rfc9054.original | rfc9054.txt | |||
---|---|---|---|---|
Network Working Group J. Schaad | Internet Engineering Task Force (IETF) J. Schaad | |||
Internet-Draft August Cellars | Request for Comments: 9054 August Cellars | |||
Intended status: Informational September 14, 2020 | Category: Informational July 2021 | |||
Expires: March 18, 2021 | ISSN: 2070-1721 | |||
CBOR Object Signing and Encryption (COSE): Hash Algorithms | CBOR Object Signing and Encryption (COSE): Hash Algorithms | |||
draft-ietf-cose-hash-algs-09 | ||||
Abstract | Abstract | |||
The CBOR Object Signing and Encryption (COSE) syntax | The CBOR Object Signing and Encryption (COSE) syntax (see RFC 9052) | |||
[I-D.ietf-cose-rfc8152bis-struct] does not define any direct methods | does not define any direct methods for using hash algorithms. There | |||
for using hash algorithms. There are, however, circumstances where | are, however, circumstances where hash algorithms are used, such as | |||
hash algorithms are used, such as indirect signatures where the hash | indirect signatures, where the hash of one or more contents are | |||
of one or more contents are signed, and X.509 certificate or other | signed, and an X.509 certificate or other object identification by | |||
object identification by the use of a fingerprint. This document | the use of a fingerprint. This document defines hash algorithms that | |||
defines a set of hash algorithms that are identified by COSE | are identified by COSE algorithm identifiers. | |||
Algorithm Identifiers. | ||||
Contributing to this document | ||||
This note is to be removed before publishing as an RFC. | ||||
The source for this draft is being maintained in GitHub. Suggested | ||||
changes should be submitted as pull requests at https://github.com/ | ||||
cose-wg/X509 Editorial changes can be managed in GitHub, but any | ||||
substantial issues need to be discussed on the COSE mailing list. | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This document is not an Internet Standards Track specification; it is | |||
provisions of BCP 78 and BCP 79. | published for informational purposes. | |||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Not all documents | |||
approved by the IESG are candidates for any level of Internet | ||||
Standard; see Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on March 18, 2021. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9054. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Simplified BSD License text | to this document. Code Components extracted from this document must | |||
as described in Section 4.e of the Trust Legal Provisions and are | include Simplified BSD License text as described in Section 4.e of | |||
provided without warranty as described in the Simplified BSD License. | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
1.1. Requirements Terminology . . . . . . . . . . . . . . . . 3 | 1.1. Requirements Terminology | |||
2. Hash Algorithm Usage . . . . . . . . . . . . . . . . . . . . 3 | 2. Hash Algorithm Usage | |||
2.1. Example CBOR hash structure . . . . . . . . . . . . . . . 4 | 2.1. Example CBOR Hash Structure | |||
3. Hash Algorithm Identifiers . . . . . . . . . . . . . . . . . 5 | 3. Hash Algorithm Identifiers | |||
3.1. SHA-1 Hash Algorithm . . . . . . . . . . . . . . . . . . 6 | 3.1. SHA-1 Hash Algorithm | |||
3.2. SHA-2 Hash Algorithms . . . . . . . . . . . . . . . . . . 6 | 3.2. SHA-2 Hash Algorithms | |||
3.3. SHAKE Algorithms . . . . . . . . . . . . . . . . . . . . 8 | 3.3. SHAKE Algorithms | |||
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 4. IANA Considerations | |||
4.1. COSE Algorithm Registry . . . . . . . . . . . . . . . . . 9 | 4.1. COSE Algorithm Registry | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 5. Security Considerations | |||
6. Normative References . . . . . . . . . . . . . . . . . . . . 10 | 6. Normative References | |||
7. Informative References . . . . . . . . . . . . . . . . . . . 11 | 7. Informative References | |||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12 | Author's Address | |||
1. Introduction | 1. Introduction | |||
The CBOR Object Signing and Encryption (COSE) syntax does not define | The CBOR Object Signing and Encryption (COSE) syntax does not define | |||
any direct methods for the use of hash algorithms. It also does not | any direct methods for the use of hash algorithms. It also does not | |||
define a structure syntax that is used to encode a digested object | define a structure syntax that is used to encode a digested object | |||
structure along the lines of the DigestedData ASN.1 structure in | structure along the lines of the DigestedData ASN.1 structure in | |||
[CMS]. This omission was intentional, as a structure consisting of | [CMS]. This omission was intentional, as a structure consisting of | |||
