 1/draftietfsmimepss01.txt 20060205 01:53:08.000000000 +0100
+++ 2/draftietfsmimepss02.txt 20060205 01:53:08.000000000 +0100
@@ 1,17 +1,17 @@
S/MIME Working Group J Schaad
Internet Draft Soaring Hawk Consulting
Document: draftietfsmimepss01.txt May 2003
+Document: draftietfsmimepss02.txt November 2003
Category: Standards
 Use of the PSS Signature Algorithm in CMS
+ Use of the RSA PSS Signature Algorithm in CMS
Status of this Memo
This document is an InternetDraft and is in full conformance with
all provisions of Section 10 of RFC2026 [1].
InternetDrafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet
Drafts. InternetDrafts are draft documents valid for a maximum of
@@ 26,48 +26,44 @@
The list of InternetDraft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Comments or suggestions for improvement may be made on the "ietf
smime" mailing list, or directly to the author.
Abstract
This document specifies the conventions for using the RSA
Probabilistic Signature Scheme (RSASSAPSS) digital signature
 algorithm [P1v2.1] with the Cryptographic Message Syntax (CMS) [CMS].
+ algorithm with the Cryptographic Message Syntax (CMS).
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC 2119
[STDWORDS].
1. Overview
 This document specifies the conventions for using the RSASSAPSS
+ This document specifies the conventions for using the RSASSAPSS (RSA
+
+ Signature Scheme with Appendix  Probabilistic Signature Scheme)
[P1v2.1] digital signature algorithm with the Cryptographic Message
Syntax [CMS] signeddata content type.
Schaad Standards  Exp: November 2003 1
 CMS and PSS Signature May 2003
+Schaad Standards  Exp: August 2003 1
+ CMS and PSS Signature February 2003
CMS values are generated using ASN.1 [X.20888], using the Basic
Encoding Rules (BER) [X.20988] and the Distinguished Encoding Rules
(DER) [X.50988].
 NOTE: AT PRESENT THERE ARE INCOMPATILITIES BETWEEN THIS DOCUMENT AND

 RSASSAPSS [P1v2.1] and RFC XXX [RSAALGS]. These will be resolved
 before final acceptance by the working group and reflect issues that
 I believe need to be addressed in those documents.

1.1 PSS Algorithm
Although there are no known defects with the PKCS #1 v1.5 [P1v1.5]
signature algorithm, RSASSAPSS [P1v2.1] was developed in an effort
to have more mathematically provable security. PKCS #1 v1.5
signatures were developed in an ad hoc manner, RSASSAPSS was
developed based on mathematical foundations.
2. Algorithm Identifiers and Parameters
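Review bot: the footer replacement in this hunk goes backwards in time: "Exp: November 2003 / May 2003" becomes "Exp: August 2003 / February 2003" in a draft whose header (previous hunk) says November 2003, so the -02 text would carry an expiry date that has already passed; the footer should be regenerated to "Exp: May 2004" with the November 2003 running date. The expanded acronym is also split by a stray blank line inside the parenthetical ("+ This document specifies the conventions for using the RSASSAPSS (RSA" / "+" / "+ Signature Scheme with Appendix  Probabilistic Signature Scheme)"), which turns one sentence into two paragraphs; drop the blank line and put the dash back between "Appendix" and "Probabilistic". Removing the all-caps NOTE about incompatibilities with [P1v2.1] and [RSAALGS] is only justified if those issues were resolved; the reference updates in the last hunk (RFC 3447, rsa-pkalgs-01) suggest they were, but the parameter type is still spelled two ways in the unchanged section 3 context ("RSAPSSparams" versus "RSASSAPSSparams"), which is exactly the kind of mismatch the note was flagging. Dropping the bracketed citations from the abstract is correct; abstracts should be self-contained.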
@@ 86,40 +82,40 @@
idRSASSAPSS OBJECT IDENTIFIER ::= { pkcs1 10 }
When the rsaEncryption algorithm identifier is used for a public
key, the AlgorithmIdentifier parameters field MUST contain NULL.
Complete details can be found in [RSAALGS].
When the idRSASSAPSS algorithm identifier is used for a public
key, the AlgorithmIdentifier parameters field MUST either be absent
or contain RSASSAPSSparams. Again, complete details can be found
 in [PKALGS].
+ in [RSAALGS].
In both cases, the RSA public key, which is composed of a modulus
and a public exponent, MUST be encoded using the RSAPublicKey type.
The output of this encoding is carried in the certificate subject
public key.
RSAPublicKey ::= SEQUENCE {
modulus INTEGER,  n
publicExponent INTEGER }  e
Schaad Standards  Exp: November 2003 2
 CMS and PSS Signature May 2003

2.2 Signature Identifiers
The algorithm identifier for RSASAAPSS signatures is:
idRSASSAPSS OBJECT IDENTIFER ::= {pkcs1 10 }
+Schaad Standards  Exp: August 2003 2
+ CMS and PSS Signature February 2003
+
When the idRSASSAPSS algorithm identifier is used for a signature,
the AlgorithmIdentifier parameters field MUST contain RSASSAPSS
params. Information about RSASSAPSSparams can be found in [RSA
ALGS].
When signing, the RSA algorithm generates a single value, and that
value is used directly as the signature value.
3. Signeddata Conventions
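Review bot: changing "[PKALGS]" to "[RSAALGS]" for the public-key parameter details is right, since RSASSA-PSS-params is defined in the rsa-pkalgs draft, not in RFC 3279; but once this citation goes, no remaining line in the visible hunks cites [PKALGS] at all, which is consistent with the last hunk demoting it to Informational References only if nothing outside the shown context (for example the rsaEncryption OID text in 2.1) still relies on it normatively. Two typos survive in the unchanged context and should be fixed while this section is being touched: "RSASAAPSS signatures" and "OBJECT IDENTIFER". The footer lines added here carry the same regressed "Exp: August 2003 / February 2003" dates as the other hunks.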
@@ 134,106 +130,112 @@
message digest on the signedAttributes and as the hashAlgorithm in
the RSAPSSparams structure.
signatureAlgorithm MUST contain idRSASSAPSS. The algorithm
parameters field MUST contain RSASSAPSSparams.
signature contains the single value resulting from the signing
operation.
If the subjectPublicKeyInfo algorithm identifier for the public key
 in the certificate is idRSASSAPSS and the parameters field is not
 absent, the following additional steps MUST be done as part of
+ in the certificate is idRSASSAPSS and the parameters field is
+ present, the following additional steps MUST be done as part of
signature validation:
1. The hashAlgorithm field in the certificate
subjectPublicKey.algorithm parameters and the signatureAlgorithm
parameters MUST be the same.
2. The maskGenAlgorithm field in the certificate
subjectPublicKey.algorithm parameters and the signatureAlgorithm
parameters MUST be the same.
3. The saltLength in the signatureAlgorithm parameters MUST be
greater or equal to the saltLength in the certificate
subjectPublicKey.algorithm parameters.
4. The trailerField in the certificate subjectPublicKey.algorithm
parameters and signatureAlgorithm parameters MUST be the same.
In doing the above comparisons, default values are considered to be
the same as extant values. If any of the above four steps is not
true, the signature checking algorithm MUST fail validation.
Schaad Standards  Exp: November 2003 3
 CMS and PSS Signature May 2003

4. Security Considerations
+Schaad Standards  Exp: August 2003 3
+ CMS and PSS Signature February 2003
+
Implementations must protect the RSA private key. Compromise of the
RSA private key may result in the ability to forge signatures.
The generation of RSA private key relies on random numbers. The use
of inadequate pseudorandom number generators (PRNGs) to generate
these values can result in little or no security. An attacker may
find it much easier to reproduce the PRNG environment that produced
the keys, searching the resulting small set of possibilities, rather
than brute force searching the whole key space. The generation of
quality random numbers is difficult. RFC 1750 [RANDOM] offers
important guidance in this area.
+ Using the same private key for different algorithms has the potential
+
+ of allowing an attacker to get extra information about the key. It
+ is strongly suggested that the same key not be used for both the PKCS
+
+ #1 v1.5 and RSASSAPSS signature algorithms.
+
+ When computing signatures, the same hash function should be used for
+ all operations. This reduces the number of failure points in the
+ signature process.
+
5. Normative References
CMS Housley, R, "Cryptographic Message Syntax",
RFC 3369, August 2002.
P1v2.1 Jonsson, J., and B. Kaliski, "PKCS #1: RSA
Cryptography Specification Version 2.1",
 InternetDraft, August 2002.

+ RFC 3447, February 2003.
 RSAALGS Housley, R. and B. Kaliski, "Additional
+ RSAALGS Schaad, J., B. Kaliski and R Housley, "Additional
Algorithms and Identifiers for RSA Cryptography
for use in the Internet X.509 Public Key
Infrastructure Certificate and Certificate
Revocation List (CRL) Profile",
 draftietfpkixrsapkalgs00.txt,
 December 2002.

 PKALGS Polk, W, R Housley, L. Bassham, "Algorithms and Identifiers
 for the Internet X.509 Public Key Infrastructure
 Certificate and Certificate Revocation List (CRL) Profile",
 RFC 3279, April 2002.

 SHA2 National Institute of Standards and Technology
 (NIST), FIPS 1802: Secure Hash Standard, 1
 August 2002.
+ draftietfpkixrsapkalgs01.txt,
+ November 2003.
STDWORDS S. Bradner, "Key Words for Use in RFCs to
Indicate Requirement Levels", RFC 2119, March
1997.
X.20888 CCITT Recommendation X.208: Specification of
Abstract Syntax Notation One (ASN.1), 1998.
X.20988 CCITT Recommendation X.209: Specification of
Basic Encoding Rules for Abstract Syntax
Notation One (ASN.1), 1988.
Schaad Standards  Exp: November 2003 4
 CMS and PSS Signature May 2003

X.50988 CCITT Recommendation X.509: The Directory
Authentication Framework, 1988.
6. Informational References
+Schaad Standards  Exp: August 2003 4
+ CMS and PSS Signature February 2003
+
P1v1.5 Kaliski, B. and J. Staddon, "PKCS #1: RSA Encryption,
Version 2.0, RFC 2437, October 1998.
+ PKALGS Polk, W, R Housley, L. Bassham, "Algorithms and Identifiers
+ for the Internet X.509 Public Key Infrastructure
+ Certificate and Certificate Revocation List (CRL) Profile",
+ RFC 3279, April 2002.
+
RANDOM Eastlake, D., S. Crocker and J. Schiller
"Randomness Recommendations for Security",
RFC 1750, December 1994.
7. Author's Address
Jim Schaad
Soaring Hawk Consulting
PO Box 675
Gold Bar, WA 98251
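Review bot: the two new Security Considerations paragraphs use lowercase "should" and "strongly suggested" in a Standards Track document that declares RFC 2119 keywords at the top; either write "SHOULD NOT use the same key for both PKCS #1 v1.5 and RSASSA-PSS" and "SHOULD use the same hash function" or make clear these are non-normative advice. The second paragraph is also vaguer than the normative text above it: the signed-data context already says digestAlgorithm MUST equal the hashAlgorithm in the params, so "all operations" should spell out what is left, namely the hash inside maskGenAlgorithm (MGF1) as well as the message digest and PSS hashAlgorithm, and "reduces the number of failure points" should say that mismatched hashes are a common interoperability failure, not just a count of failure points. The added text is again broken by stray blank lines mid-sentence ("has the potential" / "+" / "of allowing an attacker" and "the PKCS" / "+" / "#1 v1.5"). Rewording "is not absent" to "is present" is a clear improvement. On the references: "+ RFC 3447, February 2003." is the correct citation for PKCS #1 v2.1, though RFC 3447's title is "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1"; the RSAALGS author list is missing a period after "R"; the deleted [SHA2] entry is not cited anywhere in the visible context, so confirm no SHA-256/384/512 text elsewhere in section 3 still cites it before dropping it. The footer change in this hunk has the same backwards expiry as the others.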
@@ 254,11 +256,11 @@
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
Schaad Standards  Exp: November 2003 5
+Schaad Standards  Exp: August 2003 5
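Review bot: the only change in this hunk is the footer "Exp: November 2003" becoming "Exp: August 2003", which, for a draft dated November 2003 in the first hunk, sets an expiry three months in the past; together with the identical footer edits on pages 1 through 4 this looks like the -02 text was generated from a template older than -01, and the footers should be regenerated to "Exp: May 2004" with the November 2003 running date rather than edited by hand.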