rfc9688.original | rfc9688.txt | |||
---|---|---|---|---|
Network Working Group R. Housley | Internet Engineering Task Force (IETF) R. Housley | |||
Internet-Draft Vigil Security | Request for Comments: 9688 Vigil Security | |||
Intended status: Standards Track 16 May 2024 | Category: Standards Track November 2024 | |||
Expires: 17 November 2024 | ISSN: 2070-1721 | |||
Use of the SHA3 One-way Hash Functions in the Cryptographic Message | Use of the SHA3 One-Way Hash Functions in the Cryptographic Message | |||
Syntax (CMS) | Syntax (CMS) | |||
draft-ietf-lamps-cms-sha3-hash-04 | ||||
Abstract | Abstract | |||
This document describes the conventions for using the one-way hash | This document describes the conventions for using the one-way hash | |||
functions in the SHA3 family with the Cryptographic Message Syntax | functions in the SHA3 family with the Cryptographic Message Syntax | |||
(CMS). The SHA3 family can be used as a message digest algorithm, as | (CMS). The SHA3 family can be used as a message digest algorithm, as | |||
part of a signature algorithm, as part of a message authentication | part of a signature algorithm, as part of a message authentication | |||
code, or part of a key derivation function. | code, or as part of a Key Derivation Function (KDF). | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 17 November 2024. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9688. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
in the Revised BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
1.1. ASN.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1.1. ASN.1 | |||
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Terminology | |||
2. Message Digest Algorithms . . . . . . . . . . . . . . . . . . 3 | 2. Message Digest Algorithms | |||
3. Signature Algorithms . . . . . . . . . . . . . . . . . . . . 4 | 3. Signature Algorithms | |||
3.1. RSASSA PKCS#1 v1.5 with SHA3 . . . . . . . . . . . . . . 4 | 3.1. RSASSA PKCS#1 v1.5 with SHA3 | |||
3.2. ECDSA with SHA3 . . . . . . . . . . . . . . . . . . . . . 5 | 3.2. ECDSA with SHA3 | |||
4. Message Authentication Codes using HMAC and SHA3 . . . . . . 6 | 4. Message Authentication Codes Using HMAC and SHA3 | |||
5. Key Derivation Functions . . . . . . . . . . . . . . . . . . 6 | 5. Key Derivation Functions | |||
5.1. HKDF with SHA3 . . . . . . . . . . . . . . . . . . . . . 6 | 5.1. HKDF with SHA3 | |||
5.2. KMAC128-KDF and KMAC256-KDF . . . . . . . . . . . . . . . 7 | 5.2. KMAC128-KDF and KMAC256-KDF | |||
5.3. KDF2 and KDF3 with SHA3 . . . . . . . . . . . . . . . . . 8 | 5.3. KDF2 and KDF3 with SHA3 | |||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations | |||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 7. IANA Considerations | |||
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 10 | 8. References | |||
References . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 8.1. Normative References | |||
Normative References . . . . . . . . . . . . . . . . . . . . . 10 | 8.2. Informative References | |||
Informative References . . . . . . . . . . . . . . . . . . . . 12 | Appendix A. ASN.1 Module | |||
Appendix. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 13 | Acknowledgements | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 20 | Author's Address | |||
1. Introduction | 1. Introduction | |||
The Cryptographic Message Syntax (CMS) [RFC5652] is used to digitally | The Cryptographic Message Syntax (CMS) [RFC5652] is used to digitally | |||
sign, digest, authenticate, or encrypt arbitrary message contents. | sign, digest, authenticate, or encrypt arbitrary message contents. | |||
This specification describes the use of the four one-way hash | This specification describes the use of the four one-way hash | |||
functions in the SHA3 family (SHA3-224, SHA3-256, SHA3-384, and | functions in the SHA3 family (SHA3-224, SHA3-256, SHA3-384, and | |||
SHA3-512) [SHA3] with the CMS. In addition, this specification | SHA3-512) [SHA3] with the CMS. In addition, this specification | |||
describes the use of these four one-way hash functions with the | describes the use of these four one-way hash functions with the | |||
RSASSA PKCS#1 version 1.5 signature algorithm [RFC8017] and the | RSASSA PKCS#1 version 1.5 signature algorithm [RFC8017] and the | |||
Elliptic Curve Digital Signature Algorithm (ECDSA) [DSS] with the CMS | Elliptic Curve Digital Signature Algorithm (ECDSA) [DSS] with the CMS | |||
signed-data content type. | signed-data content type. | |||
This document should not be confused with RFC 8702 [RFC8702], which | This document should not be confused with [RFC8702], which defines | |||
defines conventions for using the the SHAKE family of SHA3-based | conventions for using the SHAKE family of SHA3-based extensible | |||
extensible output functions with the CMS. | output functions with the CMS. | |||
1.1. ASN.1 | 1.1. ASN.1 | |||
CMS values are generated using ASN.1 [X.680], using the Basic | CMS values are generated with ASN.1 [X.680], using the Basic Encoding | |||
