| rfc9688.original | rfc9688.txt | |||
|---|---|---|---|---|
| Network Working Group R. Housley | Internet Engineering Task Force (IETF) R. Housley | |||
| Internet-Draft Vigil Security | Request for Comments: 9688 Vigil Security | |||
| Intended status: Standards Track 16 May 2024 | Category: Standards Track November 2024 | |||
| Expires: 17 November 2024 | ISSN: 2070-1721 | |||
| Use of the SHA3 One-way Hash Functions in the Cryptographic Message | Use of the SHA3 One-Way Hash Functions in the Cryptographic Message | |||
| Syntax (CMS) | Syntax (CMS) | |||
| draft-ietf-lamps-cms-sha3-hash-04 | ||||
| Abstract | Abstract | |||
| This document describes the conventions for using the one-way hash | This document describes the conventions for using the one-way hash | |||
| functions in the SHA3 family with the Cryptographic Message Syntax | functions in the SHA3 family with the Cryptographic Message Syntax | |||
| (CMS). The SHA3 family can be used as a message digest algorithm, as | (CMS). The SHA3 family can be used as a message digest algorithm, as | |||
| part of a signature algorithm, as part of a message authentication | part of a signature algorithm, as part of a message authentication | |||
| code, or part of a key derivation function. | code, or as part of a Key Derivation Function (KDF). | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 17 November 2024. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9688. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
| 1.1. ASN.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1.1. ASN.1 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Terminology | |||
| 2. Message Digest Algorithms . . . . . . . . . . . . . . . . . . 3 | 2. Message Digest Algorithms | |||
| 3. Signature Algorithms . . . . . . . . . . . . . . . . . . . . 4 | 3. Signature Algorithms | |||
| 3.1. RSASSA PKCS#1 v1.5 with SHA3 . . . . . . . . . . . . . . 4 | 3.1. RSASSA PKCS#1 v1.5 with SHA3 | |||
| 3.2. ECDSA with SHA3 . . . . . . . . . . . . . . . . . . . . . 5 | 3.2. ECDSA with SHA3 | |||
| 4. Message Authentication Codes using HMAC and SHA3 . . . . . . 6 | 4. Message Authentication Codes Using HMAC and SHA3 | |||
| 5. Key Derivation Functions . . . . . . . . . . . . . . . . . . 6 | 5. Key Derivation Functions | |||
| 5.1. HKDF with SHA3 . . . . . . . . . . . . . . . . . . . . . 6 | 5.1. HKDF with SHA3 | |||
| 5.2. KMAC128-KDF and KMAC256-KDF . . . . . . . . . . . . . . . 7 | 5.2. KMAC128-KDF and KMAC256-KDF | |||
| 5.3. KDF2 and KDF3 with SHA3 . . . . . . . . . . . . . . . . . 8 | 5.3. KDF2 and KDF3 with SHA3 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 7. IANA Considerations | |||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 10 | 8. References | |||
| References . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 8.1. Normative References | |||
| Normative References . . . . . . . . . . . . . . . . . . . . . 10 | 8.2. Informative References | |||
| Informative References . . . . . . . . . . . . . . . . . . . . 12 | Appendix A. ASN.1 Module | |||
| Appendix. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 13 | Acknowledgements | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 20 | Author's Address | |||
| 1. Introduction | 1. Introduction | |||
| The Cryptographic Message Syntax (CMS) [RFC5652] is used to digitally | The Cryptographic Message Syntax (CMS) [RFC5652] is used to digitally | |||
| sign, digest, authenticate, or encrypt arbitrary message contents. | sign, digest, authenticate, or encrypt arbitrary message contents. | |||
| This specification describes the use of the four one-way hash | This specification describes the use of the four one-way hash | |||
| functions in the SHA3 family (SHA3-224, SHA3-256, SHA3-384, and | functions in the SHA3 family (SHA3-224, SHA3-256, SHA3-384, and | |||
| SHA3-512) [SHA3] with the CMS. In addition, this specification | SHA3-512) [SHA3] with the CMS. In addition, this specification | |||
| describes the use of these four one-way hash functions with the | describes the use of these four one-way hash functions with the | |||
| RSASSA PKCS#1 version 1.5 signature algorithm [RFC8017] and the | RSASSA PKCS#1 version 1.5 signature algorithm [RFC8017] and the | |||
| Elliptic Curve Digital Signature Algorithm (ECDSA) [DSS] with the CMS | Elliptic Curve Digital Signature Algorithm (ECDSA) [DSS] with the CMS | |||
| signed-data content type. | signed-data content type. | |||
| This document should not be confused with RFC 8702 [RFC8702], which | This document should not be confused with [RFC8702], which defines | |||
| defines conventions for using the the SHAKE family of SHA3-based | conventions for using the SHAKE family of SHA3-based extensible | |||
| extensible output functions with the CMS. | output functions with the CMS. | |||
| 1.1. ASN.1 | 1.1. ASN.1 | |||
| CMS values are generated using ASN.1 [X.680], using the Basic | CMS values are generated using ASN.1 [X.680], using the Basic | |||
| Encoding Rules (BER) and the Distinguished Encoding Rules (DER) | Encoding Rules (BER) and the Distinguished Encoding Rules (DER) | |||
| [X.690]. | [X.690]. | |||
| 1.2. Terminology | 1.2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| skipping to change at page 3, line 45 ¶ | skipping to change at line 132 ¶ | |||
