rfcdiff: draft-ietf-lamps-cms-shakes-14.txt  vs.  draft-ietf-lamps-cms-shakes-15.txt
(Text common to both versions appears once; where the versions differ,
each passage is shown under its draft number.)

LAMPS WG                                                    P. Kampanakis
Internet-Draft                                              Cisco Systems
Updates: 3370 (if approved)                                       Q. Dang
Intended status: Standards Track                                     NIST
Expires: January 22, 2020                                   July 21, 2019

   Use of the SHAKE One-way Hash Functions in the Cryptographic Message
                               Syntax (CMS)
        draft-ietf-lamps-cms-shakes-14  ->  draft-ietf-lamps-cms-shakes-15

Abstract

   This document updates the "Cryptographic Message Syntax Algorithms"
   (RFC3370) and describes the conventions for using the SHAKE family of
   hash functions in the Cryptographic Message Syntax as one-way hash
   functions with the RSA Probabilistic signature and ECDSA signature
   algorithms.  The conventions for the associated signer public keys in
   CMS are also described.

[skipping to change at page 2, line 34]

   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  11
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  12
   Appendix A.  ASN.1 Module . . . . . . . . . . . . . . . . . . . .  14
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  18
1.  Change Log

   [ EDNOTE: Remove this section before publication. ]

   -14:
   o  draft-ietf-lamps-cms-shake-13:

      *  Fixing error with incorrect preimage resistance bits for SHA128
         and SHA256.

   -15:
   o  draft-ietf-lamps-cms-shake-15:

      *  Minor editorial nits.

   o  draft-ietf-lamps-cms-shake-14:

      *  Fixing error with incorrect preimage resistance bits for SHA128
         and SHA256.

   (both versions)
   o  draft-ietf-lamps-cms-shake-13:

      *  Addressing comments from Dan M.'s secdir review.

      *  Addressing comment from Scott B.'s opsdir review about
         references in the abstract.
[skipping to change at page 11, line 8]

   This document updates [RFC3370].  The security considerations section
   of that document applies to this specification as well.

   NIST has defined appropriate use of the hash functions in terms of
   the algorithm strengths and expected time frames for secure use in
   Special Publications (SPs) [SP800-78-4] and [SP800-107].  These
   documents can be used as guides to choose appropriate key sizes for
   various security scenarios.

   -14:
   SHAKE128 with output length of 256-bits offers 128-bits of collision
   preimage resistance.  Thus, SHAKE128 OIDs in this specification are
   RECOMMENDED with 2048 (112-bit security) or 3072-bit (128-bit
   security) RSA modulus or curves with group order of 256-bits (128-bit
   security).  SHAKE256 with 512-bits output length offers 256-bits of
   collision and preimage resistance.  Thus, the SHAKE256 OIDs in this
   specification are RECOMMENDED with 4096-bit RSA modulus or higher or
   curves with group order of 521-bits (256-bit security) or higher.

   -15:
   SHAKE128 with output length of 256-bits offers 128-bits of collision
   and preimage resistance.  Thus, SHAKE128 OIDs in this specification
   are RECOMMENDED with 2048 (112-bit security) or 3072-bit (128-bit
   security) RSA modulus or curves with group order of 256-bits (128-bit
   security).  SHAKE256 with 512-bits output length offers 256-bits of
   collision and preimage resistance.  Thus, the SHAKE256 OIDs in this
   specification are RECOMMENDED with 4096-bit RSA modulus or higher or
   curves with group order of at least 521-bits (256-bit security).

   Note that we recommended 4096-bit RSA because we would need 15360-bit
   modulus for 256-bits of security which is impractical for today's
   technology.
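As an added illustration of the sizing rule in this section (this is not text or code from the draft or its authors): the Python below derives the collision and preimage strength of a SHAKE output from the sponge capacity as FIPS 202 defines it, maps RSA moduli and curve orders to NIST SP 800-57 strength levels, and checks a signer-key choice against the RECOMMENDED pairings above. It generalizes beyond the two output lengths the text names to arbitrary output lengths. The function names, the constructed sample message, and the rounding of RSA sizes down to the nearest SP 800-57 row are assumptions of this example, not part of the specification.

```python
import hashlib

# Sponge capacity c of each SHAKE XOF (FIPS 202).  Collision resistance of
# a d-bit output is min(d/2, c/2) and preimage resistance is min(d, c/2),
# so strength saturates at 128 bits for SHAKE128 and 256 bits for SHAKE256.
SHAKE_CAPACITY_BITS = {"SHAKE128": 256, "SHAKE256": 512}

# Comparable-strength rows for RSA moduli from NIST SP 800-57 Part 1.
# Assumption of this example: a modulus between rows is rated at the row
# below it, so RSA-4096 is treated as 128-bit strength.
RSA_STRENGTH = {2048: 112, 3072: 128, 7680: 192, 15360: 256}


def shake_strength(name, output_bits):
    """Return (collision_bits, preimage_bits) for a SHAKE output length."""
    cap = SHAKE_CAPACITY_BITS[name] // 2
    return min(output_bits // 2, cap), min(output_bits, cap)


def shake_digest(name, data, output_bits):
    """Produce the d-bit SHAKE output using hashlib's XOF interface."""
    xof = hashlib.shake_128(data) if name == "SHAKE128" else hashlib.shake_256(data)
    return xof.digest(output_bits // 8)


def rsa_strength(modulus_bits):
    """Strength of an RSA modulus: largest SP 800-57 row not exceeding it."""
    rows = [s for m, s in RSA_STRENGTH.items() if m <= modulus_bits]
    return max(rows) if rows else 0  # moduli below 2048 are out of scope


def ec_strength(order_bits):
    """Generic-group bound for ECDSA: roughly half the group-order size."""
    return order_bits // 2


def key_strength(key_kind, key_bits):
    return rsa_strength(key_bits) if key_kind == "RSA" else ec_strength(key_bits)


def recommended(shake, output_bits, key_kind, key_bits):
    """True iff the combination is one this draft marks RECOMMENDED."""
    if shake == "SHAKE128" and output_bits == 256:
        return (key_kind == "RSA" and key_bits in (2048, 3072)) or (
            key_kind == "EC" and key_bits == 256)
    if shake == "SHAKE256" and output_bits == 512:
        return (key_kind == "RSA" and key_bits >= 4096) or (
            key_kind == "EC" and key_bits >= 521)
    return False


def effective_strength(shake, output_bits, key_kind, key_bits):
    """The signature is only as strong as its weakest component: the
    collision resistance of the hash or the strength of the signing key."""
    collision, _ = shake_strength(shake, output_bits)
    return min(collision, key_strength(key_kind, key_bits))


if __name__ == "__main__":
    msg = b"constructed sample content"  # constructed input for the demo
    for shake, d, kind, bits in [("SHAKE128", 256, "RSA", 2048),
                                 ("SHAKE128", 256, "EC", 256),
                                 ("SHAKE256", 512, "RSA", 4096),
                                 ("SHAKE256", 512, "EC", 521),
                                 ("SHAKE256", 512, "RSA", 15360)]:
        print(f"{shake}/{d} + {kind}-{bits}: digest {len(shake_digest(shake, msg, d))} bytes,"
              f" hash {shake_strength(shake, d)}, effective {effective_strength(shake, d, kind, bits)}"
              f" bits, recommended={recommended(shake, d, kind, bits)}")
```

Running the block shows the point the draft makes in its note: SHAKE256 with a 512-bit output paired with RSA-4096 still yields only about 128 bits of effective strength, because reaching 256 bits on the RSA side would require the impractical 15360-bit modulus, whereas the 521-bit curve reaches the full 256 bits.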
   When more than two parties share the same message-authentication key,
   data origin authentication is not provided.  Any party that knows the
   message-authentication key can compute a valid MAC, therefore the
   content could originate from any one of the parties.

7.  Acknowledgements
End of changes.  4 change blocks.  5 lines changed or deleted, 9 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/