draft-ietf-lamps-crmf-update-algs-06.txt | draft-ietf-lamps-crmf-update-algs-07.txt | |||
---|---|---|---|---|
Network Working Group R. Housley | Network Working Group R. Housley | |||
Internet-Draft Vigil Security | Internet-Draft Vigil Security | |||
Updates: 4211 (if approved) 6 April 2021 | Updates: 4211 (if approved) 8 April 2021 | |||
Intended status: Standards Track | Intended status: Standards Track | |||
Expires: 8 October 2021 | Expires: 10 October 2021 | |||
Algorithm Requirements Update to the Internet X.509 Public Key | Algorithm Requirements Update to the Internet X.509 Public Key | |||
Infrastructure Certificate Request Message Format (CRMF) | Infrastructure Certificate Request Message Format (CRMF) | |||
draft-ietf-lamps-crmf-update-algs-06 | draft-ietf-lamps-crmf-update-algs-07 | |||
Abstract | Abstract | |||
This document updates the cryptographic algorithm requirements for | This document updates the cryptographic algorithm requirements for | |||
the Password-Based Message Authentication Code in the Internet X.509 | the Password-Based Message Authentication Code in the Internet X.509 | |||
Public Key Infrastructure Certificate Request Message Format (CRMF) | Public Key Infrastructure Certificate Request Message Format (CRMF) | |||
specified in RFC 4211. | specified in RFC 4211. | |||
Status of This Memo | Status of This Memo | |||
skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on 8 October 2021. | This Internet-Draft will expire on 10 October 2021. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
skipping to change at page 3, line 34 ¶ | skipping to change at page 3, line 34 ¶ | |||
algId identifies the algorithm used to compute the MAC value. All | algId identifies the algorithm used to compute the MAC value. All | |||
implementations MUST support id-PasswordBasedMAC. The details on | implementations MUST support id-PasswordBasedMAC. The details on | |||
this algorithm are presented in section 4.4 | this algorithm are presented in section 4.4 | |||
NEW: | NEW: | |||
algId identifies the algorithm used to compute the MAC value. All | algId identifies the algorithm used to compute the MAC value. All | |||
implementations MUST support id-PasswordBasedMAC as presented in | implementations MUST support id-PasswordBasedMAC as presented in | |||
Section 4.4 of [RFC4211]. Implementations MAY also support PBMAC1 | Section 4.4 of [RFC4211]. Implementations MAY also support PBMAC1 | |||
presented in Section 7.1 of [RFC8018]. | as presented in Section 7.1 of [RFC8018]. | |||
4. Password-Based Message Authentication Code | 4. Password-Based Message Authentication Code | |||
Section 4.4 of [RFC4211] specifies a Password-Based MAC that relies | Section 4.4 of [RFC4211] specifies a Password-Based MAC that relies | |||
on a one-way function to compute a symmetric key from the password | on a one-way function to compute a symmetric key from the password | |||
and a MAC algorithm. This section specifies algorithm requirements | and a MAC algorithm. This section specifies algorithm requirements | |||
for the one-way function and the MAC algorithm. | for the one-way function and the MAC algorithm. | |||
4.1. Introduction Paragraph | 4.1. Introduction Paragraph | |||
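Review bot: the new MAY for PBMAC1 in the "algId" text above leaves the algorithm choices inside PBMAC1 unspecified. Section 4 states requirements only "for the one-way function and the MAC algorithm" of the RFC 4211 construction, so two implementations that both "support PBMAC1 as presented in Section 7.1 of [RFC8018]" have no shared MUST/SHOULD list for the underlying algorithms and parameters and may still fail to interoperate. Suggest either a short parallel paragraph with MUST/SHOULD choices for PBMAC1, or an explicit sentence that those choices are left to [RFC8018] and the application profile.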
skipping to change at page 5, line 32 ¶ | skipping to change at page 5, line 32 ¶ | |||
mac identifies the algorithm and associated parameters of the MAC | mac identifies the algorithm and associated parameters of the MAC | |||
function to be used. All implementations MUST support HMAC-SHA1 | function to be used. All implementations MUST support HMAC-SHA1 | |||
[HMAC]. All implementations SHOULD support DES-MAC and Triple- | [HMAC]. All implementations SHOULD support DES-MAC and Triple- | |||
DES-MAC [PKCS11]. | DES-MAC [PKCS11]. | |||
NEW: | NEW: | |||
mac identifies the algorithm and associated parameters of the MAC | mac identifies the algorithm and associated parameters of the MAC | |||
function to be used. All implementations MUST support HMAC-SHA256 | function to be used. All implementations MUST support HMAC-SHA256 | |||
[HMAC]. All implementations SHOULD support AES-GMAC AES [GMAC] | [HMAC]. All implementations SHOULD support AES-GMAC [AES][GMAC] | |||
with a 128 bit key. | with a 128-bit key. | |||
For convenience, the identifiers for these two algorithms are | For convenience, the identifiers for these two algorithms are | |||
repeated here. | repeated here. | |||
The ASN.1 algorithm identifier for HMAC-SHA256 is defined in | The ASN.1 algorithm identifier for HMAC-SHA256 is defined in | |||
[RFC4231]: | [RFC4231]: | |||
id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) | id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) | |||
us(840) rsadsi(113549) digestAlgorithm(2) 9 } | us(840) rsadsi(113549) digestAlgorithm(2) 9 } | |||
When this object identifier is used in the ASN.1 algorithm | When this object identifier is used in the ASN.1 algorithm | |||
identifier, the parameters SHOULD be present. When present, the | identifier, the parameters SHOULD be present. When present, the | |||
parameters MUST contain a type of NULL. | parameters MUST contain a type of NULL as specified in [RFC4231]. | |||
The ASN.1 algorithm identifier for AES-GMAC [AES][GMAC] with a | The ASN.1 algorithm identifier for AES-GMAC [AES][GMAC] with a | |||
128-bit key is defined in [I-D.ietf-lamps-cms-aes-gmac-alg]: | 128-bit key is defined in [I-D.ietf-lamps-cms-aes-gmac-alg]: | |||
id-aes128-GMAC OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-aes128-GMAC OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
country(16) us(840) organization(1) gov(101) csor(3) | country(16) us(840) organization(1) gov(101) csor(3) | |||
nistAlgorithm(4) aes(1) 9 } | nistAlgorithm(4) aes(1) 9 } | |||
When this object identifier is used in the ASN.1 algorithm | When this object identifier is used in the ASN.1 algorithm | |||
identifier, the parameters MUST be present, and the parameters MUST | identifier, the parameters MUST be present, and the parameters MUST | |||
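Review bot: missing transition guidance for HMAC-SHA1 in the "mac" text. The NEW paragraph changes the MUST from HMAC-SHA1 to HMAC-SHA256 and drops DES-MAC and Triple-DES-MAC, but says nothing about whether a peer that implements only RFC 4211 (and therefore sends HMAC-SHA1) should still be accepted. Since this document updates rather than obsoletes RFC 4211, one sentence would settle it, for example that HMAC-SHA1 SHOULD NOT be used for newly generated messages but MAY be accepted during a transition period, or, if a hard cut is intended, that it MUST NOT be used. The [AES][GMAC] citation fix and "128-bit" hyphenation in -07 look right.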
skipping to change at page 6, line 44 ¶ | skipping to change at page 6, line 44 ¶ | |||
6. Security Considerations | 6. Security Considerations | |||
The security of the password-based MAC relies on the number of times | The security of the password-based MAC relies on the number of times | |||
the hash function is applied as well as the entropy of the shared | the hash function is applied as well as the entropy of the shared | |||
secret (the password). Hardware support for hash calculation is | secret (the password). Hardware support for hash calculation is | |||
available at very low cost [PHS], which reduces the protection | available at very low cost [PHS], which reduces the protection | |||
provided by a high iterationCount value. Therefore, the entropy of | provided by a high iterationCount value. Therefore, the entropy of | |||
the password is crucial for the security of the password-based MAC | the password is crucial for the security of the password-based MAC | |||
function. In 2010, researchers showed that about half of the real- | function. In 2010, researchers showed that about half of the real- | |||
world passwords can be broken with less than 150 million trials, | world passwords in a leaked corpus can be broken with less than 150 | |||
indicating a median entropy of only 27 bits [DMR]. Higher entropy | million trials, indicating a median entropy of only 27 bits [DMR]. | |||
can be achieved by using randomly generated strings. For example, | Higher entropy can be achieved by using randomly generated strings. | |||
assuming an alphabet of 60 characters a randomly chosen password with | For example, assuming an alphabet of 60 characters a randomly chosen | |||
10 characters offers 59 bits of entropy, and 20 characters offers 118 | password with 10 characters offers 59 bits of entropy, and 20 | |||
bits of entropy. Using a one-time password also increases the | characters offers 118 bits of entropy. Using a one-time password | |||
security of the MAC, assuming that the integrity-protected | also increases the security of the MAC, assuming that the integrity- | |||
transaction will complete before the attacker is able to learn the | protected transaction will complete before the attacker is able to | |||
password with an offline attack. | learn the password with an offline attack. | |||
Please see [RFC8018] for security considerations related to PBMAC1. | Please see [RFC8018] for security considerations related to PBMAC1. | |||
Please see [HMAC] and [SHS] for security considerations related to | Please see [HMAC] and [SHS] for security considerations related to | |||
HMAC-SHA256. | HMAC-SHA256. | |||
Please see [AES] and [GMAC] for security considerations related to | Please see [AES] and [GMAC] for security considerations related to | |||
AES-GMAC. | AES-GMAC. | |||
Cryptographic algorithms age; they become weaker with time. As new | Cryptographic algorithms age; they become weaker with time. As new | |||
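Review bot: the Security Considerations text ties the strength of the password-based MAC to "the number of times the hash function is applied" and to iterationCount, but neither the OLD nor the NEW text gives a minimum or recommended iterationCount, so implementers are left with the RFC 4211 default behaviour. Suggest adding a concrete floor or a pointer to where one is specified. Minor: "assuming an alphabet of 60 characters a randomly chosen password" needs a comma after "characters", and the -07 addition "in a leaked corpus" usefully scopes the [DMR] figure; consider also saying that the 59-bit and 118-bit figures assume uniformly random selection from that alphabet.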
skipping to change at page 7, line 32 ¶ | skipping to change at page 7, line 32 ¶ | |||
When a Password-Based MAC is used, implementations must protect the | When a Password-Based MAC is used, implementations must protect the | |||
password and the MAC key. Compromise of either the password or the | password and the MAC key. Compromise of either the password or the | |||
MAC key may result in the ability of an attacker to undermine | MAC key may result in the ability of an attacker to undermine | |||
authentication. | authentication. | |||
7. Acknowledgements | 7. Acknowledgements | |||
Many thanks to Hans Aschauer, Hendrik Brockhaus, Quynh Dang, Roman | Many thanks to Hans Aschauer, Hendrik Brockhaus, Quynh Dang, Roman | |||
Danyliw, Lars Eggert, Tomas Gustavsson, Jonathan Hammell, Tim | Danyliw, Lars Eggert, Tomas Gustavsson, Jonathan Hammell, Tim | |||
Hollebeek, Erik Kline, Lijun Liao, Mike Ounsworth, Francesca | Hollebeek, Ben Kaduk, Erik Kline, Lijun Liao, Mike Ounsworth, | |||
Palombini, Tim Polk, Ines Robles, Mike StJohns, and Sean Turner for | Francesca Palombini, Tim Polk, Ines Robles, Mike StJohns, and Sean | |||
their careful review and improvements. | Turner for their careful review and improvements. | |||
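Review bot: the sentence "implementations must protect the password and the MAC key" uses lowercase "must" in a document that cites [RFC2119] normatively. If a normative requirement is intended, it should read "MUST protect"; if it is deliberately informational, consider "need to protect" so the lowercase form is not read as an oversight. The acknowledgement addition in -07 is editorial only.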
8. References | 8. References | |||
8.1. Normative References | 8.1. Normative References | |||
[AES] National Institute of Standards and Technology, "Advanced | [AES] National Institute of Standards and Technology, "Advanced | |||
encryption standard (AES)", DOI 10.6028/nist.fips.197, | encryption standard (AES)", DOI 10.6028/nist.fips.197, | |||
November 2001, <https://doi.org/10.6028/nist.fips.197>. | November 2001, <https://doi.org/10.6028/nist.fips.197>. | |||
[GMAC] National Institute of Standards and Technology, | [GMAC] National Institute of Standards and Technology, | |||
"Recommendation for block cipher modes of operation: | "Recommendation for block cipher modes of operation: | |||
Galois Counter Mode (GCM) and GMAC", | Galois Counter Mode (GCM) and GMAC", | |||
DOI 10.6028/nist.sp.800-38d, 2007, | DOI 10.6028/nist.sp.800-38d, 2007, | |||
<https://doi.org/10.6028/nist.sp.800-38d>. | <https://doi.org/10.6028/nist.sp.800-38d>. | |||
[HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | |||
Hashing for Message Authentication", RFC 2104, | Hashing for Message Authentication", RFC 2104, | |||
DOI 10.17487/RFC2104, February 1997, | DOI 10.17487/RFC2104, February 1997, | |||
<https://www.rfc-editor.org/rfc/rfc2104>. | <https://www.rfc-editor.org/rfc/rfc2104>. | |||
[I-D.ietf-lamps-cms-aes-gmac-alg] | ||||
Housley, R., "Using the AES-GMAC Algorithm with the | ||||
Cryptographic Message Syntax (CMS)", Work in Progress, | ||||
Internet-Draft, draft-ietf-lamps-cms-aes-gmac-alg-02, 30 | ||||
December 2020, <http://www.ietf.org/internet-drafts/draft- | ||||
ietf-lamps-cms-aes-gmac-alg-02.txt>. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure | [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure | |||
Certificate Request Message Format (CRMF)", RFC 4211, | Certificate Request Message Format (CRMF)", RFC 4211, | |||
DOI 10.17487/RFC4211, September 2005, | DOI 10.17487/RFC4211, September 2005, | |||
<https://www.rfc-editor.org/info/rfc4211>. | <https://www.rfc-editor.org/info/rfc4211>. | |||
skipping to change at page 9, line 5 ¶ | skipping to change at page 9, line 10 ¶ | |||
[DIGALM] National Institute of Standards and Technology, "Digital | [DIGALM] National Institute of Standards and Technology, "Digital | |||
identity guidelines: authentication and lifecycle | identity guidelines: authentication and lifecycle | |||
management", DOI 10.6028/nist.sp.800-63b, June 2017, | management", DOI 10.6028/nist.sp.800-63b, June 2017, | |||
<https://doi.org/10.6028/nist.sp.800-63b>. | <https://doi.org/10.6028/nist.sp.800-63b>. | |||
[DMR] Dell'Amico, M., Michiardi, P., and Y. Roudier, "Password | [DMR] Dell'Amico, M., Michiardi, P., and Y. Roudier, "Password | |||
Strength: An Empirical Analysis", | Strength: An Empirical Analysis", | |||
DOI 10.1109/INFCOM.2010.5461951, March 2010, | DOI 10.1109/INFCOM.2010.5461951, March 2010, | |||
<https://doi.org/10.1109/INFCOM.2010.5461951>. | <https://doi.org/10.1109/INFCOM.2010.5461951>. | |||
[I-D.ietf-lamps-cms-aes-gmac-alg] | ||||
Housley, R., "Using the AES-GMAC Algorithm with the | ||||
Cryptographic Message Syntax (CMS)", Work in Progress, | ||||
Internet-Draft, draft-ietf-lamps-cms-aes-gmac-alg-02, 30 | ||||
December 2020, <http://www.ietf.org/internet-drafts/draft- | ||||
ietf-lamps-cms-aes-gmac-alg-02.txt>. | ||||
[PHS] Pathirana, A., Halgamuge, M., and A. Syed, "Energy | [PHS] Pathirana, A., Halgamuge, M., and A. Syed, "Energy | |||
efficient bitcoin mining to maximize the mining profit: | efficient bitcoin mining to maximize the mining profit: | |||
Using data from 119 bitcoin mining hardware setups", | Using data from 119 bitcoin mining hardware setups", | |||
International Conference on Advances in Business | International Conference on Advances in Business | |||
Management and Information Technology, pp 1-14, November | Management and Information Technology, pp 1-14, November | |||
2019. | 2019. | |||
[PKCS11] RSA Laboratories, "The Public-Key Cryptography Standards - | [PKCS11] RSA Laboratories, "The Public-Key Cryptography Standards - | |||
PKCS #11 v2.11: Cryptographic Token Interface Standard", | PKCS #11 v2.11: Cryptographic Token Interface Standard", | |||
June 2001. | June 2001. | |||
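Review bot: [I-D.ietf-lamps-cms-aes-gmac-alg] moves from Section 8.1 (Normative References) into the second reference list in -07, yet the text in Section 4 still says the id-aes128-GMAC identifier "is defined in [I-D.ietf-lamps-cms-aes-gmac-alg]" and AES-GMAC carries a SHOULD. Because the OID and its parameter rule are repeated in this document ("For convenience, the identifiers for these two algorithms are repeated here"), the informative classification is defensible, but "is defined in" then reads as a normative dependency on an unpublished draft; suggest "is also defined in" or "matches the definition in", and confirm that the parameter requirement that follows the OID is stated completely here rather than by reference. The entry also pins revision -02 of 30 December 2020; check that it is current at publication.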
End of changes. 11 change blocks. | ||||
27 lines changed or deleted | 27 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |