idnits 2.17.1 draft-ietf-lamps-cmp-algorithms-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC4210, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords -- however, there's a paragraph with a matching beginning. Boilerplate error? (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). (Using the creation date from RFC4210, updated by this document, for RFC5378 checks: 2000-03-07) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (20 January 2021) is 1191 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC5480' is mentioned on line 378, but not defined == Outdated reference: A later version (-23) exists of draft-ietf-lamps-cmp-updates-06 ** Downref: Normative reference to an Informational RFC: RFC 2104 ** Downref: Normative reference to an Informational RFC: RFC 3394 ** Downref: Normative reference to an Informational RFC: RFC 5753 ** Downref: Normative reference to an Informational RFC: RFC 8017 ** Downref: Normative reference to an Informational RFC: RFC 8018 ** Downref: Normative reference to an Informational RFC: RFC 8032 == Outdated reference: A later version (-21) exists of draft-ietf-lamps-lightweight-cmp-profile-04 Summary: 6 errors (**), 0 flaws (~~), 5 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 LAMPS Working Group H. Brockhaus, Ed. 3 Internet-Draft H. Aschauer 4 Updates: 4210 (if approved) Siemens 5 Intended status: Standards Track M. Ounsworth 6 Expires: 24 July 2021 S. Mister 7 Entrust 8 20 January 2021 10 CMP Algorithms 11 draft-ietf-lamps-cmp-algorithms-02 13 Abstract 15 This document describes the conventions for using concrete 16 cryptographic algorithms with the Certificate Management Protocol 17 (CMP). CMP is used to enroll and further manage the lifecycle of 18 X.509 certificates. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at https://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on 24 July 2021. 37 Copyright Notice 39 Copyright (c) 2021 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 44 license-info) in effect on the date of publication of this document. 45 Please review these documents carefully, as they describe your rights 46 and restrictions with respect to this document. Code Components 47 extracted from this document must include Simplified BSD License text 48 as described in Section 4.e of the Trust Legal Provisions and are 49 provided without warranty as described in the Simplified BSD License. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 54 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 55 2. Message Digest Algorithms . . . . . . . . . . . . . . . . . . 3 56 2.1. SHA2 . . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 2.2. SHAKE . . . . . . . . . . . . . . . . . . . . . . . . . . 4 58 3. Signature Algorithms . . . . . . . . . . . . . . . . . . . . 4 59 3.1. RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 60 3.2. ECDSA . . . . . . . . . . . . . . . . . . . . . . . . . . 6 61 3.3. EdDSA . . . . . . . . . . . . . . . . . . . . . . . . . . 7 62 4. Key Management Algorithms . . . . . . . . . . . . . . . . . . 7 63 4.1. Key Agreement Algorithms . . . . . . . . . . . . . . . . 7 64 4.1.1. Diffie-Hellman . . . . . . . . . . . . . . . . . . . 8 65 4.1.2. ECDH . . . . . . . . . . . . . . . . . . . . . . . . 8 66 4.2. Key Transport Algorithms . . . . . . . . . . . . . . . . 10 67 4.2.1. RSA . . . . . . . . . . . . . . . . . . . . . . . . . 10 68 4.3. Symmetric Key-Encryption Algorithms . . . . . . . . . . . 11 69 4.3.1. AES Key Wrap . . . . . . . . . . . . . . . . . . . . 11 70 4.4. Key Derivation Algorithms . . . . . . . . . . . . . . . . 12 71 4.4.1. Password-based Key Derivation Function 2 . . . . . . 12 72 5. Content Encryption Algorithms . . . . . . . . . . . . . . . . 12 73 5.1. AES-CBC . . . . . . . . . . . . . . . . . . . . . . . . . 13 74 6. Message Authentication Code Algorithms . . . . . . . . . . . 13 75 6.1. Password-based MAC . . . . . . . . . . . . . . . . . . . 13 76 6.1.1. PasswordBasedMac . . . . . . . . . . . . . . . . . . 13 77 6.1.2. PBMAC1 . . . . . . . . . . . . . . . . . . . . . . . 14 78 6.2. Symmetric-key-based MAC . . . . . . . . . . . . . . . . . 14 79 6.2.1. SHA2-based HMAC . . . . . . . . . . . . . . . . . . . 14 80 6.2.2. AES-GMAC . . . . . . . . . . . . . . . . . . . . . . 15 81 6.2.3. SHAKE-based KMAC . . . . . . . . . . . . . . . . . . 15 82 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 83 8. Security Considerations . . . . . . . . . . . . . . . . . . . 16 84 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16 85 10. Normative References . . . . . . . . . . . . . . . . . . . . 16 86 11. Informative References . . . . . . . . . . . . . . . . . . . 20 87 Appendix A. Algorithm Use Profiles . . . . . . . . . . . . . . . 21 88 A.1. Algorithm selection guideline . . . . . . . . . . . . . . 21 89 A.2. Algorithm Profile for PKI Management Message Profiles . . 21 90 A.3. Algorithm Profile for Lightweight CMP Profile . . . . . . 23 91 Appendix B. History of changes . . . . . . . . . . . . . . . . . 25 92 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 27 94 1. Introduction 96 [RFC Editor: please delete]: !!! The change history was moved to 97 Appendix B !!! 99 1.1. Terminology 101 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 102 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 103 document are to be interpreted as described in BCP 14 [RFC2119] 104 [RFC8174] when, and only when, they appear in all capitals, as shown 105 here. 107 2. Message Digest Algorithms 109 This section provides references to object identifiers and 110 conventions to be employed by CMP implementations that support SHA2 111 or SHAKE message digest algorithms. 