PKIX Working Group Serguei Leontiev, CRYPTO-PRO Internet Draft DennisShefanovskij,Shefanovski, DEMOS Co Ltd ExpiresAugust 5, 2005 February 5,March 8, 2006 September 8, 2005 Intended Category: Informational Using the GOST R 34.10-94, GOST R 34.10-2001 and GOST R 34.11-94 algorithms with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile.<draft-ietf-pkix-gost-cppk-02.txt><draft-ietf-pkix-gost-cppk-03.txt> Status of this Memo By submitting this Internet-Draft,I certifyeach author represents that any applicable patent or other IPR claims of whichI amhe or she is aware have been or will be disclosed, and any of whichI becomehe or she becomes aware will be disclosed, in accordance withRFC 3668. This document is an Internet Draft and is subject to all provisions ofSection106 ofRFC2026. Internet DraftsBCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents asInternetInternet- Drafts.Internet DraftsInternet-Drafts are draft documents valid for a maximum of6six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to useInternet DraftsInternet-Drafts as reference material or to cite them other thanasa "work inprogress".progress." The list of currentInternet DraftsInternet-Drafts can be accessed athttp://www.ietf.org/1id-abstracts.htmlhttp://www.ietf.org/1id-abstracts.html. The list ofInternet DraftInternet-Draft Shadow Directories can be accessed athttp://www.ietf.org/shadow.htmlhttp://www.ietf.org/shadow.html. This Internet-Draft will expire on March 8, 2006. Copyright Notice Copyright (C) The Internet Society (2005).All Rights Reserved.Abstract This document supplements RFC 3279. It describes encoding formats, identifiers andappropriate parametersparameter formats for the algorithms GOST R 34.10-94, GOST R34.10-2001,34.10-2001 and GOST R34.11-94, and also ASN.1 encoding scheme34.11-94 fordigital signatures and public keys, useduse in Internet X.509 Public Key Infrastructure (PKI).This specification extends [RFC3279], "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" and, correspondingly, [RFC3280], "Internet X.509 Public Key Infrastructure: Certificate and Certificate Revocation List (CRL) Profile". All implementations of this specification MUST also satisfy the requirements of [RFC3280].Table of Contents 1 Introduction. . . . . . . . . . . . . . . . . . . . . . 2 2 Algorithm Support . . . . . . . . . . . . . . . . . . . 3 2.1 One-way Hash Function . . . . . . . . . . . . . . . . . 3 2.1.1 One-way Hash Function GOST R 34.11-94 . . . . . . . . . 3 2.2 Signature Algorithms. . . . . . . . . . . . . . . . . .43 2.2.1 Signature Algorithm GOST R 34.10-94 . . . . . . . . . . 4 2.2.2 Signature Algorithm GOST R 34.10-2001 . . . . . . . . . 5 2.3 Subject Public Key Algorithms . . . . . . . . . . . . .65 2.3.1 GOST R 34.10-94 Keys. . . . . . . . . . . . . . . . . . 6 2.3.2 GOST R 34.10-2001 Keys. . . . . . . . . . . . . . . . .87 3 Security Considerations . . . . . . . . . . . . . . . .109 4 Appendix Examples . . . . . . . . . . . . . . . . . . .1110 4.1 GOST R 34.10-94 Certificate . . . . . . . . . . . . . .1110 4.2 GOST R 34.10-2001 Certificate . . . . . . . . . . . . .1312 5 References. . . . . . . . . . . . . . . . . . . . . . .1615 Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . .1716 Author's Addresses . . . . . . . . . . . . . . . . . . . . . .1817 Full Copyright Statement . . . . . . . . . . . . . . . . . . .1918 1 Introduction The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. This documentdefines identifiers and corresponding algorithm parameters and attributes proposed by CRYPTO-PRO Company within "Russian Cryptographic Software Compatibility Agreement" communitysupplements RFC 3279 [PKALGS]. It describes the conventions for using thealgorithmsGOST R34.10-94,34.10-94 and GOST R34.10-2001,34.10-2001 signature algorithms, VKO GOST R34.11-94, key derivation algorithms based on34.10-94 and VKO GOST R34.10-94 public keys,34.10-2001 key derivationalgorithms based onalgorithms, and GOST R34.10-2001 public keys, and also ASN.1 encoding [X.660] for digital signatures and public keys, used34.11-94 one-way hash function in the Internet X.509 Public Key Infrastructure(PKI).