 1/draftietfsmimesha208.txt 20081009 21:12:26.000000000 +0200
+++ 2/draftietfsmimesha209.txt 20081009 21:12:26.000000000 +0200
@@ 1,17 +1,17 @@
S/MIME WG Sean Turner, IECA
Intended Status: Standard Track
Expires: March 24, 2009
+Expires: April 6, 2009
Using SHA2 Algorithms with Cryptographic Message Syntax
 draftietfsmimesha208.txt
+ draftietfsmimesha209.txt
Status of this Memo
By submitting this InternetDraft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
InternetDrafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
@@ 22,21 +22,21 @@
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use InternetDrafts as reference
material or to cite them other than as "work in progress."
The list of current InternetDrafts can be accessed at
http://www.ietf.org/ietf/1idabstracts.txt
The list of InternetDraft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
 This InternetDraft will expire on March 24, 2008.
+ This InternetDraft will expire on April 6, 2008.
Copyright Notice
Copyright (C) The IETF Trust (2008).
Abstract
This document describes the conventions for using the Secure Hash
Algorithm (SHA) message digest algorithms (SHA224, SHA256, SHA384,
SHA512) with the Cryptographic Message Syntax (CMS). It also
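Review bot: the new expiry line "This InternetDraft will expire on April 6, 2008." carries the wrong year; the header in the first hunk of this same revision says "Expires: April 6, 2009", and a draft whose file timestamps are October 2008 cannot expire in April 2008. The replaced line had the same year mismatch (March 24, 2008 in the body versus March 24, 2009 in the header), so this revision propagated the error rather than fixing it; the body line should read April 6, 2009.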
@@ 47,98 +47,86 @@
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Table of Contents
1. Introduction...................................................2
2. Message Digest Algorithms......................................3
 2.1. SHA224...................................................4
+ 2.1. SHA224...................................................3
2.2. SHA256...................................................4
2.3. SHA384...................................................4
2.4. SHA512...................................................4
 3. Signature Algorithms...........................................5
+ 3. Signature Algorithms...........................................4
3.1. DSA.......................................................5
 3.2. RSA.......................................................6
+ 3.2. RSA.......................................................5
3.3. ECDSA.....................................................6
4. Security Considerations........................................7
5. IANA Considerations............................................7
6. References.....................................................7
6.1. Normative References......................................7
6.2. Informative References....................................8
1. Introduction
This document specifies the algorithm identifiers and specifies
parameters for the message digest algorithms SHA224, SHA256, SHA
384, and SHA512 for use with the Cryptographic Message Syntax (CMS)
[RFC3852]. The message digest algorithms are defined in [SHS] and
reference code is provided in [RFC4634].
This document also specifies the algorithm identifiers and parameters
for use of SHA224, SHA256, SHA384, and SHA512 with DSA [DSS], RSA
 [RFC2313], and ECDSA [X9.62].
+ [RFC2313], and ECDSA [DSS].
This document does not define new identifiers; they are taken from
 [RFC3874], [RFC4055], [ECCADD], and [RFC3278]. Additionally, the
 parameters follow the conventions specified therein. Therefore,
 there is no Abstract Syntax Notation One (ASN.1) module included in
 this document.
+ [RFC3874], [RFC4055], and [ECCADD]. Additionally, the parameters
+ follow the conventions specified therein. Therefore, there is no
+ Abstract Syntax Notation One (ASN.1) module included in this
+ document.
Note that [RFC4231] specifies the conventions for the message
authentication code (MAC) algorithms: HMAC with SHA224, HMAC with
SHA256, HMAC with SHA384, and HMAC with SHA512.
In CMS, the various algorithm identifiers use the AlgorithmIdentifier
syntax, which is included here for convenience:
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
2. Message Digest Algorithms
Digest algorithm identifiers are located in the SignedData
digestAlgorithms field, the SignerInfo digestAlgorithm field, the
DigestedData digestAlgorithm field, and the AuthenticatedData
 digestAlgorithm field.
+ digestAlgorithm field. The object identifiers are taken from
+ [RFC4055].
Digest values are located in the DigestedData digest field and the
Message Digest authenticated attribute. In addition, digest values
are input to signature algorithms.
The digest algorithm identifiers use the AlgorithmIdentifier syntax
elaborated upon in Section 1.
The algorithm field is discussed in Sections 2.12.4 for each message
digest algorithm.
 There are two possible encodings for the SHA AlgorithmIdentifier
 parameters field. The two alternatives arise from the fact that when
 the 1988 syntax for AlgorithmIdentifier was translated into the 1997
 syntax, the OPTIONAL associated with the AlgorithmIdentifier
 parameters got lost. Later the OPTIONAL was recovered via a defect
 report, but by then many people thought that algorithm parameters
 were mandatory. Because of this history some implementations encode
 parameters as a NULL element and others omit them entirely. The
 correct encoding is to omit the parameters field; however,
 implementations MUST also handle a SHA AlgorithmIdentifier parameters
 field which contains a NULL.

 The AlgorithmIdentifier parameters field is OPTIONAL. If present,
 the parameters field MUST contain a NULL. Implementations MUST
 accept SHA2 AlgorithmIdentifiers with absent parameters.
+ The AlgorithmIdentifier parameters field is OPTIONAL. Implementations
+ MUST accept SHA2 AlgorithmIdentifiers with absent parameters.
Implementations MUST accept SHA2 AlgorithmIdentifiers with NULL
 parameters. Implementations SHOULD generate SHA2
 AlgorithmIdentifiers with absent parameters.
+ parameters. Implementations MUST generate SHA2 AlgorithmIdentifiers
+ with absent parameters.
2.1. SHA224
The SHA224 message digest algorithm is defined in [SHS]. The
algorithm identifier for SHA224 is:
idsha224 OBJECT IDENTIFIER ::= {
jointisoitut(2) country(16) us(840) organization(1) gov(101)
csor(3) nistalgorithm(4) hashalgs(2) 4 }
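Review bot: the rewritten SHA2 parameters paragraph (the lines replacing "The AlgorithmIdentifier parameters field is OPTIONAL. If present, the parameters field MUST contain a NULL.") drops the "If present ... MUST contain a NULL" sentence, so the text now states only what an implementation MUST accept (absent and NULL) and no longer constrains what a present parameters field may contain; restore that sentence or fold it into the NULL sentence so a parameters field holding anything other than NULL is clearly non-conforming. Raising "SHOULD generate SHA2 AlgorithmIdentifiers with absent parameters" to MUST is a tightening that makes existing NULL-emitting implementations non-conforming; since the paragraph explaining the 1988/1997 syntax history was removed in the same revision, there is now nothing telling an implementer why an encoding that is forbidden to generate must still be accepted, and one sentence pointing at the legacy NULL form (or at the discussion in [RFC4055], which this hunk now names as the source of the digest identifiers) would keep the MUST-accept rule from looking arbitrary. The citation swap from [X9.62] to [DSS] for ECDSA in the Introduction is consistent with [X9.62] disappearing from the references, but it makes ECDSA depend on [DSS], which the reference section labels a draft.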
@@ 191,21 +179,22 @@
Signature values are located in the SignerInfo signature field of
SignedData. Also, signature values are located in the SignerInfo
signature field of countersignature attributes.
3.1. DSA
[RFC3370] section 3.1 specifies the conventions for DSA with SHA1
public key algorithm identifiers, parameters, public keys, and
signature values. DSA with SHA2 algorithms uses the same conventions
for these public key algorithm identifiers, parameters, public keys,
 and signature values. DSA MAY be used with SHA224 and SHA256.
+ and signature values. DSA MAY be used with SHA224 and SHA256. The
+ object identifiers are taken from [ECCADD].
DSA has not been specified with SHA384 and SHA512. SHA384 and
SHA512 are not supported because the maximum bit length of p
(specified as L) is 3072 for DSA. For consistent cryptographic
strength, SHA384 would be used with DSA where L is 7680, and SHA512
would be used with DSA where L is 15360.
The algorithm identifier for DSA with SHA224 signature values is:
iddsawithsha224 OBJECT IDENTIFIER ::= { jointisoccitt(2)
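Review bot: style point on the added sentence "The object identifiers are taken from [ECCADD]." in 3.1: the DSA identifier that immediately follows spells the root arc as jointisoccitt(2), while the SHA2 digest identifiers in Section 2 use jointisoitut(2) for the same arc; both names are accepted, but the document should pick one spelling, and since [ECCADD] is now the stated source for these DSA identifiers, the spelling here should match the one used there.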
@@ 221,27 +210,27 @@
When either of these algorithm identifiers is used, the
AlgorithmIdentifier parameters field MUST be absent.
3.2. RSA
[RFC3370] section 3.2 specifies the conventions for RSA with SHA1
(PKCS #1 v1.5) public key algorithm identifiers, parameters, public
keys, and signature values. RSA with SHA2 algorithms uses the same
conventions for these public key algorithm identifiers, parameters,
public keys, and signature values. RSA (PKCS #1 v1.5) MAY be used
 with SHA224, SHA256, SHA384, or SHA512.
+ with SHA224, SHA256, SHA384, or SHA512. The object identifiers
+ are taken from [RFC4055].
The object identifier for RSA with SHA224 signature values is:
sha224WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
memberbody(2) us(840) rsadsi(113549) pkcs(1) pkcs1(1) 14 }

The object identifier for RSA with SHA256 signature values is:
sha256WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
memberbody(2) us(840) rsadsi(113549) pkcs(1) pkcs1(1) 11 }
The object identifier for RSA with SHA384 signature values is:
sha384WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
memberbody(2) us(840) rsadsi(113549) pkcs(1) pkcs1(1) 12 }
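Review bot: the added sentence "The object identifiers are taken from [RFC4055]." names the source of the sha224/256/384/512WithRSAEncryption identifiers, but the visible part of 3.2 never states the parameters encoding for these identifiers, whereas 3.1 ends with "the AlgorithmIdentifier parameters field MUST be absent" and 3.3 states the same rule for the ECDSA identifiers. If the rule for 3.2 is in the unchanged lines after this hunk, fine; otherwise add it, and in either case make sure it matches what [RFC4055] specifies for these particular identifiers rather than copying the absent-parameters rule from the DSA and ECDSA sections.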
@@ 256,21 +245,22 @@
3.3. ECDSA
[RFC3278] section 2.1 specifies the conventions for ECDSA with SHA1
public key algorithm identifiers, parameters, public keys, and
signature values. ECDSA with SHA2 algorithms uses the same
conventions for these public key algorithm identifiers, parameters,
public keys, and signature values, except that the digestAlgorithm
MUST include the corresponding message digest algorithm identifier,
and not the sha1 object identifier. ECDSA MAY be used with SHA224,
 SHA256, SHA384, or SHA512.
+ SHA256, SHA384, or SHA512. The object identifiers are taken from
+ [ECCADD].
The algorithm identifier for ECDSA with SHA224 signature values is:
ecdsawithSHA224 OBJECT IDENTIFIER ::= { iso(1) memberbody(2)
us(840) ansiX962(10045) signatures(4) ecdsawithSHA2(3) 1 }
The algorithm identifier for ECDSA with SHA256 signature values is:
ecdsawithSHA256 OBJECT IDENTIFIER ::= { iso(1) memberbody(2)
us(840)ansiX962(10045) signatures(4) ecdsawithSHA2(3) 2 }
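Review bot: the added sentence "The object identifiers are taken from [ECCADD]." does not remove the dependency on RFC 3278 that the unchanged lines above create: 3.3 still says "[RFC3278] section 2.1 specifies the conventions for ECDSA with SHA1 public key algorithm identifiers, parameters, public keys, and signature values. ECDSA with SHA2 algorithms uses the same conventions", which incorporates those conventions by reference and is therefore a normative use. If the aim of this revision is to make [RFC3278] informative only, the conventions need to be restated here or attributed to [ECCADD]; otherwise [RFC3278] has to stay normative.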
@@ 272,91 +262,87 @@
The algorithm identifier for ECDSA with SHA256 signature values is:
ecdsawithSHA256 OBJECT IDENTIFIER ::= { iso(1) memberbody(2)
us(840)ansiX962(10045) signatures(4) ecdsawithSHA2(3) 2 }
The algorithm identifier for ECDSA with SHA384 signature values is:
ecdsawithSHA384 OBJECT IDENTIFIER ::= { iso(1) memberbody(2)
us(840) ansiX962(10045) signatures(4) ecdsawithSHA2(3) 3 }

The algorithm identifier for ECDSA with SHA512 signature values is:
ecdsawithSHA512 OBJECT IDENTIFIER ::= { iso(1) memberbody(2)
us(840) ansiX962(10045) signatures(4) ecdsawithSHA2(3) 4 }
When any of these four object identifiers appears within an
 AlgorithmIdentifier, the parameters MUST omit the parameters field.
 That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one
 component: the OID ecdsawithSHA224, ecdsawithSHA256,
+ AlgorithmIdentifier, the parameters filed MUST be absent. That is,
+ the AlgorithmIdentifier SHALL be a SEQUENCE of one component: the OID
+ ecdsawithSHA224, ecdsawithSHA256,
ecdsawithSHA384 or ecdsawithSHA512.
4. Security Considerations
 The security considerations in [RFC3278], [RFC3370], [RFC3874],
 [RFC4055], and [ECCADD] apply. No new security considerations are
 introduced as a result of this specification.
+ The security considerations in [RFC3370], [RFC3874], [RFC4055], and
+ [ECCADD] apply. No new security considerations are introduced as a
+ result of this specification.
5. IANA Considerations
None: All identifiers are already registered. Please remove this
section prior to publication as an RFC.
6. References
6.1. Normative References
[ECCADD] Dang, S., Santesson, S., Moriarty, K., and Brown,
"Internet X.509 Public Key Infrastructure: Additional
 Algorithms and Identifiers for DSA and ECDSA", workin
 progress.
+ Algorithms and Identifiers for DSA and ECDSA", draft
+ ietfpkixsha2dsaecdsa04.txt (workinprogress).
[DSS] National Institute of Standards and Technology (NIST),
 FIPS Publication 1863: Digital Signature Standard, March
 2006.
+ FIPS Publication 1863: Digital Signature Standard,
+ (draft) March 2006.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119. March 1997.
[RFC2313] Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC
2313, March 1998.
 [RFC3278] BlakeWilson, S., Brown, D., and P. Lambert, "Use of
 Elliptic Curve Cryptography (ECC) Algorithms in
 Cryptographic Message Syntax (CMS)", RFC 3278, April
 2002.

[RFC3370] Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3370, August 2002.
[RFC3852] Housley, R., "The Cryptographic Message Syntax (CMS)",
RFC 3852. July 2004.
[RFC3874] Housley, R., "A 224bit One Way Hash Function: SHA224",
RFC 3874. September 2004.
[RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional
Algorithms and Identifiers for RSA Cryptography for use
in the Internet Public Key Infrastructure Certificate and
Certificate Revocation List (CRL) Profile", RFC 4055.
June 2005.
[SHS] National Institute of Standards and Technology (NIST),
 FIPS Publication 1803: Secure Hash Standard, June 2003.

 [X9.62] X9.622005, "Public Key Cryptography for the Financial
 Services Industry: The Elliptic Curve Digital Signature
 Standard (ECDSA)", November, 2005.
+ FIPS Publication 1803: Secure Hash Standard, (draft)
+ June 2003.
6.2. Informative References
+ [RFC3278] BlakeWilson, S., Brown, D., and P. Lambert, "Use of
+ Elliptic Curve Cryptography (ECC) Algorithms in
+ Cryptographic Message Syntax (CMS)", RFC 3278, April
+ 2002.
+
[RFC4231] Nystrom, A. "Identifiers and Test Vectors for HMACSHA
224, HMACSHA256, HMACSHA384, and HMACSHA512",
RFC4231. December 2005.
[RFC4634] Eastlake, D., and T. Hansen, "US Secure Hash Algorithms
(SHA and HMACSHA)", RFC 4634, July 2006.
Author's Addresses
Sean Turner
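Review bot: typo in the rewritten ECDSA sentence "AlgorithmIdentifier, the parameters filed MUST be absent." in this hunk; "filed" should be "field". The same hunk removes [RFC3278] from the Security Considerations list and moves its entry from 6.1 Normative References to 6.2 Informative References, yet Section 3.3 still incorporates the conventions of [RFC3278] section 2.1 by reference, so either that incorporation has to be replaced or the reference has to stay normative and stay in the security considerations list. The new "(draft)" annotations on the normative [DSS] (FIPS 186-3, March 2006) and [SHS] (FIPS 180-3, June 2003) entries, together with [ECCADD] now being cited as draft-ietf-pkix-sha2-dsa-ecdsa-04, mean three normative references point at unpublished documents; flag this for the shepherd, and check the [SHS] date, since the June 2003 date does not match the "1803" edition it is attached to in the same entry. Removing [X9.62] is consistent with the Introduction now citing [DSS] for ECDSA.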