PKIX Working Group Q. Dang (NIST) Internet Draft S. Santesson Intended Category: Standards Track K. Moriarty (RSA) D. Brown (Certicom Corp.) T. Polk (NIST) March 6, 2009 Expires: September 6, 2009 Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA <draft-ietf-pkix-sha2-dsa-ecdsa-06.txt> Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress". The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id- abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents Dang, et al. Expires September 6, 2009 [Page 1]

Internet-Draft DSA/ECDSA March 2009 (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Abstract This document supplements RFC 3279. It specifies algorithm identifiers and ASN.1 encoding rules for the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures when using SHA-224, SHA-256, SHA-384 or SHA-512 as hashing algorithm. This specification applies to the Internet X.509 Public Key Infrastructure (PKI) when digital signatures are used to sign certificates and certificate revocation lists (CRLs). The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC 2119]. Table of Contents 1. Introduction.............................................3 2. One-way Hash Functions...................................3 3. Signature Algorithms.....................................4 3.1 DSA Signature Algorithm................................5 3.2 ECDSA Signature Algorithm..............................7 4. ASN.1 Module.............................................8 5. Security Considerations.................................10 6. References..............................................12 6.1 Normative references:...............................12 6.2 Informative references:.............................13 7. Authors' Addresses......................................14 8. IANA Considerations.....................................15 Dang, et al. Expires September 6, 2009 [Page 2]

Internet-Draft DSA/ECDSA March 2009 1. Introduction This specification supplements [RFC 3279], "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" and extends the list of algorithms defined for use in the Internet PKI. This document specifies algorithm identifiers and ASN.1 [X.690] encoding rules for DSA and ECDSA digital signatures in certificates and CRLs when using one of the SHA2 hash algorithms (SHA-224, SHA-256, SHA-384, and SHA-512) as the hash algorithm. This specification defines the contents of the signatureAlgorithm, signatureValue and signature fields within Internet X.509 certificates and CRLs when these objects are signed using DSA or ECDSA with a SHA2 hash algorithm. These fields are more fully described in [RFC 5280]. This document profiles material presented in the "Secure Hash Standard" [FIPS 180-3], "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Standard (ECDSA)" [X9.62], and the "Digital Signature Standard" [FIPS 186-3]. Algorithm identifiers and encoding rules for RSA, DSA and ECDSA when used with SHA-1 are specified in [RFC 3279]. Algorithm identifiers and encoding rules for RSA when used with SHA2 hash algorithms are specified in [RFC 4055]. 2. One-way Hash Functions This section identifies four additional hash algorithms for use with DSA and ECDSA in the Internet X.509 certificate and CRL profile [RFC 5280]. Dang, et al. Expires September 6, 2009 [Page 3]

Internet-Draft DSA/ECDSA March 2009 SHA-224, SHA-256, SHA-384, and SHA-512 produce a 224-bit, 256-bit, 384-bit and 512-bit "hash" of the input respectively and are fully described in the Federal Information Processing Standard 180-3 [FIPS 180-3]. The listed one-way hash functions are identified by the following object identifiers (OIDs): id-sha224 OBJECT IDENTIFIER ::= { joint- iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } id-sha256 OBJECT IDENTIFIER ::= { joint- iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } id-sha384 OBJECT IDENTIFIER ::= { joint- iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } id-sha512 OBJECT IDENTIFIER ::= { joint- iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } When one of these OIDs appears in an AlgorithmIdentifier, all implementations MUST accept both NULL and absent parameters as legal and equivalent encodings. 3. Signature Algorithms Certificates and CRLs conforming to [RFC 5280] may be signed with any public key signature algorithm. The certificate or CRL indicates the algorithm through an identifier, which appears in the signatureAlgorithm field within the Certificate or CertificateList. This algorithm identifier is an OID and has optionally associated parameters. This section denotes algorithm identifiers and parameters that MUST be used in the signatureAlgorithm field in a Certificate or CertificateList. Dang, et al. Expires September 6, 2009 [Page 4]

Internet-Draft DSA/ECDSA March 2009 Signature algorithms are always used in conjunction with a one-way hash function. This section identifies OIDs for DSA and ECDSA with SHA-224, SHA-256, SHA-384, and SHA-512. The contents of the parameters component for each signature algorithm vary; details are provided for each algorithm. The data to be signed (e.g., the one-way hash function output value) is formatted for the signature algorithm to be used. Then, a private key operation (e.g., DSA encryption) is performed to generate the signature value. This signature value is then ASN.1 encoded as a BIT STRING and included in the Certificate or CertificateList in the signature field. More detail on how digital signatures are generated can be found in [FIPS 186-3]. Entities that validate DSA signatures MUST support SHA-224 and SHA-256. Entities that validate ECDSA signatures MUST support SHA-224 and SHA-256 and should support SHA-384 and SHA-512. 3.1 DSA Signature Algorithm The DSA is defined in the Digital Signature Standard (DSS) [FIPS 186-3]. DSA was developed by the U.S. Government, and can be used in conjunction with a SHA2 one-way hash function such as SHA-224 or SHA-256. DSA is fully described in [FIPS 186-3]. [FIPS 186-3] specifies four size-choices for a DSA key pair of the form (public key size, private key size) in bits. The four choices are (1024, 160), (2048, 224), (2048, 256), and (3072, 256). More information can be found in [FIPS 186-3]. For the remainder of this specification, each and every key pair of the DSA key pairs is referred to by the size of its public key. DSA key pairs of 1024 and 2048 bits may be used with SHA-224. DSA key pairs of any of the four sizes may use SHA-256. The following are the OIDs of the DSA digital signature algorithm when used with SHA-224 or SHA-256. Dang, et al. Expires September 6, 2009 [Page 5]

Internet-Draft DSA/ECDSA March 2009 When SHA-224 is used, the OID is: id-dsa-with-sha224 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3) algorithms(4) id-dsa-with-sha2(3) 1 }. When SHA-256 is used, the OID is: id-dsa-with-sha256 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3) algorithms(4) id-dsa-with-sha2(3) 2 }. The DSA key pair of 3072 bits provides 128 bits of security and provides the most security among all the four sizes of DSA key pairs. More information on security strength assessments of DSA and other cryptographic algorithms can be found in [SP 800- 57]. A digital signature algorithm has the same security strength as its asymmetric key algorithm like DSA or ECDSA only if its hashing algorithm has at least the same security strength as the asymmetric key algorithm. Therefore, a 128-bit security strength hashing algorithm which is SHA- 256 will be sufficient to build a 128-bit security strength DSA digital signature algorithm when the DSA key pair of 3072 bits is used. Therefore, it is only needed to specify DSA with SHA-224 and SHA-256 because SHA-256 provides sufficient security for using with any DSA key pair of any of the four size choices. More information on security strengths of the hash functions SHAs specified in [FIPS 180-3] and the digital signature algorithms specified in [FIPS 186-3] can be found in [SP 800-107] and [SP 800-57]. When the id-dsa-with-sha224 or id-dsa-with-sha256 algorithm identifier appears in the algorithm field as an AlgorithmIdentifier, the encoding SHALL omit the parameters field. That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one component, the OID id-dsa-with-sha224 or id-dsa- with-sha256. Encoding rules for DSA signature values are specified in [RFC 3279]. For completeness, this information is repeated below: Dang, et al. Expires September 6, 2009 [Page 6]

Internet-Draft DSA/ECDSA March 2009 When signing, the DSA algorithm generates two values commonly referred to as r and s. To easily transfer these two values as one signature, they SHALL be ASN.1 encoded using the following ASN.1 structure: Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }. The DSA parameters in the subjectPublicKeyInfo field of the certificate of the issuer SHALL apply to the verification of the signature. 3.2 ECDSA Signature Algorithm The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Standard (ECDSA)" [X9.62]. The ASN.1 OIDs used to specify that an ECDSA signature was generated using SHA-224, SHA-256, SHA-384 or SHA-512 are respectively: ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9- 62(10045) signatures(4) ecdsa-with-SHA2(3) 1 } ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9- 62(10045) signatures(4) ecdsa-with-SHA2(3) 2 } ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9- 62(10045) signatures(4) ecdsa-with-SHA2(3) 3 } ecdsa-with-SHA512 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9- 62(10045) signatures(4) ecdsa-with-SHA2(3) 4 } When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384 or ecdsa-with-SHA512 algorithm identifier appears in the algorithm field as an AlgorithmIdentifier, the encoding MUST omit the parameters field. That is, the AlgorithmIdentifier Dang, et al. Expires September 6, 2009 [Page 7]

Internet-Draft DSA/ECDSA March 2009 SHALL be a SEQUENCE of one component, the OID ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with- SHA384 or ecdsa-with-SHA512. Conforming CA implementations MUST specify the hash algorithm explicitly, using the OIDs specified above, when encoding ECDSA/SHA2 signatures in certificates and CRLs. Conforming client implementations that process ECDSA signatures with any of the SHA-2 hash algorithms when processing certificates and CRLs MUST recognize the corresponding OIDs specified above. [X9.62] has defined additional OIDs for the ECDSA signature algorithm. Encoding rules for ECDSA signature values are specified in [RFC 3279]. For completeness, this information is repeated below: When signing, the ECDSA algorithm generates two values commonly referred to as r and s. To easily transfer these two values as one signature, they MUST be ASN.1 encoded using the following ASN.1 structure: Ecdsa-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }. The elliptic curve parameters in the subjectPublicKeyInfo field of the certificate of the issuer MUST be applied to the verification of the signature. The subjectPublicKeyInfo field must be compliant with requirements for Subject Public Key Information field in [Elliptic]. 4. ASN.1 Module DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS ALL -- -- All types and values defined in this module are -- exported for use in other ASN.1 modules. Dang, et al. Expires September 6, 2009 [Page 8]

Internet-Draft DSA/ECDSA March 2009 IMPORTS NONE id-sha224 OBJECT IDENTIFIER ::= { joint- iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } id-sha256 OBJECT IDENTIFIER ::= { joint- iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } id-sha384 OBJECT IDENTIFIER ::= { joint- iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } id-sha512 OBJECT IDENTIFIER ::= { joint- iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } -- --DSA with SHA-224 and SHA-256 signature algorithms -- id-dsa-with-sha224 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3) algorithms(4) id-dsa-with-sha2(3) 1 } id-dsa-with-sha256 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3) algorithms(4) id-dsa-with-sha2(3) 2 } -- --ECDSA Signatures with SHA-2 Hashes, from X9.62 -- ecdsa-with-SHA224 ::= { iso(1) member- body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 1 } ecdsa-with-SHA256 ::= { iso(1) member- body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2 } Dang, et al. Expires September 6, 2009 [Page 9]

Internet-Draft DSA/ECDSA March 2009 ecdsa-with-SHA384 ::= { iso(1) member- body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3 } ecdsa-with-SHA512 ::= { iso(1) member- body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 4 } END -- Definitions 5. Security Considerations This specification supplements [RFC 3279]. This document covers the DSA and ECDSA algorithms with SHA2 hash functions and the associated considerations. The appropriate use of the hash functions in terms of the algorithm strengths and expected time frames for secure use as defined by NIST can be found in Special Publications (SPs) 800-78-1 [SP 800-78-1], 800-57 [SP 800-57] and 800-107 [SP 800- 107]. FIPS 186-3 fully specifies the DSA digital signature algorithm and defines security requirements for the DSA and ECDSA digital signature algorithms; details can be found in [FIPS 186-3]. ECDSA is fully specified in [X9.62]. [FIPS 186-3] also specifies three types of elliptic curves for use in conjunction with one of the described hash functions: curves over prime fields, curves over binary fields, and Koblitz curves (anomalous binary curves). FIPS 186-3 provides a table listing the uses and time periods for each algorithm and key size combinations for various applications. The DSA and ECDSA private keys must be generated from pseudorandom functions whose security strengths meet or exceed the desired security strengths for the digital signature algorithms. Guidelines on building these NIST-approved pseudorandom functions can be found in SP 800-90 [SP 800-90]. The hash functions must meet or exceed the desired security strengths of the digital signature algorithms. More guidelines can be found in SP 800-57 [SP 800-57] and SP 800- 107 [SP 800-107]. Dang, et al. Expires September 6, 2009 [Page 10]

Internet-Draft DSA/ECDSA March 2009 The one-way hash algorithms discussed in this document, SHA-224, SHA-256, SHA-384, and SHA-512 each have a recommended lifetime when used in combination with a digital signature algorithm. NIST provides information on the appropriate time periods for which each combination should be used based upon the security needs of the service and information being protected in NIST Special Publication 800-57. A table outlines the year in which NIST deems it is no longer safe to use specific combinations of key lengths and algorithms of various strengths for RSA, DSA, and ECDSA. NIST also provides Recommendation for using NIST-approved hash algorithms in the digital signature applications in [SP 800-107]. The Special Publication 800-57 also provides guidelines for key management to be used by both developers and system administrators. The document covers the aspects of key management from algorithm selection and key sizes with associated key usage period to key usage (preventing key overlap), the compromise of keys and keying material, and key destruction. Specific guidelines are offered for key usage periods such as the lifetime of a private signature key may be shorter than the lifetime of the public verification key for practical applications. The specification also provides recommendations on the number of years various key types should be used such as public and private signature keys, public and private authentication keys, etc. NIST Special Publication 800-78-1 also lists time frames for the use of combined hash algorithms and digital signature algorithms for specific key types, but differentiates some security requirements between digital signature and authentication keys. The recommendation for the size of digital signature keys and key management keys is more restrictive than that of authentication keys, because they are used to protect data for longer periods of time. Therefore, the transition dates to larger key sizes are earlier in general. Guidelines for the protection of domain parameters, initialization vectors (IVs), and per message secret numbers for use with digital signature algorithms, DSA and ECSDA are provided in [FIPS 186-3]. An assurance Dang, et al. Expires September 6, 2009 [Page 11]

Internet-Draft DSA/ECDSA March 2009 of integrity should be obtained prior to using all keying material for the generation of digital signatures using DSA and ECDSA. Recommendation for Obtaining Assurances for Digital Signature Applications can be found in [SP 800-89]. The purpose of this is to ensure the keying material is in the proper format, the domain parameters are valid, the possession of the private key, the validity of the public key, and that the request is coming from an authorized source. Certificate Authorities (CAs) that issue certificates using the DSA and ECDSA algorithms for key generation SHOULD adhere to the recommended security guidelines for key management in the NIST Special Publication 800-57. When signing a digital signature certificate, a CA should use the same or greater size hash function than the hash function in the digital signature algorithm in the certificate. 6. References 6.1 Normative References [RFC 2119] Bradner, S., "Key Words for Use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [RFC 3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, April 2002. [RFC 5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S. Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. Dang, et al. Expires September 6, 2009 [Page 12]

Internet-Draft DSA/ECDSA March 2009 [X9.62] X9.62-2005, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Standard (ECDSA)", November, 2005. [Elliptic] Turner S., Brown D., Yiu K., Housley R., and Polk W., "Elliptic Curve Cryptography Subject Public Key Information" draft-ietf-pkix- ecc-subpubkeyinfo-11.txt (work in progress), December 2008. [FIPS 180-3] Federal Information Processing Standards Publication (FIPS PUB) 180-3, Secure Hash Standard (SHS), October 2008. [FIPS 186-3] Federal Information Processing Standards Publication (FIPS PUB) 186-3, Digital Signature Standard (DSS), (draft) November 2008. [X.690] ITU-T Recommendation X.660 Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER), 1997. 6.2 Informative References [SP 800-107] Quynh Dang, NIST, "Recommendation for Applications Using Approved Hash Algorithms", February 2009. [SP 800-78-1] W. Timothy Polk, Donna, F. Dodson, William E. Burr, NIST, "Cryptographic Standards and Key Sizes for Personal Dang, et al. Expires September 6, 2009 [Page 13]

Internet-Draft DSA/ECDSA March 2009 Identity Verification", August 2007. [SP 800-57] Elaine Barker, William Barker, William E. Burr, NIST, "Recommendation for Key Management", August 2005. [SP 800-89] Elaine Barker, NIST, "Recommendation for Obtaining Assurances for Digital Signature Applications", November 2006. [SP 800-90] Elaine Barker, John Kelsey, NIST, ''Recommendation for Random Number Generation Using Deterministic Random Bit Generators'', March 2007. [RFC 4055] Schaad, J., Kaliski, B., and Housley, R., "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X. 509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 4055, June 2005. 7. Authors' Addresses Quynh Dang NIST 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899-8930 USA Email: quynh.dang@nist.gov Kathleen M. Moriarty RSA, The Security Division of EMC 174 Middlesex Turnpike Bedford, MA 01730 Email: Moriarty_Kathleen@emc.com Dang, et al. Expires September 6, 2009 [Page 14]

Internet-Draft DSA/ECDSA March 2009 Stefan Santesson EMail: stefans@exmsft.com Daniel R. L. Brown Certicom Corp. 5520 Explorer Drive Mississaug, ON L4W 5L1 Email: dbrown@certicom.com Tim Polk NIST 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899-8930 USA Email: tim.polk@nist.gov 8. IANA Considerations This document has no actions for IANA. Dang, et al. Expires September 6, 2009 [Page 15]