| draft-ietf-lamps-pkix-shake-03.txt | draft-ietf-lamps-pkix-shake-04.txt | |||
|---|---|---|---|---|
| LAMPS WG P. Kampanakis | LAMPS WG P. Kampanakis | |||
| Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
| Intended status: Standards Track Q. Dang | Intended status: Standards Track Q. Dang | |||
| Expires: April 22, 2019 NIST | Expires: May 29, 2019 NIST | |||
| October 19, 2018 | November 25, 2018 | |||
| Internet X.509 Public Key Infrastructure: Additional Algorithm | Internet X.509 Public Key Infrastructure: Additional Algorithm | |||
| Identifiers for RSASSA-PSS and ECDSA using SHAKEs as Hash Functions | Identifiers for RSASSA-PSS and ECDSA using SHAKEs | |||
| draft-ietf-lamps-pkix-shake-03 | draft-ietf-lamps-pkix-shake-04 | |||
| Abstract | Abstract | |||
| Digital signatures are used to sign messages, X.509 certificates and | Digital signatures are used to sign messages, X.509 certificates and | |||
| CRLs (Certificate Revocation Lists). This document describes the | CRLs (Certificate Revocation Lists). This document describes the | |||
| conventions for using the SHAKE family of hash functions in the | conventions for using the SHAKE function family in Internet X.509 | |||
| Internet X.509 as one-way hash functions with the RSA Probabilistic | certificates and CRLs as one-way hash functions with the RSA | |||
| Signature Scheme and ECDSA signature algorithms. The conventions for | Probabilistic signature and ECDSA signature algorithms. The | |||
| the associated subject public keys are also described. | conventions for the associated subject public keys are also | |||
| described. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on April 22, 2019. | This Internet-Draft will expire on May 29, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 22 ¶ | skipping to change at page 2, line 23 ¶ | |||
| 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 4. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. Use in PKIX . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 5. Use in PKIX . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5.1. Signatures . . . . . . . . . . . . . . . . . . . . . . . 5 | 5.1. Signatures . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5.1.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 5 | 5.1.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 5 | |||
| 5.1.2. Deterministic ECDSA Signatures . . . . . . . . . . . 6 | 5.1.2. Deterministic ECDSA Signatures . . . . . . . . . . . 6 | |||
| 5.2. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 7 | 5.2. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5.2.1. RSASSA-PSS Public Keys . . . . . . . . . . . . . . . 7 | 5.2.1. RSASSA-PSS Public Keys . . . . . . . . . . . . . . . 7 | |||
| 5.2.2. ECDSA Public Keys . . . . . . . . . . . . . . . . . . 8 | 5.2.2. ECDSA Public Keys . . . . . . . . . . . . . . . . . . 8 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 10 | 9.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| Appendix A. ASN.1 module . . . . . . . . . . . . . . . . . . . . 11 | Appendix A. ASN.1 module . . . . . . . . . . . . . . . . . . . . 10 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 1. Change Log | 1. Change Log | |||
| [ EDNOTE: Remove this section before publication. ] | [ EDNOTE: Remove this section before publication. ] | |||
| o draft-ietf-lamps-pkix-shake-04: | ||||
| * Removed paragraph suggesting KMAC to be used in generating k in | ||||
| Deterministric ECDSA. That should be RFC6979-bis. | ||||
| * Removed paragraph from Security Considerations that talks about | ||||
| randomness of k because we are using deterministric ECDSA. | ||||
| * Various ASN.1 fixes. | ||||
| * Text fixes. | ||||
| o draft-ietf-lamps-pkix-shake-03: | o draft-ietf-lamps-pkix-shake-03: | |||
| * Updates based on suggestions and clarifications by Jim. | * Updates based on suggestions and clarifications by Jim. | |||
| * Added ASN.1. | * Added ASN.1. | |||
| o draft-ietf-lamps-pkix-shake-02: | o draft-ietf-lamps-pkix-shake-02: | |||
| * Significant reorganization of the sections to simplify the | * Significant reorganization of the sections to simplify the | |||
| introduction, the new OIDs and their use in PKIX. | introduction, the new OIDs and their use in PKIX. | |||
| skipping to change at page 3, line 29 ¶ | skipping to change at page 3, line 42 ¶ | |||
| * Added Public key algorithm OIDs. | * Added Public key algorithm OIDs. | |||
| * Populated Introduction and IANA sections. | * Populated Introduction and IANA sections. | |||
| o draft-ietf-lamps-pkix-shake-00: | o draft-ietf-lamps-pkix-shake-00: | |||
| * Initial version | * Initial version | |||
| 2. Introduction | 2. Introduction | |||
| This document describes several cryptographic algorithm identifiers | This document describes cryptographic algorithm identifiers for | |||
| for several cryptographic algorithms which use variable length output | several cryptographic algorithms which use variable length output | |||
| SHAKE functions introduced in [SHA3] which can be used with the | SHAKE functions introduced in [SHA3] which can be used with the | |||
| Internet X.509 Certificate and CRL profile [RFC5280]. | Internet X.509 Certificate and CRL profile [RFC5280]. | |||
| The SHA-3 family of one-way hash functions is specified in [SHA3]. | In the SHA-3 family, two extendable-output functions (SHAKEs), | |||
| In the SHA-3 family, two extendable-output functions (SHAKEs): | ||||
| SHAKE128 and SHAKE256, are defined. Four other hash function | SHAKE128 and SHAKE256, are defined. Four other hash function | |||
| instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512 are also | instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512 are also | |||