(PKI) [PROFILE]. Thisspecification extends [RFC3279], "Algorithmsdocument is a proposal put forward by the CRYPT-PRO Company to provide supplemental information andIdentifiers forspecifications needed by theInternet X.509 Public Key Infrastructure Certificate"Russian Cryptographic Software Compatibility Agreement" community. The algorithm identifiers andCertificate Revocation List (CRL) Profile" and, correspondingly, [RFC3280], "Internet X.509 Public Key Infrastructure: Certificateassociated parameters for subject public keys that employ the GOST R 34.10-94 [GOSTR341094] / VKO GOST R 34.10-94 [CPALGS] or the GOST R 34.10-2001 [GOSTR341001] / VKO GOST R 34.10-2001 [CPALGS] algorithms, andCertificate Revocation List (CRL) Profile". All implementations of this specification MUST also satisfytherequirements of [RFC3280]. This specification definesencoding format for thecontent ofsignatures produced by these algorithms are specified. Also, thesignatureAlgorithm, signatureValue, signature, and subjectPublicKeyInfo fields within Internet X.509 certificates and CRLs. This document definesalgorithm identifiers for using theuse of one-way hash-functionGOST R 34.11-94[GOST3411] with digital signatures. This algorithm is used in conjunction with digital signature algorithms. This specification describes the encoding of digital signatures, generatedone-way hash function with thefollowing cryptographic algorithms: *GOST R34.10-94; *34.10-94 and GOST R34.10-2001.34.10-2001 signature algorithms are specified. Thisdocument alsospecification defines the contents of the signatureAlgorithm, signatureValue, signature, and subjectPublicKeyInfofield forfields within Internet X.509certificates.Certificates and CRLs. For each algorithm, the appropriate alternatives for the keyUsage certificate extension are provided.This specification describes encoding formats for public keys used with the following cryptographic algorithms: * GOST R 34.10-94 [GOST341094]; * GOST R 34.10-2001 [GOST34102001]; * Key derivation algorithm VKO GOST R 34.10-94 [CPALGS]; * Key derivation algorithm VKO GOST R 34.10-2001 [CPALGS];ASN.1 modules, including all the definitions used in this document can be found in [CPALGS]. 2 Algorithm Support This section is an overview of cryptographic algorithms, that may be used within the Internet X.509 certificates and CRL profile[RFC3280].[PROFILE]. It describes one-way hash functions and digital signature algorithms, that may be used to sign certificates and CRLs, and identifies OIDs and ASN.1 encoding for public keys contained in a certificate. The conforming CAs and/or applications MUST fully support digital signatures and public keys for at least one of the specified algorithms. 2.1 One-way Hash Function This section identifies the use of one-way, collision free hash function GOST R 34.11-94 - the only one that can be used in digital signature algorithms GOST R 34.10-94/2001. The data that is hashed for certificates and CRL signing is fully described in[RFC3280].RFC 3280 [PROFILE]. 2.1.1 One-way Hash Function GOST R 34.11-94 GOST R 34.11-94 has been developed by "GUBS of Federal Agency Government Communication and Information" and "All-Russian Scientific and Research Institute of Standardization". The algorithm GOST R 34.11-94 produces a 256-bit hash value of the arbitrary finite bit length input. This document does not contain the full GOST R 34.11-94fullspecification, which can be found in [GOSTR3411] in Russian.It's brief technical description in english can be found in [Schneier95],[Schneier95] ch. 18.11, p. 454. contains a brief technical description in English. This functionisMUST always be used withdefaultparameter setgostR3411CryptoProParamSetAIidentified by id-GostR3411-94-CryptoProParamSet (see section 8.2 of [CPALGS]). 2.2 Signature Algorithms Conforming CAs may use GOST R 34.10-94 or GOST R 34.10-2001 signature algorithms to sign certificates and CRLs.The signatureAlgorithm field of Certificate or CertificateList indicates theThese signaturealgorithm ID, and associated parameters. This section also defines algorithm identifiers and parameters that MUST be used in the signatureAlgorithm field in a Certificate or CertificateList. SignaturealgorithmsareMUST always be usedconjointlywith a one-way hash function GOST R 34.11-94 as indicated in [GOSTR341094] and[GOSTR34102001].[GOSTR341001]. This sectionidentifies OIDs for GOST R 34.10-94 and GOST R 34.10-2001 algorithms. The contents of the parameters component for eachdefines algorithmmay varyidentifiers anddetails are provided below for each algorithm separately.parameters to be used in the signatureAlgorithm field in a Certificate or CertificateList. 2.2.1 Signature Algorithm GOST R 34.10-94 GOST R 34.10-94 has been developed by "GUBS of Federal Agency Government Communication and Information" and "All-Russian Scientific and Research Institute of Standardization". Thissignature algorithm MUST be used conjointly with one-way, collision free hash function GOST R 34.11-94. Thisdocument does not contain the full GOST R 34.10-94standard description,specification, whichis fully described in [GOSTR341094] in Russian, and brief description in English couldcan be found in [GOSTR341094] in Russian. [Schneier95] ch. 20.3, p.495.495 contains a brief technical description in English. The ASN.1OIDobject identifier used to identifyGOST R 34.10-94this signature algorithmin fields signatureAlgorithm in Certificate and CertificateListis:id-CryptoPro-algorithmsid-GostR3411-94-with-GostR3410-94 OBJECT IDENTIFIER ::= { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) gostR3411-94-with-gostR3410-94(4) }id-GostR3411-94-with-GostR3410-94 OBJECT IDENTIFIER ::= { id-CryptoPro-algorithms gostR3411-94-with-gostR3410-94(4)} GostR3410-94-CertificateSignatureAlgorithms ALGORITHM-IDENTIFIER ::= { { NULL IDENTIFIED BY id-GostR3411-94-with-GostR3410-94 } | { GostR3410-94-PublicKeyParameters IDENTIFIED BY id-GostR3411-94-with-GostR3410-94 } } GostR3410-94-PublicKeyParameters are defined in section 2.3.1.When the id-GostR3411-94-with-GostR3410-94 algorithm identifier appears as the algorithm field in anAlgorithmIdentifier and parameters are omitted,AlgorithmIdentifier, theparameters fromencoding SHALL omit thepublic key ofparameters field. That is, thesigner's certificate MUSTAlgorithmIdentifier SHALL beused. Ifa SEQUENCE of one component: the OBJECT IDENTIFIER id-GostR3411-94-with-GostR3410-94. The parametersfromin thepublic keysubjectPublicKeyInfo field of thesigner'scertificateare also omited, and it's issuer's certificate hasof thesame public key algorithm, parameters fromissuer SHALL apply to thepublic keyverification of theissuer's certificate MUST be used, and so on.signature. Signature algorithm GOST R 34.10-94 generates digital signature in the form of two 256-bit numbers r' and s. Its octet string representation consists of 64 octets, where first 32 octets contain big endian representation of s and second 32 octets contain big endian representation of r'. Signature values in CMS [CMS] are represented as octet strings, and the output is used directly. However, signature values in certificates and CRLs [PROFILE] are represented as bit strings, and conversion is needed. To convert abinary 512-bit vector (<r'>256||<s>256). That is,signature value to a bit string, theleast-significant (1-st)most significant bit ofsignatureValue BIT STRING containstheleast-significant (1-st)first octet of the signature value SHALL become the first bit of<s>,the bit string, and so on through themost-significant (512th)least significant bit ofsignatureValue containsthemost-significant (256th)last octet of the signature value, which SHALL become the last bit of<r'>.the bit string. 2.2.2 Signature Algorithm GOST R 34.10-2001 GOST R 34.10-2001 was developed by "GUBS of Federal Agency Government Communication and Information" and "All-Russian Scientific and Research Institute of Standardization". Thissignature algorithm MUST be used conjointly with one-way, collision free hash function GOST R 34.11-94. Thisdocument does not contain the full GOST R 34.10-2001standard description,specification, whichis fully describedcan be found in[GOSTR34102001].[GOSTR341001] in Russian. The ASN.1OIDobject identifier used to identifyGOST R 34.10-2001this signature algorithmin fields signatureAlgorithm of Certificate and CertificateListis: id-GostR3411-94-with-GostR3410-2001 OBJECT IDENTIFIER ::= {id-CryptoPro-algorithmsiso(1) member-body(2) ru(643) rans(2) cryptopro(2) gostR3411-94-with-gostR3410-2001(3) }GostR3410-2001-CertificateSignatureAlgorithms ALGORITHM-IDENTIFIER ::= { { NULL IDENTIFIED BY id-GostR3411-94-with-GostR3410-2001 } | { GostR3410-2001-PublicKeyParameters IDENTIFIED BY id-GostR3411-94-with-GostR3410-2001 } } GostR3410-2001-PublicKeyParameters are defined in section 2.3.2.When the id-GostR3411-94-with-GostR3410-2001 algorithm identifier appears as the algorithm field in anAlgorithmIdentifier and parameters are omitted,AlgorithmIdentifier, theparameters fromencoding SHALL omit thepublic key ofparameters field. That is, thesigner's certificate MUSTAlgorithmIdentifier SHALL beused. Ifa SEQUENCE of one component: the OBJECT IDENTIFIER id-GostR3411-94-with-GostR3410-2001. The parametersfromin thepublic keysubjectPublicKeyInfo field of thesigner's certificate are also omited, and it's issuer'scertificatehasof thesame public key algorithm, parameters fromissuer SHALL apply to thepublic keyverification of theissuer's certificate MUST be used, and so on.signature. Signature algorithm GOST R 34.10-2001 generates digital signature in the form of two 256-bit numbers r' and s. Its octet string representation consists of 64 octets, where first 32 octets contain big endian representation of s and second 32 octets contain big endian representation of r'. Signature values in CMS [CMS] are represented as octet strings, and the output is used directly. However, signature values in certificates and CRLs [PROFILE] are represented as bit strings, and conversion is needed. To convert abinary 512-bit vector (<r'>256||<s>256). That is,signature value to a bit string, theleast-significant (1-st)most significant bit ofsignatureValue BIT STRING containstheleast-significant (1-st)first octet of the signature value SHALL become the first bit of<s>,the bit string, and so on through themost-significant (512th)least significant bit ofsignatureValue containsthemost-significant (256th)last octet of the signature value, which SHALL become the last bit of<r'>.the bit string. 