| < draft-ietf-lamps-crmf-update-algs-00.txt | draft-ietf-lamps-crmf-update-algs-01.txt > | |||
|---|---|---|---|---|
| Network Working Group R. Housley | Network Working Group R. Housley | |||
| Internet-Draft Vigil Security | Internet-Draft Vigil Security | |||
| Updates: 4211 (if approved) 10 December 2020 | Updates: 4211 (if approved) 18 December 2020 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: 13 June 2021 | Expires: 21 June 2021 | |||
| Algorithm Requirements Update to the Internet X.509 Public Key | Algorithm Requirements Update to the Internet X.509 Public Key | |||
| Infrastructure Certificate Request Message Format (CRMF) | Infrastructure Certificate Request Message Format (CRMF) | |||
| draft-ietf-lamps-crmf-update-algs-00 | draft-ietf-lamps-crmf-update-algs-01 | |||
| Abstract | Abstract | |||
| This document updates the cryptographic algorithm requirements for | This document updates the cryptographic algorithm requirements for | |||
| the Password-Based Message Authentication Code in the Internet X.509 | the Password-Based Message Authentication Code in the Internet X.509 | |||
| Public Key Infrastructure Certificate Request Message Format (CRMF) | Public Key Infrastructure Certificate Request Message Format (CRMF) | |||
| specified in RFC 4211. | specified in RFC 4211. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 13 June 2021. | This Internet-Draft will expire on 21 June 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 16 ¶ | skipping to change at page 2, line 16 ¶ | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. Password-Based Message Authentication Code . . . . . . . . . 2 | 3. Password-Based Message Authentication Code . . . . . . . . . 2 | |||
| 3.1. Introduction Paragraph . . . . . . . . . . . . . . . . . 2 | 3.1. Introduction Paragraph . . . . . . . . . . . . . . . . . 2 | |||
| 3.2. One-Way Function . . . . . . . . . . . . . . . . . . . . 3 | 3.2. One-Way Function . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.3. Iteration Count . . . . . . . . . . . . . . . . . . . . . 3 | 3.3. Iteration Count . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.4. MAC Algorithm . . . . . . . . . . . . . . . . . . . . . . 4 | 3.4. MAC Algorithm . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 7 | ||||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 1. Introduction | 1. Introduction | |||
| This document updates the cryptographic algorithm requirements for | This document updates the cryptographic algorithm requirements for | |||
| the Password-Based Message Authentication Code (MAC) in the Internet | the Password-Based Message Authentication Code (MAC) in the Internet | |||
| X.509 Public Key Infrastructure Certificate Request Message Format | X.509 Public Key Infrastructure Certificate Request Message Format | |||
| (CRMF) [RFC4211]. The algorithms specified in [RFC4211] were | (CRMF) [RFC4211]. The algorithms specified in [RFC4211] were | |||
| appropriate in 2005; however, these algorithms are no longer | appropriate in 2005; however, these algorithms are no longer | |||
| considered the best choices. This update specifies algorithms that | considered the best choices. This update specifies algorithms that | |||
| skipping to change at page 4, line 9 ¶ | skipping to change at page 4, line 9 ¶ | |||
| iterations as the minimum value. The trade off here is between | iterations as the minimum value. The trade off here is between | |||
| protection of the password from attacks and the time spent by the | protection of the password from attacks and the time spent by the | |||
| server processing all of the different iterations in deriving | server processing all of the different iterations in deriving | |||
| passwords. Hashing is generally considered a cheap operation but | passwords. Hashing is generally considered a cheap operation but | |||
| this may not be true with all hash functions in the future. | this may not be true with all hash functions in the future. | |||
| NEW: | NEW: | |||
| iterationCount identifies the number of times the hash is applied | iterationCount identifies the number of times the hash is applied | |||
| during the key computation process. The iterationCount MUST be a | during the key computation process. The iterationCount MUST be a | |||
| least 10,000 [NISTSP800-63B]. There is a trade off between | minimum of 100; however, the iterationCount SHOULD be as large as | |||
| protection of the password from attacks and the time spent by the | server performance will allow, typically at least 10,000 | |||
| server processing the iterations. | [NISTSP800-63B]. There is a trade off between protection of the | |||
| password from attacks and the time spent by the server processing | ||||
| the iterations. | ||||