| defined but are out of scope for this document. A SHAKE is a | defined but are out of scope for this document. A SHAKE is a | |||
| variable length hash function. The output length, in bits, of a | variable length hash function. The output length, in bits, of a | |||
| SHAKE is defined by the d parameter. The corresponding collision and | SHAKE is defined by the d parameter. The corresponding collision and | |||
| second preimage resistance strengths for SHAKE128 are min(d/2,128) | second preimage resistance strengths for SHAKE128 are min(d/2,128) | |||
| and min(d,128) bits respectively. And, the corresponding collision | and min(d,128) bits respectively. And, the corresponding collision | |||
| and second preimage resistance strengths for SHAKE256 are | and second preimage resistance strengths for SHAKE256 are | |||
| min(d/2,256) and min(d,256) bits respectively. | min(d/2,256) and min(d,256) bits respectively. | |||
| A SHAKE can be used as the message digest function (to hash the | A SHAKE can be used as the message digest function (to hash the | |||
| message to be signed) in RSASSA-PSS and ECDSA and as the hash in the | message to be signed) in RSASSA-PSS and ECDSA and as the hash in the | |||
| mask generating function in RSASSA-PSS. In Section 4, we define four | mask generating function in RSASSA-PSS. This specification describes | |||
| new OIDs for RSASSA-PSS and ECDSA when SHAKE128 and SHAKE256 are | the identifiers for SHAKEs to be used in X.509 and their meaning. | |||
| used. The same algorithm identifiers are used for identifying a | ||||
| public key, and identifying a signature. | ||||
| 3. Terminology | 3. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| 4. Identifiers | 4. Identifiers | |||
| This section defines four new OIDs for RSASSA-PSS and ECDSA when | ||||
| SHAKE128 and SHAKE256 are used. The same algorithm identifiers are | ||||
| used for identifying a public key in RSASSA-PSS. | ||||
| The new identifiers for RSASSA-PSS signatures using SHAKEs are below. | The new identifiers for RSASSA-PSS signatures using SHAKEs are below. | |||
| id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { TBD } | id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { TBD } | |||
| id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { TBD } | id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { TBD } | |||
| [ EDNOTE: "TBD" will be specified by NIST later. ] | [ EDNOTE: "TBD" will be specified by NIST later. ] | |||
| The new algorithm identifiers of ECDSA signatures using SHAKEs are | The new algorithm identifiers of ECDSA signatures using SHAKEs are | |||
| below. | below. | |||
| skipping to change at page 4, line 36 ¶ | skipping to change at page 5, line 5 ¶ | |||
| csor(3) algorithms(4) id-ecdsa-with-shake(3) | csor(3) algorithms(4) id-ecdsa-with-shake(3) | |||
| TBD } | TBD } | |||
| id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) | id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) | |||
| country(16) us(840) organization(1) gov(101) | country(16) us(840) organization(1) gov(101) | |||
| csor(3) algorithms(4) id-ecdsa-with-shake(3) | csor(3) algorithms(4) id-ecdsa-with-shake(3) | |||
| TBD } | TBD } | |||
| [ EDNOTE: "TBD" will be specified by NIST later. ] | [ EDNOTE: "TBD" will be specified by NIST later. ] | |||
| The parameters for these four identifiers above MUST be absent. That | The parameters for the four identifiers above MUST be absent. That | |||
| is, the identifier SHALL be a SEQUENCE of one component, the OID. | is, the identifier SHALL be a SEQUENCE of one component, the OID. | |||
| Section 5.1.1 and Section 5.1.2 specify the required output length | Section 5.1.1 and Section 5.1.2 specify the required output length | |||
| for each use of SHAKE128 or SHAKE256 in RSASSA-PSS and ECDSA. In | for each use of SHAKE128 or SHAKE256 in RSASSA-PSS and ECDSA. In | |||
| summary, when hashing messages to be signed, output lengths of | summary, when hashing messages to be signed, output lengths of | |||
| SHAKE128 and SHAKE256 are 256 and 512 bits respectively. When the | SHAKE128 and SHAKE256 are 256 and 512 bits respectively. When the | |||
| SHAKEs are used as mask generation functions, their output lengths | SHAKEs are used as mask generation functions RSASSA-PSS, their output | |||
| are (n - 264) or (n - 520) bits respectively, where n is a RSA | length is (n - 264) or (n - 520) bits respectively, where n is a RSA | |||
| modulus size in bits. | modulus size in bits. | |||
| 5. Use in PKIX | 5. Use in PKIX | |||
| 5.1. Signatures | 5.1. Signatures | |||
| Signatures can be placed in a number of different ASN.1 structures. | Signatures can be placed in a number of different ASN.1 structures. | |||
| The top level structure for an X.509 certificate, to illustrate how | The top level structure for an X.509 certificate, to illustrate how | |||
| signatures are frequently encoded with an algorithm identifier and a | signatures are frequently encoded with an algorithm identifier and a | |||
| location for the signature, is | location for the signature, is | |||
| skipping to change at page 5, line 25 ¶ | skipping to change at page 5, line 36 ¶ | |||
| tbsCertificate TBSCertificate, | tbsCertificate TBSCertificate, | |||
| signatureAlgorithm AlgorithmIdentifier, | signatureAlgorithm AlgorithmIdentifier, | |||
| signatureValue BIT STRING } | signatureValue BIT STRING } | |||
| The identifiers defined in Section 4 can be used as the | The identifiers defined in Section 4 can be used as the | |||
| AlgorithmIdentifier in the signatureAlgorithm field in the sequence | AlgorithmIdentifier in the signatureAlgorithm field in the sequence | |||
| Certificate and the signature field in the sequence tbsCertificate in | Certificate and the signature field in the sequence tbsCertificate in | |||
