draft-ietf-lamps-pkix-shake-06.txt | draft-ietf-lamps-pkix-shake-07.txt | |||
---|---|---|---|---|
LAMPS WG P. Kampanakis | LAMPS WG P. Kampanakis | |||
Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
Intended status: Standards Track Q. Dang | Intended status: Standards Track Q. Dang | |||
Expires: June 21, 2019 NIST | Expires: July 18, 2019 NIST | |||
December 18, 2018 | January 14, 2019 | |||
Internet X.509 Public Key Infrastructure: Additional Algorithm | Internet X.509 Public Key Infrastructure: Additional Algorithm | |||
Identifiers for RSASSA-PSS and ECDSA using SHAKEs | Identifiers for RSASSA-PSS and ECDSA using SHAKEs | |||
draft-ietf-lamps-pkix-shake-06 | draft-ietf-lamps-pkix-shake-07 | |||
Abstract | Abstract | |||
Digital signatures are used to sign messages, X.509 certificates and | Digital signatures are used to sign messages, X.509 certificates and | |||
CRLs (Certificate Revocation Lists). This document describes the | CRLs (Certificate Revocation Lists). This document describes the | |||
conventions for using the SHAKE function family in Internet X.509 | conventions for using the SHAKE function family in Internet X.509 | |||
certificates and CRLs as one-way hash functions with the RSA | certificates and CRLs as one-way hash functions with the RSA | |||
Probabilistic signature and ECDSA signature algorithms. The | Probabilistic signature and ECDSA signature algorithms. The | |||
conventions for the associated subject public keys are also | conventions for the associated subject public keys are also | |||
described. | described. | |||
skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on June 21, 2019. | This Internet-Draft will expire on July 18, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
skipping to change at page 2, line 18 ¶ | skipping to change at page 2, line 18 ¶ | |||
Table of Contents | Table of Contents | |||
1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
4. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 4. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
5. Use in PKIX . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 5. Use in PKIX . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
5.1. Signatures . . . . . . . . . . . . . . . . . . . . . . . 5 | 5.1. Signatures . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
5.1.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 6 | 5.1.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 6 | |||
5.1.2. Deterministic ECDSA Signatures . . . . . . . . . . . 7 | 5.1.2. ECDSA Signatures . . . . . . . . . . . . . . . . . . 7 | |||
5.2. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 7 | 5.2. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 | |||
7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 | |||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
9.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 | |||
9.2. Informative References . . . . . . . . . . . . . . . . . 10 | 9.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
Appendix A. ASN.1 module . . . . . . . . . . . . . . . . . . . . 10 | Appendix A. ASN.1 module . . . . . . . . . . . . . . . . . . . . 11 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
1. Change Log | 1. Change Log | |||
[ EDNOTE: Remove this section before publication. ] | [ EDNOTE: Remove this section before publication. ] | |||
o draft-ietf-lamps-pkix-shake-07: | ||||
* Incorporated Eric's suggestion from WGLC. | ||||
o draft-ietf-lamps-pkix-shake-06: | o draft-ietf-lamps-pkix-shake-06: | |||
* Added informative references. | * Added informative references. | |||
* Updated ASN.1 so it compiles. | * Updated ASN.1 so it compiles. | |||
* Updated IANA considerations. | * Updated IANA considerations. | |||
o draft-ietf-lamps-pkix-shake-05: | o draft-ietf-lamps-pkix-shake-05: | |||
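Review bot: the -07 change-log entry "Incorporated Eric's suggestion from WGLC" does not say what changed, so a reader of this diff cannot check the edits against the stated intent; list the substantive changes instead, e.g. "5.1.2: deterministic k per [RFC6979] downgraded from MUST to RECOMMENDED and [RFC6979] moved to informative references", "5.1.1: MGF output length corrected from 223/191 bits to (n - 264)/(n - 520) bits", "5.2: RSASSA-PSS public key text reorganised", "7: generic paragraphs replaced by curve-order guidance for ECDSA with SHAKEs".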
skipping to change at page 4, line 18 ¶ | skipping to change at page 4, line 24 ¶ | |||
This document describes cryptographic algorithm identifiers for | This document describes cryptographic algorithm identifiers for | |||
several cryptographic algorithms which use variable length output | several cryptographic algorithms which use variable length output | |||
SHAKE functions introduced in [SHA3] which can be used with the | SHAKE functions introduced in [SHA3] which can be used with the | |||
Internet X.509 Certificate and CRL profile [RFC5280]. | Internet X.509 Certificate and CRL profile [RFC5280]. | |||
In the SHA-3 family, two extendable-output functions (SHAKEs), | In the SHA-3 family, two extendable-output functions (SHAKEs), | |||
SHAKE128 and SHAKE256, are defined. Four other hash function | SHAKE128 and SHAKE256, are defined. Four other hash function | |||
instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512 are also | instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512 are also | |||
defined but are out of scope for this document. A SHAKE is a | defined but are out of scope for this document. A SHAKE is a | |||
variable length hash function. The output length, in bits, of a | variable length hash function defined as SHAKE(M, d) where the output | |||
SHAKE is defined by the d parameter. The corresponding collision and | is a d-bits long digest of message M. The corresponding collision | |||
second preimage resistance strengths for SHAKE128 are min(d/2,128) | and second preimage resistance strengths for SHAKE128 are | |||
and min(d,128) bits respectively. And, the corresponding collision | min(d/2,128) and min(d,128) bits respectively. And, the | |||
and second preimage resistance strengths for SHAKE256 are | corresponding collision and second preimage resistance strengths for | |||
min(d/2,256) and min(d,256) bits respectively. | SHAKE256 are min(d/2,256) and min(d,256) bits respectively. | |||
A SHAKE can be used as the message digest function (to hash the | A SHAKE can be used as the message digest function (to hash the | |||
message to be signed) in RSASSA-PSS and ECDSA and as the hash in the | message to be signed) in RSASSA-PSS and ECDSA and as the hash in the | |||
mask generating function in RSASSA-PSS. This specification describes | mask generating function in RSASSA-PSS. This specification describes | |||
the identifiers for SHAKEs to be used in X.509 and their meaning. | the identifiers for SHAKEs to be used in X.509 and their meaning. | |||
3. Terminology | 3. Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
4. Identifiers | 4. Identifiers | |||
This section defines four new OIDs for RSASSA-PSS and ECDSA when | This section defines four new OIDs, for RSASSA-PSS and ECDSA with | |||
SHAKE128 and SHAKE256 are used. The same algorithm identifiers are | each of SHAKE-128 and SHAKE-256. The same algorithm identifiers can | |||
used for identifying a public key in RSASSA-PSS. | be used for identifying a public key in RSASSA-PSS. | |||
The new identifiers for RSASSA-PSS signatures using SHAKEs are below. | The new identifiers for RSASSA-PSS signatures using SHAKEs are below. | |||
id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { TBD } | id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { TBD } | |||
id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { TBD } | id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { TBD } | |||
[ EDNOTE: "TBD" will be specified by NIST later. ] | [ EDNOTE: "TBD" will be specified by NIST later. ] | |||
The new algorithm identifiers of ECDSA signatures using SHAKEs are | The new algorithm identifiers of ECDSA signatures using SHAKEs are | |||
below. | below. | |||
id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
country(16) us(840) organization(1) gov(101) | country(16) us(840) organization(1) gov(101) | |||
csor(3) algorithms(4) id-ecdsa-with-shake(3) | csor(3) algorithms(4) id-ecdsa-with-shake(3) | |||
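Review bot: the new -07 wording "each of SHAKE-128 and SHAKE-256" in the first paragraph of Section 4 hyphenates the names, while the rest of the document, the OID names and the SHA-3 paragraph in Section 2 write SHAKE128 and SHAKE256; drop the hyphens. In the same -07 hunk, "a d-bits long digest of message M" should read "a d-bit digest of message M".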
skipping to change at page 5, line 28 ¶ | skipping to change at page 5, line 31 ¶ | |||
[ EDNOTE: "TBD" will be specified by NIST later. ] | [ EDNOTE: "TBD" will be specified by NIST later. ] | |||
The parameters for the four identifiers above MUST be absent. That | The parameters for the four identifiers above MUST be absent. That | |||
is, the identifier SHALL be a SEQUENCE of one component, the OID. | is, the identifier SHALL be a SEQUENCE of one component, the OID. | |||
Section 5.1.1 and Section 5.1.2 specify the required output length | Section 5.1.1 and Section 5.1.2 specify the required output length | |||
for each use of SHAKE128 or SHAKE256 in RSASSA-PSS and ECDSA. In | for each use of SHAKE128 or SHAKE256 in RSASSA-PSS and ECDSA. In | |||
summary, when hashing messages to be signed, output lengths of | summary, when hashing messages to be signed, output lengths of | |||
SHAKE128 and SHAKE256 are 256 and 512 bits respectively. When the | SHAKE128 and SHAKE256 are 256 and 512 bits respectively. When the | |||
SHAKEs are used as mask generation functions RSASSA-PSS, their output | SHAKEs are used as mask generation functions RSASSA-PSS, their output | |||
length is (n - 264) or (n - 520) bits respectively, where n is a RSA | length is (n - 264) or (n - 520) bits respectively, where n is the | |||
modulus size in bits. | RSA modulus size in bits. | |||
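The "SEQUENCE of one component, the OID" rule in Section 4 (repeated for ECDSA in Section 5.1.2) is easy to get wrong in a verifier that tolerates a trailing NULL from older identifiers. The following is an added example, not code from the draft: it DER-encodes a parameter-less AlgorithmIdentifier and checks an incoming one strictly. The ECDSA-with-SHAKE arc 2.16.840.1.101.3.4.3 is taken from the draft; its final arc is still TBD, so the value used below ends in a constructed placeholder.

```python
# Added example (not code from the draft): DER form of the parameter-less
# AlgorithmIdentifier that Section 4 and Section 5.1.2 require, i.e.
# SEQUENCE { OID } with no parameters element at all.

# The draft gives the arc 2.16.840.1.101.3.4.3 for id-ecdsa-with-shake and
# leaves the final arc "TBD"; the trailing 999 is a constructed placeholder.
PLACEHOLDER_ECDSA_WITH_SHAKE128_OID = "2.16.840.1.101.3.4.3.999"


def _der_length(n: int) -> bytes:
    """Definite-form DER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]   # first two arcs share one subid
    out = bytearray()
    for s in subids:
        groups = []                                  # base-128 groups, LSB first
        while True:
            groups.append(s & 0x7F)
            s >>= 7
            if s == 0:
                break
        groups.reverse()
        out.extend(g | 0x80 for g in groups[:-1])    # continuation bit on all but last
        out.append(groups[-1])
    return b"\x06" + _der_length(len(out)) + bytes(out)


def encode_algorithm_identifier(oid: str) -> bytes:
    """AlgorithmIdentifier with parameters absent: SEQUENCE { OID }."""
    inner = encode_oid(oid)
    return b"\x30" + _der_length(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at pos and return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets back to dotted form."""
    subids, cur = [], 0
    for b in value:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    if cur or not subids:
        raise ValueError("malformed OID")
    first = min(subids[0] // 40, 2)
    return ".".join(str(x) for x in [first, subids[0] - 40 * first] + subids[1:])


def is_parameterless_identifier(der: bytes, expected_oid: str) -> bool:
    """True only if der is exactly SEQUENCE { expected_oid } and nothing else.

    A trailing NULL (the habit inherited from older RSA/SHA identifiers) or
    any other parameters element is non-conforming for the Section 4 OIDs,
    so it is rejected rather than silently ignored.
    """
    try:
        tag, seq, end = _read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return False
        tag, oid_val, pos = _read_tlv(seq, 0)
        if tag != 0x06 or decode_oid(oid_val) != expected_oid:
            return False
        return pos == len(seq)                       # no second component
    except ValueError:
        return False
```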
5. Use in PKIX | 5. Use in PKIX | |||
5.1. Signatures | 5.1. Signatures | |||
Signatures can be placed in a number of different ASN.1 structures. | Signatures are used in a number of different ASN.1 structures. In an | |||
The top level structure for an X.509 certificate, to illustrate how | X.509 certificate a signature is encoded with an algorithm identifier | |||
signatures are frequently encoded with an algorithm identifier and a | in the signatureAlgorithm attribute and a signatureValue that | |||
location for the signature, is | contains the actual signature. | |||
Certificate ::= SEQUENCE { | Certificate ::= SEQUENCE { | |||
tbsCertificate TBSCertificate, | tbsCertificate TBSCertificate, | |||
signatureAlgorithm AlgorithmIdentifier, | signatureAlgorithm AlgorithmIdentifier, | |||
signatureValue BIT STRING } | signatureValue BIT STRING } | |||
The identifiers defined in Section 4 can be used as the | The identifiers defined in Section 4 can be used as the | |||
AlgorithmIdentifier in the signatureAlgorithm field in the sequence | AlgorithmIdentifier in the signatureAlgorithm field in the sequence | |||
Certificate and the signature field in the sequence tbsCertificate in | Certificate and the signature field in the sequence tbsCertificate in | |||
X.509 [RFC5280]. | X.509. The parameters of these signature algorithms are absent as | |||
explained in Section 4. [RFC5280]. | ||||
Conforming CA implementations MUST specify the algorithms explicitly | Conforming CA implementations MUST specify the algorithms explicitly | |||
by using the OIDs specified in Section 4 when encoding RSASSA-PSS or | by using the OIDs specified in Section 4 when encoding RSASSA-PSS or | |||
ECDSA with SHAKE signatures in certificates and CRLs. Conforming | ECDSA with SHAKE signatures in certificates and CRLs. Conforming | |||
client implementations that process RSASSA-PSS or ECDSA with SHAKE | client implementations that process RSASSA-PSS or ECDSA with SHAKE | |||
signatures when processing certificates and CRLs MUST recognize the | signatures when processing certificates and CRLs MUST recognize the | |||
corresponding OIDs. Encoding rules for RSASSA-PSS and ECDSA | corresponding OIDs. Encoding rules for RSASSA-PSS and ECDSA | |||
signature values are specified in [RFC4055] and [RFC5480] | signature values are specified in [RFC4055] and [RFC5480] | |||
respectively. | respectively. | |||
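Review bot: "When the SHAKEs are used as mask generation functions RSASSA-PSS" (last paragraph of Section 4, unchanged in -07) is missing "in" before RSASSA-PSS. In the -07 text of Section 5.1, the sentence ending "absent as explained in Section 4. [RFC5280]." leaves the [RFC5280] citation dangling after the full stop; attach it to the sentence naming the Certificate and tbsCertificate fields, as the -06 text did.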
skipping to change at page 6, line 40 ¶ | skipping to change at page 6, line 46 ¶ | |||
respectively. | respectively. | |||
The mask generation function takes an octet string of variable length | The mask generation function takes an octet string of variable length | |||
and a desired output length as input, and outputs an octet string of | and a desired output length as input, and outputs an octet string of | |||
the desired length. In RSASSA-PSS with SHAKES, the SHAKEs MUST be | the desired length. In RSASSA-PSS with SHAKES, the SHAKEs MUST be | |||
used natively as the MGF function, instead of the MGF1 algorithm that | used natively as the MGF function, instead of the MGF1 algorithm that | |||
uses the hash function in multiple iterations as specified in | uses the hash function in multiple iterations as specified in | |||
Section B.2.1 of [RFC8017]. In other words, the MGF is defined as | Section B.2.1 of [RFC8017]. In other words, the MGF is defined as | |||
the SHAKE128 or SHAKE256 output of the mgfSeed for id-RSASSA-PSS- | the SHAKE128 or SHAKE256 output of the mgfSeed for id-RSASSA-PSS- | |||
SHAKE128 and id-RSASSA-PSS-SHAKE256 respectively. The mgfSeed is the | SHAKE128 and id-RSASSA-PSS-SHAKE256 respectively. The mgfSeed is the | |||
seed from which mask is generated, an octet string [RFC8017]. The | seed from which mask is generated, an octet string [RFC8017]. As | |||
output length is (n - 264)/8 or (n - 520)/8 bytes respectively, where | explained in Step 9 of section 9.1.1 of [RFC8017], the output length | |||
n is the RSA modulus in bits. For example, when RSA modulus n is | of the MGF is emLen - hLen - 1 bytes. emLen is the maximum message | |||
2048, the output length of SHAKE128 or SHAKE256 as the MGF will be | length ceil((n-1)/8), where n is the RSA modulus in bits. hLen is 32 | |||
223 or 191-bits when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 | and 64-bytes for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256 | |||
is used respectively. | respectively. Thus when SHAKE is used as the MGF, the SHAKE output | |||
length maskLen is (n - 264) or (n - 520) bits respectively. For | ||||
example, when RSA modulus n is 2048, the output length of SHAKE128 or | ||||
SHAKE256 as the MGF will be 1784 or 1528-bits when id-RSASSA-PSS- | ||||
SHAKE128 or id-RSASSA-PSS-SHAKE256 is used respectively. | ||||
The RSASSA-PSS saltLength MUST be 32 or 64 bytes respectively. | The RSASSA-PSS saltLength MUST be 32 or 64 bytes respectively. | |||
Finally, the trailerField MUST be 1, which represents the trailer | Finally, the trailerField MUST be 1, which represents the trailer | |||
field with hexadecimal value 0xBC [RFC8017]. | field with hexadecimal value 0xBC [RFC8017]. | |||
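As an added example (not code from the draft), the EMSA-PSS encoding and consistency check of RFC 8017 Section 9.1 with the parameter set Section 5.1.1 fixes: SHAKE as the message hash, SHAKE used natively as the MGF instead of MGF1, saltLength equal to hLen, and trailer 0xBC. It uses Python's hashlib SHAKE objects, stops at the encoded message EM (before the RSA private-key operation), and mgf_output_bits reproduces the 1784/1528-bit figures the -07 text gives for a 2048-bit modulus; the message and salt in the test are constructed.

```python
# Added example (not code from the draft): EMSA-PSS encode/verify per
# RFC 8017 Section 9.1 with the draft's SHAKE parameters.  The SHAKE output
# of the mgfSeed is used directly as the mask (no MGF1 counter loop).
import hashlib
import os
from typing import Optional

# hLen in bytes per identifier; the draft fixes saltLength to the same value.
PARAMS = {
    "id-RSASSA-PSS-SHAKE128": (hashlib.shake_128, 32),
    "id-RSASSA-PSS-SHAKE256": (hashlib.shake_256, 64),
}


def shake_mgf(shake, mgf_seed: bytes, mask_len: int) -> bytes:
    """Native SHAKE MGF: the mask is simply SHAKE(mgfSeed, 8 * maskLen)."""
    return shake(mgf_seed).digest(mask_len)


def mgf_output_bits(mod_bits: int, alg: str) -> int:
    """SHAKE output length in bits when used as the MGF for an RSA modulus
    of mod_bits bits: maskLen = emLen - hLen - 1, emLen = ceil((n - 1) / 8)."""
    _, h_len = PARAMS[alg]
    em_len = (mod_bits - 1 + 7) // 8
    return 8 * (em_len - h_len - 1)


def emsa_pss_encode(msg: bytes, em_bits: int, alg: str,
                    salt: Optional[bytes] = None) -> bytes:
    """EMSA-PSS-ENCODE(M, emBits); emBits is modBits - 1 for RSASSA-PSS."""
    shake, h_len = PARAMS[alg]
    s_len = h_len                                            # draft: saltLength = hLen
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: modulus too small for these parameters")
    m_hash = shake(msg).digest(h_len)                        # step 2
    salt = os.urandom(s_len) if salt is None else salt       # step 4
    if len(salt) != s_len:
        raise ValueError("saltLength MUST be %d bytes" % s_len)
    h = shake(b"\x00" * 8 + m_hash + salt).digest(h_len)     # steps 5-6
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt   # steps 7-8
    db_mask = shake_mgf(shake, h, em_len - h_len - 1)        # step 9, native SHAKE
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask))  # step 10
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)           # step 11: EM < 2^emBits
    return bytes(masked_db) + h + b"\xbc"                    # step 12, trailer 0xBC


def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, alg: str) -> bool:
    """EMSA-PSS-VERIFY(M, EM, emBits): True when EM is consistent with M."""
    shake, h_len = PARAMS[alg]
    s_len = h_len
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False                                         # steps 3-4
    masked_db, h = em[:em_len - h_len - 1], em[em_len - h_len - 1:-1]
    if masked_db[0] & ~(0xFF >> (8 * em_len - em_bits)) & 0xFF:
        return False                                         # step 6: padding bits set
    db_mask = shake_mgf(shake, h, len(masked_db))            # step 7
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))
    db[0] &= 0xFF >> (8 * em_len - em_bits)                  # step 9
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False                                         # step 10
    salt = bytes(db[-s_len:])                                # step 11
    m_hash = shake(msg).digest(h_len)
    return shake(b"\x00" * 8 + m_hash + salt).digest(h_len) == h   # steps 12-14


if __name__ == "__main__":
    for alg in PARAMS:
        print(alg, "MGF output for a 2048-bit modulus:", mgf_output_bits(2048, alg), "bits")
```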
5.1.2. Deterministic ECDSA Signatures | 5.1.2. ECDSA Signatures | |||
The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | |||
[X9.62]. When the id-ecdsa-with-SHAKE128 or id-ecdsa-with-SHAKE256 | [X9.62]. When the id-ecdsa-with-SHAKE128 or id-ecdsa-with-SHAKE256 | |||
(specified in Section 4) algorithm identifier appears, the respective | (specified in Section 4) algorithm identifier appears, the respective | |||
SHAKE function (SHAKE128 or SHAKE256) is used as the hash. The | SHAKE function (SHAKE128 or SHAKE256) is used as the hash. The | |||
encoding MUST omit the parameters field. That is, the | encoding MUST omit the parameters field. That is, the | |||
AlgorithmIdentifier SHALL be a SEQUENCE of one component, the OID id- | AlgorithmIdentifier SHALL be a SEQUENCE of one component, the OID id- | |||
ecdsa-with-SHAKE128 or id-ecdsa-with-SHAKE256. | ecdsa-with-SHAKE128 or id-ecdsa-with-SHAKE256. | |||
For simplicity and compliance with the ECDSA standard specification, | For simplicity and compliance with the ECDSA standard specification, | |||
the output length of the hash function must be explicitly determined. | the output length of the hash function must be explicitly determined. | |||
The output length, d, for SHAKE128 or SHAKE256 used in ECDSA MUST be | The output length, d, for SHAKE128 or SHAKE256 used in ECDSA MUST be | |||
256 or 512 bits respectively. | 256 or 512 bits respectively. | |||
Conforming CA implementations that generate ECDSA with SHAKE | It is RECOMMENDED that conforming CA implementations that generate | |||
signatures in certificates or CRLs MUST generate such signatures with | ECDSA with SHAKE signatures in certificates or CRLs generate such | |||
a deterministicly generated, non-random k in accordance with all the | signatures with a deterministically generated, non-random k in | |||
requirements specified in [RFC6979]. They MAY also generate such | accordance with all the requirements specified in [RFC6979]. They | |||
signatures in accordance with all other recommendations in [X9.62] or | MAY also generate such signatures in accordance with all other | |||
[SEC1] if they have a stated policy that requires conformance to | recommendations in [X9.62] or [SEC1] if they have a stated policy | |||
these standards. These standards may have not specified SHAKE128 and | that requires conformance to these standards. These standards may | |||
SHAKE256 as hash algorithm options. However, SHAKE128 and SHAKE256 | have not specified SHAKE128 and SHAKE256 as hash algorithm options. | |||
with output length being 32 and 64 octets respectively are | However, SHAKE128 and SHAKE256 with output length being 32 and 64 | |||
subtitutions for 256 and 512-bit output hash algorithms such as | octets respectively are subtitutions for 256 and 512-bit output hash | |||
SHA256 and SHA512 used in the standards. | algorithms such as SHA256 and SHA512 used in the standards. | |||
5.2. Public Keys | 5.2. Public Keys | |||
Certificates conforming to [RFC5280] can convey a public key for any | Certificates conforming to [RFC5280] can convey a public key for any | |||
public key algorithm. The certificate indicates the public key | public key algorithm. The certificate indicates the public key | |||
algorithm through an algorithm identifier. This algorithm identifier | algorithm through an algorithm identifier. This algorithm identifier | |||
is an OID and optionally associated parameters. | is an OID and optionally associated parameters. The conventions and | |||
encoding for RSASSA-PSS and ECDSA public keys algorithm identifiers | ||||
are as specified in Section 2.3 of [RFC3279], Section 3.1 of | ||||
[RFC4055] and Section 2.1 of [RFC5480]. | ||||
Traditionally, the rsaEncryption object identifier is used to | ||||
identify RSA public keys. The rsaEncryption object identifier | ||||
continues to identify the subject public key when the RSA private key | ||||
owner does not wish to limit the use of the public key exclusively to | ||||
RSASSA-PSS with SHAKEs. When the RSA private key owner wishes to | ||||
limit the use of the public key exclusively to RSASSA-PSS with | ||||
SHAKEs, the AlgorithmIdentifiers for RSASSA-PSS defined in Section 4 | ||||
SHOULD be used as the algorithm field in the SubjectPublicKeyInfo | ||||
sequence [RFC5280]. Conforming client implementations that process | ||||
RSASSA-PSS with SHAKE public keys when processing certificates and | ||||
CRLs MUST recognize the corresponding OIDs. | ||||
Conforming CA implementations MUST specify the X.509 public key | Conforming CA implementations MUST specify the X.509 public key | |||
algorithm explicitly by using the OIDs specified in Section 4 when | algorithm explicitly by using the OIDs specified in Section 4 when | |||
encoding RSASSA-PSS or ECDSA with SHAKE public keys in certificates | encoding ECDSA with SHAKE public keys in certificates and CRLs. | |||
and CRLs. Conforming client implementations that process RSASSA-PSS | Conforming client implementations that process ECDSA with SHAKE | |||
or ECDSA with SHAKE public key when processing certificates and CRLs | public keys when processing certificates and CRLs MUST recognize the | |||
MUST recognize the corresponding OIDs. The conventions and encoding | corresponding OIDs. | |||
for RSASSA-PSS and ECDSA public keys algorithm identifiers are as | ||||
specified in Section 2.3 of [RFC3279], Section 3.1 of [RFC4055] and | ||||
Section 2.1 of [RFC5480]. | ||||
When the RSA private key owner wishes to limit the use of the public | The identifier parameters, as explained in section Section 4, MUST be | |||
key exclusively to RSASSA-PSS, the AlgorithmIdentifiers for RSASSA- | absent. | |||
PSS defined in Section 4 can be used as the algorithm field in the | ||||
SubjectPublicKeyInfo sequence [RFC5280]. The identifier parameters, | ||||
as explained in section Section 4, MUST be absent. The RSASSA-PSS | ||||
algorithm functions and output lengths are the same as defined in | ||||
Section 5.1.1. | ||||
6. IANA Considerations | 6. IANA Considerations | |||
One object identifier for the ASN.1 module in Appendix A was assigned | One object identifier for the ASN.1 module in Appendix A was assigned | |||
in the SMI Security for PKIX Module Identifiers (1.3.6.1.5.5.7.0) | in the SMI Security for PKIX Module Identifiers (1.3.6.1.5.5.7.0) | |||
registry: | registry: | |||
PKIXAlgsForSHAKE-2018 { iso(1) identified-organization(3) dod(6) | PKIXAlgsForSHAKE-2019 { iso(1) identified-organization(3) dod(6) | |||
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
id-mod-pkix1-shake-2018(TBD) } | id-mod-pkix1-shakes-2019(TBD) } | |||
7. Security Considerations | 7. Security Considerations | |||
The SHAKEs are deterministic functions. Like any other deterministic | The SHAKEs are deterministic functions. Like any other deterministic | |||
function, executing multiple times with the same input will produce | function, executing multiple times with the same input will produce | |||
the same output. Therefore, users should not expect unrelated | the same output. Therefore, users should not expect unrelated | |||
outputs (with the same or different output lengths) from running a | outputs (with the same or different output lengths) from running a | |||
SHAKE function with the same input multiple times. The shorter of | SHAKE function with the same input multiple times. The shorter of | |||
any two outputs produced from a SHAKE with the same input is a prefix | any two outputs produced from a SHAKE with the same input is a prefix | |||
of the longer one. It is a similar situation as truncating a 512-bit | of the longer one. It is a similar situation as truncating a 512-bit | |||
output of SHA-512 by taking its 256 left-most bits. These 256 left- | output of SHA-512 by taking its 256 left-most bits. These 256 left- | |||
most bits are a prefix of the 512-bit output. | most bits are a prefix of the 512-bit output. | |||
Implementations must protect the signer's private key. Compromise of | When using ECDSA with SHAKEs, the ECDSA curve order SHOULD be chosen | |||
the signer's private key permits masquerade attacks. | in line with the SHAKE output length. NIST has defined appropriate | |||
use of the hash functions in terms of the algorithm strengths and | ||||
Implementers should be aware that cryptographic algorithms may become | expected time frames for secure use in Special Publications (SPs) | |||
weaker with time. As new cryptanalysis techniques are developed and | [SP800-78-4] and [SP800-107]. These documents can be used as guides | |||
computing power increases, the work factor or time required to break | to choose appropriate key sizes for various security scenarios. In | |||
a particular cryptographic algorithm may decrease. Therefore, | the context of this document id-ecdsa-with-shake128 is RECOMMENDED | |||
cryptographic algorithm implementations should be modular allowing | for curves with group order of 256-bits. id-ecdsa-with-shake256 is | |||
new algorithms to be readily inserted. That is, implementers should | RECOMMENDED for curves with group order of 384-bits or more. | |||
be prepared to regularly update the set of algorithms in their | ||||
implementations. | ||||
8. Acknowledgements | 8. Acknowledgements | |||
We would like to thank Sean Turner and Jim Schaad for their valuable | We would like to thank Sean Turner, Jim Schaad and Eric Rescorla for | |||
contributions to this document. | their valuable contributions to this document. | |||
The authors would like to thank Russ Housley for his guidance and | The authors would like to thank Russ Housley for his guidance and | |||
very valuable contributions with the ASN.1 module. | very valuable contributions with the ASN.1 module. | |||
9. References | 9. References | |||
9.1. Normative References | 9.1. Normative References | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
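Review bot: the rewritten Section 5.2 in -07 requires CAs to use "the OIDs specified in Section 4 when encoding ECDSA with SHAKE public keys", but Section 4 only says those identifiers can identify a public key in RSASSA-PSS, and the ECDSA public key conventions this section points to ([RFC5480]) carry their own identifier; either state which OID an ECDSA-with-SHAKE SubjectPublicKeyInfo is expected to carry or keep this MUST scoped to RSASSA-PSS as the -06 text had it. The MGF length correction in 5.1.1 is right (emLen - hLen - 1 is 223 and 191 octets for a 2048-bit modulus, i.e. 1784 and 1528 bits), and moving [RFC6979] to informative is consistent with the MUST-to-RECOMMENDED change, but 5.1.2 should then state the requirement on k (fresh and unpredictable per signature) for CAs that do not follow [RFC6979] rather than leave k generation unspecified. Remaining editorial points in this region: "seed from which mask is generated" needs "the mask"; "1528-bits", "256-bits" and "384-bits" should be unhyphenated; "subtitutions" (5.1.2) and "section Section 4" (5.2) survive from -06.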
skipping to change at page 9, line 32 ¶ | skipping to change at page 9, line 42 ¶ | |||
Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
<https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | |||
"Elliptic Curve Cryptography Subject Public Key | "Elliptic Curve Cryptography Subject Public Key | |||
Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, | Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, | |||
<https://www.rfc-editor.org/info/rfc5480>. | <https://www.rfc-editor.org/info/rfc5480>. | |||
[RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature | ||||
Algorithm (DSA) and Elliptic Curve Digital Signature | ||||
Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August | ||||
2013, <https://www.rfc-editor.org/info/rfc6979>. | ||||
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | |||
"PKCS #1: RSA Cryptography Specifications Version 2.2", | "PKCS #1: RSA Cryptography Specifications Version 2.2", | |||
RFC 8017, DOI 10.17487/RFC8017, November 2016, | RFC 8017, DOI 10.17487/RFC8017, November 2016, | |||
<https://www.rfc-editor.org/info/rfc8017>. | <https://www.rfc-editor.org/info/rfc8017>. | |||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[SHA3] National Institute of Standards and Technology, "SHA-3 | [SHA3] National Institute of Standards and Technology (NIST), | |||
Standard - Permutation-Based Hash and Extendable-Output | "SHA-3 Standard - Permutation-Based Hash and Extendable- | |||
Functions FIPS PUB 202", August 2015, | Output Functions FIPS PUB 202", August 2015, | |||
<https://www.nist.gov/publications/sha-3-standard- | <https://www.nist.gov/publications/sha-3-standard- | |||
permutation-based-hash-and-extendable-output-functions>. | permutation-based-hash-and-extendable-output-functions>. | |||
9.2. Informative References | 9.2. Informative References | |||
[RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | |||
Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||
Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
(CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | |||
2002, <https://www.rfc-editor.org/info/rfc3279>. | 2002, <https://www.rfc-editor.org/info/rfc3279>. | |||
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the | [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the | |||
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, | Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, | |||
DOI 10.17487/RFC5912, June 2010, | DOI 10.17487/RFC5912, June 2010, | |||
<https://www.rfc-editor.org/info/rfc5912>. | <https://www.rfc-editor.org/info/rfc5912>. | |||
[RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature | ||||
Algorithm (DSA) and Elliptic Curve Digital Signature | ||||
Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August | ||||
2013, <https://www.rfc-editor.org/info/rfc6979>. | ||||
[SEC1] Standards for Efficient Cryptography Group, "SEC 1: | [SEC1] Standards for Efficient Cryptography Group, "SEC 1: | |||
Elliptic Curve Cryptography", May 2009, | Elliptic Curve Cryptography", May 2009, | |||
<http://www.secg.org/sec1-v2.pdf>. | <http://www.secg.org/sec1-v2.pdf>. | |||
[SP800-107] | ||||
National Institute of Standards and Technology (NIST), | ||||
"SP800-107: Recommendation for Applications Using Approved | ||||
Hash Algorithms", May 2014, | ||||
<https://csrc.nist.gov/csrc/media/publications/sp/800-107/ | ||||
rev-1/final/documents/draft_revised_sp800-107.pdf>. | ||||
[SP800-78-4] | ||||
National Institute of Standards and Technology (NIST), | ||||
"SP800-78-4: Cryptographic Algorithms and Key Sizes for | ||||
Personal Identity Verification", May 2014, | ||||
<https://csrc.nist.gov/csrc/media/publications/sp/800- | ||||
78/4/final/documents/sp800_78-4_revised_draft.pdf>. | ||||
[X9.62] American National Standard for Financial Services (ANSI), | [X9.62] American National Standard for Financial Services (ANSI), | |||
"X9.62-2005 Public Key Cryptography for the Financial | "X9.62-2005: Public Key Cryptography for the Financial | |||
Services Industry: The Elliptic Curve Digital Signature | Services Industry: The Elliptic Curve Digital Signature | |||
Standard (ECDSA)", November 2005. | Standard (ECDSA)", November 2005. | |||
Appendix A. ASN.1 module | Appendix A. ASN.1 module | |||
This appendix includes the ASN.1 module for SHAKEs in X.509. This | This appendix includes the ASN.1 module for SHAKEs in X.509. This | |||
module does not come from any existing RFC. | module does not come from any existing RFC. | |||
PKIXAlgsForSHAKE-2018 { iso(1) identified-organization(3) dod(6) | PKIXAlgsForSHAKE-2019 { iso(1) identified-organization(3) dod(6) | |||
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
id-mod-pkix1-shake-2018(TBD) } | id-mod-pkix1-shakes-2019(TBD) } | |||
DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
BEGIN | BEGIN | |||
-- EXPORTS ALL; | -- EXPORTS ALL; | |||
IMPORTS | IMPORTS | |||
-- FROM [RFC5912] | -- FROM [RFC5912] | |||
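Review bot: the renamed module identifier in this region is inconsistent with itself: the module name becomes "PKIXAlgsForSHAKE-2019" (singular SHAKE) while the id-mod arc becomes "id-mod-pkix1-shakes-2019" (plural); pick one spelling so the module header and the IANA registration text agree. In the same region, the two newly added NIST informative references point at draft files ("rev-1/final/documents/draft_revised_sp800-107.pdf" and "78/4/final/documents/sp800_78-4_revised_draft.pdf") while the entries are dated May 2014 as published documents; cite the final publication URLs or mark the entries as drafts.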
skipping to change at page 12, line 4 ¶ | skipping to change at page 12, line 31 ¶ | |||
-- | -- | |||
-- Public Key (pk-) Algorithms | -- Public Key (pk-) Algorithms | |||
-- | -- | |||
PublicKeys PUBLIC-KEY ::= { | PublicKeys PUBLIC-KEY ::= { | |||
-- This expands PublicKeys from [RFC5912] | -- This expands PublicKeys from [RFC5912] | |||
pk-rsaSSA-PSS-SHAKE128 | | pk-rsaSSA-PSS-SHAKE128 | | |||
pk-rsaSSA-PSS-SHAKE256, | pk-rsaSSA-PSS-SHAKE256, | |||
... | ... | |||
} | } | |||
-- The hashAlgorithm is mda-shake128 | -- The hashAlgorithm is mda-shake128 | |||
-- The maskGenAlgorithm is id-shake128 | -- The maskGenAlgorithm is id-shake128 | |||
-- Mask Gen Algorithm is SHAKE128 with output length | -- Mask Gen Algorithm is SHAKE128 with output length | |||
-- (n - 264)/8, where n is the RSA modulus in bits. | -- (n - 264) bits, where n is the RSA modulus in bits. | |||
-- the saltLength is 32 | -- the saltLength is 32 | |||
-- the trailerField is 1 | -- the trailerField is 1 | |||
pk-rsaSSA-PSS-SHAKE128 PUBLIC-KEY ::= { | pk-rsaSSA-PSS-SHAKE128 PUBLIC-KEY ::= { | |||
IDENTIFIER id-RSASSA-PSS-SHAKE128 | IDENTIFIER id-RSASSA-PSS-SHAKE128 | |||
KEY RSAPublicKey | KEY RSAPublicKey | |||
PARAMS TYPE NULL ARE absent | PARAMS ARE absent | |||
-- Private key format not in this module -- | -- Private key format not in this module -- | |||
CERT-KEY-USAGE { nonRepudiation, digitalSignature, | CERT-KEY-USAGE { nonRepudiation, digitalSignature, | |||
keyCertSign, cRLSign } | keyCertSign, cRLSign } | |||
} | } | |||
-- The hashAlgorithm is mda-shake256 | -- The hashAlgorithm is mda-shake256 | |||
-- The maskGenAlgorithm is id-shake256 | -- The maskGenAlgorithm is id-shake256 | |||
-- Mask Gen Algorithm is SHAKE256 with output length | -- Mask Gen Algorithm is SHAKE256 with output length | |||
-- (n - 520)/8, where n is the RSA modulus in bits. | -- (n - 520)-bits, where n is the RSA modulus in bits. | |||
-- the saltLength is 64 | -- the saltLength is 64 | |||
-- the trailerField is 1 | -- the trailerField is 1 | |||
pk-rsaSSA-PSS-SHAKE256 PUBLIC-KEY ::= { | pk-rsaSSA-PSS-SHAKE256 PUBLIC-KEY ::= { | |||
IDENTIFIER id-RSASSA-PSS-SHAKE256 | IDENTIFIER id-RSASSA-PSS-SHAKE256 | |||
KEY RSAPublicKey | KEY RSAPublicKey | |||
PARAMS TYPE NULL ARE absent | PARAMS ARE absent | |||
-- Private key format not in this module -- | -- Private key format not in this module -- | |||
CERT-KEY-USAGE { nonRepudiation, digitalSignature, | CERT-KEY-USAGE { nonRepudiation, digitalSignature, | |||
keyCertSign, cRLSign } | keyCertSign, cRLSign } | |||
} | } | |||
-- | -- | |||
-- Signature Algorithms (sa-) | -- Signature Algorithms (sa-) | |||
-- | -- | |||
SignatureAlgs SIGNATURE-ALGORITHM ::= { | SignatureAlgs SIGNATURE-ALGORITHM ::= { | |||
-- This expands SignatureAlgorithms from [RFC5912] | -- This expands SignatureAlgorithms from [RFC5912] | |||
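Review bot: the mask generation output length in the pk-rsaSSA-PSS-SHAKE128 and pk-rsaSSA-PSS-SHAKE256 comments changes from octets to bits in this revision, but the two forms are styled differently ("(n - 264) bits" versus "(n - 520)-bits"); use the same form in both. More substantively, RFC 8017 defines the MGF output length as emLen - hLen - 1 octets with emLen = ceil((n - 1)/8), which equals (n - 264) bits for SHAKE128 (hLen = 32 octets) and (n - 520) bits for SHAKE256 (hLen = 64 octets) only when the modulus length n is a multiple of 8; either state that assumption in the comment or write the length as 8*emLen - 264 and 8*emLen - 520 bits. The saltLength comments ("32" and "64") carry no unit; stating octets there would avoid a bits/octets mix-up right beside the bit-denominated mask length.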
skipping to change at page 13, line 13 ¶ | skipping to change at page 13, line 41 ¶ | |||
sa-rsassapssWithSHAKE128.&smimeCaps | | sa-rsassapssWithSHAKE128.&smimeCaps | | |||
sa-rsassapssWithSHAKE256.&smimeCaps | | sa-rsassapssWithSHAKE256.&smimeCaps | | |||
sa-ecdsaWithSHAKE128.&smimeCaps | | sa-ecdsaWithSHAKE128.&smimeCaps | | |||
sa-ecdsaWithSHAKE256.&smimeCaps, | sa-ecdsaWithSHAKE256.&smimeCaps, | |||
... | ... | |||
} | } | |||
-- RSASSA-PSS with SHAKE128 | -- RSASSA-PSS with SHAKE128 | |||
sa-rsassapssWithSHAKE128 SIGNATURE-ALGORITHM ::= { | sa-rsassapssWithSHAKE128 SIGNATURE-ALGORITHM ::= { | |||
IDENTIFIER id-RSASSA-PSS-SHAKE128 | IDENTIFIER id-RSASSA-PSS-SHAKE128 | |||
PARAMS TYPE NULL ARE absent | PARAMS ARE absent | |||
-- The hashAlgorithm is mda-shake128 | -- The hashAlgorithm is mda-shake128 | |||
-- The maskGenAlgorithm is id-shake128 | -- The maskGenAlgorithm is id-shake128 | |||
-- Mask Gen Algorithm is SHAKE128 with output length | -- Mask Gen Algorithm is SHAKE128 with output length | |||
-- (n - 264)/8, where n is the RSA modulus in bits. | -- (n - 264) bits, where n is the RSA modulus in bits. | |||
-- the saltLength is 32 | -- the saltLength is 32 | |||
-- the trailerField is 1 | -- the trailerField is 1 | |||
HASHES { mda-shake128 } | HASHES { mda-shake128 } | |||
PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE128 } | PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE128 } | |||
SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE128 } | SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE128 } | |||
} | } | |||
id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { TBD } | id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { TBD } | |||
-- RSASSA-PSS with SHAKE256 | -- RSASSA-PSS with SHAKE256 | |||
sa-rsassapssWithSHAKE256 SIGNATURE-ALGORITHM ::= { | sa-rsassapssWithSHAKE256 SIGNATURE-ALGORITHM ::= { | |||
IDENTIFIER id-RSASSA-PSS-SHAKE256 | IDENTIFIER id-RSASSA-PSS-SHAKE256 | |||
PARAMS TYPE NULL ARE absent | PARAMS ARE absent | |||
-- The hashAlgorithm is mda-shake256 | -- The hashAlgorithm is mda-shake256 | |||
-- The maskGenAlgorithm is id-shake256 | -- The maskGenAlgorithm is id-shake256 | |||
-- Mask Gen Algorithm is SHAKE256 with output length | -- Mask Gen Algorithm is SHAKE256 with output length | |||
-- (n - 520)/8, where n is the RSA modulus in bits. | -- (n - 520)-bits, where n is the RSA modulus in bits. | |||
-- the saltLength is 64 | -- the saltLength is 64 | |||
-- the trailerField is 1 | -- the trailerField is 1 | |||
HASHES { mda-shake256 } | HASHES { mda-shake256 } | |||
PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE256 } | PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE256 } | |||
SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE256 } | SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE256 } | |||
} | } | |||
id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { TBD } | id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { TBD } | |||
-- Determinstic ECDSA with SHAKE128 | -- Determinstic ECDSA with SHAKE128 | |||
sa-ecdsaWithSHAKE128 SIGNATURE-ALGORITHM ::= { | sa-ecdsaWithSHAKE128 SIGNATURE-ALGORITHM ::= { | |||
IDENTIFIER id-ecdsa-with-shake128 | IDENTIFIER id-ecdsa-with-shake128 | |||
VALUE ECDSA-Sig-Value | VALUE ECDSA-Sig-Value | |||
PARAMS TYPE NULL ARE absent | PARAMS ARE absent | |||
HASHES { mda-shake128 } | HASHES { mda-shake128 } | |||
PUBLIC-KEYS { pk-ec } | PUBLIC-KEYS { pk-ec } | |||
SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake128 } | SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake128 } | |||
} | } | |||
id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
country(16) us(840) organization(1) | country(16) us(840) organization(1) | |||
gov(101) csor(3) nistAlgorithm(4) | gov(101) csor(3) nistAlgorithm(4) | |||
sigAlgs(3) TBD } | sigAlgs(3) TBD } | |||
-- Determinstic ECDSA with SHAKE256 | -- Determinstic ECDSA with SHAKE256 | |||
sa-ecdsaWithSHAKE256 SIGNATURE-ALGORITHM ::= { | sa-ecdsaWithSHAKE256 SIGNATURE-ALGORITHM ::= { | |||
IDENTIFIER id-ecdsa-with-shake256 | IDENTIFIER id-ecdsa-with-shake256 | |||
VALUE ECDSA-Sig-Value | VALUE ECDSA-Sig-Value | |||
PARAMS TYPE NULL ARE absent | PARAMS ARE absent | |||
HASHES { mda-shake256 } | HASHES { mda-shake256 } | |||
PUBLIC-KEYS { pk-ec } | PUBLIC-KEYS { pk-ec } | |||
SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake256 } | SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake256 } | |||
} | } | |||
id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | |||
country(16) us(840) organization(1) | country(16) us(840) organization(1) | |||
gov(101) csor(3) nistAlgorithm(4) | gov(101) csor(3) nistAlgorithm(4) | |||
sigAlgs(3) TBD } | sigAlgs(3) TBD } | |||
END | END | |||
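Review bot: "Determinstic" in the comment lines above sa-ecdsaWithSHAKE128 and sa-ecdsaWithSHAKE256 is misspelled (should be "Deterministic") and survives unchanged in the new revision. While fixing it, the comment could point at [RFC6979], which this revision adds to the informative references, since nothing in the SIGNATURE-ALGORITHM definitions themselves says how the per-signature nonce is derived; as written, a reader of the module alone cannot tell what "deterministic" commits an implementation to. The same mask length and saltLength comments are repeated verbatim from the pk- entries above; keep them in sync with whatever unit wording is chosen there.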
End of changes. 42 change blocks. | ||||
95 lines changed or deleted | 123 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |