Diff of draft-ietf-lamps-pkix-shake-12.txt and draft-ietf-lamps-pkix-shake-13.txt

LAMPS WG                                                   P. Kampanakis
Internet-Draft                                             Cisco Systems
Updates: 3279 (if approved)                                      Q. Dang
Intended status: Standards Track                                    NIST
Expires: January 1, 2020 (draft-12) / January 22, 2020 (draft-13)
                         June 30, 2019 (draft-12) / July 21, 2019 (draft-13)

      Internet X.509 Public Key Infrastructure: Additional Algorithm
            Identifiers for RSASSA-PSS and ECDSA using SHAKEs
        draft-ietf-lamps-pkix-shake-12 / draft-ietf-lamps-pkix-shake-13
Abstract

   draft-12:

   Digital signatures are used to sign messages, X.509 certificates and
   CRLs.  This document updates [RFC3279] and describes the conventions
   for using the SHAKE function family in Internet X.509 certificates
   and CRLs as one-way hash functions with the RSA Probabilistic
   signature and ECDSA signature algorithms.  The conventions for the
   associated subject public keys are also described.

   draft-13:

   Digital signatures are used to sign messages, X.509 certificates and
   CRLs.  This document updates the "Algorithms and Identifiers for the
   Internet X.509 Public Key Infrastructure Certificate and Certificate
   Revocation List Profile" (RFC3279) and describes the conventions for
   using the SHAKE function family in Internet X.509 certificates and
   revocation lists as one-way hash functions with the RSA Probabilistic
   signature and ECDSA signature algorithms.  The conventions for the
   associated subject public keys are also described.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 1, 2020 (draft-12) /
   January 22, 2020 (draft-13).

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
[skipping to change at page 2, line 32 (draft-12) / page 2, line 34 (draft-13)]

   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Appendix A.  ASN.1 module . . . . . . . . . . . . . . . . . . . .  12
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  16
1.  Change Log

   [ EDNOTE: Remove this section before publication. ]

   o  draft-ietf-lamps-pkix-shake-13: (added in draft-13)

      *  Addressing one applicable comment from Dan M. about sec levels
         while in secdir review of draft-ietf-lamps-cms-shakes.

      *  Addressing comment from Scott B.'s opsdir review about
         references in the abstract.

   o  draft-ietf-lamps-pkix-shake-12:

      *  Nits identified by Roman, Eric V. Ben K., Barry L. in ballot
         position review.

   o  draft-ietf-lamps-pkix-shake-11:

      *  Nits identified by Roman in AD Review.

   o  draft-ietf-lamps-pkix-shake-10:

[skipping to change at page 4, line 40 (draft-12) / page 4, line 48 (draft-13)]

      *  Added Public key algorithm OIDs.

      *  Populated Introduction and IANA sections.

   o  draft-ietf-lamps-pkix-shake-00:

      *  Initial version
2.  Introduction

   draft-12:

   This document defines cryptographic algorithm identifiers for several
   cryptographic algorithms that use variable length output SHAKE
   functions introduced in [SHA3] which can be used with the Internet
   X.509 Certificate and Certificate Revocation List (CRL) profile
   [RFC5280].

   draft-13:

   [RFC3279] defines cryptographic algorithm identifiers for the
   Internet X.509 Certificate and Certificate Revocation Lists (CRL)
   profile [RFC5280].  This document updates RFC3279 and defines
   identifiers for several cryptographic algorithms that use variable
   length output SHAKE functions introduced in [SHA3] which can be used
   with .

   (unchanged in both drafts:)

   In the SHA-3 family, two extendable-output functions (SHAKEs),
   SHAKE128 and SHAKE256, are defined.  Four other hash function
   instances, SHA3-224, SHA3-256, SHA3-384, and SHA3-512, are also
   defined but are out of scope for this document.  A SHAKE is a
   variable length hash function defined as SHAKE(M, d) where the output
   is a d-bits-long digest of message M.  The corresponding collision
   and second-preimage-resistance strengths for SHAKE128 are
   min(d/2,128) and min(d,128) bits, respectively (Appendix A.1 [SHA3]).
   And the corresponding collision and second-preimage-resistance
[skipping to change at page 7, line 10 (both drafts)]

   by using the OIDs specified in Section 4 when encoding RSASSA-PSS or
   ECDSA with SHAKE signatures in certificates and CRLs.  Conforming
   client implementations that process certificates and CRLs using
   RSASSA-PSS or ECDSA with SHAKE MUST recognize the corresponding OIDs.
   Encoding rules for RSASSA-PSS and ECDSA signature values are
   specified in [RFC4055] and [RFC5480], respectively.

   When using RSASSA-PSS or ECDSA with SHAKEs, the RSA modulus and ECDSA
   curve order SHOULD be chosen in line with the SHAKE output length.

   draft-12:

   In the context of this document SHAKE128 OIDs are RECOMMENDED for
   2048 or 3072-bit RSA modulus or curves with group order of 256-bits.
   SHAKE256 OIDs are RECOMMENDED for 4096-bit RSA modulus and higher or
   curves with group order of 384-bits and higher.

   draft-13:

   Refer to Section 7 for more details.

5.1.1.  RSASSA-PSS Signatures

   The RSASSA-PSS algorithm is defined in [RFC8017].  When id-RSASSA-
   PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256 specified in Section 4 is
   used, the encoding MUST omit the parameters field.  That is, the
   AlgorithmIdentifier SHALL be a SEQUENCE of one component, id-RSASSA-
   PSS-SHAKE128 or id-RSASSA-PSS-SHAKE256.  [RFC4055] defines RSASSA-
   PSS-params that are used to define the algorithms and inputs to the
   algorithm.  This specification does not use parameters because the
[skipping to change at page 10, line 23 (draft-12) / page 10, line 16 (draft-13)]

   This document updates [RFC3279].  The security considerations section
   of that document applies to this specification as well.

   NIST has defined appropriate use of the hash functions in terms of
   the algorithm strengths and expected time frames for secure use in
   Special Publications (SPs) [SP800-78-4] and [SP800-107].  These
   documents can be used as guides to choose appropriate key sizes for
   various security scenarios.

   draft-13 (added paragraph):

   SHAKE128 with output length of 256-bits offers 128-bits of collision
   and 256-bits of preimage resistance.  Thus, SHAKE128 OIDs in this
   specification are RECOMMENDED with 2048 (112-bit security) or
   3072-bit (128-bit security) RSA modulus or curves with group order of
   256-bits (128-bit security).  SHAKE256 with 512-bits output length
   offers 256-bits of collision and 512-bits of preimage resistance.
   Thus, the SHAKE256 OIDs in this specification are RECOMMENDED with
   4096-bit RSA modulus or higher or curves with group order of 384-bits
   (256-bit security) or higher.  Note that we recommended 4096-bit RSA
   because we would need 15360-bit modulus for 256-bits of security
   which is impractical for today's technology.
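The following Python is an added example, not code from the draft or its ASN.1 module. It ties together three points above: the SHAKE(M, d) strength formula from the Introduction (extended to SHAKE256 with a 256-bit cap, which is an assumption taken from the same [SHA3] table), the key-size to SHAKE pairing RECOMMENDED in Section 7, and the Section 5.1.1 rule that the AlgorithmIdentifier is a SEQUENCE of one component with no parameters. The numeric OID arcs are not on this page; they are assumed from the published RFC 8692 that this draft became.

```python
# Output length d (bits) this draft fixes for each SHAKE OID family (Section 7).
SHAKE_OUTPUT_BITS = {"shake128": 256, "shake256": 512}
# Assumption: numeric arcs taken from RFC 8692, the published form of this draft.
OIDS = {"id-RSASSA-PSS-SHAKE128": "1.3.6.1.5.5.7.6.30",
        "id-RSASSA-PSS-SHAKE256": "1.3.6.1.5.5.7.6.31",
        "id-ecdsa-with-shake128": "1.3.6.1.5.5.7.6.32",
        "id-ecdsa-with-shake256": "1.3.6.1.5.5.7.6.33"}

def shake_strength(name, d_bits):
    """(collision, second-preimage) strength in bits, Appendix A.1 of [SHA3].
    SHAKE128 caps at 128; the 256 cap for SHAKE256 is assumed from the same table."""
    cap = 128 if name == "shake128" else 256
    return min(d_bits // 2, cap), min(d_bits, cap)

def recommend_shake(rsa_modulus_bits=None, curve_order_bits=None):
    """Map a key size to the SHAKE family this draft RECOMMENDS for it (Section 7)."""
    if rsa_modulus_bits is not None:
        if rsa_modulus_bits >= 4096:
            return "shake256"
        if rsa_modulus_bits >= 2048:
            return "shake128"
    if curve_order_bits is not None:
        if curve_order_bits >= 384:
            return "shake256"
        if curve_order_bits >= 256:
            return "shake128"
    return None  # below every size the draft pairs with a SHAKE OID

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER; short-form length is enough for these small OIDs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def algorithm_identifier(oid_name):
    """AlgorithmIdentifier as a SEQUENCE of one component: the OID, parameters omitted."""
    oid = encode_oid(OIDS[oid_name])
    return bytes([0x30, len(oid)]) + oid

def is_conforming_algorithm_identifier(der, oid_name):
    """True only for SEQUENCE { oid } with nothing after the OID; a NULL or any
    RSASSA-PSS-params trailing the OID violates the MUST in Section 5.1.1."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        return False
    return der[2:] == encode_oid(OIDS[oid_name])
```

A validator for certificates or CRLs can run is_conforming_algorithm_identifier over the signatureAlgorithm field and recommend_shake over the subject key size to flag the mismatches the draft warns about.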
8.  Acknowledgements

   We would like to thank Sean Turner, Jim Schaad and Eric Rescorla for
   their valuable contributions to this document.

   The authors would like to thank Russ Housley for his guidance and
   very valuable contributions with the ASN.1 module.

9.  References
End of changes.  8 change blocks.  15 lines changed or deleted, 35 lines
changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/