| X.509 [RFC5280]. | X.509 [RFC5280]. | |||
| Conforming CA implementations MUST specify the algorithms explicitly | Conforming CA implementations MUST specify the algorithms explicitly | |||
| by using the OIDs specified in Section 4 when encoding RSASSA-PSS and | by using the OIDs specified in Section 4 when encoding RSASSA-PSS or | |||
| ECDSA with SHAKE signatures in certificates and CRLs. Encoding rules | ECDSA with SHAKE signatures in certificates and CRLs. Conforming | |||
| for RSASSA-PSS and ECDSA signature values are specified in [RFC4055] | client implementations that process RSASSA-PSS or ECDSA with SHAKE | |||
| and [RFC5480] respectively. | signatures when processing certificates and CRLs MUST recognize the | |||
| corresponding OIDs. Encoding rules for RSASSA-PSS and ECDSA | ||||
| Conforming client implementations that process RSASSA-PSS and ECDSA | signature values are specified in [RFC4055] and [RFC5480] | |||
| with SHAKE signatures when processing certificates and CRLs MUST | respectively. | |||
| recognize the corresponding OIDs. | ||||
| 5.1.1. RSASSA-PSS Signatures | 5.1.1. RSASSA-PSS Signatures | |||
| The RSASSA-PSS algorithm is defined in [RFC8017]. When id-RSASSA- | The RSASSA-PSS algorithm is defined in [RFC8017]. When id-RSASSA- | |||
| PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in Section 4 is | PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in Section 4 is | |||
| used, the encoding MUST omit the parameters field. That is, the | used, the encoding MUST omit the parameters field. That is, the | |||
| AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA- | AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA- | |||
| PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. | PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. | |||
| The hash algorithm to hash a message being signed and the hash | The hash algorithm to hash a message being signed and the hash | |||
| algorithm as the mask generation function "MGF(H, emLen - hLen - 1)" | algorithm as the mask generation function used in RSASSA-PSS MUST be | |||
| [RFC8017] used in RSASSA-PSS MUST be the same, SHAKE128 or SHAKE256 | the same, SHAKE128 or SHAKE256 respectively. The output-length of | |||
| respectively. The output-length of the hash algorithm which hashes | the hash algorithm which hashes the message SHALL be 32 or 64 bytes | |||
| the message SHALL be 32 or 64 bytes respectively. | respectively. | |||
| In RSASSA-PSS, a mask generation function takes an octet string of | ||||
| variable length and a desired output length as input, and outputs an | ||||
| octet string of the desired length. In RSASSA-PSS with SHAKES, the | ||||
| SHAKEs MUST be used natively as the MGF function, instead of the MGF1 | ||||
| algorithm that uses the hash function in multiple iterations as | ||||
| specified in Section B.2.1 of [RFC8017]. In other words, the MGF is | ||||
| defined as | ||||
| SHAKE128(mgfSeed, maskLen) | ||||
| and | ||||
| SHAKE256(mgfSeed, maskLen) | ||||
| respectively for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256. | The mask generation function takes an octet string of variable length | |||
| The mgfSeed is the seed from which mask is generated, an octet | and a desired output length as input, and outputs an octet string of | |||
| string. The maskLen for SHAKE128 or SHAKE256 being used as the MGF | the desired length. In RSASSA-PSS with SHAKES, the SHAKEs MUST be | |||
| is (n - 264)/8 or (n - 520)/8 bytes respectively, where n is the RSA | used natively as the MGF function, instead of the MGF1 algorithm that | |||
| modulus in bits. For example, when RSA modulus n is 2048, the output | uses the hash function in multiple iterations as specified in | |||
| length of SHAKE128 or SHAKE256 as the MGF will be 223 or 191 when id- | Section B.2.1 of [RFC8017]. In other words, the MGF is defined as | |||
| RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 is used respectively. | the SHAKE128 or SHAKE256 output of the mgfSeed for id-RSASSA-PSS- | |||
| SHAKE128 and id-RSASSA-PSS-SHAKE256 respectively. The mgfSeed is the | ||||
| seed from which mask is generated, an octet string [RFC8017]. The | ||||
| output length is (n - 264)/8 or (n - 520)/8 bytes respectively, where | ||||
| n is the RSA modulus in bits. For example, when RSA modulus n is | ||||
| 2048, the output length of SHAKE128 or SHAKE256 as the MGF will be | ||||
| 223 or 191-bits when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 | ||||
| is used respectively. | ||||
| The RSASSA-PSS saltLength MUST be 32 or 64 bytes respectively. | The RSASSA-PSS saltLength MUST be 32 or 64 bytes respectively. | |||
| Finally, the trailerField MUST be 1, which represents the trailer | Finally, the trailerField MUST be 1, which represents the trailer | |||
| field with hexadecimal value 0xBC [RFC8017]. | field with hexadecimal value 0xBC [RFC8017]. | |||
| 5.1.2. Deterministic ECDSA Signatures | 5.1.2. Deterministic ECDSA Signatures | |||
| The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | |||
| [X9.62]. When the id-ecdsa-with-SHAKE128 or id-ecdsa-with-SHAKE256 | [X9.62]. When the id-ecdsa-with-SHAKE128 or id-ecdsa-with-SHAKE256 | |||
| (specified in Section 4) algorithm identifier appears, the respective | (specified in Section 4) algorithm identifier appears, the respective | |||
| SHAKE function (SHAKE128 or SHAKE256) is used as the hash. The | SHAKE function (SHAKE128 or SHAKE256) is used as the hash. The | |||
| encoding MUST omit the parameters field. That is, the | encoding MUST omit the parameters field. That is, the | |||
| AlgorithmIdentifier SHALL be a SEQUENCE of one component, the OID id- | AlgorithmIdentifier SHALL be a SEQUENCE of one component, the OID id- | |||
