draft-ietf-smime-pss-02.txt | draft-ietf-smime-pss-03.txt | |||
---|---|---|---|---|

S/MIME Working Group J Schaad | S/MIME Working Group J Schaad | |||

Internet Draft Soaring Hawk Consulting | Internet Draft Soaring Hawk Consulting | |||

Document: draft-ietf-smime-pss-02.txt November 2003 | Document: draft-ietf-smime-pss-03.txt December 2003 | |||

Category: Standards | Category: Standards | |||

Use of the RSA PSS Signature Algorithm in CMS | Use of the RSA PSS Signature Algorithm in CMS | |||

Status of this Memo | Status of this Memo | |||

This document is an Internet-Draft and is in full conformance with | This document is an Internet-Draft and is in full conformance with | |||

all provisions of Section 10 of RFC2026 [1]. | all provisions of Section 10 of RFC2026 [1]. | |||

Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||

skipping to change at line 53 | skipping to change at line 53 | |||

[STDWORDS]. | [STDWORDS]. | |||

1. Overview | 1. Overview | |||

This document specifies the conventions for using the RSASSA-PSS (RSA | This document specifies the conventions for using the RSASSA-PSS (RSA | |||

Signature Scheme with Appendix - Probabilistic Signature Scheme) | Signature Scheme with Appendix - Probabilistic Signature Scheme) | |||

[P1v2.1] digital signature algorithm with the Cryptographic Message | [P1v2.1] digital signature algorithm with the Cryptographic Message | |||

Syntax [CMS] signed-data content type. | Syntax [CMS] signed-data content type. | |||

Schaad Standards - Exp: August 2003 1 | Schaad Standards - Exp: August 2004 1 | |||

CMS and PSS Signature February 2003 | CMS and PSS Signature December 2003 | |||

CMS values are generated using ASN.1 [X.208-88], using the Basic | CMS values are generated using ASN.1 [X.208-88], using the Basic | |||

Encoding Rules (BER) [X.209-88] and the Distinguished Encoding Rules | Encoding Rules (BER) [X.209-88] and the Distinguished Encoding Rules | |||

(DER) [X.509-88]. | (DER) [X.509-88]. | |||

This document is written to be used in conjunction with RFC XXX [RSA- | ||||

ALGS]. All of the ASN.1 structures referenced in this document are | ||||

defined in RFC XXX. | ||||

1.1 PSS Algorithm | 1.1 PSS Algorithm | |||

Although there are no known defects with the PKCS #1 v1.5 [P1v1.5] | Although there are no known defects with the PKCS #1 v1.5 [P1v1.5] | |||

signature algorithm, RSASSA-PSS [P1v2.1] was developed in an effort | signature algorithm, RSASSA-PSS [P1v2.1] was developed in an effort | |||

to have more mathematically provable security. PKCS #1 v1.5 | to have more mathematically provable security. PKCS #1 v1.5 | |||

signatures were developed in an ad hoc manner, RSASSA-PSS was | signatures were developed in an ad hoc manner, RSASSA-PSS was | |||

developed based on mathematical foundations. | developed based on mathematical foundations. | |||

2. Algorithm Identifiers and Parameters | 2. Algorithm Identifiers and Parameters | |||

skipping to change at line 105 | skipping to change at line 109 | |||

and a public exponent, MUST be encoded using the RSAPublicKey type. | and a public exponent, MUST be encoded using the RSAPublicKey type. | |||

The output of this encoding is carried in the certificate subject | The output of this encoding is carried in the certificate subject | |||

public key. | public key. | |||

RSAPublicKey ::= SEQUENCE { | RSAPublicKey ::= SEQUENCE { | |||

modulus INTEGER, -- n | modulus INTEGER, -- n | |||

publicExponent INTEGER } -- e | publicExponent INTEGER } -- e | |||

2.2 Signature Identifiers | 2.2 Signature Identifiers | |||

Schaad Standards - Exp: August 2004 2 | ||||

CMS and PSS Signature December 2003 | ||||

The algorithm identifier for RSASAA-PSS signatures is: | The algorithm identifier for RSASAA-PSS signatures is: | |||

id-RSASSA-PSS OBJECT IDENTIFER ::= {pkcs-1 10 } | id-RSASSA-PSS OBJECT IDENTIFER ::= {pkcs-1 10 } | |||

Schaad Standards - Exp: August 2003 2 | ||||

CMS and PSS Signature February 2003 | ||||

When the id-RSASSA-PSS algorithm identifier is used for a signature, | When the id-RSASSA-PSS algorithm identifier is used for a signature, | |||

the AlgorithmIdentifier parameters field MUST contain RSASSA-PSS- | the AlgorithmIdentifier parameters field MUST contain RSASSA-PSS- | |||

params. Information about RSASSA-PSS-params can be found in [RSA- | params. Information about RSASSA-PSS-params can be found in [RSA- | |||