| 3.4. MAC Algorithm | 3.4. MAC Algorithm | |||
| Change the paragraph describing the "mac" as follows: | Change the paragraph describing the "mac" as follows: | |||
| OLD: | OLD: | |||
| mac identifies the algorithm and associated parameters of the MAC | mac identifies the algorithm and associated parameters of the MAC | |||
| function to be used. All implementations MUST support HMAC-SHA1 | function to be used. All implementations MUST support HMAC-SHA1 | |||
| [HMAC]. All implementations SHOULD support DES-MAC and Triple- | [HMAC]. All implementations SHOULD support DES-MAC and Triple- | |||
| skipping to change at page 5, line 30 ¶ | skipping to change at page 5, line 34 ¶ | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| This document makes no requests of the IANA. | This document makes no requests of the IANA. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| The security of the password-based MAC relies on the number of times | The security of the password-based MAC relies on the number of times | |||
| the hash function is applied as well as the entropy of the shared | the hash function is applied as well as the entropy of the shared | |||
| secret (the password). Hardware support for hash calculation is | secret (the password). Hardware support for hash calculation is | |||
| available at very low cost [CHIP], which reduces the protection | available at very low cost [PHS], which reduces the protection | |||
| provided by a high iterationCount value. Therefore, the entropy of | provided by a high iterationCount value. Therefore, the entropy of | |||
| the used shared secret (the password) is crucial for the security of | the password is crucial for the security of password-based MAC | |||
| password-based MAC function. High entropy can be achieved by using | function. In 2010, researchers showed that about half of the real- | |||
| randomly generated strings. For example, assuming an alphabet of 60 | world passwords can be broken with less than 150 million trials, | |||
| characters a randomly chosen password with 10 characters offers 59 | indicating a median entropy of only 27 bits [DMR]. Higher entropy | |||
| bits a entropy, and 20 characters offers 118 bits of entropy. Using | can be achieved by using randomly generated strings. For example, | |||
| a one-time password also increases the security of the MAC, assuming | assuming an alphabet of 60 characters a randomly chosen password with | |||
| that the integrity-protected transaction will complete before the | 10 characters offers 59 bits a entropy, and 20 characters offers 118 | |||
| attacker is able to learn the password with an offline attack. | bits of entropy. Using a one-time password also increases the | |||
| security of the MAC, assuming that the integrity-protected | ||||
| transaction will complete before the attacker is able to learn the | ||||
| password with an offline attack. | ||||
| Cryptographic algorithms age; they become weaker with time. As new | Cryptographic algorithms age; they become weaker with time. As new | |||
| cryptanalysis techniques are developed and computing capabilities | cryptanalysis techniques are developed and computing capabilities | |||
| improve, the work required to break a particular cryptographic | improve, the work required to break a particular cryptographic | |||
| algorithm will reduce, making an attack on the algorithm more | algorithm will reduce, making an attack on the algorithm more | |||
| feasible for more attackers. While it is unknown how cryptoanalytic | feasible for more attackers. While it is unknown how cryptoanalytic | |||
| attacks will evolve, it is certain that they will get better. It is | attacks will evolve, it is certain that they will get better. It is | |||
| unknown how much better they will become or when the advances will | unknown how much better they will become or when the advances will | |||
| happen. For this reason, the algorithm requirements for CRMF are | happen. For this reason, the algorithm requirements for CRMF are | |||
| updated by this specification. | updated by this specification. | |||
| When a Password-Based MAC is used, implementations must protect the | When a Password-Based MAC is used, implementations must protect the | |||
| password and the MAC key. Compromise of either the password or the | password and the MAC key. Compromise of either the password or the | |||
| MAC key may result in the ability of an attacker to undermine | MAC key may result in the ability of an attacker to undermine | |||
| authentication. | authentication. | |||
| 6. References | 6. Acknowledgements | |||
| 6.1. Normative References | Many thanks to Hans Aschauer, Hendrik Brockhaus, Quynh Dang, Tomas | |||
