Internet Engineering Task Force Y. Liu Internet Draft Z. Li Intended status: Experimental J. Chen Expires: August 24 2023 X. Fan China Academy of Information and Communications Technology February 24, 2023 ShangMi(SM) Cipher for OpenPGP draft-liu-sm-for-openpgp-00 Abstract This document introduces the Shang Mi(SM) cryptographic algorithm for openpgp protocol. Status of this Memo Internet-Drafts are working documents of the Internet Engineering Task This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on August 24, 2023. Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Liu, et al. Expires August 24, 2023 [Page 1] Internet-Draft ShangMi(SM) Cipher for OpenPGP February 2023 Table of Contents 1. Introduction...................................................2 1.1. The SM Algorithms.........................................2 1.2. Terminology...............................................3 2. Supported Public Key Algorithm: SM2............................3 2.1. Point Format..............................................3 2.2. Curve OID.................................................3 2.3. Key Algorithms id.........................................3 3. Supported Symmetric-Key Algorithm: SM4.........................4 4. Supported Hash Algorithm: SM3..................................4 4.1. Algorithm ID..............................................4 4.2. Hash OID..................................................5 5. IANA Considerations............................................5 6. Security Considerations........................................5 7. References.....................................................5 7.1. Normative References......................................5 7.2. Informative References....................................6 8. Acknowledgments................................................7 1. Introduction The OpenPGP specification in [RFC4880] defines the RSA, Elgamal, and DSA public key algorithms. [RFC6637] adds support for Elliptic Curve Cryptography and specifies the ECDSA and ECDH algorithms. This document specifies how to use the SM cryptographic algorithms with the OpenPGP standard. The IETF has not recommended the use of the cryptographic algorithms defined in this daft. The SM algorithms are becoming mandatory in China, so this document provides a description of how to use them in OpenPGP. 1.1. The SM Algorithms This document describes several different SMs cryptographic algorithms, including SM2 for authentication, SM4 for encryption, and SM3 as the hash function. SM2 is a suite of cryptographic algorithms based on elliptic curve cryptography, including a digital signature, public key encryption and key exchange scheme. This document only deals with the SM2 digital signature algorithm and public key encryption algorithm that have been added to ISO/IEC 14888-3:2018 [ISO- SM2] add [GBT.32918.2-2016]). SM4 is a block cipher algorithm defined in [GBT.32907-2016] and now is being standardized by ISO to ISO/IEC 18033-3:2010 [ISO-SM4]. SM3 is a hash function that outputs Liu, et al. Expires August 24, 2023 [Page 2] Internet-Draft ShangMi(SM) Cipher for OpenPGP February 2023 256 bits. SM3 has already listed in ISO/IEC 10118-3:2018 [ISO- SM3] and has also been described by [GBT.32905-2016]. 1.2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. Supported Public Key Algorithm: SM2 2.1. Point Format This document only defines the uncompressed point format. The point is encoded in the Multiprecision Integer (MPI) format [RFC4880]. The content of the MPI is the following: B = 04 || x || y where x and y are coordinates of the point P = (x, y), each encoded in the big-endian format and zero-padded to the adjusted underlying field size. The adjusted underlying field size is the underlying field size that is rounded up to the nearest 8-bit boundary. Therefore, the exact size of the MPI payload is 515 bits for "P256V1Curve" used in sm2. 2.2. Curve OID The SM2 key parameter curve OID is an array of octets that defines a named curve. The table below specifies the exact sequence of bytes for each named curve referenced in this document: +---------------------+------+------------------------+----------+ | OID | Len | Encoding in hex format | Name | +----------------------+------+------------------------+----------+ | 1.2.156.10197.1.301 | 8 | 2a 81 1c cf 55 01 82 2d| Sm2p256v1| | | | | | +----------------------+------+------------------------+----------+ 2.3. Key Algorithms id The following public key algorithm IDs are added to expand Section 9.1 of [RFC4880], "Public-Key Algorithms": Liu, et al. Expires August 24, 2023 [Page 2] Internet-Draft ShangMi(SM) Cipher for OpenPGP February 2023 ID Description of Algorithm -- -------------------------- TID1 SM2 public key algorithm 3. Supported Symmetric-Key Algorithm: SM4 SM4 is a 128-bit symmetric block cipher (the same as AES and Twofish in OpenPGP) that supports 128-bit. This document defines the use of SM4 in OpenPGP. +---------------------+----------------------------------------+ | SM4 Key Length | OpenPGP Symmetric-Key Algorithm Number | +---------------------+----------------------------------------+ | 128 | TID2 | +---------------------+----------------------------------------+ OpenPGP applications MAY implement