Encoding Rules (BER) and the Distinguished Encoding Rules (DER) | Rules (BER) and the Distinguished Encoding Rules (DER) [X.690]. | |||
[X.690]. | ||||
1.2. Terminology | 1.2. Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
2. Message Digest Algorithms | 2. Message Digest Algorithms | |||
skipping to change at page 3, line 45 ¶ | skipping to change at line 131 ¶ | |||
id-sha3-224 OBJECT IDENTIFIER ::= { hashAlgs 7 } | id-sha3-224 OBJECT IDENTIFIER ::= { hashAlgs 7 } | |||
id-sha3-256 OBJECT IDENTIFIER ::= { hashAlgs 8 } | id-sha3-256 OBJECT IDENTIFIER ::= { hashAlgs 8 } | |||
id-sha3-384 OBJECT IDENTIFIER ::= { hashAlgs 9 } | id-sha3-384 OBJECT IDENTIFIER ::= { hashAlgs 9 } | |||
id-sha3-512 OBJECT IDENTIFIER ::= { hashAlgs 10 } | id-sha3-512 OBJECT IDENTIFIER ::= { hashAlgs 10 } | |||
When using the id-sha3-224, id-sha3-s256, id-sha3-384, or id-sha3-512 | When using the id-sha3-224, id-sha3-s256, id-sha3-384, or id-sha3-512 | |||
algorithm identifiers, the parameters field MUST be absent; not NULL | algorithm identifiers, the parameters field MUST be absent, not NULL | |||
but absent. | but absent. | |||
3. Signature Algorithms | 3. Signature Algorithms | |||
This section specifies the conventions employed by CMS | This section specifies the conventions employed by CMS | |||
implementations that support the four SHA3 one-way hash functions | implementations that support the four SHA3 one-way hash functions | |||
with the RSASSA PKCS#1 version 1.5 signature algorithm [RFC8017] and | with the RSASSA PKCS#1 v1.5 signature algorithm [RFC8017] and the | |||
the Elliptic Curve Digital Signature Algorithm (ECDSA) [DSS] with the | ECDSA [DSS] with the CMS signed-data content type. | |||
CMS signed-data content type. | ||||
Signature algorithm identifiers are located in the SignerInfo | Signature algorithm identifiers are located in the SignerInfo | |||
signatureAlgorithm field of SignedData. Also, signature algorithm | signatureAlgorithm field of SignedData. Also, signature algorithm | |||
identifiers are located in the SignerInfo signatureAlgorithm field of | identifiers are located in the SignerInfo signatureAlgorithm field of | |||
countersignature attributes. | countersignature attributes. | |||
Signature values are located in the SignerInfo signature field of | Signature values are located in the SignerInfo signature field of | |||
SignedData. Also, signature values are located in the SignerInfo | SignedData. Also, signature values are located in the SignerInfo | |||
signature field of countersignature attributes. | signature field of countersignature attributes. | |||
skipping to change at page 4, line 50 ¶ | skipping to change at line 178 ¶ | |||
The algorithm identifier for RSASSA PKCS#1 v1.5 subject public keys | The algorithm identifier for RSASSA PKCS#1 v1.5 subject public keys | |||
in certificates is specified in [RFC3279], and it is repeated here | in certificates is specified in [RFC3279], and it is repeated here | |||
for convenience: | for convenience: | |||
rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) | rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) | |||
us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 } | us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 } | |||
When the rsaEncryption, id-rsassa-pkcs1-v1-5-with-sha3-224, id- | When the rsaEncryption, id-rsassa-pkcs1-v1-5-with-sha3-224, id- | |||
rsassa-pkcs1-v1-5-with-sha3-256, id-rsassa-pkcs1-v1-5-with-sha3-384, | rsassa-pkcs1-v1-5-with-sha3-256, id-rsassa-pkcs1-v1-5-with-sha3-384, | |||
and id-rsassa-pkcs1-v1-5-with-sha3-512 algorithm identifier is used, | and id-rsassa-pkcs1-v1-5-with-sha3-512 algorithm identifiers are | |||
AlgorithmIdentifier parameters field MUST contain NULL. | used, the AlgorithmIdentifier parameters field MUST contain NULL. | |||
When the rsaEncryption algorithm identifier is used, the RSA public | When the rsaEncryption algorithm identifier is used, the RSA public | |||
key, which is composed of a modulus and a public exponent, MUST be | key, which is composed of a modulus and a public exponent, MUST be | |||
encoded using the RSAPublicKey type as specified in [RFC3279]. The | encoded using the RSAPublicKey type as specified in [RFC3279]. The | |||
output of this encoding is carried in the certificate subject public | output of this encoding is carried in the certificate subject public | |||
key. The definition of RSAPublicKey is repeated here for | key. The definition of RSAPublicKey is repeated here for | |||
convenience: | convenience: | |||
RSAPublicKey ::= SEQUENCE { | RSAPublicKey ::= SEQUENCE { | |||
modulus INTEGER, -- n | modulus INTEGER, -- n | |||
publicExponent INTEGER } -- e | publicExponent INTEGER } -- e | |||
When signing, the RSASSA PKCS#1 v1.5 signature algorithm generates a | When signing, the RSASSA PKCS#1 v1.5 signature algorithm generates a | |||
single value, and that value is used directly as the signature value. | single value. That value is used directly as the signature value. | |||
3.2. ECDSA with SHA3 | 3.2. ECDSA with SHA3 | |||
The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | The ECDSA is defined in [DSS]. When the ECDSA is used in conjunction | |||
