| < draft-ietf-smime-pss-02.txt | draft-ietf-smime-pss-03.txt > | |||
|---|---|---|---|---|
| S/MIME Working Group J Schaad | S/MIME Working Group J Schaad | |||
| Internet Draft Soaring Hawk Consulting | Internet Draft Soaring Hawk Consulting | |||
| Document: draft-ietf-smime-pss-02.txt November 2003 | Document: draft-ietf-smime-pss-03.txt December 2003 | |||
| Category: Standards | Category: Standards | |||
| Use of the RSA PSS Signature Algorithm in CMS | Use of the RSA PSS Signature Algorithm in CMS | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet-Draft and is in full conformance with | This document is an Internet-Draft and is in full conformance with | |||
| all provisions of Section 10 of RFC2026 [1]. | all provisions of Section 10 of RFC2026 [1]. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
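Review bot: the title block still reads "Category: Standards" on both sides (L6); the RFC 2026 category name is "Standards Track", so the -03 revision is a good place to correct it while the version and date lines are already being touched.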
| skipping to change at line 53 ¶ | skipping to change at line 53 ¶ | |||
| [STDWORDS]. | [STDWORDS]. | |||
| 1. Overview | 1. Overview | |||
| This document specifies the conventions for using the RSASSA-PSS (RSA | This document specifies the conventions for using the RSASSA-PSS (RSA | |||
| Signature Scheme with Appendix - Probabilistic Signature Scheme) | Signature Scheme with Appendix - Probabilistic Signature Scheme) | |||
| [P1v2.1] digital signature algorithm with the Cryptographic Message | [P1v2.1] digital signature algorithm with the Cryptographic Message | |||
| Syntax [CMS] signed-data content type. | Syntax [CMS] signed-data content type. | |||
| CMS and PSS Signature February 2003 | CMS and PSS Signature December 2003 | |||
| CMS values are generated using ASN.1 [X.208-88], using the Basic | CMS values are generated using ASN.1 [X.208-88], using the Basic | |||
| Encoding Rules (BER) [X.209-88] and the Distinguished Encoding Rules | Encoding Rules (BER) [X.209-88] and the Distinguished Encoding Rules | |||
| (DER) [X.509-88]. | (DER) [X.509-88]. | |||
| This document is written to be used in conjunction with RFC XXX [RSA- | ||||
| ALGS]. All of the ASN.1 structures referenced in this document are | ||||
| defined in RFC XXX. | ||||
| 1.1 PSS Algorithm | 1.1 PSS Algorithm | |||
| Although there are no known defects with the PKCS #1 v1.5 [P1v1.5] | Although there are no known defects with the PKCS #1 v1.5 [P1v1.5] | |||
| signature algorithm, RSASSA-PSS [P1v2.1] was developed in an effort | signature algorithm, RSASSA-PSS [P1v2.1] was developed in an effort | |||
| to have more mathematically provable security. PKCS #1 v1.5 | to have more mathematically provable security. PKCS #1 v1.5 | |||
| signatures were developed in an ad hoc manner, RSASSA-PSS was | signatures were developed in an ad hoc manner, RSASSA-PSS was | |||
| developed based on mathematical foundations. | developed based on mathematical foundations. | |||
| 2. Algorithm Identifiers and Parameters | 2. Algorithm Identifiers and Parameters | |||
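Review bot: the paragraph added on the right, "This document is written to be used in conjunction with RFC XXX [RSA-ALGS]. All of the ASN.1 structures referenced in this document are defined in RFC XXX.", leaves two "RFC XXX" placeholders while the [RSA-ALGS] entry in section 5 still cites draft-ietf-pkix-rsa-pkalgs-01.txt; add an RFC Editor note so the placeholders and the reference entry are replaced together, otherwise one will be left stale. The same paragraph says every ASN.1 structure is defined in that document, yet RSAPublicKey is reproduced in section 2.1; say that it is repeated for convenience so implementers know which text is authoritative. The running-header fix from "February 2003" to "December 2003" in this block is correct.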
| skipping to change at line 103 ¶ | skipping to change at line 107 ¶ | |||
| In both cases, the RSA public key, which is composed of a modulus | In both cases, the RSA public key, which is composed of a modulus | |||
| and a public exponent, MUST be encoded using the RSAPublicKey type. | and a public exponent, MUST be encoded using the RSAPublicKey type. | |||
| The output of this encoding is carried in the certificate subject | The output of this encoding is carried in the certificate subject | |||
| public key. | public key. | |||
| RSAPublicKey ::= SEQUENCE { | RSAPublicKey ::= SEQUENCE { | |||
| modulus INTEGER, -- n | modulus INTEGER, -- n | |||
| publicExponent INTEGER } -- e | publicExponent INTEGER } -- e | |||
| 2.2 Signature Identifiers | 2.2 Signature Identifiers | |||
| CMS and PSS Signature December 2003 | ||||
| The algorithm identifier for RSASAA-PSS signatures is: | The algorithm identifier for RSASAA-PSS signatures is: | |||
| id-RSASSA-PSS OBJECT IDENTIFER ::= {pkcs-1 10 } | id-RSASSA-PSS OBJECT IDENTIFER ::= {pkcs-1 10 } | |||
| CMS and PSS Signature February 2003 | ||||
| When the id-RSASSA-PSS algorithm identifier is used for a signature, | When the id-RSASSA-PSS algorithm identifier is used for a signature, | |||
| the AlgorithmIdentifier parameters field MUST contain RSASSA-PSS- | the AlgorithmIdentifier parameters field MUST contain RSASSA-PSS- | |||
| params. Information about RSASSA-PSS-params can be found in [RSA- | params. Information about RSASSA-PSS-params can be found in [RSA- | |||
| ALGS]. | ALGS]. | |||
| When signing, the RSA algorithm generates a single value, and that | When signing, the RSA algorithm generates a single value, and that | |||
| value is used directly as the signature value. | value is used directly as the signature value. | |||
| 3. Signed-data Conventions | 3. Signed-data Conventions | |||
| digestAlgorithms SHOULD contain the one-way hash function used to | digestAlgorithms SHOULD contain the one-way hash function used to | |||
| compute the message digest on the eContent value. | compute the message digest on the eContent value. | |||
| The same one-way hash function SHOULD be used for computing the | The same one-way hash function SHOULD be used for computing the | |||
| message digest on both the eContent and the signedAttributes value | message digest on both the eContent and the signedAttributes value | |||
| if signedAttributes exist. | if signedAttributes exist. | |||
| The same one-way hash function SHOULD be used for computing the | The same one-way hash function MUST be used for computing the | |||
| message digest on the signedAttributes and as the hashAlgorithm in | message digest on the signedAttributes and as the hashAlgorithm in | |||
| the RSA-PSS-params structure. | the RSA-PSS-params structure. | |||
| signatureAlgorithm MUST contain id-RSASSA-PSS. The algorithm | signatureAlgorithm MUST contain id-RSASSA-PSS. The algorithm | |||
| parameters field MUST contain RSASSA-PSS-params. | parameters field MUST contain RSASSA-PSS-params. | |||
| signature contains the single value resulting from the signing | signature contains the single value resulting from the signing | |||
| operation. | operation. | |||
| If the subjectPublicKeyInfo algorithm identifier for the public key | If the subjectPublicKeyInfo algorithm identifier for the public key | |||
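Review bot: two spelling defects survive unchanged on both sides of this block and should be fixed in -03: "RSASAA-PSS" in "The algorithm identifier for RSASAA-PSS signatures is:" should be "RSASSA-PSS", and "OBJECT IDENTIFER" in "id-RSASSA-PSS OBJECT IDENTIFER ::= {pkcs-1 10 }" is not a valid ASN.1 keyword and will not compile as written. The SHOULD to MUST upgrade for "the hashAlgorithm in the RSA-PSS-params structure" is the right call, since the verifier has no other way to learn which hash the signedAttributes digest was computed with, but the structure is named "RSASSA-PSS-params" two paragraphs later ("The algorithm parameters field MUST contain RSASSA-PSS-params") and in section 2.2; use one name throughout.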
| skipping to change at line 157 ¶ | skipping to change at line 161 ¶ | |||
| 3. The saltLength in the signatureAlgorithm parameters MUST be | 3. The saltLength in the signatureAlgorithm parameters MUST be | |||
| greater or equal to the saltLength in the certificate | greater or equal to the saltLength in the certificate | |||
| subjectPublicKey.algorithm parameters. | subjectPublicKey.algorithm parameters. | |||
| 4. The trailerField in the certificate subjectPublicKey.algorithm | 4. The trailerField in the certificate subjectPublicKey.algorithm | |||
| parameters and signatureAlgorithm parameters MUST be the same. | parameters and signatureAlgorithm parameters MUST be the same. | |||
| In doing the above comparisons, default values are considered to be | In doing the above comparisons, default values are considered to be | |||
| the same as extant values. If any of the above four steps is not | the same as extant values. If any of the above four steps is not | |||
| true, the signature checking algorithm MUST fail validation. | true, the signature checking algorithm MUST fail validation. | |||
| CMS and PSS Signature December 2003 | ||||
| 4. Security Considerations | 4. Security Considerations | |||
| CMS and PSS Signature February 2003 | ||||
| Implementations must protect the RSA private key. Compromise of the | Implementations must protect the RSA private key. Compromise of the | |||
| RSA private key may result in the ability to forge signatures. | RSA private key may result in the ability to forge signatures. | |||
| The generation of RSA private key relies on random numbers. The use | The generation of RSA private key relies on random numbers. The use | |||
| of inadequate pseudo-random number generators (PRNGs) to generate | of inadequate pseudo-random number generators (PRNGs) to generate | |||
| these values can result in little or no security. An attacker may | these values can result in little or no security. An attacker may | |||
| find it much easier to reproduce the PRNG environment that produced | find it much easier to reproduce the PRNG environment that produced | |||
| the keys, searching the resulting small set of possibilities, rather | the keys, searching the resulting small set of possibilities, rather | |||
| than brute force searching the whole key space. The generation of | than brute force searching the whole key space. The generation of | |||
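Review bot: steps 3 and 4 refer to "the certificate subjectPublicKey.algorithm parameters" while the sentence introducing the checks refers to "the subjectPublicKeyInfo algorithm identifier for the public key"; the parameters live in subjectPublicKeyInfo.algorithm, so pick that name for all four steps. "default values are considered to be the same as extant values" is ambiguous; say that an absent parameter is compared using its DEFAULT value from RSASSA-PSS-params, which is what makes step 3 (signature saltLength greater than or equal to the certificate saltLength) well defined when either side omits it. "If any of the above four steps is not true" reads better as "If any of the above four checks fails". In the Security Considerations, "Implementations must protect the RSA private key" uses a lowercase "must" where the rest of the document uses RFC 2119 keywords; capitalize it if it is meant to be normative.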
| skipping to change at line 183 ¶ | skipping to change at line 188 ¶ | |||
| of allowing an attacker to get extra information about the key. It | of allowing an attacker to get extra information about the key. It | |||
| is strongly suggested that the same key not be used for both the PKCS | is strongly suggested that the same key not be used for both the PKCS | |||
| #1 v1.5 and RSASSA-PSS signature algorithms. | #1 v1.5 and RSASSA-PSS signature algorithms. | |||
| When computing signatures, the same hash function should be used for | When computing signatures, the same hash function should be used for | |||
| all operations. This reduces the number of failure points in the | all operations. This reduces the number of failure points in the | |||
| signature process. | signature process. | |||
| The parameter checking procedures outlined in section 3 are of | ||||
| special importance. It is possible to forge signatures by changing | ||||
| (especially to weaker values) these parameter values. Signers using | ||||
| this algorithm should take care that only one set of parameter values | ||||
| is used as this decreases the possibility of leaking information. | ||||
| 5. Normative References | 5. Normative References | |||
| CMS Housley, R, "Cryptographic Message Syntax", | CMS Housley, R, "Cryptographic Message Syntax", | |||
| RFC 3369, August 2002. | RFC 3369, August 2002. | |||
| P1v2.1 Jonsson, J., and B. Kaliski, "PKCS #1: RSA | P1v2.1 Jonsson, J., and B. Kaliski, "PKCS #1: RSA | |||
| Cryptography Specification Version 2.1", | Cryptography Specification Version 2.1", | |||
| RFC 3447, February 2003. | RFC 3447, February 2003. | |||
| RSA-ALGS Schaad, J., B. Kaliski and R Housley, "Additional | RSA-ALGS Schaad, J., B. Kaliski and R Housley, "Additional | |||
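Review bot: the new paragraph, "It is possible to forge signatures by changing (especially to weaker values) these parameter values", does not tell the reader which check in section 3 closes that door; state that the four comparisons bind the signature's parameters to those in the certificate so a verifier does not accept parameters the key owner did not authorize, and cite the step numbers. The closing sentence, "only one set of parameter values is used as this decreases the possibility of leaking information", should be tied to the preceding paragraph's point about "allowing an attacker to get extra information about the key", since that is the information meant. "should be used for all operations" in the hash paragraph is lowercase while section 3 states the same rule as SHOULD; align the two.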
| skipping to change at line 207 ¶ | skipping to change at line 219 ¶ | |||
| draft-ietf-pkix-rsa-pkalgs-01.txt, | draft-ietf-pkix-rsa-pkalgs-01.txt, | |||
| November 2003. | November 2003. | |||
| STDWORDS S. Bradner, "Key Words for Use in RFCs to | STDWORDS S. Bradner, "Key Words for Use in RFCs to | |||
| Indicate Requirement Levels", RFC 2119, March | Indicate Requirement Levels", RFC 2119, March | |||
| 1997. | 1997. | |||
| X.208-88 CCITT Recommendation X.208: Specification of | X.208-88 CCITT Recommendation X.208: Specification of | |||
| Abstract Syntax Notation One (ASN.1), 1998. | Abstract Syntax Notation One (ASN.1), 1998. | |||
| CMS and PSS Signature December 2003 | ||||
| X.209-88 CCITT Recommendation X.209: Specification of | X.209-88 CCITT Recommendation X.209: Specification of | |||
| Basic Encoding Rules for Abstract Syntax | Basic Encoding Rules for Abstract Syntax | |||
| Notation One (ASN.1), 1988. | Notation One (ASN.1), 1988. | |||
| X.509-88 CCITT Recommendation X.509: The Directory | X.509-88 CCITT Recommendation X.509: The Directory | |||
| Authentication Framework, 1988. | Authentication Framework, 1988. | |||
| 6. Informational References | 6. Informational References | |||
| CMS and PSS Signature February 2003 | ||||
| P1v1.5 Kaliski, B. and J. Staddon, "PKCS #1: RSA Encryption, | P1v1.5 Kaliski, B. and J. Staddon, "PKCS #1: RSA Encryption, | |||
| Version 2.0, RFC 2437, October 1998. | Version 2.0, RFC 2437, October 1998. | |||
| PKALGS Polk, W, R Housley, L. Bassham, "Algorithms and Identifiers | PKALGS Polk, W, R Housley, L. Bassham, "Algorithms and Identifiers | |||
| for the Internet X.509 Public Key Infrastructure | for the Internet X.509 Public Key Infrastructure | |||
| Certificate and Certificate Revocation List (CRL) Profile", | Certificate and Certificate Revocation List (CRL) Profile", | |||
| RFC 3279, April 2002. | RFC 3279, April 2002. | |||
| RANDOM Eastlake, D., S. Crocker and J. Schiller | RANDOM Eastlake, D., S. Crocker and J. Schiller | |||
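Review bot: the X.208-88 entry is dated "1998" although its label is -88 and the companion X.209-88 and X.509-88 entries are dated 1988; this is a typo. The P1v1.5 entry is missing the closing quotation mark after "Version 2.0" ("PKCS #1: RSA Encryption, Version 2.0, RFC 2437"). Minor style: "Housley, R," in the CMS entry and "R Housley" in the RSA-ALGS entry lack the period used for every other initial.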
| skipping to change at line 258 ¶ | skipping to change at line 271 ¶ | |||
| document itself may not be modified in any way, such as by removing | document itself may not be modified in any way, such as by removing | |||
| the copyright notice or references to the Internet Society or other | the copyright notice or references to the Internet Society or other | |||
| Internet organizations, except as needed for the purpose of | Internet organizations, except as needed for the purpose of | |||
| developing Internet standards in which case the procedures for | developing Internet standards in which case the procedures for | |||
| copyrights defined in the Internet Standards process must be | copyrights defined in the Internet Standards process must be | |||
| followed, or as required to translate it into languages other than | followed, or as required to translate it into languages other than | |||
| English. | English. | |||
| The limited permissions granted above are perpetual and will not be | The limited permissions granted above are perpetual and will not be | |||
| revoked by the Internet Society or its successors or assigns. | revoked by the Internet Society or its successors or assigns. | |||
| CMS and PSS Signature December 2003 | ||||
| End of changes. 12 change blocks. | ||||
| 6 lines changed or deleted | 19 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||