| id-sha3-224 OBJECT IDENTIFIER ::= { hashAlgs 7 } | id-sha3-224 OBJECT IDENTIFIER ::= { hashAlgs 7 } | |||
| id-sha3-256 OBJECT IDENTIFIER ::= { hashAlgs 8 } | id-sha3-256 OBJECT IDENTIFIER ::= { hashAlgs 8 } | |||
| id-sha3-384 OBJECT IDENTIFIER ::= { hashAlgs 9 } | id-sha3-384 OBJECT IDENTIFIER ::= { hashAlgs 9 } | |||
| id-sha3-512 OBJECT IDENTIFIER ::= { hashAlgs 10 } | id-sha3-512 OBJECT IDENTIFIER ::= { hashAlgs 10 } | |||
| When using the id-sha3-224, id-sha3-s256, id-sha3-384, or id-sha3-512 | When using the id-sha3-224, id-sha3-s256, id-sha3-384, or id-sha3-512 | |||
| algorithm identifiers, the parameters field MUST be absent; not NULL | algorithm identifiers, the parameters field MUST be absent, not NULL | |||
| but absent. | but absent. | |||
| 3. Signature Algorithms | 3. Signature Algorithms | |||
| This section specifies the conventions employed by CMS | This section specifies the conventions employed by CMS | |||
| implementations that support the four SHA3 one-way hash functions | implementations that support the four SHA3 one-way hash functions | |||
| with the RSASSA PKCS#1 version 1.5 signature algorithm [RFC8017] and | with the RSASSA PKCS#1 version 1.5 signature algorithm [RFC8017] and | |||
| the Elliptic Curve Digital Signature Algorithm (ECDSA) [DSS] with the | the ECDSA [DSS] with the CMS signed-data content type. | |||
| CMS signed-data content type. | ||||
| Signature algorithm identifiers are located in the SignerInfo | Signature algorithm identifiers are located in the SignerInfo | |||
| signatureAlgorithm field of SignedData. Also, signature algorithm | signatureAlgorithm field of SignedData. Also, signature algorithm | |||
| identifiers are located in the SignerInfo signatureAlgorithm field of | identifiers are located in the SignerInfo signatureAlgorithm field of | |||
| countersignature attributes. | countersignature attributes. | |||
| Signature values are located in the SignerInfo signature field of | Signature values are located in the SignerInfo signature field of | |||
| SignedData. Also, signature values are located in the SignerInfo | SignedData. Also, signature values are located in the SignerInfo | |||
| signature field of countersignature attributes. | signature field of countersignature attributes. | |||
| skipping to change at page 4, line 50 ¶ | skipping to change at line 179 ¶ | |||
| The algorithm identifier for RSASSA PKCS#1 v1.5 subject public keys | The algorithm identifier for RSASSA PKCS#1 v1.5 subject public keys | |||
| in certificates is specified in [RFC3279], and it is repeated here | in certificates is specified in [RFC3279], and it is repeated here | |||
| for convenience: | for convenience: | |||
| rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) | rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) | |||
| us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 } | us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 } | |||
| When the rsaEncryption, id-rsassa-pkcs1-v1-5-with-sha3-224, id- | When the rsaEncryption, id-rsassa-pkcs1-v1-5-with-sha3-224, id- | |||
| rsassa-pkcs1-v1-5-with-sha3-256, id-rsassa-pkcs1-v1-5-with-sha3-384, | rsassa-pkcs1-v1-5-with-sha3-256, id-rsassa-pkcs1-v1-5-with-sha3-384, | |||
| and id-rsassa-pkcs1-v1-5-with-sha3-512 algorithm identifier is used, | and id-rsassa-pkcs1-v1-5-with-sha3-512 algorithm identifiers are | |||
| AlgorithmIdentifier parameters field MUST contain NULL. | used, the AlgorithmIdentifier parameters field MUST contain NULL. | |||
| When the rsaEncryption algorithm identifier is used, the RSA public | When the rsaEncryption algorithm identifier is used, the RSA public | |||
| key, which is composed of a modulus and a public exponent, MUST be | key, which is composed of a modulus and a public exponent, MUST be | |||
| encoded using the RSAPublicKey type as specified in [RFC3279]. The | encoded using the RSAPublicKey type as specified in [RFC3279]. The | |||
| output of this encoding is carried in the certificate subject public | output of this encoding is carried in the certificate subject public | |||
| key. The definition of RSAPublicKey is repeated here for | key. The definition of RSAPublicKey is repeated here for | |||
| convenience: | convenience: | |||
| RSAPublicKey ::= SEQUENCE { | RSAPublicKey ::= SEQUENCE { | |||
| modulus INTEGER, -- n | modulus INTEGER, -- n | |||
| publicExponent INTEGER } -- e | publicExponent INTEGER } -- e | |||
| When signing, the RSASSA PKCS#1 v1.5 signature algorithm generates a | When signing, the RSASSA PKCS#1 v1.5 signature algorithm generates a | |||
| single value, and that value is used directly as the signature value. | single value. That value is used directly as the signature value. | |||
| 3.2. ECDSA with SHA3 | 3.2. ECDSA with SHA3 | |||
| The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in | The ECDSA is defined in [DSS]. When the ECDSA is used in conjunction | |||
| [DSS]. When ECDSA is used in conjunction with one of the SHA3 one- | with one of the SHA3 one-way hash functions, the object identifiers | |||
| way hash functions, the object identifiers are: | are: | |||
| sigAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | sigAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | |||
| us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 3 } | us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 3 } | |||
| id-ecdsa-with-sha3-224 OBJECT IDENTIFIER ::= { sigAlgs 9 } | id-ecdsa-with-sha3-224 OBJECT IDENTIFIER ::= { sigAlgs 9 } | |||
| id-ecdsa-with-sha3-256 OBJECT IDENTIFIER ::= { sigAlgs 10 } | id-ecdsa-with-sha3-256 OBJECT IDENTIFIER ::= { sigAlgs 10 } | |||
| id-ecdsa-with-sha3-384 OBJECT IDENTIFIER ::= { sigAlgs 11 } | id-ecdsa-with-sha3-384 OBJECT IDENTIFIER ::= { sigAlgs 11 } | |||
| id-ecdsa-with-sha3-512 OBJECT IDENTIFIER ::= { sigAlgs 12 } | id-ecdsa-with-sha3-512 OBJECT IDENTIFIER ::= { sigAlgs 12 } | |||
| When using the id-ecdsa-with-sha3-224, id-ecdsa-with-sha3-256, id- | When using the id-ecdsa-with-sha3-224, id-ecdsa-with-sha3-256, id- | |||
| ecdsa-with-sha3-384, and id-ecdsa-with-sha3-512 algorithm | ecdsa-with-sha3-384, and id-ecdsa-with-sha3-512 algorithm | |||
| identifiers, the parameters field MUST be absent; not NULL but | identifiers, the parameters field MUST be absent, not NULL but | |||
| absent. | absent. | |||
| The conventions for ECDSA public keys is as specified in [RFC5480]. | The conventions for ECDSA public keys are as specified in [RFC5480]. | |||
| The ECParameters associated with the ECDSA public key in the signers | The ECParameters associated with the ECDSA public key in the signers | |||
| certificate SHALL apply to the verification of the signature. | certificate SHALL apply to the verification of the signature. | |||
| When signing, the ECDSA algorithm generates two values. These values | When signing, the ECDSA algorithm generates two values. These values | |||
| are commonly referred to as r and s. To easily transfer these two | are commonly referred to as r and s. To easily transfer these two | |||
| values as one signature, they MUST be ASN.1 encoded using the ECDSA- | values as one signature, they MUST be ASN.1 encoded using the ECDSA- | |||
| Sig-Value defined in [RFC3279] and repeated here for convenience: | Sig-Value defined in [RFC3279], which is repeated here for | |||
| convenience: | ||||
| ECDSA-Sig-Value ::= SEQUENCE { | ECDSA-Sig-Value ::= SEQUENCE { | |||
| r INTEGER, | r INTEGER, | |||
| s INTEGER } | s INTEGER } | |||
| 4. Message Authentication Codes using HMAC and SHA3 | 4. Message Authentication Codes Using HMAC and SHA3 | |||
| This section specifies the conventions employed by CMS | This section specifies the conventions employed by CMS | |||
| implementations that support the HMAC [RFC2104] with SHA3 message | implementations that support the Hashed Message Authentication Code | |||
| authentication code (MAC). | (HMAC) [RFC2104] with SHA3 message authentication code (MAC). | |||
| MAC algorithm identifiers are located in the AuthenticatedData | MAC algorithm identifiers are located in the AuthenticatedData | |||
| macAlgorithm field. | macAlgorithm field. | |||
| MAC values are located in the AuthenticatedData mac field. | MAC values are located in the AuthenticatedData mac field. | |||
| When HMAC is used in conjunction with one of the SHA3 one-way hash | When HMAC is used in conjunction with one of the SHA3 one-way hash | |||
| functions, the object identifiers are: | functions, the object identifiers are: | |||
| hashAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | hashAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | |||
| skipping to change at page 6, line 31 ¶ | skipping to change at line 258 ¶ | |||
| id-hmacWithSHA3-224 OBJECT IDENTIFIER ::= { hashAlgs 13 } | id-hmacWithSHA3-224 OBJECT IDENTIFIER ::= { hashAlgs 13 } | |||
| id-hmacWithSHA3-256 OBJECT IDENTIFIER ::= { hashAlgs 14 } | id-hmacWithSHA3-256 OBJECT IDENTIFIER ::= { hashAlgs 14 } | |||
| id-hmacWithSHA3-384 OBJECT IDENTIFIER ::= { hashAlgs 15 } | id-hmacWithSHA3-384 OBJECT IDENTIFIER ::= { hashAlgs 15 } | |||
| id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { hashAlgs 16 } | id-hmacWithSHA3-512 OBJECT IDENTIFIER ::= { hashAlgs 16 } | |||
| When the id-hmacWithSHA3-224, id-hmacWithSHA3-256, id- | When the id-hmacWithSHA3-224, id-hmacWithSHA3-256, id- | |||
| hmacWithSHA3-384, and id-hmacWithSHA3-512 algorithm identifier is | hmacWithSHA3-384, and id-hmacWithSHA3-512 algorithm identifiers are | |||
| used, the parameters field MUST be absent; not NULL but absent. | used, the parameters field MUST be absent, not NULL but absent. | |||
| 5. Key Derivation Functions | 5. Key Derivation Functions | |||
| The CMS KEMRecipientInfo structure [I-D.ietf-lamps-cms-kemri] is one | The CMS KEMRecipientInfo structure [RFC9629] is one place where | |||
| place where algorithm identifiers for key-derivation functions are | algorithm identifiers for key-derivation functions are needed. | |||
| needed. | ||||
| 5.1. HKDF with SHA3 | 5.1. HKDF with SHA3 | |||
| This section assigns four algorithm identifiers that can be employed | This section assigns four algorithm identifiers that can be employed | |||
| by CMS implementations that support the HMAC-based Extract-and-Expand | by CMS implementations that support the HMAC-based Extract-and-Expand | |||
