draft-ietf-lamps-crmf-update-algs-00.txt   draft-ietf-lamps-crmf-update-algs-01.txt 
Network Working Group R. Housley Network Working Group R. Housley
Internet-Draft Vigil Security Internet-Draft Vigil Security
Updates: 4211 (if approved) 10 December 2020 Updates: 4211 (if approved) 18 December 2020
Intended status: Standards Track Intended status: Standards Track
Expires: 13 June 2021 Expires: 21 June 2021
Algorithm Requirements Update to the Internet X.509 Public Key Algorithm Requirements Update to the Internet X.509 Public Key
Infrastructure Certificate Request Message Format (CRMF) Infrastructure Certificate Request Message Format (CRMF)
draft-ietf-lamps-crmf-update-algs-00 draft-ietf-lamps-crmf-update-algs-01
Abstract Abstract
This document updates the cryptographic algorithm requirements for This document updates the cryptographic algorithm requirements for
the Password-Based Message Authentication Code in the Internet X.509 the Password-Based Message Authentication Code in the Internet X.509
Public Key Infrastructure Certificate Request Message Format (CRMF) Public Key Infrastructure Certificate Request Message Format (CRMF)
specified in RFC 4211. specified in RFC 4211.
Status of This Memo Status of This Memo
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 13 June 2021. This Internet-Draft will expire on 21 June 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 16 skipping to change at page 2, line 16
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Password-Based Message Authentication Code . . . . . . . . . 2 3. Password-Based Message Authentication Code . . . . . . . . . 2
3.1. Introduction Paragraph . . . . . . . . . . . . . . . . . 2 3.1. Introduction Paragraph . . . . . . . . . . . . . . . . . 2
3.2. One-Way Function . . . . . . . . . . . . . . . . . . . . 3 3.2. One-Way Function . . . . . . . . . . . . . . . . . . . . 3
3.3. Iteration Count . . . . . . . . . . . . . . . . . . . . . 3 3.3. Iteration Count . . . . . . . . . . . . . . . . . . . . . 3
3.4. MAC Algorithm . . . . . . . . . . . . . . . . . . . . . . 4 3.4. MAC Algorithm . . . . . . . . . . . . . . . . . . . . . . 4
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
6.1. Normative References . . . . . . . . . . . . . . . . . . 6 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
6.2. Informative References . . . . . . . . . . . . . . . . . 6 7.1. Normative References . . . . . . . . . . . . . . . . . . 6
7.2. Informative References . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction 1. Introduction
This document updates the cryptographic algorithm requirements for This document updates the cryptographic algorithm requirements for
the Password-Based Message Authentication Code (MAC) in the Internet the Password-Based Message Authentication Code (MAC) in the Internet
X.509 Public Key Infrastructure Certificate Request Message Format X.509 Public Key Infrastructure Certificate Request Message Format
(CRMF) [RFC4211]. The algorithms specified in [RFC4211] were (CRMF) [RFC4211]. The algorithms specified in [RFC4211] were
appropriate in 2005; however, these algorithms are no longer appropriate in 2005; however, these algorithms are no longer
considered the best choices. This update specifies algorithms that considered the best choices. This update specifies algorithms that
skipping to change at page 4, line 9 skipping to change at page 4, line 9
iterations as the minimum value. The trade off here is between iterations as the minimum value. The trade off here is between
protection of the password from attacks and the time spent by the protection of the password from attacks and the time spent by the
server processing all of the different iterations in deriving server processing all of the different iterations in deriving
passwords. Hashing is generally considered a cheap operation but passwords. Hashing is generally considered a cheap operation but
this may not be true with all hash functions in the future. this may not be true with all hash functions in the future.
NEW: NEW:
iterationCount identifies the number of times the hash is applied iterationCount identifies the number of times the hash is applied
during the key computation process. The iterationCount MUST be a during the key computation process. The iterationCount MUST be a
least 10,000 [NISTSP800-63B]. There is a trade off between minimum of 100; however, the iterationCount SHOULD be as large as
protection of the password from attacks and the time spent by the server performance will allow, typically at least 10,000
server processing the iterations. [NISTSP800-63B]. There is a trade off between protection of the
password from attacks and the time spent by the server processing
the iterations.