113 Digest algorithm identifiers are located in the hashAlg field of 114 OOBCertHash, the owf field of Challenge, PBMParameter, and 115 DHBMParameter, and the digestAlgorithms field of SignedData and the 116 digestAlgorithm field of SignerInfo. 118 Digest values are located in the hashVal field of OOBCertHash, the 119 witness field of Challenge, and the certHash field of CertStatus. In 120 addition, digest values are input to signature algorithms. 122 2.1. SHA2 124 The SHA2 algorithm family is defined in FIPS Pub 180-4 125 [NIST.FIPS.180-4]. 127 The message digest algorithms SHA-224, SHA-256, SHA-384, and SHA-512 128 are identified by the following OIDs: 130 id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) 131 us(840) organization(1) gov(101) csor(3) nistalgorithm(4) 132 hashalgs(2) 4 } 133 id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) 134 us(840) organization(1) gov(101) csor(3) nistalgorithm(4) 135 hashalgs(2) 1 } 136 id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) 137 us(840) organization(1) gov(101) csor(3) nistalgorithm(4) 138 hashalgs(2) 2 } 139 id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) 140 us(840) organization(1) gov(101) csor(3) nistalgorithm(4) 141 hashalgs(2) 3 } 143 Specific conventions to be considered are specified in RFC 5754 144 Section 2 [RFC5754]. 146 2.2. SHAKE 148 The SHAKE algorithm family is defined in FIPS Pub 202 149 [NIST.FIPS.202]. 151 The message digest algorithms SHAKE128 and SHAKE256 are identified by 152 the following OIDs: 154 id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) 155 us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 156 hashalgs(2) 11 } 157 id-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) 158 us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 159 hashalgs(2) 12 } 161 Specific conventions to be considered are specified in RFC 8702 162 Section 3.1 [RFC8702]. 164 3. Signature Algorithms 166 This section provides references to object identifiers and 167 conventions to be employed by CMP implementations that support RSA, 168 ECDSA, or EdDSA signature algorithms. 170 The signature algorithm is referred to as MSG_SIG_ALG in RFC 4210 171 Appendix D and E [RFC4210] and in the Lightweight CMP Profile 172 [I-D.ietf-lamps-lightweight-cmp-profile]. 174 Signature algorithm identifiers are located in the protectionAlg 175 field of PKIHeader, the algorithmIdentifier field of POPOSigningKey, 176 signatureAlgorithm field of CertificationRequest, SignKeyPairTypes, 177 and the SignerInfo signatureAlgorithm field of SignedData. 179 Signature values are located in the protection field of PKIMessage, 180 signature field of POPOSigningKey, signature field of 181 CertificationRequest, and SignerInfo signature field of SignedData. 183 3.1. RSA 185 The RSA (RSASSA-PSS and PKCS#1 version 1.5) signature algorithm is 186 defined in RFC 8017 [RFC8017]. 188 The algorithm identifiers for RSASAA-PSS signatures used with SHA2 189 message digest algorithms is identified by the following OID: 191 id-RSASSA-PSS OBJECT IDENTIFIER ::= { iso(1) member-body(2) 192 us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 10 } 194 Specific conventions to be considered are specified in RFC 4056 195 [RFC4056]. 197 The signature algorithm RSASSA-PSS used with SHAKE message digest 198 algorithms are identified by the following OIDs: 200 id-RSASSA-PSS-SHAKE128 OBJECT IDENTIFIER ::= { iso(1) 201 identified-organization(3) dod(6) internet(1) security(5) 202 mechanisms(5) pkix(7) algorithms(6) 30 } 203 id-RSASSA-PSS-SHAKE256 OBJECT IDENTIFIER ::= { iso(1) 204 identified-organization(3) dod(6) internet(1) security(5) 205 mechanisms(5) pkix(7) algorithms(6) 31 } 207 Specific conventions to be considered are specified in RFC 8702 208 Section 3.2.1 [RFC8702]. 210 The signature algorithm PKCS#1 version 1.5 used with SHA2 message 211 digest algorithms is identified by the following OIDs: 213 sha224WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) 214 member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 14 } 215 sha256WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) 216 member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 11 } 217 sha384WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) 218 member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 12 } 219 sha512WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) 220 member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 13 } 222 Specific conventions to be considered are specified in RFC 5754 223 Section 3.2 [RFC5754]. 225 3.2. ECDSA 227 The ECDSA signature algorithm is defined in FIPS Pub 186-4 228 [NIST.FIPS.186-4]. 230 The signature algorithm ECDSA used with SHA2 message digest 231 algorithms is identified by the following OIDs: 233 ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 234 us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 1 } 235 ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 236 us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 } 237 ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 238 us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 } 239 ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 240 us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 } 242 As specified in RFC 5480 [RFC5480] the NIST-recommended SECP curves 243 are identified by the following OIDs: 245 secp192r1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 246 us(840) ansi-X9-62(10045) curves(3) prime(1) 1 } 247 secp224r1 OBJECT IDENTIFIER ::= { iso(1) 248 identified-organization(3) certicom(132) curve(0) 33 } 249 secp256r1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 250 us(840) ansi-X9-62(10045) curves(3) prime(1) 7 } 251 secp384r1 OBJECT IDENTIFIER ::= { iso(1) 252 identified-organization(3) certicom(132) curve(0) 34 } 253 secp521r1 OBJECT IDENTIFIER ::= { iso(1) 254 identified-organization(3) certicom(132) curve(0) 35 } 256 Specific conventions to be considered are specified in RFC 5754 257 Section 3.3 [RFC5754]. 