draft-ietf-lamps-pkix-shake-15.txt | rfc8692.txt | |||
---|---|---|---|---|
LAMPS WG P. Kampanakis | Internet Engineering Task Force (IETF) P. Kampanakis | |||
Internet-Draft Cisco Systems | Request for Comments: 8692 Cisco Systems | |||
Updates: 3279 (if approved) Q. Dang | Updates: 3279 Q. Dang | |||
Intended status: Standards Track NIST | Category: Standards Track NIST | |||
Expires: January 22, 2020 July 21, 2019 | ISSN: 2070-1721 December 2019 | |||
Internet X.509 Public Key Infrastructure: Additional Algorithm | Internet X.509 Public Key Infrastructure: Additional Algorithm | |||
Identifiers for RSASSA-PSS and ECDSA using SHAKEs | Identifiers for RSASSA-PSS and ECDSA Using SHAKEs | |||
draft-ietf-lamps-pkix-shake-15 | ||||
Abstract | Abstract | |||
Digital signatures are used to sign messages, X.509 certificates and | Digital signatures are used to sign messages, X.509 certificates, and | |||
CRLs. This document updates the "Algorithms and Identifiers for the | Certificate Revocation Lists (CRLs). This document updates the | |||
Internet X.509 Public Key Infrastructure Certificate and Certificate | "Algorithms and Identifiers for the Internet X.509 Public Key | |||
Revocation List Profile" (RFC3279) and describes the conventions for | Infrastructure Certificate and Certificate Revocation List (CRL) | |||
using the SHAKE function family in Internet X.509 certificates and | Profile" (RFC 3279) and describes the conventions for using the SHAKE | |||
revocation lists as one-way hash functions with the RSA Probabilistic | function family in Internet X.509 certificates and revocation lists | |||
signature and ECDSA signature algorithms. The conventions for the | as one-way hash functions with the RSA Probabilistic signature and | |||
associated subject public keys are also described. | Elliptic Curve Digital Signature Algorithm (ECDSA) signature | |||
algorithms. The conventions for the associated subject public keys | ||||
are also described. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on January 22, 2020. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc8692. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Change Log | 1. Introduction | |||
2. Introduction | 2. Terminology | |||
3. Terminology | 3. Identifiers | |||
4. Identifiers | 4. Use in PKIX | |||
5. Use in PKIX | 4.1. Signatures | |||
5.1. Signatures | 4.1.1. RSASSA-PSS Signatures | |||
5.1.1. RSASSA-PSS Signatures | 4.1.2. ECDSA Signatures | |||
5.1.2. ECDSA Signatures | 4.2. Public Keys | |||
5.2. Public Keys | 5. IANA Considerations | |||
6. IANA Considerations | 6. Security Considerations | |||
7. Security Considerations | 7. References | |||
8. Acknowledgements | 7.1. Normative References | |||
9. References | 7.2. Informative References | |||
9.1. Normative References | Appendix A. ASN.1 Module | |||
9.2. Informative References | Acknowledgements | |||
Appendix A. ASN.1 module | Authors' Addresses | |||
Authors' Addresses | ||||
1. Change Log | ||||
[ EDNOTE: Remove this section before publication. ] | ||||
o draft-ietf-lamps-pkix-shake-15: | ||||
* Minor editorial nits. | ||||
o draft-ietf-lamps-pkix-shake-14: | ||||
* Fixing error with incorrect preimage resistance bits for SHA128 | ||||
and SHA256. | ||||
o draft-ietf-lamps-pkix-shake-13: | ||||
* Addressing one applicable comment from Dan M. about sec levels | ||||
while in secdir review of draft-ietf-lamps-cms-shakes. | ||||
* Addressing comment from Scott B.'s opsdir review about | ||||
references in the abstract. | ||||
o draft-ietf-lamps-pkix-shake-12: | ||||
* Nits identified by Roman, Eric V., Ben K., Barry L. in ballot | ||||
position review. | ||||
o draft-ietf-lamps-pkix-shake-11: | ||||
* Nits identified by Roman in AD Review. | ||||
o draft-ietf-lamps-pkix-shake-10: | ||||
* Updated IANA considerations section to request for OID | ||||
assignments. | ||||
o draft-ietf-lamps-pkix-shake-09: | ||||
* Fixed minor text nits. | ||||
* Added text name allocation for SHAKEs in IANA considerations. | ||||
* Updates in Sec Considerations section. | ||||
o draft-ietf-lamps-pkix-shake-08: | ||||
* Small nits from Russ while in WGLC. | ||||
o draft-ietf-lamps-pkix-shake-07: | ||||
* Incorporated Eric's suggestion from WGLC. | ||||
o draft-ietf-lamps-pkix-shake-06: | ||||
* Added informative references. | ||||
* Updated ASN.1 so it compiles. | ||||
* Updated IANA considerations. | ||||
o draft-ietf-lamps-pkix-shake-05: | ||||
* Added RFC8174 reference and text. | ||||
* Explicitly explained why RSASSA-PSS-params are omitted in | ||||
section 5.1.1. | ||||
* Simplified Public Keys section by removing redundant info from | ||||
RFCs. | ||||
o draft-ietf-lamps-pkix-shake-04: | ||||
* Removed paragraph suggesting KMAC to be used in generating k in | ||||
Deterministic ECDSA. That should be RFC6979-bis. | ||||
* Removed paragraph from Security Considerations that talks about | ||||
randomness of k because we are using deterministic ECDSA. | ||||
* Various ASN.1 fixes. | ||||
* Text fixes. | ||||
o draft-ietf-lamps-pkix-shake-03: | ||||
* Updates based on suggestions and clarifications by Jim. | ||||
* Added ASN.1. | ||||
o draft-ietf-lamps-pkix-shake-02: | ||||
* Significant reorganization of the sections to simplify the | ||||
introduction, the new OIDs and their use in PKIX. | ||||
* Added new OIDs for RSASSA-PSS that hardcode hash, salt and MGF, | ||||
according to the WG consensus. | ||||
* Updated Public Key section to use the new RSASSA-PSS OIDs and | ||||
clarify the algorithm identifier usage. | ||||
* Removed the no longer used SHAKE OIDs from section 3.1. | ||||
* Consolidated subsection for message digest algorithms. | ||||
* Text fixes. | ||||
o draft-ietf-lamps-pkix-shake-01: | ||||
* Changed titles and section names. | ||||
* Removed DSA after WG discussions. | ||||
* Updated shake OID names and parameters, added MGF1 section. | ||||
* Updated RSASSA-PSS section. | ||||
* Added Public key algorithm OIDs. | ||||
* Populated Introduction and IANA sections. | ||||
o draft-ietf-lamps-pkix-shake-00: | ||||
* Initial version | ||||
2. Introduction | 1. Introduction | |||
[RFC3279] defines cryptographic algorithm identifiers for the | [RFC3279] defines cryptographic algorithm identifiers for the | |||
Internet X.509 Certificate and Certificate Revocation Lists (CRL) | "Internet X.509 Public Key Infrastructure Certificate and Certificate | |||
profile [RFC5280]. This document updates RFC3279 and defines | Revocation List (CRL) Profile" [RFC5280]. This document updates RFC | |||
identifiers for several cryptographic algorithms that use variable | 3279 and defines identifiers for several cryptographic algorithms | |||
length output SHAKE functions introduced in [SHA3] which can be used | that use variable-length output SHAKE functions introduced in [SHA3] | |||
with . | which can be used with RFC 5280. | |||
In the SHA-3 family, two extendable-output functions (SHAKEs), | In the SHA-3 family, two extendable-output functions (SHAKEs) are | |||
SHAKE128 and SHAKE256, are defined. Four other hash function | defined: SHAKE128 and SHAKE256. Four other hash function instances, | |||
instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512, are also | SHA3-224, SHA3-256, SHA3-384, and SHA3-512, are also defined but are | |||
defined but are out of scope for this document. A SHAKE is a | out of scope for this document. A SHAKE is a variable-length hash | |||
variable length hash function defined as SHAKE(M, d) where the output | function defined as SHAKE(M, d) where the output is a d-bits-long | |||
is a d-bits-long digest of message M. The corresponding collision | digest of message M. The corresponding collision and second- | |||
and second-preimage-resistance strengths for SHAKE128 are | preimage-resistance strengths for SHAKE128 are min(d/2, 128) and | |||
min(d/2,128) and min(d,128) bits, respectively (Appendix A.1 [SHA3]). | min(d, 128) bits, respectively (see Appendix A.1 of [SHA3]). And the | |||
And the corresponding collision and second-preimage-resistance | corresponding collision and second-preimage-resistance strengths for | |||
strengths for SHAKE256 are min(d/2,256) and min(d,256) bits, | SHAKE256 are min(d/2, 256) and min(d, 256) bits, respectively. | |||
respectively. | ||||
A SHAKE can be used as the message digest function (to hash the | A SHAKE can be used as the message digest function (to hash the | |||
message to be signed) in RSASSA-PSS [RFC8017] and ECDSA [X9.62] and | message to be signed) in RSA Probabilistic Signature Scheme (RSASSA- | |||
as the hash in the mask generation function (MGF) in RSASSA-PSS. | PSS) [RFC8017] and ECDSA [X9.62] and as the hash in the mask | |||
generation function (MGF) in RSASSA-PSS. | ||||
3. Terminology | 2. Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
4. Identifiers | 3. Identifiers | |||
This section defines four new object identifiers (OIDs), for RSASSA- | This section defines four new object identifiers (OIDs), for RSASSA- | |||
PSS and ECDSA with each of SHAKE128 and SHAKE256. The same algorithm | PSS and ECDSA with each of SHAKE128 and SHAKE256. The same algorithm | |||
identifiers can be used for identifying a public key in RSASSA-PSS. | identifiers can be used for identifying a public key in RSASSA-PSS. | |||
The new identifiers for RSASSA-PSS signatures using SHAKEs are below. | The new identifiers for RSASSA-PSS signatures using SHAKEs are below. | |||
id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { iso(1) | id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { iso(1) | |||
identified-organization(3) dod(6) internet(1) | identified-organization(3) dod(6) internet(1) | |||
security(5) mechanisms(5) pkix(7) algorithms(6) | security(5) mechanisms(5) pkix(7) algorithms(6) | |||
TBD1 } | 30 } | |||
id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { iso(1) | id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { iso(1) | |||
identified-organization(3) dod(6) internet(1) | identified-organization(3) dod(6) internet(1) | |||
security(5) mechanisms(5) pkix(7) algorithms(6) | security(5) mechanisms(5) pkix(7) algorithms(6) | |||
TBD2 } | 31 } | |||
The new algorithm identifiers of ECDSA signatures using SHAKEs are | The new algorithm identifiers of ECDSA signatures using SHAKEs are | |||
below. | below. | |||
id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { iso(1) | id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { iso(1) | |||
identified-organization(3) dod(6) internet(1) | identified-organization(3) dod(6) internet(1) | |||
security(5) mechanisms(5) pkix(7) algorithms(6) | security(5) mechanisms(5) pkix(7) algorithms(6) | |||
TBD3 } | 32 } | |||
id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { iso(1) | id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { iso(1) | |||
identified-organization(3) dod(6) internet(1) | identified-organization(3) dod(6) internet(1) | |||
security(5) mechanisms(5) pkix(7) algorithms(6) | security(5) mechanisms(5) pkix(7) algorithms(6) | |||
TBD4 } | 33 } | |||
The parameters for the four identifiers above MUST be absent. That | The parameters for the four identifiers above MUST be absent. That | |||
is, the identifier SHALL be a SEQUENCE of one component, the OID. | is, the identifier SHALL be a SEQUENCE of one component: the OID. | |||
Section 5.1.1 and Section 5.1.2 specify the required output length | Sections 4.1.1 and 4.1.2 specify the required output length for each | |||
for each use of SHAKE128 or SHAKE256 in RSASSA-PSS and ECDSA. In | use of SHAKE128 or SHAKE256 in RSASSA-PSS and ECDSA. In summary, | |||
summary, when hashing messages to be signed, output lengths of | when hashing messages to be signed, output lengths of SHAKE128 and | |||
SHAKE128 and SHAKE256 are 256 and 512 bits respectively. When the | SHAKE256 are 256 and 512 bits, respectively. When the SHAKEs are | |||
SHAKEs are used as mask generation functions RSASSA-PSS, their output | used as MGFs in RSASSA-PSS, their output length is (8*ceil((n-1)/8) - | |||
length is (8*ceil((n-1)/8) - 264) or (8*ceil((n-1)/8) - 520) bits, | 264) or (8*ceil((n-1)/8) - 520) bits, respectively, where n is the | |||
respectively, where n is the RSA modulus size in bits. | RSA modulus size in bits. | |||
5. Use in PKIX | 4. Use in PKIX | |||
5.1. Signatures | 4.1. Signatures | |||
Signatures are used in a number of different ASN.1 structures. As | Signatures are used in a number of different ASN.1 structures. As | |||
shown in the ASN.1 representation from [RFC5280] below, in an X.509 | shown in the ASN.1 representation from [RFC5280] below, in an X.509 | |||
certificate, a signature is encoded with an algorithm identifier in | certificate, a signature is encoded with an algorithm identifier in | |||
the signatureAlgorithm attribute and a signatureValue attribute that | the signatureAlgorithm attribute and a signatureValue attribute that | |||
contains the actual signature. | contains the actual signature. | |||
Certificate ::= SEQUENCE { | Certificate ::= SEQUENCE { | |||
tbsCertificate TBSCertificate, | tbsCertificate TBSCertificate, | |||
signatureAlgorithm AlgorithmIdentifier, | signatureAlgorithm AlgorithmIdentifier, | |||
signatureValue BIT STRING } | signatureValue BIT STRING } | |||
The identifiers defined in Section 4 can be used as the | The identifiers defined in Section 3 can be used as the | |||
AlgorithmIdentifier in the signatureAlgorithm field in the sequence | AlgorithmIdentifier in the signatureAlgorithm field in the sequence | |||
Certificate and the signature field in the sequence TBSCertificate in | Certificate and the signature field in the sequence TBSCertificate in | |||
X.509 [RFC5280]. The parameters of these signature algorithms are | X.509 [RFC5280]. The parameters of these signature algorithms are | |||
absent as explained in Section 4. | absent, as explained in Section 3. | |||
Conforming CA implementations MUST specify the algorithms explicitly | Conforming Certification Authority (CA) implementations MUST specify | |||
by using the OIDs specified in Section 4 when encoding RSASSA-PSS or | the algorithms explicitly by using the OIDs specified in Section 3 | |||
ECDSA with SHAKE signatures in certificates and CRLs. Conforming | when encoding RSASSA-PSS or ECDSA with SHAKE signatures in | |||
client implementations that process certificates and CRLs using | certificates and CRLs. Conforming client implementations that | |||
RSASSA-PSS or ECDSA with SHAKE MUST recognize the corresponding OIDs. | process certificates and CRLs using RSASSA-PSS or ECDSA with SHAKE | |||
Encoding rules for RSASSA-PSS and ECDSA signature values are | MUST recognize the corresponding OIDs. Encoding rules for RSASSA-PSS | |||
specified in [RFC4055] and [RFC5480], respectively. | and ECDSA signature values are specified in [RFC4055] and [RFC5480], | |||
respectively. | ||||
When using RSASSA-PSS or ECDSA with SHAKEs, the RSA modulus and ECDSA | When using RSASSA-PSS or ECDSA with SHAKEs, the RSA modulus and ECDSA | |||
curve order SHOULD be chosen in line with the SHAKE output length. | curve order SHOULD be chosen in line with the SHAKE output length. | |||
Refer to Section 7 for more details. | Refer to Section 6 for more details. | |||
5.1.1. RSASSA-PSS Signatures | 4.1.1. RSASSA-PSS Signatures | |||
The RSASSA-PSS algorithm is defined in [RFC8017]. When id-RSASSA- | The RSASSA-PSS algorithm is defined in [RFC8017]. When id-RSASSA- | |||
PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in Section 4 is | PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 (specified in Section 3) is | |||
used, the encoding MUST omit the parameters field. That is, the | used, the encoding MUST omit the parameters field. That is, the | |||
AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA- | AlgorithmIdentifier SHALL be a SEQUENCE of one component: id-RSASSA- | |||
PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. [RFC4055] defines RSASSA- | PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256. [RFC4055] defines RSASSA- | |||
PSS-params that are used to define the algorithms and inputs to the | PSS-params that is used to define the algorithms and inputs to the | |||
algorithm. This specification does not use parameters because the | algorithm. This specification does not use parameters because the | |||
hash, mask generation algorithm, trailer and salt are embedded in the | hash, mask generation algorithm, trailer, and salt are embedded in | |||
OID definition. | the OID definition. | |||
The hash algorithm to hash a message being signed and the hash | The hash algorithm to hash a message being signed and the hash | |||
algorithm used as the mask generation function in RSASSA-PSS MUST be | algorithm used as the MGF in RSASSA-PSS MUST be the same: both | |||
the same: both SHAKE128 or both SHAKE256. The output length of the | SHAKE128 or both SHAKE256. The output length of the hash algorithm | |||
hash algorithm which hashes the message SHALL be 32 (for SHAKE128) or | that hashes the message SHALL be 32 bytes (for SHAKE128) or 64 bytes | |||
64 bytes (for SHAKE256). | (for SHAKE256). | |||
The mask generation function takes an octet string of variable length | The MGF takes an octet string of variable length and a desired output | |||
and a desired output length as input, and outputs an octet string of | length as input and outputs an octet string of the desired length. | |||
the desired length. In RSASSA-PSS with SHAKEs, the SHAKEs MUST be | In RSASSA-PSS with SHAKEs, the SHAKEs MUST be used natively as the | |||
used natively as the MGF function, instead of the MGF1 algorithm that | MGF, instead of the MGF1 algorithm that uses the hash function in | |||
uses the hash function in multiple iterations as specified in | multiple iterations, as specified in Appendix B.2.1 of [RFC8017]. In | |||
Section B.2.1 of [RFC8017]. In other words, the MGF is defined as | other words, the MGF is defined as the SHAKE128 or SHAKE256 output of | |||
the SHAKE128 or SHAKE256 output of the mgfSeed for id-RSASSA-PSS- | the mgfSeed for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256, | |||
SHAKE128 and id-RSASSA-PSS-SHAKE256, respectively. The mgfSeed is | respectively. The mgfSeed is the seed from which the mask is | |||
the seed from which mask is generated, an octet string [RFC8017]. As | generated, an octet string [RFC8017]. As explained in Step 9 of | |||
explained in Step 9 of section 9.1.1 of [RFC8017], the output length | Section 9.1.1 of [RFC8017], the output length of the MGF is emLen - | |||
of the MGF is emLen - hLen - 1 bytes. emLen is the maximum message | hLen - 1 bytes. emLen is the maximum message length ceil((n-1)/8), | |||
length ceil((n-1)/8), where n is the RSA modulus in bits. hLen is 32 | where n is the RSA modulus in bits. hLen is 32 and 64 bytes for id- | |||
and 64-bytes for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256, | RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256, respectively. Thus, | |||
respectively. Thus when SHAKE is used as the MGF, the SHAKE output | when SHAKE is used as the MGF, the SHAKE output length maskLen is | |||
length maskLen is (8*emLen - 264) or (8*emLen - 520) bits, | (8*emLen - 264) or (8*emLen - 520) bits, respectively. For example, | |||
respectively. For example, when RSA modulus n is 2048, the output | when RSA modulus n is 2048 bits, the output length of SHAKE128 or | |||
length of SHAKE128 or SHAKE256 as the MGF will be 1784 or 1528-bits | SHAKE256 as the MGF will be 1784 or 1528 bits when id-RSASSA-PSS- | |||
when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 is used, | SHAKE128 or id-RSASSA-PSS-SHAKE256 is used, respectively. | |||
respectively. | ||||
The RSASSA-PSS saltLength MUST be 32 bytes for id-RSASSA-PSS-SHAKE128 | The RSASSA-PSS saltLength MUST be 32 bytes for id-RSASSA-PSS-SHAKE128 | |||
or 64 bytes for id-RSASSA-PSS-SHAKE256. Finally, the trailerField | or 64 bytes for id-RSASSA-PSS-SHAKE256. Finally, the trailerField | |||
MUST be 1, which represents the trailer field with hexadecimal value | MUST be 1, which represents the trailer field with hexadecimal value | |||
0xBC [RFC8017]. | 0xBC [RFC8017]. | |||
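Added example, not code from the draft, from RFC 8692 or from its authors: a Python sketch of the two mechanical rules above, the parameter-less AlgorithmIdentifier of Section 4 (DER SEQUENCE holding only the OID, so a stray NULL parameters field is rejected) and the Section 5.1.1 EMSA-PSS encoding in which the same SHAKE is the message hash and, natively, the MGF with output length 8*emLen - 264 or 8*emLen - 520 bits. Function names are my own; the OID arcs 30-33 are the values RFC 8692 assigns, and the DER length helper assumes short-form lengths.

```python
import hashlib
import os

# Section 4 OIDs under pkix(7) algorithms(6); arcs 30-33 are those IANA assigned in RFC 8692.
PKIX_ALGORITHMS = "1.3.6.1.5.5.7.6"
SHAKE_SIG_OIDS = {
    "id-RSASSA-PSS-SHAKE128": PKIX_ALGORITHMS + ".30",
    "id-RSASSA-PSS-SHAKE256": PKIX_ALGORITHMS + ".31",
    "id-ecdsa-with-shake128": PKIX_ALGORITHMS + ".32",
    "id-ecdsa-with-shake256": PKIX_ALGORITHMS + ".33",
}
# Section 5.1.1 fixes hash == MGF SHAKE, hLen = saltLength = 32 or 64, trailer 0xBC.
PSS_PROFILES = {
    "id-RSASSA-PSS-SHAKE128": (hashlib.shake_128, 32),
    "id-RSASSA-PSS-SHAKE256": (hashlib.shake_256, 64),
}


def _der_len(n: int) -> bytes:
    assert n < 0x80  # short-form length: every structure built here is < 128 bytes
    return bytes([n])


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def algorithm_identifier(name: str) -> bytes:
    """AlgorithmIdentifier with parameters absent: SEQUENCE holding only the OID."""
    oid = encode_oid(SHAKE_SIG_OIDS[name])
    return b"\x30" + _der_len(len(oid)) + oid


def identify_shake_signature_alg(der: bytes):
    """Matching identifier name or None; DER is canonical, so an exact byte
    comparison also rejects any parameters field (for instance a stray NULL)."""
    for name in SHAKE_SIG_OIDS:
        if der == algorithm_identifier(name):
            return name
    return None


def mgf_output_bits(name: str, n_bits: int) -> int:
    """SHAKE output length when used as the MGF: 8*emLen - 264 or 8*emLen - 520."""
    _, h_len = PSS_PROFILES[name]
    em_len = (n_bits - 1 + 7) // 8  # emLen = ceil((n-1)/8)
    return 8 * (em_len - h_len - 1)


def emsa_pss_encode(name: str, message: bytes, n_bits: int, salt=None) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017, Section 9.1.1) with SHAKE as hash and MGF."""
    shake, h_len = PSS_PROFILES[name]
    s_len = h_len
    em_bits = n_bits - 1
    em_len = (em_bits + 7) // 8
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: modulus too small for this profile")
    salt = os.urandom(s_len) if salt is None else salt
    if len(salt) != s_len:
        raise ValueError("saltLength MUST equal hLen")
    m_hash = shake(message).digest(h_len)
    h = shake(b"\x00" * 8 + m_hash + salt).digest(h_len)  # H = Hash(M')
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt
    # MGF is the raw SHAKE output of mgfSeed (H) at maskLen, not an MGF1 loop.
    db_mask = shake(h).digest(em_len - h_len - 1)
    masked = bytearray(a ^ b for a, b in zip(db, db_mask))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the leftmost bits
    return bytes(masked) + h + b"\xbc"  # trailerField 1 -> 0xBC


def emsa_pss_verify(name: str, message: bytes, em: bytes, n_bits: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017, Section 9.1.2) for the same fixed profile."""
    shake, h_len = PSS_PROFILES[name]
    s_len = h_len
    em_bits = n_bits - 1
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[: em_len - h_len - 1], em[em_len - h_len - 1 : -1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & (~top & 0xFF):  # leftmost bits must be zero
        return False
    db = bytearray(a ^ b for a, b in zip(masked, shake(h).digest(len(masked))))
    db[0] &= top
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    return shake(b"\x00" * 8 + shake(message).digest(h_len) + bytes(db[-s_len:])).digest(h_len) == h
```

For a 2048-bit modulus the encoded message is 256 octets and the mask is 223 or 191 octets, which is the 1784 or 1528 bits the text computes.

draft-ietf-lamps-pkix-shake-15.txt | rfc8692.txt | |||
---|---|---|---|---|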
5.1.2. ECDSA Signatures | 4.1.2. ECDSA Signatures | |||
The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | |||
[X9.62]. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256 | [X9.62]. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256 | |||
(specified in Section 4) algorithm identifier appears, the respective | (specified in Section 3) algorithm identifier appears, the respective | |||
SHAKE function (SHAKE128 or SHAKE256) is used as the hash. The | SHAKE function (SHAKE128 or SHAKE256) is used as the hash. The | |||
encoding MUST omit the parameters field. That is, the | encoding MUST omit the parameters field. That is, the | |||
AlgorithmIdentifier SHALL be a SEQUENCE of one component, the OID id- | AlgorithmIdentifier SHALL be a SEQUENCE of one component: the OID id- | |||
ecdsa-with-shake128 or id-ecdsa-with-shake256. | ecdsa-with-shake128 or id-ecdsa-with-shake256. | |||
For simplicity and compliance with the ECDSA standard specification, | For simplicity and compliance with the ECDSA standard specification | |||
the output length of the hash function must be explicitly determined. | [X9.62], the output length of the hash function must be explicitly | |||
The output length, d, for SHAKE128 or SHAKE256 used in ECDSA MUST be | determined. The output length, d, for SHAKE128 or SHAKE256 used in | |||
256 or 512 bits, respectively. | ECDSA MUST be 256 or 512 bits, respectively. | |||
Conforming CA implementations that generate ECDSA with SHAKE | Conforming CA implementations that generate ECDSA with SHAKE | |||
signatures in certificates or CRLs SHOULD generate such signatures | signatures in certificates or CRLs SHOULD generate such signatures | |||
with a deterministically generated, non-random k in accordance with | with a deterministically generated, nonrandom k in accordance with | |||
all the requirements specified in [RFC6979]. They MAY also generate | all the requirements specified in [RFC6979]. They MAY also generate | |||
such signatures in accordance with all other recommendations in | such signatures in accordance with all other recommendations in | |||
[X9.62] or [SEC1] if they have a stated policy that requires | [X9.62] or [SEC1] if they have a stated policy that requires | |||
conformance to those standards. Those standards have not specified | conformance to those standards. Those standards have not specified | |||
SHAKE128 and SHAKE256 as hash algorithm options. However, SHAKE128 | SHAKE128 and SHAKE256 as hash algorithm options. However, SHAKE128 | |||
and SHAKE256 with output length being 32 and 64 octets, respectively, | and SHAKE256 with output length being 32 and 64 octets, respectively, | |||
can be used instead of 256 and 512-bit output hash algorithms such as | can be used instead of 256- and 512-bit output hash algorithms such | |||
SHA256 and SHA512. | as SHA256 and SHA512. | |||
5.2. Public Keys | 4.2. Public Keys | |||
Certificates conforming to [RFC5280] can convey a public key for any | Certificates conforming to [RFC5280] can convey a public key for any | |||
public key algorithm. The certificate indicates the public key | public key algorithm. The certificate indicates the public key | |||
algorithm through an algorithm identifier. This algorithm identifier | algorithm through an algorithm identifier. This algorithm identifier | |||
is an OID and optionally associated parameters. The conventions and | is an OID with optionally associated parameters. The conventions and | |||
encoding for RSASSA-PSS and ECDSA public keys algorithm identifiers | encoding for RSASSA-PSS and ECDSA public key algorithm identifiers | |||
are as specified in Section 2.3.1 and 2.3.5 of [RFC3279], Section 3.1 | are as specified in Sections 2.3.1 and 2.3.5 of [RFC3279], | |||
of [RFC4055] and Section 2.1 of [RFC5480]. | Section 3.1 of [RFC4055] and Section 2.1 of [RFC5480]. | |||
Traditionally, the rsaEncryption object identifier is used to | Traditionally, the rsaEncryption object identifier is used to | |||
identify RSA public keys. The rsaEncryption object identifier | identify RSA public keys. The rsaEncryption object identifier | |||
continues to identify the subject public key when the RSA private key | continues to identify the subject public key when the RSA private key | |||
owner does not wish to limit the use of the public key exclusively to | owner does not wish to limit the use of the public key exclusively to | |||
RSASSA-PSS with SHAKEs. When the RSA private key owner wishes to | RSASSA-PSS with SHAKEs. When the RSA private key owner wishes to | |||
limit the use of the public key exclusively to RSASSA-PSS with | limit the use of the public key exclusively to RSASSA-PSS with | |||
SHAKEs, the AlgorithmIdentifiers for RSASSA-PSS defined in Section 4 | SHAKEs, the AlgorithmIdentifiers for RSASSA-PSS defined in Section 3 | |||
SHOULD be used as the algorithm field in the SubjectPublicKeyInfo | SHOULD be used as the algorithm field in the SubjectPublicKeyInfo | |||
sequence [RFC5280]. Conforming client implementations that process | sequence [RFC5280]. Conforming client implementations that process | |||
RSASSA-PSS with SHAKE public keys when processing certificates and | RSASSA-PSS with SHAKE public keys when processing certificates and | |||
CRLs MUST recognize the corresponding OIDs. | CRLs MUST recognize the corresponding OIDs. | |||
Conforming CA implementations MUST specify the X.509 public key | Conforming CA implementations MUST specify the X.509 public key | |||
algorithm explicitly by using the OIDs specified in Section 4 when | algorithm explicitly by using the OIDs specified in Section 3 when | |||
encoding ECDSA with SHAKE public keys in certificates and CRLs. | encoding ECDSA with SHAKE public keys in certificates and CRLs. | |||
Conforming client implementations that process ECDSA with SHAKE | Conforming client implementations that process ECDSA with SHAKE | |||
public keys when processing certificates and CRLs MUST recognize the | public keys when processing certificates and CRLs MUST recognize the | |||
corresponding OIDs. | corresponding OIDs. | |||
The identifier parameters, as explained in Section 4, MUST be absent. | The identifier parameters, as explained in Section 3, MUST be absent. | |||
6. IANA Considerations | 5. IANA Considerations | |||
One object identifier for the ASN.1 module in Appendix A is requested | One object identifier for the ASN.1 module in Appendix A has been | |||
for the SMI Security for PKIX Module Identifiers (1.3.6.1.5.5.7.0) | assigned in the "SMI Security for PKIX Module Identifier" | |||
registry: | (1.3.6.1.5.5.7.0) registry: | |||
+---------+--------------------------+--------------------+ | +---------+--------------------------+------------+ | |||
\| Decimal \| Description              \| References         \| | \| Decimal \| Description              \| References \| | |||
+---------+--------------------------+--------------------+ | +=========+==========================+============+ | |||
\| TBD     \| id-mod-pkix1-shakes-2019 \| [EDNOTE: THIS RFC] \| | \| 94      \| id-mod-pkix1-shakes-2019 \| RFC 8692   \| | |||
+---------+--------------------------+--------------------+ | +---------+--------------------------+------------+ | |||
| | Table 1 | |||
IANA is requested to update the SMI Security for PKIX Algorithms | IANA has updated the "SMI Security for PKIX Algorithms" | |||
[SMI-PKIX] (1.3.6.1.5.5.7.6) registry with four additional entries: | (1.3.6.1.5.5.7.6) registry [SMI-PKIX] with four additional entries: | |||
+---------+------------------------+--------------------+ | +---------+------------------------+------------+ | |||
\| Decimal \| Description            \| References         \| | \| Decimal \| Description            \| References \| | |||
+---------+------------------------+--------------------+ | +=========+========================+============+ | |||
\| TBD1    \| id-RSASSA-PSS-SHAKE128 \| [EDNOTE: THIS RFC] \| | \| 30      \| id-RSASSA-PSS-SHAKE128 \| RFC 8692   \| | |||
| | +---------+------------------------+------------+ | |||
\| TBD2    \| id-RSASSA-PSS-SHAKE256 \| [EDNOTE: THIS RFC] \| | \| 31      \| id-RSASSA-PSS-SHAKE256 \| RFC 8692   \| | |||
| | +---------+------------------------+------------+ | |||
\| TBD3    \| id-ecdsa-with-shake128 \| [EDNOTE: THIS RFC] \| | \| 32      \| id-ecdsa-with-shake128 \| RFC 8692   \| | |||
| | +---------+------------------------+------------+ | |||
\| TBD4    \| id-ecdsa-with-shake256 \| [EDNOTE: THIS RFC] \| | \| 33      \| id-ecdsa-with-shake256 \| RFC 8692   \| | |||
+---------+------------------------+--------------------+ | +---------+------------------------+------------+ | |||
| | Table 2 | |||
IANA is also requested to update the Hash Function Textual Names | IANA has updated the "Hash Function Textual Names" registry | |||
Registry [Hash-Texts] with two additional entries for SHAKE128 and | [Hash-Texts] with two additional entries for SHAKE128 and SHAKE256: | |||
SHAKE256: | ||||
+--------------------+-------------------------+--------------------+ | +--------------------+-------------------------+-----------+ | |||
\| Hash Function Name \| OID                     \| Reference          \| | \| Hash Function Name \| OID                     \| Reference \| | |||
+--------------------+-------------------------+--------------------+ | +====================+=========================+===========+ | |||
\| shake128           \| 2.16.840.1.101.3.4.2.11 \| [EDNOTE: THIS RFC] \| | \| shake128           \| 2.16.840.1.101.3.4.2.11 \| RFC 8692  \| | |||
| | +--------------------+-------------------------+-----------+ | |||
\| shake256           \| 2.16.840.1.101.3.4.2.12 \| [EDNOTE: THIS RFC] \| | \| shake256           \| 2.16.840.1.101.3.4.2.12 \| RFC 8692  \| | |||
+--------------------+-------------------------+--------------------+ | +--------------------+-------------------------+-----------+ | |||
| | Table 3 | |||
7. Security Considerations | 6. Security Considerations | |||
This document updates [RFC3279]. The security considerations section | This document updates [RFC3279]. The Security Considerations section | |||
of that document applies to this specification as well. | of that document applies to this specification as well. | |||
NIST has defined appropriate use of the hash functions in terms of | NIST has defined appropriate use of the hash functions in terms of | |||
the algorithm strengths and expected time frames for secure use in | the algorithm strengths and expected time frames for secure use in | |||
Special Publications (SPs) [SP800-78-4] and [SP800-107]. These | Special Publications (SPs) [SP800-78-4] and [SP800-107]. These | |||
documents can be used as guides to choose appropriate key sizes for | documents can be used as guides to choose appropriate key sizes for | |||
various security scenarios. | various security scenarios. | |||
SHAKE128 with output length of 256-bits offers 128-bits of collision | SHAKE128 with output length of 256 bits offers 128 bits of collision | |||
and preimage resistance. Thus, SHAKE128 OIDs in this specification | and preimage resistance. Thus, SHAKE128 OIDs in this specification | |||
are RECOMMENDED with 2048 (112-bit security) or 3072-bit (128-bit | are RECOMMENDED with 2048- (112-bit security) or 3072-bit (128-bit | |||
security) RSA modulus or curves with group order of 256-bits (128-bit | security) RSA modulus or curves with group order of 256 bits (128-bit | |||
security). SHAKE256 with 512-bits output length offers 256-bits of | security). SHAKE256 with a 512-bit output length offers 256 bits of | |||
collision and preimage resistance. Thus, the SHAKE256 OIDs in this | collision and preimage resistance. Thus, the SHAKE256 OIDs in this | |||
specification are RECOMMENDED with 4096-bit RSA modulus or higher or | specification are RECOMMENDED with 4096-bit RSA modulus or higher or | |||
curves with group order of at least 521-bits (256-bit security). | curves with a group order of at least 512 bits, such as the NIST | |||
Note that we recommended 4096-bit RSA because we would need 15360-bit | Curve P-521 (256-bit security). Note that we recommended a 4096-bit | |||
modulus for 256-bits of security which is impractical for today's | RSA because we would need a 15360-bit modulus for 256 bits of | |||
technology. | security, which is impractical for today's technology. | |||
8. Acknowledgements | ||||
We would like to thank Sean Turner, Jim Schaad and Eric Rescorla for | ||||
their valuable contributions to this document. | ||||
The authors would like to thank Russ Housley for his guidance and | ||||
very valuable contributions with the ASN.1 module. | ||||
9. References | 7. References | |||
9.1. Normative References | 7.1. Normative References | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | |||
Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||
Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
(CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | |||
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | |||
"PKCS #1: RSA Cryptography Specifications Version 2.2", | "PKCS #1: RSA Cryptography Specifications Version 2.2", | |||
RFC 8017, DOI 10.17487/RFC8017, November 2016, | RFC 8017, DOI 10.17487/RFC8017, November 2016, | |||
<https://www.rfc-editor.org/info/rfc8017>. | <https://www.rfc-editor.org/info/rfc8017>. | |||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[SHA3] National Institute of Standards and Technology (NIST), | [SHA3] National Institute of Standards and Technology, "SHA-3 | |||
"SHA-3 Standard - Permutation-Based Hash and Extendable- | Standard: Permutation-Based Hash and Extendable-Output | |||
Output Functions FIPS PUB 202", August 2015, | Functions", DOI 10.6028/NIST.FIPS.202, FIPS PUB 202, | |||
<https://www.nist.gov/publications/sha-3-standard- | August 2015, <https://doi.org/10.6028/NIST.FIPS.202>. | |||
permutation-based-hash-and-extendable-output-functions>. | ||||
9.2. Informative References | 7.2. Informative References | |||
[Hash-Texts] | [Hash-Texts] | |||
IANA, "Hash Function Textual Names", July 2017, | IANA, "Hash Function Textual Names", | |||
<https://www.iana.org/assignments/hash-function-text- | <https://www.iana.org/assignments/hash-function-text- | |||
names/hash-function-text-names.xhtml>. | names/>. | |||
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the | [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the | |||
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, | Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, | |||
DOI 10.17487/RFC5912, June 2010, | DOI 10.17487/RFC5912, June 2010, | |||
<https://www.rfc-editor.org/info/rfc5912>. | <https://www.rfc-editor.org/info/rfc5912>. | |||
[RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature | [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature | |||
Algorithm (DSA) and Elliptic Curve Digital Signature | Algorithm (DSA) and Elliptic Curve Digital Signature | |||
Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August | Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August | |||
2013, <https://www.rfc-editor.org/info/rfc6979>. | 2013, <https://www.rfc-editor.org/info/rfc6979>. | |||
[SEC1] Standards for Efficient Cryptography Group, "SEC 1: | [SEC1] Standards for Efficient Cryptography Group, "SEC 1: | |||
Elliptic Curve Cryptography", May 2009, | Elliptic Curve Cryptography", May 2009, | |||
<http://www.secg.org/sec1-v2.pdf>. | <http://www.secg.org/sec1-v2.pdf>. | |||
[SMI-PKIX] | [SMI-PKIX] IANA, "SMI Security for PKIX Algorithms", | |||
IANA, "SMI Security for PKIX Algorithms", March 2019, | <https://www.iana.org/assignments/smi-numbers>. | |||
<https://www.iana.org/assignments/smi-numbers/ | ||||
smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.6>. | ||||
[SP800-107] | [SP800-107] | |||
National Institute of Standards and Technology (NIST), | National Institute of Standards and Technology (NIST), | |||
"SP800-107: Recommendation for Applications Using Approved | "Recommendation for Applications Using Approved Hash | |||
Hash Algorithms", May 2014, | Algorithms", DOI 10.6028/NIST.SP.800-107r1, Revision 1, | |||
<https://csrc.nist.gov/csrc/media/publications/sp/800-107/ | NIST Special Publication (SP) 800-107, August 2012, | |||
rev-1/final/documents/draft_revised_sp800-107.pdf>. | <http://dx.doi.org/10.6028/NIST.SP.800-107r1>. | |||
[SP800-78-4] | [SP800-78-4] | |||
National Institute of Standards and Technology (NIST), | National Institute of Standards and Technology (NIST), | |||
"SP800-78-4: Cryptographic Algorithms and Key Sizes for | "Cryptographic Algorithms and Key Sizes for Personal | |||
Personal Identity Verification", May 2014, | Identity Verification", DOI 10.6028/NIST.SP.800-78-4, NIST | |||
<https://csrc.nist.gov/csrc/media/publications/sp/800- | Special Publication (SP) 800-78-4, May 2015, | |||
78/4/final/documents/sp800_78-4_revised_draft.pdf>. | <http://dx.doi.org/10.6028/NIST.SP.800-78-4>. | |||
[X9.62] American National Standard for Financial Services (ANSI), | [X9.62] ANSI, "Public Key Cryptography for the Financial Services | |||
"X9.62-2005: Public Key Cryptography for the Financial | Industry: the Elliptic Curve Digital Signature Algorithm | |||
Services Industry: The Elliptic Curve Digital Signature | (ECDSA)", ANSI X9.62, 2005. | |||
Standard (ECDSA)", November 2005. | ||||
Appendix A. ASN.1 module | Appendix A. ASN.1 Module | |||
This appendix includes the ASN.1 module for SHAKEs in X.509. This | This appendix includes the ASN.1 module for SHAKEs in X.509. This | |||
module does not come from any existing RFC. | module does not come from any previously existing RFC. This module | |||
references [RFC5912]. | ||||
PKIXAlgsForSHAKE-2019 { iso(1) identified-organization(3) dod(6) | PKIXAlgsForSHAKE-2019 { iso(1) identified-organization(3) dod(6) | |||
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
id-mod-pkix1-shakes-2019(TBD) } | id-mod-pkix1-shakes-2019(94) } | |||
DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
BEGIN | BEGIN | |||
-- EXPORTS ALL; | -- EXPORTS ALL; | |||
IMPORTS | IMPORTS | |||
-- FROM [RFC5912] | -- FROM RFC 5912 | |||
PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS | PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS | |||
FROM AlgorithmInformation-2009 | FROM AlgorithmInformation-2009 | |||
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) | { iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
mechanisms(5) pkix(7) id-mod(0) | mechanisms(5) pkix(7) id-mod(0) | |||
id-mod-algorithmInformation-02(58) } | id-mod-algorithmInformation-02(58) } | |||
-- FROM [RFC5912] | -- FROM RFC 5912 | |||
RSAPublicKey, rsaEncryption, pk-rsa, pk-ec, | RSAPublicKey, rsaEncryption, pk-rsa, pk-ec, | |||
CURVE, id-ecPublicKey, ECPoint, ECParameters, ECDSA-Sig-Value | CURVE, id-ecPublicKey, ECPoint, ECParameters, ECDSA-Sig-Value | |||
FROM PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) | FROM PKIXAlgs-2009 { iso(1) identified-organization(3) dod(6) | |||
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) | |||
id-mod-pkix1-algorithms2008-02(56) } | id-mod-pkix1-algorithms2008-02(56) } | |||
; | ; | |||
-- | -- | |||
-- Message Digest Algorithms (mda-) | -- Message Digest Algorithms (mda-) | |||
-- | -- | |||
DigestAlgorithms DIGEST-ALGORITHM ::= { | DigestAlgorithms DIGEST-ALGORITHM ::= { | |||
-- This expands DigestAlgorithms from [RFC5912] | -- This expands DigestAlgorithms from RFC 5912 | |||
mda-shake128 | | mda-shake128 | | |||
mda-shake256, | mda-shake256, | |||
... | ... | |||
} | } | |||
-- | ||||
-- One-Way Hash Functions | ||||
-- | ||||
-- SHAKE128 | -- | |||
mda-shake128 DIGEST-ALGORITHM ::= { | -- One-Way Hash Functions | |||
IDENTIFIER id-shake128 -- with output length 32 bytes. | -- | |||
} | ||||
id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | ||||
us(840) organization(1) gov(101) | ||||
csor(3) nistAlgorithm(4) | ||||
hashAlgs(2) 11 } | ||||
-- SHAKE256 | -- SHAKE128 | |||
mda-shake256 DIGEST-ALGORITHM ::= { | mda-shake128 DIGEST-ALGORITHM ::= { | |||
IDENTIFIER id-shake256 -- with output length 64 bytes. | IDENTIFIER id-shake128 -- with output length 32 bytes. | |||
} | } | |||
id-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | |||
us(840) organization(1) gov(101) | us(840) organization(1) gov(101) | |||
csor(3) nistAlgorithm(4) | csor(3) nistAlgorithm(4) | |||
hashAlgs(2) 12 } | hashAlgs(2) 11 } | |||
-- | -- SHAKE256 | |||
-- Public Key (pk-) Algorithms | mda-shake256 DIGEST-ALGORITHM ::= { | |||
-- | IDENTIFIER id-shake256 -- with output length 64 bytes. | |||
PublicKeys PUBLIC-KEY ::= { | } | |||
-- This expands PublicKeys from [RFC5912] | id-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | |||
pk-rsaSSA-PSS-SHAKE128 | | us(840) organization(1) gov(101) | |||
pk-rsaSSA-PSS-SHAKE256, | csor(3) nistAlgorithm(4) | |||
... | hashAlgs(2) 12 } | |||
} | ||||
-- The hashAlgorithm is mda-shake128 | -- | |||
-- The maskGenAlgorithm is id-shake128 | -- Public Key (pk-) Algorithms | |||
-- Mask Gen Algorithm is SHAKE128 with output length | -- | |||
-- (8*ceil((n-1)/8) - 264) bits, where n is the RSA | PublicKeys PUBLIC-KEY ::= { | |||
-- modulus in bits. | -- This expands PublicKeys from RFC 5912 | |||
-- The saltLength is 32. The trailerField is 1. | pk-rsaSSA-PSS-SHAKE128 | | |||
pk-rsaSSA-PSS-SHAKE128 PUBLIC-KEY ::= { | pk-rsaSSA-PSS-SHAKE256, | |||
IDENTIFIER id-RSASSA-PSS-SHAKE128 | ... | |||
KEY RSAPublicKey | } | |||
PARAMS ARE absent | ||||
-- Private key format not in this module -- | ||||
CERT-KEY-USAGE { nonRepudiation, digitalSignature, | ||||
keyCertSign, cRLSign } | ||||
} | ||||
-- The hashAlgorithm is mda-shake256 | -- The hashAlgorithm is mda-shake128 | |||
-- The maskGenAlgorithm is id-shake256 | -- The maskGenAlgorithm is id-shake128 | |||
-- Mask Gen Algorithm is SHAKE256 with output length | -- Mask Gen Algorithm is SHAKE128 with output length | |||
-- (8*ceil((n-1)/8) - 520)-bits, where n is the RSA | -- (8*ceil((n-1)/8) - 264) bits, where n is the RSA | |||
-- modulus in bits. | -- modulus in bits. | |||
-- The saltLength is 64. The trailerField is 1. | -- The saltLength is 32. The trailerField is 1. | |||
pk-rsaSSA-PSS-SHAKE256 PUBLIC-KEY ::= { | pk-rsaSSA-PSS-SHAKE128 PUBLIC-KEY ::= { | |||
IDENTIFIER id-RSASSA-PSS-SHAKE256 | IDENTIFIER id-RSASSA-PSS-SHAKE128 | |||
KEY RSAPublicKey | KEY RSAPublicKey | |||
PARAMS ARE absent | PARAMS ARE absent | |||
-- Private key format not in this module -- | -- Private key format not in this module -- | |||
CERT-KEY-USAGE { nonRepudiation, digitalSignature, | CERT-KEY-USAGE { nonRepudiation, digitalSignature, | |||
keyCertSign, cRLSign } | keyCertSign, cRLSign } | |||
} | } | |||
-- | -- The hashAlgorithm is mda-shake256 | |||
-- Signature Algorithms (sa-) | -- The maskGenAlgorithm is id-shake256 | |||
-- | -- Mask Gen Algorithm is SHAKE256 with output length | |||
SignatureAlgs SIGNATURE-ALGORITHM ::= { | -- (8*ceil((n-1)/8) - 520)-bits, where n is the RSA | |||
-- This expands SignatureAlgorithms from [RFC5912] | -- modulus in bits. | |||
sa-rsassapssWithSHAKE128 | | -- The saltLength is 64. The trailerField is 1. | |||
sa-rsassapssWithSHAKE256 | | pk-rsaSSA-PSS-SHAKE256 PUBLIC-KEY ::= { | |||
sa-ecdsaWithSHAKE128 | | IDENTIFIER id-RSASSA-PSS-SHAKE256 | |||
sa-ecdsaWithSHAKE256, | KEY RSAPublicKey | |||
... | PARAMS ARE absent | |||
} | -- Private key format not in this module -- | |||
CERT-KEY-USAGE { nonRepudiation, digitalSignature, | ||||
keyCertSign, cRLSign } | ||||
} | ||||
-- | -- | |||
-- SMIME Capabilities (sa-) | -- Signature Algorithms (sa-) | |||
-- | -- | |||
SMimeCaps SMIME-CAPS ::= { | SignatureAlgs SIGNATURE-ALGORITHM ::= { | |||
-- The expands SMimeCaps from [RFC5912] | -- This expands SignatureAlgorithms from RFC 5912 | |||
sa-rsassapssWithSHAKE128.&smimeCaps | | sa-rsassapssWithSHAKE128 | | |||
sa-rsassapssWithSHAKE256.&smimeCaps | | sa-rsassapssWithSHAKE256 | | |||
sa-ecdsaWithSHAKE128.&smimeCaps | | sa-ecdsaWithSHAKE128 | | |||
sa-ecdsaWithSHAKE256.&smimeCaps, | sa-ecdsaWithSHAKE256, | |||
... | ... | |||
} | } | |||
-- RSASSA-PSS with SHAKE128 | -- | |||
sa-rsassapssWithSHAKE128 SIGNATURE-ALGORITHM ::= { | -- SMIME Capabilities (sa-) | |||
IDENTIFIER id-RSASSA-PSS-SHAKE128 | -- | |||
PARAMS ARE absent | SMimeCaps SMIME-CAPS ::= { | |||
-- The hashAlgorithm is mda-shake128 | -- The expands SMimeCaps from RFC 5912 | |||
-- The maskGenAlgorithm is id-shake128 | sa-rsassapssWithSHAKE128.&smimeCaps | | |||
-- Mask Gen Algorithm is SHAKE128 with output length | sa-rsassapssWithSHAKE256.&smimeCaps | | |||
-- (8*ceil((n-1)/8) - 264) bits, where n is the RSA | sa-ecdsaWithSHAKE128.&smimeCaps | | |||
-- modulus in bits. | sa-ecdsaWithSHAKE256.&smimeCaps, | |||
-- The saltLength is 32. The trailerField is 1 | ... | |||
} | ||||
HASHES { mda-shake128 } | -- RSASSA-PSS with SHAKE128 | |||
PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE128 } | sa-rsassapssWithSHAKE128 SIGNATURE-ALGORITHM ::= { | |||
SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE128 } | IDENTIFIER id-RSASSA-PSS-SHAKE128 | |||
} | PARAMS ARE absent | |||
id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { iso(1) | -- The hashAlgorithm is mda-shake128 | |||
identified-organization(3) dod(6) internet(1) | -- The maskGenAlgorithm is id-shake128 | |||
security(5) mechanisms(5) pkix(7) algorithms(6) | -- Mask Gen Algorithm is SHAKE128 with output length | |||
TBD1 } | -- (8*ceil((n-1)/8) - 264) bits, where n is the RSA | |||
-- modulus in bits. | ||||
-- The saltLength is 32. The trailerField is 1 | ||||
HASHES { mda-shake128 } | ||||
PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE128 } | ||||
SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE128 } | ||||
} | ||||
id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { iso(1) | ||||
identified-organization(3) dod(6) internet(1) | ||||
security(5) mechanisms(5) pkix(7) algorithms(6) | ||||
30 } | ||||
-- RSASSA-PSS with SHAKE256 | -- RSASSA-PSS with SHAKE256 | |||
sa-rsassapssWithSHAKE256 SIGNATURE-ALGORITHM ::= { | sa-rsassapssWithSHAKE256 SIGNATURE-ALGORITHM ::= { | |||
IDENTIFIER id-RSASSA-PSS-SHAKE256 | IDENTIFIER id-RSASSA-PSS-SHAKE256 | |||
PARAMS ARE absent | PARAMS ARE absent | |||
-- The hashAlgorithm is mda-shake256 | -- The hashAlgorithm is mda-shake256 | |||
-- The maskGenAlgorithm is id-shake256 | -- The maskGenAlgorithm is id-shake256 | |||
-- Mask Gen Algorithm is SHAKE256 with output length | -- Mask Gen Algorithm is SHAKE256 with output length | |||
-- (8*ceil((n-1)/8) - 520)-bits, where n is the | -- (8*ceil((n-1)/8) - 520)-bits, where n is the | |||
-- RSA modulus in bits. | -- RSA modulus in bits. | |||
-- The saltLength is 64. The trailerField is 1. | -- The saltLength is 64. The trailerField is 1. | |||
HASHES { mda-shake256 } | ||||
PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE256 } | ||||
SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE256 } | ||||
} | ||||
id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { iso(1) | ||||
identified-organization(3) dod(6) internet(1) | ||||
security(5) mechanisms(5) pkix(7) algorithms(6) | ||||
31 } | ||||
-- ECDSA with SHAKE128 | ||||
sa-ecdsaWithSHAKE128 SIGNATURE-ALGORITHM ::= { | ||||
IDENTIFIER id-ecdsa-with-shake128 | ||||
VALUE ECDSA-Sig-Value | ||||
PARAMS ARE absent | ||||
HASHES { mda-shake128 } | ||||
PUBLIC-KEYS { pk-ec } | ||||
SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake128 } | ||||
} | ||||
id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { iso(1) | ||||
identified-organization(3) dod(6) internet(1) | ||||
security(5) mechanisms(5) pkix(7) algorithms(6) | ||||
32 } | ||||
-- ECDSA with SHAKE256 | ||||
sa-ecdsaWithSHAKE256 SIGNATURE-ALGORITHM ::= { | ||||
IDENTIFIER id-ecdsa-with-shake256 | ||||
VALUE ECDSA-Sig-Value | ||||
PARAMS ARE absent | ||||
HASHES { mda-shake256 } | HASHES { mda-shake256 } | |||
PUBLIC-KEYS { pk-rsa | pk-rsaSSA-PSS-SHAKE256 } | PUBLIC-KEYS { pk-ec } | |||
SMIME-CAPS { IDENTIFIED BY id-RSASSA-PSS-SHAKE256 } | SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake256 } | |||
} | } | |||
id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { iso(1) | id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { iso(1) | |||
identified-organization(3) dod(6) internet(1) | identified-organization(3) dod(6) internet(1) | |||
security(5) mechanisms(5) pkix(7) algorithms(6) | security(5) mechanisms(5) pkix(7) algorithms(6) | |||
TBD2 } | 33 } | |||
-- ECDSA with SHAKE128 | END | |||
sa-ecdsaWithSHAKE128 SIGNATURE-ALGORITHM ::= { | ||||
IDENTIFIER id-ecdsa-with-shake128 | ||||
VALUE ECDSA-Sig-Value | ||||
PARAMS ARE absent | ||||
HASHES { mda-shake128 } | ||||
PUBLIC-KEYS { pk-ec } | ||||
SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake128 } | ||||
} | ||||
id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { iso(1) | ||||
identified-organization(3) dod(6) internet(1) | ||||
security(5) mechanisms(5) pkix(7) algorithms(6) | ||||
TBD3 } | ||||
-- ECDSA with SHAKE256 | Acknowledgements | |||
sa-ecdsaWithSHAKE256 SIGNATURE-ALGORITHM ::= { | ||||
IDENTIFIER id-ecdsa-with-shake256 | ||||
VALUE ECDSA-Sig-Value | ||||
PARAMS ARE absent | ||||
HASHES { mda-shake256 } | ||||
PUBLIC-KEYS { pk-ec } | ||||
SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-shake256 } | ||||
} | ||||
id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { iso(1) | ||||
identified-organization(3) dod(6) internet(1) | ||||
security(5) mechanisms(5) pkix(7) algorithms(6) | ||||
TBD4 } | ||||
END | We would like to thank Sean Turner, Jim Schaad, and Eric Rescorla for | |||
their valuable contributions to this document. | ||||
The authors would like to thank Russ Housley for his guidance and | ||||
very valuable contributions with the ASN.1 module. | ||||
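The comments in the module above pin down every RSASSA-PSS parameter for the SHAKE OIDs: the hash is SHAKE128 with 32-byte output (or SHAKE256 with 64-byte output), the mask generation function is the same SHAKE used directly as an XOF with output length (8*ceil((n-1)/8) - 264) bits (or - 520 bits), the salt length equals the hash length, and the trailer field is 1. The following is an added illustration of what that means in code; it is not from RFC 8692 or from any library. It walks the EMSA-PSS-ENCODE and EMSA-PSS-VERIFY steps of RFC 8017, Section 9.1, with those parameters plugged in, using Python's `hashlib.shake_128`/`shake_256`. The RSA modular exponentiation around the encoded message is intentionally left out, since nothing in it is SHAKE-specific; `modulus_bits` stands in for the key size n. Function names are my own.

```python
# Added example (not part of RFC 8692): EMSA-PSS with SHAKE as both the
# message hash and the mask generation function, per the module comments.
import hashlib
import hmac
import os
from typing import Optional

# (XOF constructor, hLen in bytes); saltLength == hLen per the module.
PARAMS = {
    "id-RSASSA-PSS-SHAKE128": (hashlib.shake_128, 32),
    "id-RSASSA-PSS-SHAKE256": (hashlib.shake_256, 64),
}
TRAILER = b"\xbc"  # trailerField 1


def shake(xof, data: bytes, out_len: int) -> bytes:
    """SHAKE as an extendable-output function: the only primitive needed."""
    return xof(data).digest(out_len)


def mgf_bits(modulus_bits: int, h_len: int) -> int:
    """Mask length in bits: 8*ceil((n-1)/8) - 8*(hLen+1), i.e. -264 or -520."""
    em_len = -(-(modulus_bits - 1) // 8)          # ceil((n-1)/8) bytes
    return 8 * em_len - 8 * (h_len + 1)


def pss_encode(alg: str, message: bytes, modulus_bits: int,
               salt: Optional[bytes] = None) -> bytes:
    """EMSA-PSS-ENCODE(M, emBits = n-1) with the SHAKE parameter set."""
    xof, h_len = PARAMS[alg]
    s_len = h_len
    em_bits = modulus_bits - 1
    em_len = -(-em_bits // 8)
    if em_len < h_len + s_len + 2:
        raise ValueError("encoding error: modulus too small for hLen + sLen + 2")
    if salt is None:
        salt = os.urandom(s_len)
    if len(salt) != s_len:
        raise ValueError("salt length must equal hLen")
    m_hash = shake(xof, message, h_len)                       # step 2
    h = shake(xof, b"\x00" * 8 + m_hash + salt, h_len)        # steps 5-6: H = Hash(M')
    db = b"\x00" * (em_len - s_len - h_len - 2) + b"\x01" + salt   # steps 7-8
    db_mask = shake(xof, h, em_len - h_len - 1)               # step 9: SHAKE is the MGF
    masked_db = bytearray(a ^ b for a, b in zip(db, db_mask)) # step 10
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)            # step 11: clear excess bits
    return bytes(masked_db) + h + TRAILER                     # step 12


def pss_verify(alg: str, message: bytes, em: bytes, modulus_bits: int) -> bool:
    """EMSA-PSS-VERIFY(M, EM, emBits = n-1); True means 'consistent'."""
    xof, h_len = PARAMS[alg]
    s_len = h_len
    em_bits = modulus_bits - 1
    em_len = -(-em_bits // 8)
    if len(em) != em_len or em_len < h_len + s_len + 2 or em[-1:] != TRAILER:
        return False
    masked_db, h = em[: em_len - h_len - 1], em[em_len - h_len - 1 : -1]
    if masked_db[0] & ~(0xFF >> (8 * em_len - em_bits)) & 0xFF:
        return False                                          # excess leading bits set
    db_mask = shake(xof, h, em_len - h_len - 1)
    db = bytearray(a ^ b for a, b in zip(masked_db, db_mask))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    ps_len = em_len - h_len - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False                                          # padding/separator wrong
    salt = bytes(db[-s_len:])
    m_hash = shake(xof, message, h_len)
    h_prime = shake(xof, b"\x00" * 8 + m_hash + salt, h_len)
    return hmac.compare_digest(h, h_prime)                    # constant-time compare


if __name__ == "__main__":
    msg = b"constructed test message"                         # constructed sample input
    em = pss_encode("id-RSASSA-PSS-SHAKE128", msg, 2048)
    print("emLen:", len(em), "mask bits:", mgf_bits(2048, 32))
    print("verifies:", pss_verify("id-RSASSA-PSS-SHAKE128", msg, em, 2048))
```

Two points worth noticing when reading it against the module: the mask length passed to `shake` is `em_len - h_len - 1` bytes, which is exactly the (8*ceil((n-1)/8) - 264) bit figure once hLen is 32, so the MGF needs no MGF1-style counter construction at all; and because the salt length is fixed at hLen, a verifier can check the separator position directly instead of scanning for it.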
Authors' Addresses | Authors' Addresses | |||
Panos Kampanakis | Panos Kampanakis | |||
Cisco Systems | Cisco Systems | |||
Email: pkampana@cisco.com | Email: pkampana@cisco.com | |||
Quynh Dang | Quynh Dang | |||
NIST | NIST | |||
100 Bureau Drive, Stop 8930 | 100 Bureau Drive, Stop 8930 | |||
Gaithersburg, MD 20899-8930 | Gaithersburg, MD 20899-8930 | |||
USA | United States of America | |||
Email: quynh.dang@nist.gov | Email: quynh.dang@nist.gov | |||