3.4. MAC Algorithm 3.4. MAC Algorithm
Change the paragraph describing the "mac" as follows: Change the paragraph describing the "mac" as follows:
OLD: OLD:
mac identifies the algorithm and associated parameters of the MAC mac identifies the algorithm and associated parameters of the MAC
function to be used. All implementations MUST support HMAC-SHA1 function to be used. All implementations MUST support HMAC-SHA1
[HMAC]. All implementations SHOULD support DES-MAC and Triple- [HMAC]. All implementations SHOULD support DES-MAC and Triple-
skipping to change at page 5, line 30 skipping to change at page 5, line 34
4. IANA Considerations 4. IANA Considerations
This document makes no requests of the IANA. This document makes no requests of the IANA.
5. Security Considerations 5. Security Considerations
The security of the password-based MAC relies on the number of times The security of the password-based MAC relies on the number of times
the hash function is applied as well as the entropy of the shared the hash function is applied as well as the entropy of the shared
secret (the password). Hardware support for hash calculation is secret (the password). Hardware support for hash calculation is
available at very low cost [CHIP], which reduces the protection available at very low cost [PHS], which reduces the protection
provided by a high iterationCount value. Therefore, the entropy of provided by a high iterationCount value. Therefore, the entropy of
the used shared secret (the password) is crucial for the security of the password is crucial for the security of password-based MAC
password-based MAC function. High entropy can be achieved by using function. In 2010, researchers showed that about half of the real-
randomly generated strings. For example, assuming an alphabet of 60 world passwords can be broken with less than 150 million trials,
characters a randomly chosen password with 10 characters offers 59 indicating a median entropy of only 27 bits [DMR]. Higher entropy
bits a entropy, and 20 characters offers 118 bits of entropy. Using can be achieved by using randomly generated strings. For example,
a one-time password also increases the security of the MAC, assuming assuming an alphabet of 60 characters a randomly chosen password with
that the integrity-protected transaction will complete before the 10 characters offers 59 bits a entropy, and 20 characters offers 118
attacker is able to learn the password with an offline attack. bits of entropy. Using a one-time password also increases the
security of the MAC, assuming that the integrity-protected
transaction will complete before the attacker is able to learn the
password with an offline attack.
Cryptographic algorithms age; they become weaker with time. As new Cryptographic algorithms age; they become weaker with time. As new
cryptanalysis techniques are developed and computing capabilities cryptanalysis techniques are developed and computing capabilities
improve, the work required to break a particular cryptographic improve, the work required to break a particular cryptographic
algorithm will reduce, making an attack on the algorithm more algorithm will reduce, making an attack on the algorithm more
feasible for more attackers. While it is unknown how cryptoanalytic feasible for more attackers. While it is unknown how cryptoanalytic
attacks will evolve, it is certain that they will get better. It is attacks will evolve, it is certain that they will get better. It is
unknown how much better they will become or when the advances will unknown how much better they will become or when the advances will
happen. For this reason, the algorithm requirements for CRMF are happen. For this reason, the algorithm requirements for CRMF are
updated by this specification. updated by this specification.
When a Password-Based MAC is used, implementations must protect the When a Password-Based MAC is used, implementations must protect the
password and the MAC key. Compromise of either the password or the password and the MAC key. Compromise of either the password or the
MAC key may result in the ability of an attacker to undermine MAC key may result in the ability of an attacker to undermine
authentication. authentication.
6. References 6. Acknowledgements
6.1. Normative References Many thanks to Hans Aschauer, Hendrik Brockhaus, Quynh Dang, Tomas
Gustavsson, Jonathan Hammell, Lijun Liao, Tim Polk, Mike StJohns, and
Sean Turner for their careful review and improvements.
7. References
7.1. Normative References
[AES] "Advanced encryption standard (AES)", National Institute [AES] "Advanced encryption standard (AES)", National Institute
of Standards and Technology report, of Standards and Technology report,
DOI 10.6028/nist.fips.197, November 2001, DOI 10.6028/nist.fips.197, November 2001,
<https://doi.org/10.6028/nist.fips.197>. <https://doi.org/10.6028/nist.fips.197>.
