| < draft-ietf-cose-hash-sig-02.txt | draft-ietf-cose-hash-sig-03.txt > | |||
|---|---|---|---|---|
| Network Working Group R. Housley | Network Working Group R. Housley | |||
| Internet-Draft Vigil Security | Internet-Draft Vigil Security | |||
| Intended status: Standards Track April 05, 2019 | Intended status: Standards Track May 10, 2019 | |||
| Expires: October 7, 2019 | Expires: November 11, 2019 | |||
| Use of the Hash-based Signature Algorithm with CBOR Object Signing and | Use of the Hash-based Signature Algorithm with CBOR Object Signing and | |||
| Encryption (COSE) | Encryption (COSE) | |||
| draft-ietf-cose-hash-sig-02 | draft-ietf-cose-hash-sig-03 | |||
| Abstract | Abstract | |||
| This document specifies the conventions for using the HSS/LMS hash- | This document specifies the conventions for using the HSS/LMS hash- | |||
| based signature algorithm with the CBOR Object Signing and Encryption | based signature algorithm with the CBOR Object Signing and Encryption | |||
| (COSE) syntax. The HSS/LMS algorithm is one form of hash-based | (COSE) syntax. The HSS/LMS algorithm is one form of hash-based | |||
| digital signature; it is described in RFC 8554. | digital signature; it is described in RFC 8554. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 34 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 7, 2019. | This Internet-Draft will expire on November 11, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Algorithm Security Considerations . . . . . . . . . . . . 3 | 1.1. Algorithm Security Considerations . . . . . . . . . . . . 3 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. LMS Digital Signature Algorithm Overview . . . . . . . . . . 4 | 2. LMS Digital Signature Algorithm Overview . . . . . . . . . . 4 | |||
| 2.1. Hierarchical Signature System (HSS) . . . . . . . . . . . 4 | 2.1. Hierarchical Signature System (HSS) . . . . . . . . . . . 4 | |||
| 2.2. Leighton-Micali Signature (LMS) . . . . . . . . . . . . . 5 | 2.2. Leighton-Micali Signature (LMS) . . . . . . . . . . . . . 5 | |||
| 2.3. Leighton-Micali One-time Signature Algorithm (LM-OTS) . . 6 | 2.3. Leighton-Micali One-time Signature Algorithm (LM-OTS) . . 6 | |||
| 3. Hash-based Signature Algorithm Identifiers . . . . . . . . . 7 | 3. Hash-based Signature Algorithm Identifiers . . . . . . . . . 7 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 8 | |||
| 4.1. Implementation Security Considerations . . . . . . . . . 7 | 4.1. Implementation Security Considerations . . . . . . . . . 8 | |||
| 5. Operational Considerations . . . . . . . . . . . . . . . . . 8 | 5. Operational Considerations . . . . . . . . . . . . . . . . . 9 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 6.1. COSE Algorithms Registry Entry . . . . . . . . . . . . . 9 | 6.1. COSE Algorithms Registry Entry . . . . . . . . . . . . . 9 | |||
| 6.2. COSE Key Types Registry Entry . . . . . . . . . . . . . . 9 | 6.2. COSE Key Types Registry Entry . . . . . . . . . . . . . . 10 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 9 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 10 | 7.2. Informative References . . . . . . . . . . . . . . . . . 10 | |||
| Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 11 | Appendix A. Examples . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| A.1. Example COSE Full Message Signature . . . . . . . . . . . 11 | A.1. Example COSE Full Message Signature . . . . . . . . . . . 11 | |||
| A.2. Example COSE_Sign0 Message . . . . . . . . . . . . . . . 16 | A.2. Example COSE_Sign0 Message . . . . . . . . . . . . . . . 17 | |||
| Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 21 | Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 22 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 21 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 1. Introduction | 1. Introduction | |||
| This document specifies the conventions for using the HSS/LMS hash- | This document specifies the conventions for using the HSS/LMS hash- | |||
| based signature algorithm with the CBOR Object Signing and Encryption | based signature algorithm with the CBOR Object Signing and Encryption | |||
| (COSE) [RFC8152] syntax. The Leighton-Micali Signature (LMS) system | (COSE) [RFC8152] syntax. The Leighton-Micali Signature (LMS) system | |||
| provides a one-time digital signature that is a variant of Merkle | provides a one-time digital signature that is a variant of Merkle | |||
| Tree Signatures (MTS). The Hierarchical Signature System (HSS) is | Tree Signatures (MTS). The Hierarchical Signature System (HSS) is | |||
| built on top of the LMS system to efficiently scale for a larger | built on top of the LMS system to efficiently scale for a larger | |||
| numbers of signatures. The HSS/LMS algorithm is one form of hash- | numbers of signatures. The HSS/LMS algorithm is one form of hash- | |||
| skipping to change at page 3, line 7 ¶ | skipping to change at page 3, line 7 ¶ | |||
| signing operations. The number of signing operations depends upon | signing operations. The number of signing operations depends upon | |||
| the size of the tree. The HSS/LMS signature algorithm uses small | the size of the tree. The HSS/LMS signature algorithm uses small | |||
| public keys, and it has low computational cost; however, the | public keys, and it has low computational cost; however, the | |||
| signatures are quite large. The HSS/LMS private key can be very | signatures are quite large. The HSS/LMS private key can be very | |||
| small when the signer is willing to perform additional computation at | small when the signer is willing to perform additional computation at | |||
| signing time; alternatively, the private key can consume additional | signing time; alternatively, the private key can consume additional | |||
| memory and provide a faster signing time. | memory and provide a faster signing time. | |||
| 1.1. Algorithm Security Considerations | 1.1. Algorithm Security Considerations | |||
| | There have been recent advances in cryptanalysis and advances in the | |||
| | development of quantum computers. Each of these advances pose a | |||
| | threat to widely deployed digital signature algorithms. | |||
| At Black Hat USA 2013, some researchers gave a presentation on the | At Black Hat USA 2013, some researchers gave a presentation on the | |||
| current state of public key cryptography. They said: "Current | current state of public key cryptography. They said: "Current | |||
| cryptosystems depend on discrete logarithm and factoring which has | cryptosystems depend on discrete logarithm and factoring which has | |||
| seen some major new developments in the past 6 months" [BH2013]. Due | seen some major new developments in the past 6 months" [BH2013]. Due | |||
| to advances in cryptanalysis, they encouraged preparation for a day | to advances in cryptanalysis, they encouraged preparation for a day | |||
| when RSA and DSA cannot be depended upon. | when RSA and DSA cannot be depended upon. | |||
| If large-scale quantum computers are ever built, these computers will | Peter Shor showed that a large-scale quantum computer could be used | |||
| be able to break many of the public-key cryptosystems currently in | to factor a number in polynomial time [S1997], effectively breaking | |||
| use. A post-quantum cryptosystem [PQC] is a system that is secure | RSA. If large-scale quantum computers are ever built, these | |||
| against quantum computers that have more than a trivial number of | computers will be able to break many of the public-key cryptosystems | |||
| quantum bits (qu-bits). It is open to conjecture when it will be | currently in use. A post-quantum cryptosystem [PQC] is a system that | |||
| feasible to build such computers; however, RSA, DSA, ECDSA, and EdDSA | is secure against quantum computers that have more than a trivial | |||
| are all vulnerable if large-scale quantum computers come to pass. | number of quantum bits (qu-bits). It is open to conjecture when it | |||
| | will be feasible to build such computers; however, RSA, DSA, ECDSA, | |||
| | and EdDSA are all vulnerable if large-scale quantum computers come to | |||
| | pass. | |||
| The HSS/LMS signature algorithm does not depend on the difficulty of | The HSS/LMS signature algorithm does not depend on the difficulty of | |||
| discrete logarithm or factoring, as a result these algorithms are | discrete logarithm or factoring, as a result these algorithms are | |||
| considered to be post-quantum secure. | considered to be post-quantum secure. | |||
| Hash-based signatures [HASHSIG] are currently defined to use | Hash-based signatures [HASHSIG] are currently defined to use | |||
| exclusively SHA-256 [SHS]. An IANA registry is defined so that other | exclusively SHA-256 [SHS]. An IANA registry is defined so that other | |||
| hash functions could be used in the future. LM-OTS signature | hash functions could be used in the future. LM-OTS signature | |||
| generation prepends a random string as well as other metadata before | generation prepends a random string as well as other metadata before | |||
| computing the hash value. The inclusion of the random value reduces | computing the hash value. The inclusion of the random value reduces | |||
| skipping to change at page 9, line 43 ¶ | skipping to change at page 10, line 22 ¶ | |||
| Value: TBD (Value to be assigned by IANA) | Value: TBD (Value to be assigned by IANA) | |||
| Description: Public key for HSS/LMS hash-based digital signature | Description: Public key for HSS/LMS hash-based digital signature | |||
| Reference: This document (Number to be assigned by RFC Editor) | Reference: This document (Number to be assigned by RFC Editor) | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [HASHSIG] McGrew, D., Curcio, M., and S. Fluhrer, "Hash-Based | [HASHSIG] McGrew, D., Curcio, M., and S. Fluhrer, "Leighton-Micali | |||
| Signatures", draft-mcgrew-hash-sigs-15 (work in progress), | Hash-Based Signatures", RFC 8554, April 2019, | |||
| January 2019. | <https://rfc-editor.org/rfc/rfc8554.txt>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | [RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | |||
| RFC 8152, DOI 10.17487/RFC8152, July 2017, | RFC 8152, DOI 10.17487/RFC8152, July 2017, | |||
| <https://www.rfc-editor.org/info/rfc8152>. | <https://www.rfc-editor.org/info/rfc8152>. | |||
| skipping to change at page 11, line 11 ¶ | skipping to change at page 11, line 35 ¶ | |||
| "Randomness Requirements for Security", BCP 106, RFC 4086, | "Randomness Requirements for Security", BCP 106, RFC 4086, | |||
| DOI 10.17487/RFC4086, June 2005, | DOI 10.17487/RFC4086, June 2005, | |||
| <https://www.rfc-editor.org/info/rfc4086>. | <https://www.rfc-editor.org/info/rfc4086>. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
| | [S1997] Shor, P., "Polynomial-time algorithms for prime | |||
| | factorization and discrete logarithms on a quantum | |||
| | computer", SIAM Journal on Computing 26(5), 1484-26, 1997, | |||
| | <http://dx.doi.org/10.1137/S0097539795293172>. | |||
| Appendix A. Examples | Appendix A. Examples | |||
| This appendix provides an example of a COSE full message signature | This appendix provides an example of a COSE full message signature | |||
| and an example of a COSE_Sign0 message. | and an example of a COSE_Sign0 message. | |||
| | The programs that were used to generate the examples can be found at | |||
| | https://github.com/cose-wg/Examples. | |||
| A.1. Example COSE Full Message Signature | A.1. Example COSE Full Message Signature | |||
| This section provides an example of a COSE full message signature. | This section provides an example of a COSE full message signature. | |||
| { | { | |||
| "title":"HSS LMS Hash based signature - hsssig-01", | "title":"HSS LMS Hash based signature - hsssig-01", | |||
| "input":{ | "input":{ | |||
| "plaintext":"This is the content.", | "plaintext":"This is the content.", | |||
| "sign":{ | "sign":{ | |||
| "protected":{ | "protected":{ | |||
| End of changes. 12 change blocks. | ||||
| 24 lines changed or deleted | 39 lines changed or added | |||
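
Review bot: in the right-hand Section 1.1 block, the new sentence "Peter Shor showed that a large-scale quantum computer could be used to factor a number in polynomial time [S1997], effectively breaking RSA" claims less than its own citation supports: the [S1997] title in the reference list is "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer", and the discrete-logarithm result is what breaks DSA, ECDSA, and EdDSA, which the same paragraph lists as vulnerable a few lines later. Suggest "could be used to factor a number or compute a discrete logarithm in polynomial time [S1997], effectively breaking RSA, DSA, ECDSA, and EdDSA", so the reader sees why the full list follows. Unchanged in both columns, but since this section is being edited anyway: "does not depend on the difficulty of discrete logarithm or factoring, as a result these algorithms are considered" runs two clauses together and switches from the singular "algorithm" to the plural "these algorithms"; "factoring; as a result, it is considered" reads cleanly.
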
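
Review bot: the two reference entries touched in this revision do not match the style of the entries around them. The updated [HASHSIG] entry cites RFC 8554 with only a bare text-file URL, <https://rfc-editor.org/rfc/rfc8554.txt>, while [RFC2119], [RFC8152], [RFC4086], and [RFC5280] each carry a "DOI 10.17487/RFCnnnn" field and an <https://www.rfc-editor.org/info/rfcnnnn> link; suggest the same form, "RFC 8554, DOI 10.17487/RFC8554, April 2019, <https://www.rfc-editor.org/info/rfc8554>". In the new [S1997] entry the page range "1484-26" cannot be right, since the end page is smaller than the start page; it looks truncated and should be checked against the journal before the next revision.
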
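
Review bot: the new sentence in Appendix A points at the whole repository https://github.com/cose-wg/Examples rather than the program or input file that produced the "hsssig-01" example that follows it, and a repository can change after this document is published. Suggest naming the directory or file for hsssig-01, or pinning a commit, so a reader can regenerate the example and confirm that the signature bytes match the text.
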

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/