[DSS]. When ECDSA is used in conjunction with one of the SHA3 one- | with one of the SHA3 one-way hash functions, the object identifiers | |||
way hash functions, the object identifiers are: | are: | |||
sigAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | sigAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | |||
us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 3 } | us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 3 } | |||
id-ecdsa-with-sha3-224 OBJECT IDENTIFIER ::= { sigAlgs 9 } | id-ecdsa-with-sha3-224 OBJECT IDENTIFIER ::= { sigAlgs 9 } | |||
id-ecdsa-with-sha3-256 OBJECT IDENTIFIER ::= { sigAlgs 10 } | id-ecdsa-with-sha3-256 OBJECT IDENTIFIER ::= { sigAlgs 10 } | |||
id-ecdsa-with-sha3-384 OBJECT IDENTIFIER ::= { sigAlgs 11 } | id-ecdsa-with-sha3-384 OBJECT IDENTIFIER ::= { sigAlgs 11 } | |||
id-ecdsa-with-sha3-512 OBJECT IDENTIFIER ::= { sigAlgs 12 } | id-ecdsa-with-sha3-512 OBJECT IDENTIFIER ::= { sigAlgs 12 } | |||
When using the id-ecdsa-with-sha3-224, id-ecdsa-with-sha3-256, id- | When the id-sha3-224, id-sha3-s256, id-sha3-384, or id-sha3-512 | |||
ecdsa-with-sha3-384, and id-ecdsa-with-sha3-512 algorithm | algorithm identifier is used, the parameters field MUST be absent, | |||
identifiers, the parameters field MUST be absent; not NULL but | not NULL but absent. | |||
absent. | ||||
The conventions for ECDSA public keys is as specified in [RFC5480]. | When the id-ecdsa-with-sha3-224, id-ecdsa-with-sha3-256, id- ecdsa- | |||
with-sha3-384, and id-ecdsa-with-sha3-512 algorithm identifiers are | ||||
used, the parameters field MUST be absent, not NULL but absent. | ||||
The conventions for ECDSA public keys are as specified in [RFC5480]. | ||||
The ECParameters associated with the ECDSA public key in the signers | The ECParameters associated with the ECDSA public key in the signers | |||
certificate SHALL apply to the verification of the signature. | certificate SHALL apply to the verification of the signature. | |||
When signing, the ECDSA algorithm generates two values. These values | When signing, the ECDSA algorithm generates two values. These values | |||
are commonly referred to as r and s. To easily transfer these two | are commonly referred to as r and s. To easily transfer these two | |||
values as one signature, they MUST be ASN.1 encoded using the ECDSA- | values as one signature, they MUST be ASN.1 encoded using the ECDSA- | |||
Sig-Value defined in [RFC3279] and repeated here for convenience: | Sig-Value defined in [RFC3279], which is repeated here for | |||
convenience: | ||||
ECDSA-Sig-Value ::= SEQUENCE { | ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s | |||
r INTEGER, | INTEGER } | |||
s INTEGER } | ||||
4. Message Authentication Codes using HMAC and SHA3 | 4. Message Authentication Codes Using HMAC and SHA3 | |||
This section specifies the conventions employed by CMS | This section specifies the conventions employed by CMS | |||
implementations that support the HMAC [RFC2104] with SHA3 message | implementations that support the Hashed Message Authentication Code | |||
authentication code (MAC). | (HMAC) [RFC2104] with SHA3 message authentication code (MAC). | |||
MAC algorithm identifiers are located in the AuthenticatedData | MAC algorithm identifiers are located in the AuthenticatedData | |||
macAlgorithm field. | macAlgorithm field. | |||
MAC values are located in the AuthenticatedData mac field. | MAC values are located in the AuthenticatedData mac field. | |||
When HMAC is used in conjunction with one of the SHA3 one-way hash | When HMAC is used in conjunction with one of the SHA3 one-way hash | |||
functions, the object identifiers are: | functions, the object identifiers are: | |||
hashAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | hashAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | |||
skipping to change at page 6, line 31 ¶ | skipping to change at line 259 ¶ | |||
id-hmacWithSHA3-224 OBJECT IDENTIFIER ::= { hashAlgs 13 } | id-hmacWithSHA3-224 OBJECT IDENTIFIER ::= { hashAlgs 13 } | |||
id-hmacWithSHA3-256 OBJECT IDENTIFIER ::= { hashAlgs 14 } | id-hmacWithSHA3-256 OBJECT IDENTIFIER ::= { hashAlgs 14 } | |||
id-hmacWithSHA3-384 OBJECT IDENTIFIER ::= { hashAlgs 15 } | id-hmacWithSHA3-384 OBJECT IDENTIFIER ::= { hashAlgs 15 } | |||
id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { hashAlgs 16 } | id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { hashAlgs 16 } | |||
When the id-hmacWithSHA3-224, id-hmacWithSHA3-256, id- | When the id-hmacWithSHA3-224, id-hmacWithSHA3-256, id- | |||
hmacWithSHA3-384, and id-hmacWithSHA3-512 algorithm identifier is | hmacWithSHA3-384, and id-hmacWithSHA3-512 algorithm identifiers are | |||
used, the parameters field MUST be absent; not NULL but absent. | used, the parameters field MUST be absent, not NULL but absent. | |||
5. Key Derivation Functions | 5. Key Derivation Functions | |||
The CMS KEMRecipientInfo structure [I-D.ietf-lamps-cms-kemri] is one | The CMS KEMRecipientInfo structure [RFC9629] is one place where | |||
place where algorithm identifiers for key-derivation functions are | algorithm identifiers for key-derivation functions are needed. | |||
needed. | ||||
5.1. HKDF with SHA3 | 5.1. HKDF with SHA3 | |||
This section assigns four algorithm identifiers that can be employed | This section assigns four algorithm identifiers that can be employed | |||
by CMS implementations that support the HMAC-based Extract-and-Expand | by CMS implementations that support the HMAC-based Extract-and-Expand | |||
Key Derivation Function (HKDF) [RFC5869] with the SHA3 family of hash | Key Derivation Function (HKDF) [RFC5869] with the SHA3 family of hash | |||
functions. | functions. | |||
When HKDF is used in conjunction with one of the SHA3 one-way hash | When HKDF is used in conjunction with one of the SHA3 one-way hash | |||
functions, the object identifiers are: | functions, the object identifiers are: | |||
id-alg OBJECT IDENTIFIER ::= { iso(1) member-body(2) | id-alg OBJECT IDENTIFIER ::= { iso(1) member-body(2) | |||
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) 3 } | us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) 3 } | |||
id-alg-hkdf-with-sha3-224 OBJECT IDENTIFIER ::= { id-alg TBD1 } | id-alg-hkdf-with-sha3-224 OBJECT IDENTIFIER ::= { id-alg 32 } | |||
id-alg-hkdf-with-sha3-256 OBJECT IDENTIFIER ::= { id-alg TBD2 } | id-alg-hkdf-with-sha3-256 OBJECT IDENTIFIER ::= { id-alg 33 } | |||
id-alg-hkdf-with-sha3-384 OBJECT IDENTIFIER ::= { id-alg TBD3 } | id-alg-hkdf-with-sha3-384 OBJECT IDENTIFIER ::= { id-alg 34 } | |||
id-alg-hkdf-with-sha3-512 OBJECT IDENTIFIER ::= { id-alg TBD4 } | id-alg-hkdf-with-sha3-512 OBJECT IDENTIFIER ::= { id-alg 35 } | |||
When id-alg-hkdf-with-sha3-224, id-alg-hkdf-with-sha3-256, id-alg- | When id-alg-hkdf-with-sha3-224, id-alg-hkdf-with-sha3-256, id-alg- | |||
hkdf-with-sha3-384, or id-alg-hkdf-with-sha3-512 is used in an | hkdf-with-sha3-384, or id-alg-hkdf-with-sha3-512 is used in an | |||
algorithm identifier, the parameters field MUST be absent; not NULL | algorithm identifier, the parameters field MUST be absent, not NULL | |||
but absent. | but absent. | |||
5.2. KMAC128-KDF and KMAC256-KDF | 5.2. KMAC128-KDF and KMAC256-KDF | |||
This section specifies the conventions employed by CMS | This section specifies the conventions employed by CMS | |||
implementations that employ either the KMAC128 or KMAC256 as a key | implementations that employ either KMAC128 or KMAC256 as KDFs as | |||
derivation function as defined in Section 4.4 of | defined in Section 4.4 of [NIST.SP.800-108r1-upd1]. | |||
[NIST.SP.800-108r1-upd1]. | ||||
KMAC128 and KMAC256 are specified in [NIST.SP.800-185]. The use of | KMAC128 and KMAC256 are specified in [NIST.SP.800-185]. The use of | |||
KMAC128 and KMAC256 as a key derivation function are defined as: | KMAC128 and KMAC256 as KDFs are defined as follows: | |||
KMAC128-KDF is KMAC128(K, X, L, S). | KMAC128-KDF is KMAC128(K, X, L, S). | |||
KMAC256-KDF is KMAC256(K, X, L, S). | KMAC256-KDF is KMAC256(K, X, L, S). | |||
The parameters to the KMAC128 and KMAC256 functions are: | The parameters to the KMAC128 and KMAC256 functions are: | |||
K the input key-derivation key. The length of K MUST be less | K The input key-derivation key. The length of K MUST be less than | |||
than 2^2040. | 2^2040. | |||
X the context, which contains the ASN.1 DER encoding of | X The context, which contains the ASN.1 DER encoding of | |||
CMSORIforKEMOtherInfo when the KDF is used with | CMSORIforKEMOtherInfo when the KDF is used with [RFC9629]. | |||
[I-D.ietf-lamps-cms-kemri]. | ||||
L the output length, in bits. L MUST be greater than or equal to | L The output length in bits. L MUST be greater than or equal to 0 | |||
0, and L MUST be less than 2^2040. | and MUST be less than 2^2040. | |||
S the optional customization label, such as "KDF" (0x4B4446). | S The optional customization label, such as "KDF" (0x4B4446). The | |||
The length of S MUST be less than 2^2040. | length of S MUST be less than 2^2040. | |||
The K parameter is known to all authorized parties; it is often the | The K parameter is known to all authorized parties; it is often the | |||
output of a KEM Decap() operation. The X parameter is assembled from | output of a KEM Decap() operation. The X parameter is assembled from | |||
data that is transmitted by the originator. The L parameter is | data that is transmitted by the originator. The L parameter is | |||
determined by the size of the output keying material. The S | determined by the size of the output keying material. The S | |||
parameter is optional, and if it is provided by the originator, it is | parameter is optional, and if it is provided by the originator, it is | |||
passed in the parameters field of the KDF algorithm identifier. | passed in the parameters field of the KDF algorithm identifier. | |||
When KMAC128-KDF or KMAC256-KDF is used, the object identifiers are: | When KMAC128-KDF or KMAC256-KDF is used, the object identifiers are: | |||
hashAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | hashAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | |||
