idnits 2.17.1 

draft-chudov-cryptopro-cpxmldsig-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 17.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 854.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 865.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 872.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 878.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

  == Line 49 has weird spacing: '...ryption  synta...'

  == Line 110 has weird spacing: '...ryption  synta...'

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords -- however, there's a paragraph with
     a matching beginning. Boilerplate error?

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).
  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (December 12, 2008) is 5615 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Missing Reference: '0-2' is mentioned on line 710, but not defined

  == Missing Reference: '1-3' is mentioned on line 710, but not defined

  == Missing Reference: '0-9' is mentioned on line 710, but not defined

  ** Obsolete normative reference: RFC 2396 (Obsoleted by RFC 3986)


     Summary: 2 errors (**), 0 flaws (~~), 7 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                          G. Chudov
3	Internet-Draft                                               S. Leontiev
4	Intended status: Informational                              A. Chelpanov
5	Expires: June 15, 2009                                        P. Smirnov
6	                                                              CRYPTO-PRO
7	                                                       December 12, 2008

9	        GOST based Security Uniform Resource Identifiers (URIs).
10	                  draft-chudov-cryptopro-cpxmldsig-01

12	Status of this Memo

14	   By submitting this Internet-Draft, each author represents that any
15	   applicable patent or other IPR claims of which he or she is aware
16	   have been or will be disclosed, and any of which he or she becomes
17	   aware will be disclosed, in accordance with Section 6 of BCP 79.

19	   Internet-Drafts are working documents of the Internet Engineering
20	   Task Force (IETF), its areas, and its working groups.  Note that
21	   other groups may also distribute working documents as Internet-
22	   Drafts.

24	   Internet-Drafts are draft documents valid for a maximum of six months
25	   and may be updated, replaced, or obsoleted by other documents at any
26	   time.  It is inappropriate to use Internet-Drafts as reference
27	   material or to cite them other than as "work in progress."

29	   The list of current Internet-Drafts can be accessed at
30	   http://www.ietf.org/ietf/1id-abstracts.txt.

32	   The list of Internet-Draft Shadow Directories can be accessed at
33	   http://www.ietf.org/shadow.html.

35	   This Internet-Draft will expire on June 15, 2009.

37	Abstract

39	   This document specifies how to use Russian national cryptographic
40	   standards GOST R 34.10-2001, GOST R 34.10-94, GOST R 34.11-94
41	   GOST 28147-89 with XML Signatures and XML encryption.  The mechanism
42	   specified provides integrity, message authentication, and/or data
43	   encryption and/or signer authentication services.

45	Table of Contents

47	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
48	   2.  GOST R 34.10-94/2001 . . . . . . . . . . . . . . . . . . . . .  3
49	   3.  Specifying GOST within XMLDSIG and XML encryption  syntax
50	       and processing . . . . . . . . . . . . . . . . . . . . . . . .  3
51	     3.1.  Version, Namespaces and Identifiers  . . . . . . . . . . .  3
52	     3.2.  XML Schema Preamble and DTD Replacement  . . . . . . . . .  4
53	       3.2.1.  XML Schema Preamble  . . . . . . . . . . . . . . . . .  4
54	       3.2.2.  DTD Replacement  . . . . . . . . . . . . . . . . . . .  4
55	     3.3.  Public Key Signature Algorithms  . . . . . . . . . . . . .  4
56	     3.4.  DigestMethod Algorithms  . . . . . . . . . . . . . . . . .  5
57	     3.5.  Hash Message Authentication Code Algorithms  . . . . . . .  5
58	     3.6.  GOST Key Values  . . . . . . . . . . . . . . . . . . . . .  5
59	       3.6.1.  Key Value Root Element . . . . . . . . . . . . . . . .  5
60	       3.6.2.  GOST R 34.10 Parameters  . . . . . . . . . . . . . . .  7
61	     3.7.  EncryptionMethod Algorithms  . . . . . . . . . . . . . . .  8
62	     3.8.  Key Agreement Algorithms . . . . . . . . . . . . . . . . .  9
63	     3.9.  Key Transport Algorithm  . . . . . . . . . . . . . . . . . 10
64	     3.10. Symmetric Key Wrap . . . . . . . . . . . . . . . . . . . . 10
65	       3.10.1. GOST 28147-89 Key Wrap . . . . . . . . . . . . . . . . 10
66	       3.10.2. CryptoPro Key Wrap . . . . . . . . . . . . . . . . . . 11
67	   4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 12
68	   5.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
69	     5.1.  Signed message . . . . . . . . . . . . . . . . . . . . . . 12
70	   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 12
71	   7.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
72	     7.1.  Normative references . . . . . . . . . . . . . . . . . . . 13
73	     7.2.  Informative references . . . . . . . . . . . . . . . . . . 15
74	   Appendix A.  Aggregate XML Schema  . . . . . . . . . . . . . . . . 15
75	   Appendix B.  Aggregate DTD . . . . . . . . . . . . . . . . . . . . 17
76	   Appendix C.  Examples  . . . . . . . . . . . . . . . . . . . . . . 17
77	     C.1.  Signed document  . . . . . . . . . . . . . . . . . . . . . 17
78	   Appendix D.  Acknowledgments . . . . . . . . . . . . . . . . . . . 18
79	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18
80	   Intellectual Property and Copyright Statements . . . . . . . . . . 21

82	1.  Introduction

84	   This document specifies how to use GOST R 34.10-2001, GOST R 34.10-94
85	   digital signatures and public keys, GOST R 34.11-94 hash,
86	   GOST 28147-89 encryption algorithms with XML Signatures [XMLDSIG] and
87	   XML Encryption.

