 1/draftietfsmimepss02.txt 20060205 01:53:09.000000000 +0100
+++ 2/draftietfsmimepss03.txt 20060205 01:53:09.000000000 +0100
@@ 1,14 +1,14 @@
S/MIME Working Group J Schaad
Internet Draft Soaring Hawk Consulting
Document: draftietfsmimepss02.txt November 2003
+Document: draftietfsmimepss03.txt December 2003
Category: Standards
Use of the RSA PSS Signature Algorithm in CMS
Status of this Memo
This document is an InternetDraft and is in full conformance with
all provisions of Section 10 of RFC2026 [1].
InternetDrafts are working documents of the Internet Engineering
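Review bot: the cover line moves to December 2003, but the page footers rewritten in the later hunks read "Exp: August 2004", an eight-month interval, whereas the previous revision paired February 2003 with August 2003 (six months). Confirm the expiry date on the footers matches the new cover date before submission.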
@@ 43,27 +43,31 @@
[STDWORDS].
1. Overview
This document specifies the conventions for using the RSASSAPSS (RSA
Signature Scheme with Appendix  Probabilistic Signature Scheme)
[P1v2.1] digital signature algorithm with the Cryptographic Message
Syntax [CMS] signeddata content type.
Schaad Standards  Exp: August 2003 1
 CMS and PSS Signature February 2003
+Schaad Standards  Exp: August 2004 1
+ CMS and PSS Signature December 2003
CMS values are generated using ASN.1 [X.20888], using the Basic
Encoding Rules (BER) [X.20988] and the Distinguished Encoding Rules
(DER) [X.50988].
+ This document is written to be used in conjunction with RFC XXX [RSA
+ ALGS]. All of the ASN.1 structures referenced in this document are
+ defined in RFC XXX.
+
1.1 PSS Algorithm
Although there are no known defects with the PKCS #1 v1.5 [P1v1.5]
signature algorithm, RSASSAPSS [P1v2.1] was developed in an effort
to have more mathematically provable security. PKCS #1 v1.5
signatures were developed in an ad hoc manner, RSASSAPSS was
developed based on mathematical foundations.
2. Algorithm Identifiers and Parameters
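Review bot: the added paragraph cites "RFC XXX [RSAALGS]" twice, but section 5 lists [RSAALGS] as draftietfpkixrsapkalgs01.txt (November 2003), not an RFC; until a number is assigned, refer to it by the bracketed citation alone so the text does not point at a document that does not exist yet. The same sentence states that all ASN.1 structures referenced here are defined there, yet section 2 still defines RSAPublicKey and the idRSASSAPSS identifier inline; either drop those inline definitions or narrow "All of the ASN.1 structures" to the PSS parameter structures.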
@@ 95,45 +99,45 @@
and a public exponent, MUST be encoded using the RSAPublicKey type.
The output of this encoding is carried in the certificate subject
public key.
RSAPublicKey ::= SEQUENCE {
modulus INTEGER,  n
publicExponent INTEGER }  e
2.2 Signature Identifiers
+Schaad Standards  Exp: August 2004 2
+ CMS and PSS Signature December 2003
+
The algorithm identifier for RSASAAPSS signatures is:
idRSASSAPSS OBJECT IDENTIFER ::= {pkcs1 10 }
Schaad Standards  Exp: August 2003 2
 CMS and PSS Signature February 2003

When the idRSASSAPSS algorithm identifier is used for a signature,
the AlgorithmIdentifier parameters field MUST contain RSASSAPSS
params. Information about RSASSAPSSparams can be found in [RSA
ALGS].
When signing, the RSA algorithm generates a single value, and that
value is used directly as the signature value.
3. Signeddata Conventions
digestAlgorithms SHOULD contain the oneway hash function used to
compute the message digest on the eContent value.
The same oneway hash function SHOULD be used for computing the
message digest on both the eContent and the signedAttributes value
if signedAttributes exist.
 The same oneway hash function SHOULD be used for computing the
+ The same oneway hash function MUST be used for computing the
message digest on the signedAttributes and as the hashAlgorithm in
the RSAPSSparams structure.
signatureAlgorithm MUST contain idRSASSAPSS. The algorithm
parameters field MUST contain RSASSAPSSparams.
signature contains the single value resulting from the signing
operation.
If the subjectPublicKeyInfo algorithm identifier for the public key
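Review bot: raising SHOULD to MUST for the hash used over signedAttributes versus the hashAlgorithm in the PSS parameters is correct, since a verifier that recomputes the digest with one hash and runs PSS verification with another cannot succeed, but the changed sentence names the structure "RSAPSSparams" while section 2.2 and the signatureAlgorithm paragraph just below say "RSASSAPSSparams"; use one name. The unchanged context in section 2.2 also carries "RSASAAPSS" and "OBJECT IDENTIFER", worth fixing in this revision, and the two remaining SHOULDs for the eContent digest should be reconsidered against the new MUST so the requirements in section 3 read consistently.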
@@ 150,24 +154,24 @@
3. The saltLength in the signatureAlgorithm parameters MUST be
greater or equal to the saltLength in the certificate
subjectPublicKey.algorithm parameters.
4. The trailerField in the certificate subjectPublicKey.algorithm
parameters and signatureAlgorithm parameters MUST be the same.
In doing the above comparisons, default values are considered to be
the same as extant values. If any of the above four steps is not
true, the signature checking algorithm MUST fail validation.
4. Security Considerations
+Schaad Standards  Exp: August 2004 3
+ CMS and PSS Signature December 2003
Schaad Standards  Exp: August 2003 3
 CMS and PSS Signature February 2003
+4. Security Considerations
Implementations must protect the RSA private key. Compromise of the
RSA private key may result in the ability to forge signatures.
The generation of RSA private key relies on random numbers. The use
of inadequate pseudorandom number generators (PRNGs) to generate
these values can result in little or no security. An attacker may
find it much easier to reproduce the PRNG environment that produced
the keys, searching the resulting small set of possibilities, rather
than brute force searching the whole key space. The generation of
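Review bot: after this hunk the "4. Security Considerations" heading appears twice, once as the unchanged line before the page footer and again as the added line after the new footer; if the intent is to move the heading onto the next page, the original occurrence at the top of the hunk must be removed in the same hunk, otherwise the text ends up with a duplicated heading.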
@@ 178,20 +182,27 @@
of allowing an attacker to get extra information about the key. It
is strongly suggested that the same key not be used for both the PKCS
#1 v1.5 and RSASSAPSS signature algorithms.
When computing signatures, the same hash function should be used for
all operations. This reduces the number of failure points in the
signature process.
+ The parameter checking procedures outlined in section 3 are of
+ special importance. It is possible to forge signatures by changing
+ (especially to weaker values) these parameter values. Signers using
+ this algorithm should take care that only one set of parameter values
+
+ is used as this decreases the possibility of leaking information.
+
5. Normative References
CMS Housley, R, "Cryptographic Message Syntax",
RFC 3369, August 2002.
P1v2.1 Jonsson, J., and B. Kaliski, "PKCS #1: RSA
Cryptography Specification Version 2.1",
RFC 3447, February 2003.
RSAALGS Schaad, J., B. Kaliski and R Housley, "Additional
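Review bot: the added paragraph is split by a blank line in the middle of its last sentence ("only one set of parameter values" / "is used as this decreases ..."); join the two lines. The sentence "It is possible to forge signatures by changing (especially to weaker values) these parameter values" would be more useful if it named the parameters the section 3 checks cover (hashAlgorithm, saltLength, trailerField) and stated what the checks mitigate: a verifier that accepts signature parameters differing from those bound in the certificate lets the signature be verified under weaker settings than the key's owner authorized. The unchanged sentence just above ("the same hash function should be used for all operations") is now out of step with the MUST introduced in section 3 and should be aligned with it.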
@@ 202,32 +213,32 @@
draftietfpkixrsapkalgs01.txt,
November 2003.
STDWORDS S. Bradner, "Key Words for Use in RFCs to
Indicate Requirement Levels", RFC 2119, March
1997.
X.20888 CCITT Recommendation X.208: Specification of
Abstract Syntax Notation One (ASN.1), 1998.
+Schaad Standards  Exp: August 2004 4
+ CMS and PSS Signature December 2003
+
X.20988 CCITT Recommendation X.209: Specification of
Basic Encoding Rules for Abstract Syntax
Notation One (ASN.1), 1988.
X.50988 CCITT Recommendation X.509: The Directory
Authentication Framework, 1988.
6. Informational References
Schaad Standards  Exp: August 2003 4
 CMS and PSS Signature February 2003

P1v1.5 Kaliski, B. and J. Staddon, "PKCS #1: RSA Encryption,
Version 2.0, RFC 2437, October 1998.
PKALGS Polk, W, R Housley, L. Bassham, "Algorithms and Identifiers
for the Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation List (CRL) Profile",
RFC 3279, April 2002.
RANDOM Eastlake, D., S. Crocker and J. Schiller
"Randomness Recommendations for Security",
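Review bot: this hunk only relocates the page footer, but the reference entries it surrounds need attention in the same pass: the X.20888 entry gives 1998 while the companion X.20988 and X.50988 entries give 1988 (the reference tags themselves end in 88), and the P1v1.5 entry is missing the closing quotation mark after "Version 2.0". RSAALGS here is the draft that the new "RFC XXX" text in section 1 refers to; keep the two consistent.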
@@ 256,11 +267,14 @@
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
Schaad Standards  Exp: August 2003 5
+Schaad Standards  Exp: August 2004 5
+ CMS and PSS Signature December 2003
+
+Schaad Standards  Exp: August 2004 6
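Review bot: the hunk ends with a page 6 footer directly after the page 5 footer, with no page content between them; either the diff is truncated here or the new revision emits an empty sixth page. Confirm the pagination of the final page.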