draft-ietf-lamps-cms-shakes-13.txt   draft-ietf-lamps-cms-shakes-14.txt 
LAMPS WG P. Kampanakis LAMPS WG P. Kampanakis
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Updates: 3370 (if approved) Q. Dang Updates: 3370 (if approved) Q. Dang
Intended status: Standards Track NIST Intended status: Standards Track NIST
Expires: January 22, 2020 July 21, 2019 Expires: January 22, 2020 July 21, 2019
Use of the SHAKE One-way Hash Functions in the Cryptographic Message Use of the SHAKE One-way Hash Functions in the Cryptographic Message
Syntax (CMS) Syntax (CMS)
draft-ietf-lamps-cms-shakes-13 draft-ietf-lamps-cms-shakes-14
Abstract Abstract
This document updates the "Cryptographic Message Syntax Algorithms" This document updates the "Cryptographic Message Syntax Algorithms"
(RFC3370) and describes the conventions for using the SHAKE family of (RFC3370) and describes the conventions for using the SHAKE family of
hash functions in the Cryptographic Message Syntax as one-way hash hash functions in the Cryptographic Message Syntax as one-way hash
functions with the RSA Probabilistic signature and ECDSA signature functions with the RSA Probabilistic signature and ECDSA signature
algorithms. The conventions for the associated signer public keys in algorithms. The conventions for the associated signer public keys in
CMS are also described. CMS are also described.
skipping to change at page 2, line 11 skipping to change at page 2, line 11
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
3. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Identifiers . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Use in CMS . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 7 4.1. Message Digests . . . . . . . . . . . . . . . . . . . . . 7
4.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 7 4.2. Signatures . . . . . . . . . . . . . . . . . . . . . . . 7
4.2.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 8 4.2.1. RSASSA-PSS Signatures . . . . . . . . . . . . . . . . 8
4.2.2. ECDSA Signatures . . . . . . . . . . . . . . . . . . 8 4.2.2. ECDSA Signatures . . . . . . . . . . . . . . . . . . 9
4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 9 4.3. Public Keys . . . . . . . . . . . . . . . . . . . . . . . 9
4.4. Message Authentication Codes . . . . . . . . . . . . . . 10 4.4. Message Authentication Codes . . . . . . . . . . . . . . 10
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
6. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.1. Normative References . . . . . . . . . . . . . . . . . . 11 8.1. Normative References . . . . . . . . . . . . . . . . . . 11
8.2. Informative References . . . . . . . . . . . . . . . . . 12 8.2. Informative References . . . . . . . . . . . . . . . . . 12
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 14 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
1. Change Log 1. Change Log
[ EDNOTE: Remove this section before publication. ] [ EDNOTE: Remove this section before publication. ]
o draft-ietf-lamps-cms-shake-13: o draft-ietf-lamps-cms-shake-13:
* Fixing error with incorrect preimage resistance bits for SHA128
and SHA256.
o draft-ietf-lamps-cms-shake-13:
* Addressing comments from Dan M.'s secdir review. * Addressing comments from Dan M.'s secdir review.
* Addressing comment from Scott B.'s opsdir review about * Addressing comment from Scott B.'s opsdir review about
references in the abstract. references in the abstract.
o draft-ietf-lamps-cms-shake-12: o draft-ietf-lamps-cms-shake-12:
* Nits identified by Roman, Barry L. in ballot position review. * Nits identified by Roman, Barry L. in ballot position review.
o draft-ietf-lamps-cms-shake-11: o draft-ietf-lamps-cms-shake-11:
skipping to change at page 8, line 29 skipping to change at page 8, line 33
the same: both SHAKE128 or both SHAKE256. The output length of the the same: both SHAKE128 or both SHAKE256. The output length of the
hash algorithm which hashes the message SHALL be 32 (for SHAKE128) or hash algorithm which hashes the message SHALL be 32 (for SHAKE128) or
64 bytes (for SHAKE256). 64 bytes (for SHAKE256).
The mask generation function takes an octet string of variable length The mask generation function takes an octet string of variable length
and a desired output length as input, and outputs an octet string of and a desired output length as input, and outputs an octet string of
the desired length. In RSASSA-PSS with SHAKEs, the SHAKEs MUST be the desired length. In RSASSA-PSS with SHAKEs, the SHAKEs MUST be
used natively as the MGF function, instead of the MGF1 algorithm that used natively as the MGF function, instead of the MGF1 algorithm that
uses the hash function in multiple iterations as specified in uses the hash function in multiple iterations as specified in
Section B.2.1 of [RFC8017]. In other words, the MGF is defined as Section B.2.1 of [RFC8017]. In other words, the MGF is defined as
the SHAKE128 or SHAKE256 output of the mgfSeed for id-RSASSA-PSS- the SHAKE128 or SHAKE256 with input being the mgfSeed for id-RSASSA-
SHAKE128 and id-RSASSA-PSS-SHAKE256, respectively. The mgfSeed is PSS- SHAKE128 and id-RSASSA-PSS-SHAKE256, respectively. The mgfSeed
the seed from which mask is generated, an octet string [RFC8017]. As is the seed from which mask is generated, an octet string [RFC8017].
explained in Step 9 of section 9.1.1 of [RFC8017], the output length As explained in Step 9 of section 9.1.1 of [RFC8017], the output
of the MGF is emLen - hLen - 1 bytes. emLen is the maximum message length of the MGF is emLen - hLen - 1 bytes. emLen is the maximum
length ceil((n-1)/8), where n is the RSA modulus in bits. hLen is 32 message length ceil((n-1)/8), where n is the RSA modulus in bits.
and 64-bytes for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-SHAKE256, hLen is 32 and 64-bytes for id-RSASSA-PSS-SHAKE128 and id-RSASSA-PSS-
respectively. Thus when SHAKE is used as the MGF, the SHAKE output SHAKE256, respectively. Thus when SHAKE is used as the MGF, the
length maskLen is (8*emLen - 264) or (8*emLen - 520) bits, SHAKE output length maskLen is (8*emLen - 264) or (8*emLen - 520)
respectively. For example, when RSA modulus n is 2048, the output bits, respectively. For example, when RSA modulus n is 2048, the
length of SHAKE128 or SHAKE256 as the MGF will be 1784 or 1528-bits output length of SHAKE128 or SHAKE256 as the MGF will be 1784 or
when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 is used, 1528-bits when id-RSASSA-PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 is
respectively. used, respectively.
The RSASSA-PSS saltLength MUST be 32 bytes for id-RSASSA-PSS-SHAKE128 The RSASSA-PSS saltLength MUST be 32 bytes for id-RSASSA-PSS-SHAKE128
or 64 bytes for id-RSASSA-PSS-SHAKE256. Finally, the trailerField or 64 bytes for id-RSASSA-PSS-SHAKE256. Finally, the trailerField
MUST be 1, which represents the trailer field with hexadecimal value MUST be 1, which represents the trailer field with hexadecimal value
0xBC [RFC8017]. 0xBC [RFC8017].
4.2.2. ECDSA Signatures 4.2.2. ECDSA Signatures
The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in
[X9.62]. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256 [X9.62]. When the id-ecdsa-with-shake128 or id-ecdsa-with-shake256
skipping to change at page 10, line 50 skipping to change at page 11, line 8
This document updates [RFC3370]. The security considerations section This document updates [RFC3370]. The security considerations section
of that document applies to this specification as well. of that document applies to this specification as well.
NIST has defined appropriate use of the hash functions in terms of NIST has defined appropriate use of the hash functions in terms of
the algorithm strengths and expected time frames for secure use in the algorithm strengths and expected time frames for secure use in
Special Publications (SPs) [SP800-78-4] and [SP800-107]. These Special Publications (SPs) [SP800-78-4] and [SP800-107]. These
documents can be used as guides to choose appropriate key sizes for documents can be used as guides to choose appropriate key sizes for
various security scenarios. various security scenarios.
SHAKE128 with output length of 256-bits offers 128-bits of collision SHAKE128 with output length of 256-bits offers 128-bits of collision
and 256-bits of preimage resistance. Thus, SHAKE128 OIDs in this preimage resistance. Thus, SHAKE128 OIDs in this specification are
specification are RECOMMENDED with 2048 (112-bit security) or RECOMMENDED with 2048 (112-bit security) or 3072-bit (128-bit
3072-bit (128-bit security) RSA modulus or curves with group order of security) RSA modulus or curves with group order of 256-bits (128-bit
256-bits (128-bit security). SHAKE256 with 512-bits output length security). SHAKE256 with 512-bits output length offers 256-bits of
offers 256-bits of collision and 512-bits of preimage resistance. collision and preimage resistance. Thus, the SHAKE256 OIDs in this
Thus, the SHAKE256 OIDs in this specification are RECOMMENDED with specification are RECOMMENDED with 4096-bit RSA modulus or higher or
4096-bit RSA modulus or higher or curves with group order of 384-bits curves with group order of 521-bits (256-bit security) or higher.
(256-bit security) or higher. Note that we recommended 4096-bit RSA Note that we recommended 4096-bit RSA because we would need 15360-bit
because we would need 15360-bit modulus for 256-bits of security modulus for 256-bits of security which is impractical for today's
which is impractical for today's technology. technology.
When more than two parties share the same message-authentication key, When more than two parties share the same message-authentication key,
data origin authentication is not provided. Any party that knows the data origin authentication is not provided. Any party that knows the
message-authentication key can compute a valid MAC, therefore the message-authentication key can compute a valid MAC, therefore the
content could originate from any one of the parties. content could originate from any one of the parties.
7. Acknowledgements 7. Acknowledgements
This document is based on Russ Housley's draft This document is based on Russ Housley's draft
[I-D.housley-lamps-cms-sha3-hash]. It replaces SHA3 hash functions [I-D.housley-lamps-cms-sha3-hash]. It replaces SHA3 hash functions
 End of changes. 6 change blocks. 
26 lines changed or deleted 31 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/