SHA-3 Related Algorithms and Identifiers for PKIXsn3rdsean@sn3rd.com
Security
Network Working GroupInternet-DraftThis document describes the conventions for using the SHA-3 family of hash functions in the Internet X.509 PKI as one-way hash functions and with the ECDSA signature algorithm; the conventions for the associated ECDSA subject public keys are also described. Digital signatures are used to sign certificates and CRLs (Certificate Revocation Lists)., , , and defines the contents of the signatureAlgorithm, signatureValue, signature, and subjectPublicKeyInfo fields within Internet X.509 certificates and CRLs (Certificate Revocation Lists) for a number of algorithms. This document does the same for the SHA-3 family of one-way hash functions and their use with the ECDSA and RSA PKCS#1 v1.5 digital signature algorithms.Familiarity with is assumed.The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in .This section describes cryptographic algorithms which may be used with the Internet X.509 Certificate and CRL profile . This section describes one-way hash functions and digital signature algorithms which may be used to sign certificates and CRLs, and identifies OIDs (Object Identifiers) for public keys contained in a certificate.The SHA-3 family of one-way hash functions is specified in . In the SHA-3 family, four hash functions are defined: SHA3-224, SHA3-256, SHA3-384, and SHA3-512; two extendable-output functions, called SHAKE128 and SHAKE256, are also defined but are not addressed by this document. The respective output lengths, in bits, of the SHA-3 hash functions are 224, 256, 384, and 512 and as of this document’s publication date correspond to 112, 128, 192, and 256 bits of security . The OIDs (Object Identifiers) for these four hash functions are as follows:When using the id-sha3-224, id-sha3-s256, id-sha3-384, or id-sha3-512 algorithm identifiers, the parameters field MUST be absent; not NULL but absent.The ECDSA (Elliptic Curve Digital Signature Algorithm) is defined in . When ECDSA is used in conjunction with one of the SHA-3 one-way hash functions the OID is, respectively:When these algorithm identifiers appear as the algorithm field in an AlgorithmIdentifier, the encoding MUST omit the parameters field. That is, the AlgorithmIdentifier SHALL be a SEQUENCE of one component: the OBJECT IDENTIFIER id-ecdsa-with-sha3-224, id-ecdsa-with-sha3-256, id-ecdsa-with-sha3-384, or id-ecdsa-with-sha3-512.The ECParameters in the subjectPublicKeyInfo field of the issuer’s certificate SHALL apply to the verification of the signature.When signing, the ECDSA algorithm generates two values. These values are commonly referred to as r and s. To easily transfer these two values as one signature, they MUST be ASN.1 encoded using the ECDSA-Sig-Value defined in but repeated here for convenience:The conventions for ECDSA public keys is as specified in .TBDIANA is kindly requested to register two OIDs in the SMI Security for PKIX Module Identifier registry for the ASN.1 modules found in Appendix A.1 and A.2. The description is as follows:id-mod-pkix1-sha3-2015id-mod-pkix1-sha3-1988where the four digits at the end represent the ASN.1’s publication date.Key words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) ProfileThis document specifies algorithm identifiers and ASN.1 encoding formats for digital signatures and subject public keys used in the Internet X.509 Public Key Infrastructure (PKI). Digital signatures are used to sign certificates and certificate revocation list (CRLs). Certificates include the public key of the named subject. [STANDARDS-TRACK]Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) ProfileThis memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]Elliptic Curve Cryptography Subject Public Key InformationThis document specifies the syntax and semantics for the Subject Public Key Information field in certificates that support Elliptic Curve Cryptography. This document updates Sections 2.3.5 and 5, and the ASN.1 module of "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279. [STANDARDS-TRACK]New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)The Public Key Infrastructure using X.509 (PKIX) certificate format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes.Digital Signature Standard, version 4National Institute of Standards and Technology, U.S. Department of CommerceSHA-3 Standard - Permutation-Based Hash and Extendable-Output FunctionsNational Institute of Standards and Technology, U.S. Department of CommerceDetermining Strengths For Public Keys Used For Exchanging Symmetric KeysImplementors of systems that use public key cryptography to exchange symmetric keys need to make the public keys resistant to some predetermined level of attack. That level of attack resistance is the strength of the system, and the symmetric keys that are exchanged must be at least as strong as the system strength requirements. The three quantities, system strength, symmetric key strength, and public key strength, must be consistently matched for any network protocol usage. While it is fairly easy to express the system strength requirements in terms of a symmetric key length and to choose a cipher that has a key length equal to or exceeding that requirement, it is harder to choose a public key that has a cryptographic strength meeting a symmetric key strength requirement. This document explains how to determine the length of an asymmetric key as a function of a symmetric key strength requirement. Some rules of thumb for estimating equivalent resistance to large-scale attacks on various algorithms are given. The document also addresses how changing the sizes of the underlying large integers (moduli, group sizes, exponents, and so on) changes the time to use the algorithms for key exchange. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) ProfileThis document supplements RFC 3279. It describes the conventions for using the RSA Probabilistic Signature Scheme (RSASSA-PSS) signature algorithm, the RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP) key transport algorithm and additional one-way hash functions with the Public-Key Cryptography Standards (PKCS) #1 version 1.5 signature algorithm in the Internet X.509 Public Key Infrastructure (PKI). Encoding formats, algorithm identifiers, and parameter formats are specified. [STANDARDS-TRACK]Algorithm Identifiers for Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and X448 for use in the Internet X.509 Public Key InfrastructureThis document specifies algorithm identifiers and ASN.1 encoding formats for Elliptic Curve constructs using the Curve25519 and Curve448 curves. The signature algorithms covered are Ed25519, Ed25519ph, Ed448 and Ed448ph. The key agreement algorithm covered are X25519 and X448. The encoding for Public Key, Private Key and EdDSA digital signature structures is provided.