259 The signature algorithm ECDSA used with SHAKE message digest 260 algorithms are identified by the following OIDs: 262 id-ecdsa-with-shake128 OBJECT IDENTIFIER ::= { iso(1) 263 identified-organization(3) dod(6) internet(1) security(5) 264 mechanisms(5) pkix(7) algorithms(6) 32 } 265 id-ecdsa-with-shake256 OBJECT IDENTIFIER ::= { iso(1) 266 identified-organization(3) dod(6) internet(1) security(5) 267 mechanisms(5) pkix(7) algorithms(6) 33 } 269 Specific conventions to be considered are specified in RFC 8702 270 Section 3.2.2 [RFC8702]. 272 3.3. EdDSA 274 The EdDSA signature algorithm is defined in RFC 8032 Section 3.3 275 [RFC8032] and FIPS Pub 186-5 (Draft) [NIST.FIPS.186-5]. 277 The signature algorithm Ed25519 MUST be used with SHA-512 message 278 digest algorithms is identified by the following OIDs: 280 id-Ed25519 OBJECT IDENTIFIER ::= { iso(1) 281 identified-organization(3) thawte(101) 112 } 283 The signature algorithm Ed448 MUST be used with SHAKE256 message 284 digest algorithms is identified by the following OIDs: 286 id-Ed448 OBJECT IDENTIFIER ::= { iso(1) 287 identified-organization(3) thawte(101) 113 } 289 Specific conventions to be considered are specified in RFC 8419 290 [RFC8419]. 292 4. Key Management Algorithms 294 CMP utilizes the following general key management techniques: key 295 agreement, key transport, and passwords. 297 CRMF [RFC4211] and CMP Updates [I-D.ietf-lamps-cmp-updates] promotes 298 the use of CMS [RFC5652] EnvelopedData by deprecating the use of 299 EncryptedValue. 301 4.1. Key Agreement Algorithms 303 The key agreement algorithm is referred to as PROT_ENC_ALG in 304 RFC 4210 Appendix D and E [RFC4210] and in the Lightweight CMP 305 Profile [I-D.ietf-lamps-lightweight-cmp-profile]. 307 Key agreement algorithms are only used in CMP when using CMS 308 [RFC5652] EnvelopedData together with the key agreement key 309 management technique. When a key agreement algorithm is used, a key- 310 encryption algorithm (Section 4.3) is needed next to the content- 311 encryption algorithm (Section 5). 313 Key agreement algorithm identifiers are located in the EnvelopedData 314 RecipientInfos KeyAgreeRecipientInfo keyEncryptionAlgorithm fields. 316 Key encryption algorithm identifiers are located in the EnvelopedData 317 RecipientInfos KeyAgreeRecipientInfo keyEncryptionAlgorithm field. 319 Wrapped content-encryption keys are located in the EnvelopedData 320 RecipientInfos KeyAgreeRecipientInfo RecipientEncryptedKeys 321 encryptedKey field. 323 4.1.1. Diffie-Hellman 325 Diffie-Hellman key agreement is defined in RFC 2631 [RFC2631] and 326 SHALL be used in the ephemeral-static as specified in RFC 3370 327 [RFC3370]. Static-static variants SHALL NOT be used. 329 The Diffie-Hellman key agreement algorithm is identified by the 330 following OID: 332 id-alg-ESDH OBJECT IDENTIFIER ::= { iso(1) member-body(2) 333 us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 5 } 335 Specific conventions to be considered are specified in RFC 3370 336 Section 4.1 [RFC3370]. 338 4.1.2. ECDH 340 Elliptic Curve Diffie-Hellman (ECDH) key agreement is defined in 341 RFC 5753 [RFC5753] and SHALL be used in the ephemeral-static variant 342 as specified in RFC 5753 [RFC5753] or the 1-Pass ECMQV variant as 343 specified in RFC 5753 [RFC5753]. Static-static variants SHALL NOT be 344 used. 346 The ECDH key agreement algorithm used together with NIST-recommended 347 SECP curves are identified by the following OIDs: 349 dhSinglePass-stdDH-sha224kdf-scheme OBJECT IDENTIFIER ::= { iso(1) 350 identified-organization(3) certicom(132) schemes(1) 11(11) 0 } 351 dhSinglePass-stdDH-sha256kdf-scheme OBJECT IDENTIFIER ::= { iso(1) 352 identified-organization(3) certicom(132) schemes(1) 11(11) 1 } 353 dhSinglePass-stdDH-sha384kdf-scheme OBJECT IDENTIFIER ::= { iso(1) 354 identified-organization(3) certicom(132) schemes(1) 11(11) 2 } 355 dhSinglePass-stdDH-sha512kdf-scheme OBJECT IDENTIFIER ::= { iso(1) 356 identified-organization(3) certicom(132) schemes(1) 11(11) 3 } 357 dhSinglePass-cofactorDH-sha224kdf-scheme OBJECT IDENTIFIER ::= { 358 iso(1) identified-organization(3) certicom(132) schemes(1) 359 14(14) 0 } 360 dhSinglePass-cofactorDH-sha256kdf-scheme OBJECT IDENTIFIER ::= { 361 iso(1) identified-organization(3) certicom(132) schemes(1) 362 14(14) 1 } 363 dhSinglePass-cofactorDH-sha384kdf-scheme OBJECT IDENTIFIER ::= { 364 iso(1) identified-organization(3) certicom(132) schemes(1) 365 14(14) 2 } 366 dhSinglePass-cofactorDH-sha512kdf-scheme OBJECT IDENTIFIER ::= { 367 iso(1) identified-organization(3) certicom(132) schemes(1) 368 14(14) 3 } 369 mqvSinglePass-sha224kdf-scheme OBJECT IDENTIFIER ::= { iso(1) 370 identified-organization(3) certicom(132) schemes(1) 15(15) 0 } 371 mqvSinglePass-sha256kdf-scheme OBJECT IDENTIFIER ::= { iso(1) 372 identified-organization(3) certicom(132) schemes(1) 15(15) 1 } 373 mqvSinglePass-sha384kdf-scheme OBJECT IDENTIFIER ::= { iso(1) 374 identified-organization(3) certicom(132) schemes(1) 15(15) 2 } 375 mqvSinglePass-sha512kdf-scheme OBJECT IDENTIFIER ::= { iso(1) 376 identified-organization(3) certicom(132) schemes(1) 15(15) 3 } 378 As specified in RFC 5480 [RFC5480] the NIST-recommended SECP curves 379 are identified by the following OIDs: 381 secp192r1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 382 us(840) ansi-X9-62(10045) curves(3) prime(1) 1 } 383 secp224r1 OBJECT IDENTIFIER ::= { iso(1) 384 identified-organization(3) certicom(132) curve(0) 33 } 385 secp256r1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 386 us(840) ansi-X9-62(10045) curves(3) prime(1) 7 } 387 secp384r1 OBJECT IDENTIFIER ::= { iso(1) 388 identified-organization(3) certicom(132) curve(0) 34 } 389 secp521r1 OBJECT IDENTIFIER ::= { iso(1) 390 identified-organization(3) certicom(132) curve(0) 35 } 392 Specific conventions to be considered are specified in RFC 5753 393 [RFC5753]. 395 The ECDH key agreement algorithm used together with curve25519 or 396 curve448 are identified by the following OIDs: 398 id-X25519 OBJECT IDENTIFIER ::= { iso(1) 399 identified-organization(3) thawte(101) 110 } 400 id-X448 OBJECT IDENTIFIER ::= { iso(1) 401 identified-organization(3) thawte(101) 111 } 403 Specific conventions to be considered are specified in RFC 8418 404 [RFC8418]. 406 4.2. Key Transport Algorithms 408 The key transport algorithm is also referred to as PROT_ENC_ALG in 409 RFC 4210 Appendix D and E [RFC4210] and in the Lightweight CMP 410 Profile [I-D.ietf-lamps-lightweight-cmp-profile]. 412 Key transport algorithms are only used in CMP when using CMS 413 [RFC5652] EnvelopedData together with the key transport key 414 management technique. 416 Key transport algorithm identifiers are located in the EnvelopedData 417 RecipientInfos KeyTransRecipientInfo keyEncryptionAlgorithm field. 419 Key transport encrypted content-encryption keys are located in the 420 EnvelopedData RecipientInfos KeyTransRecipientInfo encryptedKey 421 field. 423 4.2.1. RSA 425 The RSA key transport algorithm is the RSA encryption scheme defined 426 in RFC 8017 [RFC8017]. 428 The algorithm identifier for RSA (PKCS #1 v1.5) is 430 rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) 431 us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 } 433 The algorithm identifier for RSAES-OAEP is: 435 id-RSAES-OAEP OBJECT IDENTIFIER ::= { iso(1) member-body(2) 436 us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 7 } 438 Further conventions to be considered for PKCS #1 v1.5 are specified 439 in RFC 3370 Section 4.2.1 [RFC3370] and for RSAES-OAEP in RFC 3560 440 [RFC3560]. 442 4.3. Symmetric Key-Encryption Algorithms 444 The symmetric key-encryption algorithm is also referred to as 445 PROT_SYM_ALG in RFC 4210 Appendix D and E [RFC4210] and in the 446 Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile]. 448 As symmetric key-encryption key management technique is not used by 449 CMP, the symmetric key-encryption algorithm is only needed when using 450 the key agreement or password-based key management technique with CMS 451 [RFC5652] EnvelopedData. 453 Key-encryption algorithm identifiers are located in the EnvelopedData 454 RecipientInfos KeyAgreeRecipientInfo keyEncryptionAlgorithm and 455 EnvelopedData RecipientInfos PasswordRecipientInfo 456 keyEncryptionAlgorithm fields. 458 Wrapped content-encryption keys are located in the EnvelopedData 459 RecipientInfos KeyAgreeRecipientInfo RecipientEncryptedKeys 460 encryptedKey and EnvelopedData RecipientInfos PasswordRecipientInfo 461 encryptedKey fields. 463 4.3.1. AES Key Wrap 465 The AES encryption algorithm is defined in FIPS Pub 197 466 [NIST.FIPS.197] and the key wrapping is defined in RFC 3394 467 [RFC3394]. 469 AES key encryption has the algorithm identifier: 471 id-aes128-wrap OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 472 country(16) us(840) organization(1) gov(101) csor(3) 473 nistAlgorithm(4) aes(1) 5 } 474 id-aes192-wrap OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 475 country(16) us(840) organization(1) gov(101) csor(3) 476 nistAlgorithm(4) aes(1) 25 } 477 id-aes256-wrap OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 478 country(16) us(840) organization(1) gov(101) csor(3) 479 nistAlgorithm(4) aes(1) 45 } 481 The underlying encryption functions for the key wrap and content- 482 encryption algorithms (as specified in Section 5) and the key sizes 483 for the two algorithms MUST be the same (e.g., AES-128 key wrap 484 algorithm with AES-128 content-encryption algorithm), see also 485 RFC 8551 [RFC8551]. 487 Further conventions to be considered for AES key wrap are specified 488 in RFC 3394 Section 2.2 [RFC3394] and RFC 3565 Section 2.3.2 489 [RFC3565]. 491 4.4. Key Derivation Algorithms 493 Key derivation algorithms are only used in CMP when using CMS 494 [RFC5652] EnvelopedData together with password-based key management 495 technique. 497 Key derivation algorithm identifiers are located in the EnvelopedData 498 RecipientInfos PasswordRecipientInfo keyDerivationAlgorithm field. 500 When using the password-based key management technique with 501 EnvelopedData as specified in CMP Updates together with MAC-based 502 PKIProtection, a different salt MUST be used with the password-based 503 MAC and KDF to ensure usage of different symmetric keys. 505 4.4.1. Password-based Key Derivation Function 2 507 The password-based key derivation function 2 (PBKDF2) is defined in 508 RFC 8018 [RFC8018]. 510 Password-based key derivation function 2 has the algorithm 511 identifier: 513 id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 514 rsadsi(113549) pkcs(1) pkcs-5(5) 12 } 516 Further conventions to be considered for PBKDF2 are specified in 517 RFC 3370 Section 4.4.1 [RFC3370] and RFC 8018 Section 5.2 [RFC8018]. 519 5. Content Encryption Algorithms 521 The content encryption algorithm is also referred to as PROT_SYM_ALG 522 in RFC 4210 Appendix D and E [RFC4210] and in the Lightweight CMP 523 Profile [I-D.ietf-lamps-lightweight-cmp-profile]. 525 Content encryption algorithms are only used in CMP when using CMS 526 [RFC5652] EnvelopedData to transport a signed private key package in 527 case of central key generation or key archiving, a certificate to 528 facilitate implicit prove-of-possession, or a revocation passphrase 529 in encrypted form. 531 Content encryption algorithm identifiers are located in the 532 EnvelopedData EncryptedContentInfo contentEncryptionAlgorithm field. 