draft-ietf-smime-sha2-03.txt | draft-ietf-smime-sha2-04.txt | |||
---|---|---|---|---|

S/MIME WG Sean Turner, IECA | S/MIME WG Sean Turner, IECA | |||

Intended Status: Standard Track | Intended Status: Standard Track | |||

Expires: July 30, 2008 | Expires: September 11, 2008 | |||

Using SHA2 Algorithms with Cryptographic Message Syntax | Using SHA2 Algorithms with Cryptographic Message Syntax | |||

draft-ietf-smime-sha2-03.txt | draft-ietf-smime-sha2-04.txt | |||

Status of this Memo | Status of this Memo | |||

By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||

applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||

have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||

aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||

Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||

Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||

skipping to change at page 1, line 33 | skipping to change at page 1, line 33 | |||

and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||

time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||

material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||

The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||

http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||

The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||

http://www.ietf.org/shadow.html | http://www.ietf.org/shadow.html | |||

This Internet-Draft will expire on July 30, 2008. | This Internet-Draft will expire on September 11, 2008. | |||

Copyright Notice | Copyright Notice | |||

Copyright (C) The IETF Trust (2008). | Copyright (C) The IETF Trust (2008). | |||

Abstract | Abstract | |||

This document describes the conventions for using the message digest | This document describes the conventions for using the Secure Hash | |||

algorithms SHA-224, SHA-256, SHA-384, SHA-512, as defined in FIPS | Algorithm (SHA) message digest algorithms (SHA-224, SHA-256, SHA-384, | |||

180-3, with the Cryptographic Message Syntax (CMS). It also describes | SHA-512) with the Cryptographic Message Syntax (CMS). It also | |||

the conventions for using these algorithms with CMS and the DSA, RSA, | describes the conventions for using these algorithms with CMS and the | |||

and ECDSA signature algorithms. | Digital Signature Algorithm (DSA), Rivest Shamir Adleman (RSA), and | |||

Elliptic Curve DSA (ECDSA) signature algorithms. | ||||

Conventions used in this document | Conventions used in this document | |||

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||

"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||

document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||

Table of Contents | Table of Contents | |||

1. Introduction...................................................2 | 1. Introduction...................................................2 | |||

skipping to change at page 2, line 34 | skipping to change at page 2, line 34 | |||

5. IANA Considerations............................................7 | 5. IANA Considerations............................................7 | |||

6. References.....................................................7 | 6. References.....................................................7 | |||

6.1. Normative References......................................7 | 6.1. Normative References......................................7 | |||

6.2. Informative References....................................8 | 6.2. Informative References....................................8 | |||

1. Introduction | 1. Introduction | |||

This document specifies the algorithm identifiers and specifies | This document specifies the algorithm identifiers and specifies | |||

parameters for the message digest algorithms SHA-224, SHA-256, SHA- | parameters for the message digest algorithms SHA-224, SHA-256, SHA- | |||

384, and SHA-512 for use with the Cryptographic Message Syntax (CMS) | 384, and SHA-512 for use with the Cryptographic Message Syntax (CMS) | |||

[RFC3852]. The message digest algorithms are defined in and [SHS]. | [RFC3852]. The message digest algorithms are defined in [SHS]. | |||

If an implementation chooses to support one of the algorithms | ||||

discussed in this document, then the implementation MUST do so as | ||||

described in this document. | ||||

This document also specifies the algorithm identifiers and parameters | This document also specifies the algorithm identifiers and parameters | |||

for use of SHA-224, SHA-256, SHA-384, and SHA-512 with DSA, RSA, and | for use of SHA-224, SHA-256, SHA-384, and SHA-512 with DSA [DSS], RSA | |||

ECDSA. If an implementation chooses to support one of the algorithms | [RFC2313], and ECDSA [X9.62]. | |||

discussed in this document, then the implementation MUST do so as | ||||

described in this document. | ||||

This document does not define new identifiers; they are taken from | This document does not define new identifiers; they are taken from | |||

[RFC3874], [RFC4055], [ECCADD], [RFC3278], and [RFC3370]. | [RFC3874], [RFC4055], [ECCADD], and [RFC3278]. Additionally, the | |||

