Network Working Group W. Conner Internet-Draft A. Langley Intended status: Informational R. Sleevi Expires:OctoberDecember 16, 2017 Google A. Popov MicrosoftAprilJune 14, 2017 BLAKE2 Algorithms and Identifiers for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profiledraft-wconner-blake2sigs-00draft-wconner-blake2sigs-01 Abstract This document describes the conventions for using the BLAKE2b-512 hash function with each of the followingsignaturealgorithms: RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP), RSA Probabilistic Signature Scheme (RSASSA-PSS), RSA Public-Key Cryptography Standards #1 version 1.5(RSA(RSASSA PKCS#1 v1.5),RSA ProbabilisticDigital SignatureScheme (RSASSA-PSS), RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP),Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), and Edwards-curve Digital Signature Algorithm (EdDSA). This specification applies to the Internet X.509 Public Key Infrastructure (PKI) when digital signatures are used to sign certificates and certificate revocation lists (CRLs). This document also specifies the object identifiers(OIDs)for the combinations of the BLAKE2b-512 hash function with the aforementionedsignaturealgorithms. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire onOctoberDecember 16, 2017. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Algorithm Support . . . . . . . . . . . . . . . . . . . . . . 3 2.1.RSA PKCS#1 v1.5BLAKE2b-512 One-Way Hash Function . . . . . . . . . . . . 3 2.2. BLAKE2b-512 Mask Generation Function . . . . . . . . . . 32.2. RSASSA-PSS2.3. RSAES-OAEP with BLAKE2b-512 . . . . . . . . . . . . . . . 4 2.4. RSASSA-PSS with BLAKE2b-512 . . . . . . . .3 2.3. RSAES-OAEP. . . . . . . 5 2.5. RSASSA PKCS#1 v1.5 with BLAKE2b-512 . . . . . . . . . . . 5 2.6. DSA with BLAKE2b-512 . . . . .3 2.4. ECDSA. . . . . . . . . . . . . 6 2.7. ECDSA with BLAKE2b-512 . . . . . . . . . . . . .4 2.5.. . . . 6 2.8. EdDSA with BLAKE2b-512 . . . . . . . . . . . . . . . . . 6 3. Security Considerations . . . . . . . . . . .4 3.. . . . . . . . 6 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . .4 4.7 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . .4 5.7 6. Normative References . . . . . . . . . . . . . . . . . . . .47 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .58 1. Introduction The SHA-2 family of hash functions is currently the only secure and widely supported option for digital signatures in the PKIXecosystem.ecosystem [FIPS-180-4]. While there is no reason to be seriously concerned about the security of SHA-2, which is still acceptable according to NIST SP 800-131A rev. 1 [SP-800-131A], numerous previous hash functions have eventually suffered from collision attacks and needed to be replaced. Since it takes a very long time to establish support for new primitives in the PKIX ecosystem, it seems prudent to have an alternative prepared. This document specifies object identifiers(OIDs)to identify the combination of the BLAKE2b-512 [BLAKE2] hash function with each ofRSARSAES-OAEP, RSASSA-PSS, RSASSA PKCS#1 v1.5,RSASSA-PSS, RSAES-OAEP,DSA, ECDSA, and EdDSA. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Algorithm Support This section describes thesignaturealgorithms and correspondingOIDs,object identifiers, which may be used in conjunction with the BLAKE2b-512 hash function. 2.1. BLAKE2b-512 One-Way Hash Function [BLAKE2] specifies the BLAKE2 family of hash functions, including the BLAKE2b-512 hash function. The BLAKE2b-512 hash function is optimized for 64-bit platforms and produces 64-byte message digests. TheOIDsobject identifier for the BLAKE2b-512 hash algorithm is specified in [RFC7693] and included below for reference. id-blake2b512 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) kudelski(1722) cryptography(12) hashAlgs(2) blake2b(1) 16 } The object identifiers for the encryption and signature algorithms that use the BLAKE2b-512 hash function willbe assignedappear under the followingOID arc, which is based on the OID treearcs derived from [RFC7693].sigAlgsencAlgs OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) kudelski(1722) cryptography(12) 4 }2.1. RSA PKCS#1 v1.5 [RFC2313]sigAlgs OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) kudelski(1722) cryptography(12) 5 } 2.2. BLAKE2b-512 Mask Generation Function [RFC4055] specifies theRSA PKCS #1 v1.5 signature algorithm.object identifier for the mask generation function MGF1, which is included below for reference. id-mgf1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 8 } The algorithm identifiers for the BLAKE2b-512 hash function and the mask generation function MGF1 that uses the BLAKE2b-512 hash function are the following. blake2b512Identifier AlgorithmIdentifier ::= { id-blake2b512, NULL } mgf1Blake2b512Identifier AlgorithmIdentifier ::= { id-mgf1, blake2b512Identifier } 2.3. RSAES-OAEP with BLAKE2b-512 [RFC4055] specifies the RSAES-OAEP algorithm and parameters. The sequence for the parameters is included below for reference. RSAES-OAEP-params ::= SEQUENCE { hashFunc [0] AlgorithmIdentifier DEFAULT sha1Identifier, maskGenFunc [1] AlgorithmIdentifier DEFAULT mgf1SHA1Identifier, pSourceFunc [2] AlgorithmIdentifier DEFAULT pSpecifiedEmptyIdentifier } This section specifies a singleOIDobject identifier to identify the combination ofBLAKE2b-512RSAES-OAEP withRSA PKCS#1 v1.5. id-rsaEncryption-with-blake2b512BLAKE2b-512. id-RSAEP-OAEP-with-blake2b512 OBJECT IDENTIFIER ::=TBD 2.2.{ engAlgs 1 } Using id-RSAEP-OAEP-with-blake2b512 requires the following RSAES-OAEP parameters. RSAES-OAEP-blake2b512-params RSAES-OAEP-params ::= { hashFunc blake2b512Identifier, maskGenFunc mgf1Blake2b512Identifier, pSourceFunc pSpecifiedEmptyIdentifier } 2.4. RSASSA-PSS with BLAKE2b-512 [RFC4055] specifies the RSASSA-PSSsignature algorithm.algorithm and parameters. The sequence for the parameters is included below for reference. RSASSA-PSS-params ::= SEQUENCE { hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier, maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier, saltLength [2] INTEGER DEFAULT 20, trailerField [3] INTEGER DEFAULT 1 } This section specifies a singleOIDobject identifier to identify the combination ofBLAKE2b-512RSASSA-PSS withRSASSA-PSS.BLAKE2b-512. id-RSASSA-PSS-with-blake2b512 OBJECT IDENTIFIER ::=TBD 2.3. RSAES-OAEP [RFC4055]{ sigAlgs 1 } Using id-RSASSA-PSS-with-blake2b512 requires the following RSASSA-PSS parameters. RSASSA-PSS-blake2b512-params RSASSA-PSS-params ::= { hashAlgorithm blake2b512Identifier, maskGenAlgorithm mgf1Blake2b512Identifier, saltLength 20, trailerField 1 } 2.5. RSASSA PKCS#1 v1.5 with BLAKE2b-512 [RFC2313] specifies theRSAES-OAEPRSASSA PKCS #1 v1.5 signature algorithm. This section specifies a singleOIDobject identifier to identify the combination of RSASSA PKCS#1 v1.5 with BLAKE2b-512. id-rsassa-pkcs1-v1_5-with-blake2b512 OBJECT IDENTIFIER ::= { sigAlgs 2 } 2.6. DSA with BLAKE2b-512 NIST FIPS PUB 186-4 [FIPS-186-4] specifies the DSA signature algorithm. This section specifies a single object identifier to identify the combination of DSA withRSAES-OAEP. id-RSAEP-OAEP-with-blake2b512BLAKE2b-512. id-dsa-with-blake2b512 OBJECT IDENTIFIER ::=TBD 2.4.{ sigAlgs 3 } 2.7. ECDSA with BLAKE2b-512 NIST FIPS PUB 186-4 [FIPS-186-4] specifies the ECDSA signature algorithm. [RFC5758] specifies identifiers for using the SHA-2 family of hash functions with ECDSA. This section specifies a singleOIDobject identifier to identify the combination ofBLAKE2b-512ECDSA withECDSA.BLAKE2b- 512. id-ecdsa-with-blake2b512 OBJECT IDENTIFIER ::=TBD 2.5.