| Key Derivation Function (HKDF) [RFC5869] with the SHA3 family of hash | Key Derivation Function (HKDF) [RFC5869] with the SHA3 family of hash | |||
| functions. | functions. | |||
| When HKDF is used in conjunction with one of the SHA3 one-way hash | When HKDF is used in conjunction with one of the SHA3 one-way hash | |||
| functions, the object identifiers are: | functions, the object identifiers are: | |||
| id-alg OBJECT IDENTIFIER ::= { iso(1) member-body(2) | id-alg OBJECT IDENTIFIER ::= { iso(1) member-body(2) | |||
| us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) 3 } | us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) 3 } | |||
| id-alg-hkdf-with-sha3-224 OBJECT IDENTIFIER ::= { id-alg TBD1 } | id-alg-hkdf-with-sha3-224 OBJECT IDENTIFIER ::= { id-alg 32 } | |||
| id-alg-hkdf-with-sha3-256 OBJECT IDENTIFIER ::= { id-alg TBD2 } | id-alg-hkdf-with-sha3-256 OBJECT IDENTIFIER ::= { id-alg 33 } | |||
| id-alg-hkdf-with-sha3-384 OBJECT IDENTIFIER ::= { id-alg TBD3 } | id-alg-hkdf-with-sha3-384 OBJECT IDENTIFIER ::= { id-alg 34 } | |||
| id-alg-hkdf-with-sha3-512 OBJECT IDENTIFIER ::= { id-alg TBD4 } | id-alg-hkdf-with-sha3-512 OBJECT IDENTIFIER ::= { id-alg 35 } | |||
| When id-alg-hkdf-with-sha3-224, id-alg-hkdf-with-sha3-256, id-alg- | When id-alg-hkdf-with-sha3-224, id-alg-hkdf-with-sha3-256, id-alg- | |||
| hkdf-with-sha3-384, or id-alg-hkdf-with-sha3-512 is used in an | hkdf-with-sha3-384, or id-alg-hkdf-with-sha3-512 is used in an | |||
| algorithm identifier, the parameters field MUST be absent; not NULL | algorithm identifier, the parameters field MUST be absent, not NULL | |||
| but absent. | but absent. | |||
| 5.2. KMAC128-KDF and KMAC256-KDF | 5.2. KMAC128-KDF and KMAC256-KDF | |||
| This section specifies the conventions employed by CMS | This section specifies the conventions employed by CMS | |||
| implementations that employ either the KMAC128 or KMAC256 as a key | implementations that employ either KMAC128 or KMAC256 as KDFs as | |||
| derivation function as defined in Section 4.4 of | defined in Section 4.4 of [NIST.SP.800-108r1-upd1]. | |||
| [NIST.SP.800-108r1-upd1]. | ||||
| KMAC128 and KMAC256 are specified in [NIST.SP.800-185]. The use of | KMAC128 and KMAC256 are specified in [NIST.SP.800-185]. The use of | |||
| KMAC128 and KMAC256 as a key derivation function are defined as: | KMAC128 and KMAC256 as KDFs are defined as follows: | |||
| KMAC128-KDF is KMAC128(K, X, L, S). | KMAC128-KDF is KMAC128(K, X, L, S). | |||
| KMAC256-KDF is KMAC256(K, X, L, S). | KMAC256-KDF is KMAC256(K, X, L, S). | |||
| The parameters to the KMAC128 and KMAC256 functions are: | The parameters to the KMAC128 and KMAC256 functions are: | |||
| K the input key-derivation key. The length of K MUST be less | K The input key-derivation key. The length of K MUST be less than | |||
| than 2^2040. | 2^2040. | |||
| X the context, which contains the ASN.1 DER encoding of | X The context, which contains the ASN.1 DER encoding of | |||
| CMSORIforKEMOtherInfo when the KDF is used with | CMSORIforKEMOtherInfo when the KDF is used with [RFC9629]. | |||
| [I-D.ietf-lamps-cms-kemri]. | ||||
| L the output length, in bits. L MUST be greater than or equal to | L The output length in bits. L MUST be greater than or equal to 0 | |||
| 0, and L MUST be less than 2^2040. | and MUST be less than 2^2040. | |||
| S the optional customization label, such as "KDF" (0x4B4446). | S The optional customization label, such as "KDF" (0x4B4446). The | |||
| The length of S MUST be less than 2^2040. | length of S MUST be less than 2^2040. | |||
| The K parameter is known to all authorized parties; it is often the | The K parameter is known to all authorized parties; it is often the | |||
| output of a KEM Decap() operation. The X parameter is assembled from | output of a KEM Decap() operation. The X parameter is assembled from | |||
| data that is transmitted by the originator. The L parameter is | data that is transmitted by the originator. The L parameter is | |||
| determined by the size of the output keying material. The S | determined by the size of the output keying material. The S | |||
| parameter is optional, and if it is provided by the originator, it is | parameter is optional, and if it is provided by the originator, it is | |||
| passed in the parameters field of the KDF algorithm identifier. | passed in the parameters field of the KDF algorithm identifier. | |||
| When KMAC128-KDF or KMAC256-KDF is used, the object identifiers are: | When KMAC128-KDF or KMAC256-KDF is used, the object identifiers are: | |||
| hashAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | hashAlgs OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) | |||
| us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 2 } | us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 2 } | |||
| id-kmac128 OBJECT IDENTIFIER ::= { hashAlgs 21 } | id-kmac128 OBJECT IDENTIFIER ::= { hashAlgs 21 } | |||
| id-kmac256 OBJECT IDENTIFIER ::= { hashAlgs 22 } | id-kmac256 OBJECT IDENTIFIER ::= { hashAlgs 22 } | |||
| When the id-kmac128 or id-kmac256 is used as part of an algorithm | When id-kmac128 or id-kmac256 is used as part of an algorithm | |||