just a digest identifier, the content, and a digest value does not, | just a digest identifier, the content, and a digest value does not, | |||
by itself, provide any strong security service. Additionally, an | by itself, provide any strong security service. Additionally, an | |||
skipping to change at page 3, line 10 ¶ | skipping to change at line 90 ¶ | |||
While the above is true, there are some cases where having some | While the above is true, there are some cases where having some | |||
standard hash algorithms defined for COSE with a common identifier | standard hash algorithms defined for COSE with a common identifier | |||
makes a great deal of sense. Two of the cases where these are going | makes a great deal of sense. Two of the cases where these are going | |||
to be used are: | to be used are: | |||
* Indirect signing of content, and | * Indirect signing of content, and | |||
* Object identification. | * Object identification. | |||
Indirect signing of content is a paradigm where the content is not | Indirect signing of content is a paradigm where the content is not | |||
directly signed, but instead a hash of the content is computed and | directly signed, but instead a hash of the content is computed, and | |||
that hash value, along with an identifier for the hash algorithm, is | that hash value -- along with an identifier for the hash algorithm -- | |||
included in the content that will be signed. Doing indirect signing | is included in the content that will be signed. Indirect signing | |||
allows for a signature to be validated without first downloading all | allows for a signature to be validated without first downloading all | |||
of the content associated with the signature. Rather the signature | of the content associated with the signature. Rather, the signature | |||
can be validated on all of the hash values and pointers to the | can be validated on all of the hash values and pointers to the | |||
associated contents, then those associated parts can be downloaded, | associated contents; those associated parts can then be downloaded, | |||
the hash value of that part computed, and then compared to the hash | then the hash value of that part can be computed and compared to the | |||
value in the signed content. This capability can be of even greater | hash value in the signed content. This capability can be of even | |||
importance in a constrained environment as not all of the content | greater importance in a constrained environment, as not all of the | |||
signed may be needed by the device. An example of how this is used | content signed may be needed by the device. An example of how this | |||
can be found in [I-D.ietf-suit-manifest]. | is used can be found in [SUIT-MANIFEST]. | |||
The use of hashes to identify objects is something that has been very | The use of hashes to identify objects is something that has been very | |||
common. One of the primary things that has been identified by a hash | common. One of the primary things that has been identified by a hash | |||
function in a secure message is a certificate. Two examples of this | function in a secure message is a certificate. Two examples of this | |||
can be found in [ESS] and the COSE equivalents in | can be found in [ESS] and the COSE equivalents in [COSE-x509]. | |||
[I-D.ietf-cose-x509]. | ||||
1.1. Requirements Terminology | 1.1. Requirements Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
2. Hash Algorithm Usage | 2. Hash Algorithm Usage | |||
As noted in the previous section, hash functions can be used for a | As noted in the previous section, hash functions can be used for a | |||
variety of purposes. Some of these purposes require that a hash | variety of purposes. Some of these purposes require that a hash | |||
function be cryptographically strong. These include direct and | function be cryptographically strong. These include direct and | |||
indirect signatures. That is, using the hash as part of the | indirect signatures -- that is, using the hash as part of the | |||
signature or using the hash as part of the body to be signed. Other | signature or using the hash as part of the body to be signed. Other | |||
uses of hash functions may not require the same level of strength. | uses of hash functions may not require the same level of strength. | |||
This document contains some hash functions that are not designed to | This document contains some hash functions that are not designed to | |||
be used for cryptographic operations. An application that is using a | be used for cryptographic operations. An application that is using a | |||
hash function needs to carefully evaluate exactly what hash | hash function needs to carefully evaluate exactly what hash | |||
properties are needed and which hash functions are going to provide | properties are needed and which hash functions are going to provide | |||
them. Applications should also make sure that the ability to change | them. Applications should also make sure that the ability to change | |||
hash functions is part of the base design, as cryptographic advances | hash functions is part of the base design, as cryptographic advances | |||
are sure to reduce the strength of a hash function [BCP201]. | are sure to reduce the strength of a hash function [BCP201]. | |||
A hash function is a map from one, normally large, bit string to a | A hash function is a map from one, normally large, bit string to a | |||
second, usually smaller, bit string. As the number of possible input | second, usually smaller, bit string. As the number of possible input | |||
values is far greater than the number of possible output values, it | values is far greater than the number of possible output values, it | |||
is inevitable that there are going to be collisions. The trick is to | is inevitable that there are going to be collisions. The trick is to | |||
make sure that it is difficult to find two values that are going to | make sure that it is difficult to find two values that are going to | |||
map to the same output value. A "Collision Attack" is one where an | map to the same output value. A "Collision Attack" is one where an | |||
attacker can find two different messages that have the same hash | attacker can find two different messages that have the same hash | |||
value. A hash function that is susceptible to practical collision | value. A hash function that is susceptible to practical collision | |||
attacks, SHOULD NOT be used for a cryptographic purpose. The | attacks SHOULD NOT be used for a cryptographic purpose. The | |||
discovery of theoretical collision attacks against a given hash | discovery of theoretical collision attacks against a given hash | |||
function SHOULD trigger protocol maintainers and users to do a review | function SHOULD trigger protocol maintainers and users to review the | |||
of the continued suitability of the algorithm if alternatives are | continued suitability of the algorithm if alternatives are available | |||
available and migration is viable. The only reason why such a hash | and migration is viable. The only reason such a hash function is | |||
function is used is when there is absolutely no other choice (e.g. a | used is when there is absolutely no other choice (e.g., a Hardware | |||
Hardware Security Module (HSM) that cannot be replaced), and only | Security Module (HSM) that cannot be replaced), and only after | |||
after looking at the possible security issues. Cryptographic | looking at the possible security issues. Cryptographic purposes | |||
purposes would include the creation of signatures or the use of | would include the creation of signatures or the use of hashes for | |||
hashes for indirect signatures. These functions may still be usable | indirect signatures. These functions may still be usable for | |||
for non-cryptographic purposes. | noncryptographic purposes. | |||
An example of a non-cryptographic use of a hash is for filtering from | An example of a noncryptographic use of a hash is filtering from a | |||
a collection of values to find a set of possible candidates; the | collection of values to find a set of possible candidates; the | |||
candidates can then be checked to see if they can successfully be | candidates can then be checked to see if they can successfully be | |||
used. A simple example of this is the classic fingerprint of a | used. A simple example of this is the classic fingerprint of a | |||
certificate. If the fingerprint is used to verify that it is the | certificate. If the fingerprint is used to verify that it is the | |||
correct certificate, then that usage is a cryptographic one and is | correct certificate, then that usage is a cryptographic one and is | |||
subject to the warning above about collision attack. If, however, | subject to the warning above about collision attack. If, however, | |||
the fingerprint is used to sort through a collection of certificates | the fingerprint is used to sort through a collection of certificates | |||
to find those that might be used for the purpose of verifying a | to find those that might be used for the purpose of verifying a | |||
signature, a simple filter capability is sufficient. In this case, | signature, a simple filter capability is sufficient. In this case, | |||
one still needs to confirm that the public key validates the | one still needs to confirm that the public key validates the | |||