us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 2 } | us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 2 } | |||
id-kmac128 OBJECT IDENTIFIER ::= { hashAlgs 21 } | id-kmac128 OBJECT IDENTIFIER ::= { hashAlgs 21 } | |||
id-kmac256 OBJECT IDENTIFIER ::= { hashAlgs 22 } | id-kmac256 OBJECT IDENTIFIER ::= { hashAlgs 22 } | |||
When the id-kmac128 or id-kmac256 is used as part of an algorithm | When id-kmac128 or id-kmac256 is used as part of an algorithm | |||
identifier, the parameters field MUST be absent when there is no | identifier, the parameters field MUST be absent when there is no | |||
customization label S. If any value is provided for S, then the | customization label (S). If any value is provided for S, then the | |||
parameters field MUST be present and contain the value of S, encoded | parameters field MUST be present and contain the value of S, encoded | |||
as Customization. | as Customization. | |||
Customization ::= OCTET STRING | Customization ::= OCTET STRING | |||
5.3. KDF2 and KDF3 with SHA3 | 5.3. KDF2 and KDF3 with SHA3 | |||
This section specifies the conventions employed by CMS | This section specifies the conventions employed by CMS | |||
implementations that employ either the KDF2 or KDF3 functions defined | implementations that employ either the KDF2 or KDF3 functions defined | |||
in [ANS-X9.44]. The CMS KEMRecipientInfo structure | in [ANS-X9.44-2007]. The CMS KEMRecipientInfo structure [RFC9629] is | |||
[I-D.ietf-lamps-cms-kemri] is one place where algorithm identifiers | one place where algorithm identifiers for key-derivation functions | |||
for key-derivation functions are needed. | are needed. | |||
The key-derivation function algorithm identifier is an object | The key-derivation function algorithm identifier is an object | |||
identifier and optional parameters. When KDF2 and KDF3 are used, | identifier and optional parameters. When KDF2 and KDF3 are used, | |||
they are identified by the id-kdf-kdf2 and id-kdf-kdf3 object | they are identified by the id-kdf-kdf2 and id-kdf-kdf3 object | |||
identifiers, respectively. The key-derivation function algorithm | identifiers, respectively. The key-derivation function algorithm | |||
identifier parameters carry a message digest algorithm identifier, | identifier parameters carry a message digest algorithm identifier, | |||
which indicates the hash function that is being employed. To support | which indicates the hash function that is being employed. To support | |||
SHA3, the key-derivation function algorithm identifier parameters | SHA3, the key-derivation function algorithm identifier parameters | |||
contain an algorithm identifier from Section 2. | contain an algorithm identifier from Section 2. | |||
skipping to change at page 9, line 18 ¶ | skipping to change at line 383 ¶ | |||
the signer's private key permits masquerade. | the signer's private key permits masquerade. | |||
Implementations must protect the key-derivation key. Compromise of | Implementations must protect the key-derivation key. Compromise of | |||
the key-derivation key permits others to derive the derived keying | the key-derivation key permits others to derive the derived keying | |||
material, which would result in loss of confidentiality, integrity, | material, which would result in loss of confidentiality, integrity, | |||
or authentication, depending on the use of the derived keying | or authentication, depending on the use of the derived keying | |||
material. | material. | |||
When more than two parties share the same message-authentication key, | When more than two parties share the same message-authentication key, | |||
data origin authentication is not assured. Any party that knows the | data origin authentication is not assured. Any party that knows the | |||
message-authentication key can compute a valid MAC, therefore the | message-authentication key can compute a valid MAC; therefore, the | |||
content could originate from any one of the parties. | content could originate from any one of the parties. | |||
Implementations must randomly generate message-authentication keys | Implementations must randomly generate message-authentication keys | |||
and one-time values, such as the k value when generating a ECDSA | and one-time values, such as the a per-message secret number (called | |||
signature. In addition, the generation of public/private key pairs | the k value) when generating a ECDSA signature. In addition, the | |||
relies on a random numbers. The use of inadequate pseudo-random | generation of public/private key pairs relies on a random numbers. | |||
number generators (PRNGs) to generate cryptographic values can result | The use of inadequate pseudorandom number generators (PRNGs) to | |||
in little or no security. Instead of brute force searching the whole | generate cryptographic values can result in little or no security. | |||
key space, an attacker may find it much easier to reproduce the PRNG | Instead of brute-force searching the whole key space, an attacker may | |||
environment that produced the keys, and then search the resulting | find it much easier to reproduce the PRNG environment that produced | |||