| identifier, the parameters field MUST be absent when there is no | identifier, the parameters field MUST be absent when there is no | |||
| customization label S. If any value is provided for S, then the | customization label (S). If any value is provided for S, then the | |||
| parameters field MUST be present and contain the value of S, encoded | parameters field MUST be present and contain the value of S, encoded | |||
| as Customization. | as Customization. | |||
| Customization ::= OCTET STRING | Customization ::= OCTET STRING | |||
| 5.3. KDF2 and KDF3 with SHA3 | 5.3. KDF2 and KDF3 with SHA3 | |||
| This section specifies the conventions employed by CMS | This section specifies the conventions employed by CMS | |||
| implementations that employ either the KDF2 or KDF3 functions defined | implementations that employ either the KDF2 or KDF3 functions defined | |||
| in [ANS-X9.44]. The CMS KEMRecipientInfo structure | in [ANS-X9.44]. The CMS KEMRecipientInfo structure [RFC9629] is one | |||
| [I-D.ietf-lamps-cms-kemri] is one place where algorithm identifiers | place where algorithm identifiers for key-derivation functions are | |||
| for key-derivation functions are needed. | needed. | |||
| The key-derivation function algorithm identifier is an object | The key-derivation function algorithm identifier is an object | |||
| identifier and optional parameters. When KDF2 and KDF3 are used, | identifier and optional parameter. When KDF2 and KDF3 are used, they | |||
| they are identified by the id-kdf-kdf2 and id-kdf-kdf3 object | are identified by the id-kdf-kdf2 and id-kdf-kdf3 object identifiers, | |||
| identifiers, respectively. The key-derivation function algorithm | respectively. The key-derivation function algorithm identifier | |||
| identifier parameters carry a message digest algorithm identifier, | parameters carry a message digest algorithm identifier, which | |||
| which indicates the hash function that is being employed. To support | indicates the hash function that is being employed. To support SHA3, | |||
| SHA3, the key-derivation function algorithm identifier parameters | the key-derivation function algorithm identifier parameters contain | |||
| contain an algorithm identifier from Section 2. | an algorithm identifier from Section 2. | |||
| x9-44 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) | x9-44 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) | |||
| tc68(133) country(16) x9(840) x9Standards(9) x9-44(44) } | tc68(133) country(16) x9(840) x9Standards(9) x9-44(44) } | |||
| x9-44-components OBJECT IDENTIFIER ::= { x9-44 components(1) } | x9-44-components OBJECT IDENTIFIER ::= { x9-44 components(1) } | |||
| id-kdf-kdf2 OBJECT IDENTIFIER ::= { x9-44-components kdf2(1) } | id-kdf-kdf2 OBJECT IDENTIFIER ::= { x9-44-components kdf2(1) } | |||
| id-kdf-kdf3 OBJECT IDENTIFIER ::= { x9-44-components kdf3(2) } | id-kdf-kdf3 OBJECT IDENTIFIER ::= { x9-44-components kdf3(2) } | |||
| skipping to change at page 9, line 18 ¶ | skipping to change at line 382 ¶ | |||
| the signer's private key permits masquerade. | the signer's private key permits masquerade. | |||
| Implementations must protect the key-derivation key. Compromise of | Implementations must protect the key-derivation key. Compromise of | |||
| the key-derivation key permits others to derive the derived keying | the key-derivation key permits others to derive the derived keying | |||
| material, which would result in loss of confidentiality, integrity, | material, which would result in loss of confidentiality, integrity, | |||
| or authentication, depending on the use of the derived keying | or authentication, depending on the use of the derived keying | |||
| material. | material. | |||
| When more than two parties share the same message-authentication key, | When more than two parties share the same message-authentication key, | |||
| data origin authentication is not assured. Any party that knows the | data origin authentication is not assured. Any party that knows the | |||
| message-authentication key can compute a valid MAC, therefore the | message-authentication key can compute a valid MAC; therefore, the | |||
| content could originate from any one of the parties. | content could originate from any one of the parties. | |||
| Implementations must randomly generate message-authentication keys | Implementations must randomly generate message-authentication keys | |||
| and one-time values, such as the k value when generating a ECDSA | and one-time values, such as the k value when generating an ECDSA | |||
| signature. In addition, the generation of public/private key pairs | signature. In addition, the generation of public/private key pairs | |||
| relies on a random numbers. The use of inadequate pseudo-random | relies on a random numbers. The use of inadequate pseudorandom | |||
| number generators (PRNGs) to generate cryptographic values can result | number generators (PRNGs) to generate cryptographic values can result | |||
| in little or no security. Instead of brute force searching the whole | in little or no security. Instead of brute-force searching the whole | |||
| key space, an attacker may find it much easier to reproduce the PRNG | key space, an attacker may find it much easier to reproduce the PRNG | |||