SM4. If implemented, SM4 may be used in any place in OpenPGP where a symmetric cipher is usable, and it is subject to the same usage requirements (such as its presence in the Preferred Symmetric Algorithms signature subpacket) as the other symmetric ciphers in OpenPGP. While the OpenPGP algorithm preferences system prevents interoperability problems with public key encrypted messages, if SM4 (or any other optional cipher) is used for encrypting private keys, there could be interoperability problems when migrating a private key from one system to another. A similar issue can arise when using an optional cipher for symmetrically encrypted messages, as this OpenPGP message type does not use the algorithm preferences system. Those using optional ciphers in this manner should take care they are using a cipher that their intended recipient can decrypt. 4. Supported Hash Algorithm: SM3 For a message m with length l ( l<2^64 ), SM3 hash algorithm generates a 256-bit hash value after padding and iterative compression. 4.1. Algorithm ID The following algorithm ID is added to expand section 9.4 of [RFC4880], " Hash Algorithms": ID Algorithm Text Name -- --------- --------- TID3 SM3[ISO-SM3] "SM3" Liu, et al. Expires August 24, 2023 [Page 2] Internet-Draft ShangMi(SM) Cipher for OpenPGP February 2023 4.2. Hash OID The table below specifies the exact sequence of bytes for the sm3 hash OID: +------------------------+------+------------------------+------+ | OID | Len | Encoding in hex format | Name | +------------------------+------+------------------------+------+ | 1.2.156.10197.1.401 | 8 | 2a 81 1c cf 55 01 83 11| sm3 | | | | | | +------------------------+------+------------------------+------+ 5. IANA Considerations IANA is requested to assign an algorithm number from the OpenPGP Public-Key Algorithms range(See section 2),a symmetric-key algorithm number from openPGP Symmetric-key Algorithm range(section 3),an hash Algorithm id from OpenPGP hash Algorithm range(section 4). +-------+-----------------------------+------------+ | ID | Algorithm | Reference | +-------+-----------------------------+------------+ | TID1 | SM2 public key algorithm | This doc | +-------+-----------------------------+------------+ | TID2 | SM4 symmetric-key algorithm | This doc | +-------+-----------------------------+------------+ | TID3 | SM3 hash algorithm | This doc | 6. Security Considerations At the time of writing, there are no known weak keys for SM cryptographic algorithms SM2, SM3 and SM4, and no security issues have been found for these algorithms. 7. References 7.1. Normative References [ISO-SM2] International Organization for Standardization, "ITSecurity techniques -- Digital signatures with appendix -- Part 3: Discrete logarithm based mechanisms", ISO/IEC 14888-3:2018, November 2018, . [ISO-SM3] International Organization for Standardization, "IT Security techniques -- Hash-functions -- Part 3: Dedicated hash- Liu, et al. Expires August 24, 2023 [Page 2] Internet-Draft ShangMi(SM) Cipher for OpenPGP February 2023 functions", ISO/IEC 10118-3:2018, October 2018, . [ISO-SM4] International Organization for Standardization, "Information technology -- Security techniques -- Encryption algorithms -- Part 3: Block ciphers", ISO/IEC 18033- 3:2010, December 2010, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, November 2007. [RFC6637] Jivsov, A., "Elliptic Curve Cryptography (ECC) in OpenPGP", RFC 6637, June 2012. 7.2. Informative References [GBT.32905-2016] Standardization Administration of China, "Information security technology --- SM3 cryptographic hash algorithm", GB/T 32905-2016, March 2017, . [GBT.32907-2016] Standardization Administration of the People's Republic of China, "Information security technology -- SM4 block cipher algorithm", GB/T 32907-2016, March 2017, . [GBT.32918.2-2016] Standardization Administration of the People's Republic of China, "Information security technology --- Public key cryptographic algorithm SM2 based on elliptic curves --- Part 2: Digital signature algorithm", GB/T 32918.2-2016, March 2017, . Liu, et al. Expires August 24, 2023 [Page 2] Internet-Draft ShangMi(SM) Cipher for OpenPGP February 2023 8. Acknowledgments This document reference draft [draft-ietf-regext-data-escrow-03], thus, would like to thank the draft author G. Lozano. And would like to thank X. Fan, J. Chen, C. Ma, M. Chen, Z. Li who provided special important suggestions and invaluable comments. This document was prepared using 2-Word-v2.0.template.dot. Authors' Addresses Yao Liu CAICT No.52 Huayuan North Road, Haidian District Beijing, Beijing, 100191 China Phone: +86 136 8310 4106 Email: liuyao1@caict.ac.cn Zhiping Li CAICT No.52 Huayuan North Road, Haidian District Beijing, Beijing, 100191 China Phone: +86 185 1107 1386 Email: lizhiping@caict.ac.cn Jian Chen CAICT No.52 Huayuan North Road, Haidian District Beijing, Beijing, 100191 China Phone: +86 138 1103 3332 Email: chenjian3@caict.ac.cn Liu, et al. Expires August 24, 2023 [Page 2] Internet-Draft ShangMi(SM) Cipher for OpenPGP February 2023 Xiaotian Fan CAICT No.52 Huayuan North Road, Haidian District Beijing, Beijing, 100191 China Phone: +86 134 0108 6945 Email: fanxiaotian@caict.ac.cn Liu, et al. Expires August 24, 2023 [Page 2]