| draft-ietf-lamps-pkix-shake-12.txt | draft-ietf-lamps-pkix-shake-13.txt |
|---|---|
| LAMPS WG P. Kampanakis | LAMPS WG P. Kampanakis |
| Internet-Draft Cisco Systems | Internet-Draft Cisco Systems |
| Updates: 3279 (if approved) Q. Dang | Updates: 3279 (if approved) Q. Dang |
| Intended status: Standards Track NIST | Intended status: Standards Track NIST |
| Expires: January 1, 2020 June 30, 2019 | Expires: January 22, 2020 July 21, 2019 |
| Internet X.509 Public Key Infrastructure: Additional Algorithm | Internet X.509 Public Key Infrastructure: Additional Algorithm |
| Identifiers for RSASSA-PSS and ECDSA using SHAKEs | Identifiers for RSASSA-PSS and ECDSA using SHAKEs |
| draft-ietf-lamps-pkix-shake-12 | draft-ietf-lamps-pkix-shake-13 |
| Abstract | Abstract |
| Digital signatures are used to sign messages, X.509 certificates and | Digital signatures are used to sign messages, X.509 certificates and |
| CRLs. This document updates [RFC3279] and describes the conventions | CRLs. This document updates the "Algorithms and Identifiers for the |
| for using the SHAKE function family in Internet X.509 certificates | Internet X.509 Public Key Infrastructure Certificate and Certificate |
| and CRLs as one-way hash functions with the RSA Probabilistic | Revocation List Profile" (RFC3279) and describes the conventions for |
| | using the SHAKE function family in Internet X.509 certificates and |
| | revocation lists as one-way hash functions with the RSA Probabilistic |
| signature and ECDSA signature algorithms. The conventions for the | signature and ECDSA signature algorithms. The conventions for the |
| associated subject public keys are also described. | associated subject public keys are also described. |
| Status of This Memo | Status of This Memo |
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the |
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on January 1, 2020. | This Internet-Draft will expire on January 22, 2020. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents |
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of |
| publication of this document. Please review these documents | publication of this document. Please review these documents |
skipping to change at page 2, line 32 (draft-12) / page 2, line 34 (draft-13)

| draft-ietf-lamps-pkix-shake-12.txt | draft-ietf-lamps-pkix-shake-13.txt |
|---|---|
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 |
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 10 |
| 9.2. Informative References . . . . . . . . . . . . . . . . . 11 | 9.2. Informative References . . . . . . . . . . . . . . . . . 11 |
| Appendix A. ASN.1 module . . . . . . . . . . . . . . . . . . . . 12 | Appendix A. ASN.1 module . . . . . . . . . . . . . . . . . . . . 12 |
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 |
| 1. Change Log | 1. Change Log |
| [ EDNOTE: Remove this section before publication. ] | [ EDNOTE: Remove this section before publication. ] |
| | o draft-ietf-lamps-pkix-shake-13: |
| | * Addressing one applicable comment from Dan M. about sec levels |
| | while in secdir review of draft-ietf-lamps-cms-shakes. |
| | * Addressing comment from Scott B.'s opsdir review about |
| | references in the abstract. |
| o draft-ietf-lamps-pkix-shake-12: | o draft-ietf-lamps-pkix-shake-12: |
| * Nits identified by Roman, Eric V. Ben K., Barry L. in ballot | * Nits identified by Roman, Eric V. Ben K., Barry L. in ballot |
| position review. | position review. |
| o draft-ietf-lamps-pkix-shake-11: | o draft-ietf-lamps-pkix-shake-11: |
| * Nits identified by Roman in AD Review. | * Nits identified by Roman in AD Review. |
| o draft-ietf-lamps-pkix-shake-10: | o draft-ietf-lamps-pkix-shake-10: |
skipping to change at page 4, line 40 (draft-12) / page 4, line 48 (draft-13)

| draft-ietf-lamps-pkix-shake-12.txt | draft-ietf-lamps-pkix-shake-13.txt |
|---|---|
| * Added Public key algorithm OIDs. | * Added Public key algorithm OIDs. |
| * Populated Introduction and IANA sections. | * Populated Introduction and IANA sections. |
| o draft-ietf-lamps-pkix-shake-00: | o draft-ietf-lamps-pkix-shake-00: |
| * Initial version | * Initial version |
| 2. Introduction | 2. Introduction |
| This document defines cryptographic algorithm identifiers for several | [RFC3279] defines cryptographic algorithm identifiers for the |
| cryptographic algorithms that use variable length output SHAKE | Internet X.509 Certificate and Certificate Revocation Lists (CRL) |
| functions introduced in [SHA3] which can be used with the Internet | profile [RFC5280]. This document updates RFC3279 and defines |
| X.509 Certificate and Certificate Revocation List (CRL) profile | identifiers for several cryptographic algorithms that use variable |
| [RFC5280]. | length output SHAKE functions introduced in [SHA3] which can be used |
| | with . |
| In the SHA-3 family, two extendable-output functions (SHAKEs), | In the SHA-3 family, two extendable-output functions (SHAKEs), |
| SHAKE128 and SHAKE256, are defined. Four other hash function | SHAKE128 and SHAKE256, are defined. Four other hash function |
| instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512, are also | instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512, are also |
| defined but are out of scope for this document. A SHAKE is a | defined but are out of scope for this document. A SHAKE is a |
| variable length hash function defined as SHAKE(M, d) where the output | variable length hash function defined as SHAKE(M, d) where the output |
| is a d-bits-long digest of message M. The corresponding collision | is a d-bits-long digest of message M. The corresponding collision |
| and second-preimage-resistance strengths for SHAKE128 are | and second-preimage-resistance strengths for SHAKE128 are |
| min(d/2,128) and min(d,128) bits, respectively (Appendix A.1 [SHA3]). | min(d/2,128) and min(d,128) bits, respectively (Appendix A.1 [SHA3]). |
| And the corresponding collision and second-preimage-resistance | And the corresponding collision and second-preimage-resistance |
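Review bot: the rewritten first paragraph of the Introduction in the draft-13 column ends with a truncated sentence, "which can be used with .", because the object that the draft-12 text carried ("the Internet X.509 Certificate and Certificate Revocation List (CRL) profile [RFC5280]") was moved into the new opening sentence and nothing was put in its place. Either complete the sentence, e.g. "which can be used with the X.509 certificate and CRL profile [RFC5280]", or drop "which can be used with" and end the sentence at "[SHA3]", since the profile is already named in the sentence before. In the same paragraph the updated RFC is cited once as "[RFC3279]" and once as bare "RFC3279"; one citation form should be used throughout.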
skipping to change at page 7, line 10 (draft-12) / page 7, line 10 (draft-13)

| draft-ietf-lamps-pkix-shake-12.txt | draft-ietf-lamps-pkix-shake-13.txt |
|---|---|
| by using the OIDs specified in Section 4 when encoding RSASSA-PSS or | by using the OIDs specified in Section 4 when encoding RSASSA-PSS or |
| ECDSA with SHAKE signatures in certificates and CRLs. Conforming | ECDSA with SHAKE signatures in certificates and CRLs. Conforming |
| client implementations that process certificates and CRLs using | client implementations that process certificates and CRLs using |
| RSASSA-PSS or ECDSA with SHAKE MUST recognize the corresponding OIDs. | RSASSA-PSS or ECDSA with SHAKE MUST recognize the corresponding OIDs. |
| Encoding rules for RSASSA-PSS and ECDSA signature values are | Encoding rules for RSASSA-PSS and ECDSA signature values are |
| specified in [RFC4055] and [RFC5480], respectively. | specified in [RFC4055] and [RFC5480], respectively. |
| When using RSASSA-PSS or ECDSA with SHAKEs, the RSA modulus and ECDSA | When using RSASSA-PSS or ECDSA with SHAKEs, the RSA modulus and ECDSA |
| curve order SHOULD be chosen in line with the SHAKE output length. | curve order SHOULD be chosen in line with the SHAKE output length. |
| In the context of this document SHAKE128 OIDs are RECOMMENDED for | Refer to Section 7 for more details. |
| 2048 or 3072-bit RSA modulus or curves with group order of 256-bits. | |
| SHAKE256 OIDs are RECOMMENDED for 4096-bit RSA modulus and higher or | |
| curves with group order of 384-bits and higher. | |
| 5.1.1. RSASSA-PSS Signatures | 5.1.1. RSASSA-PSS Signatures |
| The RSASSA-PSS algorithm is defined in [RFC8017]. When id-RSASSA- | The RSASSA-PSS algorithm is defined in [RFC8017]. When id-RSASSA- |
| PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in Section 4 is | PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in Section 4 is |
| used, the encoding MUST omit the parameters field. That is, the | used, the encoding MUST omit the parameters field. That is, the |
| AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA- | AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA- |
| PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. [RFC4055] defines RSASSA- | PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. [RFC4055] defines RSASSA- |
| PSS-params that are used to define the algorithms and inputs to the | PSS-params that are used to define the algorithms and inputs to the |
| algorithm. This specification does not use parameters because the | algorithm. This specification does not use parameters because the |
skipping to change at page 10, line 23 (draft-12) / page 10, line 16 (draft-13)

| draft-ietf-lamps-pkix-shake-12.txt | draft-ietf-lamps-pkix-shake-13.txt |
|---|---|
| This document updates [RFC3279]. The security considerations section | This document updates [RFC3279]. The security considerations section |
| of that document applies to this specification as well. | of that document applies to this specification as well. |
| NIST has defined appropriate use of the hash functions in terms of | NIST has defined appropriate use of the hash functions in terms of |
| the algorithm strengths and expected time frames for secure use in | the algorithm strengths and expected time frames for secure use in |
| Special Publications (SPs) [SP800-78-4] and [SP800-107]. These | Special Publications (SPs) [SP800-78-4] and [SP800-107]. These |
| documents can be used as guides to choose appropriate key sizes for | documents can be used as guides to choose appropriate key sizes for |
| various security scenarios. | various security scenarios. |
| | SHAKE128 with output length of 256-bits offers 128-bits of collision |
| | and 256-bits of preimage resistance. Thus, SHAKE128 OIDs in this |
| | specification are RECOMMENDED with 2048 (112-bit security) or |
| | 3072-bit (128-bit security) RSA modulus or curves with group order of |
| | 256-bits (128-bit security). SHAKE256 with 512-bits output length |
| | offers 256-bits of collision and 512-bits of preimage resistance. |
| | Thus, the SHAKE256 OIDs in this specification are RECOMMENDED with |
| | 4096-bit RSA modulus or higher or curves with group order of 384-bits |
| | (256-bit security) or higher. Note that we recommended 4096-bit RSA |
| | because we would need 15360-bit modulus for 256-bits of security |
| | which is impractical for today's technology. |
| 8. Acknowledgements | 8. Acknowledgements |
| We would like to thank Sean Turner, Jim Schaad and Eric Rescorla for | We would like to thank Sean Turner, Jim Schaad and Eric Rescorla for |
| their valuable contributions to this document. | their valuable contributions to this document. |
| The authors would like to thank Russ Housley for his guidance and | The authors would like to thank Russ Housley for his guidance and |
| very valuable contributions with the ASN.1 module. | very valuable contributions with the ASN.1 module. |
| 9. References | 9. References |
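Review bot: the strength figures in the new Security Considerations paragraph contradict Section 2 of the same draft, which states that SHAKE128's second-preimage-resistance strength is min(d,128) bits; for d = 256 that is 128 bits, not the "256-bits of preimage resistance" claimed here, and by the same rule in Appendix A.1 of [SHA3] (min(d,256) for SHAKE256) a 512-bit SHAKE256 output gives 256 bits of preimage resistance, not 512. The SHAKE output length only raises collision and preimage resistance up to the function's security level, which is the whole reason the 256-bit and 512-bit output lengths are chosen; the sentences should read "offers 128-bits of collision and preimage resistance" and "offers 256-bits of collision and preimage resistance". Second, the parenthetical "curves with group order of 384-bits (256-bit security)" is inconsistent with the scale used two sentences earlier, where a 256-bit group order is rated at 128-bit security: a 384-bit group order corresponds to 192-bit security, and 256-bit security would need a roughly 512-bit order, matching the 15360-bit RSA modulus the paragraph itself cites for that level. Finally, "Note that we recommended 4096-bit RSA because we would need ..." is first-person, past-tense editorial voice in normative text; consider "A 4096-bit RSA modulus is RECOMMENDED because a 15360-bit modulus would be needed for 256 bits of security, which is impractical with today's technology."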
End of changes. 8 change blocks. 15 lines changed or deleted, 35 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/