| ecdsa-with-SHAKE128 or id-ecdsa-with-SHAKE256. | ecdsa-with-SHAKE128 or id-ecdsa-with-SHAKE256. | |||
| For simplicity and compliance with the ECDSA standard specification, | For simplicity and compliance with the ECDSA standard specification, | |||
| the output size of the hash function must be explicitly determined. | the output length of the hash function must be explicitly determined. | |||
| The output size, d, for SHAKE128 or SHAKE256 used in ECDSA MUST be | The output length, d, for SHAKE128 or SHAKE256 used in ECDSA MUST be | |||
| 256 or 512 bits respectively. | 256 or 512 bits respectively. | |||
| Conforming CA implementations that generate ECDSA with SHAKE | Conforming CA implementations that generate ECDSA with SHAKE | |||
| signatures in certificates or CRLs MUST generate such signatures with | signatures in certificates or CRLs MUST generate such signatures with | |||
| a deterministicly generated, non-random k in accordance with all the | a deterministicly generated, non-random k in accordance with all the | |||
| requirements specified in [RFC6979]. They MAY also generate such | requirements specified in [RFC6979]. They MAY also generate such | |||
| signatures in accordance with all other recommendations in [X9.62] or | signatures in accordance with all other recommendations in [X9.62] or | |||
| [SEC1] if they have a stated policy that requires conformance to | [SEC1] if they have a stated policy that requires conformance to | |||
| these standards. These standards may have not specified SHAKE128 and | these standards. These standards may have not specified SHAKE128 and | |||
| SHAKE256 as hash algorithm options. However, SHAKE128 and SHAKE256 | SHAKE256 as hash algorithm options. However, SHAKE128 and SHAKE256 | |||
| with output length being 32 and 64 octets respectively are | with output length being 32 and 64 octets respectively are | |||
| subtitutions for 256 and 512-bit output hash algorithms such as | subtitutions for 256 and 512-bit output hash algorithms such as | |||
| SHA256 and SHA512 used in the standards. | SHA256 and SHA512 used in the standards. | |||
| In Section 3.2 "Generation of k" of [RFC6979], HMAC is used to derive | ||||
| the deterministic k. Conforming implementations that generate | ||||
| deterministic ECDSA with SHAKE signatures in X.509 MUST use KMAC with | ||||
| SHAKE128 or KMAC with SHAKE256 as specfied in [SP800-185] when | ||||
| SHAKE128 or SHAKE256 is used as the message hashing algorithm, | ||||
| respectively. In this situation, KMAC with SHAKE128 and KMAC with | ||||
| SHAKE256 have 256-bit and 512-bit outputs respectively, and the | ||||
| optional customization bit string S is an empty string. | ||||
| 5.2. Public Keys | 5.2. Public Keys | |||
| Certificates conforming to [RFC5280] can convey a public key for any | Certificates conforming to [RFC5280] can convey a public key for any | |||
| public key algorithm. The certificate indicates the algorithm | public key algorithm. The certificate indicates the algorithm | |||
| through an algorithm identifier. This algorithm identifier is an OID | through an algorithm identifier. This algorithm identifier is an OID | |||
| and optionally associated parameters. | and optionally associated parameters. | |||
| In the X.509 certificate, the subjectPublicKeyInfo field has the | In the X.509 certificate, the subjectPublicKeyInfo field has the | |||
| SubjectPublicKeyInfo type, which has the following ASN.1 syntax: | SubjectPublicKeyInfo type, which has the following ASN.1 syntax: | |||
| skipping to change at page 7, line 39 ¶ | skipping to change at page 7, line 33 ¶ | |||
| The fields in SubjectPublicKeyInfo have the following meanings: | The fields in SubjectPublicKeyInfo have the following meanings: | |||
| o algorithm is the algorithm identifier and parameters for the | o algorithm is the algorithm identifier and parameters for the | |||
| public key. | public key. | |||
| o subjectPublicKey contains the byte stream of the public key. The | o subjectPublicKey contains the byte stream of the public key. The | |||
| algorithms defined in this document always encode the public key | algorithms defined in this document always encode the public key | |||
| as an exact multiple of 8-bits. | as an exact multiple of 8-bits. | |||
| Conforming CA implementations MUST specify the algorithms explicitly | Conforming CA implementations MUST specify the algorithms explicitly | |||
| by using the OIDs specified in Section 4 when encoding RSASSA-PSS and | by using the OIDs specified in Section 4 when encoding RSASSA-PSS or | |||
| ECDSA with SHAKE public keys in certificates and CRLs. The | ECDSA with SHAKE public keys in certificates and CRLs. Conforming | |||
| conventions for RSASSA-PSS and ECDSA public keys algorithm | client implementations that process RSASSA-PSS or ECDSA with SHAKE | |||
| identifiers are as specified in [RFC3279], [RFC4055] and [RFC5480] , | public key when processing certificates and CRLs MUST recognize the | |||
| but we include them below for convenience. | corresponding OIDs. The conventions for RSASSA-PSS and ECDSA public | |||
| keys algorithm identifiers are as specified in [RFC3279], [RFC4055] | ||||
| and [RFC5480] , but we include them below for convenience. | ||||
| 5.2.1. RSASSA-PSS Public Keys | 5.2.1. RSASSA-PSS Public Keys | |||
| [RFC3279] defines the following OID for RSA AlgorithmIdentifier in | [RFC3279] defines the following OID for RSA AlgorithmIdentifier in | |||
| the SubjectPublicKeyInfo with NULL parameters. | the SubjectPublicKeyInfo with NULL parameters. | |||
| rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1} | rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1} | |||
| Additionally, when the RSA private key owner wishes to limit the use | Additionally, when the RSA private key owner wishes to limit the use | |||
| of the public key exclusively to RSASSA-PSS, the AlgorithmIdentifiers | of the public key exclusively to RSASSA-PSS, the AlgorithmIdentifiers | |||
| skipping to change at page 8, line 32 ¶ | skipping to change at page 8, line 28 ¶ | |||
| For ECDSA, the public key identifier defined in [RFC5480] is | For ECDSA, the public key identifier defined in [RFC5480] is | |||
| id-ecPublicKey OBJECT IDENTIFIER ::= { | id-ecPublicKey OBJECT IDENTIFIER ::= { | |||
| iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } | iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 } | |||
| Additionally, the mandatory EC SubjectPublicKey is defined in | Additionally, the mandatory EC SubjectPublicKey is defined in | |||
| Section 2.1.1 and its syntax is in Section 2.2 of [RFC5480]. We also | Section 2.1.1 and its syntax is in Section 2.2 of [RFC5480]. We also | |||
| include them here for convenience: | include them here for convenience: | |||
| The id-ecPublicKey parameters MUST be present and are defined as | The id-ecPublicKey parameters MUST be absent or present and are | |||
| defined as | ||||
| ECParameters ::= CHOICE { | ECParameters ::= CHOICE { | |||
| namedCurve OBJECT IDENTIFIER | namedCurve OBJECT IDENTIFIER | |||
| -- implicitCurve NULL | -- implicitCurve NULL | |||
| -- specifiedCurve SpecifiedECDomain | -- specifiedCurve SpecifiedECDomain | |||
| } | } | |||
| The ECParameters associated with the ECDSA public key in the signer's | The ECParameters associated with the ECDSA public key in the signer's | |||
| certificate SHALL apply to the verification of the signature. | certificate SHALL apply to the verification of the signature. | |||
| 6. IANA Considerations | 6. IANA Considerations | |||
| [ EDNOTE: Update here only if there are OID allocations by IANA. ] | [ EDNOTE: Update here only if there are OID allocations by IANA. ] | |||
| This document has no IANA actions. | This document has no IANA actions. | |||
| 7. Security Considerations | 7. Security Considerations | |||
| The SHAKEs are deterministic functions. Like any other deterministic | The SHAKEs are deterministic functions. Like any other deterministic | |||
| functions, executing each function with the same input multiple times | function, executing multiple times with the same input will produce | |||
| will produce the same output. Therefore, users should not expect | the same output. Therefore, users should not expect unrelated | |||
| unrelated outputs (with the same or different output lengths) from | outputs (with the same or different output lengths) from running a | |||
| excuting a SHAKE function with the same input multiple times.The | SHAKE function with the same input multiple times. The shorter of | |||
| shorter one of any 2 outputs produced from a SHAKE with the same | any two outputs produced from a SHAKE with the same input is a prefix | |||
| input is a prefix of the longer one. It is a similar situation as | of the longer one. It is a similar situation as truncating a 512-bit | |||
| truncating a 512-bit output of SHA-512 by taking its 256 left-most | output of SHA-512 by taking its 256 left-most bits. These 256 left- | |||
| bits. These 256 left-most bits are a prefix of the 512-bit output. | most bits are a prefix of the 512-bit output. | |||
| Implementations must protect the signer's private key. Compromise of | Implementations must protect the signer's private key. Compromise of | |||
| the signer's private key permits masquerade. | the signer's private key permits masquerade attacks. | |||
| Implementations must randomly generate one-time values, such as the k | ||||
| value when generating a ECDSA signature. In addition, the generation | ||||
| of public/private key pairs relies on random numbers. The use of | ||||
| inadequate pseudo-random number generators (PRNGs) to generate such | ||||
| cryptographic values can result in little or no security. The | ||||
| generation of quality random numbers is difficult. [RFC4086] offers | ||||
| important guidance in this area, and [SP800-90A] series provide | ||||
| acceptable PRNGs. | ||||
| Implementers should be aware that cryptographic algorithms may become | Implementers should be aware that cryptographic algorithms may become | |||
| weaker with time. As new cryptanalysis techniques are developed and | weaker with time. As new cryptanalysis techniques are developed and | |||
| computing power increases, the work factor or time required to break | computing power increases, the work factor or time required to break | |||
| a particular cryptographic algorithm may decrease. Therefore, | a particular cryptographic algorithm may decrease. Therefore, | |||
| cryptographic algorithm implementations should be modular allowing | cryptographic algorithm implementations should be modular allowing | |||
| new algorithms to be readily inserted. That is, implementers should | new algorithms to be readily inserted. That is, implementers should | |||
| be prepared to regularly update the set of algorithms in their | be prepared to regularly update the set of algorithms in their | |||
| implementations. | implementations. | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| We would like to thank Sean Turner and Jim Schaad for his valuable | We would like to thank Sean Turner and Jim Schaad for their valuable | |||
| contributions to this document. | contributions to this document. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| skipping to change at page 10, line 23 ¶ | skipping to change at page 10, line 10 ¶ | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
| [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | |||
| "Elliptic Curve Cryptography Subject Public Key | "Elliptic Curve Cryptography Subject Public Key | |||
| Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, | Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, | |||
| <https://www.rfc-editor.org/info/rfc5480>. | <https://www.rfc-editor.org/info/rfc5480>. | |||
| [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature | ||||
| Algorithm (DSA) and Elliptic Curve Digital Signature | ||||
| Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August | ||||
| 2013, <https://www.rfc-editor.org/info/rfc6979>. | ||||
| [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | |||
| "PKCS #1: RSA Cryptography Specifications Version 2.2", | "PKCS #1: RSA Cryptography Specifications Version 2.2", | |||
| RFC 8017, DOI 10.17487/RFC8017, November 2016, | RFC 8017, DOI 10.17487/RFC8017, November 2016, | |||
| <https://www.rfc-editor.org/info/rfc8017>. | <https://www.rfc-editor.org/info/rfc8017>. | |||
| [SHA3] National Institute of Standards and Technology, "SHA-3 | [SHA3] National Institute of Standards and Technology, "SHA-3 | |||
| Standard - Permutation-Based Hash and Extendable-Output | Standard - Permutation-Based Hash and Extendable-Output | |||
| Functions FIPS PUB 202", August 2015, | Functions FIPS PUB 202", August 2015, | |||
| <https://www.nist.gov/publications/sha-3-standard- | <https://www.nist.gov/publications/sha-3-standard- | |||
| permutation-based-hash-and-extendable-output-functions>. | permutation-based-hash-and-extendable-output-functions>. | |||
| 9.2. Informative References | 9.2. Informative References | |||
| [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | |||
| Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | |||
| 2002, <https://www.rfc-editor.org/info/rfc3279>. | 2002, <https://www.rfc-editor.org/info/rfc3279>. | |||
| [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | ||||
| "Randomness Requirements for Security", BCP 106, RFC 4086, | ||||
| DOI 10.17487/RFC4086, June 2005, | ||||
| <https://www.rfc-editor.org/info/rfc4086>. | ||||
| [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature | ||||
| Algorithm (DSA) and Elliptic Curve Digital Signature | ||||
| Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August | ||||
| 2013, <https://www.rfc-editor.org/info/rfc6979>. | ||||
| [SEC1] Standards for Efficient Cryptography Group, "SEC 1: | [SEC1] Standards for Efficient Cryptography Group, "SEC 1: | |||
| Elliptic Curve Cryptography", May 2009, | Elliptic Curve Cryptography", May 2009, | |||
| <http://www.secg.org/sec1-v2.pdf>. | <http://www.secg.org/sec1-v2.pdf>. | |||
| [SP800-185] | ||||
| National Institute of Standards and Technology, "SHA-3 | ||||
| Derived Functions: cSHAKE, KMAC, TupleHash and | ||||
| ParallelHash. NIST SP 800-185", December 2016, | ||||
| <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | ||||
| NIST.SP.800-185.pdf>. | ||||
| [SP800-90A] | ||||
| National Institute of Standards and Technology, | ||||
| "Recommendation for Random Number Generation Using | ||||
| Deterministic Random Bit Generators. NIST SP 800-90A", | ||||
| June 2015, | ||||
| <http://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | ||||
| NIST.SP.800-90Ar1.pdf>. | ||||
| [X9.62] American National Standard for Financial Services (ANSI), | [X9.62] American National Standard for Financial Services (ANSI), | |||
| "X9.62-2005 Public Key Cryptography for the Financial | "X9.62-2005 Public Key Cryptography for the Financial | |||
| Services Industry: The Elliptic Curve Digital Signature | Services Industry: The Elliptic Curve Digital Signature | |||
| Standard (ECDSA)", November 2005. | Standard (ECDSA)", November 2005. | |||
| Appendix A. ASN.1 module | Appendix A. ASN.1 module | |||
| This appendix includes the ASN.1 modules for SHAKEs in X.509. This | This appendix includes the ASN.1 module for SHAKEs in X.509. This | |||
| module does not come from any existing RFC. | module does not come from any existing RFC. | |||
| PKIXAlgsForSHAKE-2018 { iso(1) identified-organization(3) dod(6) | PKIXAlgsForSHAKE-2018 { iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-pkix1-shake-2018(TBD) } | id-mod-pkix1-shake-2018(TBD) } | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| -- EXPORTS ALL; | -- EXPORTS ALL; | |||
| IMPORTS | IMPORTS | |||
| -- FROM [RFC5912] | -- FROM [RFC5912] | |||
| PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, MAC-ALGORITHM, | PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS | |||
| SMIME-CAPS | ||||
| FROM AlgorithmInformation-2009 | FROM AlgorithmInformation-2009 | |||
| { iso(1) identified-organization(3) dod(6) internet(1) security(5) | { iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) | mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-algorithmInformation-02(58) } | id-mod-algorithmInformation-02(58) } | |||
| -- FROM [RFC5912] | -- FROM [RFC5912] | |||
| id-RSASSA-PSS, RSAPublicKey, rsaEncryption, id-ecPublicKey, | RSAPublicKey, rsaEncryption, id-ecPublicKey, | |||
| ECPoint, ECDSA-Sig-Value | ECPoint, ECDSA-Sig-Value | |||
| FROM PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) | FROM PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) | |||
| internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-pkix1-algorithms2008-02(56) } | id-mod-pkix1-algorithms2008-02(56) } | |||
| -- | -- | |||
| -- Message Digest Algorithms (mda-) | ||||
| -- | ||||
| HashAlgs DIGEST-ALGORITHM ::= { | ||||
| ... | ||||
| -- This expands MessageAuthAlgs from [RFC5912] | ||||
| mda-shake128 | | ||||
| mda-shake256, | ||||
| ... | ||||
| } | ||||
| -- | ||||
| -- One-Way Hash Functions | -- One-Way Hash Functions | |||
| -- SHAKE128 | -- SHAKE128 | |||
