Network Working Group                                       S. Josefsson
Internet-Draft                                                    SJD AB
Intended status: Informational                      N. Mavrogiannopoulos
Expires: March 26, 2016                                    Red Hat, Inc.
                                                      September 23, 2015

       Using EdDSA in the Internet X.509 Public Key Infrastructure
                      draft-josefsson-pkix-eddsa-03

Abstract

   This document specifies algorithm identifiers and ASN.1 encoding
   formats for EdDSA digital signatures and subject public keys used in
   the Internet X.509 Public Key Infrastructure (PKIX) for Certificates
   and CRLs.  Parameters for Ed25519 are defined.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 26, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Josefsson & Mavrogiannopoulos  Expires March 26, 2016           [Page 1]

Internet-Draft            PKIX OIDs for EdDSA             September 2015

Table of Contents

   1.  Introduction
   2.  Requirements Terminology
   3.  Subject Public Key Information Fields
   4.  EdDSA Public Keys
   5.  Key Usage Bits
   6.  EdDSA Signatures
   7.  Human Readable Algorithm Names
   8.  Examples
     8.1.  Example SHA512-Ed25519 Public Key
     8.2.  Example SHA512-Ed25519 Certificate
     8.3.  Example SHA512-Ed25519 Private Key
   9.  Acknowledgements
   10.  IANA Considerations
   11.  Security Considerations
   12.  References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Introduction

   In [Ed25519], the elliptic curve signature system EdDSA was
   introduced, with Ed25519 as the recommended choice of curve.  EdDSA
   and Ed25519 were designed with performance and security in mind.
   The specification, test vectors and a sample implementation are
   available in [I-D.josefsson-eddsa-ed25519].

   This document defines ASN.1 object identifiers for EdDSA for use in
   the Internet X.509 PKI [RFC5280], and parameters for Ed25519.  This
   document serves a similar role as [RFC3279] does for RSA (and more),
   [RFC4055] for RSA-OAEP/PSS, and [RFC5758] for SHA2-based (EC)DSA.

2.  Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Subject Public Key Information Fields
   In the X.509 certificate, the subjectPublicKeyInfo field has the
   SubjectPublicKeyInfo type, which has the following ASN.1 syntax:

      SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm         AlgorithmIdentifier,
        subjectPublicKey  BIT STRING
      }

   The fields in SubjectPublicKeyInfo have the following meanings:

   o  algorithm is the algorithm identifier and parameters for the
      public key (see below).

   o  subjectPublicKey is the EdDSA public key.

   The AlgorithmIdentifier type, which is included for convenience, is
   defined as follows:

      AlgorithmIdentifier ::= SEQUENCE {
        algorithm   OBJECT IDENTIFIER,
        parameters  ANY DEFINED BY algorithm OPTIONAL
      }

   The fields in AlgorithmIdentifier have the following meanings:

   o  algorithm identifies the cryptographic algorithm with an object
      identifier.  This is the EdDSA OID defined below.

   o  parameters, which are optional, are the associated parameters for
      the algorithm identifier in the algorithm field.

4.  EdDSA Public Keys

   Certificates conforming to [RFC5280] may convey a public key for any
   public key algorithm.  The certificate indicates the algorithm
   through an algorithm identifier.  This algorithm identifier is an OID
   and optionally associated parameters.  This section identifies the
   OID and parameters for the EdDSA algorithm.

   Conforming CAs MUST use the identified OIDs when issuing certificates
   containing EdDSA public keys.  Conforming applications supporting
   EdDSA MUST, at a minimum, recognize the OID identified in this
   section.

   The id-EdDSAPublicKey OID is used for identifying EdDSA public keys.

      id-EdDSAPublicKey OBJECT IDENTIFIER ::= { 1.3.101.100 }

   The id-EdDSAPublicKey OID is intended to be used in the algorithm
   field of a value of type AlgorithmIdentifier.
   EdDSA public keys use the parameters field to specify the particular
   instantiation of EdDSA parameters.  The parameters field has the
   ASN.1 type EdDSAParameters, defined as follows.

      EdDSAParameters ::= ENUMERATED {
        ed25519         (1),
        sha512-ed25519  (2)
      }

   The EdDSAParameters enumeration may be extended in the future.

   The value 'ed25519' means the set of "pure" EdDSA parameters
   associated with Ed25519, including the internal hash function
   (SHA512) and curve.  The value 'sha512-ed25519' means that the SHA512
   algorithm will be used as the prehash parameter and as the hash
   function for the signature.  For the definitions see [EdDSA-prehash].

   The raw binary EdDSA public key is encoded directly in the
   subjectPublicKey BIT STRING object.  Note that unlike some other
   schemes, there is no additional OCTET STRING encoding step.

5.  Key Usage Bits

   The intended application for the key MAY be indicated in the keyUsage
   certificate extension.

   If the keyUsage extension is present in an end-entity certificate
   that conveys an EdDSA public key with the id-EdDSAPublicKey object
   identifier, then the keyUsage extension MUST contain one or both of
   the following values:

      nonRepudiation; and
      digitalSignature.

   If the keyUsage extension is present in a certification authority
   certificate that conveys an EdDSA public key with the
   id-EdDSAPublicKey object identifier, then the keyUsage extension MUST
   contain one or more of the following values:

      nonRepudiation;
      digitalSignature;
      keyCertSign; and
      cRLSign.

6.  EdDSA Signatures

   Certificates and CRLs conforming to [RFC5280] may be signed with any
   public key signature algorithm.  The certificate or CRL indicates the
   algorithm through an algorithm identifier which appears in the
   signatureAlgorithm field within the Certificate or CertificateList.
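   The following parser is added here as an illustration and is not part
   of the draft: it decodes the SubjectPublicKeyInfo layout of Sections 3
   and 4 against the draft's own Section 8.1 SHA512-Ed25519 public key,
   checking the id-EdDSAPublicKey OID, the ENUMERATED EdDSAParameters
   value and the raw BIT STRING (an OCTET STRING wrapper is rejected), and
   it also applies the Section 6 rule that id-EdDSASignature carries no
   parameters, so an ASN.1 NULL is rejected.  The DER reader, OID decoder
   and function names are this example's own; no library is assumed.

```python
import base64

# SubjectPublicKeyInfo from Section 8.1 of the draft (SHA512-Ed25519), PEM body only.
EXAMPLE_SPKI_B64 = "MC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE="
ID_EDDSA_PUBLIC_KEY, ID_EDDSA_SIGNATURE = "1.3.101.100", "1.3.101.101"
EDDSA_PARAMETERS = {1: "Ed25519", 2: "SHA512-Ed25519"}  # EdDSAParameters ENUMERATED values

def read_tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, content, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):  # OID content octets -> dotted form (first octet packs two arcs)
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_algorithm_identifier(buf, pos=0):  # -> (oid, params tag, params content, next pos)
    tag, alg, end = read_tlv(buf, pos)
    if tag != 0x30: raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, p = read_tlv(alg, 0)
    if tag != 0x06: raise ValueError("algorithm must be an OBJECT IDENTIFIER")
    ptag, params = read_tlv(alg, p)[:2] if p < len(alg) else (None, None)  # params OPTIONAL
    return decode_oid(oid), ptag, params, end

def parse_eddsa_spki(der):  # SubjectPublicKeyInfo -> (parameter name, raw 32-byte public key)
    tag, spki, _ = read_tlv(der, 0)
    if tag != 0x30: raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    oid, ptag, params, pos = parse_algorithm_identifier(spki)
    if oid != ID_EDDSA_PUBLIC_KEY: raise ValueError("not id-EdDSAPublicKey: " + oid)
    if ptag != 0x0A or len(params) != 1 or params[0] not in EDDSA_PARAMETERS:
        raise ValueError("EdDSAParameters must be a known ENUMERATED value")
    tag, bits, _ = read_tlv(spki, pos)
    # Raw key directly in the BIT STRING (0 unused bits); an OCTET STRING wrapper (34 bytes) fails.
    if tag != 0x03 or bits[0] != 0 or len(bits) != 33:
        raise ValueError("subjectPublicKey must be a BIT STRING of exactly 32 raw key bytes")
    return EDDSA_PARAMETERS[params[0]], bits[1:]

def check_signature_algorithm(der):
    """Section 6: id-EdDSASignature with parameters absent; an ASN.1 NULL is not acceptable."""
    oid, ptag, _, _ = parse_algorithm_identifier(der)
    if oid != ID_EDDSA_SIGNATURE: raise ValueError("not id-EdDSASignature: " + oid)
    if ptag is not None:
        raise ValueError("parameters MUST be absent" + (", found NULL" if ptag == 0x05 else ""))
    return True
```

   Decoding base64.b64decode(EXAMPLE_SPKI_B64) yields the parameter name
   "SHA512-Ed25519" and the 32 key bytes that Section 8.3 prints as "x:".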
   This algorithm identifier is an OID and has optionally associated
   parameters.  For illustration, the Certificate structure is
   reproduced here:

      Certificate  ::=  SEQUENCE  {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING
      }

   Recall the definition of the AlgorithmIdentifier type:

      AlgorithmIdentifier ::= SEQUENCE {
        algorithm   OBJECT IDENTIFIER,
        parameters  ANY DEFINED BY algorithm OPTIONAL
      }

   This document identifies an AlgorithmIdentifier OID for EdDSA
   signatures.  No parameters are defined.  The EdDSA parameters follow
   from the public-key parameters.

   The data to be signed is prepared for EdDSA.  Then, a private key
   operation is performed to generate the signature value.  This value
   is the opaque value ENC(R) || ENC'(S) described in section 4.3 of
   [I-D.josefsson-eddsa-ed25519].  This signature value is then ASN.1
   encoded as a BIT STRING and included in the Certificate or
   CertificateList in the signatureValue field.

   The id-EdDSASignature OID is used for identifying EdDSA signatures.

      id-EdDSASignature OBJECT IDENTIFIER ::= { 1.3.101.101 }

   The id-EdDSASignature OID is intended to be used in the algorithm
   field of a value of type AlgorithmIdentifier.  The parameters field
   MUST be absent.  To further clarify how to encode the parameters
   field, due to historical misunderstandings in this area, it MUST NOT
   have the ASN.1 type NULL.

7.  Human Readable Algorithm Names

   For the purpose of consistent cross-implementation naming, this
   section establishes human readable names for the algorithms
   specified in this document.  Implementations SHOULD use these names
   when referring to the algorithms.  If there is a strong reason to
   deviate from these names -- for example, if the implementation has a
   different naming convention and wants to maintain internal
   consistency -- it is encouraged to deviate as little as possible from
   the names given here.  For example, if a naming convention is to not
   use hyphens ("-"), then instead of "SHA512-Ed25519" the string
   "SHA512Ed25519" could be used.

   Use the string "EdDSA" when referring to a public key or signature
   when the parameter set is not known or relevant.  When the
   EdDSAParameters value is known, use a more specific string.  For the
   ed25519(1) value use the string "Ed25519".  For the sha512-ed25519(2)
   value use the string "SHA512-Ed25519".

8.  Examples

   This section contains example EdDSA public keys and certificates
   that illustrate the parameter choices.

8.1.  Example SHA512-Ed25519 Public Key

   An example of a SHA512-Ed25519 public key:

   Public Key Information:
           Public Key Algorithm: EdDSA
           Algorithm Security Level: High (256 bits)
           Parameters: SHA512-Ed25519
   Public Key Usage:
   Public Key ID: 9b1f5eeded043385e4f7bc623c5975b90bc8bb3b

   -----BEGIN PUBLIC KEY-----
   MC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
   -----END PUBLIC KEY-----

8.2.  Example SHA512-Ed25519 Certificate

   An example of a PKIX certificate using SHA512-Ed25519 would be:

   X.509 Certificate Information:
           Version: 3
           Serial Number (hex): 5601474a2a8dc326
           Issuer: CN=Test Ed25519-SHA512 certificate
           Validity:
                   Not Before: Tue Sep 22 12:19:24 UTC 2015
                   Not After: Fri Dec 31 23:59:59 UTC 9999
           Subject: CN=Test Ed25519-SHA512 certificate
           Subject Public Key Algorithm: SHA512-EdDSA
           Algorithm Security Level: High (256 bits)
           Extensions:
                   Basic Constraints (critical):
                           Certificate Authority (CA): FALSE
                   Key Usage (critical):
                           Digital signature.
                   Subject Key Identifier (not critical):
                           9b1f5eeded043385e4f7bc623c5975b90bc8bb3b
           Signature Algorithm: SHA512-Ed25519
           Signature:
                   be:9d:f8:b4:19:07:99:c9:04:12:21:e7:85:33:55:76
                   b0:5f:29:70:77:bd:69:7a:a6:db:33:fe:c4:f5:3d:79
                   d2:ba:77:6d:68:9b:a3:e9:53:bc:a6:56:54:3f:fa:f4
                   1c:37:89:4e:c7:43:c0:3b:77:68:5d:98:f6:19:9d:05
   Other Information:
           SHA1 fingerprint:
                   a3b75d83a56e127d0728ed8563233cadf943757e
           SHA256 fingerprint:
                   cab1d7df29bdf82270d2192997c81f1b333dc37e670d7e88068fbe9dd747da3a
           Public Key ID:
                   9b1f5eeded043385e4f7bc623c5975b90bc8bb3b
           Public key's random art:
                   (randomart image for SHA512Ed25519 not reproduced)

   -----BEGIN CERTIFICATE-----
   MIIBUTCCAQKgAwIBAgIIVgFHSiqNwyYwBgYEK2VkATAqMSgwJgYDVQQDEx9UZXN0
   IEVkMjU1MTktU0hBNTEyIGNlcnRpZmljYXRlMCAXDTE1MDkyMjEyMTkyNFoYDzk5
   OTkxMjMxMjM1OTU5WjAqMSgwJgYDVQQDEx9UZXN0IEVkMjU1MTktU0hBNTEyIGNl
   cnRpZmljYXRlMC0wCAYDK2VkCgECAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbL
   DFw4rXAxZuGjQDA+MAwGA1UdEwEB/wQCMAAwDwYDVR0PAQH/BAUDAweAADAdBgNV
   HQ4EFgQUmx9e7e0EM4Xk97xiPFl1uQvIuzswBgYEK2VkAQNBAL6d+LQZB5nJBBIh
   54UzVXawXylwd71peqbbM/7E9T150rp3bWibo+lTvKZWVD/69Bw3iU7HQ8A7d2hd
   mPYZnQU=
   -----END CERTIFICATE-----

8.3.  Example SHA512-Ed25519 Private Key

   An example of a SHA512-Ed25519 private key:

   Public Key Info:
           Public Key Algorithm: EdDSA
           Key Security Level: High (256 bits)
           parameters: SHA512-Ed25519
   private key:
           d4:ee:72:db:f9:13:58:4a:d5:b6:d8:f1:f7:69:f8:ad
           3a:fe:7c:28:cb:f1:d4:fb:e0:97:a8:8f:44:75:58:42
   x:
           19:bf:44:09:69:84:cd:fe:85:41:ba:c1:67:dc:3b:96
           c8:50:86:aa:30:b6:b6:cb:0c:5c:38:ad:70:31:66:e1
   Public Key ID:
           9B:1F:5E:ED:ED:04:33:85:E4:F7:BC:62:3C:59:75:B9:0B:C8:BB:3B
   Public key's random art:
           (randomart image for SHA512Ed25519 not reproduced)

   -----BEGIN EDDSA PRIVATE KEY-----
   MCUKAQEEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
   -----END EdDSA PRIVATE KEY-----

9.  Acknowledgements

   Text and/or inspiration were drawn from [RFC5280], [RFC3279],
   [RFC4055], [RFC5480], and [RFC5639].

   The following people discussed the document and provided feedback:
   Klaus Hartke, Ilari Liusvaara, Erwann Abalea, Rick Andrews, Rob
   Stradling.

   A big thank you to Symantec for kindly donating the OIDs used in this
   draft.

10.  IANA Considerations

   None.

11.  Security Considerations

   The security considerations of [RFC5280] and
   [I-D.josefsson-eddsa-ed25519] apply accordingly.

   A common misconception may be that an Ed25519 public key can be used
   to create SHA512-Ed25519 signatures, or vice versa.  This leads to
   cross-key attacks, and is not permitted.

12.  References

12.1.  Normative References

   [I-D.josefsson-eddsa-ed25519]
              Josefsson, S. and N. Moller, "EdDSA and Ed25519",
              draft-josefsson-eddsa-ed25519-02 (work in progress),
              February 2015.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

12.2.  Informative References

   [RFC3279]  Bassham, L., Polk, W., and R. Housley, "Algorithms and
              Identifiers for the Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 3279, April 2002.

   [RFC4055]  Schaad, J., Kaliski, B., and R. Housley, "Additional
              Algorithms and Identifiers for RSA Cryptography for use in
              the Internet X.509 Public Key Infrastructure Certificate
              and Certificate Revocation List (CRL) Profile", RFC 4055,
              June 2005.
   [RFC5480]  Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
              "Elliptic Curve Cryptography Subject Public Key
              Information", RFC 5480, March 2009.

   [RFC5639]  Lochter, M. and J. Merkle, "Elliptic Curve Cryptography
              (ECC) Brainpool Standard Curves and Curve Generation",
              RFC 5639, March 2010.

   [RFC5758]  Dang, Q., Santesson, S., Moriarty, K., Brown, D., and T.
              Polk, "Internet X.509 Public Key Infrastructure:
              Additional Algorithms and Identifiers for DSA and ECDSA",
              RFC 5758, January 2010.

   [Ed25519]  Bernstein, D., Duif, N., Lange, T., Schwabe, P., and B.
              Yang, "Ed25519: High-speed high-security signatures",
              WWW http://ed25519.cr.yp.to/ed25519-20110926.pdf,
              September 2011.

   [EdDSA-prehash]
              Bernstein, D., Josefsson, S., Lange, T., Schwabe, P., and
              B. Yang, "EdDSA for more curves",
              WWW http://ed25519.cr.yp.to/eddsa-20150704.pdf, July 2015.

Authors' Addresses

   Simon Josefsson
   SJD AB

   Email: simon@josefsson.org


   Nikos Mavrogiannopoulos
   Red Hat, Inc.

   Email: nmav@redhat.com