534 Encrypted content is located in the EnvelopedData 535 EncryptedContentInfo encryptedContent field. 537 5.1. AES-CBC 539 The AES encryption algorithm is defined in FIPS Pub 197 540 [NIST.FIPS.197]. 542 AES-CBC content encryption has the algorithm identifier: 544 id-aes128-CBC OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 545 country(16) us(840) organization(1) gov(101) csor(3) 546 nistAlgorithm(4) aes(1) 2 } 547 id-aes192-CBC OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 548 country(16) us(840) organization(1) gov(101) csor(3) 549 nistAlgorithm(4) aes(1)22 } 550 id-aes256-CBC OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 551 country(16) us(840) organization(1) gov(101) csor(3) 552 nistAlgorithm(4) aes(1)42 } 554 Specific conventions to be considered for AES-CBC content encryption 555 are specified in RFC 3565 [RFC3565]. 557 6. Message Authentication Code Algorithms 559 The message authentication code is either used for shared-secret- 560 based CMP message protection or together with the password-based key 561 derivation function (PBKDF2). 563 The message authentication code algorithm is also referred to as 564 MSG_MAC_ALG in RFC 4210 Appendix D and E [RFC4210] and in the 565 Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile]. 567 6.1. Password-based MAC 569 Password-based MAC algorithms combine the derivation of a symmetric- 570 key from a password and a symmetric-key-based MAC function as 571 specified in Section 6.2 using this derived key. 573 Message authentication code algorithm identifiers are located in the 574 protectionAlg field of PKIHeader. 576 Message authentication code values are located in the PKIProtection 577 field. 579 6.1.1. PasswordBasedMac 581 The PasswordBasedMac algorithm is defined in RFC 4210 Section 5.1.3.1 582 [RFC4210] and Algorithm Requirements Update to the Internet X.509 583 Public Key Infrastructure Certificate Request Message Format (CRMF) 584 [I-D.ietf.lamps-crmf-update-algs]. 586 The PasswordBasedMac algorithm is identified by the following OID: 588 id-PasswordBasedMac OBJECT IDENTIFIER ::= { iso(1) member-body(2) 589 us(840) nt(113533) nsn(7) algorithms(66) 13 } 591 Further conventions to be considered for password-based MAC are 592 specified in RFC 4210 Section 5.1.3.1 [RFC4210] and Algorithm 593 Requirements Update to the Internet X.509 Public Key Infrastructure 594 Certificate Request Message Format (CRMF) 595 [I-D.ietf.lamps-crmf-update-algs]. 597 6.1.2. PBMAC1 599 The password-based message authentication code 1 (PBMAC1) is defined 600 in RFC 8018 [RFC8018]. PBMAC1 combines a password-based key 601 derivation function like PBKDF2 (Section 4.4.1) with an underlying 602 message authentication scheme. 604 PBMAC1 has the following OID: 606 id-PBKDF2 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 607 rsadsi(113549) pkcs(1) pkcs-5(5) 12 } 609 Specific conventions to be considered for PBMAC1 are specified in 610 RFC 8018 Section 7.1 and A.5 [RFC8018]. 612 6.2. Symmetric-key-based MAC 614 Symmetric-key-based MAC algorithms are used for deriving the 615 symmetric encryption key when using PBKDF2 as described in 616 Section 4.4.1. 618 Message authentication code algorithm identifiers are located in the 619 protectionAlg field of PKIHeader, the mac field of PBMParameter, the 620 messageAuthScheme field of PBMAC1, and the prf field of 621 PBKDF2-params. 623 Message authentication code values are located in the PKIProtection 624 field. 626 6.2.1. SHA2-based HMAC 628 The HMAC algorithm is defined in RFC 2104 [RFC2104] and 629 FIPS Pub 198-1 [NIST.FIPS.198-1]. 631 The HMAC algorithm used with SHA2 message digest algorithms is 632 identified by the following OIDs: 634 id-hmacWithSHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 635 us(840) rsadsi(113549) digestAlgorithm(2) 8 } 636 id-hmacWithSHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 637 us(840) rsadsi(113549) digestAlgorithm(2) 9 } 638 id-hmacWithSHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 639 us(840) rsadsi(113549) digestAlgorithm(2) 10 } 640 id-hmacWithSHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) 641 us(840) rsadsi(113549) digestAlgorithm(2) 11 } 643 Specific conventions to be considered for SHA2-based HMAC are 644 specified in RFC 4231 Section 3.1 [RFC4231]. 646 6.2.2. AES-GMAC 648 The AES-GMAC algorithm is defined in FIPS Pub 197 [NIST.FIPS.197] and 649 FIPS SP 800-38d [NIST.SP.800-38d]. 651 The AES-GMAC algorithm is identified by the following OIDs: 653 id-aes128-GMAC OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 654 country(16) us(840) organization(1) gov(101) csor(3) 655 nistAlgorithm(4) aes(1) 9 } 656 id-aes192-GMAC OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 657 country(16) us(840) organization(1) gov(101) csor(3) 658 nistAlgorithm(4) aes(1) 29 } 659 id-aes256-GMAC OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 660 country(16) us(840) organization(1) gov(101) csor(3) 661 nistAlgorithm(4) aes(1) 49 } 663 Specific conventions to be considered for AES-GMAC are specified in 664 [draft-housley-lamps-cms-aes-mac- 665 alg].draft-ietf-lamps-cms-aes-gmac-alg 666 [I-D.ietf.lamps-cms-aes-gmac-alg]. 668 6.2.3. SHAKE-based KMAC 670 The KMAC algorithm is defined in RFC 2104 [RFC2104] and 671 FIPS SP 800-195 [NIST.SP.800-195]. 673 The HMAC algorithm used with SHA2 message digest algorithms is 674 identified by the following OIDs: 676 id-KmacWithSHAKE128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 677 country(16) us(840) organization(1) gov(101) csor(3) 678 nistAlgorithm(4) 2 19 } 679 id-KmacWithSHAKE256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) 680 country(16) us(840) organization(1) gov(101) csor(3) 681 nistAlgorithm(4) 2 20 } 683 Specific conventions to be considered for KMAC with SHAKE are 684 specified in RFC 8702 Section 3.4 [RFC8702]. 686 7. IANA Considerations 688 This document does not request changes to the IANA registry. 690 8. Security Considerations 692 RFC 4210 Appendix D.2 [RFC4210] contains a set of algorithms, 693 mandatory to be supported by conforming implementations. Theses 694 algorithms were appropriate at the time CMP was released, but as 695 cryptographic algorithms weaken over time, some of them should not be 696 used anymore. In general, new attacks are emerging due to research 697 cryptoanalysis or increase in computing power. New algorithms were 698 introduced that are more resistant to today's attacks. 700 This document lists many cryptographic algorithms usable with CMP to 701 offer implementers a more up to date choice. Finally, the algorithms 702 to be supported also heavily depend on the utilized certificates in 703 the target environment. 705 In the appendix of this document there is also an update to the 706 Appendix D.2 of RFC 4210 [RFC4210] and a set of algorithms to be 707 supported when implementing the Lightweight CMP Profile 708 [I-D.ietf-lamps-lightweight-cmp-profile]. 710 To keep the list of algorithms to be used with CMP up to date and to 711 enlist secure algorithms resisting known attack scenarios, future 712 algorithms should be added and weakened algorithms should be 713 deprecated. 715 9. Acknowledgements 717 Thanks to Russ Housley for supporting this draft with submitting 718 [I-D.ietf.lamps-cms-aes-gmac-alg] and 719 [I-D.ietf.lamps-crmf-update-algs]. 721 May thanks also to all reviewers like John Gray, Mark Ferreira, 722 Yuefei Lu, Tomas Gustavsson, Lijun Liao, David von Oheimb and Steffen 723 Fries for their input and feedback to this document. Apologies to 724 all not mentioned reviewers and supporters. 726 10. Normative References 728 [I-D.ietf-lamps-cmp-updates] 729 Brockhaus, H., "CMP Updates", Work in Progress, Internet- 730 Draft, draft-ietf-lamps-cmp-updates-06, 2 November 2020, 731 . 734 [I-D.ietf.lamps-cms-aes-gmac-alg] 735 Housley, R., "Using the AES-GMAC Algorithm with the 736 Cryptographic Message Syntax (CMS)", Work in Progress, 737 Internet-Draft, draft-ietf-lamps-cms-aes-gmac-alg-00, 2 738 December 2020, . 741 [I-D.ietf.lamps-crmf-update-algs] 742 Housley, R., "Algorithm Requirements Update to the 743 Internet X.509 Public Key Infrastructure Certificate 744 Request Message Format (CRMF)", Work in Progress, 745 Internet-Draft, draft-ietf-lamps-crmf-update-algs-00, 10 746 December 2020, . 749 [NIST.FIPS.180-4] 750 Dang, Quynh H., "Secure Hash Standard", NIST NIST FIPS 751 180-4, DOI 10.6028/NIST.FIPS.180-4, July 2015, 752 . 755 [NIST.FIPS.186-4] 756 National Institute of Standards and Technology (NIST), 757 "Digital Signature Standard (DSS)", NIST NIST FIPS 186-4, 758 DOI 10.6028/NIST.FIPS.186-4, July 2013, 759 . 762 [NIST.FIPS.186-5] 763 National Institute of Standards and Technology (NIST), 764 "FIPS Pub 186-5 (Draft): Digital Signature Standard 765 (DSS)", October 2019, 766 . 769 [NIST.FIPS.197] 770 National Institute of Standards and Technology (NIST), 771 "Advanced encryption standard (AES)", NIST NIST FIPS 197, 772 DOI 10.6028/NIST.FIPS.197, November 2001, 773 . 776 [NIST.FIPS.198-1] 777 National Institute of Standards and Technology (NIST), 778 "The Keyed-Hash Message Authentication Code (HMAC)", 779 NIST NIST FIPS 198-1, DOI 10.6028/NIST.FIPS.198-1, July 780 2008, . 783 [NIST.FIPS.202] 784 Dworkin, Morris J., "SHA-3 Standard: Permutation-Based 785 Hash and Extendable-Output Functions", NIST NIST FIPS 202, 786 DOI 10.6028/NIST.FIPS.202, July 2015, 787 . 790 [NIST.SP.800-195] 791 O'Reilly, Patrick., Rigopoulos, Kristina., Feldman, 792 Larry., and Greg. Witte, "2016 NIST/ITL cybersecurity 793 program: annual report", NIST NIST SP 800-195, 794 DOI 10.6028/NIST.SP.800-195, September 2017, 795 . 798 [NIST.SP.800-38d] 799 Dworkin, M J., "Recommendation for block cipher modes of 800 operation :GaloisCounter Mode (GCM) and GMAC", NIST NIST 801 SP 800-38d, DOI 10.6028/NIST.SP.800-38d, 2007, 802 . 805 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- 806 Hashing for Message Authentication", RFC 2104, 807 DOI 10.17487/RFC2104, February 1997, 808 . 810 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 811 Requirement Levels", BCP 14, RFC 2119, 812 DOI 10.17487/RFC2119, March 1997, 813 . 815 [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", 816 RFC 2631, DOI 10.17487/RFC2631, June 1999, 817 . 819 [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) 820 Algorithms", RFC 3370, DOI 10.17487/RFC3370, August 2002, 821 . 823 [RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard 824 (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394, 825 September 2002, . 827 [RFC3560] Housley, R., "Use of the RSAES-OAEP Key Transport 828 Algorithm in Cryptographic Message Syntax (CMS)", 829 RFC 3560, DOI 10.17487/RFC3560, July 2003, 830 . 832 [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES) 833 Encryption Algorithm in Cryptographic Message Syntax 834 (CMS)", RFC 3565, DOI 10.17487/RFC3565, July 2003, 835 . 837 [RFC4056] Schaad, J., "Use of the RSASSA-PSS Signature Algorithm in 838 Cryptographic Message Syntax (CMS)", RFC 4056, 839 DOI 10.17487/RFC4056, June 2005, 840 . 842 [RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen, 843 "Internet X.509 Public Key Infrastructure Certificate 844 Management Protocol (CMP)", RFC 4210, 845 DOI 10.17487/RFC4210, September 2005, 846 . 848 [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure 849 Certificate Request Message Format (CRMF)", RFC 4211, 850 DOI 10.17487/RFC4211, September 2005, 851 . 853 [RFC4231] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA- 854 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", 855 RFC 4231, DOI 10.17487/RFC4231, December 2005, 856 . 