| mda-shake128 DIGEST-ALGORITHM ::= { | mda-shake128 DIGEST-ALGORITHM ::= { | |||
| IDENTIFIER id-shake128 -- with output length 32 bytes. | IDENTIFIER id-shake128 -- with output length 32 bytes. | |||
| } | } | |||
| id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | |||
| us(840) organization(1) gov(101) | us(840) organization(1) gov(101) | |||
| csor(3) nistAlgorithm(4) | csor(3) nistAlgorithm(4) | |||
| hashAlgs(2) 11 } | hashAlgs(2) 11 } | |||
| skipping to change at page 12, line 38 ¶ | skipping to change at page 12, line 15 ¶ | |||
| } | } | |||
| id-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | id-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | |||
| us(840) organization(1) gov(101) | us(840) organization(1) gov(101) | |||
| csor(3) nistAlgorithm(4) | csor(3) nistAlgorithm(4) | |||
| hashAlgs(2) 12 } | hashAlgs(2) 12 } | |||
| -- | -- | |||
| -- Public Key (pk-) Algorithms | -- Public Key (pk-) Algorithms | |||
| -- | -- | |||
| PublicKeys PUBLIC-KEY ::= { | PublicKeys PUBLIC-KEY ::= { | |||
| ..., | ... | |||
| pk-rsaSSA-PSS-SHAKE128 | | pk-rsaSSA-PSS-SHAKE128 | | |||
| pk-rsaSSA-PSS-SHAKE256 | | pk-rsaSSA-PSS-SHAKE256, | |||
| pk-ec, | ||||
| ... | ... | |||
| } | } | |||
| -- From [RFC5912] - Here so it compiles. | -- From [RFC5912] - Here so it compiles. | |||
| pk-rsa PUBLIC-KEY ::= { | pk-rsa PUBLIC-KEY ::= { | |||
| IDENTIFIER rsaEncryption | IDENTIFIER rsaEncryption | |||
| KEY RSAPublicKey | KEY RSAPublicKey | |||
| PARAMS TYPE NULL ARE absent | PARAMS TYPE NULL ARE absent | |||
| -- Private key format not in this module -- | -- Private key format not in this module -- | |||
| CERT-KEY-USAGE {digitalSignature, nonRepudiation, | CERT-KEY-USAGE {digitalSignature, nonRepudiation, | |||
| keyEncipherment, dataEncipherment, keyCertSign, cRLSign} | keyEncipherment, dataEncipherment, keyCertSign, cRLSign} | |||
| } | } | |||
| -- The hashAlgorithm is mda-shake128 | -- The hashAlgorithm is mda-shake128 | |||
| skipping to change at page 13, line 9 ¶ | skipping to change at page 12, line 32 ¶ | |||
| pk-rsa PUBLIC-KEY ::= { | pk-rsa PUBLIC-KEY ::= { | |||
| IDENTIFIER rsaEncryption | IDENTIFIER rsaEncryption | |||
| KEY RSAPublicKey | KEY RSAPublicKey | |||
| PARAMS TYPE NULL ARE absent | PARAMS TYPE NULL ARE absent | |||
| -- Private key format not in this module -- | -- Private key format not in this module -- | |||
| CERT-KEY-USAGE {digitalSignature, nonRepudiation, | CERT-KEY-USAGE {digitalSignature, nonRepudiation, | |||
| keyEncipherment, dataEncipherment, keyCertSign, cRLSign} | keyEncipherment, dataEncipherment, keyCertSign, cRLSign} | |||
| } | } | |||
| -- The hashAlgorithm is mda-shake128 | -- The hashAlgorithm is mda-shake128 | |||
| -- The maskGenAlgorithm is mda-shake128 | -- The maskGenAlgorithm is id-shake128 | |||
| -- Mask Gen Algorithm is SHAKE128 with output length | -- Mask Gen Algorithm is SHAKE128 with output length | |||
| -- (n - 264)/8, where n is the RSA modulus in bits. | -- (n - 264)/8, where n is the RSA modulus in bits. | |||
| -- the saltLength is 32 | -- the saltLength is 32 | |||
| -- the trailerField is 1 | -- the trailerField is 1 | |||
| pk-rsaSSA-PSS-SHAKE128 PUBLIC-KEY ::= { | pk-rsaSSA-PSS-SHAKE128 PUBLIC-KEY ::= { | |||
| IDENTIFIER id-RSASSA-PSS-SHAKE128 | IDENTIFIER id-RSASSA-PSS-SHAKE128 | |||
| KEY RSAPublicKey | KEY RSAPublicKey | |||
| PARAMS TYPE NULL ARE absent | PARAMS TYPE NULL ARE absent | |||
| -- Private key format not in this module -- | -- Private key format not in this module -- | |||
| CERT-KEY-USAGE { nonRepudiation, digitalSignature, | CERT-KEY-USAGE { nonRepudiation, digitalSignature, | |||
| keyCertSign, cRLSign } | keyCertSign, cRLSign } | |||
| } | } | |||
| -- The hashAlgorithm is mda-shake256 | -- The hashAlgorithm is mda-shake256 | |||
| -- The maskGenAlgorithm is mda-shake256 | -- The maskGenAlgorithm is id-shake256 | |||
| -- Mask Gen Algorithm is SHAKE256 with output length | -- Mask Gen Algorithm is SHAKE256 with output length | |||
| -- (n - 520)/8, where n is the RSA modulus in bits. | -- (n - 520)/8, where n is the RSA modulus in bits. | |||
| -- the saltLength is 64 | -- the saltLength is 64 | |||
| -- the trailerField is 1 | -- the trailerField is 1 | |||
| pk-rsaSSA-PSS-SHAKE256 PUBLIC-KEY ::= { | pk-rsaSSA-PSS-SHAKE256 PUBLIC-KEY ::= { | |||
| IDENTIFIER id-RSASSA-PSS-SHAKE256 | IDENTIFIER id-RSASSA-PSS-SHAKE256 | |||
| KEY RSAPublicKey | KEY RSAPublicKey | |||
| PARAMS TYPE NULL ARE absent | PARAMS TYPE NULL ARE absent | |||
| -- Private key format not in this module -- | -- Private key format not in this module -- | |||
| CERT-KEY-USAGE { nonRepudiation, digitalSignature, | CERT-KEY-USAGE { nonRepudiation, digitalSignature, | |||
| skipping to change at page 14, line 13 ¶ | skipping to change at page 13, line 35 ¶ | |||
| -- specifiedCurve MUST NOT be used in PKIX | -- specifiedCurve MUST NOT be used in PKIX | |||
| -- Details for specifiedCurve can be found in [X9.62] | -- Details for specifiedCurve can be found in [X9.62] | |||
| -- Any future additions to this CHOICE should be coordinated | -- Any future additions to this CHOICE should be coordinated | |||
| -- with ANSI X.9. | -- with ANSI X.9. | |||
| } | } | |||
| -- | -- | |||
| -- Signature Algorithms (sa-) | -- Signature Algorithms (sa-) | |||
| -- | -- | |||
| SignatureAlgs SIGNATURE-ALGORITHM ::= { | SignatureAlgs SIGNATURE-ALGORITHM ::= { | |||
| ..., | ... | |||
| -- This expands SignatureAlgorithms from [RFC5912] | -- This expands SignatureAlgorithms from [RFC5912] | |||
| sa-rsassapssWithSHAKE128 | | sa-rsassapssWithSHAKE128 | | |||
| sa-rsassapssWithSHAKE256 | | sa-rsassapssWithSHAKE256, | |||
| ... | ||||
| sa-ecdsaWithSHAKE128 | | sa-ecdsaWithSHAKE128 | | |||
| sa-ecdsaWithSHAKE256 | sa-ecdsaWithSHAKE256, | |||
| ... | ||||