small set of possibilities. The generation of quality random numbers | the keys and then search the resulting small set of possibilities. | |||
is difficult. RFC 4086 [RFC4086] offers important guidance in this | The generation of quality random numbers is difficult. [RFC4086] | |||
area, and Appendix 3 of FIPS Pub 186-4 [DSS] provides some PRNG | offers important guidance in this area, and Appendix 3 of FIPS PUB | |||
techniques. | 186-4 [DSS] provides some PRNG techniques. | |||
Implementers should be aware that cryptographic algorithms become | Implementers should be aware that cryptographic algorithms become | |||
weaker with time. As new cryptanalysis techniques are developed and | weaker with time. As new cryptanalysis techniques are developed and | |||
computing performance improves, the work factor to break a particular | computing performance improves, the work factor to break a particular | |||
cryptographic algorithm will reduce. Therefore, cryptographic | cryptographic algorithm will reduce. Therefore, cryptographic | |||
algorithm implementations should be modular allowing new algorithms | algorithm implementations should be modular, allowing new algorithms | |||
to be readily inserted. That is, implementers should be prepared to | to be readily inserted. That is, implementers should be prepared to | |||
regularly update the set of algorithms in their implementations. | regularly update the set of algorithms in their implementations. | |||
7. IANA Considerations | 7. IANA Considerations | |||
IANA is asked to assign one object identifier for the ASN.1 module in | IANA has assigned one object identifier for the ASN.1 module in | |||
Appendix "Appendix. ASN.1 Module" in the "SMI Security for S/MIME | Appendix A in the "SMI Security for S/MIME Module Identifiers | |||
Module Identifiers (1.2.840.113549.1.9.16.0)" registry [IANA-MOD]: | (1.2.840.113549.1.9.16.0)" registry [IANA-MOD]: | |||
id-mod-sha3-oids-2023 OBJECT IDENTIFIER ::= { | id-mod-sha3-oids-2023 OBJECT IDENTIFIER ::= { | |||
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) | iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) | |||
pkcs-9(9) smime(16) mod(0) TBD0 } | pkcs-9(9) smime(16) mod(0) 78 } | |||
IANA is asked to assign four object identifiers for the HKDF using | IANA has assigned four object identifiers for the HKDF using SHA3 | |||
SHA3 algorithm identifiers in the "SMI Security for S/MIME Algorithms | algorithm identifiers in the "SMI Security for S/MIME Algorithms | |||
(1.2.840.113549.1.9.16.3)" registry [IANA-ALG]: | (1.2.840.113549.1.9.16.3)" registry [IANA-ALG]: | |||
id-alg-hkdf-with-sha3-224 OBJECT IDENTIFIER ::= { id-alg TBD1 } | id-alg-hkdf-with-sha3-224 OBJECT IDENTIFIER ::= { id-alg 32 } | |||
id-alg-hkdf-with-sha3-256 OBJECT IDENTIFIER ::= { id-alg TBD2 } | ||||
id-alg-hkdf-with-sha3-384 OBJECT IDENTIFIER ::= { id-alg TBD3 } | ||||
id-alg-hkdf-with-sha3-512 OBJECT IDENTIFIER ::= { id-alg TBD4 } | ||||
Acknowledgements | id-alg-hkdf-with-sha3-256 OBJECT IDENTIFIER ::= { id-alg 33 } | |||
Thanks to Daniel Van Geest and Sean Turner for their careful review | id-alg-hkdf-with-sha3-384 OBJECT IDENTIFIER ::= { id-alg 34 } | |||
and thoughtful comments. | ||||
Thanks to Sara Kerman, Quynh Dang, and David Cooper for getting the | id-alg-hkdf-with-sha3-512 OBJECT IDENTIFIER ::= { id-alg 35 } | |||
object identifiers assigned for KMAC128 and KMAC256. | ||||
References | 8. References | |||
Normative References | 8.1. Normative References | |||
[ANS-X9.44] | [ANS-X9.44-2007] | |||
American National Standards Institute, "Public Key | American National Standards Institute, "Public Key | |||
Cryptography for the Financial Services Industry -- Key | Cryptography for the Financial Services Industry -- Key | |||
Establishment Using Integer Factorization Cryptography", | Establishment Using Integer Factorization Cryptography", | |||
American National Standard X9.44, 2007. | ANSI X9.44-2007 (R2017), 2017, | |||
<https://webstore.ansi.org/standards/ascx9/ | ||||
ansix9442007r2017>. | ||||
[DSS] National Institute of Standards and Technology, "Digital | [DSS] National Institute of Standards and Technology, "Digital | |||
Signature Standard (DSS)", FIPS PUB 186-5, | Signature Standard (DSS)", FIPS PUB 186-5, | |||
DOI 10.6028/NIST.FIPS.186-5, 3 February 2023, | DOI 10.6028/NIST.FIPS.186-5, 3 February 2023, | |||
<https://nvlpubs.nist.gov/nistpubs/FIPS/ | <https://nvlpubs.nist.gov/nistpubs/FIPS/ | |||
NIST.FIPS.186-5.pdf>. | NIST.FIPS.186-5.pdf>. | |||
[NIST.SP.800-108r1-upd1] | [NIST.SP.800-108r1-upd1] | |||
National Institute of Standards and Technology, | Chen, L., "Recommendation for Key Derivation Using | |||
"Recommendation for key derivation using pseudorandom | Pseudorandom Functions", NIST SP 800-108r1-upd1, | |||
functions", DOI 10.6028/NIST.SP.800-108r1-upd1, 2 February | DOI 10.6028/NIST.SP.800-108r1-upd1, 2 February 2024, | |||
2024, | ||||
<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | |||
NIST.SP.800-108r1-upd1.pdf>. | NIST.SP.800-108r1-upd1.pdf>. | |||