2.3 Subject Public Key AlgorithmsIn according to [RFC3280] the certificates may contain a public key for any algorithm. Within the framework of this specification the only GOST R 34.10-94 and GOST R 34.10-2001 public key algorithms defined. The algorithm and associated parameters are definable as OID in certificate through ASN.1 structure AlgorithmIdentifier.This sectionidentifiesdefinesOIDOIDs and public key parameters for public keys that employ the GOST R 34.10-94and[GOSTR341094] / VKO GOST R 34.10-94 [CPALGS] or the GOST R 34.10-2001 [GOSTR341001] / VKO GOST R 34.10-2001 [CPALGS] algorithms.The appropriate CA MUST useUse of thepredefined OID issuing certificates containing public keyssame key forthese algorithms.both signature and key derivation is NOT RECOMMENDED. Theappropriate applications supporting any of these algorithms MUST fully recognizeintended application for theOID identifiedkey MAY be indicated inthis sectionthe keyUsage certificate extension (see [PROFILE], Section 4.2.1.3). 2.3.1 GOST R 34.10-94 KeysThis section defines OID and parameter encoding for inclusion ofGOST R 34.10-94 publickey in certificate. Such public keykeys can be used fordigitalsignaturevalidationalgorithm GOST R 34.10-94[GOSTR341094],[GOSTR341094] and for key derivation algorithm VKO GOST R 34.10-94 [CPALGS].An assumed cryptographic key usage MAY be specified by keyUsage extension [RFC3280]. The usage of the same key for signature and key derivation is NOT RECOMMENDED, but possible. Public key OID forGOST R 34.10-94declared in this document is:public keys are identified by the following OID: id-GostR3410-94 OBJECT IDENTIFIER ::= {id-CryptoPro-algorithmsiso(1) member-body(2) ru(643) rans(2) cryptopro(2) gostR3410-94(20) } SubjectPublicKeyInfo.algorithm.algorithm field (see[RFC3280])RFC 3280 [PROFILE]) for GOST R 34.10-94 keys MUST beid-GostR3410-94; SubjectPublicKeyInfo.algorithm.parametersid-GostR3410-94. When the id-GostR3410-94 algorithm identifier appears as the algorithm field in an AlgorithmIdentifier, the encoding MAY completely omit the parameters field or set it to null. Otherwise thiscasefield MUST have the following structure: GostR3410-94-PublicKeyParameters ::= SEQUENCE { publicKeyParamSet OBJECT IDENTIFIER, digestParamSet OBJECT IDENTIFIER, encryptionParamSet OBJECT IDENTIFIEROPTIONALDEFAULT id-Gost28147-89-CryptoPro-A-ParamSet } where: * publicKeyParamSet - public key parameters identifier for GOST R 34.10-94 (see section 8.3 of [CPALGS]) * digestParamSet - parameters identifier for GOST R 34.11-94 (see section 8.2 of [CPALGS]) * encryptionParamSet -optionalparameters identifier for GOST 28147-89 (see section 8.1 of [CPALGS])MAYAbsence of parameters SHALL bepresentprocessed as described inany certificate and MUST be present if keyUsage includes keyAgreement or keyEnchiperment. If GOST R 34.10-94 algorithmRFC 3280 [PROFILE], section 6.1, that is, parameters areomitted in subjectPublicKeyInfo, and CA signs subject certificate using GOST R 34.10-94, then GOST R 34.10-94 parameters takeninherited fromsubjectPublicKeyInfo field ofthe issuer certificateare applicable to public key ofif possible. The GOST R 34.10-94subject. That is, cryptographic parameters inheritance takes place. If subjectPublicKeyInfo AlgorithmIdentifier field contain no parameters, but CA sign certificate using signature algorithm different from GOST R 34.10-94, such certificate MUST be rejected by conforming applications. Publicpublic keyGOST R 34.10-94MUST be ASN.1 DER encodedin following way. In GOST R 34.10-94as an OCTET STRING; this encoding shall be used as the contents (i.e., the value) of the subjectPublicKey component (a BIT STRING) of the SubjectPublicKeyInfo data element. GostR3410-94-PublicKey ::= OCTET STRING -- public key, Y GostR3410-94-PublicKey MUST must contain 128 octets of the little- endian representation of the public keyis a number yY = a^x (mod p), where a and p -parameters, and y is a bit-vector (<y>1024), at that encoding should present <y>1024 (BIT STRING) as a vector holding data in a little-endian. At first, a key is presented as an OCTET STRING, and then, being DER-encoded, presented as a BIT STRING. GostR3410-94-PublicKey ::= BIT STRING GostR3410-94-PublicKeyOctetString ::= OCTET STRINGparameters. If the keyUsage extension is present in an end-entity certificate, which contains a GOST R 34.10-94 public key, the following values MAY be present: digitalSignature; nonRepudiation. keyEncipherment; keyAgreement. If the keyAgreement or keyEnchiperment extension is present in a certificate GOST R 34.10-94 public key, the following values MAY be present as well: encipherOnly; decipherOnly. The keyUsage extension MUST NOT assert both encipherOnly and decipherOnly. If the keyUsage extension is present in an CA or CRL signer certificate whichcontaincontains a GOST R 34.10-94 public key, the following values MAY be present: digitalSignature; nonRepudiation; keyCertSign; cRLSign. 