Additionally, the parameters follow the conventions specified | parameters follow the conventions specified therein. Therefore, | |||

therein. Therefore, there is no ASN.1 module included in this | there is no Abstract Syntax Notation One (ASN.1) module included in | |||

document. | this document. | |||

Note that [RFC4231] specifies the conventions for use of for the | Note that [RFC4231] specifies the conventions for the message | |||

message authentication code (MAC) algorithms: HMAC with SHA-224, HMAC | authentication code (MAC) algorithms: HMAC with SHA-224, HMAC with | |||

with SHA-256, HMAC with SHA-384, and HMAC with SHA-512. | SHA-256, HMAC with SHA-384, and HMAC with SHA-512. | |||

In CMS, the various algorithm identifiers use the AlgorithmIdentifier | In CMS, the various algorithm identifiers use the AlgorithmIdentifier | |||

syntax, which is included here for convenience: | syntax, which is included here for convenience: | |||

AlgorithmIdentifier ::= SEQUENCE { | AlgorithmIdentifier ::= SEQUENCE { | |||

algorithm OBJECT IDENTIFIER, | algorithm OBJECT IDENTIFIER, | |||

parameters ANY DEFINED BY algorithm OPTIONAL } | parameters ANY DEFINED BY algorithm OPTIONAL } | |||

2. Message Digest Algorithms | 2. Message Digest Algorithms | |||

skipping to change at page 3, line 33 | skipping to change at page 3, line 29 | |||

Digest values are located in the DigestedData digest field and the | Digest values are located in the DigestedData digest field and the | |||

Message Digest authenticated attribute. In addition, digest values | Message Digest authenticated attribute. In addition, digest values | |||

are input to signature algorithms. | are input to signature algorithms. | |||

The digest algorithm identifiers use the AlgorithmIdentifier syntax | The digest algorithm identifiers use the AlgorithmIdentifier syntax | |||

elaborated upon in Section 1. | elaborated upon in Section 1. | |||

The algorithm field is discussed in Sections 2.1-2.4 for each message | The algorithm field is discussed in Sections 2.1-2.4 for each message | |||

digest algorithm. | digest algorithm. | |||

The following addresses the parameters field: | ||||

There are two possible encodings for the SHA AlgorithmIdentifier | There are two possible encodings for the SHA AlgorithmIdentifier | |||

parameters field. The two alternatives arise from the fact that when | parameters field. The two alternatives arise from the fact that when | |||

the 1988 syntax for AlgorithmIdentifier was translated into the 1997 | the 1988 syntax for AlgorithmIdentifier was translated into the 1997 | |||

syntax, the OPTIONAL associated with the AlgorithmIdentifier | syntax, the OPTIONAL associated with the AlgorithmIdentifier | |||

parameters got lost. Later the OPTIONAL was recovered via a defect | parameters got lost. Later the OPTIONAL was recovered via a defect | |||

report, but by then many people thought that algorithm parameters | report, but by then many people thought that algorithm parameters | |||

were mandatory. Because of this history some implementations encode | were mandatory. Because of this history some implementations encode | |||

parameters as a NULL element and others omit them entirely. The | parameters as a NULL element and others omit them entirely. The | |||

correct encoding is to omit the parameters field; however, | correct encoding is to omit the parameters field; however, | |||

implementations MUST also handle a SHA AlgorithmIdentifier parameters | implementations MUST also handle a SHA AlgorithmIdentifier parameters | |||

skipping to change at page 4, line 42 | skipping to change at page 4, line 40 | |||

algorithm identifier for SHA-384 is: | algorithm identifier for SHA-384 is: | |||

id-sha384 OBJECT IDENTIFIER ::= { | id-sha384 OBJECT IDENTIFIER ::= { | |||

joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) | joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) | |||

csor(3) nistalgorithm(4) hashalgs(2) 2 } | csor(3) nistalgorithm(4) hashalgs(2) 2 } | |||

The parameters are as specified in Section 2. | The parameters are as specified in Section 2. | |||

2.4. SHA-512 | 2.4. SHA-512 | |||

The SHA-256 message digest algorithm is defined in [SHS]. The | The SHA-512 message digest algorithm is defined in [SHS]. The | |||

algorithm identifier for SHA-512 is: | algorithm identifier for SHA-512 is: | |||

id-sha512 OBJECT IDENTIFIER ::= { | id-sha512 OBJECT IDENTIFIER ::= { | |||

joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) | joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) | |||

csor(3) nistalgorithm(4) hashalgs(2) 3 } | csor(3) nistalgorithm(4) hashalgs(2) 3 } | |||

The parameters are as specified in Section 2. | The parameters are as specified in Section 2. | |||

