idnits 2.17.1

draft-ietf-pkix-ecc-subpubkeyinfo-05.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 16.

  -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
     line 1642.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1653.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1660.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1666.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 6 instances of lines with non-RFC6890-compliant IPv4 addresses
     in the document.  If these are example addresses, they should be changed.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  -- The first octets (the first characters of the first line) of this draft
     are 'PK', which can make Internet Explorer erroneously think that it is a
     zip file.  It is recommended that you change this, for instance by
     inserting a blank line before the line starting with 'PK'.

  == The copyright year in the IETF Trust Copyright Line does not match the
     current year

     (Using the creation date from RFC3279, updated by this document, for
     RFC5378 checks: 2000-07-21)

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (April 16, 2008) is 5847 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 3280 (Obsoleted by RFC 5280)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SHS'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SEC1'

     Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 10 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

PKIX WG                                                  Sean Turner, IECA
Internet Draft                                       Daniel Brown, Certicom
Intended Status: Standards Track                       Kelvin Yiu, Microsoft
Updates: 3279 (once approved)                   Russ Housley, Vigil Security
Expires: October 16, 2008                                   Tim Polk, NIST
                                                             April 16, 2008

        Elliptic Curve Cryptography Subject Public Key Information
                 draft-ietf-pkix-ecc-subpubkeyinfo-05.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on October 16, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2008).

Abstract

   This document specifies the syntax and semantics for the Subject
   Public Key Information field in certificates that support Elliptic
   Curve Cryptography.  This document updates RFC 3279.

Table of Contents

   1. Introduction...................................................2
      1.1. Terminology...............................................3
   2. Subject Public Key Information Fields..........................3
      2.1. Elliptic Curve Cryptography Public Key
           Algorithm Identifiers.....................................4
         2.1.1. Unrestricted Identifiers and Parameters..............5
            2.1.1.1. Named Curve.....................................6
            2.1.1.2. Specified Curve.................................7
               2.1.1.2.1. Specified Curve Version....................8
               2.1.1.2.2. Field Identifiers..........................9
                  2.1.1.2.2.1. Prime-p..............................10
                  2.1.1.2.2.2. Characteristic-two...................10
               2.1.1.2.3. Curve.....................................12
               2.1.1.2.4. Base......................................12
               2.1.1.2.5. Hash......................................13
         2.1.2. Restricted Algorithm Identifiers and Parameters.....14
      2.2. Subject Public Key.......................................15
   3. KeyUsage Bits.................................................16
   4. Security Considerations.......................................16
   5. IANA Considerations...........................................16
   6. References....................................................17
      6.1. Normative References.....................................17
      6.2. Informative References...................................17
   Appendix A. ASN.1 Modules........................................18
      Appendix A.1. 1988 ASN.1 Module...............................18
      Appendix A.2. 2004 ASN.1 Module...............................26

1. Introduction

   This document specifies the format of the subjectPublicKeyInfo field
   in X.509 certificates [RFC3280] that use Elliptic Curve Cryptography
   (ECC).  It updates [RFC3279].  This document specifies the encoding
   formats for public keys used with the following ECC algorithms:

      Elliptic Curve Digital Signature Algorithm (ECDSA);

      Elliptic Curve Diffie-Hellman (ECDH) family schemes; and,

      Elliptic Curve Menezes-Qu-Vanstone (ECMQV) family schemes.

   Two methods for specifying the algorithms that can be used with the
   subjectPublicKey are defined.  One method does not restrict the
   algorithms the key can be used with while the other method does
   restrict the algorithms the key can be used with.  To promote
   interoperability, this document indicates which is required to
   implement.

   Three methods for specifying the algorithm's parameters are also
   defined.  One allows for complete specification of the Elliptic Curve
   (EC), one allows for the EC to be identified by an object identifier,
   and one allows for the EC to be inherited from the issuer's
   certificate.  To promote interoperability, this document indicates
   which options are required to implement.

   Specification of all EC parameters is complicated with many options.
   To promote interoperability, this document indicates which options
   are required to implement.
1.1. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2. Subject Public Key Information Fields

   In the X.509 certificate, the subjectPublicKeyInfo field has the
   SubjectPublicKeyInfo type, which has the following ASN.1 syntax:

      SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm         AlgorithmIdentifier {{PKAlgorithms}},
        subjectPublicKey  BIT STRING
      }

   The fields in SubjectPublicKeyInfo have the following meanings:

      algorithm is the algorithm identifier and algorithm parameters
      for the ECC public key.  See paragraph 2.1.

      subjectPublicKey is the ECC public key.  See paragraph 2.2.

   The class ALGORITHM parameterizes the AlgorithmIdentifier type with
   sets of legal values (this class is used in many places in this
   document):

      ALGORITHM ::= CLASS {
        &id    OBJECT IDENTIFIER UNIQUE,
        &Type  OPTIONAL
      }
      WITH SYNTAX { OID &id [PARMS &Type] }

   The type AlgorithmIdentifier is parameterized to allow legal sets of
   values to be specified by constraining the type with an information
   object set.  There are two such object sets for AlgorithmIdentifier
   defined in this document: PKAlgorithms (see paragraph 2.1) and
   CurveHashFunctions (see paragraph 2.1.1.2.5).

      AlgorithmIdentifier {ALGORITHM:IOSet} ::= SEQUENCE {
        algorithm   ALGORITHM.&id({IOSet}),
        parameters  ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
      }

   The fields in AlgorithmIdentifier have the following meaning:

      algorithm identifies a cryptographic algorithm.  The OBJECT
      IDENTIFIER component identifies the algorithm.  The contents of
      the optional parameters field will vary according to the
      algorithm identified.

      parameters, which is optional, varies based on the algorithm
      identified.
2.1. Elliptic Curve Cryptography Public Key Algorithm Identifiers

   The algorithm field in the SubjectPublicKeyInfo structure indicates
   the algorithms and any associated parameters for the ECC public key
   (see paragraph 2.2).  The algorithms are restricted to the
   PKAlgorithms parameterized type, which uses the following ASN.1
   structure:

      PKAlgorithms ALGORITHM ::= {
        pk-ec |
        pk-ecDH |
        pk-ecMQV,
        ...  -- Extensible
      }

   The algorithms defined are as follows:

      pk-ec indicates that the algorithms that can be used with the
      subject public key are not restricted (i.e., they are
      unrestricted).  The key is only restricted by the values
      indicated in the key usage certificate extension.  The pk-ec
      CHOICE MUST be supported.  See paragraph 2.1.1.  This value is
      also used when a key is used with ECDSA.

      pk-ecDH and pk-ecMQV MAY be supported.  See paragraph 2.1.2.

2.1.1. Unrestricted Identifiers and Parameters

   The "unrestricted" algorithm is defined as follows:

      pk-ec ALGORITHM ::= {
        OID id-ecPublicKey PARMS ECParameters }

   The algorithm identifier is:

      id-ecPublicKey OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

   The parameters for id-ecPublicKey are as follows and they MUST always
   be present:

      ECParameters ::= CHOICE {
        namedCurve      CURVE.&id({NamedCurve}),
        specifiedCurve  SpecifiedCurve,
        implicitCurve   NULL
      }

   The fields in ECParameters have the following meanings:

      namedCurve allows all the required values for a particular set of
      elliptic curve domain parameters to be represented by an object
      identifier.  This choice MUST be supported.  See paragraph
      2.1.1.1.

      specifiedCurve allows all of the required values to be explicitly
      specified.  This choice MAY be supported, and if it is,
      implicitCurve MUST also be supported.  See paragraph 2.1.1.2.
      implicitCurve allows the elliptic curve parameters to be
      inherited from the issuer's certificate.  This choice MAY be
      supported, but if subordinate certificates use the same
      namedCurve as their superior, then the subordinate certificate
      MUST use the namedCurve option.  That is, implicitCurve is only
      supported if the superior doesn't use the namedCurve option.

2.1.1.1. Named Curve

   The namedCurve field in ECParameters uses the class CURVE to
   constrain the set of legal values from NamedCurve, which are object
   identifiers:

      CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE }
        WITH SYNTAX { ID &id }

   The NamedCurve parameterized type is defined as follows:

      NamedCurve CURVE ::= {
        { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
        { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
        { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
        { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
        { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
        ...  -- Extensible
      }

   The curve identifiers are the fifteen NIST recommended curves:

      -- Note in ANSI X9.62 the curves are referred to as 'ansiX9' as
      -- opposed to 'sec'.  For example secp192r1 is the same curve as
      -- ansix9p192r1.

      -- Note that in RFC 3279 the secp192r1 curve was referred to as
      -- prime192v1 and the secp256r1 curve was referred to as
      -- prime256v1.
      secp192r1 OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
        prime(1) 1 }

      sect163k1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 1 }

      sect163r2 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 15 }

      secp224r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 33 }

      sect233k1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 26 }

      sect233r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 27 }

      secp256r1 OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
        prime(1) 7 }

      sect283k1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 16 }

      sect283r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 17 }

      secp384r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 34 }

      sect409k1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 36 }

      sect409r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 37 }

      secp521r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 35 }

      sect571k1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 38 }

      sect571r1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) curve(0) 39 }

2.1.1.2. Specified Curve

   The specifiedCurve field in ECParameters is of SpecifiedCurve type.
   SpecifiedCurve uses the following ASN.1 structure:

      SpecifiedCurve ::= SEQUENCE {
        version   SpecifiedCurveVersion
                    ( ecpVer1 | ecpVer2 | ecpVer3, ... ),
        fieldID   FieldID {{FieldTypes}},
        curve     Curve,              -- Curve E
        base      ECPoint,            -- Base point P
        order     INTEGER,            -- Order n of the base point
        cofactor  INTEGER OPTIONAL,   -- The integer h = #E(Fq)/n
        hash      HashAlgorithm OPTIONAL,
        ...  -- Extensible
      }

   The fields in SpecifiedCurve have the following meaning:

      version specifies the version number of the elliptic curve
      parameters.  See paragraph 2.1.1.2.1.

      fieldID identifies the finite field over which the elliptic
      curve, specified in the curve field, is defined.  See paragraph
      2.1.1.2.2.

      curve specifies the elliptic curve E.  See paragraph 2.1.1.2.3.

      base specifies the base point P on the elliptic curve E,
      specified in the curve field.  See paragraph 2.1.1.2.4.

      order specifies the order n of the base point P, specified in
      base.

      cofactor is the order of the curve, specified in the curve field,
      divided by the order, specified in the order field, of the base
      point, specified in the base field (i.e., h = #E(Fq)/n).
      Inclusion of the cofactor is optional; however, it is strongly
      RECOMMENDED that the cofactor be included in order to
      facilitate interoperability between implementations.

      hash is the hash algorithm used to generate the elliptic curve E,
      specified in the curve field, and/or base point P, specified in
      the base field, verifiably pseudorandomly.  If the hash field is
      omitted, then the hash algorithm shall be SHA1.  See paragraph
      2.1.1.2.5.

   SpecifiedCurve is extensible.  Extending SpecifiedCurve with new
   fields or defining a new version number MUST be coordinated with the
   ANSI X9.62 WG.

2.1.1.2.1. Specified Curve Version

   The version field in SpecifiedCurve is of SpecifiedCurveVersion type.
   SpecifiedCurveVersion uses the following ASN.1 structure:

      SpecifiedCurveVersion ::= INTEGER {
        ecpVer1(1),
        ecpVer2(2),
        ecpVer3(3)
      }

   SpecifiedCurveVersion is ecpVer1, ecpVer2, or ecpVer3.  If version
   is ecpVer1, then the elliptic curve may or may not be generated
   verifiably pseudorandomly according to whether curve.seed (see
   paragraph 2.1.1.2.3) is present, and the base point P (see paragraph
   2.1.1.2.4) is not generated verifiably pseudorandomly.  If version is
   ecpVer2, then the curve and the base point P shall be generated
   verifiably pseudorandomly, and curve.seed shall be present.  If
   version is ecpVer3, then the curve is not generated verifiably
   pseudorandomly but the base point P shall be generated verifiably
   pseudorandomly from curve.seed, which shall be present.

   Implementations of this document MUST support ecpVer1.

2.1.1.2.2. Field Identifiers

   The fieldID field in SpecifiedCurve is of FieldID type.  Finite
   fields are represented by values of the parameterized type FieldID,
   constrained to the values of the objects defined in the information
   object set FieldTypes.

   The type FIELD-ID is defined by the following:

      FIELD-ID ::= TYPE-IDENTIFIER

   The FieldID parameterized type is defined as follows:

      FieldID { FIELD-ID:IOSet } ::= SEQUENCE {
        fieldType   FIELD-ID.&id({IOSet}),
        parameters  FIELD-ID.&Type({IOSet}{@fieldType})
      }

   Field types are given in the following information object set:

      FieldTypes FIELD-ID ::= {
        { Prime-p IDENTIFIED BY prime-field } |
        { Characteristic-two IDENTIFIED BY characteristic-two-field },
        ...  -- Extensible
      }

   Two FieldTypes are defined herein: prime-p (see paragraph
   2.1.1.2.2.1) and characteristic-two (see paragraph 2.1.1.2.2.2).
   Implementations claiming conformance to this specification MUST
   support the prime-p field type and MAY support the characteristic-two
   field type.
   FieldTypes is extensible, and other documents can specify
   additional values for FieldTypes.

2.1.1.2.2.1. Prime-p

   A prime finite field is specified in FieldID.fieldType by the
   following object identifier:

      prime-field OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(1) 1 }

   The prime finite field parameters specified in FieldID.parameters
   have the following ASN.1 structure:

      Prime-p ::= INTEGER

   Prime-p is an integer which is the size of the field.

2.1.1.2.2.2. Characteristic-two

   A characteristic-two finite field is specified in FieldID.fieldType
   by the following object identifier:

      characteristic-two-field OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(1) 2 }

   The characteristic-two finite field parameters specified in
   FieldID.parameters have the following ASN.1 structure:

      Characteristic-two ::= SEQUENCE {
        m           INTEGER,     -- Field size 2^m
        basis       CHARACTERISTIC-TWO.&id({BasisTypes}),
        parameters  CHARACTERISTIC-TWO.&Type({BasisTypes}{@basis})
      }

   The fields in Characteristic-two have the following meanings:

      m is the size of the field.

      basis is the type of basis used to express elements of the field.

      parameters is the polynomial used to generate the field.  The
      parameters vary based on the basis.

   The type CHARACTERISTIC-TWO is defined by the following:

      CHARACTERISTIC-TWO ::= TYPE-IDENTIFIER

   The characteristic-two field basis types are given in the following
   information object set:

      BasisTypes CHARACTERISTIC-TWO ::= {
        { NULL IDENTIFIED BY gnBasis } |
        { Trinomial IDENTIFIED BY tpBasis } |
        { Pentanomial IDENTIFIED BY ppBasis },
        ...  -- Extensible
      }

   Three basis types are defined herein: normal bases, trinomial bases,
   and pentanomial bases.
   Implementations claiming conformance to this document MUST support
   normal basis and MAY support trinomial and pentanomial bases.
   BasisTypes is extensible, and other documents can specify additional
   values for BasisTypes.

   Normal bases are specified in the basis field by the object
   identifier:

      gnBasis OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(2)
        characteristic-two-basis(2) 1 }

   A normal base has NULL parameters.

   A trinomial base specifies the degree of the middle term in the
   defining trinomial.  A trinomial base is identified in the basis
   field by the object identifier:

      tpBasis OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(2)
        characteristic-two-basis(2) 2 }

   A trinomial base has the following parameters:

      Trinomial ::= INTEGER

   A pentanomial base specifies the degrees of the three middle terms in
   the defining pentanomial.  A pentanomial base is identified in the
   basis field by the object identifier:

      ppBasis OBJECT IDENTIFIER ::= {
        iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(2)
        characteristic-two-basis(2) 3 }

   A pentanomial base has the following parameters:

      Pentanomial ::= SEQUENCE {
        k1  INTEGER,   -- k1 > 0
        k2  INTEGER,   -- k2 > k1
        k3  INTEGER    -- k3 > k2
      }

2.1.1.2.3. Curve

   The curve field in SpecifiedCurve is of Curve type.  Curve uses the
   following ASN.1 structure:

      Curve ::= SEQUENCE {
        a     FieldElement,
        b     FieldElement,
        seed  BIT STRING OPTIONAL
          -- Shall be present if used in SpecifiedCurve
          -- with version of ecpVer2 or ecpVer3
      }

      FieldElement ::= OCTET STRING

   The fields in Curve have the following meanings:

      a and b are the coefficients a and b, respectively, of the
      elliptic curve E.  Each coefficient, a and b, shall be represented
      as a value of type FieldElement.
      Conversion routines for field element to octet string are found
      in [SEC1].

      seed is an optional parameter that is used to derive the
      coefficients of a randomly generated elliptic curve.  seed MUST
      be present if SpecifiedCurve.version is either ecpVer2 or
      ecpVer3.

2.1.1.2.4. Base

   The base field in SpecifiedCurve is of ECPoint type.  ECPoint uses
   the following ASN.1 syntax:

      ECPoint ::= OCTET STRING

   The contents of ECPoint is the octet string representation of an
   elliptic curve point.  Conversion routines for point to octet string
   are found in [SEC1].  Note that these octet strings may represent an
   elliptic curve point in compressed or uncompressed form.
   Implementations that support elliptic curves according to this
   document MUST support the uncompressed form and MAY support the
   compressed form.

2.1.1.2.5. Hash

   The hash field in SpecifiedCurve is of HashAlgorithm type.
   HashAlgorithm uses the following ASN.1 syntax:

      HashAlgorithm ::= AlgorithmIdentifier {{CurveHashFunctions}}

   HashAlgorithm is restricted to the CurveHashFunctions information
   object set, which uses the following ASN.1 structure:

      CurveHashFunctions ALGORITHM ::= {
        ow-sha1 |
        ow-sha224 |
        ow-sha256 |
        ow-sha384 |
        ow-sha512,
        ...  -- Extensible
      }

   SHA1 [SHS] is defined as follows:

      ow-sha1 ALGORITHM ::= {
        OID id-sha1 PARMS NULL }

   It has the following object identifier:

      id-sha1 OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) oiw(14) secsig(3)
        algorithm(2) 26 }

   SHA224 [SHS] is defined as follows:

      ow-sha224 ALGORITHM ::= {
        OID id-sha224 PARMS NULL }

   It has the following object identifier:

      id-sha224 OBJECT IDENTIFIER ::= {
        joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
        csor(3) nistalgorithm(4) hashalgs(2) 4 }

   SHA256 [SHS] is defined as follows:

      ow-sha256 ALGORITHM ::= {
        OID id-sha256 PARMS NULL }

   It has the following object identifier:

      id-sha256 OBJECT IDENTIFIER ::= {
        joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
        csor(3) nistalgorithm(4) hashalgs(2) 1 }

   SHA384 [SHS] is defined as follows:

      ow-sha384 ALGORITHM ::= {
        OID id-sha384 PARMS NULL }

   It has the following object identifier:

      id-sha384 OBJECT IDENTIFIER ::= {
        joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
        csor(3) nistalgorithm(4) hashalgs(2) 2 }

   SHA512 [SHS] is defined as follows:

      ow-sha512 ALGORITHM ::= {
        OID id-sha512 PARMS NULL }

   It has the following object identifier:

      id-sha512 OBJECT IDENTIFIER ::= {
        joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
        csor(3) nistalgorithm(4) hashalgs(2) 3 }

   An implementation of this document SHOULD accept values of the
   parameterized type HashAlgorithm that have no parameters (also called
   absent) and values that have NULL parameters.  These values SHALL be
   treated equally.  (Of course, future extensions to the information
   object set CurveHashFunctions might include information objects whose
   parameters field is more meaningful.)  An implementation of this
   document SHOULD omit (leave absent) the parameters.
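The ECParameters CHOICE of Section 2.1.1 and the SpecifiedCurve fields of Sections 2.1.1.2 through 2.1.1.2.5 are easiest to follow with a decoder that checks what it parsed. The following Python is an added example; it is not part of this draft and not an ASN.1 toolkit's code. It decodes the three ECParameters alternatives from DER, maps a namedCurve OID to the names of Section 2.1.1.1, and, for a prime-field specifiedCurve, tests the facts the text states: the base point lies on the curve, n*P is the point at infinity, the seed is present for ecpVer2/ecpVer3, and h = #E(Fq)/n. The minimal DER decoder, the curve arithmetic and the toy curve over F_23 are constructed for the example; the point count behind the cofactor check is only feasible at toy sizes and is skipped for real field sizes.

```python
# Added example, not from the draft: decode a DER ECParameters value (Section
# 2.1.1) and, for the specifiedCurve choice (Section 2.1.1.2), validate the
# prime-field domain parameters before trusting them.  Only prime-p fields are
# handled, and the DER decoder is a minimal one written for this example.
NAMED_CURVES = {  # the fifteen curve OIDs of Section 2.1.1.1, dotted form
    "1.2.840.10045.3.1.1": "secp192r1", "1.3.132.0.1": "sect163k1", "1.3.132.0.15": "sect163r2",
    "1.3.132.0.33": "secp224r1", "1.3.132.0.26": "sect233k1", "1.3.132.0.27": "sect233r1",
    "1.2.840.10045.3.1.7": "secp256r1", "1.3.132.0.16": "sect283k1", "1.3.132.0.17": "sect283r1",
    "1.3.132.0.34": "secp384r1", "1.3.132.0.36": "sect409k1", "1.3.132.0.37": "sect409r1",
    "1.3.132.0.35": "secp521r1", "1.3.132.0.38": "sect571k1", "1.3.132.0.39": "sect571r1"}
PRIME_FIELD = "1.2.840.10045.1.1"  # prime-field OID, Section 2.1.1.2.2.1

def der_tlv(buf, pos=0):  # -> (tag, contents, next_pos); definite lengths only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):  # SEQUENCE contents -> [(tag, contents), ...]
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_tlv(contents, pos)
        out.append((tag, val))
    return out

def decode_oid(contents):  # OID contents octets -> dotted string
    arcs, cur = [contents[0] // 40, contents[0] % 40], 0
    for byte in contents[1:]:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

rhs = lambda x, p, a, b: (x * x * x + a * x + b) % p  # right-hand side of y^2 = x^3 + ax + b

def decode_point(octets, p, a, b):  # SEC1 ECPoint: 0x04 uncompressed, 0x02/0x03 compressed
    flen = (p.bit_length() + 7) // 8
    if octets[0] == 0x04 and len(octets) == 1 + 2 * flen:
        return int.from_bytes(octets[1:1 + flen], "big"), int.from_bytes(octets[1 + flen:], "big")
    if octets[0] in (0x02, 0x03) and len(octets) == 1 + flen and p % 4 == 3:
        x = int.from_bytes(octets[1:], "big")
        y = pow(rhs(x, p, a, b), (p + 1) // 4, p)  # square-root candidate, valid for p = 3 mod 4
        if y * y % p != rhs(x, p, a, b):
            raise ValueError("compressed x has no y on the curve")
        return x, (y if y % 2 == octets[0] - 2 else p - y)  # 0x02 selects even y, 0x03 odd y
    raise ValueError("malformed ECPoint (compressed form handled only for p = 3 mod 4)")

def ec_add(P, Q, p, a):  # affine short-Weierstrass addition; None is the point at infinity
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = ((3 * x1 * x1 + a) * pow(2 * y1, -1, p) if P == Q
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P, p, a):  # double-and-add scalar multiplication
    R = None
    while k:
        R = ec_add(R, P, p, a) if k & 1 else R
        P, k = ec_add(P, P, p, a), k >> 1
    return R

def parse_ec_parameters(der):  # -> ('namedCurve', name) | ('implicitCurve', None) | ('specifiedCurve', report)
    tag, contents, _ = der_tlv(der)
    if tag == 0x06:
        return "namedCurve", NAMED_CURVES.get(decode_oid(contents), "unknown")
    if tag == 0x05:
        return "implicitCurve", None
    assert tag == 0x30, "ECParameters must be an OID, NULL or SEQUENCE"
    f = der_children(contents)
    version = int.from_bytes(f[0][1], "big")
    ftype, fparm = der_children(f[1][1])
    if decode_oid(ftype[1]) != PRIME_FIELD:
        raise NotImplementedError("only the prime-p field type is handled here")
    p = int.from_bytes(fparm[1], "big")
    curve = der_children(f[2][1])
    a, b = int.from_bytes(curve[0][1], "big"), int.from_bytes(curve[1][1], "big")
    G = decode_point(f[3][1], p, a, b)
    n = int.from_bytes(f[4][1], "big")
    h = int.from_bytes(f[5][1], "big") if len(f) > 5 and f[5][0] == 0x02 else None
    on_curve = G[1] * G[1] % p == rhs(G[0], p, a, b)
    checks = {
        "version_and_seed_ok": version in (1, 2, 3) and (version == 1 or len(curve) > 2),
        "p_is_prime": p > 1 and all(p % d for d in range(2, int(p ** 0.5) + 1)),
        "curve_nonsingular": (4 * a ** 3 + 27 * b ** 2) % p != 0,
        "base_on_curve": on_curve,
        "order_kills_base": on_curve and ec_mul(n, G, p, a) is None,
        "cofactor_present": h is not None}  # strongly RECOMMENDED by the draft
    if h is not None and p < 5000:  # h = #E(Fp)/n; brute-force point count for toy p only
        affine = sum(1 if rhs(x, p, a, b) == 0 else 2 * (pow(rhs(x, p, a, b), (p - 1) // 2, p) == 1) for x in range(p))
        checks["cofactor_matches_order"] = h * n == affine + 1
    return "specifiedCurve", {"p": p, "a": a, "b": b, "G": G, "n": n, "h": h, "checks": checks}

# Constructed samples: secp256r1 by name, and a toy curve y^2 = x^3 + x + 1 over
# F_23 with base point (17, 3) of order 7 and cofactor 4 (the group has 28 points).
NAMED_SAMPLE = bytes.fromhex("06 08 2a 86 48 ce 3d 03 01 07")
SPECIFIED_SAMPLE = bytes.fromhex(
    "30 24 02 01 01 30 0c 06 07 2a 86 48 ce 3d 01 01 02 01 17 30 06 04 01 01 04 01 01 "
    "04 03 04 11 03 02 01 07 02 01 04")
COMPRESSED_SAMPLE = bytes.fromhex(  # same curve, base point sent as 03 || x
    "30 23 02 01 01 30 0c 06 07 2a 86 48 ce 3d 01 01 02 01 17 30 06 04 01 01 04 01 01 "
    "04 02 03 11 02 01 07 02 01 04")
```

The checks are the reason namedCurve is the MUST-support choice: with a named curve the parameters come from the standard, whereas a specifiedCurve is data supplied by whoever produced the certificate and has to be validated before the public key is used. A verifier that supports specifiedCurve would run these checks (with a real primality test and without the brute-force point count) on every explicit parameter set it accepts.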
2.1.2. Restricted Algorithm Identifiers and Parameters

   Algorithms used with elliptic curve cryptography fall into two
   categories: signature and key agreement algorithms.  ECDSA uses the
   pk-ec described in 2.1.1.  Two sets of key agreement algorithms are
   identified herein: the Elliptic Curve Diffie-Hellman (ECDH) key
   agreement scheme and the Elliptic Curve Menezes-Qu-Vanstone (ECMQV)
   key agreement scheme.  All algorithms are identified by an OID and
   have PARMS.  The OID varies based on the algorithm but the PARMS are
   always ECParameters and they MUST always be present (see paragraph
   2.1.1).

   The ECDH is defined as follows:

      pk-ecDH ALGORITHM ::= {
        OID id-ecDH PARMS ECParameters }

   The algorithm identifier is:

      id-ecDH OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) schemes(1)
        ecdh(12) }

   The ECMQV is defined as follows:

      pk-ecMQV ALGORITHM ::= {
        OID id-ecMQV PARMS ECParameters }

   The algorithm identifier is:

      id-ecMQV OBJECT IDENTIFIER ::= {
        iso(1) identified-organization(3) certicom(132) schemes(1)
        ecmqv(13) }

2.2. Subject Public Key

   The subjectPublicKey from SubjectPublicKeyInfo is the ECC public key.
   Implementations of elliptic curve cryptography according to this
   document MUST support the uncompressed form and MAY support the
   compressed form of the ECC public key.  As specified in [SEC1]:

      The first byte of the key indicates whether the key is compressed
      or uncompressed.  The uncompressed form is indicated by 0x04 and
      the compressed form is indicated by either 0x02 or 0x03 (see
      2.3.3 in [SEC1]).
      The elliptic curve public key (a value of type ECPoint which is
      an OCTET STRING) is mapped to a subjectPublicKey (a value of type
      BIT STRING) as follows: the most significant bit of the OCTET
      STRING value becomes the most significant bit of the BIT STRING
      value, and so on; the least significant bit of the OCTET STRING
      becomes the least significant bit of the BIT STRING.

3. KeyUsage Bits

   If the keyUsage extension is present in a CA certificate that
   indicates id-ecPublicKey in subjectPublicKeyInfo, any combination of
   the following values MAY be present:

      digitalSignature;
      nonRepudiation;
      keyAgreement;
      keyCertSign; and
      cRLSign.

   If the CA certificate keyUsage extension asserts keyAgreement then it
   MAY assert either encipherOnly or decipherOnly.  However, this
   specification RECOMMENDS that if keyCertSign or cRLSign is present,
   keyAgreement, encipherOnly, and decipherOnly SHOULD NOT be present.

   If the keyUsage extension is present in an EE certificate that
   indicates id-ecPublicKey in subjectPublicKeyInfo, any combination of
   the following values MAY be present:

      digitalSignature;
      nonRepudiation; and
      keyAgreement.

   If the EE certificate keyUsage extension asserts keyAgreement then it
   MAY assert either encipherOnly or decipherOnly.

   If the keyUsage extension is present in a certificate that indicates
   ecDH or ecMQV in subjectPublicKeyInfo, keyAgreement MUST be present
   and digitalSignature, nonRepudiation, keyTransport, keyCertSign, and
   cRLSign MUST NOT be present.  If this certificate keyUsage extension
   asserts keyAgreement then it MAY assert either encipherOnly or
   decipherOnly.

4. Security Considerations

   The security considerations in [RFC3279] apply.  No new security
   considerations are introduced by this document.

5. IANA Considerations

   None.  Please remove this section prior to publication as an RFC.
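Sections 2.2 and 3 together describe what a relying party can check on an ECC certificate without any curve arithmetic: the form octet and length of the subjectPublicKey, and which KeyUsage bits may accompany each of the three algorithm identifiers. The Python below is an added example and not code from the draft. It decodes a KeyUsage BIT STRING, applies the Section 3 rules as written (MUST-level violations are returned separately from the SHOULD NOT recommendation for CA certificates), and classifies a subjectPublicKey as uncompressed or compressed using the field sizes of the fifteen named curves. The KeyUsage bit numbering is that of RFC 3280; the field-octet table and all sample values are constructed for this example, and the sample public key is a placeholder rather than a real point.

```python
# Added example, not from the draft: apply the KeyUsage rules of Section 3 and
# the subjectPublicKey form rules of Section 2.2 to constructed sample values.
# Bit numbering follows the KeyUsage BIT STRING of RFC 3280
# (bit 0 = digitalSignature ... bit 8 = decipherOnly).
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"                 # Section 2.1.1
ID_EC_DH, ID_EC_MQV = "1.3.132.1.12", "1.3.132.1.13"   # Section 2.1.2
# Octets per field element for the named curves of Section 2.1.1.1
# (ceil(bits/8)); constructed here to sanity-check ECPoint lengths.
FIELD_OCTETS = {"secp192r1": 24, "secp224r1": 28, "secp256r1": 32,
                "secp384r1": 48, "secp521r1": 66, "sect163k1": 21,
                "sect163r2": 21, "sect233k1": 30, "sect233r1": 30,
                "sect283k1": 36, "sect283r1": 36, "sect409k1": 52,
                "sect409r1": 52, "sect571k1": 72, "sect571r1": 72}


def bit_string_body(der):
    """(unused_bits, octets) of a DER BIT STRING; short and long lengths."""
    if der[0] != 0x03:
        raise ValueError("expected BIT STRING tag 0x03")
    length, pos = der[1], 2
    if length & 0x80:  # long form: low bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if pos + length != len(der) or length < 1:
        raise ValueError("BIT STRING length does not match the data")
    return der[pos], der[pos + 1:pos + length]


def decode_key_usage(der):
    """KeyUsage BIT STRING -> set of asserted bit names."""
    unused, body = bit_string_body(der)
    nbits = len(body) * 8 - unused
    return {KU_BITS[i] for i in range(min(nbits, len(KU_BITS)))
            if body[i // 8] >> (7 - i % 8) & 1}


def key_usage_check(alg_oid, is_ca, ku):
    """Return (violations, warnings) for a keyUsage set under Section 3."""
    violations, warnings = [], []
    if alg_oid == ID_EC_PUBLIC_KEY:
        allowed = {"digitalSignature", "nonRepudiation", "keyAgreement"}
        if is_ca:
            allowed |= {"keyCertSign", "cRLSign"}
        if "keyAgreement" in ku:  # encipherOnly/decipherOnly only ride on keyAgreement
            allowed |= {"encipherOnly", "decipherOnly"}
        if (is_ca and ku & {"keyCertSign", "cRLSign"}
                and ku & {"keyAgreement", "encipherOnly", "decipherOnly"}):
            warnings.append("keyAgreement, encipherOnly and decipherOnly SHOULD NOT "
                            "accompany keyCertSign or cRLSign")
    elif alg_oid in (ID_EC_DH, ID_EC_MQV):
        # The draft lists the bits that MUST NOT be set; everything other than
        # keyAgreement and its two refinements is treated as forbidden here.
        allowed = {"keyAgreement", "encipherOnly", "decipherOnly"}
        if "keyAgreement" not in ku:
            violations.append("keyAgreement MUST be present for id-ecDH/id-ecMQV")
    else:
        return ["not an ECC algorithm covered by this document"], warnings
    violations += [f"{bit} not permitted" for bit in sorted(ku - allowed)]
    if {"encipherOnly", "decipherOnly"} <= ku:
        violations.append("only one of encipherOnly or decipherOnly may be asserted")
    return violations, warnings


def subject_public_key_form(der, curve_name):
    """Classify a subjectPublicKey BIT STRING per Section 2.2 and SEC1 lengths."""
    unused, point = bit_string_body(der)
    if unused != 0:
        return "invalid: the OCTET STRING must map to whole octets (0 unused bits)"
    flen = FIELD_OCTETS[curve_name]
    if point[0] == 0x04 and len(point) == 1 + 2 * flen:
        return "uncompressed"
    if point[0] in (0x02, 0x03) and len(point) == 1 + flen:
        return "compressed"
    return "invalid: unknown form octet or length inconsistent with the curve"


# Constructed samples (not real keys): a placeholder P-256-sized point and a
# few KeyUsage encodings.
SPK_UNCOMPRESSED = bytes([0x03, 0x42, 0x00, 0x04]) + bytes(range(64))
SPK_COMPRESSED = bytes([0x03, 0x22, 0x00, 0x02]) + bytes(range(32))
KU_CA_SIGNING = bytes.fromhex("03020186")   # digitalSignature, keyCertSign, cRLSign
KU_CA_MIXED = bytes.fromhex("0302020c")     # keyAgreement, keyCertSign
KU_ECDH_BAD = bytes.fromhex("03020388")     # digitalSignature, keyAgreement
KU_BOTH_ONLY = bytes.fromhex("0303070980")  # keyAgreement, encipherOnly, decipherOnly

if __name__ == "__main__":
    print(subject_public_key_form(SPK_UNCOMPRESSED, "secp256r1"))
    print(key_usage_check(ID_EC_PUBLIC_KEY, True, decode_key_usage(KU_CA_MIXED)))
    print(key_usage_check(ID_EC_DH, False, decode_key_usage(KU_ECDH_BAD)))
```

The length check is the only structural test available for the public key itself at this layer; whether the point is actually on the named curve requires the curve's domain parameters and arithmetic, which a certificate consumer would apply after this stage.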
6. References

6.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
              X.509 Public Key Infrastructure Certificate and
              Certificate Revocation List (CRL) Profile", RFC 3280,
              April 2002.

   [SHS]      National Institute of Standards and Technology (NIST),
              FIPS Publication 180-2: Secure Hash Standard, 2002.

   [SEC1]     Standards for Efficient Cryptography, "SEC 1: Elliptic
              Curve Cryptography", Version 1.0, September 2000.

   [X.208]    CCITT Recommendation X.208: Specification of Abstract
              Syntax Notation One (ASN.1), 1988.

   [X.680]    ITU-T Recommendation X.680: Information Technology -
              Abstract Syntax Notation One, 1997.

   [X.681]    ITU-T Recommendation X.681: Information Technology -
              Abstract Syntax Notation One: Information Object
              Specification, 1997.

6.2. Informative References

   [RFC3279]  Polk, W., Housley, R. and L. Bassham, "Algorithm
              Identifiers for the Internet X.509 Public Key
              Infrastructure", RFC 3279, April 2002.

Appendix A. ASN.1 Modules

   Appendix A.1 provides the normative ASN.1 definitions for the
   structures described in this specification using ASN.1 as defined in
   [X.208].

   Appendix A.2 provides informative ASN.1 definitions for the
   structures described in this specification using ASN.1 as defined in
   [X.680,X.681].  This appendix contains the same information as
   Appendix A.1 in a more recent (and precise) ASN.1 notation; however,
   Appendix A.1 takes precedence in case of conflict.

   These modules include more than the ASN.1 updates described in the
   text of this document.  They also include additional ASN.1 from
   RFC 3279 because we needed to update the entire ASN.1 module.
Appendix A.1. 1988 ASN.1 Module

   PKIXAlgs-2008 { iso(1) identified-organization(3) dod(6)
     internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) TBD }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL

   IMPORTS

   AlgorithmIdentifier
     FROM PKIX1Explicit88
       { iso(1) identified-organization(3) dod(6)
         internet(1) security(5) mechanisms(5) pkix(7) mod(0)
         pkix1-explicit(18) }
   ;

   --
   -- Public Key (pk) Algorithms
   --

   -- RSA PK Algorithm, Parameters, and Keys

   rsaEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

   RSAPublicKey ::= SEQUENCE {
     modulus         INTEGER,   -- n
     publicExponent  INTEGER    -- e
   }

   -- DSA PK Algorithm and Parameters

   id-dsa OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }

   DSAPublicKey ::= INTEGER   -- public key, y

   DSS-Parms ::= SEQUENCE {
     p  INTEGER,
     q  INTEGER,
     g  INTEGER
   }

   -- Diffie-Hellman PK Algorithm, Keys, and Parameters

   dhpublicnumber OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }

   DHPublicKey ::= INTEGER   -- public key, y = g^x mod p

   DomainParameters ::= SEQUENCE {
     p                INTEGER,           -- odd prime, p=jq +1
     g                INTEGER,           -- generator, g
     q                INTEGER,           -- factor of p-1
     j                INTEGER OPTIONAL,  -- subgroup factor, j>= 2
     validationParms  ValidationParms OPTIONAL }

   ValidationParms ::= SEQUENCE {
     seed         BIT STRING,
     pgenCounter  INTEGER }

   -- KEA PK Algorithm and Parameters

   id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= {
     2 16 840 1 101 2 1 1 22 }

   KEA-Parms-Id ::= OCTET STRING

   -- Sec 2.1.1 Unrestricted Algorithms and Parameters (including ECDSA)

   id-ecPublicKey OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

   -- Sec 2.1.2 Restricted Algorithms and Parameters

   id-ecDH OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) schemes(1)
     ecdh(12) }

   -- Sec 2.1.2 Restricted Algorithms and Parameters

   id-ecMQV OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) schemes(1)
     ecmqv(13) }

   -- Parameters for both Restricted and Unrestricted

   ECParameters ::= CHOICE {
     namedCurve      OBJECT IDENTIFIER,
     specifiedCurve  SpecifiedCurve,
     implicitCurve   NULL
   }

   -- Sec 2.1.1.1 Named Curves

   -- Note in ANSI X9.62 the curves are referred to as 'ansiX9' as
   -- opposed to 'sec'.  For example secp192r1 is the same curve as
   -- ansix9p192r1.

   -- Note that in RFC 3279 the secp192r1 curve was referred to as
   -- prime192v1 and the secp256r1 curve was referred to as prime256v1.

   secp192r1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
     prime(1) 1 }

   sect163k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 1 }

   sect163r2 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 15 }

   secp224r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 33 }

   sect233k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 26 }

   sect233r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 27 }

   secp256r1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
     prime(1) 7 }

   sect283k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 16 }

   sect283r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 17 }

   secp384r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 34 }

   sect409k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 36 }

   sect409r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 37 }

   secp521r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 35 }

   sect571k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 38 }

   sect571r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 39 }

   -- Sec 2.1.1.2 Specified Curve

   SpecifiedCurve ::= SEQUENCE {
     version   SpecifiedCurveVersion,
     fieldID   FieldID,
     curve     Curve,              -- Curve E
     base      ECPoint,            -- Base point P
     order     INTEGER,            -- Order n of the base point
     cofactor  INTEGER OPTIONAL,   -- The integer h = #E(Fq)/n
     hash      HashAlgorithm OPTIONAL
   }

   SpecifiedCurveVersion ::= INTEGER {
     ecpVer1(1),
     ecpVer2(2),
     ecpVer3(3)
   }

   FieldID ::= SEQUENCE {
     fieldType   OBJECT IDENTIFIER,
     parameters  ANY DEFINED BY fieldType
   }

   -- where fieldType is prime-field, the parameters are of type Prime-p

   prime-field OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(1) 1 }

   Prime-p ::= INTEGER

   -- where fieldType is characteristic-two-field, the parameters are
   -- of type Characteristic-two

   characteristic-two-field OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(1) 2 }

   Characteristic-two ::= SEQUENCE {
     m           INTEGER,   -- Field size 2^m
     basis       OBJECT IDENTIFIER,
     parameters  ANY DEFINED BY basis
   }

   -- The object identifiers gnBasis, tpBasis and ppBasis name
   -- three kinds of basis for characteristic-two finite fields

   -- gnbasis is identified by OID gnBasis and indicates
   -- parameters are NULL

   gnBasis OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(2)
     characteristic-two-basis(2) 1 }

   -- trinomial basis is identified by OID tpBasis and indicates
   -- parameters of type Trinomial

   tpBasis OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(2)
     characteristic-two-basis(2) 2 }
   Trinomial ::= INTEGER

   -- pentanomial basis is identified by OID ppBasis and indicates
   -- parameters of type Pentanomial

   ppBasis OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(2)
     characteristic-two-basis(2) 3 }

   -- Pentanomial basis representation of F2^m
   -- reduction polynomial integers k1, k2, k3
   -- f(x) = x**m + x**k3 + x**k2 + x**k1 + 1

   Pentanomial ::= SEQUENCE {
     k1  INTEGER,   -- k1 > 0
     k2  INTEGER,   -- k2 > k1
     k3  INTEGER    -- k3 > k2
   }

   Curve ::= SEQUENCE {
     a     FieldElement,          -- Elliptic curve coefficient a
     b     FieldElement,          -- Elliptic curve coefficient b
     seed  BIT STRING OPTIONAL
     -- Shall be present if used in SpecifiedCurve
     -- with version of ecpVer2 or ecpVer3
   }

   FieldElement ::= OCTET STRING

   ECPoint ::= OCTET STRING

   HashAlgorithm ::= AlgorithmIdentifier

   --
   -- Signature Algorithms (sa)
   --

   -- RSA with MD-2

   md2WithRSAEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 2 }

   -- RSA with MD-5

   md5WithRSAEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 }

   -- RSA with SHA-1

   sha1WithRSAEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }

   -- DSA with SHA-1

   dsa-with-sha1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 }

   -- ECDSA with SHA-1

   ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 }

   --
   -- Signature Values
   --

   -- DSA

   DSA-Sig-Value ::= SEQUENCE {
     r  INTEGER,
     s  INTEGER
   }

   -- ECDSA

   ECDSA-Sig-Value ::= SEQUENCE {
     r  INTEGER,
     s  INTEGER
   }

   --
   -- One-way (ow) Hash Algorithms
   --

   -- MD-2

   id-md2 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 }

   -- MD-5

   id-md5 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 }

   -- SHA-1

   id-sha1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) oiw(14) secsig(3)
     algorithm(2) 26 }

   -- SHA-224

   id-sha224 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistalgorithm(4) hashalgs(2) 4 }

   -- SHA-256

   id-sha256 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistalgorithm(4) hashalgs(2) 1 }

   -- SHA-384

   id-sha384 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistalgorithm(4) hashalgs(2) 2 }

   -- SHA-512

   id-sha512 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistalgorithm(4) hashalgs(2) 3 }

   END

Appendix A.2.  2004 ASN.1 Module

   PKIXAlgs-2008 { iso(1) identified-organization(3) dod(6)
     internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) TBD }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL

   -- IMPORTS NONE

   ALGORITHM ::= CLASS {
     &id    OBJECT IDENTIFIER UNIQUE,
     &Type  OPTIONAL
   }
   WITH SYNTAX { OID &id [PARMS &Type] }

   AlgorithmIdentifier {ALGORITHM:IOSet} ::= SEQUENCE {
     algorithm   ALGORITHM.&id({IOSet}),
     parameters  ALGORITHM.&Type({IOSet}{@algorithm}) OPTIONAL
   }

   --
   -- Public Key (pk) Algorithms
   --

   PKAlgorithms ALGORITHM ::= {
     pk-rsa |
     pk-dsa |
     pk-dh |
     pk-kea |
     pk-ec |
     pk-ecDH |
     pk-ecMQV,
     ...  -- Extensible
   }

   -- RSA PK Algorithm, Parameters, and Keys

   pk-rsa ALGORITHM ::= {
     OID rsaEncryption PARMS NULL }

   rsaEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }

   RSAPublicKey ::= SEQUENCE {
     modulus         INTEGER,   -- n
     publicExponent  INTEGER    -- e
   }

   -- DSA PK Algorithm, Parameters, and Keys

   pk-dsa ALGORITHM ::= {
     OID id-dsa PARMS DSS-Parms }

   id-dsa OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 }

   DSS-Parms ::= SEQUENCE {
     p  INTEGER,
     q  INTEGER,
     g  INTEGER
   }

   DSAPublicKey ::= INTEGER  -- public key, y

   -- Diffie-Hellman PK Algorithm, Parameters, and Keys

   pk-dh ALGORITHM ::= {
     OID dhpublicnumber PARMS DomainParameters }

   dhpublicnumber OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-x942(10046) number-type(2) 1 }

   DomainParameters ::= SEQUENCE {
     p                INTEGER,                   -- odd prime, p=jq +1
     g                INTEGER,                   -- generator, g
     q                INTEGER,                   -- factor of p-1
     j                INTEGER OPTIONAL,          -- subgroup factor, j>= 2
     validationParms  ValidationParms OPTIONAL }

   ValidationParms ::= SEQUENCE {
     seed         BIT STRING,
     pgenCounter  INTEGER }

   DHPublicKey ::= INTEGER  -- public key, y = g^x mod p

   -- KEA PK Algorithm and Parameters

   pk-kea ALGORITHM ::= {
     OID id-keyExchangeAlgorithm PARMS KEA-Parms-Id }

   id-keyExchangeAlgorithm OBJECT IDENTIFIER ::= {
     2 16 840 1 101 2 1 1 22 }

   KEA-Parms-Id ::= OCTET STRING

   -- Sec 2.1.1 Unrestricted Algorithms and Parameters (including ECDSA)

   pk-ec ALGORITHM ::= {
     OID id-ecPublicKey PARMS ECParameters }

   id-ecPublicKey OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) keyType(2) 1 }

   -- Sec 2.1.2 Restricted Algorithms and Parameters

   pk-ecDH ALGORITHM ::= {
     OID id-ecDH PARMS ECParameters }

   id-ecDH OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) schemes(1)
     ecdh(12) }

   -- Sec 2.1.2 Restricted Algorithms and Parameters

   pk-ecMQV ALGORITHM ::= {
     OID id-ecMQV PARMS ECParameters }

   id-ecMQV OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) schemes(1)
     ecmqv(13) }

   -- Parameters for both Restricted and Unrestricted

   ECParameters ::= CHOICE {
     namedCurve      CURVE.&id({NamedCurve}),
     specifiedCurve  SpecifiedCurve,
     implicitCurve   NULL
   }

   -- Sec 2.1.1.1 Named Curve

   CURVE ::= CLASS { &id OBJECT IDENTIFIER UNIQUE }
   WITH SYNTAX { ID &id }

   NamedCurve CURVE ::= {
     { ID secp192r1 } | { ID sect163k1 } | { ID sect163r2 } |
     { ID secp224r1 } | { ID sect233k1 } | { ID sect233r1 } |
     { ID secp256r1 } | { ID sect283k1 } | { ID sect283r1 } |
     { ID secp384r1 } | { ID sect409k1 } | { ID sect409r1 } |
     { ID secp521r1 } | { ID sect571k1 } | { ID sect571r1 },
     ...  -- Extensible
   }

   -- Note in ANSI X9.62 the curves are referred to as 'ansiX9' as
   -- opposed to 'sec'.  For example secp192r1 is the same curve as
   -- ansix9p192r1.

   -- Note that in RFC 3279 the secp192r1 curve was referred to as
   -- prime192v1 and the secp256r1 curve was referred to as prime256v1.
   secp192r1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
     prime(1) 1 }

   sect163k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 1 }

   sect163r2 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 15 }

   secp224r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 33 }

   sect233k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 26 }

   sect233r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 27 }

   secp256r1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) curves(3)
     prime(1) 7 }

   sect283k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 16 }

   sect283r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 17 }

   secp384r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 34 }

   sect409k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 36 }

   sect409r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 37 }

   secp521r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 35 }

   sect571k1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 38 }

   sect571r1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) certicom(132) curve(0) 39 }

   -- Sec 2.1.1.2 Specified Curve

   SpecifiedCurve ::= SEQUENCE {
     version   SpecifiedCurveVersion
                 ( ecpVer1 | ecpVer2 | ecpVer3, ... ),
     fieldID   FieldID {{FieldTypes}},
     curve     Curve,               -- Curve E
     base      ECPoint,             -- Base point P
     order     INTEGER,             -- Order n of the base point
     cofactor  INTEGER OPTIONAL,    -- The integer h = #E(Fq)/n
     hash      HashAlgorithm OPTIONAL,
     ...  -- Extensible
   }

   SpecifiedCurveVersion ::= INTEGER {
     ecpVer1(1),
     ecpVer2(2),
     ecpVer3(3)
   }

   FIELD-ID ::= TYPE-IDENTIFIER

   FieldID { FIELD-ID:IOSet } ::= SEQUENCE {
     fieldType   FIELD-ID.&id({IOSet}),
     parameters  FIELD-ID.&Type({IOSet}{@fieldType})
   }

   FieldTypes FIELD-ID ::= {
     { Prime-p IDENTIFIED BY prime-field } |
     { Characteristic-two IDENTIFIED BY characteristic-two-field },
     ...  -- Extensible
   }

   -- where fieldType is prime-field, the parameters are of type Prime-p

   prime-field OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(1) 1 }

   Prime-p ::= INTEGER

   -- where fieldType is characteristic-two-field, the parameters are
   -- of type Characteristic-two

   characteristic-two-field OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(1) 2 }

   Characteristic-two ::= SEQUENCE {
     m           INTEGER,                                    -- Field size 2^m
     basis       CHARACTERISTIC-TWO.&id({BasisTypes}),
     parameters  CHARACTERISTIC-TWO.&Type({BasisTypes}{@basis})
   }

   CHARACTERISTIC-TWO ::= TYPE-IDENTIFIER

   -- The object identifiers gnBasis, tpBasis and ppBasis name
   -- three kinds of basis for characteristic-two finite fields

   BasisTypes CHARACTERISTIC-TWO ::= {
     { NULL IDENTIFIED BY gnBasis } |
     { Trinomial IDENTIFIED BY tpBasis } |
     { Pentanomial IDENTIFIED BY ppBasis },
     ...  -- Extensible
   }

   -- Gaussian normal basis is identified by OID gnBasis and indicates
   -- parameters are NULL

   gnBasis OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(2)
     characteristic-two-basis(2) 1 }

   -- trinomial basis is identified by OID tpBasis and indicates
   -- parameters of type Trinomial

   tpBasis OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(2)
     characteristic-two-basis(2) 2 }

   Trinomial ::= INTEGER

   -- pentanomial basis is identified by OID ppBasis and indicates
   -- parameters of type Pentanomial

   ppBasis OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) fieldType(2)
     characteristic-two-basis(2) 3 }

   -- Pentanomial basis representation of F2^m
   -- reduction polynomial integers k1, k2, k3
   -- f(x) = x**m + x**k3 + x**k2 + x**k1 + 1

   Pentanomial ::= SEQUENCE {
     k1  INTEGER,   -- k1 > 0
     k2  INTEGER,   -- k2 > k1
     k3  INTEGER    -- k3 > k2
   }

   Curve ::= SEQUENCE {
     a     FieldElement,
     b     FieldElement,
     seed  BIT STRING OPTIONAL
     -- Shall be present if used in SpecifiedCurve
     -- with version of ecpVer2 or ecpVer3
   }

   FieldElement ::= OCTET STRING

   ECPoint ::= OCTET STRING

   HashAlgorithm ::= AlgorithmIdentifier {{CurveHashFunctions}}

   CurveHashFunctions ALGORITHM ::= {
     ow-sha1 |
     ow-sha224 |
     ow-sha256 |
     ow-sha384 |
     ow-sha512,
     ...  -- Extensible
   }

   --
   -- Signature Algorithms (sa)
   --

   SignatureAlgorithms ALGORITHM ::= {
     sa-rsaWithMD2 |
     sa-rsaWithMD5 |
     sa-rsaWithSHA1 |
     sa-dsaWithSHA1 |
     sa-ecdsaWithSHA1,
     ...  -- Extensible
   }

   -- RSA with MD-2

   sa-rsaWithMD2 ALGORITHM ::= {
     OID md2WithRSAEncryption PARMS NULL }

   md2WithRSAEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 2 }

   -- RSA with MD-5

   sa-rsaWithMD5 ALGORITHM ::= {
     OID md5WithRSAEncryption PARMS NULL }

   md5WithRSAEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 }

   -- RSA with SHA-1

   sa-rsaWithSHA1 ALGORITHM ::= {
     OID sha1WithRSAEncryption PARMS NULL }

   sha1WithRSAEncryption OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }

   -- DSA with SHA-1

   sa-dsaWithSHA1 ALGORITHM ::= {
     OID dsa-with-sha1 PARMS NULL }

   dsa-with-sha1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 3 }

   -- ECDSA with SHA-1

   sa-ecdsaWithSHA1 ALGORITHM ::= {
     OID ecdsa-with-SHA1 PARMS NULL }

   ecdsa-with-SHA1 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) 1 }

   --
   -- Signature Values
   --

   -- DSA

   DSA-Sig-Value ::= SEQUENCE {
     r  INTEGER,
     s  INTEGER
   }

   -- ECDSA

   ECDSA-Sig-Value ::= SEQUENCE {
     r  INTEGER,
     s  INTEGER
   }

   --
   -- One-way (ow) Hash Algorithms
   --

   HashAlgorithms ALGORITHM ::= {
     ow-md2 |
     ow-md5 |
     ow-sha1 |
     ow-sha224 |
     ow-sha256 |
     ow-sha384 |
     ow-sha512,
     ...  -- Extensible
   }

   -- MD-2

   ow-md2 ALGORITHM ::= {
     OID id-md2 PARMS NULL }

   id-md2 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 2 }

   -- MD-5

   ow-md5 ALGORITHM ::= {
     OID id-md5 PARMS NULL }

   id-md5 OBJECT IDENTIFIER ::= {
     iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 5 }

   -- SHA-1

   ow-sha1 ALGORITHM ::= {
     OID id-sha1 PARMS NULL }

   id-sha1 OBJECT IDENTIFIER ::= {
     iso(1) identified-organization(3) oiw(14) secsig(3)
     algorithm(2) 26 }

   -- SHA-224

   ow-sha224 ALGORITHM ::= {
     OID id-sha224 PARMS NULL }

   id-sha224 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistalgorithm(4) hashalgs(2) 4 }

   -- SHA-256

   ow-sha256 ALGORITHM ::= {
     OID id-sha256 PARMS NULL }

   id-sha256 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistalgorithm(4) hashalgs(2) 1 }

   -- SHA-384

   ow-sha384 ALGORITHM ::= {
     OID id-sha384 PARMS NULL }

   id-sha384 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistalgorithm(4) hashalgs(2) 2 }

   -- SHA-512

   ow-sha512 ALGORITHM ::= {
     OID id-sha512 PARMS NULL }

   id-sha512 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistalgorithm(4) hashalgs(2) 3 }

   END

Authors' Addresses

   Sean Turner
   IECA, Inc.
   3057 Nutley Street, Suite 106
   Fairfax, VA 22031
   USA

   EMail: turners@ieca.com

   Kelvin Yiu
   Microsoft
   One Microsoft Way
   Redmond, WA 98052-6399
   USA

   EMail: kelviny@microsoft.com

   Daniel R. L. Brown
   Certicom Corp
   5520 Explorer Drive #400
   Mississauga, ON L4W 5L1
   CANADA

   EMail: dbrown@certicom.com

   Russ Housley
   Vigil Security, LLC
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA

   EMail: housley@vigilsec.com

   Tim Polk
   NIST
   Building 820, Room 426
   Gaithersburg, MD 20899
   USA

   EMail: wpolk@nist.gov

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.
   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).
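The modules in Appendix A define the structures a relying party has to decode before it can use an EC key or verify an ECDSA signature: an AlgorithmIdentifier whose algorithm is id-ecPublicKey and whose parameters are the ECParameters CHOICE (namedCurve, specifiedCurve or implicitCurve), and ECDSA-Sig-Value with its two INTEGERs. The following Python decoder is an added example and is not part of the draft or of any IETF code; it implements the DER reading itself (no library assumed), transcribes the NamedCurve OIDs from the module into NAMED_CURVES, and makes two policy choices that are this example's own rather than the module's: it requires parameters to be present for id-ecPublicKey (the module binds PARMS ECParameters to pk-ec) and it rejects namedCurve OIDs outside the NamedCurve set even though that set is marked extensible. Every sample byte string is constructed for the example.

```python
"""Decoder for the ECC structures of the PKIXAlgs ASN.1 module (added example)."""

INTEGER, NULL, OID, SEQUENCE = 0x02, 0x05, 0x06, 0x30   # DER tags used here

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey from the module

# OIDs of the NamedCurve object set, transcribed from Appendix A.
NAMED_CURVES = {
    "1.2.840.10045.3.1.1": "secp192r1", "1.3.132.0.1": "sect163k1",
    "1.3.132.0.15": "sect163r2", "1.3.132.0.33": "secp224r1",
    "1.3.132.0.26": "sect233k1", "1.3.132.0.27": "sect233r1",
    "1.2.840.10045.3.1.7": "secp256r1", "1.3.132.0.16": "sect283k1",
    "1.3.132.0.17": "sect283r1", "1.3.132.0.34": "secp384r1",
    "1.3.132.0.36": "sect409k1", "1.3.132.0.37": "sect409r1",
    "1.3.132.0.35": "secp521r1", "1.3.132.0.38": "sect571k1",
    "1.3.132.0.39": "sect571r1",
}


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for one DER TLV; rejects non-DER lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, pos = first, pos + 2
    else:                                  # long form: 0x8n followed by n octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        if length < 0x80 or buf[pos + 2] == 0:
            raise ValueError("non-minimal DER length")
        pos += 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Dotted form of an OBJECT IDENTIFIER's content octets (base-128 arcs)."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this sub-identifier
            arcs.append(acc)
            acc = 0
    if acc or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]                        # first two arcs are packed as 40*X+Y
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_integer(content):
    """DER INTEGER: big-endian two's complement in its minimal encoding."""
    if not content:
        raise ValueError("empty INTEGER")
    if len(content) > 1 and content[0] in (0x00, 0xFF) and \
            (content[1] & 0x80) == (content[0] & 0x80):
        raise ValueError("non-minimal INTEGER")   # redundant leading octet
    return int.from_bytes(content, "big", signed=True)


def decode_ec_algorithm_identifier(der):
    """Parse AlgorithmIdentifier { id-ecPublicKey, ECParameters }."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, alg, pos = read_tlv(body)
    if tag != OID:
        raise ValueError("algorithm must be an OBJECT IDENTIFIER")
    algorithm = decode_oid(alg)
    if algorithm != ID_EC_PUBLIC_KEY:
        raise ValueError("unexpected algorithm " + algorithm)
    if pos == len(body):                   # example policy: pk-ec carries PARMS
        raise ValueError("ECParameters absent for id-ecPublicKey")
    tag, params, pos = read_tlv(body, pos)
    if pos != len(body):
        raise ValueError("trailing octets after parameters")
    if tag == OID:                         # namedCurve alternative
        oid = decode_oid(params)
        if oid not in NAMED_CURVES:        # example policy: known curves only
            raise ValueError("curve OID not in NamedCurve set: " + oid)
        return {"choice": "namedCurve", "oid": oid, "curve": NAMED_CURVES[oid]}
    if tag == NULL:                        # implicitCurve alternative
        if params:
            raise ValueError("NULL must have empty content")
        return {"choice": "implicitCurve"}
    if tag == SEQUENCE:                    # specifiedCurve alternative
        return {"choice": "specifiedCurve"}
    raise ValueError("unknown ECParameters alternative")


def decode_ecdsa_sig_value(der):
    """Parse ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } into (r, s)."""
    tag, body, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag_r, r_bytes, pos = read_tlv(body)
    tag_s, s_bytes, pos = read_tlv(body, pos)
    if tag_r != INTEGER or tag_s != INTEGER or pos != len(body):
        raise ValueError("ECDSA-Sig-Value must be exactly two INTEGERs")
    r, s = decode_integer(r_bytes), decode_integer(s_bytes)
    if r <= 0 or s <= 0:                   # r and s are in [1, n-1] for any valid signature
        raise ValueError("r and s must be positive")
    return r, s


# Constructed samples: AlgorithmIdentifier { id-ecPublicKey, secp256r1 } and a
# signature with r = 128 (needs a leading 0x00 octet in DER) and s = 256.
SAMPLE_ALG_ID = bytes.fromhex("3013" "06072a8648ce3d0201" "06082a8648ce3d030107")
SAMPLE_SIG = bytes.fromhex("3008" "02020080" "02020100")

if __name__ == "__main__":
    print(decode_ec_algorithm_identifier(SAMPLE_ALG_ID))
    print(decode_ecdsa_sig_value(SAMPLE_SIG))
```

The decoder deliberately refuses non-minimal lengths and INTEGER encodings, because a signature value that admits more than one encoding is a signature that can be altered without invalidating it; insisting on strict DER is the cheapest way to make the encoding unique.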