idnits 2.17.1 draft-popov-cryptopro-cpalgs-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 17. -- Found old boilerplate from RFC 3978, Section 5.5 on line 2541. ** This document has an original RFC 3978 Section 5.4 Copyright Line, instead of the newer IETF Trust Copyright according to RFC 4748. ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead of the newer disclaimer which includes the IETF Trust according to RFC 4748. ** The document seems to lack an RFC 3979 Section 5, para. 1 IPR Disclosure Acknowledgement. ** The document seems to lack an RFC 3979 Section 5, para. 2 IPR Disclosure Acknowledgement. ** The document seems to lack an RFC 3979 Section 5, para. 3 IPR Disclosure Invitation. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- ** The document seems to lack a 1id_guidelines paragraph about 6 months document validity -- however, there's a paragraph with a matching beginning. Boilerplate error? Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 741 has weird spacing: '...modules gostR...' == Line 747 has weird spacing: '...modules gostR...' == Line 751 has weird spacing: '...modules gostR...' == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 15, 2005) is 6832 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '0' on line 859 -- Looks like a reference, but probably isn't: '1' on line 420 -- Looks like a reference, but probably isn't: '7' on line 416 -- Looks like a reference, but probably isn't: '8' on line 431 == Missing Reference: 'GOST341194' is mentioned on line 546, but not defined ** Obsolete normative reference: RFC 2246 (ref. 'TLS') (Obsoleted by RFC 4346) Summary: 10 errors (**), 0 flaws (~~), 6 warnings (==), 8 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Draft Vladimir Popov, CRYPTO-PRO 3 Igor Kurepkin, CRYPTO-PRO 4 Expires January 15, 2006 Serguei Leontiev, CRYPTO-PRO 5 Intended Category: Informational July 15, 2005 7 Additional cryptographic algorithms for use with GOST 28147-89, 8 GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 algorithms. 10 12 Status of this Memo 14 By submitting this Internet-Draft, each author represents that any 15 applicable patent or other IPR claims of which he or she is aware 16 have been or will be disclosed, and any of which he or she becomes 17 aware will be disclosed, in accordance with Section 6 of BCP 79. 19 Internet-Drafts are working documents of the Internet Engineering 20 Task Force (IETF), its areas, and its working groups. Note that 21 other groups may also distribute working documents as Internet- 22 Drafts. 24 Internet-Drafts are draft documents valid for a maximum of six months 25 and may be updated, replaced, or obsoleted by other documents at any 26 time. It is inappropriate to use Internet-Drafts as reference 27 material or to cite them other than a "work in progress." 29 The list of current Internet-Drafts can be accessed at 30 http://www.ietf.org/1id-abstracts.html 32 The list of Internet-Draft Shadow Directories can be accessed at 33 http://www.ietf.org/shadow.html 35 Copyright Notice 37 Copyright (C) The Internet Society (2005). 39 Abstract 41 This document describes the cryptographic algorithms and parameters 42 supplementary to the original GOST specifications GOST 28147-89, GOST 43 R 34.10-94, GOST R 34.10-2001 and GOST R 34.11-94 for use in Internet 44 applications. 46 Table of Contents 47 1 Introduction . . . . . . . . . . . . . . . . . . . . . . 2 48 1.2 Terminology. . . . . . . . . . . . . . . . . . . . . . . 2 49 2 Cipher modes and parameters. . . . . . . . . . . . . . . 3 50 2.1 GOST 28147-89 CBC mode . . . . . . . . . . . . . . . . . 