[Docs] [txt|pdf|xml|html] [Tracker] [WG] [Email] [Nits]

Versions: 00 01 02 03 04 05 06 07 08

LAMPS WG                                                   P. Kampanakis
Internet-Draft                                             Cisco Systems
Intended status: Standards Track                                 Q. Dang
Expires: May 3, 2018                                                NIST
                                                        October 30, 2017


                   Put Your Internet Draft Title Here
                     draft-ietf-lamps-pkix-shake-00

Abstract

   This document describes the conventions for using the SHAKE family of
   hash functions in the Internet X.509 PKI as one-way hash functions
   with the RSA, DSA and ECDSA signature algorithms; the conventions for
   the associated subject public keys are also described.  Digital
   signatures are used to sign messages, certificates and CRLs
   (Certificate Revocation Lists).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 3, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of



Kampanakis & Dang          Expires May 3, 2018                  [Page 1]


Internet-Draft              Abbreviated Title               October 2017


   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Change Log  . . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Algorithm support . . . . . . . . . . . . . . . . . . . . . .   2
     3.1.  SHAKE One-Way Hash Functions  . . . . . . . . . . . . . .   2
     3.2.  Signature Algorithms  . . . . . . . . . . . . . . . . . .   3
       3.2.1.  RSA with SHAKE  . . . . . . . . . . . . . . . . . . .   3
       3.2.2.  DSA with SHAKE  . . . . . . . . . . . . . . . . . . .   3
       3.2.3.  ECDSA with SHAKE  . . . . . . . . . . . . . . . . . .   4
     3.3.  Public Keys . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Appendix A.  ASN.1 module . . . . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Change Log

   o  draft-kampanakis-adding-shake-to-pkix-00:

      *  Initial version

2.  Introduction

   EDNOTE: More here.

3.  Algorithm support

   This section describes several cryptographic algorithms which may be
   used with the Internet X.509 Certificate and CRL profile [RFC5280].
   This section describes two one-way hash functions and digital
   signature algorithms using these functions, which may be used to sign
   certificates and CRLs, and identifies OIDs (Object Identifiers) for
   public keys contained in certificates.

3.1.  SHAKE One-Way Hash Functions

   The SHA-3 family of one-way hash functions is specified in [SHA3].
   In the SHA-3 family, two extendable-output functions, called SHAKE128
   and SHAKE256 are defined.  Four hash functions, SHA3-224, SHA3-256,
   SHA3-384, and SHA3-512 are also defined but are out of scope for this



Kampanakis & Dang          Expires May 3, 2018                  [Page 2]


Internet-Draft              Abbreviated Title               October 2017


   document.  The output lengths, in bits, of the SHAKE hash functions
   is defined by the parameter d.  The corresponding collision and
   preimage resistance security levels for SHAKE128 and SHAKE256 are
   respectively min(d/2,128) and min(d,128) and min(d/2,256) and
   min(d,256).  The OIDs (Object Identifiers) for these two hash
   functions are as follows:



id-shake128 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
                                country(16) us(840) organization(1) gov(101) csor(3)
                                nistalgorithm(4) hashalgs(2) 11 }



id-shake256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2)
                        country(16) us(840) organization(1) gov(101) csor(3)
                        nistalgorithm(4) hashalgs(2) 12 }

   The output length, d, is always 256 and 512 bits for SHAKE128 and
   SHAKE256 respectively in this specification.

3.2.  Signature Algorithms

3.2.1.  RSA with SHAKE

   EDNOTE: To be discussed by the WG about what RSA standard with SHAKE
   is to be covered by this draft.



   shake128WithRSAEncryption  OBJECT IDENTIFIER  ::=  { }



   shake256withRSAEncryption OBJECT IDENTIFIER ::= { }

3.2.2.  DSA with SHAKE

   The DSA algorithm is defined in the Digital Signature Standard (DSS)
   [FIPS186-4].  When SHAKE128 is used with DSA, the OID is:

  id-dsa-with-shake128 OBJECT IDENTIFIER  ::=  { joint-iso-ccitt(2)
                    country(16) us(840) organization(1) gov(101) csor(3)
                    algorithms(4) id-dsa-with-shake(3) x }

   When SHAKE256 is used with DSA, the OID is:




Kampanakis & Dang          Expires May 3, 2018                  [Page 3]


Internet-Draft              Abbreviated Title               October 2017


id-dsa-with-shake256 OBJECT IDENTIFIER  ::=  { joint-iso-ccitt(2)
                  country(16) us(840) organization(1) gov(101) csor(3) algorithms(4)
                  id-dsa-with-shake(3) y }

   EDNOTE: "x" and "y" will be specified by NIST later.

   When the id-dsa-with-shake128 or id-dsa-with-shake256 algorithm
   identifier appears in the algorithm field as an AlgorithmIdentifier,
   the encoding SHALL omit the parameters field.  That is, the
   AlgorithmIdentifier SHALL be a SEQUENCE of one component, the OID id-
   dsa-with-shake128 or id-dsa-with-shake256.

   Encoding rules for DSA signature values are specified in [RFC3279].

   Conforming CA implementations that generate DSA signatures for
   certificates or CRLs MUST generate such DSA signatures in accordance
   with all the requirements in Section 4 in [FIPS186-4].  The lengths
   of p and q must be at least 2048 and 224 bits respectively.

3.2.3.  ECDSA with SHAKE

   The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in
   "Public Key Cryptography for the Financial Services Industry: The
   Elliptic Curve Digital Signature Standard (ECDSA)" [X9.62].  The
   ASN.1 OIDs of ECDSA signature algorithms using SHAKE128 and SHAKE256,
   are below:



id-ecdsa-with-shake128 OBJECT IDENTIFIER  ::=  { joint-iso-ccitt(2)
                        country(16) us(840) organization(1) gov(101) csor(3) algorithms(4)
                        id-ecdsa-with-shake(3) x }



id-ecdsa-with-shake256 OBJECT IDENTIFIER  ::=  { joint-iso-ccitt(2)
                        country(16) us(840) organization(1) gov(101) csor(3) algorithms(4)
                        id-ecdsa-with-shake(3) y }

   EDNOTE: "x" and "y" will be specified by NIST later.

   When the id-ecdsa-with-SHAKE128 or id-ecdsa-with-SHAKE256, algorithm
   identifier appears in the algorithm field as an AlgorithmIdentifier,
   the encoding MUST omit the parameters field.  That is, the
   AlgorithmIdentifier SHALL be a SEQUENCE of one component, the OID
   ecdsa-with-SHAKE128 or ecdsa-with-SHAKE256.





Kampanakis & Dang          Expires May 3, 2018                  [Page 4]


Internet-Draft              Abbreviated Title               October 2017


   Conforming CA implementations MUST specify the hash algorithm
   explicitly using the OIDs specified above when encoding ECDSA/SHAKE
   signatures in certificates and CRLs.

   Conforming client implementations that process ECDSA signatures with
   any of the SHAKE hash algorithms when processing certificates and
   CRLs MUST recognize the corresponding OIDs specified above.

   Encoding rules for ECDSA signature values are specified in [RFC3279],
   Section 2.2.3, and [RFC5480].

   Conforming CA implementations that generate ECDSA signatures in
   certificates or CRLs MUST generate such ECDSA signatures in
   accordance with all the requirements specified in Sections 7.2 and
   7.3 of [X9.62] or with all the requirements specified in
   Section 4.1.3 of [SEC1].  They MAY also generate such ECDSA
   signatures in accordance with all the recommendations in [X9.62] or
   [SEC1] if they have a stated policy that requires conformance to
   these standards.  These standards above may have not specified
   SHAKE128 and SHAKE256 as hash algorithm options.  However, SHAKE128
   and SHAKE256 with output length being 256 and 512 bits respectively
   are subtitutions for 256 and 512-bit output hash algorithms such as
   SHA256 and SHA512 used in the standards.

   EDNOTE: Depending on the updates to the Charter, the group may want
   to consider an EdDSA with SHAKE section here.

3.3.  Public Keys

   The conventions for RSA, DSA and ECDSA public keys are as specified
   in [RFC3279] and [RFC5480].

   We include them here for convenience:

   EDNOTE: Add the public key OIDs here.



   ...  OBJECT IDENTIFIER  ::=  { }



   ... OBJECT IDENTIFIER ::= { }








Kampanakis & Dang          Expires May 3, 2018                  [Page 5]


Internet-Draft              Abbreviated Title               October 2017


4.  Acknowledgements

   We would like to thank Sean Turner for his valuable contributions to
   this document.

5.  IANA Considerations

   IANA is kindly requested to register two OIDs in the SMI Security for
   PKIX Module Identifier registry for the ASN.1 modules found in
   Appendix A.  The description is as follows:

   o  EDNOTE: More here

   where the four digits at the end represent the ASN.1's publication
   date.

6.  Security Considerations

   EDNOTE: More here.

7.  References

7.1.  Normative References

   [RFC3279]  Bassham, L., Polk, W., and R. Housley, "Algorithms and
              Identifiers for the Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April
              2002, <https://www.rfc-editor.org/info/rfc3279>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC5480]  Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
              "Elliptic Curve Cryptography Subject Public Key
              Information", RFC 5480, DOI 10.17487/RFC5480, March 2009,
              <https://www.rfc-editor.org/info/rfc5480>.

   [SHA3]     National Institute of Standards and Technology, "SHA-3
              Standard - Permutation-Based Hash and Extendable-Output
              Functions FIPS PUB 202", August 2015,
              <https://www.nist.gov/publications/sha-3-standard-
              permutation-based-hash-and-extendable-output-functions>.





Kampanakis & Dang          Expires May 3, 2018                  [Page 6]


Internet-Draft              Abbreviated Title               October 2017


7.2.  Informative References

   [FIPS186-4]
              National Institute of Standards and Technology, "Digital
              Signature Standard (DSS) FIPS PUB 186-4", July 2013,
              <http://nvlpubs.nist.gov/nistpubs/FIPS/
              NIST.FIPS.186-4.pdf>.

   [SEC1]     Standards for Efficient Cryptography Group, "SEC 1:
              Elliptic Curve Cryptography", May 2009,
              <http://www.secg.org/sec1-v2.pdf>.

   [X9.62]    American National Standard for Financial Services (ANSI),
              "X9.62-2005 Public Key Cryptography for the Financial
              Services Industry: The Elliptic Curve Digital Signature
              Standard (ECDSA)", November 2005.

Appendix A.  ASN.1 module

   EDNOTE: More here.

Authors' Addresses

   Panos Kampanakis
   Cisco Systems

   Email: pkampana@cisco.com


   Quynh Dang
   NIST
   100 Bureau Drive, Stop 8930
   Gaithersburg, MD  20899-8930
   USA

   Email: quynh.dang@nist.gov















Kampanakis & Dang          Expires May 3, 2018                  [Page 7]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/