858 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 859 RFC 5652, DOI 10.17487/RFC5652, September 2009, 860 . 862 [RFC5753] Turner, S. and D. Brown, "Use of Elliptic Curve 863 Cryptography (ECC) Algorithms in Cryptographic Message 864 Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January 865 2010, . 867 [RFC5754] Turner, S., "Using SHA2 Algorithms with Cryptographic 868 Message Syntax", RFC 5754, DOI 10.17487/RFC5754, January 869 2010, . 871 [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, 872 "PKCS #1: RSA Cryptography Specifications Version 2.2", 873 RFC 8017, DOI 10.17487/RFC8017, November 2016, 874 . 876 [RFC8018] Moriarty, K., Ed., Kaliski, B., and A. Rusch, "PKCS #5: 877 Password-Based Cryptography Specification Version 2.1", 878 RFC 8018, DOI 10.17487/RFC8018, January 2017, 879 . 881 [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital 882 Signature Algorithm (EdDSA)", RFC 8032, 883 DOI 10.17487/RFC8032, January 2017, 884 . 886 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 887 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 888 May 2017, . 890 [RFC8418] Housley, R., "Use of the Elliptic Curve Diffie-Hellman Key 891 Agreement Algorithm with X25519 and X448 in the 892 Cryptographic Message Syntax (CMS)", RFC 8418, 893 DOI 10.17487/RFC8418, August 2018, 894 . 896 [RFC8419] Housley, R., "Use of Edwards-Curve Digital Signature 897 Algorithm (EdDSA) Signatures in the Cryptographic Message 898 Syntax (CMS)", RFC 8419, DOI 10.17487/RFC8419, August 899 2018, . 901 [RFC8702] Kampanakis, P. and Q. Dang, "Use of the SHAKE One-Way Hash 902 Functions in the Cryptographic Message Syntax (CMS)", 903 RFC 8702, DOI 10.17487/RFC8702, January 2020, 904 . 906 11. Informative References 908 [ECRYPT.CSA.D5.4] 909 University of Bristol, "Algorithms, Key Size and Protocols 910 Report (2018)", March 2015, 911 . 914 [I-D.ietf-lamps-lightweight-cmp-profile] 915 Brockhaus, H., Fries, S., and D. Oheimb, "Lightweight CMP 916 Profile", Work in Progress, Internet-Draft, draft-ietf- 917 lamps-lightweight-cmp-profile-04, 2 November 2020, 918 . 921 [NIST.SP.800-57pt1r5] 922 Barker, Elaine., "Recommendation for key management:part 1 923 - general", NIST NIST SP 800-57pt1r5, 924 DOI 10.6028/NIST.SP.800-57pt1r5, May 2020, 925 . 928 [RFC8551] Schaad, J., Ramsdell, B., and S. Turner, "Secure/ 929 Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 930 Message Specification", RFC 8551, DOI 10.17487/RFC8551, 931 April 2019, . 933 Appendix A. Algorithm Use Profiles 935 This appendix provides profiles of algorithms and respective 936 conventions for different application use cases. 938 A.1. Algorithm selection guideline 940 To promote interoperability, based on the recommendations of NIST 941 SP 800-57 Recommendation for Key Management [NIST.SP.800-57pt1r5] and 942 ECRYPT Algorithms, Key Size and Protocols Report (2018) 943 [ECRYPT.CSA.D5.4], the following choices are RECOMMENDED: 945 < To be done. > 947 A.2. Algorithm Profile for PKI Management Message Profiles 949 The following table contains definitions of algorithms used within 950 PKI Management Message Profiles as defined in CMP Appendix D.2 951 [RFC4210]. 953 The columns in the table are: 955 Name: an identifier used for message profiles 957 Use: description of where and for what the algorithm is used 959 Mandatory: algorithms which MUST be supported by conforming 960 implementations 961 +==============+=================================+==================+ 962 | Name | Use | Mandatory | 963 +==============+=================================+==================+ 964 | MSG_SIG_ALG | protection of PKI messages | RSA | 965 | | using signature | | 966 +--------------+---------------------------------+------------------+ 967 | MSG_MAC_ALG | protection of PKI messages | PasswordBasedMac | 968 | | using MACing | | 969 +--------------+---------------------------------+------------------+ 970 | SYM_PENC_ALG | symmetric encryption of an | AES-wrap | 971 | | end entity's private key | | 972 | | where symmetric key is | | 973 | | distributed out-of-band | | 974 +--------------+---------------------------------+------------------+ 975 | PROT_ENC_ALG | asymmetric algorithm used for | D-H | 976 | | encryption of (symmetric keys | | 977 | | for encryption of) private | | 978 | | keys transported in | | 979 | | PKIMessages | | 980 +--------------+---------------------------------+------------------+ 981 | PROT_SYM_ALG | symmetric encryption | AES | 982 | | algorithm used for encryption | | 983 | | of private key bits (a key of | | 984 | | this type is encrypted using | | 985 | | PROT_ENC_ALG) | | 986 +--------------+---------------------------------+------------------+ 988 Table 1 990 Mandatory Algorithm Identifiers and Specifications: 992 RSA: sha256WithRSAEncryption with 2048 bit, see Section 3.1 994 PasswordBasedMac: id-PasswordBasedMac, see Section 6.1 (with id- 995 sha256 as the owf parameter, see Section 2.1 and id-hmacWithSHA256 as 996 the mac parameter, see Section 6.2.1) 998 D-H: id-alg-ESDH, see Section 4.1.1 1000 AES-wrap: id-aes256-wrap, see Section 4.3.1 1002 AES: id-aes256-CBC, see Section 5.1 1004 < To be checked. > 1006 A.3. Algorithm Profile for Lightweight CMP Profile 1008 The following table contains definitions of algorithms which MUST be 1009 supported by conforming implementations This profile is referenced in 1010 the Lightweight CMP Profile [I-D.ietf-lamps-lightweight-cmp-profile]. 