S/MIME Working Group                                           J. Schaad
Internet Draft                                    Soaring Hawk Consulting
Document: draft-ietf-smime-pss-03.txt                      December 2003
Category: Standards

              Use of the RSA PSS Signature Algorithm in CMS

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026 [1].

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.  Internet-Drafts are draft documents valid for a
   maximum of six months and may be updated, replaced, or obsoleted by
   other documents at any time.  It is inappropriate to use
   Internet-Drafts as reference material or to cite them other than as
   "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   Comments or suggestions for improvement may be made on the
   "ietf-smime" mailing list, or directly to the author.

Abstract

   This document specifies the conventions for using the RSA
   Probabilistic Signature Scheme (RSASSA-PSS) digital signature
   algorithm with the Cryptographic Message Syntax (CMS).

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
   this document are to be interpreted as described in RFC 2119
   [STDWORDS].

1. Overview

   This document specifies the conventions for using the RSASSA-PSS
   (RSA Signature Scheme with Appendix - Probabilistic Signature
   Scheme) [P1v2.1] digital signature algorithm with the Cryptographic
   Message Syntax [CMS] signed-data content type.

CMS and PSS Signature                                      December 2003

   CMS values are generated using ASN.1 [X.208-88], using the Basic
   Encoding Rules (BER) [X.209-88] and the Distinguished Encoding Rules
   (DER) [X.509-88].

   This document is written to be used in conjunction with RFC XXX
   [RSA-ALGS].  All of the ASN.1 structures referenced in this document
   are defined in RFC XXX.

1.1 PSS Algorithm

   Although there are no known defects with the PKCS #1 v1.5 [P1v1.5]
   signature algorithm, RSASSA-PSS [P1v2.1] was developed in an effort
   to have more mathematically provable security.  PKCS #1 v1.5
   signatures were developed in an ad hoc manner; RSASSA-PSS was
   developed based on mathematical foundations.

2. Algorithm Identifiers and Parameters

2.1 Certificate Identifiers

   The RSASSA-PSS signature algorithm is defined in RFC 3447 [P1v2.1].
   Conventions for encoding the public key are defined in RFC XXX
   [RSA-ALGS].

   Two algorithm identifiers for RSA subject public keys in
   certificates are used.  These are:

      rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }

   and

      id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 }

   When the rsaEncryption algorithm identifier is used for a public
   key, the AlgorithmIdentifier parameters field MUST contain NULL.
   Complete details can be found in [RSA-ALGS].

   When the id-RSASSA-PSS algorithm identifier is used for a public
   key, the AlgorithmIdentifier parameters field MUST either be absent
   or contain RSASSA-PSS-params.  Again, complete details can be found
   in [RSA-ALGS].

   In both cases, the RSA public key, which is composed of a modulus
   and a public exponent, MUST be encoded using the RSAPublicKey type.
   The output of this encoding is carried in the certificate subject
   public key.

      RSAPublicKey ::= SEQUENCE {
         modulus           INTEGER,    -- n
         publicExponent    INTEGER }   -- e

2.2 Signature Identifiers

   The algorithm identifier for RSASSA-PSS signatures is:

      id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 }

   When the id-RSASSA-PSS algorithm identifier is used for a signature,
   the AlgorithmIdentifier parameters field MUST contain
   RSASSA-PSS-params.  Information about RSASSA-PSS-params can be found
   in [RSA-ALGS].

   When signing, the RSA algorithm generates a single value, and that
   value is used directly as the signature value.

3. Signed-data Conventions

   digestAlgorithms SHOULD contain the one-way hash function used to
   compute the message digest on the eContent value.
   The same one-way hash function SHOULD be used for computing the
   message digest on both the eContent and the signedAttributes value
   if signedAttributes exist.

   The same one-way hash function MUST be used for computing the
   message digest on the signedAttributes and as the hashAlgorithm in
   the RSASSA-PSS-params structure.

   signatureAlgorithm MUST contain id-RSASSA-PSS.  The algorithm
   parameters field MUST contain RSASSA-PSS-params.

   signature contains the single value resulting from the signing
   operation.

   If the subjectPublicKeyInfo algorithm identifier for the public key
   in the certificate is id-RSASSA-PSS and the parameters field is
   present, the following additional steps MUST be done as part of
   signature validation:

   1. The hashAlgorithm field in the certificate
      subjectPublicKey.algorithm parameters and the signatureAlgorithm
      parameters MUST be the same.

   2. The maskGenAlgorithm field in the certificate
      subjectPublicKey.algorithm parameters and the signatureAlgorithm
      parameters MUST be the same.

   3. The saltLength in the signatureAlgorithm parameters MUST be
      greater than or equal to the saltLength in the certificate
      subjectPublicKey.algorithm parameters.

   4. The trailerField in the certificate subjectPublicKey.algorithm
      parameters and the signatureAlgorithm parameters MUST be the
      same.

   In doing the above comparisons, default values are considered to be
   the same as extant values.  If any of the above four steps is not
   true, the signature checking algorithm MUST fail validation.

4. Security Considerations

   Implementations must protect the RSA private key.  Compromise of the
   RSA private key may result in the ability to forge signatures.

   The generation of an RSA private key relies on random numbers.  The
   use of inadequate pseudo-random number generators (PRNGs) to
   generate these values can result in little or no security.  An
   attacker may find it much easier to reproduce the PRNG environment
   that produced the keys, searching the resulting small set of
   possibilities, rather than brute force searching the whole key
   space.  The generation of quality random numbers is difficult.  RFC
   1750 [RANDOM] offers important guidance in this area.

   Using the same private key for different algorithms has the
   potential of allowing an attacker to get extra information about the
   key.  It is strongly suggested that the same key not be used for
   both the PKCS #1 v1.5 and RSASSA-PSS signature algorithms.

   When computing signatures, the same hash function should be used for
   all operations.  This reduces the number of failure points in the
   signature process.

   The parameter checking procedures outlined in section 3 are of
   special importance.  It is possible to forge signatures by changing
   these parameter values (especially to weaker values).  Signers using
   this algorithm should take care that only one set of parameter
   values is used, as this decreases the possibility of leaking
   information.

5. Normative References

   CMS       Housley, R., "Cryptographic Message Syntax", RFC 3369,
             August 2002.

   P1v2.1    Jonsson, J. and B. Kaliski, "PKCS #1: RSA Cryptography
             Specification Version 2.1", RFC 3447, February 2003.

   RSA-ALGS  Schaad, J., B. Kaliski and R. Housley, "Additional
             Algorithms and Identifiers for RSA Cryptography for use in
             the Internet X.509 Public Key Infrastructure Certificate
             and Certificate Revocation List (CRL) Profile",
             draft-ietf-pkix-rsa-pkalgs-01.txt, November 2003.

   STDWORDS  Bradner, S., "Key Words for Use in RFCs to Indicate
             Requirement Levels", RFC 2119, March 1997.

   X.208-88  CCITT Recommendation X.208: Specification of Abstract
             Syntax Notation One (ASN.1), 1998.

   X.209-88  CCITT Recommendation X.209: Specification of Basic
             Encoding Rules for Abstract Syntax Notation One (ASN.1),
             1988.

   X.509-88  CCITT Recommendation X.509: The Directory Authentication
             Framework, 1988.

6. Informational References

   P1v1.5    Kaliski, B. and J. Staddon, "PKCS #1: RSA Encryption,
             Version 2.0", RFC 2437, October 1998.

   PKALGS    Polk, W., R. Housley and L. Bassham, "Algorithms and
             Identifiers for the Internet X.509 Public Key
             Infrastructure Certificate and Certificate Revocation List
             (CRL) Profile", RFC 3279, April 2002.

   RANDOM    Eastlake, D., S. Crocker and J. Schiller, "Randomness
             Recommendations for Security", RFC 1750, December 1994.

7. Author's Address

   Jim Schaad
   Soaring Hawk Consulting
   PO Box 675
   Gold Bar, WA 98251

   Email: jimsch@exmsft.com

Full Copyright Statement

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.
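Worked example of the Section 3 validation rules (added by the editor; this is not code from the draft, from RFC 3447, or from any CMS implementation). The PssParams class and check_pss_params function are hypothetical names. The example assumes that the RSASSA-PSS-params structures from the SignerInfo and from the certificate have already been DER-decoded, and it applies the DEFAULT values defined in RFC 3447 (SHA-1, MGF1 with SHA-1, saltLength 20, trailerField 1) so that an absent field and an explicitly encoded default compare as equal, which is what "default values are considered to be the same as extant values" requires. It also covers the rule that the hash used on the signedAttributes must equal hashAlgorithm in the signature parameters.

```python
"""Section 3 parameter checks for RSASSA-PSS in CMS signed-data.

Added example for this draft; not code from the draft, RFC 3447, or any
CMS implementation.  PssParams and check_pss_params are hypothetical
names.  The example assumes the RSASSA-PSS-params structures have
already been DER-decoded into PssParams; a field left as None means the
field was absent and its RFC 3447 DEFAULT applies.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Object identifiers from RFC 3447 / RFC 3279, used here as plain strings.
OID_SHA1 = "1.3.14.3.2.26"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
OID_MGF1 = "1.2.840.113549.1.1.8"

# DEFAULT values from the RSASSA-PSS-params definition in RFC 3447.
DEFAULT_HASH = OID_SHA1
DEFAULT_MGF = (OID_MGF1, OID_SHA1)   # MGF1 parameterised by SHA-1
DEFAULT_SALT_LENGTH = 20
DEFAULT_TRAILER_FIELD = 1


@dataclass(frozen=True)
class PssParams:
    """A decoded RSASSA-PSS-params value.  None means 'absent, use DEFAULT'."""
    hash_alg: Optional[str] = None            # hashAlgorithm OID
    mgf: Optional[Tuple[str, str]] = None     # (maskGenAlgorithm OID, its hash OID)
    salt_length: Optional[int] = None         # saltLength
    trailer_field: Optional[int] = None       # trailerField

    def effective(self) -> Tuple[str, Tuple[str, str], int, int]:
        """Fill in DEFAULTs so that an absent field and an explicitly encoded
        default compare equal ("default values are considered to be the
        same as extant values")."""
        return (
            DEFAULT_HASH if self.hash_alg is None else self.hash_alg,
            DEFAULT_MGF if self.mgf is None else self.mgf,
            DEFAULT_SALT_LENGTH if self.salt_length is None else self.salt_length,
            DEFAULT_TRAILER_FIELD if self.trailer_field is None else self.trailer_field,
        )


def check_pss_params(sig_params: PssParams,
                     cert_params: Optional[PssParams],
                     digest_alg: str) -> List[str]:
    """Apply the Section 3 consistency rules.

    sig_params  -- RSASSA-PSS-params from SignerInfo.signatureAlgorithm
    cert_params -- RSASSA-PSS-params from the certificate's
                   subjectPublicKeyInfo.algorithm, or None when the key is
                   rsaEncryption or id-RSASSA-PSS with absent parameters
    digest_alg  -- OID of the hash used over the signedAttributes

    Returns a list of rule violations; an empty list means the parameters
    are acceptable and ordinary RSASSA-PSS verification may proceed.
    """
    problems = []
    s_hash, s_mgf, s_salt, s_trailer = sig_params.effective()

    # The hash used on signedAttributes MUST equal hashAlgorithm in the
    # signature's RSASSA-PSS-params.
    if s_hash != digest_alg:
        problems.append("hashAlgorithm in signature params differs from "
                        "digest algorithm used on signedAttributes")

    # The four additional steps apply only when the certificate key is
    # id-RSASSA-PSS with parameters present.
    if cert_params is not None:
        c_hash, c_mgf, c_salt, c_trailer = cert_params.effective()
        if s_hash != c_hash:
            problems.append("step 1: hashAlgorithm differs from certificate")
        if s_mgf != c_mgf:
            problems.append("step 2: maskGenAlgorithm differs from certificate")
        if s_salt < c_salt:
            problems.append("step 3: saltLength below certificate minimum")
        if s_trailer != c_trailer:
            problems.append("step 4: trailerField differs from certificate")
    return problems


if __name__ == "__main__":
    # Constructed sample: a certificate that pins SHA-256, MGF1/SHA-256 and
    # a 32-byte salt, checked against a signature whose parameters were
    # left at the SHA-1 / 20-byte defaults.  The check reports steps 1-3.
    cert = PssParams(OID_SHA256, (OID_MGF1, OID_SHA256), 32)
    weak_sig = PssParams()
    for p in check_pss_params(weak_sig, cert, OID_SHA1):
        print("REJECT:", p)
```

The comparison is done on the normalised ("effective") values rather than on the raw decoded fields: a verifier that compared the encoded structures byte for byte would wrongly reject a signature that spells out a default the certificate leaves absent, and a verifier that skipped the comparison when the signature's field is absent would accept the downgrade to SHA-1 and a 20-byte salt that the sample above rejects.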