rfcdiff: draft-ietf-curdle-cms-ecdh-new-curves-09.txt vs. draft-ietf-curdle-cms-ecdh-new-curves-10.txt
(Text common to both versions is shown once; where the versions differ, the
old text is marked "-09:" and the new text "-10:".)

Internet-Draft                                                R. Housley
Intended status: Standards Track                          Vigil Security
-09: Expires: 4 December 2017                                4 June 2017
-10: Expires: 22 February 2018                            22 August 2017

     Use of the Elliptic Curve Diffie-Hellman Key Agreement Algorithm
       with X25519 and X448 in the Cryptographic Message Syntax (CMS)
-09:            <draft-ietf-curdle-cms-ecdh-new-curves-09.txt>
-10:            <draft-ietf-curdle-cms-ecdh-new-curves-10.txt>

Abstract

   This document describes the conventions for using the Elliptic Curve
   Diffie-Hellman (ECDH) key agreement algorithm with curve25519 and
   curve448 in the Cryptographic Message Syntax (CMS).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the

[skipping to change at page 1, line 33]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-09:   This Internet-Draft will expire on 4 December 2017.
-10:   This Internet-Draft will expire on 22 February 2017.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

[skipping to change at page 9, line 48]
   The following object identifiers are assigned to indicate ECDH with
   HKDF using various one-way hash functions.  These are expected to be
   used as AlgorithmIdentifiers with a parameter that specifies the
   key-encryption algorithm.

      smime-alg OBJECT IDENTIFIER ::= {
         iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs-9(9) smime(16) alg(3) }

      dhSinglePass-stdDH-hkdf-sha256-scheme OBJECT IDENTIFIER ::= {
-09:     smime-alg TBD1 }
-10:     smime-alg 19 }

      dhSinglePass-stdDH-hkdf-sha384-scheme OBJECT IDENTIFIER ::= {
-09:     smime-alg TBD2 }
-10:     smime-alg 20 }

      dhSinglePass-stdDH-hkdf-sha512-scheme OBJECT IDENTIFIER ::= {
-09:     smime-alg TBD3 }
-10:     smime-alg 21 }

8.  SMIMECapabilities Attribute Conventions

   A sending agent MAY announce to other agents that it supports ECDH
   key agreement using the SMIMECapabilities signed attribute in a
   signed message [SMIME] or a certificate [CERTCAP].  Following the
   pattern established in [CMSECC], the SMIMECapabilities associated
   with ECDH carries a DER-encoded object identifier that identifies
   support for ECDH in conjunction with a particular KDF, and it
   includes a parameter that names the key wrap algorithm.

[skipping to change at page 10, line 50]
   ECDH with ANSI-X9.63-KDF using SHA-512; uses AES-256 key wrap:
      30 15 06 06 2B 81 04 01 0B 03 30 0B 06 09 60 86 48 01 65 03 04
      01 2D

   The following SMIMECapabilities values (in hexadecimal) based on the
   algorithm identifiers in Section 7 of this document might be of
   interest to implementations that support X25519 and X448:

   ECDH with HKDF using SHA-256; uses AES-128 key wrap:
-09:  TBD
-10:  30 1A 06 0B 2A 86 48 86 F7 0D 01 09 10 03 13 30 0B 06 09 60 86
      48 01 65 03 04 01 05

   ECDH with HKDF using SHA-384; uses AES-128 key wrap:
-09:  TBD
-10:  30 1A 06 0B 2A 86 48 86 F7 0D 01 09 10 03 14 30 0B 06 09 60 86
      48 01 65 03 04 01 05

   ECDH with HKDF using SHA-512; uses AES-128 key wrap:
-09:  TBD
-10:  30 1A 06 0B 2A 86 48 86 F7 0D 01 09 10 03 15 30 0B 06 09 60 86
      48 01 65 03 04 01 05

   ECDH with HKDF using SHA-256; uses AES-256 key wrap:
-09:  TBD
-10:  30 1A 06 0B 2A 86 48 86 F7 0D 01 09 10 03 13 30 0B 06 09 60 86
      48 01 65 03 04 01 2D

   ECDH with HKDF using SHA-384; uses AES-256 key wrap:
-09:  TBD
-10:  30 1A 06 0B 2A 86 48 86 F7 0D 01 09 10 03 14 30 0B 06 09 60 86
      48 01 65 03 04 01 2D

   ECDH with HKDF using SHA-512; uses AES-256 key wrap:
-09:  TBD
-10:  30 1A 06 0B 2A 86 48 86 F7 0D 01 09 10 03 15 30 0B 06 09 60 86
      48 01 65 03 04 01 2D
9.  Security Considerations

   Please consult the security considerations of [CMS] for security
   considerations related to the enveloped-data content type and the
   authenticated-data content type.

   Please consult the security considerations of [AUTHENV] for security
   considerations related to the authenticated-enveloped-data content
   type.

[skipping to change at page 12, line 7]

   As specified in [CMS], implementations MUST support processing of the
   KeyAgreeRecipientInfo ukm field; this ensures that interoperability
   is not a concern whether the ukm is present or absent.  The ukm is
   placed in the entityUInfo field of the ECC-CMS-SharedInfo structure.
   When present, the ukm ensures that a different key-encryption key is
   generated, even when the originator ephemeral private key is
   improperly used more than once.
10.  IANA Considerations

-09:   One object identifier for the ASN.1 module in the Appendix needs to
       be assigned in the SMI Security for S/MIME Module Identifiers
       (1.2.840.113549.1.9.16.0) [IANA-MOD] registry:
-10:   One object identifier for the ASN.1 module in the Appendix was
       assigned in the SMI Security for S/MIME Module Identifiers
       (1.2.840.113549.1.9.16.0) [IANA-MOD] registry:

      id-mod-cms-ecdh-alg-2017 OBJECT IDENTIFIER ::= {
         iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
-09:     pkcs-9(9) smime(16) mod(0) TBD0 }
-10:     pkcs-9(9) smime(16) mod(0) 67 }

-09:   Three object identifiers for the Key Agreement Algorithm Identifiers
       in Section 7 need to be assigned in the SMI Security for S/MIME
       Algorithms (1.2.840.113549.1.9.16.3) [IANA-ALG] registry:
-10:   Three object identifiers for the Key Agreement Algorithm Identifiers
       in Section 7 were assigned in the SMI Security for S/MIME Algorithms
       (1.2.840.113549.1.9.16.3) [IANA-ALG] registry:

      smime-alg OBJECT IDENTIFIER ::= {
         iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs-9(9) smime(16) alg(3) }

      dhSinglePass-stdDH-hkdf-sha256-scheme OBJECT IDENTIFIER ::= {
-09:     smime-alg TBD1 }
-10:     smime-alg 19 }

      dhSinglePass-stdDH-hkdf-sha384-scheme OBJECT IDENTIFIER ::= {
-09:     smime-alg TBD2 }
-10:     smime-alg 20 }

      dhSinglePass-stdDH-hkdf-sha512-scheme OBJECT IDENTIFIER ::= {
-09:     smime-alg TBD3 }
-10:     smime-alg 21 }
11.  Normative References

   [AUTHENV]  Housley, R., "Cryptographic Message Syntax (CMS)
              Authenticated-Enveloped-Data Content Type", RFC 5083,
              November 2007.

   [CERTCAP]  Santesson, S., "X.509 Certificate Extension for
              Secure/Multipurpose Internet Mail Extensions (S/MIME)
              Capabilities", RFC 4262, December 2005.

[skipping to change at page 13, line 23]

              Josefsson, S., and J. Schaad, "Algorithm Identifiers for
              Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and X448 for
              use in the Internet X.509 Public Key Infrastructure",
              15 August 2016, Work-in-progress.

   [PKIXALG]  Bassham, L., Polk, W., and R. Housley, "Algorithms and
              Identifiers for the Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 3279, April 2002.

-09:   [PKIXECC]  Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
                  "Elliptic Curve Cryptography Subject Public Key
                  Information", RFC 5480, March 2009.
-10:   (reference removed)

   [PROFILE]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [SEC1]     Standards for Efficient Cryptography Group, "SEC 1:
              Elliptic Curve Cryptography", version 2.0, May 2009,
              <http://www.secg.org/sec1-v2.pdf>.

   [SMIME]    Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet

[skipping to change at page 15, line 9]

   [X963]     "Public-Key Cryptography for the Financial Services
              Industry: Key Agreement and Key Transport Using Elliptic
              Curve Cryptography", American National Standard
              X9.63-2001, 2001.
Appendix: ASN.1 Module

   CMSECDHAlgs-2017
     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
-09:   smime(16) modules(0) id-mod-cms-ecdh-alg-2017(TBD0) }
-10:   smime(16) modules(0) id-mod-cms-ecdh-alg-2017(67) }

   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   -- EXPORTS ALL

   IMPORTS

   KeyWrapAlgorithm
   FROM CryptographicMessageSyntaxAlgorithms-2009 -- in [CMSASN1]

[skipping to change at page 16, line 14]

   --
   -- Object Identifiers
   --

   smime-alg OBJECT IDENTIFIER ::= {
      iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
      pkcs-9(9) smime(16) alg(3) }

   dhSinglePass-stdDH-hkdf-sha256-scheme OBJECT IDENTIFIER ::= {
-09:  smime-alg TBD1 }
-10:  smime-alg 19 }

   dhSinglePass-stdDH-hkdf-sha384-scheme OBJECT IDENTIFIER ::= {
-09:  smime-alg TBD2 }
-10:  smime-alg 20 }

   dhSinglePass-stdDH-hkdf-sha512-scheme OBJECT IDENTIFIER ::= {
-09:  smime-alg TBD3 }
-10:  smime-alg 21 }

   --
   -- Extend the Key Agreement Algorithms in [CMSECC]
   --

   KeyAgreementAlgs KEY-AGREE ::= { ...,
      kaa-dhSinglePass-stdDH-sha256kdf-scheme |
      kaa-dhSinglePass-stdDH-sha384kdf-scheme |
      kaa-dhSinglePass-stdDH-sha512kdf-scheme |
      kaa-dhSinglePass-stdDH-hkdf-sha256-scheme |
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/