2.3.2 GOST R 34.10-2001 KeysThis section defines OID and parameter encoding for inclusion ofGOST R 34.10-2001 publickey in certificate. Such public keykeys can be used fordigitalsignaturevalidationalgorithm GOST R 34.10-2001[GOSTR34102001],[GOSTR341001] and for key derivation algorithm VKO GOST R 34.10-2001 [CPALGS].An assumed cryptographic key usage MAY be specified by keyUsage extension [RFC3280]. The usage of the same key for signature and key derivation is NOT RECOMMENDED, but possible. Public key OID forGOST R 34.10-2001declared in this document is:public keys are identified by the following OID: id-GostR3410-2001 OBJECT IDENTIFIER ::= {id-CryptoPro-algorithmsiso(1) member-body(2) ru(643) rans(2) cryptopro(2) gostR3410-2001(19) } SubjectPublicKeyInfo.algorithm.algorithm field (see[RFC3280])RFC 3280 [PROFILE]) for GOST R 34.10-2001 keys MUST beid-GostR3410-2001; SubjectPublicKeyInfo.algorithm.parametersid-GostR3410-2001. When the id-GostR3410-2001 algorithm identifier appears as the algorithm field in an AlgorithmIdentifier, the encoding MAY completely omit the parameters field or set it to null. Otherwise thiscasefield MUST have the following structure: GostR3410-2001-PublicKeyParameters ::= SEQUENCE { publicKeyParamSet OBJECT IDENTIFIER, digestParamSet OBJECT IDENTIFIER, encryptionParamSet OBJECT IDENTIFIEROPTIONALDEFAULT id-Gost28147-89-CryptoPro-A-ParamSet } where: * publicKeyParamSet - public key parameters identifier for GOST R 34.10-2001 (see section 8.4 of [CPALGS]) * digestParamSet - parameters identifier for GOST R 34.11-94 (see section 8.2 of [CPALGS]) * encryptionParamSet -optionalparameters identifier for GOST 28147-89 (see section 8.1 of [CPALGS])MAYAbsence of parameters SHALL bepresentprocessed as described inany certificate and MUST be present if keyUsage includes keyAgreement or keyEnchiperment. If GOST R 34.10-2001 algorithmRFC 3280 [PROFILE], section 6.1, that is, parameters areomitted in subjectPublicKeyInfo, and CA signs subject certificate using GOST R 34.10-2001, then GOST R 34.10-2001 parameters takeninherited fromsubjectPublicKeyInfo field ofthe issuer certificateare applicable to public key of GOST R 34.10-2001 subject. That is, cryptographic parameters inheritance takes place. If subjectPublicKeyInfo AlgorithmIdentifier field contain no parameters, but CA sign certificate using signature algorithm different from GOST R 34.10-2001, such certificate MUST be rejected by conforming applications.if possible. The GOST R 34.10-2001 public key MUST be ASN.1 DER encodedin a following way. GOST R 34.10-2001 specifies thatas an OCTET STRING; this encoding shall be used as the contents (i.e., the value) of the subjectPublicKey component (a BIT STRING) of the SubjectPublicKeyInfo data element. GostR3410-2001-PublicKey ::= OCTET STRING -- public key vector, Q According to [GOSTR341001], public key is a point on the elliptic curve Q =dP,(x,y). GostR3410-2001-PublicKey MUST must contain 64 octets, whered is a private key, P is a base point, and Q presents in a way of 512-bit vector (<Xq>256||<Yq>256). This vector is DER-encoded as two data blocks. At first, <Xq>256 block, then <Yq>256 block. subjectPublicKey field BIT STRING type is presented as a taken up object GostR3410-2001-PublicKeyOctetString. At that, least-significant of thefirstoctet (GostR3410-2001-PublicKeyOctetString[0]) corresponds to least- significant (1-st)32 octets contain little endian representation ofvector <Xq>256||<Yq>256 (Yq1 = (GostR3410-2001-PublicKeyOctetString[0] & 1)). Whereas most-significantx and second 32 octets contain little endian representation of64-th octet (GostR3410-2001-PublicKeyOctetString[63])y. This corresponds tomost- significant (512-d) of vector <Xq>256||<Yq>256 (Xq256 = ((GostR3410-2001-PublicKeyOctetString[63] & 0x80)>>7)). In other words, <Xq>256||<Yq>256 vector is stored in little-endian, that correspondthe binaryvector form and their concatenation in GOST R 34.10-2001representation of (<y>256||<x>256) from [GOSTR341001], ch. 5.3.At first, key is placed in OCTET STRING, than is DER-encoded and placed in BIT STRING. GostR3410-2001-PublicKey ::= BIT STRING GostR3410-2001-PublicKeyOctetString ::= OCTET STRINGIf the keyUsage extension is present in an end-entity certificate, whichconveyscontains a GOST R 34.10-2001 public key, the following values MAY be present: digitalSignature, nonRepudiation, keyEncipherment, keyAgreement. If the keyAgreement or keyEnchiperment extension is present in a certificate, the following values MAY be present: encipherOnly, decipherOnly. The keyUsage extension MUST NOT assert both encipherOnly and decipherOnly. If the keyUsage extension is present in an CA or CRL signer certificate whichcontaincontains a GOST R 34.10-2001 public key, the following values MAY be present: digitalSignature, nonRepudiation, keyCertSign, cRLSign. 