[NIST.SP.800-185] | [NIST.SP.800-185] | |||
National Institute of Standards and Technology, "SHA-3 | Kelsey, J., Chang, S., and R. Perlner, "SHA-3 Derived | |||
Derived Functions: cSHAKE, KMAC, TupleHash and | Functions: cSHAKE, KMAC, TupleHash and ParallelHash", NIST | |||
ParallelHash", NIST Special Publication 800-185, | SP 800-185, DOI 10.6028/NIST.SP.800-185, December 2016, | |||
DOI 10.6028/NIST.SP.800-185, December 2016, | ||||
<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | |||
NIST.SP.800-185.pdf>. | NIST.SP.800-185.pdf>. | |||
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | |||
Hashing for Message Authentication", RFC 2104, | Hashing for Message Authentication", RFC 2104, | |||
DOI 10.17487/RFC2104, February 1997, | DOI 10.17487/RFC2104, February 1997, | |||
<https://www.rfc-editor.org/rfc/rfc2104>. | <https://www.rfc-editor.org/info/rfc2104>. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/rfc/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | |||
Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||
Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
(CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | |||
2002, <https://www.rfc-editor.org/rfc/rfc3279>. | 2002, <https://www.rfc-editor.org/info/rfc3279>. | |||
[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | |||
"Elliptic Curve Cryptography Subject Public Key | "Elliptic Curve Cryptography Subject Public Key | |||
Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, | Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, | |||
<https://www.rfc-editor.org/rfc/rfc5480>. | <https://www.rfc-editor.org/info/rfc5480>. | |||
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | |||
RFC 5652, DOI 10.17487/RFC5652, September 2009, | RFC 5652, DOI 10.17487/RFC5652, September 2009, | |||
<https://www.rfc-editor.org/rfc/rfc5652>. | <https://www.rfc-editor.org/info/rfc5652>. | |||
[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand | [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand | |||
Key Derivation Function (HKDF)", RFC 5869, | Key Derivation Function (HKDF)", RFC 5869, | |||
DOI 10.17487/RFC5869, May 2010, | DOI 10.17487/RFC5869, May 2010, | |||
<https://www.rfc-editor.org/rfc/rfc5869>. | <https://www.rfc-editor.org/info/rfc5869>. | |||
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the | [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the | |||
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, | Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, | |||
DOI 10.17487/RFC5912, June 2010, | DOI 10.17487/RFC5912, June 2010, | |||
<https://www.rfc-editor.org/rfc/rfc5912>. | <https://www.rfc-editor.org/info/rfc5912>. | |||
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | |||
"PKCS #1: RSA Cryptography Specifications Version 2.2", | "PKCS #1: RSA Cryptography Specifications Version 2.2", | |||
RFC 8017, DOI 10.17487/RFC8017, November 2016, | RFC 8017, DOI 10.17487/RFC8017, November 2016, | |||
<https://www.rfc-editor.org/rfc/rfc8017>. | <https://www.rfc-editor.org/info/rfc8017>. | |||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[SHA3] National Institute of Standards and Technology, "SHA-3 | [SHA3] National Institute of Standards and Technology, "SHA-3 | |||
Standard: Permutation-Based Hash and Extendable-Output | Standard: Permutation-Based Hash and Extendable-Output | |||
Functions", FIPS PUB 202, August 2015, | Functions", NIST FIPS 202, DOI 10.6028/NIST.FIPS.202, | |||
August 2015, | ||||
<http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf>. | <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf>. | |||
[X.680] ITU-T, "Information technology -- Abstract Syntax Notation | [X.680] ITU-T, "Information technology - Abstract Syntax Notation | |||
One (ASN.1): Specification of basic notation", ITU-T | One (ASN.1): Specification of basic notation", ITU-T | |||
Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, | Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, | |||
<https://www.itu.int/rec/T-REC-X.680>. | <https://www.itu.int/rec/T-REC-X.680-202102-I/en>. | |||
[X.690] ITU-T, "Information technology -- ASN.1 encoding rules: | [X.690] ITU-T, "Information technology - ASN.1 encoding rules: | |||
Specification of Basic Encoding Rules (BER), Canonical | Specification of Basic Encoding Rules (BER), Canonical | |||
Encoding Rules (CER) and Distinguished Encoding Rules | Encoding Rules (CER) and Distinguished Encoding Rules | |||
(DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021, | (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021, | |||
February 2021, <https://www.itu.int/rec/T-REC-X.680>. | February 2021, | |||
<https://www.itu.int/rec/T-REC-X.690-202102-I/en>. | ||||
Informative References | ||||
[I-D.ietf-lamps-cms-kemri] | 8.2. Informative References | |||
Housley, R., Gray, J., and T. Okubo, "Using Key | ||||
Encapsulation Mechanism (KEM) Algorithms in the | ||||
Cryptographic Message Syntax (CMS)", Work in Progress, | ||||
Internet-Draft, draft-ietf-lamps-cms-kemri-08, 6 February | ||||
2024, <https://datatracker.ietf.org/doc/html/draft-ietf- | ||||