3. Signature Algorithms | 3. Signature Algorithms | |||

This section specifies the conventions employed by CMS | This section specifies the conventions employed by CMS | |||

implementations that support DSA [DSS], ECDSA [X9.62], and RSA | implementations that support DSA, RSA, and ECDSA with SHA2 | |||

[RFC2313] with SHA2 algorithms. | algorithms. | |||

Signature algorithm identifiers are located in the SignerInfo | Signature algorithm identifiers are located in the SignerInfo | |||

signatureAlgorithm field of SignedData. Also, signature algorithm | signatureAlgorithm field of SignedData. Also, signature algorithm | |||

identifiers are located in the SignerInfo signatureAlgorithm field of | identifiers are located in the SignerInfo signatureAlgorithm field of | |||

countersignature attributes. | countersignature attributes. | |||

Signature values are located in the SignerInfo signature field of | Signature values are located in the SignerInfo signature field of | |||

SignedData. Also, signature values are located in the SignerInfo | SignedData. Also, signature values are located in the SignerInfo | |||

signature field of countersignature attributes. | signature field of countersignature attributes. | |||

NOTE [to be removed upon publication as an RFC]: NIST has not yet | ||||

finalized FIPS 186-3 and there is a chance that the draft may be | ||||

changed. This may result in differences between what is documented | ||||

in the current version of this document and what is in the FIPS. It | ||||

is intended to synchronize the final version of this draft with the | ||||

FIPS before publication as an RFC. | ||||

3.1. DSA | 3.1. DSA | |||

[RFC3370] section 3.1 specifies the conventions for DSA with SHA1 | [RFC3370] section 3.1 specifies the conventions for DSA with SHA1 | |||

public key algorithm identifiers, parameters, public keys, and | public key algorithm identifiers, parameters, public keys, and | |||

signature values. DSA with SHA2 algorithms uses the same conventions | signature values. DSA with SHA2 algorithms uses the same conventions | |||

for these public key algorithm identifiers, parameters, public keys, | for these public key algorithm identifiers, parameters, public keys, | |||

and signature values. DSA MAY be used with SHA-224 and SHA-256. | and signature values. DSA MAY be used with SHA-224 and SHA-256. | |||

DSA has not been specified with SHA-384 and SHA-512. SHA-384 and | ||||

SHA-512 are not supported because the maximum bit length of p | ||||

(specified as L) is 3072 for DSA. For consistent cryptographic | ||||

strength, SHA-384 would be used with DSA where L is 7068, and SHA-512 | ||||

would be used with DSA where L is 15360. | ||||

The algorithm identifier for DSA with SHA-224 signature values is: | The algorithm identifier for DSA with SHA-224 signature values is: | |||

id-dsa-with-sha224 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) | id-dsa-with-sha224 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) | |||

country(16) us(840) organization(1) gov(101) csor(3) | country(16) us(840) organization(1) gov(101) csor(3) | |||

algorithms(4) id-dsa-with-sha2(3) 1 } | algorithms(4) id-dsa-with-sha2(3) 1 } | |||

The algorithm identifier for DSA with SHA-224 signature values is: | The algorithm identifier for DSA with SHA-256 signature values is: | |||

id-dsa-with-sha256 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) | id-dsa-with-sha256 OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) | |||

country(16) us(840) organization(1) gov(101) csor(3) | country(16) us(840) organization(1) gov(101) csor(3) | |||

algorithms(4) id-dsa-with-sha2(3) 2 } | algorithms(4) id-dsa-with-sha2(3) 2 } | |||

When either of these algorithm identifiers is used, the | When either of these algorithm identifiers is used, the | |||

AlgorithmIdentifier parameters field MUST be absent. | AlgorithmIdentifier parameters field MUST be absent. | |||

3.2. RSA | 3.2. RSA | |||

skipping to change at page 6, line 46 | skipping to change at page 6, line 46 | |||

MUST accept the parameters being absent as well as present. | MUST accept the parameters being absent as well as present. | |||

3.3. ECDSA | 3.3. ECDSA | |||

[RFC3278] section 2.1 specifies the conventions for ECDSA with SHA1 | [RFC3278] section 2.1 specifies the conventions for ECDSA with SHA1 | |||

public key algorithm identifiers, parameters, public keys, and | public key algorithm identifiers, parameters, public keys, and | |||

signature values. ECDSA with SHA2 algorithms uses the same | signature values. ECDSA with SHA2 algorithms uses the same | |||

conventions for these public key algorithm identifiers, parameters, | conventions for these public key algorithm identifiers, parameters, | |||

public keys, and signature values, except that the digestAlgorithm | public keys, and signature values, except that the digestAlgorithm | |||

