| draft-ietf-lamps-pkix-shake-13.txt | draft-ietf-lamps-pkix-shake-14.txt | |||
|---|---|---|---|---|
| LAMPS WG P. Kampanakis | LAMPS WG P. Kampanakis | |||
| Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
| Updates: 3279 (if approved) Q. Dang | Updates: 3279 (if approved) Q. Dang | |||
| Intended status: Standards Track NIST | Intended status: Standards Track NIST | |||
| Expires: January 22, 2020 July 21, 2019 | Expires: January 22, 2020 July 21, 2019 | |||
| Internet X.509 Public Key Infrastructure: Additional Algorithm | Internet X.509 Public Key Infrastructure: Additional Algorithm | |||
| Identifiers for RSASSA-PSS and ECDSA using SHAKEs | Identifiers for RSASSA-PSS and ECDSA using SHAKEs | |||
| draft-ietf-lamps-pkix-shake-13 | draft-ietf-lamps-pkix-shake-14 | |||
| Abstract | Abstract | |||
| Digital signatures are used to sign messages, X.509 certificates and | Digital signatures are used to sign messages, X.509 certificates and | |||
| CRLs. This document updates the "Algorithms and Identifiers for the | CRLs. This document updates the "Algorithms and Identifiers for the | |||
| Internet X.509 Public Key Infrastructure Certificate and Certificate | Internet X.509 Public Key Infrastructure Certificate and Certificate | |||
| Revocation List Profile" (RFC3279) and describes the conventions for | Revocation List Profile" (RFC3279) and describes the conventions for | |||
| using the SHAKE function family in Internet X.509 certificates and | using the SHAKE function family in Internet X.509 certificates and | |||
| revocation lists as one-way hash functions with the RSA Probabilistic | revocation lists as one-way hash functions with the RSA Probabilistic | |||
| signature and ECDSA signature algorithms. The conventions for the | signature and ECDSA signature algorithms. The conventions for the | |||
| skipping to change at page 2, line 13 ¶ | skipping to change at page 2, line 13 ¶ | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 4. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Use in PKIX . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 5. Use in PKIX . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5.1. Signatures . . . . . . . . . . . . . . . . . . . . . . . 6 | 5.1. Signatures . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5.1.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 7 | 5.1.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 7 | |||
| 5.1.2. ECDSA Signatures . . . . . . . . . . . . . . . . . . 8 | 5.1.2. ECDSA Signatures . . . . . . . . . . . . . . . . . . 8 | |||
| 5.2. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 8 | 5.2. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 11 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 11 | 9.2. Informative References . . . . . . . . . . . . . . . . . 12 | |||
| Appendix A. ASN.1 module . . . . . . . . . . . . . . . . . . . . 12 | Appendix A. ASN.1 module . . . . . . . . . . . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 1. Change Log | 1. Change Log | |||
| [ EDNOTE: Remove this section before publication. ] | [ EDNOTE: Remove this section before publication. ] | |||
| o draft-ietf-lamps-pkix-shake-14: | ||||
| * Fixing error with incorrect preimage resistance bits for SHA128 | ||||
| and SHA256. | ||||
| o draft-ietf-lamps-pkix-shake-13: | o draft-ietf-lamps-pkix-shake-13: | |||
| * Addressing one applicable comment from Dan M. about sec levels | * Addressing one applicable comment from Dan M. about sec levels | |||
| while in secdir review of draft-ietf-lamps-cms-shakes. | while in secdir review of draft-ietf-lamps-cms-shakes. | |||
| * Addressing comment from Scott B.'s opsdir review about | * Addressing comment from Scott B.'s opsdir review about | |||
| references in the abstract. | references in the abstract. | |||
| o draft-ietf-lamps-pkix-shake-12: | o draft-ietf-lamps-pkix-shake-12: | |||
| skipping to change at page 10, line 17 ¶ | skipping to change at page 10, line 37 ¶ | |||
| This document updates [RFC3279]. The security considerations section | This document updates [RFC3279]. The security considerations section | |||
| of that document applies to this specification as well. | of that document applies to this specification as well. | |||
| NIST has defined appropriate use of the hash functions in terms of | NIST has defined appropriate use of the hash functions in terms of | |||
| the algorithm strengths and expected time frames for secure use in | the algorithm strengths and expected time frames for secure use in | |||
| Special Publications (SPs) [SP800-78-4] and [SP800-107]. These | Special Publications (SPs) [SP800-78-4] and [SP800-107]. These | |||
| documents can be used as guides to choose appropriate key sizes for | documents can be used as guides to choose appropriate key sizes for | |||
| various security scenarios. | various security scenarios. | |||
| SHAKE128 with output length of 256-bits offers 128-bits of collision | SHAKE128 with output length of 256-bits offers 128-bits of collision | |||
| and 256-bits of preimage resistance. Thus, SHAKE128 OIDs in this | and preimage resistance. Thus, SHAKE128 OIDs in this specification | |||
| specification are RECOMMENDED with 2048 (112-bit security) or | are RECOMMENDED with 2048 (112-bit security) or 3072-bit (128-bit | |||
| 3072-bit (128-bit security) RSA modulus or curves with group order of | security) RSA modulus or curves with group order of 256-bits (128-bit | |||
| 256-bits (128-bit security). SHAKE256 with 512-bits output length | security). SHAKE256 with 512-bits output length offers 256-bits of | |||
| offers 256-bits of collision and 512-bits of preimage resistance. | collision and preimage resistance. Thus, the SHAKE256 OIDs in this | |||
| Thus, the SHAKE256 OIDs in this specification are RECOMMENDED with | specification are RECOMMENDED with 4096-bit RSA modulus or higher or | |||
| 4096-bit RSA modulus or higher or curves with group order of 384-bits | curves with group order of 521-bits (256-bit security) or higher. | |||
| (256-bit security) or higher. Note that we recommended 4096-bit RSA | Note that we recommended 4096-bit RSA because we would need 15360-bit | |||
| because we would need 15360-bit modulus for 256-bits of security | modulus for 256-bits of security which is impractical for today's | |||
| which is impractical for today's technology. | technology. | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| We would like to thank Sean Turner, Jim Schaad and Eric Rescorla for | We would like to thank Sean Turner, Jim Schaad and Eric Rescorla for | |||
| their valuable contributions to this document. | their valuable contributions to this document. | |||
| The authors would like to thank Russ Housley for his guidance and | The authors would like to thank Russ Housley for his guidance and | |||
| very valuable contributions with the ASN.1 module. | very valuable contributions with the ASN.1 module. | |||
| 9. References | 9. References | |||
| End of changes. 6 change blocks. | ||||
| 18 lines changed or deleted | 23 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||