3 Security Considerations It isRECCOMENDED,RECOMMENDED, that applications verify signature values and subject public keys to conform to[GOSTR34102001],[GOSTR341001] [GOSTR341094] standards prior to their use. When certificate is used as analogue to a manual signing, in the context of Russian Federal Digital Signature Law [RFDSL], certificate MUST contain keyUsage extension, it MUST be critical, and keyUsage MUST NOT include keyEncipherment and keyAgreement. When certificate validity period (typicaly 5 years for end entities and 7 years for CAs in Russia) is not equal to the private key validity period (typicaly 15 months in Russia) it isRECOMENDEDRECOMMENDED to use private key usage period extension. For security discussion concerning use of algorithm parameters, see section Security Considerations from [CPALGS]. 4 Appendix Examples 4.1 GOST R 34.10-94 Certificate -----BEGIN CERTIFICATE----- MIICCzCCAboCECMO42BGlSTOxwvklBgufuswCAYGKoUDAgIEMGkxHTAbBgNVBAMM FEdvc3RSMzQxMC05NCBleGFtcGxlMRIwEAYDVQQKDAlDcnlwdG9Qcm8xCzAJBgNV BAYTAlJVMScwJQYJKoZIhvcNAQkBFhhHb3N0UjM0MTAtOTRAZXhhbXBsZS5jb20w HhcNMDUwODE2MTIzMjUwWhcNMTUwODE2MTIzMjUwWjBpMR0wGwYDVQQDDBRHb3N0 UjM0MTAtOTQgZXhhbXBsZTESMBAGA1UECgwJQ3J5cHRvUHJvMQswCQYDVQQGEwJS VTEnMCUGCSqGSIb3DQEJARYYR29zdFIzNDEwLTk0QGV4YW1wbGUuY29tMIGlMBwG BiqFAwICFDASBgcqhQMCAiACBgcqhQMCAh4BA4GEAASBgLuEZuF5nls02CyAfxOo GWZxV/6MVCUhR28wCyd3RpjG+0dVvrey85NsObVCNyaE4g0QiiQOHwxCTSs7ESuo v2Y5MlyUi8Go/htjEvYJJYfMdRv05YmKCYJo01x3pg+2kBATjeM+fJyR1qwNCCw+ eMG1wra3Gqgqi0WBkzIydvp7MAgGBiqFAwICBANBABHHCH4S3ALxAiMpR3aPRyqB g1DjB8zy5DEjiULIc+HeIveF81W9lOxGkZxnrFjXBSqnjLeFKgF1hffXOAP7zUM= -----END CERTIFICATE----- 0 30527:523: SEQUENCE { 4 30444:442: SEQUENCE { 8 02 16: INTEGER :17 31 2A C2 1B D2 08 58 BC 04 1E 52 37 D0 74 5023 0E E3 60 46 95 24 CE C7 0B E4 94 18 2E 7E EB 26 3010:8: SEQUENCE { 28 06 6: OBJECT IDENTIFIER :id_GostR3411_94_with_GostR3410_94 : ( 1id-GostR3411-94-with-GostR3410-94 (1 2 643 2 2 4)36 05 0: NULL: }3836 30 105: SEQUENCE {4038 31 29: SET {4240 30 27: SEQUENCE {4442 06 3: OBJECT IDENTIFIER:commonName (2 5 4 3)4947 0C 20: UTF8String 'GostR3410-94 example' : } : }7169 31 18: SET {7371 30 16: SEQUENCE {7573 06 3: OBJECT IDENTIFIER:organizationName (2 5 4 10)8078 0C 9: UTF8String 'CryptoPro' : } : }9189 31 11: SET {9391 30 9: SEQUENCE {9593 06 3: OBJECT IDENTIFIER:countryName (2 5 4 6)10098 13 2: PrintableString 'RU' : } : }104102 31 39: SET {106104 30 37: SEQUENCE {108106 06 9: OBJECT IDENTIFIER:emailAddress (1 2 840 113549 1 9 1)119117 16 24: IA5String 'GostR3410-94@example.com' : } : } : }145143 30 30: SEQUENCE {147145 17 13: UTCTime'050203151651Z' 162'050816123250Z' 160 17 13: UTCTime'150203151651Z''150816123250Z' : }177175 30 105: SEQUENCE {179177 31 29: SET {181179 30 27: SEQUENCE {183181 06 3: OBJECT IDENTIFIER:commonName (2 5 4 3)188186 0C 20: UTF8String 'GostR3410-94 example' : } : }210208 31 18: SET {212210 30 16: SEQUENCE {214212 06 3: OBJECT IDENTIFIER:organizationName (2 5 4 10)219217 0C 9: UTF8String 'CryptoPro' : } : }230228 31 11: SET {232230 30 9: SEQUENCE {234232 06 3: OBJECT IDENTIFIER:countryName (2 5 4 6)239237 13 2: PrintableString 'RU' : } : }243241 31 39: SET {245243 30 37: SEQUENCE {247245 06 9: OBJECT IDENTIFIER:emailAddress (1 2 840 113549 1 9 1)258256 16 24: IA5String 'GostR3410-94@example.com' : } : } : }284282 30 165: SEQUENCE {287285 30 28: SEQUENCE {289287 06 6: OBJECT IDENTIFIER: id_GostR3410_94 ( 1id-GostR3410-94 (1 2 643 2 2 20)297295 30 18: SEQUENCE {299297 06 7: OBJECT IDENTIFIER :id_GostR3410_94_CryptoPro_A_ParamSetid-GostR3410-94-CryptoPro-A-ParamSet :( 1(1 2 643 2 2 32 2)308306 06 7: OBJECT IDENTIFIER :id_GostR3411_94_CryptoProParamSetid-GostR3411-94-CryptoProParamSet :( 1(1 2 643 2 2 30 1) : } : }317315 03 132: BIT STRING 0 unused bits, encapsulates {321319 04 128: OCTET STRING : BB 84 66 E1 79 9E 5B 34 D8 2C 80 7F 13 A8 19 66 : 71 57 FE 8C 54 25 21 47 6F 30 0B 27 77 46 98 C6 : FB 47 55 BE B7 B2 F3 93 6C 39 B5 42 37 26 84 E2 : 0D 10 8A 24 0E 1F 0C 42 4D 2B 3B 11 2B A8 BF 66 : 39 32 5C 94 8B C1 A8 FE 1B 63 12 F6 09 25 87 CC : 75 1B F4 E5 89 8A 09 82 68 D3 5C 77 A6 0F B6 90 : 10 13 8D E3 3E 7C 9C 91 D6 AC 0D 08 2C 3E 78 C1 : B5 C2 B6 B7 1A A8 2A 8B 45 81 93 32 32 76 FA 7B : } : } : }452450 3010:8: SEQUENCE {454452 06 6: OBJECT IDENTIFIER :id_GostR3411_94_with_GostR3410_94 ( 1id-GostR3411-94-with-GostR3410-94 (1 2 643 2 2 4)462 05 0: NULL: }464460 03 65: BIT STRING 0 unused bits :71 28 D8 4E 9A 38 33 FE 2E 4211 C7 08 7E 12 DC 02CEF1 02 23 29 47 76 8F 47 2A : 81 83 50 E3 07 CC F2 E4 31 23 89 42 C8AC B373 E1 DE :F6 9122 F7 85 F3 55 BD 94 EC 4690 37 1A CA 6B 16 6191 9C 67 AC 58 D7 0595 BF B0 99 D2:94 CC F02A A7 