--- 1/draft-ietf-lamps-crmf-update-algs-00.txt 2020-12-18 10:13:12.205823096 -0800 +++ 2/draft-ietf-lamps-crmf-update-algs-01.txt 2020-12-18 10:13:12.229823707 -0800 @@ -1,20 +1,20 @@ Network Working Group R. Housley Internet-Draft Vigil Security -Updates: 4211 (if approved) 10 December 2020 +Updates: 4211 (if approved) 18 December 2020 Intended status: Standards Track -Expires: 13 June 2021 +Expires: 21 June 2021 Algorithm Requirements Update to the Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) - draft-ietf-lamps-crmf-update-algs-00 + draft-ietf-lamps-crmf-update-algs-01 Abstract This document updates the cryptographic algorithm requirements for the Password-Based Message Authentication Code in the Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) specified in RFC 4211. Status of This Memo @@ -24,21 +24,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 13 June 2021. + This Internet-Draft will expire on 21 June 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights @@ -51,23 +51,24 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 3. Password-Based Message Authentication Code . . . . . . . . . 2 3.1. Introduction Paragraph . . . . . . . . . . . . . . . . . 2 3.2. One-Way Function . . . . . . . . . . . . . . . . . . . . 3 3.3. Iteration Count . . . . . . . . . . . . . . . . . . . . . 3 3.4. MAC Algorithm . . . . . . . . . . . . . . . . . . . . . . 4 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 - 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 - 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 - 6.2. Informative References . . . . . . . . . . . . . . . . . 6 + 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 + 7.2. Informative References . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction This document updates the cryptographic algorithm requirements for the Password-Based Message Authentication Code (MAC) in the Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF) [RFC4211]. The algorithms specified in [RFC4211] were appropriate in 2005; however, these algorithms are no longer considered the best choices. This update specifies algorithms that @@ -139,23 +140,25 @@ iterations as the minimum value. The trade off here is between protection of the password from attacks and the time spent by the server processing all of the different iterations in deriving passwords. Hashing is generally considered a cheap operation but this may not be true with all hash functions in the future. NEW: iterationCount identifies the number of times the hash is applied during the key computation process. The iterationCount MUST be a - least 10,000 [NISTSP800-63B]. There is a trade off between - protection of the password from attacks and the time spent by the - server processing the iterations. + minimum of 100; however, the iterationCount SHOULD be as large as + server performance will allow, typically at least 10,000 + [NISTSP800-63B]. There is a trade off between protection of the + password from attacks and the time spent by the server processing + the iterations. 3.4. MAC Algorithm Change the paragraph describing the "mac" as follows: OLD: mac identifies the algorithm and associated parameters of the MAC function to be used. All implementations MUST support HMAC-SHA1 [HMAC]. All implementations SHOULD support DES-MAC and Triple- @@ -208,49 +211,58 @@ 4. IANA Considerations This document makes no requests of the IANA. 5. Security Considerations The security of the password-based MAC relies on the number of times the hash function is applied as well as the entropy of the shared secret (the password). Hardware support for hash calculation is - available at very low cost [CHIP], which reduces the protection + available at very low cost [PHS], which reduces the protection provided by a high iterationCount value. Therefore, the entropy of - the used shared secret (the password) is crucial for the security of - password-based MAC function. High entropy can be achieved by using - randomly generated strings. For example, assuming an alphabet of 60 - characters a randomly chosen password with 10 characters offers 59 - bits a entropy, and 20 characters offers 118 bits of entropy. Using - a one-time password also increases the security of the MAC, assuming - that the integrity-protected transaction will complete before the - attacker is able to learn the password with an offline attack. + the password is crucial for the security of password-based MAC + function. In 2010, researchers showed that about half of the real- + world passwords can be broken with less than 150 million trials, + indicating a median entropy of only 27 bits [DMR]. Higher entropy + can be achieved by using randomly generated strings. For example, + assuming an alphabet of 60 characters a randomly chosen password with + 10 characters offers 59 bits a entropy, and 20 characters offers 118 + bits of entropy. Using a one-time password also increases the + security of the MAC, assuming that the integrity-protected + transaction will complete before the attacker is able to learn the + password with an offline attack. Cryptographic algorithms age; they become weaker with time. As new cryptanalysis techniques are developed and computing capabilities improve, the work required to break a particular cryptographic algorithm will reduce, making an attack on the algorithm more feasible for more attackers. While it is unknown how cryptoanalytic attacks will evolve, it is certain that they will get better. It is unknown how much better they will become or when the advances will happen. For this reason, the algorithm requirements for CRMF are updated by this specification. When a Password-Based MAC is used, implementations must protect the password and the MAC key. Compromise of either the password or the MAC key may result in the ability of an attacker to undermine authentication. -6. References +6. Acknowledgements -6.1. Normative References + Many thanks to Hans Aschauer, Hendrik Brockhaus, Quynh Dang, Tomas + Gustavsson, Jonathan Hammell, Lijun Liao, Tim Polk, Mike StJohns, and + Sean Turner for their careful review and improvements. + +7. References + +7.1. Normative References [AES] "Advanced encryption standard (AES)", National Institute of Standards and Technology report, DOI 10.6028/nist.fips.197, November 2001, . [GMAC] Dworkin, M., "Recommendation for block cipher modes of operation :: GaloisCounter Mode (GCM) and GMAC", National Institute of Standards and Technology report, DOI 10.6028/nist.sp.800-38d, 2007, @@ -268,45 +280,50 @@ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [SHS] Dang, Q., "Secure Hash Standard", National Institute of Standards and Technology report, DOI 10.6028/nist.fips.180-4, July 2015, . -6.2. Informative References +7.2. Informative References - [CHIP] Pham, H., Tran, T., Phan, T., Duong Le, V., Lam, D., and - Y. Nakashima, "Double SHA-256 Hardware Architecture With - Compact Message Expander for Bitcoin Mining", IEEE - Access Vol. 8, pp. 139634-139646, - DOI 10.1109/access.2020.3012581, 2020, - . + [DMR] Dell'Amico, M., Michiardi, P., and Y. Roudier, "Password + Strength: An Empirical Analysis", 2010 Proceedings + IEEE INFOCOM, DOI 10.1109/infcom.2010.5461951, March 2010, + . [I-D.housley-lamps-cms-aes-mac-alg] Housley, R., "Using the AES-GMAC Algorithm with the Cryptographic Message Syntax (CMS)", Work in Progress, Internet-Draft, draft-housley-lamps-cms-aes-mac-alg-00, 9 November 2020, . [NISTSP800-63B] Grassi, P., Fenton, J., Newton, E., Perlner, R., Regenscheid, A., Burr, W., Richer, J., Lefkovitz, N., Danker, J., Choong, Y., Greene, K., and M. Theofanos, "Digital identity guidelines: authentication and lifecycle management", National Institute of Standards and Technology report, DOI 10.6028/nist.sp.800-63b, June 2017, . + [PHS] Pathirana, A., Halgamuge, M., and A. Syed, "Energy + efficient bitcoin mining to maximize the mining profit: + Using data from 119 bitcoin mining hardware setups", + International Conference on Advances in Business + Management and Information Technology, pp 1-14, November + 2019. + [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", RFC 4231, DOI 10.17487/RFC4231, December 2005, . Author's Address Russ Housley Vigil Security, LLC 516 Dranesville Road