{ sigAlgs 4 } 2.8. EdDSA with BLAKE2b-512 [RFC8032] specifies the EdDSAsignaturealgorithm. This section specifiestwo OIDsa single object identifier to identify the combination ofBLAKE2b-512EdDSA with theedwards25519 andedwards448curves. id-Ed25519-with-blake2b512 OBJECT IDENTIFIER ::= TBDcurve and BLAKE2b-512 hash function. id-Ed448-with-blake2b512 OBJECT IDENTIFIER ::=TBD{ sigAlgs 5 } 3.IANASecurity ConsiderationsNoneFor BLAKE2-specific security considerations, Section 4 of [BLAKE2] includes a brief security analysis of the BLAKE2 hash algorithm. The BLAKE hash algorithm, which was the predecessor of BLAKE2, was analyzed as part of the SHA-3 competition [BLAKE]. The BLAKE2 hash algorithm builds on BLAKE with some tweaks. For general PKIX Certificate and CRL Profile security considerations, Section 8 of [RFC5280] provides a good overview. 4. IANA Considerations Although the algorithm identifiers are currently specified under the object identifier arc specified in [RFC7693], the authors would not oppose the assignment of these algorithms to object identifiers in a more suitable location under the IANA object identifier space in future drafts. 5. Acknowledgements The authors would like to thank the [BLAKE2] designers for answering our questions about BLAKE2 and allowing us to use their object identifier space. In particular, our email exchanges with Jean- Philippe Aumasson were very helpful.5.The authors would also like to thank the participants of the LAMPS working group who provided valuable feedback. 6. Normative References [BLAKE] Aumasson, J., Henzen, L., Meier, W., and R. Phan, "SHA-3 proposal BLAKE", December 2010, <https://131002.net/blake/ blake.pdf>. [BLAKE2] Aumasson, J., Neves, S., Wilcox-O'Hearn, Z., and C. Winnerlein, "BLAKE2: simpler, smaller, fast as MD5", January 2013, <https://blake2.net/blake2_20130129.pdf>. [FIPS-180-4] National Institute of Standards and Technology, "Secure Hash Standard (SHS)", FIPS PUB 180-4, August 2015, <https://dx.doi.org/10.6028/NIST.FIPS.180-4.pdf>. [FIPS-186-4] National Institute of Standards and Technology, "Digital Signature Standard (DSS)", FIPS PUB 186-4, July 2013, <https://dx.doi.org/10.6028/NIST.FIPS.186-4>. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC2313] Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC 2313, DOI 10.17487/RFC2313, March 1998, <http://www.rfc-editor.org/info/rfc2313>. [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 4055, DOI 10.17487/RFC4055, June 2005, <http://www.rfc-editor.org/info/rfc4055>. [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <http://www.rfc-editor.org/info/rfc5280>. [RFC5758] Dang, Q., Santesson, S., Moriarty, K., Brown, D., and T. Polk, "Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA", RFC 5758, DOI 10.17487/RFC5758, January 2010, <http://www.rfc-editor.org/info/rfc5758>. [RFC7693] Saarinen, M-J., Ed. and J-P. Aumasson, "The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)", RFC 7693, DOI 10.17487/RFC7693, November 2015, <http://www.rfc-editor.org/info/rfc7693>. [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, <http://www.rfc-editor.org/info/rfc8032>. [SP-800-131A] Barker, E. and A. Roginsky, "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths", NIST Special Publication 800-131A Rev. 1, November 2015, <http://dx.doi.org/10.6028/NIST.SP.800-131Ar1>. Authors' Addresses William Conner Google 320 N Morgan St #600 Chicago, IL 60607 USA Email: wconner@google.com Adam Langley Google 340 Main St Venice, CA 90291 USA Email: agl@google.com Ryan Sleevi Google 200 W Franklin St #300 Chapel Hill, NC 27516 USA Email: sleevi@google.com Andrei Popov Microsoft One Microsoft Way Redmond, WA 98052 USA Email: Andrei.Popov@microsoft.com