[GMAC] Dworkin, M., "Recommendation for block cipher modes of [GMAC] Dworkin, M., "Recommendation for block cipher modes of
operation :: GaloisCounter Mode (GCM) and GMAC", National operation :: GaloisCounter Mode (GCM) and GMAC", National
Institute of Standards and Technology report, Institute of Standards and Technology report,
DOI 10.6028/nist.sp.800-38d, 2007, DOI 10.6028/nist.sp.800-38d, 2007,
skipping to change at page 6, line 44 skipping to change at page 7, line 10
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[SHS] Dang, Q., "Secure Hash Standard", National Institute of [SHS] Dang, Q., "Secure Hash Standard", National Institute of
Standards and Technology report, Standards and Technology report,
DOI 10.6028/nist.fips.180-4, July 2015, DOI 10.6028/nist.fips.180-4, July 2015,
<https://doi.org/10.6028/nist.fips.180-4>. <https://doi.org/10.6028/nist.fips.180-4>.
6.2. Informative References 7.2. Informative References
[CHIP] Pham, H., Tran, T., Phan, T., Duong Le, V., Lam, D., and [DMR] Dell'Amico, M., Michiardi, P., and Y. Roudier, "Password
Y. Nakashima, "Double SHA-256 Hardware Architecture With Strength: An Empirical Analysis", 2010 Proceedings
Compact Message Expander for Bitcoin Mining", IEEE IEEE INFOCOM, DOI 10.1109/infcom.2010.5461951, March 2010,
Access Vol. 8, pp. 139634-139646, <https://doi.org/10.1109/infcom.2010.5461951>.
DOI 10.1109/access.2020.3012581, 2020,
<https://doi.org/10.1109/access.2020.3012581>.
[I-D.housley-lamps-cms-aes-mac-alg] [I-D.housley-lamps-cms-aes-mac-alg]
Housley, R., "Using the AES-GMAC Algorithm with the Housley, R., "Using the AES-GMAC Algorithm with the
Cryptographic Message Syntax (CMS)", Work in Progress, Cryptographic Message Syntax (CMS)", Work in Progress,
Internet-Draft, draft-housley-lamps-cms-aes-mac-alg-00, 9 Internet-Draft, draft-housley-lamps-cms-aes-mac-alg-00, 9
November 2020, <http://www.ietf.org/internet-drafts/draft- November 2020, <http://www.ietf.org/internet-drafts/draft-
housley-lamps-cms-aes-mac-alg-00.txt>. housley-lamps-cms-aes-mac-alg-00.txt>.
[NISTSP800-63B] [NISTSP800-63B]
Grassi, P., Fenton, J., Newton, E., Perlner, R., Grassi, P., Fenton, J., Newton, E., Perlner, R.,
Regenscheid, A., Burr, W., Richer, J., Lefkovitz, N., Regenscheid, A., Burr, W., Richer, J., Lefkovitz, N.,
Danker, J., Choong, Y., Greene, K., and M. Theofanos, Danker, J., Choong, Y., Greene, K., and M. Theofanos,
"Digital identity guidelines: authentication and lifecycle "Digital identity guidelines: authentication and lifecycle
management", National Institute of Standards and management", National Institute of Standards and
Technology report, DOI 10.6028/nist.sp.800-63b, June 2017, Technology report, DOI 10.6028/nist.sp.800-63b, June 2017,
<https://doi.org/10.6028/nist.sp.800-63b>. <https://doi.org/10.6028/nist.sp.800-63b>.
[PHS] Pathirana, A., Halgamuge, M., and A. Syed, "Energy
efficient bitcoin mining to maximize the mining profit:
Using data from 119 bitcoin mining hardware setups",
International Conference on Advances in Business
Management and Information Technology, pp 1-14, November
2019.
[RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
RFC 4231, DOI 10.17487/RFC4231, December 2005, RFC 4231, DOI 10.17487/RFC4231, December 2005,
<https://www.rfc-editor.org/info/rfc4231>. <https://www.rfc-editor.org/info/rfc4231>.
Author's Address Author's Address
Russ Housley Russ Housley
Vigil Security, LLC Vigil Security, LLC
516 Dranesville Road 516 Dranesville Road
 End of changes. 13 change blocks. 
28 lines changed or deleted 45 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/