8CCC CE 45B7 85 2A 015B 71 87 B1 48 C2 16 96 : A7 15 90 DF 83 6C EE 37 ED E4 4F EE BD E2 7F 4175 85 F7 D7 38 03 FB CD 43 : } In the signature of the above certificate, r' equals to 0x22F785F355BD94EC46919C67AC58D7052AA78CB7852A017585F7D73803FBCD43 and s equals to 0x11C7087E12DC02F102232947768F472A818350E307CCF2E431238942C873E1DE 4.2 GOST R 34.10-2001 Certificate -----BEGIN CERTIFICATE----- MIIB0DCCAX8CECv1xh7CEb0Xx9zUYma0LiEwCAYGKoUDAgIDMG0xHzAdBgNVBAMM Fkdvc3RSMzQxMC0yMDAxIGV4YW1wbGUxEjAQBgNVBAoMCUNyeXB0b1BybzELMAkG A1UEBhMCUlUxKTAnBgkqhkiG9w0BCQEWGkdvc3RSMzQxMC0yMDAxQGV4YW1wbGUu Y29tMB4XDTA1MDgxNjE0MTgyMFoXDTE1MDgxNjE0MTgyMFowbTEfMB0GA1UEAwwW R29zdFIzNDEwLTIwMDEgZXhhbXBsZTESMBAGA1UECgwJQ3J5cHRvUHJvMQswCQYD VQQGEwJSVTEpMCcGCSqGSIb3DQEJARYaR29zdFIzNDEwLTIwMDFAZXhhbXBsZS5j b20wYzAcBgYqhQMCAhMwEgYHKoUDAgIkAAYHKoUDAgIeAQNDAARAhJVodWACGkB1 CM0TjDGJLP3lBQN6Q1z0bSsP508yfleP68wWuZWIA9CafIWuD+SN6qa7flbHy7Df D2a8yuoaYDAIBgYqhQMCAgMDQQA8L8kJRLcnqeyn1en7U23Sw6pkfEQu3u0xFkVP vFQ/3cHeF26NG+xxtZPz3TaTVXdoiYkXYiD02rEx1bUcM97i -----END CERTIFICATE----- 0 30468:464: SEQUENCE { 4 30385:383: SEQUENCE { 8 02 16: INTEGER :48 E9 54 A5 CF E9 692B F5C9 5C F7 55 E7 83 41 AFC6 1E C2 11 BD 17 C7 DC D4 62 66 B4 2E 21 26 3010:8: SEQUENCE { 28 06 6: OBJECT IDENTIFIER :id_GostR3411_94_with_GostR3410_2001 : ( 1id-GostR3411-94-with-GostR3410-2001 (1 2 643 2 2 3)36 05 0: NULL: }3836 30 109: SEQUENCE {4038 31 31: SET {4240 30 29: SEQUENCE {4442 06 3: OBJECT IDENTIFIER:commonName (2 5 4 3)4947 0C 22: UTF8String 'GostR3410-2001 example' : } : }7371 31 18: SET {7573 30 16: SEQUENCE {7775 06 3: OBJECT IDENTIFIER:organizationName (2 5 4 10)8280 0C 9: UTF8String 'CryptoPro' : } : }9391 31 11: SET {9593 30 9: SEQUENCE {9795 06 3: OBJECT IDENTIFIER:countryName (2 5 4 6)102100 13 2: PrintableString 'RU' : } : }106104 31 41: SET {108106 30 39: SEQUENCE {110108 06 9: OBJECT IDENTIFIER:emailAddress (1 2 840 113549 1 9 1)121119 16 26: IA5String 'GostR3410-2001@example.com' : } : } : }149147 30 30: SEQUENCE {151149 17 13: UTCTime'050203151646Z' 166'050816141820Z' 164 17 13: UTCTime'150203151646Z''150816141820Z' : }181179 30 109: SEQUENCE {183181 31 31: SET {185183 30 29: SEQUENCE {187185 06 3: OBJECT IDENTIFIER:commonName (2 5 4 3)192190 0C 22: UTF8String 'GostR3410-2001 example' : } : }216214 31 18: SET {218216 30 16: SEQUENCE {220218 06 3: OBJECT IDENTIFIER:organizationName (2 5 4 10)225223 0C 9: UTF8String 'CryptoPro' : } : }236234 31 11: SET {238236 30 9: SEQUENCE {240238 06 3: OBJECT IDENTIFIER:countryName (2 5 4 6)245243 13 2: PrintableString 'RU' : } : }249247 31 41: SET {251249 30 39: SEQUENCE {253251 06 9: OBJECT IDENTIFIER:emailAddress (1 2 840 113549 1 9 1)264262 16 26: IA5String 'GostR3410-2001@example.com' : } : } : }292290 30 99: SEQUENCE {294292 30 28: SEQUENCE {296294 06 6: OBJECT IDENTIFIER: id_GostR3410_2001 ( 1id-GostR3410-2001 (1 2 643 2 2 19)304302 30 18: SEQUENCE {306304 06 7: OBJECT IDENTIFIER :id_GostR3410_2001_CryptoPro_XchA_ParamSetid-GostR3410-2001-CryptoPro-XchA-ParamSet :( 1(1 2 643 2 2 36 0)315313 06 7: OBJECT IDENTIFIER :id_GostR3411_94_CryptoProParamSetid-GostR3411-94-CryptoProParamSet :( 1(1 2 643 2 2 30 1) : } : }324322 03 67: BIT STRING 0 unused bits, encapsulates {327325 04 64: OCTET STRING : 84 95 68 75 60 02 1A 40 75 08 CD 13 8C 31 89 2C : FD E5 05 03 7A 43 5C F4 6D 2B 0F E7 4F 32 7E 57 : 8F EB CC 16 B9 95 88 03 D0 9A 7C 85 AE 0F E4 8D : EA A6 BB 7E 56 C7 CB B0 DF 0F 66 BC CA EA 1A 60 : } : } : }393391 3010:8: SEQUENCE {395393 06 6: OBJECT IDENTIFIER :id_GostR3411_94_with_GostR3410_2001 ( 1id-GostR3411-94-with-GostR3410-2001 (1 2 643 2 2 3)403 05 0: NULL: }405401 03 65: BIT STRING 0 unused bits :1F 0E 5D3C 2F C9 09 44 B7 27 A9 EC A7 D5 E9 FB 53 6D D2 : C3F6 B0 FC E8 8D BC 7C 8E 13 AEAA 64BF7C 44 2E DE ED 31 16 45 4F BC 54 3F DD :2A 38 1E 9D 2C 7F 3D DC B0 CE 94 52 4A 75 D1 53C1 DE 17 6E 8D 1B EC 71 B5 93 F3 DD 36 93 55 77 :B6 E3 BA 1F 34 92 B7 B6 C2 DB68 89 89 17 62 20 F4 DA B1 31 D5 B5 1C 33 DE E2E3 51 AA B3 : 79 FA E5 19 BD 75 5A 91 D8 AE F5 85 83 E1 5C 2C: } In the public key of the above certificate, x equals to 0x577E324FE70F2B6DF45C437A0305E5FD2C89318C13CD0875401A026075689584 and y equals to 0x601AEACABC660FDFB0CBC7567EBBA6EA8DE40FAE857C9AD0038895B916CCEB8F In the signature of the above certificate, r' equals to 0xC1DE176E8D1BEC71B593F3DD36935577688989176220F4DAB131D5B51C33DEE2 and s equals to 0x3C2FC90944B727A9ECA7D5E9FB536DD2C3AA647C442EDEED3116454FBC543FDD 5 References Normative references: [GOST28147] "Cryptographic Protection for Data ProcessingSys- tem",System", GOST 28147-89, Gosudarstvennyi Standard of USSR,GovernmentGov- ernment Committee of the USSR for Standards, 1989. (In Russian); [GOSTR341094] "Information technology. Cryptographic Data Security. Produce and check procedures of Electronic DigitalSignaturesSig- natures based on Asymmetric CryptographicAlgo- rithm.",Algorithm.", GOST