89	   This document uses both XML Schemas ([XML-SCHEMA-1], [XML-SCHEMA-2])
90	   (normative) and DTDs [XML] (informational) for specifying the
91	   corresponding XML structures.

93	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
94	   NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
95	   this document are to be interpreted as described in [KEYWORDS].

97	2.  GOST R 34.10-94/2001

99	   Algorithms GOST R 34.10-94, GOST R 34.10-2001 and GOST R 34.11-94
100	   have been developed by Russian Federal Agency of Governmental
101	   Communication and Information (FAGCI) and "All-Russian Scientific and
102	   Research Institute of Standardization".  They are described in
103	   [GOSTR341094], [GOSTR341001] and [GOSTR341194] ([GOST3431095],
104	   [GOST3431004] and [GOST3431195]).  RECOMMENDED parameters for those
105	   algorithms are described in [CPALGS].

107	   The only hash function used with GOST R 34.10-94/2001 is
108	   GOST R 34.11-94.

110	3.  Specifying GOST within XMLDSIG and XML encryption  syntax and
111	    processing

113	   This section specifies the details of how to use GOST algorithms with
114	   XML Signature Syntax and Processing [XMLDSIG] and XML Encryption
115	   Syntax and Processing [XMLENC-CORE].  It relies heavily on syntaxes
116	   and namespaces defined in [XMLDSIG] and [XMLENC-CORE].

118	3.1.  Version, Namespaces and Identifiers

120	   This specification makes no provision for an explicit version number
121	   in the syntax.  If a future version is needed, it will use a
122	   different namespace.

124	   The XML namespace [XML-NS] URI [RFC2396] that MUST be used by
125	   implementations of this (dated) specification is:

127	      http://www.w3.org/2006/10/xmldsig-gost#

129	   Elements in the namespace of the [XMLDSIG] specification are marked
130	   as such by using the namespace prefix "dsig" in the remaining
131	   sections of this document.

133	   Elements in the namespace of the [XMLENC-CORE] specification are
134	   marked as such by using the namespace prefix "xenc" in the remaining
135	   sections of this document.

137	3.2.  XML Schema Preamble and DTD Replacement

139	3.2.1.  XML Schema Preamble

141	   The subsequent preamble is to be used with the XML Schema definitions
142	   given in the remaining sections of this document.

144	     <xs:schema
145	       xmlns:gost="http://www.w3.org/2006/10/xmldsig-gost#"
146	       xmlns:xs="http://www.w3.org/2001/XMLSchema"
147	       targetNamespace="http://www.w3.org/2006/10/xmldsig-gost#"
148	       elementFormDefault="qualified" attributeFormDefault="unqualified"
149	       version="0.3">

151	3.2.2.  DTD Replacement

153	   In order to include GOST XML-signature syntax, the following
154	   definition of the entity Key.ANY SHOULD replace the one in [XMLDSIG]:

156	     <!ENTITY % KeyValue.ANY '| gost:KeyValue1994| gost:KeyValue2001'>

158	3.3.  Public Key Signature Algorithms

160	   The input to the GOST R 34.10-94/2001 algorithms is the canonicalized
161	   representation of the dsig:SignedInfo element as specified in Section
162	   3 of [XMLDSIG].

164	   The signature value (text value of element dsig:SignatureValue - see
165	   section 4.2 of [XMLDSIG]) consists of the base64 encoding of the 64
166	   octets as described in section 2.2 of [CPPK].

168	   The identifier for the GOST R 34.10-94 signature algorithm is:
169	      http://www.w3.org/2006/10/xmldsig-gost#gostr341094-gostr3411

171	   The identifier for the GOST R 34.10-2001 signature algorithm is:
172	      http://www.w3.org/2006/10/xmldsig-gost#gostr34102001-gostr3411

174	3.4.  DigestMethod Algorithms

176	   The identifier for the GOST R 34.11-94 digest algorithm is:
177	      http://www.w3.org/2006/10/xmldsig-gost#gostr3411

179	   The DigestMethod may contain optional element gost:ParametersR3411.
180	   ParametersR3411 contains one OID specified in section 8.2.  [CPALGS].
181	   If ParametersR3411 is missed, the application implicitly knows about
182	   it from other means.

184	   It is RECOMMENDED to use parameters defined by id-GostR3411-94-
185	   CryptoProParamSet if ParametersR3411 is omitted (see Section 11.2
186	   [CPALGS]).

188	   Schema Definition:

190	     <xs:element name="ParametersR3411"
191	                 type="gost:ObjectIdentifierType"/>

193	   DTD Definition:

195	     <!ELEMENT ParametersR3411 (#PCDATA) >

197	3.5.  Hash Message Authentication Code Algorithms

199	   GOST R 34.11-94 can also be used in HMAC [HMAC] as described in
200	   section 6.3.1 of [XMLDSIG].  Identifier:
201	      http://www.w3.org/2006/10/xmldsig-gost#hmac-gostr3411

203	   The Hash Message Authentication Code Algorithms contain the same
204	   parameters as DigestMethod Algorithms.

206	   If ParametersR3411 is missed, the parameters, identified by id-
207	   GostR3411-94-CryptoProParamSet, are RECOMMENDED to use (see Section
208	   11.2 [CPALGS]).

210	3.6.  GOST Key Values

212	3.6.1.  Key Value Root Element

214	   Elements of KeyValue1994Type and KeyValue2001Type types are used for
215	   GOST public keys encoding.  The usage of these elements with
216	   [XMLDSIG] or [XMLENC-CORE] is the same as for dsig:RSAKeyValue or
217	   xenc:DHKeyValue predefined elements in dsig:KeyValue.

219	   The elements consist of an optional subelement PublicKeyParameters
220	   and the mandatory subelement PublicKey.  If PublicKeyParameters are
221	   missing in an instance, this means that the application knows about
222	   them from other means (implicitly).

224	   Schema Definition:

226	     <xs:element name="KeyValue1994"
227	                 type="gost:KeyValue1994Type"/>

229	     <xs:complexType name="KeyValue1994Type">
230	       <xs:sequence>
231	         <xs:element name="PublicKeyParameters"
232	                     type="gost:PublicKeyParameters1994Type"
233	                     minOccurs="0"/>
234	         <xs:element name="PublicKey" type="xs:base64Binary"/>
235	       </xs:sequence>
236	     </xs:complexType>

238	     <xs:element name="KeyValue2001"
239	                 type="gost:KeyValue2001Type"/>

241	     <xs:complexType name="KeyValue2001Type">
242	       <xs:sequence>
243	         <xs:element name="PublicKeyParameters"
244	                     type="gost:PublicKeyParameters2001Type"
245	                     minOccurs="0"/>
246	         <xs:element name="PublicKey" type="xs:base64Binary"/>
247	       </xs:sequence>
248	     </xs:complexType>

250	   DTD Definition:

252	     <!ELEMENT KeyValue1994 (
253	                 PublicKeyParameters1994?, PublicKey) >
254	     <!ELEMENT KeyValue2001 (
255	                 PublicKeyParameters2001?, PublicKey) >
256	     <!ELEMENT PublicKey (#PCDATA) >

258	   If KeyValue2001Type PublicKeyParameters subelement is missed, the
259	   parameters, identified by DefaultPublicKeyParameters2001, are
260	   RECOMMENDED to use.

262	   DefaultPublicKeyParameters2001:

264	     <PublicKeyParameters>
265	       <publicKeyParamSet>1.2.643.2.2.35.1</publicKeyParamSet>
266	         <!-- id-GostR3410-2001-CryptoPro-A-ParamSet -->
267	       <digestParamSet>1.2.643.2.2.30.1</digestParamSet>
268	         <!-- id-GostR3411-94-CryptoProParamSet -->
269	       <encryptionParamSet>1.2.643.2.2.31.1</encryptionParamSet>
270	         <!-- id-Gost28147-89-CryptoPro-A-ParamSet -->
271	     </PublicKeyParameters>

273	   If KeyValue1994Type PublicKeyParameters subelement is missed, the
274	   parameters, defined by DefaultPublicKeyParameters1994, are
275	   RECOMMENDED to use.

277	   DefaultPublicKeyParameters1994:

279	     <PublicKeyParameters>
280	       <publicKeyParamSet>1.2.643.2.2.32.2</publicKeyParamSet>
281	         <!-- id-GostR3410-94-CryptoPro-A-ParamSet -->
282	       <digestParamSet>1.2.643.2.2.30.1</digestParamSet>
283	         <!-- id-GostR3411-94-CryptoProParamSet -->
284	       <encryptionParamSet>1.2.643.2.2.31.1</encryptionParamSet>
285	         <!-- id-Gost28147-89-CryptoPro-A-ParamSet -->
286	     </PublicKeyParameters>

288	3.6.2.  GOST R 34.10 Parameters

290	   Gost paramaters contain three OIDs: publicKeyParamSet, digestParamSet
291	   and optional encryptionParamSet.  Parameter values, corresponding to
292	   these OIDs, can be found in [CPALGS].

294	   Schema Definition:

296	     <xs:complexType name="PublicKeyParameters1994Type">
297	        <xs:sequence>
298	           <xs:element name="publicKeyParamSet"
299	                       type="gost:ObjectIdentifierType"/>
300	           <xs:element name="digestParamSet"
301	                       type="gost:ObjectIdentifierType"/>
302	           <xs:element name="encryptionParamSet"
303	                       type="gost:ObjectIdentifierType"
304	                       minOccurs="0"/>
305	        </xs:sequence>
306	     </xs:complexType>
307	     <xs:complexType name="PublicKeyParameters2001Type">
308	        <xs:sequence>
309	           <xs:element name="publicKeyParamSet"
310	                       type="gost:ObjectIdentifierType"/>
311	           <xs:element name="digestParamSet"
312	                       type="gost:ObjectIdentifierType"/>
313	           <xs:element name="encryptionParamSet"
314	                       type="gost:ObjectIdentifierType"
315	                       minOccurs="0"/>
316	        </xs:sequence>
317	     </xs:complexType>

319	     <xs:simpleType name="ObjectIdentifierType">
320	        <xs:restriction base="xs:token">
321	           <xs:pattern value="[0-2](\.[1-3]?[0-9]?(\.\d+)*)?"/>
322	        </xs:restriction>
323	     </xs:simpleType>

325	   DTD Definition:

327	     <!ELEMENT PublicKeyParameters1994 (
328	                    publicKeyParamSet, digestParamSet,
329	                    encryptionParamSet?) >
330	     <!ELEMENT PublicKeyParameters2001 (
331	                    publicKeyParamSet, digestParamSet,
332	                    encryptionParamSet?) >
333	     <!ELEMENT publicKeyParamSet (#PCDATA) >
334	     <!ELEMENT digestParamSet (#PCDATA) >
335	     <!ELEMENT encryptionParamSet (#PCDATA) >

337	3.7.  EncryptionMethod Algorithms

339	   This subsection gives identifiers and information for GOST 28147-89
340	   EncryptionMethod Algorithms.

342	   The identifier for the GOST 28147-89 encryption algorithm is:
343	      http://www.w3.org/2006/10/xmldsig-gost#gost28147

345	   Complete description of GOST 28147-89 can be found in [GOST28147] (in
346	   Russian).

348	   256-bit key, 64-bit Initialization Vector (IV), and optional
349	   parameters are used in GOST 28147-89 encryption method algorithms.

351	   The resulting cipher text is prefixed by the IV.  If included in XML
352	   output, it is then base64 encoded.

354	   GostParameters28147 specifies the set of corresponding Gost28147-89-
355	   ParamSetParameters (see Section 8.1 of [CPALGS] ).  Encryption mode
356	   is specified by mode parameter of Gost28147-89-ParamSetParameters
357	   structure.  CFB and CNT modes are RECOMMENDED to use.  If
358	   ParametersR3411 is missed, the application implicitly knows about it
359	   from other means.

361	   If GostParameters28147 is omitted, the parameters, defined by id-
362	   Gost28147-89-CryptoPro-A-ParamSet, are RECOMMENDED to use (see
363	   Section 8.1 [CPALGS]).

365	   Schema Definition:

367	     <xs:simpleType name="Parameters28147Type">
368	       <xs:restriction base="gost:ObjectIdentifierType" />
369	     </xs:simpleType>

371	   DTD Definition:

373	     <!ELEMENT Parameters28147 (#PCDATA) >

375	3.8.  Key Agreement Algorithms

377	   Key agreement algorithms based on GOST R 34.10-94/2001 public keys
378	   (see Section 5 [CPALGS]) involves the derivation of shared secret
379	   information based on compatible keys from the sender and recipient.

381	   The identifiers for the algorithms based on GOST R 34.10-94/2001 are:
382	      http://www.w3.org/2006/10/xmldsig-gost#agree-gost1994
383	      http://www.w3.org/2006/10/xmldsig-gost#agree-gost2001

385	   The shared keying material for algorithm based on GOST R 34.10-94
386	   needed will be calculated as a result of function VKO GOST R 34.10-94
387	   (see Section 5.1 [CPALGS]), which generates GOST KEK using two
388	   GOST R 34.10-94 keypairs.

390	   The shared keying material for algorithm based on GOST R 34.10-2001
391	   needed will be calculated as a result of function VKO GOST R 34.10-
392	   2001 (see Section 5.2 [CPALGS]), which generates GOST KEK using two
393	   GOST R 34.10-2001 keypairs and UKM.  KA-Nonce field of
394	   AgreementMethod contains base64 encoded 64-bits value of UKM, if UKM
395	   is used.

397	3.9.  Key Transport Algorithm

399	   The key transport alogorithms based on VKO GOST R 34.10-2001 or VKO
400	   GOST R 34.10-1994, specified in [CPALGS], are public key encryption
401	   algorithms, which MUST be used for key encryption/decryption only.

403	   The identifiers for the algorithms based on VKO GOST R 34.10-94/2001
404	   are:
405	      http://www.w3.org/2006/10/xmldsig-gost#transport-gost1994
406	      http://www.w3.org/2006/10/xmldsig-gost#transport-gost2001

408	   The CipherValue for such encrypted key is the base64 encoding of the
409	   [X.208-88] encoding structure GostR3410-KeyTransport (see section
410	   4.2.1 [CPCMS]).

412	   In order to produce the KEK, the algorithm VKO GOST R 34.10-94/2001
413	   (described in [CPALGS]) is used with the secret key, which
414	   corresponds to the GostR3410-TransportParameters ephemeralPublicKey,
415	   and recipient's public key.

417	   If the CryptoPro key wrap algorithm is used to produce CEK_ENC,
418	   CEK_MAC, and UKM, then GostR3410-TransportParameters
419	   encryptionParamSet is used for all encryption operations.

421	   The resulting encrypted key (CEK_ENC) is placed in the Gost28147-89-
422	   EncryptedKey encryptedKey field, its mac (CEK_MAC) is placed in the
423	   Gost28147-89-EncryptedKey macKey field, and UKM is placed in the
424	   GostR3410-TransportParameters ukm field.

426	3.10.  Symmetric Key Wrap

428	   Symmetric Key Wrap algorithms are shared secret key encryption
429	   algorithms, which MUST be used for symmetric keys encryption/
430	   decryption only.

432	3.10.1.  GOST 28147-89 Key Wrap

434	   The GOST 28147-89 Key Wrap algorithms wrap (encrypt) a key (the
435	   wrapped key, WK) under a GOST 28147-89 Key Wrap (specified in
436	   sections 6.1, 6.2 [CPALGS]).

438	   Note: These algorithms MUST NOT be used without Key Agreement
439	   algorithm, because such WK is constant for every wrappnig-encrypting
440	   pair.  The encryption of many different keys with the same constant
441	   WK may reveal that WK.

443	   The identifier for the GOST 28147-89 Key Wrap algorithms is
444	      http://www.w3.org/2006/10/xmldsig-gost#kw-gost

446	   The CipherValue for such wrapped key is the base64 encoding of the
447	   [X.208-88] DER encoding structure GostR3410-KeyWrap.

449	   ASN.1 structure:

451	     GostR3410-KeyWrap ::=
452	         SEQUENCE {
453	             encryptedKey Gost28147-89-EncryptedKey,
454	             encryptedParameters Gost28147-89-KeyWrapParameters
455	          }

457	   Gost28147-89-KeyWrapParameters is described in section 4.1.1 of
458	   [CPCMS].  KA-Nonce field of AgreementMethod tag MUST be used as ukm.

460	   The resulting wrapped key (WK) is placed in the Gost28147-89-
461	   EncryptedKey encryptedKey field, its mac (CEK_MAC) is placed in the
462	   Gost28147-89-EncryptedKey macKey field. ukm field of Gost28147-89-
463	   KeyWrapParameters MUST be absent.

465	3.10.2.  CryptoPro Key Wrap

467	   The CryptoPro Key Wrap algorithm wraps (encrypts) a key (wrapped key,
468	   WK) under a CryptoPro Key Wrap (specified in sections 6.3, 6.4
469	   [CPALGS]).

471	   The identifier for the CryptoPro Key Wrap algorithms is
472	      http://www.w3.org/2006/10/xmldsig-gost#kw-cp

474	   The CipherValue for such wrapped key is the base64 encoding of the
475	   [X.208-88] DER encoding structure GostR3410-KeyWrap (See 'GOST
476	   28147-89 Key Wrap').

478	   The resulting wrapped key (WK) is placed in the Gost28147-89-
479	   EncryptedKey encryptedKey field, its mac (CEK_MAC) is placed in the
480	   Gost28147-89-EncryptedKey macKey field.

482	   If CryptoPro Key wrap algorithm is combined with Key Agreement
483	   Algorithm, KA-Nonce field of AgreementMethod tag MUST be used as ukm.
484	   ukm field of Gost28147-89-KeyWrapParameters type must be absent.

486	   If CryptoPro Key wrap algorithm is not combined with Key Agreement
487	   Algorithm, ukm field of Gost28147-89-KeyWrapParameters type MUST be
488	   present.

490	4.  Security Considerations

492	   Conforming applications MUST use unique values for ukm and iv.
493	   Recipients MAY verify that ukm and iv, specified by the sender, are
494	   unique.

496	   It is RECOMMENDED that software applications verify signature values,
497	   subject public keys and algorithm parameters to conform to
498	   [GOSTR341001], [GOSTR341094] standards before to use them.

500	   Cryptographic algorithm parameters affect algorithm strength.  The
501	   use of parameters not listed in [CPALGS] is NOT RECOMMENDED (see the
502	   Security Considerations section of [CPALGS]).

504	   Use of the same key for signature and key derivation is NOT
505	   RECOMMENDED.

507	   SHOULD NOT use XML encryption without XML signature or HMAC.

509	5.  Examples

511	5.1.  Signed message

513	   This message is signed using the sample certificate.

515	6.  IANA Considerations

517	   IANA has assigned the following values for GOST 28147-89 mode ciphers
518	   definitions:

520	   IANA has assigned the following XML namespace [XML-NS] URN:
521	      http://www.w3.org/2006/10/xmldsig-gost#

523	   [IANA please remove] Note: The above URN have not yet been
524	   registered.

526	7.  References
527	7.1.  Normative references

529	   [CPALGS]   Popov, V., Kurepkin, I., and S. Leontiev, "Additional
530	              Cryptographic Algorithms for Use with GOST 28147-89,
531	              GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
532	              Algorithms", RFC 4357, January 2006.

534	   [CPCMS]    Leontiev, S. and G. Chudov, "Using the GOST 28147-89,
535	              GOST R 34.11-94, GOST R 34.10-94, and GOST R 34.10-2001
536	              Algorithms with Cryptographic Message Syntax (CMS)",
537	              RFC 4490, May 2006.

539	   [CPPK]     Leontiev, S. and D. Shefanovski, "Using the
540	              GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
541	              Algorithms with the Internet X.509 Public Key
542	              Infrastructure Certificate and CRL Profile", RFC 4491,
543	              May 2006.

545	   [GOST28147]
546	              Government Committee of the USSR for Standards,
547	              "Cryptographic Protection for Data Processing System,
548	              Gosudarstvennyi Standard of USSR (In Russian)",
549	              GOST 28147-89, 1989.

551	   [GOST3431004]
552	              Council for Standardization, Metrology and Certification
553	              of the Commonwealth of Independence States (EASC), Minsk,
554	              "Information technology. Cryptographic Data Security.
555	              Formation and verification processes of (electronic)
556	              digital signature based on Asymmetric Cryptographic
557	              Algorithm (In Russian)", GOST 34.310-2004, 2004.

559	   [GOST3431095]
560	              Council for Standardization, Metrology and Certification
561	              of the Commonwealth of Independence States (EASC), Minsk,
562	              "Information technology. Cryptographic Data Security.
563	              Produce and check procedures of Electronic Digital
564	              Signature based on Asymmetric Cryptographic Algorithm (In
565	              Russian)", GOST 34.310-95, 1995.

567	   [GOST3431195]
568	              Council for Standardization, Metrology and Certification
569	              of the Commonwealth of Independence States (EASC), Minsk,
570	              "Information technology. Cryptographic Data Security.
571	              Cashing function (In Russian)", GOST 34.311-95, 1995.

573	   [GOSTR341001]
574	              Government Committee of the Russia for Standards,
575	              "Information technology. Cryptographic Data
576	              Security.Signature and verification processes of
577	              [electronic] digital signature, Gosudarstvennyi Standard
578	              of Russian Federation (In Russian)", GOST R 34.10-2001,
579	              2001.

581	   [GOSTR341094]
582	              Government Committee of the Russia for Standards,
583	              "Information technology. Cryptographic Data Security.
584	              Produce and check procedures of Electronic Digital
585	              Signatures based on Asymmetric Cryptographic Algorithm,
586	              Gosudarstvennyi Standard of Russian Federation (In
587	              Russian)", GOST R 34.10-94, 1994.

589	   [GOSTR341194]
590	              Government Committee of the Russia for Standards,
591	              "Information technology. Cryptographic Data Security.
592	              Hashing function, Gosudarstvennyi Standard of Russian
593	              Federation (In Russian)", GOST R 34.11-94, 1994.

595	   [HMAC]     Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
596	              Hashing for Message Authentication", RFC 2104,
597	              February 1997.

599	   [KEYWORDS]
600	              Bradner, S., "Key words for use in RFCs to Indicate
601	              Requirement Levels", BCP 14, RFC 2119, March 1997.

603	   [RFC2396]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
604	              Resource Identifiers (URI): Generic Syntax", RFC 2396,
605	              August 1998.

607	   [X.208-88]
608	              International International Telephone and Telegraph
609	              Consultative Committee, "Specification of Abstract Syntax
610	              Notation One (ASN.1)", CCITT Recommendation X.208,
611	              November 1988.

613	   [XML-NS]   Bray, T., Hollander, D., Layman, A., and R. Tobin,
614	              "Namespaces in XML (Second Edition)", W3C REC-xml-names,
615	              August 2006,
616	              <http://www.w3.org/TR/REC-xml-names-20060816>.

618	   [XML-SCHEMA-1]
619	              Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn,
620	              "XML Schema Part 1: Structures Second Edition", W3C REC-
621	              xmlschema-1, October 2004,
622	              <http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/>.

624	   [XML-SCHEMA-2]
625	              Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes
626	              Second Edition", W3C REC-xmlschema-2, October 2004,
627	              <http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/>.

629	   [XMLDSIG]  Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
630	              Language) XML-Signature Syntax and  Processing", RFC 3275,
631	              March 2002.

633	   [XMLENC-CORE]
634	              Eastlake, D. and J. Reagle , "XML Encryption Syntax and
635	              Processing", W3C Candidate Recommendation xmlenc-core,
636	              August 2002, <http://www.w3.org/TR/xmlenc-core/>.

638	7.2.  Informative references

640	   [RFC4134]  Hoffman, P., "Examples of S/MIME Messages", RFC 4134,
641	              July 2005.

643	   [XML]      Bray, T., Paoli, J., Sperberg-McQueen, C., Maler, E., and
644	              F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fourth
645	              Edition)", W3C REC-xml, August 2006,
646	              <http://www.w3.org/TR/2006/REC-xml-20060816>.

648	Appendix A.  Aggregate XML Schema

650	   <?xml version="1.0" encoding="UTF-8"?>

652	   <xs:schema
653	     xmlns:gost="http://www.w3.org/2006/10/xmldsig-gost#"
654	     xmlns:xs="http://www.w3.org/2001/XMLSchema"
655	     targetNamespace="http://www.w3.org/2006/10/xmldsig-gost#"
656	     elementFormDefault="qualified" attributeFormDefault="unqualified"
657	     version="0.3">

659	     <xs:element name="KeyValue1994" type="gost:KeyValue1994Type"/>

661	     <xs:complexType name="KeyValue1994Type">
662	       <xs:sequence>
663	         <xs:element name="PublicKeyParameters1994"
664	                     type="gost:PublicKeyParameters1994Type"
665	                     minOccurs="0"/>
666	         <xs:element name="PublicKey" type="xs:base64Binary"/>
667	       </xs:sequence>
668	     </xs:complexType>
669	     <xs:element name="KeyValue2001" type="gost:KeyValue2001Type"/>

671	     <xs:complexType name="KeyValue2001Type">
672	       <xs:sequence>
673	         <xs:element name="PublicKeyParameters2001"
674	                     type="gost:PublicKeyParameters2001Type"
675	                     minOccurs="0"/>
676	         <xs:element name="PublicKey" type="xs:base64Binary"/>
677	       </xs:sequence>
678	     </xs:complexType>