| } | } | |||
| -- | -- | |||
| -- SMIME Capabilities (sa-) | -- SMIME Capabilities (sa-) | |||
| -- | -- | |||
| SMimeCaps SMIME-CAPS ::= { | SMimeCaps SMIME-CAPS ::= { | |||
| ..., | ... | |||
| -- The expands SMimeCaps from [RFC5912] | -- The expands SMimeCaps from [RFC5912] | |||
| sa-rsassapssWithSHAKE128.&smimeCaps | | sa-rsassapssWithSHAKE128.&smimeCaps | | |||
| sa-rsassapssWithSHAKE256.&smimeCaps | | sa-rsassapssWithSHAKE256.&smimeCaps, | |||
| sa-ecdsaWithSHAKE128.&smimeCaps | | sa-ecdsaWithSHAKE128.&smimeCaps | | |||
| sa-ecdsaWithSHAKE256.&smimeCaps | sa-ecdsaWithSHAKE256.&smimeCaps, | |||
| ... | ||||
| } | } | |||
| -- RSASSA-PSS with SHAKE128 | -- RSASSA-PSS with SHAKE128 | |||
| sa-rsassapssWithSHAKE128 SIGNATURE-ALGORITHM ::= { | sa-rsassapssWithSHAKE128 SIGNATURE-ALGORITHM ::= { | |||
| IDENTIFIER id-RSASSA-PSS-SHAKE128 | IDENTIFIER id-RSASSA-PSS-SHAKE128 | |||
| PARAMS TYPE NULL ARE absent | PARAMS TYPE NULL ARE absent | |||
| -- The hashAlgorithm is mda-shake128 | -- The hashAlgorithm is mda-shake128 | |||
| -- The maskGenAlgorithm is mda-shake128 | -- The maskGenAlgorithm is id-shake128 | |||
| -- Mask Gen Algorithm is SHAKE128 with output length | -- Mask Gen Algorithm is SHAKE128 with output length | |||
| -- (n - 264)/8, where n is the RSA modulus in bits. | -- (n - 264)/8, where n is the RSA modulus in bits. | |||
| -- the saltLength is 32 | -- the saltLength is 32 | |||
| -- the trailerField is 1 | -- the trailerField is 1 | |||
| HASHES {mda-shake128} -- omitting mda-shake128-params | HASHES mda-shake128 | |||
| PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE128 } | PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE128 } | |||
| SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE128 } | SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE128 } | |||
| } | } | |||
| id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { TBD } | id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { TBD } | |||
| -- RSASSA-PSS with SHAKE256 | -- RSASSA-PSS with SHAKE256 | |||
| sa-rsassapssWithSHAKE256 SIGNATURE-ALGORITHM ::= { | sa-rsassapssWithSHAKE256 SIGNATURE-ALGORITHM ::= { | |||
| IDENTIFIER id-RSASSA-PSS-SHAKE256 | IDENTIFIER id-RSASSA-PSS-SHAKE256 | |||
| PARAMS TYPE NULL ARE absent | PARAMS TYPE NULL ARE absent | |||
| -- The hashAlgorithm is mda-shake256 | -- The hashAlgorithm is mda-shake256 | |||
| -- The maskGenAlgorithm is mda-shake256 | -- The maskGenAlgorithm is id-shake256 | |||
| -- Mask Gen Algorithm is SHAKE256 with output length | -- Mask Gen Algorithm is SHAKE256 with output length | |||
| -- (n - 520)/8, where n is the RSA modulus in bits. | -- (n - 520)/8, where n is the RSA modulus in bits. | |||
| -- the saltLength is 64 | -- the saltLength is 64 | |||
| -- the trailerField is 1 | -- the trailerField is 1 | |||
| HASHES {mda-shake256} -- omitting mda-shake256-params | HASHES mda-shake256 | |||
| PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE256 } | PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE256 } | |||
| SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE256 } | SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE256 } | |||
| } | } | |||
| id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { TBD } | id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { TBD } | |||
| -- Determinstic ECDSA with SHAKE128 | -- Determinstic ECDSA with SHAKE128 | |||
| -- Generating k by using KMAC with SHAKE128 as the hash | ||||
| -- [SP800-185] instead of HMAC with output length 256-bits | ||||
| -- that is equal to or slightly less than the elliptic | ||||
| -- curve group order. S is set to an empty string. | ||||
| sa-ecdsaWithSHAKE128 SIGNATURE-ALGORITHM ::= { | sa-ecdsaWithSHAKE128 SIGNATURE-ALGORITHM ::= { | |||
| IDENTIFIER id-ecdsa-with-shake128 | IDENTIFIER id-ecdsa-with-shake128 | |||
| VALUE ECDSA-Sig-Value | VALUE ECDSA-Sig-Value | |||
| PARAMS TYPE NULL ARE absent | PARAMS TYPE NULL ARE absent | |||
| HASHES { mda-shake128 } | HASHES { mda-shake128 } | |||
| PUBLIC-KEYS { pk-ec } | PUBLIC-KEYS { pk-ec } | |||
| SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake128 } | SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake128 } | |||
| } | } | |||
| id-ecdsa-with-shake128 ::= { joint-iso-itu-t(2) country(16) | id-ecdsa-with-shake128 ::= { joint-iso-itu-t(2) country(16) | |||
| us(840) organization(1) gov(101) | us(840) organization(1) gov(101) | |||
| csor(3) nistAlgorithm(4) | csor(3) nistAlgorithm(4) | |||
| sigAlgs(3) TBD } | sigAlgs(3) TBD } | |||
| -- Determinstic ECDSA with SHAKE256 | -- Determinstic ECDSA with SHAKE256 | |||
| -- Generating k by using KMAC with SHAKE256 as the hash | ||||
| -- [SP800-185] instead of HMAC with output length 512-bits | ||||
| -- truncated to equal to or slightly less than the elliptic | ||||
| -- curve group order. S is set to an empty string. | ||||
| sa-ecdsaWithSHAKE256 SIGNATURE-ALGORITHM ::= { | sa-ecdsaWithSHAKE256 SIGNATURE-ALGORITHM ::= { | |||
| IDENTIFIER id-ecdsa-with-shake256 | IDENTIFIER id-ecdsa-with-shake256 | |||
| VALUE ECDSA-Sig-Value | VALUE ECDSA-Sig-Value | |||
| PARAMS TYPE NULL ARE absent | PARAMS TYPE NULL ARE absent | |||
| HASHES { mda-shake256 } | HASHES { mda-shake256 } | |||
| PUBLIC-KEYS { pk-ec } | PUBLIC-KEYS { pk-ec } | |||
| SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake256 } | SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake256 } | |||
| } | } | |||
| id-ecdsa-with-shake256 ::= { joint-iso-itu-t(2) country(16) | id-ecdsa-with-shake256 ::= { joint-iso-itu-t(2) country(16) | |||
| us(840) organization(1) gov(101) | us(840) organization(1) gov(101) | |||
| End of changes. 47 change blocks. | ||||
| 148 lines changed or deleted | 121 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||