R 34.10-94, Gosudarstvennyi Standard of Russian Federation, Government Committee of theRus- siaRussia for Standards, 1994. (In Russian);[GOSTR34102001][GOSTR341001] "Information technology. Cryptographic data security. Signature and verification processes of [electronic] digital signature.", GOST R 34.10-2001,Gosudarstven- nyiGosudarstvennyi Standard of Russian Federation, GovernmentCom- mitteeCommittee of the Russia for Standards, 2001. (InRus- sian);Russian); [GOSTR341194] "Information technology. Cryptographic Data Security. Hashing function.", GOST R 34.10-94, Gosudarstvennyi Standard of Russian Federation, Government Committee of the Russia for Standards, 1994. (In Russian);[RFDSL] Russian Federal Digital Signature Law, 10 Jan 2002 N1-FZ[CPALGS] "Additional cryptographic algorithms for use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 algorithms", V. Popov, I.Kurep- kin,Kurepkin, S.Leontiev, February 2004, draft-popov-crypto- pro-cpalgs-01.txtLeon- tiev, September 2005, draft-popov-cryptopro- cpalgs-04.txt work in progress;[Schneier95] B. Schneier, Applied cryptography, second edition, John Wiley & Sons, Inc., 1995; [RFC3280][PROFILE] Housley, R., Polk, W., Ford, W. and D. Solo,"Internet"Inter- net X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.[RFC3279] Algorithms[PKALGS] L. Bassham, W. Polk, R. Housley, "Algorithms and Identifiers for the Internet X.509 Public KeyInfrastructureInfras- tructure Certificate and Certificate Revocation List (CRL)Profile. L. Bassham, W. Polk, R. Housley.Profile", RFC 3279, April 2002.[RFC2119] Bradner, S., "Key Words for Use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [TLS] The TLS Protocol Version 1.0. T. Dierks, C. Allen. January 1999, RFC 2246.[X.660] ITU-T Recommendation X.660 Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) andDis- tinguishedDistin- guished Encoding Rules (DER), 1997. Informative references: [Schneier95] B. Schneier, Applied cryptography, second edition, John Wiley & Sons, Inc., 1995; [RFDSL] Russian Federal Digital Signature Law, 10 Jan 2002 N1-FZ [RFC2119] Bradner, S., "Key Words for Use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004. Acknowledgments This document was created in accordance with "Russian Cryptographic Software Compatibility Agreement", signed by FGUE STC "Atlas", CRYPTO-PRO,Factor-TC,Factor-TS, MD PREI, Infotecs GmbH, SPRCIS (SPbRCZI), Cryptocom, R-Alpha. The goal of this agreement is to achieve mutual compatibility of the products and solutions. The authors wish to thank: Microsoft Corporation Russia for provided information about company products and solutions, and also for technical consulting in PKI. RSA Security Russia and Demos Co Ltd for active colaboration and critical help in creation of this document. RSA Security Inc for compatibility testing of the proposed data formats while incorporating them into RSA Keon product. Baltimore Technology plc for compatibility testing of the proposed data formats while incorporating them into UniCERT product. Russ Hously (Vigil Security, LLC, housley@vigilsec.com) and Vasilij Sakharov (DEMOS Co Ltd, svp@dol.ru) for initiative creating this document. Grigorij Chudov for navigating the IETF process for this document. This document is based on a contribution of CRYPTO-PRO company. Any substantial use of the text from this document must reference CRYPTO- PRO. CRYPTO-PRO requests that all material mentioning or referencing this document identify this as "CRYPTO-PRO CPPK". Author's Addresses Serguei Leontiev CRYPTO-PRO 38, Obraztsova, Moscow, 127018, Russian Federation EMail: lse@cryptopro.ru Dennis Shefanovski DEMOS Co Ltd 6/1, Ovchinnikovskaja naberezhnaya, Moscow, 113035, Russian Federation EMail: sdb@dol.ru Grigorij Chudov CRYPTO-PRO 38, Obraztsova, Moscow, 127018, Russian Federation EMail: chudov@cryptopro.ru Alexandr AfanasievFactor-TCFactor-TS office 711, 14, Presnenskij val, Moscow, 123557, Russian Federation EMail:aaaf@factor-ts.ruafa1@factor-ts.ru Nikolaj Nikishin Infotecs GmbH p/b 35, 80-5, Leningradskij prospekt, Moscow, 125315, Russian Federation EMail: nikishin@infotecs.ru Boleslav Izotov FGUE STC "Atlas" 38, Obraztsova, Moscow, 127018, Russian Federation EMail:izotov@stcnet.ruizotov@nii.voskhod.ru Elena Minaeva MD PREI build 3, 6A, Vtoroj Troitskij per., Moscow, Russian Federation EMail:evminaeva@mo.msk.ruevminaeva@mail.ru Serguei Murugov R-Alpha 4/1, Raspletina, Moscow, 123060, Russian Federation EMail:msm@office.ru Igorimsm@top-cross.ru Igor Ustinov Cryptocom office 239, 51, Leninskij prospekt, Moscow, 119991, Russian Federation EMail: igus@cryptocom.ru Anatolij Erkin SPRCIS (SPbRCZI) 1, Obrucheva, St.Petersburg, 195220, Russian Federation EMail: erkin@nevsky.netFull Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Full Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society.