ALGS]. | ALGS]. | |||

When signing, the RSA algorithm generates a single value, and that | When signing, the RSA algorithm generates a single value, and that | |||

value is used directly as the signature value. | value is used directly as the signature value. | |||

3. Signed-data Conventions | 3. Signed-data Conventions | |||

digestAlgorithms SHOULD contain the one-way hash function used to | digestAlgorithms SHOULD contain the one-way hash function used to | |||

compute the message digest on the eContent value. | compute the message digest on the eContent value. | |||

The same one-way hash function SHOULD be used for computing the | The same one-way hash function SHOULD be used for computing the | |||

message digest on both the eContent and the signedAttributes value | message digest on both the eContent and the signedAttributes value | |||

if signedAttributes exist. | if signedAttributes exist. | |||

The same one-way hash function SHOULD be used for computing the | The same one-way hash function MUST be used for computing the | |||

message digest on the signedAttributes and as the hashAlgorithm in | message digest on the signedAttributes and as the hashAlgorithm in | |||

the RSA-PSS-params structure. | the RSA-PSS-params structure. | |||

signatureAlgorithm MUST contain id-RSASSA-PSS. The algorithm | signatureAlgorithm MUST contain id-RSASSA-PSS. The algorithm | |||

parameters field MUST contain RSASSA-PSS-params. | parameters field MUST contain RSASSA-PSS-params. | |||

signature contains the single value resulting from the signing | signature contains the single value resulting from the signing | |||

operation. | operation. | |||

If the subjectPublicKeyInfo algorithm identifier for the public key | If the subjectPublicKeyInfo algorithm identifier for the public key | |||

skipping to change at line 160 | skipping to change at line 164 | |||

3. The saltLength in the signatureAlgorithm parameters MUST be | 3. The saltLength in the signatureAlgorithm parameters MUST be | |||

greater or equal to the saltLength in the certificate | greater or equal to the saltLength in the certificate | |||

subjectPublicKey.algorithm parameters. | subjectPublicKey.algorithm parameters. | |||

4. The trailerField in the certificate subjectPublicKey.algorithm | 4. The trailerField in the certificate subjectPublicKey.algorithm | |||

parameters and signatureAlgorithm parameters MUST be the same. | parameters and signatureAlgorithm parameters MUST be the same. | |||

In doing the above comparisons, default values are considered to be | In doing the above comparisons, default values are considered to be | |||

the same as extant values. If any of the above four steps is not | the same as extant values. If any of the above four steps is not | |||

true, the signature checking algorithm MUST fail validation. | true, the signature checking algorithm MUST fail validation. | |||

4. Security Considerations | Schaad Standards - Exp: August 2004 3 | |||

CMS and PSS Signature December 2003 | ||||

Schaad Standards - Exp: August 2003 3 | 4. Security Considerations | |||

CMS and PSS Signature February 2003 | ||||

Implementations must protect the RSA private key. Compromise of the | Implementations must protect the RSA private key. Compromise of the | |||

RSA private key may result in the ability to forge signatures. | RSA private key may result in the ability to forge signatures. | |||

The generation of RSA private key relies on random numbers. The use | The generation of RSA private key relies on random numbers. The use | |||

of inadequate pseudo-random number generators (PRNGs) to generate | of inadequate pseudo-random number generators (PRNGs) to generate | |||

these values can result in little or no security. An attacker may | these values can result in little or no security. An attacker may | |||

find it much easier to reproduce the PRNG environment that produced | find it much easier to reproduce the PRNG environment that produced | |||

the keys, searching the resulting small set of possibilities, rather | the keys, searching the resulting small set of possibilities, rather | |||

than brute force searching the whole key space. The generation of | than brute force searching the whole key space. The generation of | |||

skipping to change at line 188 | skipping to change at line 192 | |||

of allowing an attacker to get extra information about the key. It | of allowing an attacker to get extra information about the key. It | |||

is strongly suggested that the same key not be used for both the PKCS | is strongly suggested that the same key not be used for both the PKCS | |||

#1 v1.5 and RSASSA-PSS signature algorithms. | #1 v1.5 and RSASSA-PSS signature algorithms. | |||

When computing signatures, the same hash function should be used for | When computing signatures, the same hash function should be used for | |||

all operations. This reduces the number of failure points in the | all operations. This reduces the number of failure points in the | |||

signature process. | signature process. | |||

The parameter checking procedures outlined in section 3 are of | ||||

special importance. It is possible to forge signatures by changing | ||||

(especially to weaker values) these parameter values. Signers using | ||||

this algorithm should take care that only one set of parameter values | ||||

is used as this decreases the possibility of leaking information. | ||||

5. Normative References | 5. Normative References | |||

CMS Housley, R, "Cryptographic Message Syntax", | CMS Housley, R, "Cryptographic Message Syntax", | |||

RFC 3369, August 2002. | RFC 3369, August 2002. | |||

P1v2.1 Jonsson, J., and B. Kaliski, "PKCS #1: RSA | P1v2.1 Jonsson, J., and B. Kaliski, "PKCS #1: RSA | |||

Cryptography Specification Version 2.1", | Cryptography Specification Version 2.1", | |||

RFC 3447, February 2003. | RFC 3447, February 2003. | |||

RSA-ALGS Schaad, J., B. Kaliski and R Housley, "Additional | RSA-ALGS Schaad, J., B. Kaliski and R Housley, "Additional | |||

skipping to change at line 212 | skipping to change at line 223 | |||

draft-ietf-pkix-rsa-pkalgs-01.txt, | draft-ietf-pkix-rsa-pkalgs-01.txt, | |||

November 2003. | November 2003. | |||

STDWORDS S. Bradner, "Key Words for Use in RFCs to | STDWORDS S. Bradner, "Key Words for Use in RFCs to | |||

Indicate Requirement Levels", RFC 2119, March | Indicate Requirement Levels", RFC 2119, March | |||

1997. | 1997. | |||

X.208-88 CCITT Recommendation X.208: Specification of | X.208-88 CCITT Recommendation X.208: Specification of | |||

Abstract Syntax Notation One (ASN.1), 1998. | Abstract Syntax Notation One (ASN.1), 1998. | |||

Schaad Standards - Exp: August 2004 4 | ||||

CMS and PSS Signature December 2003 | ||||

X.209-88 CCITT Recommendation X.209: Specification of | X.209-88 CCITT Recommendation X.209: Specification of | |||

Basic Encoding Rules for Abstract Syntax | Basic Encoding Rules for Abstract Syntax | |||

Notation One (ASN.1), 1988. | Notation One (ASN.1), 1988. | |||

X.509-88 CCITT Recommendation X.509: The Directory | X.509-88 CCITT Recommendation X.509: The Directory | |||

Authentication Framework, 1988. | Authentication Framework, 1988. | |||

6. Informational References | 6. Informational References | |||

Schaad Standards - Exp: August 2003 4 | ||||

CMS and PSS Signature February 2003 | ||||

P1v1.5 Kaliski, B. and J. Staddon, "PKCS #1: RSA Encryption, | P1v1.5 Kaliski, B. and J. Staddon, "PKCS #1: RSA Encryption, | |||

Version 2.0, RFC 2437, October 1998. | Version 2.0, RFC 2437, October 1998. | |||

PKALGS Polk, W, R Housley, L. Bassham, "Algorithms and Identifiers | PKALGS Polk, W, R Housley, L. Bassham, "Algorithms and Identifiers | |||

for the Internet X.509 Public Key Infrastructure | for the Internet X.509 Public Key Infrastructure | |||

Certificate and Certificate Revocation List (CRL) Profile", | Certificate and Certificate Revocation List (CRL) Profile", | |||

RFC 3279, April 2002. | RFC 3279, April 2002. | |||

RANDOM Eastlake, D., S. Crocker and J. Schiller | RANDOM Eastlake, D., S. Crocker and J. Schiller | |||

"Randomness Recommendations for Security", | "Randomness Recommendations for Security", | |||

skipping to change at line 266 | skipping to change at line 277 | |||

the copyright notice or references to the Internet Society or other | the copyright notice or references to the Internet Society or other | |||

Internet organizations, except as needed for the purpose of | Internet organizations, except as needed for the purpose of | |||

developing Internet standards in which case the procedures for | developing Internet standards in which case the procedures for | |||

copyrights defined in the Internet Standards process must be | copyrights defined in the Internet Standards process must be | |||

followed, or as required to translate it into languages other than | followed, or as required to translate it into languages other than | |||

English. | English. | |||

The limited permissions granted above are perpetual and will not be | The limited permissions granted above are perpetual and will not be | |||

revoked by the Internet Society or its successors or assigns. | revoked by the Internet Society or its successors or assigns. | |||

Schaad Standards - Exp: August 2003 5 | Schaad Standards - Exp: August 2004 5 | |||

CMS and PSS Signature December 2003 | ||||

Schaad Standards - Exp: August 2004 6 | ||||

End of changes. | ||||

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |