--- 1/draft-ietf-lamps-pkix-shake-12.txt 2019-07-21 21:13:11.365336830 -0700 +++ 2/draft-ietf-lamps-pkix-shake-13.txt 2019-07-21 21:13:11.397337643 -0700 
@@ -1,46 +1,48 @@ LAMPS WG P. Kampanakis Internet-Draft Cisco Systems Updates: 3279 (if approved) Q. Dang Intended status: Standards Track NIST -Expires: January 1, 2020 June 30, 2019 +Expires: January 22, 2020 July 21, 2019 Internet X.509 Public Key Infrastructure: Additional Algorithm Identifiers for RSASSA-PSS and ECDSA using SHAKEs - draft-ietf-lamps-pkix-shake-12 + draft-ietf-lamps-pkix-shake-13 Abstract Digital signatures are used to sign messages, X.509 certificates and - CRLs. This document updates [RFC3279] and describes the conventions - for using the SHAKE function family in Internet X.509 certificates - and CRLs as one-way hash functions with the RSA Probabilistic + CRLs. This document updates the "Algorithms and Identifiers for the + Internet X.509 Public Key Infrastructure Certificate and Certificate + Revocation List Profile" (RFC3279) and describes the conventions for + using the SHAKE function family in Internet X.509 certificates and + revocation lists as one-way hash functions with the RSA Probabilistic signature and ECDSA signature algorithms. The conventions for the associated subject public keys are also described. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 1, 2020. + This Internet-Draft will expire on January 22, 2020. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. 
All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -67,20 +69,28 @@ 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 9.1. Normative References . . . . . . . . . . . . . . . . . . 10 9.2. Informative References . . . . . . . . . . . . . . . . . 11 Appendix A. ASN.1 module . . . . . . . . . . . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 1. Change Log [ EDNOTE: Remove this section before publication. ] + o draft-ietf-lamps-pkix-shake-13: + + * Addressing one applicable comment from Dan M. about sec levels + while in secdir review of draft-ietf-lamps-cms-shakes. + + * Addressing comment from Scott B.'s opsdir review about + references in the abstract. + o draft-ietf-lamps-pkix-shake-12: * Nits identified by Roman, Eric V. Ben K., Barry L. in ballot position review. o draft-ietf-lamps-pkix-shake-11: * Nits identified by Roman in AD Review. o draft-ietf-lamps-pkix-shake-10: 
@@ -170,25 +180,26 @@ * Added Public key algorithm OIDs. * Populated Introduction and IANA sections. o draft-ietf-lamps-pkix-shake-00: * Initial version 2. Introduction - This document defines cryptographic algorithm identifiers for several - cryptographic algorithms that use variable length output SHAKE - functions introduced in [SHA3] which can be used with the Internet - X.509 Certificate and Certificate Revocation List (CRL) profile - [RFC5280]. + [RFC3279] defines cryptographic algorithm identifiers for the + Internet X.509 Certificate and Certificate Revocation Lists (CRL) + profile [RFC5280]. This document updates RFC3279 and defines + identifiers for several cryptographic algorithms that use variable + length output SHAKE functions introduced in [SHA3] which can be used + with . In the SHA-3 family, two extendable-output functions (SHAKEs), SHAKE128 and SHAKE256, are defined. Four other hash function instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512, are also defined but are out of scope for this document. A SHAKE is a variable length hash function defined as SHAKE(M, d) where the output is a d-bits-long digest of message M. The corresponding collision and second-preimage-resistance strengths for SHAKE128 are min(d/2,128) and min(d,128) bits, respectively (Appendix A.1 [SHA3]). And the corresponding collision and second-preimage-resistance 
@@ -274,24 +285,21 @@ by using the OIDs specified in Section 4 when encoding RSASSA-PSS or ECDSA with SHAKE signatures in certificates and CRLs. Conforming client implementations that process certificates and CRLs using RSASSA-PSS or ECDSA with SHAKE MUST recognize the corresponding OIDs. Encoding rules for RSASSA-PSS and ECDSA signature values are specified in [RFC4055] and [RFC5480], respectively. When using RSASSA-PSS or ECDSA with SHAKEs, the RSA modulus and ECDSA curve order SHOULD be chosen in line with the SHAKE output length. - In the context of this document SHAKE128 OIDs are RECOMMENDED for - 2048 or 3072-bit RSA modulus or curves with group order of 256-bits. - SHAKE256 OIDs are RECOMMENDED for 4096-bit RSA modulus and higher or - curves with group order of 384-bits and higher. + Refer to Section 7 for more details. 5.1.1. RSASSA-PSS Signatures The RSASSA-PSS algorithm is defined in [RFC8017]. When id-RSASSA- PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in Section 4 is used, the encoding MUST omit the parameters field. That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA- PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. [RFC4055] defines RSASSA- PSS-params that are used to define the algorithms and inputs to the algorithm. This specification does not use parameters because the 
@@ -426,20 +434,32 @@ This document updates [RFC3279]. The security considerations section of that document applies to this specification as well. NIST has defined appropriate use of the hash functions in terms of the algorithm strengths and expected time frames for secure use in Special Publications (SPs) [SP800-78-4] and [SP800-107]. These documents can be used as guides to choose appropriate key sizes for various security scenarios. + SHAKE128 with output length of 256-bits offers 128-bits of collision + and 256-bits of preimage resistance. Thus, SHAKE128 OIDs in this + specification are RECOMMENDED with 2048 (112-bit security) or + 3072-bit (128-bit security) RSA modulus or curves with group order of + 256-bits (128-bit security). SHAKE256 with 512-bits output length + offers 256-bits of collision and 512-bits of preimage resistance. + Thus, the SHAKE256 OIDs in this specification are RECOMMENDED with + 4096-bit RSA modulus or higher or curves with group order of 384-bits + (256-bit security) or higher. Note that we recommended 4096-bit RSA + because we would need 15360-bit modulus for 256-bits of security + which is impractical for today's technology. + 8. Acknowledgements We would like to thank Sean Turner, Jim Schaad and Eric Rescorla for their valuable contributions to this document. The authors would like to thank Russ Housley for his guidance and very valuable contributions with the ASN.1 module. 9. References
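Review bot: in hunk @@ -170,25 +180,26 @@ the rewritten Introduction sentence is left incomplete: it now ends "which can be used with ." with its object dropped. The removed lines said the identifiers can be used with the Internet X.509 Certificate and CRL profile [RFC5280], and the new first sentence already cites that profile, so either restore that object or end the sentence after "[SHA3]". In the same hunk the new first sentence says "Certificate Revocation Lists (CRL)" while the rest of the draft uses "Certificate Revocation List (CRL)"; keep one form.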
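Review bot: in hunk @@ -274,24 +285,21 @@ the replacement line "Refer to Section 7 for more details." is a bare section number; since the RECOMMENDED key-size guidance has been moved out of this section, consider referencing the target by title as well (the Security Considerations section, which in this draft is Section 7) so the pointer survives any renumbering before publication.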
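Review bot: in hunk @@ -426,20 +434,32 @@ the preimage-resistance figures in the new Security Considerations paragraph disagree with the draft's own Section 2 (visible as context in hunk @@ -170,25 +180,26 @@): there the second-preimage resistance of SHAKE128 is given as min(d,128) bits, so SHAKE128 with d = 256 offers 128 bits of preimage resistance, not 256, and by the corresponding bound for SHAKE256 in Appendix A.1 of [SHA3], min(d,256), SHAKE256 with d = 512 offers 256 bits, not 512. Suggest "SHAKE128 with output length of 256-bits offers 128-bits of collision and preimage resistance" and "SHAKE256 with 512-bits output length offers 256-bits of collision and preimage resistance". In the same paragraph, "curves with group order of 384-bits (256-bit security)" is inconsistent with the convention used earlier in the sentence, where a 256-bit group order is rated at 128-bit security; by that convention a 384-bit group order gives 192-bit security. Finally, "Note that we recommended 4096-bit RSA" should read "we recommend".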