4 51 2.2 GOST 28147-89 padding modes. . . . . . . . . . . . . . . 4 52 2.3 Key Meshing Algorithms . . . . . . . . . . . . . . . . . 4 53 2.3.1 Null Key Meshing . . . . . . . . . . . . . . . . . . . . 5 54 2.3.2 CryptoPro Key Meshing. . . . . . . . . . . . . . . . . . 5 55 3 HMAC_GOSTR3411 . . . . . . . . . . . . . . . . . . . . . 6 56 4 PRF_GOSTR3411. . . . . . . . . . . . . . . . . . . . . . 6 57 5 Key Derivation Algorithms. . . . . . . . . . . . . . . . 6 58 5.1 VKO GOST R 34.10-94. . . . . . . . . . . . . . . . . . . 6 59 5.2 VKO GOST R 34.10-2001. . . . . . . . . . . . . . . . . . 7 60 6 Key Wrap algorithms. . . . . . . . . . . . . . . . . . . 7 61 6.1 GOST 28147-89 Key Wrap . . . . . . . . . . . . . . . . . 7 62 6.2 GOST 28147-89 Key Unrap. . . . . . . . . . . . . . . . . 8 63 6.3 CryptoPro Key Wrap . . . . . . . . . . . . . . . . . . . 8 64 6.4 CryptoPro Key Unwrap . . . . . . . . . . . . . . . . . . 9 65 6.5 CryptoPro KEK Diversification Algorithm. . . . . . . . . 9 66 7 Secret Key Diversification . . . . . . . . . . . . . . . 9 67 8 Algorithm parameters . . . . . . . . . . . . . . . . . . 10 68 8.1 Encryption algorithm parameters . . . . . . . . . . . . 10 69 8.2 Digest algorithm parameters. . . . . . . . . . . . . . . 11 70 8.3 GOST R 34.10-94 public key algorithm parameters . . . . 12 71 8.4 GOST R 34.10-2001 public key algorithm parameters. . . . 13 72 9 Security Considerations. . . . . . . . . . . . . . . . . 14 73 10 Appendix ASN.1 Modules . . . . . . . . . . . . . . . . . 14 74 11 References . . . . . . . . . . . . . . . . . . . . . . . 50 75 12 Acknowledgments. . . . . . . . . . . . . . . . . . . . . 51 76 Author's Addresses. . . . . . . . . . . . . . . . . . . . . . . 52 77 Full Copyright Statement. . . . . . . . . . . . . . . . . . . . 53 79 1 Introduction 81 Russian cryptographic standards that define the algorithms GOST 82 28147-89 [GOST28147], GOST R 34.10-94 [GOSTR341094], GOST R 83 34.10-2001 [GOSTR341001] and GOST R34.11-94 [GOSTR341194] provide 84 basic information about how the algorithms work, but need 85 supplemental specifications to effectively use the algorithms (a 86 brief english technical description of these algorithms can be found 87 in [Schneier95]). 89 This document is a proposal put forward by the CRYPT-PRO Company to 90 provide supplemental information and specifications needed by the 91 "Russian Cryptographic Software Compatibility Agreement" community. 93 1.2 Terminology 95 In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD, 96 SHOULD NOT, RECOMMENDED, and MAY are to be interpreted as described 97 in [RFC 2119]. 99 The following functions and operators are also used in this document: 101 '|' stands for concatenation. 103 encryptECB (K, D) - is D, encrypted with key K using GOST 28147-89 in 104 "prostaya zamena" (ECB) mode. 106 decryptECB (K, D) - is D, decrypted with key K using GOST 28147-89 in 107 ECB mode. 109 encryptCFB (IV, K, D) - is D, encrypted with key K using GOST 110 28147-89 in "gammirovanie s obratnoj svyaziyu" (64-bit CFB) mode, and 111 IV as initialization vector. 113 encryptCNT (IV, K, D) - is D, encrypted with key K using GOST 114 28147-89 in "gammirovanie" (counter) mode, and IV as initialization 115 vector. 117 gostR3411 (D) - is the 256-bit result of GOST R 34.11-94 hash 118 function, used with zero intitialization vector, and S-Box parameter, 119 defined by gostR3411CryptoProParamSetAI (see Appendix, 120 GostR3411-94-ParamSetSyntax module). 122 gost28147IMIT (IV, K, D) - is the 32-bit result of GOST 28147-89 in 123 "imitovstavka" (MAC) mode, used with D as plaintext, K as key and IV 124 as initialization vector. Note, that standard specifies it's use in 125 this mode only with zero initialization vector. 127 When keys and initialization vectors are converted to/from byte 128 arrays, little-endian byte order is assumed. 130 2 Cipher modes and parameters 132 This document defines four cipher properties that allow an 133 implementer to vary cipher operations. The four parameters are the 134 cipher mode, the key meshing algorithm, the padding mode, and the S- 135 box. 137 [GOST28147] defines only three cipher modes for GOST 28147-89: ECB, 138 CFB and counter mode. This document defines an additional cipher 139 mode, CBC. 141 When GOST 28147-89 is used to process large amounts of data, a 142 symmetric key should be protected by key meshing algorithm. Key 143 meshing transforms a symmetric key after some amount of data has been 144 processed. This document defines CryptoPro key meshing algorithm. 146 The cipher mode, key meshing algorithm, padding mode, and S-box are 147 specified by algorithm parameters. 149 2.1 GOST 28147-89 CBC mode 151 This section provides the supplemental information to GOST 28147-89 152 (a block to block primitive) needed to operate in CBC mode. 154 Before each plaintext block is encrypted, it is combined with the 155 cipher text of the previous block via a bitwise XOR operation. This 156 ensures that even if the plaintext contains many identical blocks, 157 each block will encrypt to a different cipher text block. The 158 initialization vector is combined with the first plaintext block by a 159 bitwise XOR operation before the block is encrypted. 161 2.2 GOST 28147-89 padding modes 163 This section provides the supplemental information to GOST 28147-89, 164 needed to operate on plaintext where the length is not divisible by 165 GOST 28147-89 block size (8 bytes). 167 Let x (0 < x < 8) be the number of bytes in the last, possibly 168 incomplete, block of data. 170 There are three padding modes: 171 * Zero padding: 8-x remaining bytes are filled with zero 172 * PKCS#5 padding: 8-x remaining bytes are filled with value of 8-x. 173 If there's no incomplete block, one extra block filled with 174 value 8 is added. 175 * Random padding: 8-x remaining bytes of the last block are 176 set to random. 178 2.3 Key Meshing Algorithms 180 Key meshing algorithms transform the key after processing a certain 181 amount of data. In applications that must be strictly robust to 182 attacks based on timing and EMI analysis one symmetric key should not 183 be used for quantities of plaintext larger than 1024 octets. 185 Key meshing algorithm affects internal cipher state; it is not a 186 protocol level feature. Its role is similar to that of a cipher mode. 187 The choice of key meshing algorithm is usually dictated by the 188 encryption algorithm parameters, but some protocols explicitly 189 specify applicable key meshing algorithms. 191 All encryption parameter sets defined in this document specify the 192 use of CryptoPro key meshing algorithm, except for id- 193 Gost28147-89-TestParamSet, which specifies use of null key meshing 194 algorithm. 196 2.3.1 Null Key Meshing 198 The null key meshing algorithm never changes a key. 200 The identifier for this algorithm is: 202 id-Gost28147-89-None-KeyMeshing OBJECT IDENTIFIER ::= 203 { id-CryptoPro-algorithms keyMeshing(14) none(0) } 205 There are no meaningful parameters to this algorithm. If present, 206 AlgorithmIdentifier.parameters MUST contain NULL. 208 2.3.2 CryptoPro Key Meshing 210 The CryptoPro key meshing algorithm transforms the key and 211 initialization vector every 1024 octets (8192 bits, or 256 64-bit 212 blocks) of plaintext data. 214 This algorithm has the same drawback as OFB cipher mode - it is 215 impossible to re-establish crypto synch while decrypting a 216 ciphertext, when some parts of encrypted data are corrupted, lost or 217 processed out of order. Furthermore, it is impossible to re-synch 218 even if an IV for each data packet is provided explicitly. Use of 219 this algorithm in such protocols as IPsec ESP requires special care. 221 The identifier for this algorithm is: 223 id-Gost28147-89-CryptoPro-KeyMeshing OBJECT IDENTIFIER ::= 224 { id-CryptoPro-algorithms keyMeshing(14) cryptoPro(1) } 226 There are no meaningful parameters to this algorithm. If present, 227 AlgorithmIdentifier.parameters MUST contain NULL. 229 Encryption or decryption starts with key K[0] = K, IV0[0] = IV, i = 230 0. Let IV[0] be the value of the initialization vector after 231 processing the first 1024 octets of data. Encryption or decryption of 232 the next 1024 octets will start with K[1] and IV0[1], which are 233 calculated using the formula: 235 K[i+1] = decryptECB (K[i], C); 236 IV0[i+1] = encryptECB (K[i+1],IV[i]) 238 Where C = {0x69, 0x00, 0x72, 0x22, 0x64, 0xC9, 0x04, 0x23, 239 0x8D, 0x3A, 0xDB, 0x96, 0x46, 0xE9, 0x2A, 0xC4, 240 0x18, 0xFE, 0xAC, 0x94, 0x00, 0xED, 0x07, 0x12, 241 0xC0, 0x86, 0xDC, 0xC2, 0xEF, 0x4C, 0xA9, 0x2B}; 243 After processing every 1024 octets of data: 244 * the resulting initialization vector is stored as IV[i]. 245 * K[i+1] and IV0[i+1] are calculated 246 * i is incremented. 247 * Encryption or decryption of next 1024 bytes starts, using 248 the new key and IV. 249 The process is repeated until all the data has been processed. 251 3 HMAC_GOSTR3411 253 HMAC_GOSTR3411 (K,text) function is based on hash function GOST R 254 34.11-94, as defined in [HMAC], with the following parameter values: 255 B = 32, L = 32. 257 4 PRF_GOSTR3411 259 PRF_GOSTR3411 is a pseudorandom function, based on HMAC_GOSTR3411. 260 It is calculated as P_hash, defined in section 5 of [TLS]. 261 PRF_GOSTR3411(secret,label,seed) = P_GOSTR3411 (secret,label|seed). 263 5 Key Derivation Algorithms 265 Standards [GOSTR341094] and [GOSTR341001] do not define any key 266 derivation algorithms. 268 Section 5.1 specifies algorithm VKO GOST R 34.10-94, which generates 269 GOST KEK using two GOST R 34.10-94 keypairs. 271 Section 5.2 specifies algorithm VKO GOST R 34.10-2001, which 272 generates GOST KEK using two GOST R 34.10-2001 keypairs and UKM. 274 Keypairs MUST have identical parameters. 276 5.1 VKO GOST R 34.10-94 278 This algorithm creates a key encryption key (KEK) using the sender's 279 private key and the recipient's public key (or vice versa). 281 Exchange key KEK is a 256-bit hash of the 1024-bit shared secret that 282 is generated using Diffie-Hellman key agreement. 284 1) Let K(x,y) = a^(x*y) (mod p), where 285 x - sender's private key, a^x - sender's public key 286 y - recipient's private key, a^y - recipient's public key 287 a, p - parameters 288 2) Calculate a 256-bit hash of K(x,y): 289 KEK(x,y) = gostR3411 (K(x,y)) 291 Keypairs x and y MUST comply with [GOSTR341094]. 293 This algorithm MUST NOT be used when a^x = a (mod p) or a^y = a (mod 294 p). 296 5.2 VKO GOST R 34.10-2001 298 This algorithm creates a key encryption key (KEK) using 64 bit UKM, 299 the sender's private key and the recipient's public key (or the 300 reverse of the latter pair). 302 1) Let K(x,y,UKM) = ((UKM*x)(mod q)) . (y.P) (512 bit), where 303 x - sender's private key (256 bit) 304 x.P - sender's public key (512 bit) 305 y - recipient's private key (256 bit) 306 y.P - recipient's public key (512 bit) 307 UKM - User Keying Material (64 bit) 308 P - base point on the elliptic curve (two 256-bit coordinates) 309 UKM*x - x multiplied by UKM as integers 310 x.P - a multiple point 312 2) Calculate a 256-bit hash of K(x,y,UKM): 313 KEK(x,y,UKM) = gostR3411 (K(x,y,UKM)) 315 Keypairs x and y MUST comply with [GOSTR341001]. 317 This algorithm MUST NOT be used when x.P = P, y.P = P 319 6 Key Wrap algorithms 321 This document defines two key wrap algorithms: GOST 28147-89 Key Wrap 322 and CryptoPro Key Wrap. These are used to encrypt a Content 323 Encryption Key (CEK) with a Key Encryption Key (KEK). 325 6.1 GOST 28147-89 Key Wrap 327 This algorithm encrypts GOST 28147-89 CEK with a GOST 28147-89 KEK. 329 Note: This algorithm MUST NOT be used with a KEK produced by VKO GOST 330 R 34.10-94, because such a KEK is constant for every sender-recipient 331 pair. Encrypting many different content encryption keys on the same 332 constant KEK may reveal that KEK. 334 The identifier for this algorithm is: 336 id-Gost28147-89-None-KeyWrap OBJECT IDENTIFIER ::= 337 { id-CryptoPro-algorithms keyWrap(13) none(0) } 339 The GOST 28147-89 key wrap algorithm is: 341 1) For a unique symmetric KEK, generate 8 octets at random, call the 342 result UKM. For a KEK, produced by VKO GOST R 34.10-2001, use the 343 UKM that was used for key derivation. 344 2) Compute a 4-byte checksum value, gost28147IMIT (UKM, KEK, CEK). 345 Call the result CEK_MAC. 346 3) Encrypt the CEK in ECB mode using the KEK. Call the ciphertext 347 CEK_ENC. 348 4) The wrapped content-encryption key is (UKM | CEK_ENC | CEK_MAC). 350 6.2 GOST 28147-89 Key Unwrap 352 This algorithm decrypts GOST 28147-89 CEK with a GOST 28147-89 KEK. 353 The GOST 28147-89 key unwrap algorithm is: 355 1) If the wrapped content-encryption key is not 44 octets, then 356 error. 357 2) Decompose the the wrapped content-encryption key into UKM, 358 CEK_ENC and CEK_MAC. UKM is the most significant (first) 8 359 octets. CEK_ENC is next 32 octets, and CEK_MAC is the least 360 significant (last) 4 octets. 361 3) Decrypt CEK_ENC in ECB mode using the KEK. Call the output CEK. 362 4) Compute a 4-byte checksum value, gost28147IMIT (UKM, KEK, CEK), 363 compare the result with CEK_MAC. If not equal, then error. 365 6.3 CryptoPro Key Wrap 367 This algorithm encrypts GOST 28147-89 CEK with a GOST 28147-89 KEK. 368 It can be used with any KEK (e.g. produced by VKO GOST R 34.10-94 or 369 VKO GOST R 34.10-2001) because unique UKM is used to diversify the 370 KEK. 372 Identifier for this algorithm: 374 id-Gost28147-89-CryptoPro-KeyWrap OBJECT IDENTIFIER ::= 375 { id-CryptoPro-algorithms keyWrap(13) cryptoPro(1) } 377 The CryptoPro key wrap algorithm is: 379 1) For a unique symmetric KEK or a KEK produced by VKO GOST R 380 34.10-94, generate 8 octets at random. Call the result UKM. For 381 a KEK, produced by VKO GOST R 34.10-2001, use the UKM that was 382 used for key derivation. 383 2) Diversify KEK, using the CryptoPro KEK Diversification Algorithm, 384 described in section 6.5. Call the result KEK(UKM). 385 3) Compute a 4-byte checksum value, gost28147IMIT (UKM, KEK(UKM), 386 CEK). Call the result CEK_MAC. 387 4) Encrypt CEK in ECB mode using KEK(UKM). Call the ciphertext 388 CEK_ENC. 389 5) The wrapped content-encryption key is (UKM | CEK_ENC | CEK_MAC). 391 6.4 CryptoPro Key Unrap 393 This algorithm encrypts GOST 28147-89 CEK with a GOST 28147-89 KEK. 394 The CryptoPro key unwrap algorithm is: 396 1) If the wrapped content-encryption key is not 44 octets, then 397 error. 398 2) Decompose the the wrapped content-encryption key into UKM, 399 CEK_ENC and CEK_MAC. UKM is the most significant (first) 8 400 octets. CEK_ENC is next 32 octets, and CEK_MAC is the least 401 significant (last) 4 octets. 402 3) Diversify KEK using the CryptoPro KEK Diversification Algorithm, 403 described in section 6.5. Call the result KEK(UKM). 404 4) Decrypt CEK_ENC in ECB mode using KEK(UKM). Call the output CEK. 405 5) Compute a 4-byte checksum value, gost28147IMIT (UKM, KEK(UKM), 406 CEK), compare the result with CEK_MAC. If not equal, then error. 408 6.5 CryptoPro KEK Diversification Algorithm 410 Given a random 64-bit UKM, and a GOST 28147-89 key K, this algorithm 411 creates a new GOST 28147-89 key K(UKM). 413 1) Let K[0] = K; 415 2) UKM is split into components a[i,j]: 416 UKM = a[0]|..|a[7] (a[i] - byte, a[i,0]..a[i,7] - it's bits) 418 3) Let i be 0. 420 4) K[1]..K[8] are calculated by repeating the 421 following algorithm eight times: 423 A) K[i] is split into components k[i,j]: 424 K[i] = k[i,0]|k[i,1]|..|k[i,7] (k[i,j] - 32-bit integer) 425 B) Vector S[i] is calculated: 426 S[i] = ((a[i,0]*k[i,0] + ... + a[i,7]*k[i,7]) mod 2^32) 427 | ((~a[i,0]*k[i,0] + ... + ~a[i,7]*k[i,7]) mod 2^32); 428 C) K[i+1] = encryptCFB (S[i], K[i], K[i]) 429 D) i = i + 1 431 5) Let K(UKM) be K[8]. 433 7 Secret Key Diversification 435 This algorithm creates a GOST 28147-89 key Kd, given GOST R 34.10-94 436 or GOST R 34.10-2001 secret key K and diversification data D of size 437 4..40 bytes. 439 1) 40-byte blob B is created from D by cloning it enough times to 440 fill all 40 bytes. For example, if D is 40-bytes long, B = D; If 441 D is 4-bytes long, B = D|D|D|D|D|D|D|D|D|D. 443 2) B is split into 8-byte UKM and 32-byte SRCKEY (B = UKM|SRCKEY). 445 3) The algorithm from section 6.5 is used to create K(UKM) from key 446 K and UKM with two differences: 447 * Instead of S[i], vector (0,0,0,UKM[i],ff,ff,ff,ff XOR UKM[i]) 448 is used. 449 * During each encryption step, only 8 out of 32 GOST 28147-89 450 rounds are done. 452 4) Kd is calculated: 453 Kd = encryptCFB (UKM, K(UKM), SRCKEY). 455 8 Algorithm parameters 457 Standards [GOST28147], [GOST341194], [GOSTR341094] and [GOSTR341001] 458 do not define specific values for algorithm parameters. 460 This document introduces the use of ASN.1 object identifiers (OIDs) 461 to specify algorithm parameters. 463 Identifiers and corresponding parameter values for all of the 464 proposed parameter sets can be found in the Appendix in the form of 465 ASN.1 modules [X.660]. 467 8.1 Encryption algorithm parameters 469 GOST 28147-89 can be used in several modes, additional CBC mode is 470 defined in section 2.1 this document. It also has an S-Box parameter 471 (see Algorithm Parameters part in [GOST28147] in Russian, description 472 in English see in [Schneier95] ch. 14.1, p. 331). 474 This table contains the list of proposed parameter sets for GOST 475 28147-89: 477 Gost28147-89-ParamSetAlgorithms ALGORITHM-IDENTIFIER ::= { 478 { Gost28147-89-ParamSetParameters IDENTIFIED BY 479 id-Gost28147-89-TestParamSet } | 480 { Gost28147-89-ParamSetParameters IDENTIFIED BY 481 id-Gost28147-89-CryptoPro-A-ParamSet } | 482 { Gost28147-89-ParamSetParameters IDENTIFIED BY 483 id-Gost28147-89-CryptoPro-B-ParamSet } | 484 { Gost28147-89-ParamSetParameters IDENTIFIED BY 485 id-Gost28147-89-CryptoPro-C-ParamSet } | 486 { Gost28147-89-ParamSetParameters IDENTIFIED BY 487 id-Gost28147-89-CryptoPro-D-ParamSet } | 488 { Gost28147-89-ParamSetParameters IDENTIFIED BY 489 id-Gost28147-89-CryptoPro-Simple-A-ParamSet } | 490 { Gost28147-89-ParamSetParameters IDENTIFIED BY 491 id-Gost28147-89-CryptoPro-Simple-B-ParamSet } | 492 { Gost28147-89-ParamSetParameters IDENTIFIED BY 493 id-Gost28147-89-CryptoPro-Simple-C-ParamSet } | 494 { Gost28147-89-ParamSetParameters IDENTIFIED BY 495 id-Gost28147-89-CryptoPro-Simple-D-ParamSet } 496 } 498 Identifier values are in the Appendix. 500 Parameters for GOST 28147-89 are presented in the following form: 502 Gost28147-89-ParamSetParameters ::= SEQUENCE { 503 eUZ Gost28147-89-UZ, 504 mode INTEGER { 505 gost28147-89-CNT(0), 506 gost28147-89-CFB(1), 507 cryptoPro-CBC(2) 508 }, 509 shiftBits INTEGER { gost28147-89-block(64) }, 510 keyWrap AlgorithmIdentifier, 511 keyMeshing AlgorithmIdentifier 512 } 513 Gost28147-89-UZ ::= OCTET STRING (SIZE (64)) 514 Gost28147-89-KeyMeshingAlgorithms ALGORITHM-IDENTIFIER ::= { 515 { NULL IDENTIFIED BY id-Gost28147-89-CryptoPro-KeyMeshing } | 516 { NULL IDENTIFIED BY id-Gost28147-89-None-KeyMeshing } 517 } 518 Gost28147-89-KeyWrapAlgorithms ALGORITHM-IDENTIFIER ::= { 519 { NULL IDENTIFIED BY id-Gost28147-89-CryptoPro-KeyWrap } | 520 { NULL IDENTIFIED BY id-Gost28147-89-None-KeyWrap } 521 } 523 where 524 eUZ - S-box value; 525 mode - cipher mode; 526 shiftBits - cipher parameter; 527 keyWrap - key export algorithm identifier; 528 keyMeshing - key meshing algorithm identifier. 530 8.2 Digest algorithm parameters 532 This table contains the list of proposed parameter sets for 533 [GOST341194]: 535 GostR3411-94-ParamSetAlgorithms ALGORITHM-IDENTIFIER ::= { 536 { GostR3411-94-ParamSetParameters IDENTIFIED BY 537 id-GostR3411-94-TestParamSet 538 } | 539 { GostR3411-94-ParamSetParameters IDENTIFIED BY 540 id-GostR3411-94-CryptoProParamSet 541 } 542 } 544 Identifier values are in the Appendix. 546 Parameters for [GOST341194] are presented in the following form: 548 GostR3411-94-ParamSetParameters ::= 549 SEQUENCE { 550 hUZ Gost28147-89-UZ, -- S-Box for digest 551 h0 GostR3411-94-Digest -- start digest value 552 } 553 GostR3411-94-Digest ::= OCTET STRING (SIZE (32)) 555 8.3 GOST R 34.10-94 public key algorithm parameters 557 This table contains the list of proposed parameter sets for GOST R 558 34.10-94: 560 GostR3410-94-ParamSetAlgorithm ALGORITHM-IDENTIFIER ::= { 561 { GostR3410-94-ParamSetParameters IDENTIFIED BY 562 id-GostR3410-94-TestParamSet } | 563 { GostR3410-94-ParamSetParameters IDENTIFIED BY 564 id-GostR3410-94-CryptoPro-A-ParamSet } | 565 { GostR3410-94-ParamSetParameters IDENTIFIED BY 566 id-GostR3410-94-CryptoPro-B-ParamSet } | 567 { GostR3410-94-ParamSetParameters IDENTIFIED BY 568 id-GostR3410-94-CryptoPro-C-ParamSet } | 569 { GostR3410-94-ParamSetParameters IDENTIFIED BY 570 id-GostR3410-94-CryptoPro-D-ParamSet } | 571 { GostR3410-94-ParamSetParameters IDENTIFIED BY 572 id-GostR3410-94-CryptoPro-XchA-ParamSet } | 573 { GostR3410-94-ParamSetParameters IDENTIFIED BY 574 id-GostR3410-94-CryptoPro-XchB-ParamSet } | 575 { GostR3410-94-ParamSetParameters IDENTIFIED BY 576 id-GostR3410-94-CryptoPro-XchC-ParamSet } 577 } 579 Identifier values are in the Appendix. 581 Parameters for GOST R 34.10-94 are presented in the following form: 583 GostR3410-94-ParamSetParameters ::= 584 SEQUENCE { 585 t INTEGER, 586 p INTEGER, 587 q INTEGER, 588 a INTEGER, 589 validationAlgorithm AlgorithmIdentifier {{ 590 GostR3410-94-ValidationAlgorithms 591 }} OPTIONAL 592 } 594 GostR3410-94-ValidationParameters ::= 595 SEQUENCE { 596 x0 INTEGER, 597 c INTEGER, 598 d INTEGER OPTIONAL 599 } 601 Where 602 t - bit length of p (512 or 1024 bits); 603 p - modulus, prime number, 2^(t-1)