| environment that produced the keys, and then search the resulting | environment that produced the keys and then search the resulting | |||
| small set of possibilities. The generation of quality random numbers | small set of possibilities. The generation of quality random numbers | |||
| is difficult. RFC 4086 [RFC4086] offers important guidance in this | is difficult. [RFC4086] offers important guidance in this area, and | |||
| area, and Appendix 3 of FIPS Pub 186-4 [DSS] provides some PRNG | Appendix 3 of FIPS PUB 186-4 [DSS] provides some PRNG techniques. | |||
| techniques. | ||||
| Implementers should be aware that cryptographic algorithms become | Implementers should be aware that cryptographic algorithms become | |||
| weaker with time. As new cryptanalysis techniques are developed and | weaker with time. As new cryptanalysis techniques are developed and | |||
| computing performance improves, the work factor to break a particular | computing performance improves, the work factor to break a particular | |||
| cryptographic algorithm will reduce. Therefore, cryptographic | cryptographic algorithm will reduce. Therefore, cryptographic | |||
| algorithm implementations should be modular allowing new algorithms | algorithm implementations should be modular, allowing new algorithms | |||
| to be readily inserted. That is, implementers should be prepared to | to be readily inserted. That is, implementers should be prepared to | |||
| regularly update the set of algorithms in their implementations. | regularly update the set of algorithms in their implementations. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| IANA is asked to assign one object identifier for the ASN.1 module in | IANA has assigned one object identifier for the ASN.1 module in | |||
| Appendix "Appendix. ASN.1 Module" in the "SMI Security for S/MIME | Appendix A in the "SMI Security for S/MIME Module Identifiers | |||
| Module Identifiers (1.2.840.113549.1.9.16.0)" registry [IANA-MOD]: | (1.2.840.113549.1.9.16.0)" registry [IANA-MOD]: | |||
| id-mod-sha3-oids-2023 OBJECT IDENTIFIER ::= { | id-mod-sha3-oids-2023 OBJECT IDENTIFIER ::= { | |||
| iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) | iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) | |||
| pkcs-9(9) smime(16) mod(0) TBD0 } | pkcs-9(9) smime(16) mod(0) 78 } | |||
| IANA is asked to assign four object identifiers for the HKDF using | IANA has assigned four object identifiers for the HKDF using SHA3 | |||
| SHA3 algorithm identifiers in the "SMI Security for S/MIME Algorithms | algorithm identifiers in the "SMI Security for S/MIME Algorithms | |||
| (1.2.840.113549.1.9.16.3)" registry [IANA-ALG]: | (1.2.840.113549.1.9.16.3)" registry [IANA-ALG]: | |||
| id-alg-hkdf-with-sha3-224 OBJECT IDENTIFIER ::= { id-alg TBD1 } | id-alg-hkdf-with-sha3-224 OBJECT IDENTIFIER ::= { id-alg 32 } | |||
| id-alg-hkdf-with-sha3-256 OBJECT IDENTIFIER ::= { id-alg TBD2 } | ||||
| id-alg-hkdf-with-sha3-384 OBJECT IDENTIFIER ::= { id-alg TBD3 } | ||||
| id-alg-hkdf-with-sha3-512 OBJECT IDENTIFIER ::= { id-alg TBD4 } | ||||
| Acknowledgements | id-alg-hkdf-with-sha3-256 OBJECT IDENTIFIER ::= { id-alg 33 } | |||
| Thanks to Daniel Van Geest and Sean Turner for their careful review | id-alg-hkdf-with-sha3-384 OBJECT IDENTIFIER ::= { id-alg 34 } | |||
| and thoughtful comments. | ||||
| Thanks to Sara Kerman, Quynh Dang, and David Cooper for getting the | id-alg-hkdf-with-sha3-512 OBJECT IDENTIFIER ::= { id-alg 35 } | |||
| object identifiers assigned for KMAC128 and KMAC256. | ||||
| References | 8. References | |||
| Normative References | 8.1. Normative References | |||
| [ANS-X9.44] | [ANS-X9.44] | |||
| American National Standards Institute, "Public Key | American National Standards Institute, "Public Key | |||
| Cryptography for the Financial Services Industry -- Key | Cryptography for the Financial Services Industry -- Key | |||
| Establishment Using Integer Factorization Cryptography", | Establishment Using Integer Factorization Cryptography", | |||
| American National Standard X9.44, 2007. | ANSI X9.44-2007 (R2017), 2017, | |||
| <https://webstore.ansi.org/standards/ascx9/ | ||||
| ansix9442007r2017>. | ||||
| [DSS] National Institute of Standards and Technology, "Digital | [DSS] National Institute of Standards and Technology, "Digital | |||
| Signature Standard (DSS)", FIPS PUB 186-5, | Signature Standard (DSS)", FIPS PUB 186-5, | |||
| DOI 10.6028/NIST.FIPS.186-5, 3 February 2023, | DOI 10.6028/NIST.FIPS.186-5, 3 February 2023, | |||
| <https://nvlpubs.nist.gov/nistpubs/FIPS/ | <https://nvlpubs.nist.gov/nistpubs/FIPS/ | |||
| NIST.FIPS.186-5.pdf>. | NIST.FIPS.186-5.pdf>. | |||
| [NIST.SP.800-108r1-upd1] | [NIST.SP.800-108r1-upd1] | |||
| National Institute of Standards and Technology, | Chen, L., "Recommendation for Key Derivation Using | |||
| "Recommendation for key derivation using pseudorandom | Pseudorandom Functions", NIST SP 800-108r1-upd1, | |||
| functions", DOI 10.6028/NIST.SP.800-108r1-upd1, 2 February | DOI 10.6028/NIST.SP.800-108r1-upd1, 2 February 2024, | |||
| 2024, | ||||
| <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | |||
| NIST.SP.800-108r1-upd1.pdf>. | NIST.SP.800-108r1-upd1.pdf>. | |||
| [NIST.SP.800-185] | [NIST.SP.800-185] | |||
| National Institute of Standards and Technology, "SHA-3 | Kelsey, J., Chang, S., and R. Perlner, "SHA-3 Derived | |||
| Derived Functions: cSHAKE, KMAC, TupleHash and | Functions: cSHAKE, KMAC, TupleHash and ParallelHash", NIST | |||
| ParallelHash", NIST Special Publication 800-185, | SP 800-185, DOI 10.6028/NIST.SP.800-185, December 2016, | |||
| DOI 10.6028/NIST.SP.800-185, December 2016, | ||||
| <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ | |||
| NIST.SP.800-185.pdf>. | NIST.SP.800-185.pdf>. | |||
| [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | |||
| Hashing for Message Authentication", RFC 2104, | Hashing for Message Authentication", RFC 2104, | |||
| DOI 10.17487/RFC2104, February 1997, | DOI 10.17487/RFC2104, February 1997, | |||
| <https://www.rfc-editor.org/rfc/rfc2104>. | <https://www.rfc-editor.org/info/rfc2104>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/rfc/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | [RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and | |||
| Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April | |||
| 2002, <https://www.rfc-editor.org/rfc/rfc3279>. | 2002, <https://www.rfc-editor.org/info/rfc3279>. | |||
| [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | [RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | |||
| "Elliptic Curve Cryptography Subject Public Key | "Elliptic Curve Cryptography Subject Public Key | |||
| Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, | Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, | |||
| <https://www.rfc-editor.org/rfc/rfc5480>. | <https://www.rfc-editor.org/info/rfc5480>. | |||
| [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | |||
| RFC 5652, DOI 10.17487/RFC5652, September 2009, | RFC 5652, DOI 10.17487/RFC5652, September 2009, | |||
| <https://www.rfc-editor.org/rfc/rfc5652>. | <https://www.rfc-editor.org/info/rfc5652>. | |||
| [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand | [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand | |||
| Key Derivation Function (HKDF)", RFC 5869, | Key Derivation Function (HKDF)", RFC 5869, | |||
| DOI 10.17487/RFC5869, May 2010, | DOI 10.17487/RFC5869, May 2010, | |||
| <https://www.rfc-editor.org/rfc/rfc5869>. | <https://www.rfc-editor.org/info/rfc5869>. | |||
| [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the | [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the | |||
| Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, | Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, | |||
| DOI 10.17487/RFC5912, June 2010, | DOI 10.17487/RFC5912, June 2010, | |||
| <https://www.rfc-editor.org/rfc/rfc5912>. | <https://www.rfc-editor.org/info/rfc5912>. | |||
| [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | |||
| "PKCS #1: RSA Cryptography Specifications Version 2.2", | "PKCS #1: RSA Cryptography Specifications Version 2.2", | |||
| RFC 8017, DOI 10.17487/RFC8017, November 2016, | RFC 8017, DOI 10.17487/RFC8017, November 2016, | |||
| <https://www.rfc-editor.org/rfc/rfc8017>. | <https://www.rfc-editor.org/info/rfc8017>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [SHA3] National Institute of Standards and Technology, "SHA-3 | [SHA3] National Institute of Standards and Technology, "SHA-3 | |||
| Standard: Permutation-Based Hash and Extendable-Output | Standard: Permutation-Based Hash and Extendable-Output | |||
| Functions", FIPS PUB 202, August 2015, | Functions", NIST FIPS 202, DOI 10.6028/NIST.FIPS.202, | |||
| August 2015, | ||||
| <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf>. | <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf>. | |||
| [X.680] ITU-T, "Information technology -- Abstract Syntax Notation | [X.680] ITU-T, "Information technology - Abstract Syntax Notation | |||
| One (ASN.1): Specification of basic notation", ITU-T | One (ASN.1): Specification of basic notation", ITU-T | |||
| Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, | Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, | |||
| <https://www.itu.int/rec/T-REC-X.680>. | <https://www.itu.int/rec/T-REC-X.680-202102-I/en>. | |||
| [X.690] ITU-T, "Information technology -- ASN.1 encoding rules: | [X.690] ITU-T, "Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), Canonical | Specification of Basic Encoding Rules (BER), Canonical | |||
| Encoding Rules (CER) and Distinguished Encoding Rules | Encoding Rules (CER) and Distinguished Encoding Rules | |||
| (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021, | (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021, | |||
| February 2021, <https://www.itu.int/rec/T-REC-X.680>. | February 2021, | |||
| <https://www.itu.int/rec/T-REC-X.690-202102-I/en>. | ||||
| Informative References | ||||
| [I-D.ietf-lamps-cms-kemri] | 8.2. Informative References | |||
| Housley, R., Gray, J., and T. Okubo, "Using Key | ||||
| Encapsulation Mechanism (KEM) Algorithms in the | ||||
| Cryptographic Message Syntax (CMS)", Work in Progress, | ||||
| Internet-Draft, draft-ietf-lamps-cms-kemri-08, 6 February | ||||
| 2024, <https://datatracker.ietf.org/doc/html/draft-ietf- | ||||
| lamps-cms-kemri-08>. | ||||
| [IANA-ALG] IANA, "SMI Security for for S/MIME Algorithms | [IANA-ALG] IANA, "SMI Security for S/MIME Algorithms | |||
| (1.2.840.113549.1.9.16.3)", n.d., | (1.2.840.113549.1.9.16.3)", | |||
| <https://www.iana.org/assignments/smi-numbers/>. | <https://www.iana.org/assignments/smi-numbers/>. | |||
| [IANA-MOD] IANA, "SMI Security for S/MIME Module Identifier | [IANA-MOD] IANA, "SMI Security for S/MIME Module Identifier | |||
| (1.2.840.113549.1.9.16.0)", n.d., | (1.2.840.113549.1.9.16.0)", | |||
| <https://www.iana.org/assignments/smi-numbers/>. | <https://www.iana.org/assignments/smi-numbers/>. | |||
| [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | |||
| "Randomness Requirements for Security", BCP 106, RFC 4086, | "Randomness Requirements for Security", BCP 106, RFC 4086, | |||
| DOI 10.17487/RFC4086, June 2005, | DOI 10.17487/RFC4086, June 2005, | |||
| <https://www.rfc-editor.org/rfc/rfc4086>. | <https://www.rfc-editor.org/info/rfc4086>. | |||
| [RFC8702] Kampanakis, P. and Q. Dang, "Use of the SHAKE One-Way Hash | [RFC8702] Kampanakis, P. and Q. Dang, "Use of the SHAKE One-Way Hash | |||
| Functions in the Cryptographic Message Syntax (CMS)", | Functions in the Cryptographic Message Syntax (CMS)", | |||
| RFC 8702, DOI 10.17487/RFC8702, January 2020, | RFC 8702, DOI 10.17487/RFC8702, January 2020, | |||
| <https://www.rfc-editor.org/rfc/rfc8702>. | <https://www.rfc-editor.org/info/rfc8702>. | |||
| Appendix. ASN.1 Module | [RFC9629] Housley, R., Gray, J., and T. Okubo, "Using Key | |||
| Encapsulation Mechanism (KEM) Algorithms in the | ||||
| Cryptographic Message Syntax (CMS)", RFC 9629, | ||||
| DOI 10.17487/RFC9629, August 2024, | ||||
| <https://www.rfc-editor.org/info/rfc9629>. | ||||
| Appendix A. ASN.1 Module | ||||
| This section contains the ASN.1 module for the algorithm identifiers | This section contains the ASN.1 module for the algorithm identifiers | |||
| using SHA3 family of hash functions [SHA3]. This module imports | using the SHA3 family of hash functions [SHA3]. This module imports | |||
| types from other ASN.1 modules that are defined in [RFC5912]. | types from other ASN.1 modules that are defined in [RFC5912]. | |||
| <CODE BEGINS> | <CODE BEGINS> | |||
| SHA3-OIDs-2023 | SHA3-OIDs-2023 | |||
| { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) | { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) | |||
| smime(16) modules(0) id-mod-sha3-oids-2023(TBD0) } | smime(16) modules(0) id-mod-sha3-oids-2023(78) } | |||
| DEFINITIONS IMPLICIT TAGS ::= | DEFINITIONS IMPLICIT TAGS ::= | |||
| BEGIN | BEGIN | |||
| EXPORTS ALL; | EXPORTS ALL; | |||
| IMPORTS | IMPORTS | |||
| AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, | AlgorithmIdentifier{}, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, | |||
| KEY-DERIVATION, MAC-ALGORITHM | KEY-DERIVATION, MAC-ALGORITHM | |||
| skipping to change at page 18, line 16 ¶ | skipping to change at line 795 ¶ | |||
| maca-hmacWithSHA3-224 | | maca-hmacWithSHA3-224 | | |||
| maca-hmacWithSHA3-256 | | maca-hmacWithSHA3-256 | | |||
| maca-hmacWithSHA3-384 | | maca-hmacWithSHA3-384 | | |||
| maca-hmacWithSHA3-512, | maca-hmacWithSHA3-512, | |||
| ... } | ... } | |||
| -- | -- | |||
| -- Key Derivation Algorithms | -- Key Derivation Algorithms | |||
| -- | -- | |||
| id-alg-hkdf-with-sha3-224 OID ::= { id-alg TBD1 } | id-alg-hkdf-with-sha3-224 OID ::= { id-alg 32 } | |||
| id-alg-hkdf-with-sha3-256 OID ::= { id-alg TBD2 } | id-alg-hkdf-with-sha3-256 OID ::= { id-alg 33 } | |||
| id-alg-hkdf-with-sha3-384 OID ::= { id-alg TBD3 } | id-alg-hkdf-with-sha3-384 OID ::= { id-alg 34 } | |||
| id-alg-hkdf-with-sha3-512 OID ::= { id-alg TBD4 } | id-alg-hkdf-with-sha3-512 OID ::= { id-alg 35 } | |||
| id-kmac128 OID ::= { hashAlgs 21 } | id-kmac128 OID ::= { hashAlgs 21 } | |||
| id-kmac256 OID ::= { hashAlgs 22 } | id-kmac256 OID ::= { hashAlgs 22 } | |||
| id-kdf-kdf2 OID ::= { x9-44-components kdf2(1) } | id-kdf-kdf2 OID ::= { x9-44-components kdf2(1) } | |||
| id-kdf-kdf3 OID ::= { x9-44-components kdf3(2) } | id-kdf-kdf3 OID ::= { x9-44-components kdf3(2) } | |||
| kda-hkdf-with-sha3-224 KEY-DERIVATION ::= { | kda-hkdf-with-sha3-224 KEY-DERIVATION ::= { | |||
| skipping to change at page 20, line 23 ¶ | skipping to change at line 898 ¶ | |||
| kda-hkdf-with-sha3-512 | | kda-hkdf-with-sha3-512 | | |||
| kda-kmac128 | | kda-kmac128 | | |||
| kda-kmac256 | | kda-kmac256 | | |||
| kda-kdf2 | | kda-kdf2 | | |||
| kda-kdf3, | kda-kdf3, | |||
| ... } | ... } | |||
| END | END | |||
| <CODE ENDS> | <CODE ENDS> | |||
| Acknowledgements | ||||
| Thanks to Daniel Van Geest and Sean Turner for their careful review | ||||
| and thoughtful comments. | ||||
| Thanks to Sara Kerman, Quynh Dang, and David Cooper for getting the | ||||
| object identifiers assigned for KMAC128 and KMAC256. | ||||
| Author's Address | Author's Address | |||
| Russ Housley | Russ Housley | |||
| Vigil Security, LLC | Vigil Security, LLC | |||
| Herndon, VA | Herndon, VA | |||
| United States of America | United States of America | |||
| Email: housley@vigilsec.com | Email: housley@vigilsec.com | |||
| End of changes. 83 change blocks. | ||||
| 172 lines changed or deleted | 165 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||