| < draft-vangeest-x509-hash-sigs-02.txt | draft-vangeest-x509-hash-sigs-03.txt > | |||
|---|---|---|---|---|
| Network Working Group D. Van Geest | Network Working Group D. Van Geest | |||
| Internet-Draft ISARA Corporation | Internet-Draft ISARA Corporation | |||
| Intended status: Standards Track S. Fluhrer | Intended status: Standards Track S. Fluhrer | |||
| Expires: September 12, 2019 Cisco Systems | Expires: September 12, 2019 Cisco Systems | |||
| March 11, 2019 | March 11, 2019 | |||
| Algorithm Identifiers for HSS and XMSS for Use in the Internet X.509 | Algorithm Identifiers for HSS and XMSS for Use in the Internet X.509 | |||
| Public Key Infrastructure | Public Key Infrastructure | |||
| draft-vangeest-x509-hash-sigs-02 | draft-vangeest-x509-hash-sigs-03 | |||
| Abstract | Abstract | |||
| This document specifies algorithm identifiers and ASN.1 encoding | This document specifies algorithm identifiers and ASN.1 encoding | |||
| formats for the Hierarchical Signature System (HSS), eXtended Merkle | formats for the Hierarchical Signature System (HSS), eXtended Merkle | |||
| Signature Scheme (XMSS), and XMSS^MT, a multi-tree variant of XMSS. | Signature Scheme (XMSS), and XMSS^MT, a multi-tree variant of XMSS. | |||
| This specification applies to the Internet X.509 Public Key | This specification applies to the Internet X.509 Public Key | |||
| infrastructure (PKI) when digital signatures are used to sign | infrastructure (PKI) when digital signatures are used to sign | |||
| certificates and certificate revocation lists (CRLs). | certificates and certificate revocation lists (CRLs). | |||
| skipping to change at page 2, line 18 ¶ | skipping to change at page 2, line 18 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Subject Public Key Algorithms . . . . . . . . . . . . . . . . 3 | 2. Subject Public Key Algorithms . . . . . . . . . . . . . . . . 3 | |||
| 2.1. HSS Public Keys . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. HSS Public Keys . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.2. XMSS Public Keys . . . . . . . . . . . . . . . . . . . . 4 | 2.2. XMSS Public Keys . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2.3. XMSS^MT Public Keys . . . . . . . . . . . . . . . . . . . 4 | 2.3. XMSS^MT Public Keys . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Key Usage Bits . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Key Usage Bits . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Signature Algorithms . . . . . . . . . . . . . . . . . . . . 5 | 4. Signature Algorithms . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.1. HSS Signature Algorithm . . . . . . . . . . . . . . . . . 6 | 4.1. HSS Signature Algorithm . . . . . . . . . . . . . . . . . 6 | |||
| 4.2. XMSS Signature Algorithm . . . . . . . . . . . . . . . . 7 | 4.2. XMSS Signature Algorithm . . . . . . . . . . . . . . . . 6 | |||
| 4.3. XMSS^MT Signature Algorithm . . . . . . . . . . . . . . . 7 | 4.3. XMSS^MT Signature Algorithm . . . . . . . . . . . . . . . 6 | |||
| 5. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . . . 8 | 5. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 6.1. Algorithm Security Considerations . . . . . . . . . . . . 13 | 6.1. Algorithm Security Considerations . . . . . . . . . . . . 9 | |||
| 6.2. Implementation Security Considerations . . . . . . . . . 14 | 6.2. Implementation Security Considerations . . . . . . . . . 10 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 15 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 10 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 15 | 9.2. Informative References . . . . . . . . . . . . . . . . . 11 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 1. Introduction | 1. Introduction | |||
| The Hierarchical Signature System (HSS) is described in | The Hierarchical Signature System (HSS) is described in | |||
| [I-D.mcgrew-hash-sigs]. | [I-D.mcgrew-hash-sigs]. | |||
| The eXtended Merkle Signature Scheme (XMSS), and its multi-tree | The eXtended Merkle Signature Scheme (XMSS), and its multi-tree | |||
| variant XMSS^MT, are described in [RFC8391]. | variant XMSS^MT, are described in [RFC8391]. | |||
| These signature algorithms are based on well-studied Hash Based | These signature algorithms are based on well-studied Hash Based | |||
| skipping to change at page 3, line 47 ¶ | skipping to change at page 3, line 47 ¶ | |||
| The object identifier for an HSS public key is id-alg-hss-lms- | The object identifier for an HSS public key is id-alg-hss-lms- | |||
| hashsig: | hashsig: | |||
| id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | |||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | |||
| smime(16) alg(3) 17 } | smime(16) alg(3) 17 } | |||
| Note that the id-alg-hss-lms-hashsig algorithm identifier is also | Note that the id-alg-hss-lms-hashsig algorithm identifier is also | |||
| referred to as id-alg-mts-hashsig. This synonym is based on the | referred to as id-alg-mts-hashsig. This synonym is based on the | |||
| terminology used in an early draft of the document that became | terminology used in an early draft of the document that became | |||
| [I-D.ietf-lamps-cms-hash-sig]. | [I-D.mcgrew-hash-sigs]. | |||
| The HSS public key's properties are defined as follows: | The HSS public key's properties are defined as follows: | |||
| pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | |||
| IDENTIFIER id-alg-hss-lms-hashsig | IDENTIFIER id-alg-hss-lms-hashsig | |||
| KEY HSS-LMS-HashSig-PublicKey | KEY HSS-LMS-HashSig-PublicKey | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| CERT-KEY-USAGE | CERT-KEY-USAGE | |||
| { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | |||
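Review bot: the reference swap in the synonym sentence (from [I-D.ietf-lamps-cms-hash-sig] to [I-D.mcgrew-hash-sigs]) is inconsistent with the module comments later in this same document, which still say "id-alg-hss-lms-hashsig is defined in [ietf-lamps-cms-hash-sig]". If the id-alg-mts-hashsig name comes from an early draft of the CMS document that defines the OID, the -02 citation was the right one; if the early draft meant is really the McGrew HSS draft, the module comment should be changed to match. Either way the two statements about where this OID originates should point at the same document.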
| skipping to change at page 6, line 5 ¶ | skipping to change at page 6, line 5 ¶ | |||
| lms-hashsig, which is the same as for the keys above. | lms-hashsig, which is the same as for the keys above. | |||
| 4. Signature Algorithms | 4. Signature Algorithms | |||
| This section identifies OIDs for signing using HSS, XMSS, and | This section identifies OIDs for signing using HSS, XMSS, and | |||
| XMSS^MT. When these algorithm identifiers appear in the algorithm | XMSS^MT. When these algorithm identifiers appear in the algorithm | |||
| field as an AlgorithmIdentifier, the encoding MUST omit the | field as an AlgorithmIdentifier, the encoding MUST omit the | |||
| parameters field. That is, the AlgorithmIdentifier SHALL be a | parameters field. That is, the AlgorithmIdentifier SHALL be a | |||
| SEQUENCE of one component, one of the OIDs defined below. | SEQUENCE of one component, one of the OIDs defined below. | |||
| The data to be signed is prepared for signing. With the OIDs id-alg- | The data to be signed is prepared for signing. For the algorithms | |||
| hss-lms-hashsig, id-alg-xmss and id-alg-xmssmt the full data is | used in this document, the data is signed directly by the signature | |||
| signed directly. With the other OIDs defined in this document, an | algorithm, the data is not hashed before processing. Then, a private | |||
| appropriate hash function is applied first and the resulting digest | key operation is performed to generate the signature value. For HSS, | |||
| is signed. Then, a private key operation is performed to generate | the signature value is described in section 3.3 of | |||
| the signature value. For HSS, the signature value is described in | [I-D.mcgrew-hash-sigs]. For XMSS and XMSS^MT the signature values | |||
| section 3.3 of [I-D.mcgrew-hash-sigs]. For XMSS and XMSS^MT the | are described in sections B.2 and C.2 of [RFC8391] respectively. The | |||
| signature values are described in sections B.2 and C.2 of [RFC8391] | octet string representing the signature is encoded directly in the | |||
| respectively. The octet string representing the signature is encoded | BIT STRING without adding any additional ASN.1 wrapping. For the | |||
| directly in the BIT STRING without adding any additional ASN.1 | Certificate and CertificateList structures, the signature value is | |||
| wrapping. For the Certificate and CertificateList structures, the | wrapped in the "signatureValue" BIT STRING field. | |||
| signature value is wrapped in the "signatureValue" BIT STRING field. | ||||
| 4.1. HSS Signature Algorithm | 4.1. HSS Signature Algorithm | |||
| The HSS public key OID is also used to specify that an HSS signature | The HSS public key OID is also used to specify that an HSS signature | |||
| was generated on the full message, i.e. the message was not hashed | was generated on the full message, i.e. the message was not hashed | |||
| before being processed by the HSS signature algorithm. | before being processed by the HSS signature algorithm. | |||
| id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | |||
| member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | |||
| smime(16) alg(3) 17 } | smime(16) alg(3) 17 } | |||
| The ASN.1 OIDs used to specify that an HSS signature was generated on | ||||
| a SHA-256, SHA-384 or SHA-512 hash of an object are, respectively: | ||||
| id-alg-hss-with-SHA256 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) hss(12) 2 } | ||||
| id-alg-hss-with-SHA384 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) hss(12) 3 } | ||||
| id-alg-hss-with-SHA512 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) hss(12) 1 } | ||||
| [I-D.ietf-lamps-cms-hash-sig] contains more information on the | [I-D.ietf-lamps-cms-hash-sig] contains more information on the | |||
| contents and format of an HSS signature. | contents and format of an HSS signature. | |||
| 4.2. XMSS Signature Algorithm | 4.2. XMSS Signature Algorithm | |||
| The XMSS public key OID is also used to specify that an XMSS | The XMSS public key OID is also used to specify that an XMSS | |||
| signature was generated on the full message, i.e. the message was not | signature was generated on the full message, i.e. the message was not | |||
| hashed before being processed by the XMSS signature algorithm. | hashed before being processed by the XMSS signature algorithm. | |||
| id-alg-xmss OBJECT IDENTIFIER ::= { itu-t(0) | id-alg-xmss OBJECT IDENTIFIER ::= { itu-t(0) | |||
| identified-organization(4) etsi(0) reserved(127) | identified-organization(4) etsi(0) reserved(127) | |||
| etsi-identified-organization(0) isara(15) algorithms(1) | etsi-identified-organization(0) isara(15) algorithms(1) | |||
| asymmetric(1) xmss(13) 0 } | asymmetric(1) xmss(13) 0 } | |||
| The ASN.1 OIDs used to specify that an XMSS signature was generated | ||||
| on a SHA-256, SHA-384 or SHA-512 hash of an object are, respectively: | ||||
| id-alg-xmss-with-SHA256 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmss(13) 2 } | ||||
| id-alg-xmss-with-SHA384 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmss(13) 3 } | ||||
| id-alg-xmss-with-SHA512 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmss(13) 1 } | ||||
| The format of an XMSS signature is is formally defined using XDR | The format of an XMSS signature is is formally defined using XDR | |||
| [RFC4506] and is defined in Appendix B.2 of [RFC8391]. | [RFC4506] and is defined in Appendix B.2 of [RFC8391]. | |||
| 4.3. XMSS^MT Signature Algorithm | 4.3. XMSS^MT Signature Algorithm | |||
| The XMSS^MT public key OID is also used to specify that an XMSS^MT | The XMSS^MT public key OID is also used to specify that an XMSS^MT | |||
| signature was generated on the full message, i.e. the message was not | signature was generated on the full message, i.e. the message was not | |||
| hashed before being processed by the XMSS^MT signature algorithm. | hashed before being processed by the XMSS^MT signature algorithm. | |||
| id-alg-xmssmt OBJECT IDENTIFIER ::= { itu-t(0) | id-alg-xmssmt OBJECT IDENTIFIER ::= { itu-t(0) | |||
| identified-organization(4) etsi(0) reserved(127) | identified-organization(4) etsi(0) reserved(127) | |||
| etsi-identified-organization(0) isara(15) algorithms(1) | etsi-identified-organization(0) isara(15) algorithms(1) | |||
| asymmetric(1) xmssmt(14) 0 } | asymmetric(1) xmssmt(14) 0 } | |||
| The ASN.1 OIDs used to specify that an XMSS^MT signature was | ||||
| generated on a SHA-256, SHA384 or SHA-512 hash of an object are, | ||||
| respectively: | ||||
| id-alg-xmssmt-with-SHA256 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmssmt(14) 2 } | ||||
| id-alg-xmssmt-with-SHA384 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmssmt(14) 3 } | ||||
| id-alg-xmssmt-with-SHA512 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmssmt(14) 1 } | ||||
| The format of an XMSS^MT signature is is formally defined using XDR | The format of an XMSS^MT signature is is formally defined using XDR | |||
| [RFC4506] and is defined in Appendix C.2 of [RFC8391]. | [RFC4506] and is defined in Appendix C.2 of [RFC8391]. | |||
| 5. ASN.1 Module | 5. ASN.1 Module | |||
| For reference purposes, the ASN.1 syntax is presented as an ASN.1 | For reference purposes, the ASN.1 syntax is presented as an ASN.1 | |||
| module here. | module here. | |||
| -- ASN.1 Module | -- ASN.1 Module | |||
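Review bot: the new sentence "the data is signed directly by the signature algorithm, the data is not hashed before processing" is a comma splice, and the following "Then, a private key operation is performed" now has nothing to sequence against since the pre-hash branch is gone; suggest "the data is signed directly by the signature algorithm and is not hashed beforehand; the private key operation is then performed on it to generate the signature value." The doubled word in "The format of an XMSS signature is is formally defined" and in the XMSS^MT counterpart survives from -02 into -03 and should be fixed in the same pass. With the id-alg-*-with-SHA* OIDs deleted, the "also used to specify ... the full message" sentences in 4.1 to 4.3 are the only place stating that the key OID doubles as the signature OID, so they should stay as they are.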
| skipping to change at page 9, line 4 ¶ | skipping to change at page 7, line 32 ¶ | |||
| DEFINITIONS EXPLICIT TAGS ::= | DEFINITIONS EXPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| IMPORTS | IMPORTS | |||
| PUBLIC-KEY, SIGNATURE-ALGORITHM | PUBLIC-KEY, SIGNATURE-ALGORITHM | |||
| FROM AlgorithmInformation-2009 | FROM AlgorithmInformation-2009 | |||
| {iso(1) identified-organization(3) dod(6) internet(1) security(5) | {iso(1) identified-organization(3) dod(6) internet(1) security(5) | |||
| mechanisms(5) pkix(7) id-mod(0) | mechanisms(5) pkix(7) id-mod(0) | |||
| id-mod-algorithmInformation-02(58)} | id-mod-algorithmInformation-02(58)} | |||
| ; | ; | |||
| -- | ||||
| -- HSS Signatures | ||||
| -- | ||||
| -- HSS Object Identifiers | -- Object Identifiers | |||
| -- | -- | |||
| -- id-alg-hss-lms-hashsig is defined in [ietf-lamps-cms-hash-sig] | -- id-alg-hss-lms-hashsig is defined in [ietf-lamps-cms-hash-sig] | |||
| -- | -- | |||
| -- id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | -- id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) | |||
| -- member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | -- member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) | |||
| -- smime(16) alg(3) 17 } | -- smime(16) alg(3) 17 } | |||
| id-alg-hss-with-SHA256 OBJECT IDENTIFIER ::= { itu-t(0) | id-alg-xmss OBJECT IDENTIFIER ::= { itu-t(0) | |||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) hss(12) 2 } | ||||
| id-alg-hss-with-SHA384 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | identified-organization(4) etsi(0) reserved(127) | |||
| etsi-identified-organization(0) isara(15) algorithms(1) | etsi-identified-organization(0) isara(15) algorithms(1) | |||
| asymmetric(1) hss(12) 3 } | asymmetric(1) xmss(13) 0 } | |||
| id-alg-hss-with-SHA512 OBJECT IDENTIFIER ::= { itu-t(0) | id-alg-xmssmt OBJECT IDENTIFIER ::= { itu-t(0) | |||
| identified-organization(4) etsi(0) reserved(127) | identified-organization(4) etsi(0) reserved(127) | |||
| etsi-identified-organization(0) isara(15) algorithms(1) | etsi-identified-organization(0) isara(15) algorithms(1) | |||
| asymmetric(1) hss(12) 1 } | asymmetric(1) xmssmt(14) 0 } | |||
| -- HSS Signature Algorithms and Public Key | -- Signature Algorithms and Public Keys | |||
| -- | -- | |||
| -- sa-HSS-LMS-HashSig is defined in [ietf-lamps-cms-hash-sig] | -- sa-HSS-LMS-HashSig is defined in [ietf-lamps-cms-hash-sig] | |||
| -- | -- | |||
| -- sa-HSS-LMS-HashSig SIGNATURE-ALGORITHM ::= { | -- sa-HSS-LMS-HashSig SIGNATURE-ALGORITHM ::= { | |||
| -- IDENTIFIER id-alg-hss-lms-hashsig | -- IDENTIFIER id-alg-hss-lms-hashsig | |||
| -- PARAMS ARE absent | -- PARAMS ARE absent | |||
| -- PUBLIC-KEYS { pk-HSS-LMS-HashSig } | -- PUBLIC-KEYS { pk-HSS-LMS-HashSig } | |||
| -- SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig } } | -- SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig } } | |||
| sa-HSS-with-SHA256 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-hss-with-SHA256 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha256 } | ||||
| PUBLIC-KEYS { pk-HSS-LMS-HashSig } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-hss-with-SHA256 } } | ||||
| sa-HSS-with-SHA384 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-hss-with-SHA384 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha384 } | ||||
| PUBLIC-KEYS { pk-HSS-LMS-HashSig } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-hss-with-SHA384 } } | ||||
| sa-HSS-with-SHA512 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-hss-with-SHA512 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha512 } | ||||
| PUBLIC-KEYS { pk-HSS-LMS-HashSig } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-hss-with-SHA512 } } | ||||
| -- | -- | |||
| -- pk-HSS-LMS-HashSig is defined in [ietf-lamps-cms-hash-sig] | -- pk-HSS-LMS-HashSig is defined in [ietf-lamps-cms-hash-sig] | |||
| -- | -- | |||
| -- pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | -- pk-HSS-LMS-HashSig PUBLIC-KEY ::= { | |||
| -- IDENTIFIER id-alg-hss-lms-hashsig | -- IDENTIFIER id-alg-hss-lms-hashsig | |||
| -- KEY HSS-LMS-HashSig-PublicKey | -- KEY HSS-LMS-HashSig-PublicKey | |||
| -- PARAMS ARE absent | -- PARAMS ARE absent | |||
| -- CERT-KEY-USAGE | -- CERT-KEY-USAGE | |||
| -- { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | -- { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | |||
| -- | -- | |||
| -- HSS-LMS-HashSig-PublicKey ::= OCTET STRING | -- HSS-LMS-HashSig-PublicKey ::= OCTET STRING | |||
| -- | ||||
| -- XMSS Keys and Signatures | ||||
| -- | ||||
| -- XMSS Object Identifiers | ||||
| id-alg-xmss OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmss(13) 0 } | ||||
| id-alg-xmss-with-SHA256 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmss(13) 2 } | ||||
| id-alg-xmss-with-SHA384 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmss(13) 3 } | ||||
| id-alg-xmss-with-SHA512 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmss(13) 1 } | ||||
| -- XMSS Signature Algorithms and Public Key | ||||
| sa-XMSS SIGNATURE-ALGORITHM ::= { | sa-XMSS SIGNATURE-ALGORITHM ::= { | |||
| IDENTIFIER id-alg-xmss | IDENTIFIER id-alg-xmss | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| PUBLIC-KEYS { pk-XMSS } | PUBLIC-KEYS { pk-XMSS } | |||
| SMIME-CAPS { IDENTIFIED BY id-alg-xmss } } | SMIME-CAPS { IDENTIFIED BY id-alg-xmss } } | |||
| sa-XMSS-with-SHA256 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-xmss-with-SHA256 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha256 } | ||||
| PUBLIC-KEYS { pk-XMSS } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-xmss-with-SHA256 } } | ||||
| sa-XMSS-with-SHA384 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-xmss-with-SHA384 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha384 } | ||||
| PUBLIC-KEYS { pk-XMSS } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-xmss-with-SHA384 } } | ||||
| sa-XMSS-with-SHA512 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-xmss-with-SHA512 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha512 } | ||||
| PUBLIC-KEYS { pk-XMSS } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-xmss-with-SHA512 } } | ||||
| pk-XMSS PUBLIC-KEY ::= { | pk-XMSS PUBLIC-KEY ::= { | |||
| IDENTIFIER id-alg-xmss | IDENTIFIER id-alg-xmss | |||
| KEY XMSS-PublicKey | KEY XMSS-PublicKey | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| CERT-KEY-USAGE | CERT-KEY-USAGE | |||
| { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | |||
| XMSS-PublicKey ::= OCTET STRING | XMSS-PublicKey ::= OCTET STRING | |||
| -- | ||||
| -- XMSS^MT Keys and Signatures | ||||
| -- | ||||
| -- XMSS^MT Object Identifiers | ||||
| id-alg-xmssmt OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmssmt(14) 0 } | ||||
| id-alg-xmssmt-with-SHA256 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmssmt(14) 2 } | ||||
| id-alg-xmssmt-with-SHA384 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmssmt(14) 3 } | ||||
| id-alg-xmssmt-with-SHA512 OBJECT IDENTIFIER ::= { itu-t(0) | ||||
| identified-organization(4) etsi(0) reserved(127) | ||||
| etsi-identified-organization(0) isara(15) algorithms(1) | ||||
| asymmetric(1) xmssmt(14) 1 } | ||||
| -- XMSS^MT Signature Algorithms and Public Key | ||||
| sa-XMSSMT SIGNATURE-ALGORITHM ::= { | sa-XMSSMT SIGNATURE-ALGORITHM ::= { | |||
| IDENTIFIER id-alg-xmssmt | IDENTIFIER id-alg-xmssmt | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| PUBLIC-KEYS { pk-XMSSMT } | PUBLIC-KEYS { pk-XMSSMT } | |||
| SMIME-CAPS { IDENTIFIED BY id-alg-xmssmt } } | SMIME-CAPS { IDENTIFIED BY id-alg-xmssmt } } | |||
| sa-XMSSMT-with-SHA256 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-xmssmt-with-SHA256 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha256 } | ||||
| PUBLIC-KEYS { pk-XMSSMT } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-xmssmt-with-SHA256 } } | ||||
| sa-XMSSMT-with-SHA384 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-xmssmt-with-SHA384 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha384 } | ||||
| PUBLIC-KEYS { pk-XMSSMT } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-xmssmt-with-SHA384 } } | ||||
| sa-XMSSMT-with-SHA512 SIGNATURE-ALGORITHM ::= { | ||||
| IDENTIFIER id-alg-xmssmt-with-SHA512 | ||||
| PARAMS ARE absent | ||||
| HASHES { mda-sha512 } | ||||
| PUBLIC-KEYS { pk-XMSSMT } | ||||
| SMIME-CAPS { IDENTIFIED BY id-alg-xmssmt-with-SHA512 } } | ||||
| pk-XMSSMT PUBLIC-KEY ::= { | pk-XMSSMT PUBLIC-KEY ::= { | |||
| IDENTIFIER id-alg-xmssmt | IDENTIFIER id-alg-xmssmt | |||
| KEY XMSSMT-PublicKey | KEY XMSSMT-PublicKey | |||
| PARAMS ARE absent | PARAMS ARE absent | |||
| CERT-KEY-USAGE | CERT-KEY-USAGE | |||
| { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | { digitalSignature, nonRepudiation, keyCertSign, cRLSign } } | |||
| XMSSMT-PublicKey ::= OCTET STRING | XMSSMT-PublicKey ::= OCTET STRING | |||
| END | END | |||
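Review bot: after this removal the module defines nothing for HSS: sa-HSS-LMS-HashSig and pk-HSS-LMS-HashSig appear only in comments ("defined in [ietf-lamps-cms-hash-sig]") and are not in the IMPORTS clause, which brings in only PUBLIC-KEY and SIGNATURE-ALGORITHM from AlgorithmInformation-2009. Anyone compiling this module therefore gets XMSS and XMSS^MT objects only; either import the HSS objects by name from the module that defines them, or say in the module header that HSS is intentionally provided elsewhere. The citation tag used in the comments ([ietf-lamps-cms-hash-sig]) also differs from the one used in the prose ([I-D.ietf-lamps-cms-hash-sig]) and should be made consistent.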
| skipping to change at page 13, line 47 ¶ | skipping to change at page 9, line 40 ¶ | |||
| real quantum computer, the pre-image quantum security of SHA-256 is | real quantum computer, the pre-image quantum security of SHA-256 is | |||
| closer to 190 bits. All parameter sets for the signature algorithms | closer to 190 bits. All parameter sets for the signature algorithms | |||
| in this document currently use SHA-256 internally and thus have at | in this document currently use SHA-256 internally and thus have at | |||
| least 128 bits of quantum pre-image resistance, or 190 bits using the | least 128 bits of quantum pre-image resistance, or 190 bits using the | |||
| security assumptions in [Fluhrer17]. | security assumptions in [Fluhrer17]. | |||
| [Zhandry15] shows that hash collisions can be found using an | [Zhandry15] shows that hash collisions can be found using an | |||
| algorithm with a lower bound on the number of oracle queries on the | algorithm with a lower bound on the number of oracle queries on the | |||
| order of 2^(n/3) on the number of bits, however [DJB09] demonstrates | order of 2^(n/3) on the number of bits, however [DJB09] demonstrates | |||
| that the quantum memory requirements would be much greater. | that the quantum memory requirements would be much greater. | |||
| Therefore a pre-hash using SHA-256 would have at least 128 bits of | Therefore a parameter set using SHA-256 would have at least 128 bits | |||
| quantum collision-resistance as well as the pre-image resistance | of quantum collision-resistance as well as the pre-image resistance | |||
| mentioned in the previous paragraph. | mentioned in the previous paragraph. | |||
| Given the quantum collision and pre-image resistance of SHA-256 | Given the quantum collision and pre-image resistance of SHA-256 | |||
| estimated above, the algorithm identifiers id-alg-hss-with-SHA256, | estimated above, the current parameter sets used by id-alg-hss-lms- | |||
| id-alg-xmss-with-SHA256 and id-alg-xmssmt-with-SHA256 defined in this | hashsig, id-alg-xmss and id-alg-xmssmt provide 128 bits or more of | |||
| document provide 128 bits or more of quantum security. This is | quantum security. This is believed to be secure enough to protect | |||
| believed to be secure enough to protect X.509 certificates for well | X.509 certificates for well beyond any reasonable certificate | |||
| beyond any reasonable certificate lifetime, although the SHA-384 and | lifetime. | |||
| SHA-512 variants could be used if there are any doubts. | ||||
| 6.2. Implementation Security Considerations | 6.2. Implementation Security Considerations | |||
| Implementations MUST protect the private keys. Compromise of the | Implementations MUST protect the private keys. Compromise of the | |||
| private keys may result in the ability to forge signatures. Along | private keys may result in the ability to forge signatures. Along | |||
| with the private key, the implementation MUST keep track of which | with the private key, the implementation MUST keep track of which | |||
| leaf nodes in the tree have been used. Loss of integrity of this | leaf nodes in the tree have been used. Loss of integrity of this | |||
| tracking data can cause a one-time key to be used more than once. As | tracking data can cause a one-time key to be used more than once. As | |||
| a result, when a private key and the tracking data are stored on non- | a result, when a private key and the tracking data are stored on non- | |||
| volatile media or stored in a virtual machine environment, care must | volatile media or stored in a virtual machine environment, care must | |||
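Review bot: the conclusion "a parameter set using SHA-256 would have at least 128 bits of quantum collision-resistance" does not follow from the quoted query bound alone: 2^(n/3) with n = 256 is about 2^85 queries, so the 128-bit figure rests entirely on the memory argument attributed to [DJB09], and the paragraph should state that dependence explicitly rather than open with "Therefore". The phrase "on the order of 2^(n/3) on the number of bits" should read "on the order of 2^(n/3) for an n-bit hash". Dropping the SHA-384/SHA-512 fallback sentence is consistent with deleting those OIDs, but it leaves readers who do not accept the 128-bit estimate with no stated alternative; a sentence saying where to look if a stronger parameter set is wanted would close that gap.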
| End of changes. 21 change blocks. | ||||
| 221 lines changed or deleted | 38 lines changed or added | |||