lamps-cms-kemri-08>. | ||||
[IANA-ALG] IANA, "SMI Security for for S/MIME Algorithms | [IANA-ALG] IANA, "SMI Security for S/MIME Algorithms | |||
(1.2.840.113549.1.9.16.3)", n.d., | (1.2.840.113549.1.9.16.3)", | |||
<https://www.iana.org/assignments/smi-numbers/>. | <https://www.iana.org/assignments/smi-numbers/>. | |||
[IANA-MOD] IANA, "SMI Security for S/MIME Module Identifier | [IANA-MOD] IANA, "SMI Security for S/MIME Module Identifier | |||
(1.2.840.113549.1.9.16.0)", n.d., | (1.2.840.113549.1.9.16.0)", | |||
<https://www.iana.org/assignments/smi-numbers/>. | <https://www.iana.org/assignments/smi-numbers/>. | |||
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | |||
"Randomness Requirements for Security", BCP 106, RFC 4086, | "Randomness Requirements for Security", BCP 106, RFC 4086, | |||
DOI 10.17487/RFC4086, June 2005, | DOI 10.17487/RFC4086, June 2005, | |||
<https://www.rfc-editor.org/rfc/rfc4086>. | <https://www.rfc-editor.org/info/rfc4086>. | |||
[RFC8702] Kampanakis, P. and Q. Dang, "Use of the SHAKE One-Way Hash | [RFC8702] Kampanakis, P. and Q. Dang, "Use of the SHAKE One-Way Hash | |||
Functions in the Cryptographic Message Syntax (CMS)", | Functions in the Cryptographic Message Syntax (CMS)", | |||
RFC 8702, DOI 10.17487/RFC8702, January 2020, | RFC 8702, DOI 10.17487/RFC8702, January 2020, | |||
<https://www.rfc-editor.org/rfc/rfc8702>. | <https://www.rfc-editor.org/info/rfc8702>. | |||
Appendix. ASN.1 Module | [RFC9629] Housley, R., Gray, J., and T. Okubo, "Using Key | |||
Encapsulation Mechanism (KEM) Algorithms in the | ||||
Cryptographic Message Syntax (CMS)", RFC 9629, | ||||
DOI 10.17487/RFC9629, August 2024, | ||||
<https://www.rfc-editor.org/info/rfc9629>. | ||||
Appendix A. ASN.1 Module | ||||
This section contains the ASN.1 module for the algorithm identifiers | This section contains the ASN.1 module for the algorithm identifiers | |||
using SHA3 family of hash functions [SHA3]. This module imports | using the SHA3 family of hash functions [SHA3]. This module imports | |||
types from other ASN.1 modules that are defined in [RFC5912]. | types from other ASN.1 modules that are defined in [RFC5912]. | |||
<CODE BEGINS> | <CODE BEGINS> | |||
SHA3-OIDs-2023 | SHA3-OIDs-2023 | |||
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) | { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) | |||
smime(16) modules(0) id-mod-sha3-oids-2023(TBD0) } | smime(16) modules(0) id-mod-sha3-oids-2023(78) } | |||
DEFINITIONS IMPLICIT TAGS ::= | DEFINITIONS IMPLICIT TAGS ::= | |||
BEGIN | BEGIN | |||
EXPORTS ALL; | EXPORTS ALL; | |||
IMPORTS | IMPORTS | |||
AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, | AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, | |||
KEY-DERIVATION, MAC-ALGORITHM | KEY-DERIVATION, MAC-ALGORITHM | |||
skipping to change at page 18, line 16 ¶ | skipping to change at line 797 ¶ | |||
maca-hmacWithSHA3-224 | | maca-hmacWithSHA3-224 | | |||
maca-hmacWithSHA3-256 | | maca-hmacWithSHA3-256 | | |||
maca-hmacWithSHA3-384 | | maca-hmacWithSHA3-384 | | |||
maca-hmacWithSHA3-512, | maca-hmacWithSHA3-512, | |||
... } | ... } | |||
-- | -- | |||
-- Key Derivation Algorithms | -- Key Derivation Algorithms | |||
-- | -- | |||
id-alg-hkdf-with-sha3-224 OID ::= { id-alg TBD1 } | id-alg-hkdf-with-sha3-224 OID ::= { id-alg 32 } | |||
id-alg-hkdf-with-sha3-256 OID ::= { id-alg TBD2 } | id-alg-hkdf-with-sha3-256 OID ::= { id-alg 33 } | |||
id-alg-hkdf-with-sha3-384 OID ::= { id-alg TBD3 } | id-alg-hkdf-with-sha3-384 OID ::= { id-alg 34 } | |||
id-alg-hkdf-with-sha3-512 OID ::= { id-alg TBD4 } | id-alg-hkdf-with-sha3-512 OID ::= { id-alg 35 } | |||
id-kmac128 OID ::= { hashAlgs 21 } | id-kmac128 OID ::= { hashAlgs 21 } | |||
id-kmac256 OID ::= { hashAlgs 22 } | id-kmac256 OID ::= { hashAlgs 22 } | |||
id-kdf-kdf2 OID ::= { x9-44-components kdf2(1) } | id-kdf-kdf2 OID ::= { x9-44-components kdf2(1) } | |||
id-kdf-kdf3 OID ::= { x9-44-components kdf3(2) } | id-kdf-kdf3 OID ::= { x9-44-components kdf3(2) } | |||
kda-hkdf-with-sha3-224 KEY-DERIVATION ::= { | kda-hkdf-with-sha3-224 KEY-DERIVATION ::= { | |||
skipping to change at page 20, line 23 ¶ | skipping to change at line 900 ¶ | |||
kda-hkdf-with-sha3-512 | | kda-hkdf-with-sha3-512 | | |||
kda-kmac128 | | kda-kmac128 | | |||
kda-kmac256 | | kda-kmac256 | | |||
kda-kdf2 | | kda-kdf2 | | |||
kda-kdf3, | kda-kdf3, | |||
... } | ... } | |||
END | END | |||
<CODE ENDS> | <CODE ENDS> | |||
Acknowledgements | ||||
Thanks to Daniel Van Geest and Sean Turner for their careful review | ||||
and thoughtful comments. | ||||
Thanks to Sara Kerman, Quynh Dang, and David Cooper for getting the | ||||
object identifiers assigned for KMAC128 and KMAC256. | ||||
Author's Address | Author's Address | |||
Russ Housley | Russ Housley | |||
Vigil Security, LLC | Vigil Security, LLC | |||
Herndon, VA | Herndon, VA | |||
United States of America | United States of America | |||
Email: housley@vigilsec.com | Email: housley@vigilsec.com | |||
End of changes. 81 change blocks. | ||||
180 lines changed or deleted | 175 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |