 | |||
| Use of the SHAKE One-way Hash Functions in the Cryptographic Message | Use of the SHAKE One-way Hash Functions in the Cryptographic Message | |||
| Syntax (CMS) | Syntax (CMS) | |||
| draft-ietf-lamps-cms-shakes-15 | draft-ietf-lamps-cms-shakes-16 | |||
| Abstract | Abstract | |||
| This document updates the "Cryptographic Message Syntax Algorithms" | This document updates the "Cryptographic Message Syntax Algorithms" | |||
| (RFC3370) and describes the conventions for using the SHAKE family of | (RFC3370) and describes the conventions for using the SHAKE family of | |||
| hash functions in the Cryptographic Message Syntax as one-way hash | hash functions in the Cryptographic Message Syntax as one-way hash | |||
| functions with the RSA Probabilistic signature and ECDSA signature | functions with the RSA Probabilistic signature and ECDSA signature | |||
| algorithms. The conventions for the associated signer public keys in | algorithms. The conventions for the associated signer public keys in | |||
| CMS are also described. | CMS are also described. | |||
| skipping to change at page 1, line 37 ¶ | skipping to change at page 1, line 37 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 22, 2020. | This Internet-Draft will expire on February 8, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 13 ¶ | skipping to change at page 2, line 13 ¶ | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 | 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 7 | 4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 4.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 7 | 4.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 4.2.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 8 | 4.2.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 8 | |||
| 4.2.2. ECDSA Signatures . . . . . . . . . . . . . . . . . . 9 | 4.2.2. ECDSA Signatures . . . . . . . . . . . . . . . . . . 9 | |||
| 4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 9 | 4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4.4. Message Authentication Codes . . . . . . . . . . . . . . 10 | 4.4. Message Authentication Codes . . . . . . . . . . . . . . 10 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 12 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 12 | 8.2. Informative References . . . . . . . . . . . . . . . . . 13 | |||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 14 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 14 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 1. Change Log | 1. Change Log | |||
| [ EDNOTE: Remove this section before publication. ] | [ EDNOTE: Remove this section before publication. ] | |||
| o draft-ietf-lamps-cms-shake-16: | ||||
| * Minor nits. | ||||
| * Using bytes instead of bits for consistency. | ||||
| o draft-ietf-lamps-cms-shake-15: | o draft-ietf-lamps-cms-shake-15: | |||
| * Minor editorial nits. | * Minor editorial nits. | |||
| o draft-ietf-lamps-cms-shake-14: | o draft-ietf-lamps-cms-shake-14: | |||
| * Fixing error with incorrect preimage resistance bits for SHA128 | * Fixing error with incorrect preimage resistance bits for SHA128 | |||
| and SHA256. | and SHA256. | |||
| o draft-ietf-lamps-cms-shake-13: | o draft-ietf-lamps-cms-shake-13: | |||
| skipping to change at page 7, line 7 ¶ | skipping to change at page 7, line 21 ¶ | |||
| identified-organization(3) dod(6) internet(1) | identified-organization(3) dod(6) internet(1) | |||
| security(5) mechanisms(5) pkix(7) algorithms(6) | security(5) mechanisms(5) pkix(7) algorithms(6) | |||
| TBD4 } | TBD4 } | |||
| The parameters for the four RSASSA-PSS and ECDSA identifiers MUST be | The parameters for the four RSASSA-PSS and ECDSA identifiers MUST be | |||
| absent. That is, each identifier SHALL be a SEQUENCE of one | absent. That is, each identifier SHALL be a SEQUENCE of one | |||
| component, the OID. | component, the OID. | |||
| Two object identifiers for KMACs using SHAKE128 and SHAKE256 as | Two object identifiers for KMACs using SHAKE128 and SHAKE256 as | |||
| defined in by the National Institute of Standards and Technology | defined in by the National Institute of Standards and Technology | |||
| (NIST) in [shake-nist-oids] and we include them here for convenience. | (NIST) in [shake-nist-oids] [EDNOTE: Make sure NIST has published | |||
| these. ] and we include them here for convenience. | ||||
| id-KmacWithSHAKE128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-KmacWithSHAKE128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
| country(16) us(840) organization(1) gov(101) csor(3) | country(16) us(840) organization(1) gov(101) csor(3) | |||
| nistAlgorithm(4) 2 19 } | nistAlgorithm(4) 2 19 } | |||
| id-KmacWithSHAKE256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-KmacWithSHAKE256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
| country(16) us(840) organization(1) gov(101) csor(3) | country(16) us(840) organization(1) gov(101) csor(3) | |||
| nistAlgorithm(4) 2 20 } | nistAlgorithm(4) 2 20 } | |||
| The parameters for id-KmacWithSHAKE128 and id-KmacWithSHAKE256 are | The parameters for id-KmacWithSHAKE128 and id-KmacWithSHAKE256 are | |||
| skipping to change at page 7, line 32 ¶ | skipping to change at page 7, line 47 ¶ | |||
| message digests, RSASSA-PSS, ECDSA and KMAC. | message digests, RSASSA-PSS, ECDSA and KMAC. | |||
| 4. Use in CMS | 4. Use in CMS | |||
| 4.1. Message Digests | 4.1. Message Digests | |||
| The id-shake128 and id-shake256 OIDs (Section 3) can be used as the | The id-shake128 and id-shake256 OIDs (Section 3) can be used as the | |||
| digest algorithm identifiers located in the SignedData, SignerInfo, | digest algorithm identifiers located in the SignedData, SignerInfo, | |||
| DigestedData, and the AuthenticatedData digestAlgorithm fields in CMS | DigestedData, and the AuthenticatedData digestAlgorithm fields in CMS | |||
| [RFC5652]. The OID encoding MUST omit the parameters field and the | [RFC5652]. The OID encoding MUST omit the parameters field and the | |||
| output length of SHA256 or SHAKE256 as the message digest MUST be 256 | output length of SHAKE128 or SHAKE256 as the message digest MUST be | |||
| or 512 bits, respectively. | 32 or 64 bytes, respectively. | |||
| The digest values are located in the DigestedData field and the | The digest values are located in the DigestedData field and the | |||
| Message Digest authenticated attribute included in the | Message Digest authenticated attribute included in the | |||
| signedAttributes of the SignedData signerInfo. In addition, digest | signedAttributes of the SignedData signerInfo. In addition, digest | |||
| values are input to signature algorithms. The digest algorithm MUST | values are input to signature algorithms. The digest algorithm MUST | |||
| be the same as the message hash algorithms used in signatures. | be the same as the message hash algorithms used in signatures. | |||
| 4.2. Signatures | 4.2. Signatures | |||
| In CMS, signature algorithm identifiers are located in the SignerInfo | In CMS, signature algorithm identifiers are located in the SignerInfo | |||
| skipping to change at page 9, line 17 ¶ | skipping to change at page 9, line 30 ¶ | |||
| The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | |||
| [X9.62]. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256 | [X9.62]. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256 | |||
| (specified in Section 3) algorithm identifier appears, the respective | (specified in Section 3) algorithm identifier appears, the respective | |||
| SHAKE function is used as the hash. The encoding MUST omit the | SHAKE function is used as the hash. The encoding MUST omit the | |||
| parameters field. That is, the AlgorithmIdentifier SHALL be a | parameters field. That is, the AlgorithmIdentifier SHALL be a | |||
| SEQUENCE of one component, the OID id-ecdsa-with-shake128 or id- | SEQUENCE of one component, the OID id-ecdsa-with-shake128 or id- | |||
| ecdsa-with-shake256. | ecdsa-with-shake256. | |||
| For simplicity and compliance with the ECDSA standard specification, | For simplicity and compliance with the ECDSA standard specification, | |||
| the output length of the hash function must be explicitly determined. | the output length of the hash function must be explicitly determined. | |||
| The output length for SHAKE128 or SHAKE256 used in ECDSA MUST be 256 | The output length for SHAKE128 or SHAKE256 used in ECDSA MUST be 32 | |||
| or 512 bits, respectively. | or 64 bytes, respectively. | |||
| Conforming CA implementations that generate ECDSA with SHAKE | Conforming CA implementations that generate ECDSA with SHAKE | |||
| signatures in certificates or CRLs SHOULD generate such signatures | signatures in certificates or CRLs SHOULD generate such signatures | |||
| with a deterministically generated, non-random k in accordance with | with a deterministically generated, non-random k in accordance with | |||
| all the requirements specified in [RFC6979]. They MAY also generate | all the requirements specified in [RFC6979]. They MAY also generate | |||
| such signatures in accordance with all other recommendations in | such signatures in accordance with all other recommendations in | |||
| [X9.62] or [SEC1] if they have a stated policy that requires | [X9.62] or [SEC1] if they have a stated policy that requires | |||
| conformance to those standards. Those standards have not specified | conformance to those standards. Those standards have not specified | |||
| SHAKE128 and SHAKE256 as hash algorithm options. However, SHAKE128 | SHAKE128 and SHAKE256 as hash algorithm options. However, SHAKE128 | |||
| and SHAKE256 with output length being 32 and 64 octets, respectively | and SHAKE256 with output length being 32 and 64 octets, respectively | |||
| skipping to change at page 10, line 21 ¶ | skipping to change at page 10, line 33 ¶ | |||
| 4.4. Message Authentication Codes | 4.4. Message Authentication Codes | |||
| KMAC message authentication code (KMAC) is specified in [SP800-185]. | KMAC message authentication code (KMAC) is specified in [SP800-185]. | |||
| In CMS, KMAC algorithm identifiers are located in the | In CMS, KMAC algorithm identifiers are located in the | |||
| AuthenticatedData macAlgorithm field. The KMAC values are located in | AuthenticatedData macAlgorithm field. The KMAC values are located in | |||
| the AuthenticatedData mac field. | the AuthenticatedData mac field. | |||
| When the id-KmacWithSHAKE128 or id-KmacWithSHAKE256 OID is used as | When the id-KmacWithSHAKE128 or id-KmacWithSHAKE256 OID is used as | |||
| the MAC algorithm identifier, the parameters field is optional | the MAC algorithm identifier, the parameters field is optional | |||
| (absent or present). If absent, the SHAKE256 output length used in | (absent or present). If absent, the SHAKE256 output length used in | |||
| KMAC is 256 or 512 bits, respectively, and the customization string | KMAC is 32 or 64 bytes, respectively, and the customization string is | |||
| is an empty string by default. | an empty string by default. | |||
| Conforming implementations that process KMACs with the SHAKEs when | Conforming implementations that process KMACs with the SHAKEs when | |||
| processing CMS data MUST recognize these identifiers. | processing CMS data MUST recognize these identifiers. | |||
| When calculating the KMAC output, the variable N is 0xD2B282C2, S is | When calculating the KMAC output, the variable N is 0xD2B282C2, S is | |||
| an empty string, and L, the integer representing the requested output | an empty string, and L, the integer representing the requested output | |||
| length in bits, is 256 or 512 for KmacWithSHAKE128 or | length in bits, is 256 or 512 for KmacWithSHAKE128 or | |||
| KmacWithSHAKE256, respectively, in this specification. | KmacWithSHAKE256, respectively, in this specification. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| skipping to change at page 11, line 7 ¶ | skipping to change at page 11, line 22 ¶ | |||
| This document updates [RFC3370]. The security considerations section | This document updates [RFC3370]. The security considerations section | |||
| of that document applies to this specification as well. | of that document applies to this specification as well. | |||
| NIST has defined appropriate use of the hash functions in terms of | NIST has defined appropriate use of the hash functions in terms of | |||
| the algorithm strengths and expected time frames for secure use in | the algorithm strengths and expected time frames for secure use in | |||
| Special Publications (SPs) [SP800-78-4] and [SP800-107]. These | Special Publications (SPs) [SP800-78-4] and [SP800-107]. These | |||
| documents can be used as guides to choose appropriate key sizes for | documents can be used as guides to choose appropriate key sizes for | |||
| various security scenarios. | various security scenarios. | |||
| SHAKE128 with output length of 256-bits offers 128-bits of collision | SHAKE128 with output length of 32 bytes offers 128-bits of collision | |||
| and preimage resistance. Thus, SHAKE128 OIDs in this specification | and preimage resistance. Thus, SHAKE128 OIDs in this specification | |||
| are RECOMMENDED with 2048 (112-bit security) or 3072-bit (128-bit | are RECOMMENDED with 2048 (112-bit security) or 3072-bit (128-bit | |||
| security) RSA modulus or curves with group order of 256-bits (128-bit | security) RSA modulus or curves with group order of 256-bits (128-bit | |||
| security). SHAKE256 with 512-bits output length offers 256-bits of | security). SHAKE256 with 64 bytes output length offers 256-bits of | |||
| collision and preimage resistance. Thus, the SHAKE256 OIDs in this | collision and preimage resistance. Thus, the SHAKE256 OIDs in this | |||
| specification are RECOMMENDED with 4096-bit RSA modulus or higher or | specification are RECOMMENDED with 4096-bit RSA modulus or higher or | |||
| curves with group order of at least 521-bits (256-bit security). | curves with group order of at least 512 bits such as NIST Curve P-521 | |||
| Note that we recommended 4096-bit RSA because we would need 15360-bit | (256-bit security). Note that we recommended 4096-bit RSA because we | |||
| modulus for 256-bits of security which is impractical for today's | would need 15360-bit modulus for 256-bits of security which is | |||
| technology. | impractical for today's technology. | |||
| When more than two parties share the same message-authentication key, | When more than two parties share the same message-authentication key, | |||
| data origin authentication is not provided. Any party that knows the | data origin authentication is not provided. Any party that knows the | |||
| message-authentication key can compute a valid MAC, therefore the | message-authentication key can compute a valid MAC, therefore the | |||
| content could originate from any one of the parties. | content could originate from any one of the parties. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| This document is based on Russ Housley's draft | This document is based on Russ Housley's draft | |||
| [I-D.housley-lamps-cms-sha3-hash]. It replaces SHA3 hash functions | [I-D.housley-lamps-cms-sha3-hash]. It replaces SHA3 hash functions | |||
| skipping to change at page 13, line 9 ¶ | skipping to change at page 13, line 23 ¶ | |||
| [I-D.housley-lamps-cms-sha3-hash] | [I-D.housley-lamps-cms-sha3-hash] | |||
| Housley, R., "Use of the SHA3 One-way Hash Functions in | Housley, R., "Use of the SHA3 One-way Hash Functions in | |||
| the Cryptographic Message Syntax (CMS)", draft-housley- | the Cryptographic Message Syntax (CMS)", draft-housley- | |||
| lamps-cms-sha3-hash-00 (work in progress), March 2017. | lamps-cms-sha3-hash-00 (work in progress), March 2017. | |||
| [I-D.ietf-lamps-pkix-shake] | [I-D.ietf-lamps-pkix-shake] | |||
| Kampanakis, P. and Q. Dang, "Internet X.509 Public Key | Kampanakis, P. and Q. Dang, "Internet X.509 Public Key | |||
| Infrastructure: Additional Algorithm Identifiers for | Infrastructure: Additional Algorithm Identifiers for | |||
| RSASSA-PSS and ECDSA using SHAKEs", draft-ietf-lamps-pkix- | RSASSA-PSS and ECDSA using SHAKEs", draft-ietf-lamps-pkix- | |||
| shake-12 (work in progress), June 2019. | shake-15 (work in progress), July 2019. | |||
| [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | |||
| Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | |||
| 2002, <https://www.rfc-editor.org/info/rfc3279>. | 2002, <https://www.rfc-editor.org/info/rfc3279>. | |||
| [RFC5753] Turner, S. and D. Brown, "Use of Elliptic Curve | [RFC5753] Turner, S. and D. Brown, "Use of Elliptic Curve | |||
| Cryptography (ECC) Algorithms in Cryptographic Message | Cryptography (ECC) Algorithms in Cryptographic Message | |||
| Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January | Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January | |||
| End of changes. 16 change blocks. | ||||
| 23 lines changed or deleted | 30 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||