680	     <xs:complexType name="PublicKeyParameters1994Type">
681	       <xs:sequence>
682	         <xs:element name="publicKeyParamSet"
683	                     type="gost:ObjectIdentifierType"/>
684	         <xs:element name="digestParamSet"
685	                     type="gost:ObjectIdentifierType"/>
686	         <xs:element name="encryptionParamSet"
687	                     type="gost:ObjectIdentifierType"
688	                     minOccurs="0"/>
689	       </xs:sequence>
690	     </xs:complexType>

692	     <xs:complexType name="PublicKeyParameters2001Type">
693	       <xs:sequence>
694	         <xs:element name="publicKeyParamSet"
695	                     type="gost:ObjectIdentifierType"/>
696	         <xs:element name="digestParamSet"
697	                     type="gost:ObjectIdentifierType"/>
698	         <xs:element name="encryptionParamSet"
699	                     type="gost:ObjectIdentifierType"
700	                     minOccurs="0"/>
701	       </xs:sequence>
702	     </xs:complexType>

704	     <xs:simpleType name="Parameters28147Type">
705	       <xs:restriction base="gost:ObjectIdentifierType" />
706	     </xs:simpleType>

708	     <xs:simpleType name="ObjectIdentifierType">
709	       <xs:restriction base="xs:token">
710	         <xs:pattern value="[0-2](\.[1-3]?[0-9]?(\.\d+)*)?"/>
711	       </xs:restriction>
712	     </xs:simpleType>

714	     <xs:element name="ParametersR3411"
715	       type="gost:ObjectIdentifierType"/>

717	   </xs:schema>

719	Appendix B.  Aggregate DTD

721	    <!ELEMENT KeyValue1994 (
722	                   PublicKeyParameters1994?, PublicKey) >
723	    <!ELEMENT KeyValue2001 (
724	                   PublicKeyParameters2001?, PublicKey) >
725	    <!ELEMENT PublicKey (#PCDATA) >
726	    <!ELEMENT PublicKeyParameters1994 (
727	                   publicKeyParamSet, digestParamSet,
728	                   encryptionParamSet?) >
729	    <!ELEMENT PublicKeyParameters2001 (
730	                   publicKeyParamSet, digestParamSet,
731	                   encryptionParamSet?) >
732	    <!ELEMENT publicKeyParamSet (#PCDATA) >
733	    <!ELEMENT digestParamSet (#PCDATA) >
734	    <!ELEMENT encryptionParamSet (#PCDATA) >
735	    <!ELEMENT Parameters28147 (#PCDATA) >
736	    <!ELEMENT ParametersR3411 (#PCDATA) >

738	Appendix C.  Examples

740	   Examples here are stored in the same format as the examples in
741	   [RFC4134] and can be extracted using the same program.

743	   If you want to extract without the program, copy all the lines
744	   between the "|>" and "|<" markers, remove any page breaks, and remove
745	   the "|" in the first column of each line.  The result is a valid
746	   Base64 blob that can be processed by any Base64 decoder.

748	C.1.  Signed document

750	   This sample contain the signed XML document using the sample
751	   certificate from Section 4.2 of [CPPK].

753	   |>XmlDocSigned2001.xml
754	   |PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiPz48Q3J5cHRvUHJv
755	   |WE1MIFNpZ25lZD0idHJ1ZSI+SGVyZSBpcyBzb21lIGRhdGEgdG8gc2lnbi48U2ln
756	   |bmF0dXJlIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcj
757	   |Ij48U2lnbmVkSW5mbz48Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09
758	   |Imh0dHA6Ly93d3cudzMub3JnL1RSLzIwMDEvUkVDLXhtbC1jMTRuLTIwMDEwMzE1
759	   |IiAvPjxTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9y
760	   |Zy8yMDAxLzA0L3htbGRzaWctbW9yZSNnb3N0cjM0MTAyMDAxLWdvc3RyMzQxMSIg
761	   |Lz48UmVmZXJlbmNlIFVSST0iIj48VHJhbnNmb3Jtcz48VHJhbnNmb3JtIEFsZ29y
762	   |aXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3Bl
763	   |ZC1zaWduYXR1cmUiIC8+PC9UcmFuc2Zvcm1zPjxEaWdlc3RNZXRob2QgQWxnb3Jp
764	   |dGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNnb3N0
765	   |cjM0MTEiIC8+PERpZ2VzdFZhbHVlPi9Kd3RRc3Z5NWsvUjBWZUx6ZG0ySWlqUEJ0
766	   |U0o1cEpSalQ5RlVRSEV5VGc9PC9EaWdlc3RWYWx1ZT48L1JlZmVyZW5jZT48L1Np
767	   |Z25lZEluZm8+PFNpZ25hdHVyZVZhbHVlPkZjYjNxNGlCdmRmZ1lvN245NUdhUUN1
768	   |ZDkxWVA3dzhvVjAzUjZ6a1JEZGxjK0RuQ2MwcjlNc0E1YS9iaFlDeVdQZC9jRVU4
769	   |K3FZRnJ5SmJjaXJ5d0hBPT08L1NpZ25hdHVyZVZhbHVlPjxLZXlJbmZvPjxYNTA5
770	   |RGF0YT48WDUwOUNlcnRpZmljYXRlPk1JSUIwRENDQVg4Q0VDdjF4aDdDRWIwWHg5
771	   |elVZbWEwTGlFd0NBWUdLb1VEQWdJRE1HMHhIekFkQmdOVkJBTU1Ga2R2YzNSU016
772	   |UXhNQzB5TURBeElHVjRZVzF3YkdVeEVqQVFCZ05WQkFvTUNVTnllWEIwYjFCeWJ6
773	   |RUxNQWtHQTFVRUJoTUNVbFV4S1RBbkJna3Foa2lHOXcwQkNRRVdHa2R2YzNSU016
774	   |UXhNQzB5TURBeFFHVjRZVzF3YkdVdVkyOXRNQjRYRFRBMU1EZ3hOakUwTVRneU1G
775	   |b1hEVEUxTURneE5qRTBNVGd5TUZvd2JURWZNQjBHQTFVRUF3d1dSMjl6ZEZJek5E
776	   |RXdMVEl3TURFZ1pYaGhiWEJzWlRFU01CQUdBMVVFQ2d3SlEzSjVjSFJ2VUhKdk1R
777	   |c3dDUVlEVlFRR0V3SlNWVEVwTUNjR0NTcUdTSWIzRFFFSkFSWWFSMjl6ZEZJek5E
778	   |RXdMVEl3TURGQVpYaGhiWEJzWlM1amIyMHdZekFjQmdZcWhRTUNBaE13RWdZSEtv
779	   |VURBZ0lrQUFZSEtvVURBZ0llQVFOREFBUkFoSlZvZFdBQ0drQjFDTTBUakRHSkxQ
780	   |M2xCUU42UTF6MGJTc1A1MDh5ZmxlUDY4d1d1WldJQTlDYWZJV3VEK1NONnFhN2Zs
781	   |Ykh5N0RmRDJhOHl1b2FZREFJQmdZcWhRTUNBZ01EUVFBOEw4a0pSTGNucWV5bjFl
782	   |bjdVMjNTdzZwa2ZFUXUzdTB4RmtWUHZGUS8zY0hlRjI2TkcreHh0WlB6M1RhVFZY
783	   |ZG9pWWtYWWlEMDJyRXgxYlVjTTk3aTwvWDUwOUNlcnRpZmljYXRlPjwvWDUwOURh
784	   |dGE+PC9LZXlJbmZvPjwvU2lnbmF0dXJlPjwvQ3J5cHRvUHJvWE1MPg==
785	   |<XmlDocSigned2001.xml

787	Appendix D.  Acknowledgments

789	   The authors wish to thank:

791	      Microsoft Corporation Russia for provided information about
792	      company products and solutions, and also for technical consulting
793	      in PKI.

795	Authors' Addresses

797	   Grigorij S. Chudov
798	   CRYPTO-PRO, Ltd.
799	   16/5, Suschevskij val
800	   Moscow  127018
801	   Russia

803	   Phone: +7 (495) 780 48 20
804	   Fax:   +7 (495) 660 2330
805	   Email: chudov@CryptoPro.ru
806	   URI:   http://www.CryptoPro.ru

808	   Serguei E. Leontiev
809	   CRYPTO-PRO, Ltd.
810	   16/5, Suschevskij val
811	   Moscow  127018
812	   Russia

814	   Phone: +7 (495) 780 48 20
815	   Fax:   +7 (495) 660 2330
816	   Email: lse@CryptoPro.ru
817	   URI:   http://www.CryptoPro.ru

819	   Aleksandr V. Chelpanov
820	   CRYPTO-PRO, Ltd.
821	   16/5, Suschevskij val
822	   Moscow  127018
823	   Russia

825	   Phone: +7 (495) 780 48 20
826	   Fax:   +7 (495) 660 2330
827	   Email: cav@CryptoPro.ru
828	   URI:   http://www.CryptoPro.ru
829	   Pavel V. Smirnov
830	   CRYPTO-PRO, Ltd.
831	   16/5, Suschevskij val
832	   Moscow  127018
833	   Russia

835	   Phone: +7 (495) 780 48 20
836	   Fax:   +7 (495) 660 2330
837	   Email: spv@CryptoPro.ru
838	   URI:   http://www.CryptoPro.ru

840	Full Copyright Statement

842	   Copyright (C) The IETF Trust (2008).

844	   This document is subject to the rights, licenses and restrictions
845	   contained in BCP 78, and except as set forth therein, the authors
846	   retain all their rights.

848	   This document and the information contained herein are provided on an
849	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
850	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
851	   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
852	   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
853	   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
854	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

856	Intellectual Property

858	   The IETF takes no position regarding the validity or scope of any
859	   Intellectual Property Rights or other rights that might be claimed to
860	   pertain to the implementation or use of the technology described in
861	   this document or the extent to which any license under such rights
862	   might or might not be available; nor does it represent that it has
863	   made any independent effort to identify any such rights.  Information
864	   on the procedures with respect to rights in RFC documents can be
865	   found in BCP 78 and BCP 79.

867	   Copies of IPR disclosures made to the IETF Secretariat and any
868	   assurances of licenses to be made available, or the result of an
869	   attempt made to obtain a general license or permission for the use of
870	   such proprietary rights by implementers or users of this
871	   specification can be obtained from the IETF on-line IPR repository at
872	   http://www.ietf.org/ipr.

874	   The IETF invites any interested party to bring to its attention any
875	   copyrights, patents or patent applications, or other proprietary
876	   rights that may cover technology that may be required to implement
877	   this standard.  Please address the information to the IETF at
878	   ietf-ipr@ietf.org.