1012 The columns in the table are: 1014 Name: an identifier used for message profiles 1016 Use: description of where and for what the algorithm is used 1018 Mandatory: algorithms which MUST be supported by conforming 1019 implementations (only if a PKI management operation using the 1020 respective algorithms is supported) 1021 +==============+==============================+==================+ 1022 | Name | Use | Mandatory | 1023 +==============+==============================+==================+ 1024 | MSG_SIG_ALG | protection of PKI messages | RSA, ECDSA | 1025 | | using signature | | 1026 +--------------+------------------------------+------------------+ 1027 | MSG_MAC_ALG | protection of PKI messages | PasswordBasedMac | 1028 | | using MACing | | 1029 +--------------+------------------------------+------------------+ 1030 | KM_KA_ALG | asymmetric key agreement | D-H, ECDH | 1031 | | algorithm used for agreement | | 1032 | | of a symmetric keys for | | 1033 | | encryption of EnvelopedData, | | 1034 | | e.g., a private key | | 1035 | | transported in PKIMessages | | 1036 +--------------+------------------------------+------------------+ 1037 | KM_KT_ALG | asymmetric key encryption | RSA | 1038 | | algorithm used for transport | | 1039 | | of a symmetric keys for | | 1040 | | encryption of EnvelopedData, | | 1041 | | e.g., a private key | | 1042 | | transported in PKIMessages | | 1043 +--------------+------------------------------+------------------+ 1044 | KM_PB_ALG | symmetric derivation | PBKDF2 | 1045 | | algorithm used to derive a | | 1046 | | symmetric key for encryption | | 1047 | | of EnvelopedData, e.g., a | | 1048 | | private key transported in | | 1049 | | PKIMessages, from a password | | 1050 +--------------+------------------------------+------------------+ 1051 | KM_KW_ALG | symmetric key encryption | AES-wrap | 1052 | | algorithm to encrypt a | | 1053 | | content encryption key | | 1054 +--------------+------------------------------+------------------+ 1055 | PROT_SYM_ALG | symmetric content encryption | AES | 1056 | | algorithm used for | | 1057 | | encryption of, e.g., private | | 1058 | | key bits (a key of this type | | 1059 | | is encrypted using | | 1060 | | PROT_ENC_ALG) | | 1061 +--------------+------------------------------+------------------+ 1063 Table 2 1065 Mandatory Algorithm Identifiers and Specifications: 1067 RSA: sha256WithRSAEncryption with 2048 bit, see Section 3.1 1068 ECDSA: ecdsa-with-SHA256 with curve SECP-256, see Section 3.2 1070 PasswordBasedMac: id-PasswordBasedMac, see Section 6.1 (with id- 1071 sha256 as the owf parameter, see Section 2.1 and id-hmacWithSHA256 as 1072 the mac parameter, see Section 6.2.1) 1074 D-H: id-alg-ESDH, see Section 4.1.1 1076 ECDH: dhSinglePass-stdDH-sha256kdf-scheme, see Section 4.1.2 1078 RSA: rsaEncryption with 2048 bit, see Section 4.2.1 1080 PBKDF2: id-PBKDF2, see Section 4.4.1 1082 AES-wrap: id-aes256-wrap, see Section 4.3.1 1084 AES: id-aes256-CBC, see Section 5.1 1086 < To be checked. > 1088 Appendix B. History of changes 1090 Note: This appendix will be deleted in the final version of the 1091 document. 1093 From version 01 -> 02: 1095 * Added Hans Aschauer, Mike Ounsworth, and Serge Mister as co-author 1097 * Changed to XML V3 1099 * Added SHAKE digest algorithm to Section 2 as discussed at IETF 109 1101 * Deleted DSA from Section 3 as discussed at IETF 109 1103 * Added RSASSA-PSS with SHAKE to Section 3 1105 * Added SECP curves the section on ECDSA with SHA2, ECDSA with 1106 SHAKE, and EdDSA to Section 3 as discussed at IETF 109 1108 * Deleted static-static D-H and ECDH from Section 4.1 based on the 1109 discussion on the mailing list (see thread "[CMP Algorithms] 1110 Section 4.1.1 and 4.1.2 drop static-static (EC)DH key agreement 1111 algorithms for use in CMP") 1113 * Added ECDH OIDs and SECP curves, as well as ECDH with curve25519 1114 and curve448 to Section 4.1 as discussed at IETF 109 1116 * Deleted RSA-OAEP from Section 4.2 first as discussed at IETF 109, 1117 but re-added it after discussion on the mailing list (see thread 1118 "Mail regarding draft-ietf-lamps-cmp-algorithms") 1120 * Added a paragraph to Section 4.3.1 to explain that the algorithms 1121 and key length for content encryption and key wrapping must be 1122 aligned as discussed on the mailing list (see thread "[CMP 1123 Algorithms] Use Key-Wrap with or without padding in Section 4.3 1124 and Section 5") 1126 * Deleted AES-CCM and AES-GMC from and added AES-CBC to Section 5 as 1127 discussed at IETF 109 1129 * Added Section 6.1.2 to offer PBMAC1 as discusses on the mailing 1130 list (see thread "Mail regarding draft-ietf-lamps-crmf-update- 1131 algs-02") and restructured text in Section 6 to be easier to 1132 differentiate between password- and shared-key-based MAC 1134 * Deleted Diffie-Hellmann based MAC from Section 6 as is only 1135 relevant when using enrolling Diffie-Hellmann certificates 1137 * Added AES-GMAC and SHAKE-based KMAC to Section 6 as discussed at 1138 IETF 109 1140 * Extended Section 9 to mention Russ supporting with two additional 1141 I-Ds and name further supporters of the draft 1143 * Added a first draft of a generic algorithm selection guideline to 1144 Appendix A 1146 * Added a first proposal for mandatory algorithms for the 1147 Lightweight CMP Profile to Appendix A 1149 * Minor changes in wording 1151 From version 00 -> 01: 1153 * Changed sections Symmetric Key-Encryption Algorithms and Content 1154 Encryption Algorithms based on the discussion on the mailing list 1155 (see thread "[CMP Algorithms] Use Key-Wrap with or without padding 1156 in Section 4.3 and Section 5") 1158 * Added Appendix A with updated algorithms profile for RDC4210 1159 Appendix D.2 and first proposal for the Lightweight CMP Profile 1161 * Minor changes in wording 1163 Authors' Addresses 1165 Hendrik Brockhaus (editor) 1166 Siemens AG 1168 Email: hendrik.brockhaus@siemens.com 1170 Hans Aschauer 1171 Siemens AG 1173 Email: hans.aschauer@siemens.com 1175 Mike Ounsworth 1176 Entrust 1178 Email: mike.ounsworth@entrust.com 1180 Serge Mister 1181 Entrust 1183 Email: serge.mister@entrust.com