idnits 2.17.1

draft-turner-lamps-adding-sha3-to-pkix-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 13, 2017) is 2600 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'DSS'

  ** Downref: Normative reference to an Informational RFC: RFC 5912

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SHA3'

  == Outdated reference: A later version (-10) exists of
     draft-ietf-curdle-pkix-03

     Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 3 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                          S. Turner
Internet-Draft                                                     sn3rd
Intended status: Standards Track                          March 13, 2017
Expires: September 14, 2017

           SHA-3 Related Algorithms and Identifiers for PKIX
               draft-turner-lamps-adding-sha3-to-pkix-01

Abstract

   This document describes the conventions for using the SHA-3 family of
   hash functions in the Internet X.509 PKI as one-way hash functions
   and with the ECDSA signature algorithm; the conventions for the
   associated ECDSA subject public keys are also described.  Digital
   signatures are used to sign certificates and CRLs (Certificate
   Revocation Lists).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 14, 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Algorithm Support
     2.1.  SHA-3 One-way Hash Functions
     2.2.  ECDSA Signature Algorithm with SHA-3
     2.3.  ECDSA Public Keys
   3.  Security Considerations
   4.  IANA Considerations
   5.  References
     5.1.  Normative References
     5.2.  Informative References
   Appendix A.  2015 ASN.1 Module
   Appendix B.  1988 ASN.1 Module
   Author's Address

1.  Introduction

   [RFC3279], [RFC4055], [RFC5480], and [I-D.ietf-curdle-pkix] define
   the contents of the signatureAlgorithm, signatureValue, signature,
   and subjectPublicKeyInfo fields within Internet X.509 certificates
   and CRLs (Certificate Revocation Lists) [RFC5280] for a number of
   algorithms.  This document does the same for the SHA-3 family of one-
   way hash functions and their use with the ECDSA and RSA PKCS#1 v1.5
   digital signature algorithms.

   Familiarity with [RFC5280] is assumed.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

2.  Algorithm Support

   This section describes cryptographic algorithms which may be used
   with the Internet X.509 Certificate and CRL profile [RFC5280].
   This section describes one-way hash functions and digital signature
   algorithms which may be used to sign certificates and CRLs, and
   identifies OIDs (Object Identifiers) for public keys contained in a
   certificate.

2.1.  SHA-3 One-way Hash Functions

   The SHA-3 family of one-way hash functions is specified in [SHA3].
   In the SHA-3 family, four hash functions are defined: SHA3-224,
   SHA3-256, SHA3-384, and SHA3-512; two extendable-output functions,
   called SHAKE128 and SHAKE256, are also defined but are not addressed
   by this document.  The respective output lengths, in bits, of the
   SHA-3 hash functions are 224, 256, 384, and 512 and as of this
   document's publication date correspond to 112, 128, 192, and 256 bits
   of security [RFC3766].  The OIDs (Object Identifiers) for these four
   hash functions are as follows:

     id-sha3-224 OBJECT IDENTIFIER ::= {
       joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
       csor(3) nistAlgorithm(4) hashAlgs(2) 7
     }

     id-sha3-256 OBJECT IDENTIFIER ::= {
       joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
       csor(3) nistAlgorithm(4) hashAlgs(2) 8
     }

     id-sha3-384 OBJECT IDENTIFIER ::= {
       joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
       csor(3) nistAlgorithm(4) hashAlgs(2) 9
     }

     id-sha3-512 OBJECT IDENTIFIER ::= {
       joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
       csor(3) nistAlgorithm(4) hashAlgs(2) 10
     }

   When using the id-sha3-224, id-sha3-256, id-sha3-384, or id-sha3-512
   algorithm identifiers, the parameters field MUST be absent; not NULL
   but absent.

2.2.  ECDSA Signature Algorithm with SHA-3

   The ECDSA (Elliptic Curve Digital Signature Algorithm) is defined in
   [DSS].
   When ECDSA is used in conjunction with one of the SHA-3 one-way hash
   functions the OID is, respectively:

     id-ecdsa-with-sha3-224 OBJECT IDENTIFIER ::= {
       joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
       csor(3) nistAlgorithm(4) sigAlgs(3) 9
     }

     id-ecdsa-with-sha3-256 OBJECT IDENTIFIER ::= {
       joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
       csor(3) nistAlgorithm(4) sigAlgs(3) 10
     }

     id-ecdsa-with-sha3-384 OBJECT IDENTIFIER ::= {
       joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
       csor(3) nistAlgorithm(4) sigAlgs(3) 11
     }

     id-ecdsa-with-sha3-512 OBJECT IDENTIFIER ::= {
       joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
       csor(3) nistAlgorithm(4) sigAlgs(3) 12
     }

   When these algorithm identifiers appear as the algorithm field in an
   AlgorithmIdentifier, the encoding MUST omit the parameters field.
   That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one
   component: the OBJECT IDENTIFIER id-ecdsa-with-sha3-224,
   id-ecdsa-with-sha3-256, id-ecdsa-with-sha3-384, or
   id-ecdsa-with-sha3-512.

   The ECParameters in the subjectPublicKeyInfo field of the issuer's
   certificate SHALL apply to the verification of the signature.

   When signing, the ECDSA algorithm generates two values.  These values
   are commonly referred to as r and s.  To easily transfer these two
   values as one signature, they MUST be ASN.1 encoded using the
   ECDSA-Sig-Value defined in [RFC3279] but repeated here for
   convenience:

     ECDSA-Sig-Value ::= SEQUENCE {
       r  INTEGER,
       s  INTEGER }

2.3.  ECDSA Public Keys

   The conventions for ECDSA public keys are as specified in [RFC5480].

3.  Security Considerations

   TBD

4.  IANA Considerations

   IANA is kindly requested to register two OIDs in the SMI Security for
   PKIX Module Identifier registry for the ASN.1 modules found in
   Appendix A.1 and A.2.
   The description is as follows:

   o  id-mod-pkix1-sha3-2015

   o  id-mod-pkix1-sha3-1988

   where the four digits at the end represent the ASN.1's publication
   date.

5.  References

5.1.  Normative References

   [DSS]      National Institute of Standards and Technology, U.S.
              Department of Commerce, "Digital Signature Standard,
              version 4", NIST FIPS PUB 186-4, 2013.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC3279]  Bassham, L., Polk, W., and R. Housley, "Algorithms and
              Identifiers for the Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April
              2002.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008.

   [RFC5480]  Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
              "Elliptic Curve Cryptography Subject Public Key
              Information", RFC 5480, DOI 10.17487/RFC5480, March 2009.

   [RFC5912]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
              Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
              DOI 10.17487/RFC5912, June 2010.

   [SHA3]     National Institute of Standards and Technology, U.S.
              Department of Commerce, "SHA-3 Standard - Permutation-
              Based Hash and Extendable-Output Functions", NIST FIPS PUB
              202, August 2015.

5.2.  Informative References

   [I-D.ietf-curdle-pkix]
              Josefsson, S. and J. Schaad, "Algorithm Identifiers for
              Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and X448 for
              use in the Internet X.509 Public Key Infrastructure",
              draft-ietf-curdle-pkix-03 (work in progress), November
              2016.

   [RFC3766]  Orman, H. and P. Hoffman, "Determining Strengths For
              Public Keys Used For Exchanging Symmetric Keys", BCP 86,
              RFC 3766, DOI 10.17487/RFC3766, April 2004.

   [RFC4055]  Schaad, J., Kaliski, B., and R. Housley, "Additional
              Algorithms and Identifiers for RSA Cryptography for use in
              the Internet X.509 Public Key Infrastructure Certificate
              and Certificate Revocation List (CRL) Profile", RFC 4055,
              DOI 10.17487/RFC4055, June 2005.

Appendix A.  2015 ASN.1 Module

   PKIXAlgsForSHA3-2015 { iso(1) identified-organization(3) dod(6)
     internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
     id-mod-pkix1-sha3-2015(TBD) }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL;

   IMPORTS

   PUBLIC-KEY, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, SMIME-CAPS
     FROM AlgorithmInformation-2009  -- in [RFC5912]
       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
         mechanisms(5) pkix(7) id-mod(0)
         id-mod-algorithmInformation-02(58) }

   pk-ec, id-ecPublicKey, ECPoint, ECDSA-Sig-Value
     FROM PKIXAlgs-2009  -- in [RFC5912]
       { iso(1) identified-organization(3) dod(6) internet(1) security(5)
         mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkix1-algorithms2008-02(56) }

   ;

   --
   -- Message Digest Algorithms (mda-)
   --

   HashAlgs DIGEST-ALGORITHM ::= {
     ...,
     -- This expands HashAlgs from [RFC5912]
     mda-sha3-256 |
     mda-sha3-384 |
     mda-sha3-512
   }

   -- SHA3-256

   mda-sha3-256 DIGEST-ALGORITHM ::= {
     IDENTIFIER id-sha3-256
     PARAMS ARE absent
   }

   id-sha3-256 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithm(4) hashAlgs(2) 8
   }

   -- SHA3-384

   mda-sha3-384 DIGEST-ALGORITHM ::= {
     IDENTIFIER id-sha3-384
     PARAMS ARE absent
   }

   id-sha3-384 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithm(4) hashAlgs(2) 9
   }

   -- SHA3-512

   mda-sha3-512 DIGEST-ALGORITHM ::= {
     IDENTIFIER id-sha3-512
     PARAMS ARE absent
   }

   id-sha3-512 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithm(4) hashAlgs(2) 10
   }

   --
   -- Public Key (pk-) Algorithms
   --

   -- See [RFC5912].

   --
   -- Signature Algorithms (sa-)
   --

   SignatureAlgs SIGNATURE-ALGORITHM ::= {
     ...,
     -- This expands SignatureAlgorithms from [RFC5912]
     sa-ecdsaWithSHA3-256 |
     sa-ecdsaWithSHA3-384 |
     sa-ecdsaWithSHA3-512
   }

   -- ECDSA with SHA3-256

   sa-ecdsaWithSHA3-256 SIGNATURE-ALGORITHM ::= {
     IDENTIFIER id-ecdsa-with-sha3-256
     VALUE ECDSA-Sig-Value
     PARAMS TYPE NULL ARE absent
     HASHES { mda-sha3-256 }
     PUBLIC-KEYS { pk-ec }
     SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-sha3-256 }
   }

   id-ecdsa-with-sha3-256 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithm(4) sigAlgs(3) 10
   }

   -- ECDSA with SHA3-384

   sa-ecdsaWithSHA3-384 SIGNATURE-ALGORITHM ::= {
     IDENTIFIER id-ecdsa-with-sha3-384
     VALUE ECDSA-Sig-Value
     PARAMS TYPE NULL ARE absent
     HASHES { mda-sha3-384 }
     PUBLIC-KEYS { pk-ec }
     SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-sha3-384 }
   }

   id-ecdsa-with-sha3-384 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithm(4) sigAlgs(3) 11
   }

   -- ECDSA with SHA3-512

   sa-ecdsaWithSHA3-512 SIGNATURE-ALGORITHM ::= {
     IDENTIFIER id-ecdsa-with-sha3-512
     VALUE ECDSA-Sig-Value
     PARAMS TYPE NULL ARE absent
     HASHES { mda-sha3-512 }
     PUBLIC-KEYS { pk-ec }
     SMIME-CAPS { IDENTIFIED BY id-ecdsa-with-sha3-512 }
   }

   id-ecdsa-with-sha3-512 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithm(4) sigAlgs(3) 12
   }

   --
   -- SMIME Capabilities (sa-)
   --

   SMimeCaps SMIME-CAPS ::= {
     ...,
     -- This expands SMimeCaps from [RFC5912]
     sa-ecdsaWithSHA3-256.&smimeCaps |
     sa-ecdsaWithSHA3-384.&smimeCaps |
     sa-ecdsaWithSHA3-512.&smimeCaps
   }

   END

Appendix B.  1988 ASN.1 Module

   PKIXAlgsForSHA3-1988 { iso(1) identified-organization(3) dod(6)
     internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
     id-mod-pkix1-sha3-1988(TBD) }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL;

   -- IMPORTS NONE;

   --
   -- Message Digest Algorithms
   --

   -- SHA3-256
   -- Parameters are absent

   id-sha3-256 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithm(4) hashAlgs(2) 8
   }

   -- SHA3-384
   -- Parameters are absent

   id-sha3-384 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithm(4) hashAlgs(2) 9
   }

   -- SHA3-512
   -- Parameters are absent

   id-sha3-512 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithm(4) hashAlgs(2) 10
   }

   --
   -- ECDSA Keys, Signatures, and Curves
   --

   -- OID for ECDSA signatures with SHA3-256

   id-ecdsa-with-sha3-256 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithm(4) sigAlgs(3) 10
   }

   -- OID for ECDSA signatures with SHA3-384

   id-ecdsa-with-sha3-384 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithm(4) sigAlgs(3) 11
   }

   -- OID for ECDSA signatures with SHA3-512

   id-ecdsa-with-sha3-512 OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithm(4) sigAlgs(3) 12
   }

   -- See [RFC5480] for ECDSA-Sig-Value, which is the format for
   -- the value of an ECDSA signature value.

   -- See [RFC5480] for ECDSA Keys and Curves.

   END

Author's Address

   Sean Turner
   sn3rd

   Email: sean@sn3rd.com
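
Added example (not part of the draft or its ASN.1 modules): a small Python DER encoder and checker for the Section 2.1 and 2.2 identifiers. It builds the one-component AlgorithmIdentifier, reports whether a received encoding carries absent, NULL or other parameters, and encodes ECDSA-Sig-Value; all function names are illustrative assumptions.

```python
# Added example, not the draft's code. OIDs are those of Sections 2.1 and 2.2.
BITS = (224, 256, 384, 512)
OIDS = {f"id-sha3-{b}": f"2.16.840.1.101.3.4.2.{n}" for b, n in zip(BITS, (7, 8, 9, 10))}
OIDS.update({f"id-ecdsa-with-sha3-{b}": f"2.16.840.1.101.3.4.3.{n}"
             for b, n in zip(BITS, (9, 10, 11, 12))})

def tlv(tag, body):  # DER tag-length-value, short or long definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def oid_body(dotted):  # content octets of an OBJECT IDENTIFIER (base-128 arcs)
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while (arc := arc >> 7):
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def algorithm_identifier(name):  # SEQUENCE of one component, parameters omitted
    return tlv(0x30, tlv(0x06, oid_body(OIDS[name])))

def read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def params_state(der):  # -> (name or None, "absent" | "NULL" | "other")
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid, pos = read_tlv(seq)
    if tag != 0x06:
        raise ValueError("first component is not an OBJECT IDENTIFIER")
    name = next((k for k, v in OIDS.items() if oid_body(v) == oid), None)
    rest = seq[pos:]
    return name, "absent" if not rest else "NULL" if rest == b"\x05\x00" else "other"

def ecdsa_sig_value(r, s):  # SEQUENCE { r INTEGER, s INTEGER }, r and s >= 0
    enc = lambda v: tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    return tlv(0x30, enc(r) + enc(s))
```

A verifier following the text would reject any encoding for which params_state reports "NULL" or "other" for one of these OIDs.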