| Gustavsson, Jonathan Hammell, Lijun Liao, Tim Polk, Mike StJohns, and | ||||
| Sean Turner for their careful review and improvements. | ||||
| 7. References | ||||
| 7.1. Normative References | ||||
| [AES] "Advanced encryption standard (AES)", National Institute | [AES] "Advanced encryption standard (AES)", National Institute | |||
| of Standards and Technology report, | of Standards and Technology report, | |||
| DOI 10.6028/nist.fips.197, November 2001, | DOI 10.6028/nist.fips.197, November 2001, | |||
| <https://doi.org/10.6028/nist.fips.197>. | <https://doi.org/10.6028/nist.fips.197>. | |||
| [GMAC] Dworkin, M., "Recommendation for block cipher modes of | [GMAC] Dworkin, M., "Recommendation for block cipher modes of | |||
| operation :: GaloisCounter Mode (GCM) and GMAC", National | operation :: GaloisCounter Mode (GCM) and GMAC", National | |||
| Institute of Standards and Technology report, | Institute of Standards and Technology report, | |||
| DOI 10.6028/nist.sp.800-38d, 2007, | DOI 10.6028/nist.sp.800-38d, 2007, | |||
| skipping to change at page 6, line 44 ¶ | skipping to change at page 7, line 10 ¶ | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [SHS] Dang, Q., "Secure Hash Standard", National Institute of | [SHS] Dang, Q., "Secure Hash Standard", National Institute of | |||
| Standards and Technology report, | Standards and Technology report, | |||
| DOI 10.6028/nist.fips.180-4, July 2015, | DOI 10.6028/nist.fips.180-4, July 2015, | |||
| <https://doi.org/10.6028/nist.fips.180-4>. | <https://doi.org/10.6028/nist.fips.180-4>. | |||
| 6.2. Informative References | 7.2. Informative References | |||
| [CHIP] Pham, H., Tran, T., Phan, T., Duong Le, V., Lam, D., and | [DMR] Dell'Amico, M., Michiardi, P., and Y. Roudier, "Password | |||
| Y. Nakashima, "Double SHA-256 Hardware Architecture With | Strength: An Empirical Analysis", 2010 Proceedings | |||
| Compact Message Expander for Bitcoin Mining", IEEE | IEEE INFOCOM, DOI 10.1109/infcom.2010.5461951, March 2010, | |||
| Access Vol. 8, pp. 139634-139646, | <https://doi.org/10.1109/infcom.2010.5461951>. | |||
| DOI 10.1109/access.2020.3012581, 2020, | ||||
| <https://doi.org/10.1109/access.2020.3012581>. | ||||
| [I-D.housley-lamps-cms-aes-mac-alg] | [I-D.housley-lamps-cms-aes-mac-alg] | |||
| Housley, R., "Using the AES-GMAC Algorithm with the | Housley, R., "Using the AES-GMAC Algorithm with the | |||
| Cryptographic Message Syntax (CMS)", Work in Progress, | Cryptographic Message Syntax (CMS)", Work in Progress, | |||
| Internet-Draft, draft-housley-lamps-cms-aes-mac-alg-00, 9 | Internet-Draft, draft-housley-lamps-cms-aes-mac-alg-00, 9 | |||
| November 2020, <http://www.ietf.org/internet-drafts/draft- | November 2020, <http://www.ietf.org/internet-drafts/draft- | |||
| housley-lamps-cms-aes-mac-alg-00.txt>. | housley-lamps-cms-aes-mac-alg-00.txt>. | |||
| [NISTSP800-63B] | [NISTSP800-63B] | |||
| Grassi, P., Fenton, J., Newton, E., Perlner, R., | Grassi, P., Fenton, J., Newton, E., Perlner, R., | |||
| Regenscheid, A., Burr, W., Richer, J., Lefkovitz, N., | Regenscheid, A., Burr, W., Richer, J., Lefkovitz, N., | |||
| Danker, J., Choong, Y., Greene, K., and M. Theofanos, | Danker, J., Choong, Y., Greene, K., and M. Theofanos, | |||
| "Digital identity guidelines: authentication and lifecycle | "Digital identity guidelines: authentication and lifecycle | |||
| management", National Institute of Standards and | management", National Institute of Standards and | |||
| Technology report, DOI 10.6028/nist.sp.800-63b, June 2017, | Technology report, DOI 10.6028/nist.sp.800-63b, June 2017, | |||
| <https://doi.org/10.6028/nist.sp.800-63b>. | <https://doi.org/10.6028/nist.sp.800-63b>. | |||
| [PHS] Pathirana, A., Halgamuge, M., and A. Syed, "Energy | ||||
| efficient bitcoin mining to maximize the mining profit: | ||||
| Using data from 119 bitcoin mining hardware setups", | ||||
| International Conference on Advances in Business | ||||
| Management and Information Technology, pp 1-14, November | ||||
| 2019. | ||||
| [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- | [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- | |||
| 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", | 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", | |||
| RFC 4231, DOI 10.17487/RFC4231, December 2005, | RFC 4231, DOI 10.17487/RFC4231, December 2005, | |||
| <https://www.rfc-editor.org/info/rfc4231>. | <https://www.rfc-editor.org/info/rfc4231>. | |||
| Author's Address | Author's Address | |||
| Russ Housley | Russ Housley | |||
| Vigil Security, LLC | Vigil Security, LLC | |||
| 516 Dranesville Road | 516 Dranesville Road | |||
| End of changes. 13 change blocks. | ||||
| 28 lines changed or deleted | 45 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||