MUST include the corresponding message digest algorithm identifier, | MUST include the corresponding message digest algorithm identifier, | |||

and not sha-1 object identifier. ECDSA MAY be used with SHA-224, | and not the sha-1 object identifier. ECDSA MAY be used with SHA-224, | |||

SHA-256, SHA-384, or SHA-512. | SHA-256, SHA-384, or SHA-512. | |||

The algorithm identifier for ECDSA with SHA-224 signature values is: | The algorithm identifier for ECDSA with SHA-224 signature values is: | |||

ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) | ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { iso(1) member-body(2) | |||

us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 1 } | us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 1 } | |||

The algorithm identifier for ECDSA with SHA-256 signature values is: | The algorithm identifier for ECDSA with SHA-256 signature values is: | |||

ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) | ecdsa-with-SHA256 OBJECT IDENTIFIER ::= { iso(1) member-body(2) | |||

skipping to change at page 7, line 49 | skipping to change at page 7, line 49 | |||

6. References | 6. References | |||

6.1. Normative References | 6.1. Normative References | |||

[ECCADD] Dang, S., Santesson, S., Moriarty, K., and Brown, | [ECCADD] Dang, S., Santesson, S., Moriarty, K., and Brown, | |||

"Internet X.509 Public Key Infrastructure: Additional | "Internet X.509 Public Key Infrastructure: Additional | |||

Algorithms and Identifiers for DSA and ECDSA", work-in- | Algorithms and Identifiers for DSA and ECDSA", work-in- | |||

progress. | progress. | |||

[DSS] Federal Information Processing Standards Publication | [DSS] Federal Information Processing Standards Publication | |||

(FIPS PUB) 186-3, Secure Hash Standard (SHS), July 2007. | (FIPS PUB) 186-2, Secure Hash Standard (SHS), 2000. | |||

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||

Requirement Levels", BCP 14, RFC 2119. March 1997. | Requirement Levels", BCP 14, RFC 2119. March 1997. | |||

[RFC2313] Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC | [RFC2313] Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC | |||

2313, March 1998. | 2313, March 1998. | |||

[RFC3278] Blake-Wilson, S., Brown, D., and P. Lambert, "Use of | [RFC3278] Blake-Wilson, S., Brown, D., and P. Lambert, "Use of | |||

Elliptic Curve Cryptography (ECC) Algorithms in | Elliptic Curve Cryptography (ECC) Algorithms in | |||

Cryptographic Message Syntax (CMS)", RFC 3278, April | Cryptographic Message Syntax (CMS)", RFC 3278, April | |||

skipping to change at page 8, line 35 | skipping to change at page 8, line 35 | |||

[RFC3874] Housley, R., "A 224-bit One Way Hash Function: SHA-224", | [RFC3874] Housley, R., "A 224-bit One Way Hash Function: SHA-224", | |||

RFC 3874. September 2004. | RFC 3874. September 2004. | |||

[RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional | [RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional | |||

Algorithms and Identifiers for RSA Cryptography for use | Algorithms and Identifiers for RSA Cryptography for use | |||

in the Internet Public Key Infrastructure Certificate and | in the Internet Public Key Infrastructure Certificate and | |||

Certificate Revocation List (CRL) Profile", RFC 4055. | Certificate Revocation List (CRL) Profile", RFC 4055. | |||

June 2005. | June 2005. | |||

[SHS] National Institute of Standards and Technology (NIST), | [SHS] National Institute of Standards and Technology (NIST), | |||

FIPS Publication 180-3: Secure Hash Standard, June 2007. | FIPS Publication 180-2: Secure Hash Standard, 2002. | |||

[X9.62] X9.62-2005, "Public Key Cryptography for the Financial | [X9.62] X9.62-2005, "Public Key Cryptography for the Financial | |||

Services Industry: The Elliptic Curve Digital Signature | Services Industry: The Elliptic Curve Digital Signature | |||

Standard (ECDSA)", November, 2005. | Standard (ECDSA)", November, 2005. | |||

6.2. Informative References | 6.2. Informative References | |||

[RFC4231] Nystrom, A. "Identifiers and Test Vectors for HMAC-SHA- | [RFC4231] Nystrom, A. "Identifiers and Test Vectors for HMAC-SHA- | |||

224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", | 224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", | |||

RFC4231. December 2005. | RFC4231. December 2005. | |||

End of changes. 17 change blocks. | ||||

39 lines changed or deleted | | 32 lines changed or added | ||

This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |