rfcdiff: draft-ietf-lamps-cms-hash-sig-06.txt vs. draft-ietf-lamps-cms-hash-sig-07.txt
(Lines common to both drafts appear once; where the drafts differ, the
lines are marked "-06:" and "-07:".)

INTERNET-DRAFT                                               R. Housley
Internet Engineering Task Force (IETF)                   Vigil Security
Intended Status: Proposed Standard
-06: Expires: 26 August 2019                           26 February 2019
-07: Expires: 6 September 2019                             6 March 2019

           Use of the HSS/LMS Hash-based Signature Algorithm
               in the Cryptographic Message Syntax (CMS)
-06:           <draft-ietf-lamps-cms-hash-sig-06>
-07:           <draft-ietf-lamps-cms-hash-sig-07>

Abstract

   This document specifies the conventions for using the HSS/LMS
   hash-based signature algorithm with the Cryptographic Message Syntax
   (CMS).  In addition, the algorithm identifier and public key syntax
   are provided.  The HSS/LMS algorithm is one form of hash-based
   digital signature; it is described in [HASHSIG].

Status of this Memo
[skipping to change at page 2, line 25]

   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents (-06)

   1.  Introduction ................................................  3
     1.1.  ASN.1 ...................................................  3
     1.2.  Terminology .............................................  3
   2.  HSS/LMS Hash-based Signature Algorithm Overview .............  3
     2.1.  Hierarchical Signature System (HSS) .....................  4
     2.2.  Leighton-Micali Signature (LMS) .........................  4
     2.3.  Leighton-Micali One-time Signature Algorithm (LM-OTS) ...  5
   3.  Algorithm Identifiers and Parameters ........................  6
   4.  HSS/LMS Public Key Identifier ...............................  7
   5.  Signed-data Conventions .....................................  8
   6.  Security Considerations .....................................  9
   7.  IANA Considerations ......................................... 10
   8.  Acknowledgements ............................................ 11
   9.  References .................................................. 11
     9.1.  Normative References .................................... 11
     9.2.  Informative References .................................. 11
   Appendix: ASN.1 Module .......................................... 13
   Author's Address ................................................ 16

Table of Contents (-07)

   1.  Introduction ................................................  3
     1.1.  ASN.1 ...................................................  3
     1.2.  Terminology .............................................  3
     1.3.  Algorithm Considerations ................................  3
   2.  HSS/LMS Hash-based Signature Algorithm Overview .............  4
     2.1.  Hierarchical Signature System (HSS) .....................  4
     2.2.  Leighton-Micali Signature (LMS) .........................  5
     2.3.  Leighton-Micali One-time Signature Algorithm (LM-OTS) ...  6
   3.  Algorithm Identifiers and Parameters ........................  7
   4.  HSS/LMS Public Key Identifier ...............................  8
   5.  Signed-data Conventions .....................................  8
   6.  Security Considerations .....................................  9
     6.1.  Implementation Security Considerations ..................  9
     6.2.  Algorithm Security Considerations .......................  9
   7.  IANA Considerations ......................................... 10
   8.  References .................................................. 10
     8.1.  Normative References .................................... 10
     8.2.  Informative References .................................. 11
   Appendix: ASN.1 Module .......................................... 13
   Acknowledgements ................................................ 14
   Author's Address ................................................ 14
1.  Introduction

   This document specifies the conventions for using the HSS/LMS hash-
   based signature algorithm with the Cryptographic Message Syntax (CMS)
   [CMS] signed-data content type.  The Leighton-Micali Signature (LMS)
   system provides a one-time digital signature that is a variant of
   Merkle Tree Signatures (MTS).  The Hierarchical Signature System
   (HSS) is built on top of the LMS system to efficiently scale for a
   larger number of signatures.  The HSS/LMS algorithm is one form of

[skipping to change at page 3, line 47]

1.3.  Algorithm Considerations

   At Black Hat USA 2013, some researchers gave a presentation on the
   current state of public key cryptography.  They said: "Current
   cryptosystems depend on discrete logarithm and factoring which has
   seen some major new developments in the past 6 months" [BH2013].
   They encouraged preparation for a day when RSA and DSA cannot be
   depended upon.

-06: A post-quantum cryptosystem is a system that is secure against
-07: A post-quantum cryptosystem [PQC] is a system that is secure against
   quantum computers that have more than a trivial number of quantum
   bits.  It is open to conjecture when it will be feasible to build
   such a machine.  RSA, DSA, and ECDSA are not post-quantum secure.
   The LM-OTS one-time signature, LMS, and HSS do not depend on discrete
   logarithm or factoring; as a result, these algorithms are considered
   to be post-quantum secure.

   Hash-based signatures [HASHSIG] are currently defined to use
   exclusively SHA-256 [SHS].  An IANA registry is defined so that other
[skipping to change at page 11, line 5 (-06) / page 10, line 42 (-07)]

   In the SMI Security for S/MIME Algorithms (1.2.840.113549.1.9.16.3)
   registry, change the description for value 17 to
   "id-alg-hss-lms-hashsig" and change the reference to point to this
   document.

   Also, add the following note to the registry:

      Value 17, "id-alg-hss-lms-hashsig", is also referred to as
      "id-alg-mts-hashsig".

-06: 8.  Acknowledgements
-06:
-06:    Many thanks to Scott Fluhrer, Jonathan Hammell, Panos Kampanakis, Jim
-06:    Schaad, Sean Turner, and Daniel Van Geest for their careful review
-06:    and comments.
-06:
-06: 9.  References
-07: 8.  References
-06: 9.1.  Normative References
-07: 8.1.  Normative References

   [ASN1-B]  ITU-T, "Information technology -- Abstract Syntax Notation
             One (ASN.1): Specification of basic notation", ITU-T
             Recommendation X.680, 2015.

   [ASN1-E]  ITU-T, "Information technology -- ASN.1 encoding rules:
             Specification of Basic Encoding Rules (BER), Canonical
             Encoding Rules (CER) and Distinguished Encoding Rules
             (DER)", ITU-T Recommendation X.690, 2015.

[skipping to change at page 12, line 5 (-06) / page 11, line 38 (-07)]

   [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in
             RFC 2119 Key Words", BCP 14, RFC 8174,
             DOI 10.17487/RFC8174, May 2017,
             <https://www.rfc-editor.org/info/rfc8174>.

   [SHS]     National Institute of Standards and Technology (NIST),
             FIPS Publication 180-3: Secure Hash Standard, October
             2008.

-06: 9.2.  Informative References
-07: 8.2.  Informative References

   [BH2013]  Ptacek, T., T. Ritter, J. Samuel, and A. Stamos, "The
             Factoring Dead: Preparing for the Cryptopocalypse", August
             2013,
             <https://media.blackhat.com/us-13/us-13-Stamos-The-Factoring-Dead.pdf>.

   [CMSASN1] Hoffman, P. and J. Schaad, "New ASN.1 Modules for
             Cryptographic Message Syntax (CMS) and S/MIME", RFC 5911,
             DOI 10.17487/RFC5911, June 2010,
             <http://www.rfc-editor.org/info/rfc5911>.
[skipping to change at page 13, line 30 (-06) / page 13, line 20 (-07)]

     DEFINITIONS IMPLICIT TAGS ::= BEGIN

   EXPORTS ALL;

   IMPORTS
     PUBLIC-KEY, SIGNATURE-ALGORITHM, SMIME-CAPS
     FROM AlgorithmInformation-2009  -- RFC 5911 [CMSASN1]
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
-06:     id-mod-algorithmInformation-02(58) }
-07:     id-mod-algorithmInformation-02(58) } ;
-07:
-07:   mda-sha256
-07:   FROM PKIX1-PSS-OAEP-Algorithms-2009  -- RFC 5912 [PKIXASN1]
-07:     { iso(1) identified-organization(3) dod(6)
-07:       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
-07:       id-mod-pkix1-rsa-pkalgs-02(54) } ;

   --
   -- Object Identifiers
   --

   id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1)
       member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
       smime(16) alg(3) 17 }

   id-alg-mts-hashsig OBJECT IDENTIFIER ::= id-alg-hss-lms-hashsig

   --
   -- Signature Algorithm and Public Key
   --

   sa-HSS-LMS-HashSig SIGNATURE-ALGORITHM ::= {
       IDENTIFIER id-alg-hss-lms-hashsig
       PARAMS ARE absent
-07:   HASHES { mda-sha256 }
       PUBLIC-KEYS { pk-HSS-LMS-HashSig }
       SMIME-CAPS { IDENTIFIED BY id-alg-hss-lms-hashsig } }

   pk-HSS-LMS-HashSig PUBLIC-KEY ::= {
       IDENTIFIER id-alg-hss-lms-hashsig
       KEY HSS-LMS-HashSig-PublicKey
       PARAMS ARE absent
       CERT-KEY-USAGE
         { digitalSignature, nonRepudiation, keyCertSign, cRLSign } }

[skipping to change at page 14, line 40 (-06) / page 14, line 20 (-07)]

   --
   -- Expand the S/MIME capabilities set used by CMS [CMSASN1]
   --

   SMimeCaps SMIME-CAPS ::=
       { sa-HSS-LMS-HashSig.&smimeCaps, ... }

   END
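As an added example (not code from either draft), the following Python encodes the AlgorithmIdentifier for id-alg-hss-lms-hashsig from the module above in DER, and checks a received AlgorithmIdentifier against the module's "PARAMS ARE absent" rule, rejecting an encoding that carries a parameters field; the function names are the example's own.

```python
# Added example, not from the draft: DER encode and strictly check the
# AlgorithmIdentifier for id-alg-hss-lms-hashsig (PARAMS ARE absent).

# Arcs from the module: iso(1) member-body(2) us(840) rsadsi(113549)
# pkcs(1) pkcs9(9) smime(16) alg(3) 17
ID_ALG_HSS_LMS_HASHSIG = (1, 2, 840, 113549, 1, 9, 16, 3, 17)


def der_len(n: int) -> bytes:
    """Definite-form DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(arcs) -> bytes:
    """OBJECT IDENTIFIER TLV: first two arcs fused as 40*a+b, the rest base-128."""
    content = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]  # final 7-bit group keeps its high bit clear
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        content.extend(reversed(groups))
    return b"\x06" + der_len(len(content)) + bytes(content)


def encode_algorithm_identifier() -> bytes:
    """AlgorithmIdentifier SEQUENCE carrying only the OID, as the module requires."""
    oid = encode_oid(ID_ALG_HSS_LMS_HASHSIG)
    return b"\x30" + der_len(len(oid)) + oid


def check_algorithm_identifier(der: bytes) -> str:
    """Return 'ok', or the reason a received AlgorithmIdentifier is unacceptable."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        return "not a well-formed short-length SEQUENCE"
    body = der[2:]
    if len(body) < 2 or body[0] != 0x06 or body[1] > len(body) - 2:
        return "algorithm field is not an OBJECT IDENTIFIER"
    oid_tlv, rest = body[: 2 + body[1]], body[2 + body[1]:]
    if oid_tlv != encode_oid(ID_ALG_HSS_LMS_HASHSIG):
        return "unexpected algorithm OID"
    if rest:  # e.g. an explicit NULL, which some encoders add by habit
        return "parameters present, but the module says PARAMS ARE absent"
    return "ok"
```

Because DER is canonical, a verifier can compare a received AlgorithmIdentifier byte-for-byte against encode_algorithm_identifier(); the checker above gives the same verdict but reports which rule was violated.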
-07: Acknowledgements
-07:
-07:    Many thanks to Scott Fluhrer, Jonathan Hammell, Panos Kampanakis, Jim
-07:    Schaad, Sean Turner, and Daniel Van Geest for their careful review
-07:    and comments.

Author's Address

   Russ Housley
   Vigil Security, LLC
   516 Dranesville Road
   Herndon, VA 20170
   USA

   EMail: housley@vigilsec.com

End of changes.  15 change blocks.  31 lines changed or deleted, 25 lines changed or added.
This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/