signature (and the certificate is trusted), and all certificates that | signature (and the certificate is trusted), and all certificates that | |||
don't contain a key that validates the signature can be discarded as | don't contain a key that validates the signature can be discarded as | |||
false positives. | false positives. | |||
To distinguish between these two cases, a new value in the | To distinguish between these two cases, a new value in the | |||
recommended column of the COSE Algorithms registry is to be added. | Recommended column of the "COSE Algorithms" registry has been added. | |||
"Filter Only" indicates that the only purpose of a hash function | "Filter Only" indicates that the only purpose of a hash function | |||
should be to filter results and it is not intended for applications | should be to filter results; it is not intended for applications that | |||
which require a cryptographically strong algorithm. | require a cryptographically strong algorithm. | |||
2.1. Example CBOR hash structure | 2.1. Example CBOR Hash Structure | |||
[COSE] did not provide a default structure for holding a hash value | [COSE] did not provide a default structure for holding a hash value | |||
not only because no separate hash algorithms were defined, but | both because no separate hash algorithms were defined and because the | |||
because how the structure is setup is frequently application | way the structure is set up is frequently application specific. | |||
specific. There are four fields that are often included as part of a | There are four fields that are often included as part of a hash | |||
hash structure: | structure: | |||
* The hash algorithm identifier. | * The hash algorithm identifier. | |||
* The hash value. | * The hash value. | |||
* A pointer to the value that was hashed. This could be a pointer | * A pointer to the value that was hashed. This could be a pointer | |||
to a file, an object that can be obtained from the network, or a | to a file, an object that can be obtained from the network, a | |||
pointer to someplace in the message, or something very application | pointer to someplace in the message, or something very application | |||
specific. | specific. | |||
* Additional data; this can be something as simple as a random value | * Additional data. This can be something as simple as a random | |||
(i.e. salt) to make finding hash collisions slightly harder (as | value (i.e., salt) to make finding hash collisions slightly harder | |||
the payload handed to the application could have been selected to | (because the payload handed to the application could have been | |||
have a collision), or as complicated as a set of processing | selected to have a collision), or as complicated as a set of | |||
instructions that are used with the object that is pointed to. | processing instructions that is used with the object that is | |||
The additional data can be dealt with in a number of ways, | pointed to. The additional data can be dealt with in a number of | |||
prepending or appending to the content, but it is strongly | ways, prepending or appending to the content, but it is strongly | |||
suggested that it either be a fixed known size, or the lengths of | suggested that either it be a fixed known size, or the lengths of | |||
the pieces being hashed be included. (Encoding as a CBOR array | the pieces being hashed be included. (Encoding as a CBOR array | |||
accomplishes this requirement.) | accomplishes this requirement.) | |||
An example of a structure which permits all of the above fields to | An example of a structure that permits all of the above fields to | |||
exist would look like the following. | exist would look like the following: | |||
COSE_Hash_V = ( | COSE_Hash_V = ( | |||
1 : int / tstr, # Algorithm identifier | 1 : int / tstr, # Algorithm identifier | |||
2 : bstr, # Hash value | 2 : bstr, # Hash value | |||
? 3 : tstr, # Location of object that was hashed | ? 3 : tstr, # Location of object that was hashed | |||
? 4 : any # object containing other details and things | ? 4 : any # object containing other details and things | |||
) | ) | |||
Below is an alternative structure that could be used in situations | Below is an alternative structure that could be used in situations | |||
where one is searching a group of objects for a matching hash value. | where one is searching a group of objects for a matching hash value. | |||
In this case, the location would not be needed and adding extra data | In this case, the location would not be needed, and adding extra data | |||
to the hash would be counterproductive. This results in a structure | to the hash would be counterproductive. This results in a structure | |||
that looks like this: | that looks like this: | |||
COSE_Hash_Find = [ | COSE_Hash_Find = [ | |||
hashAlg : int / tstr, | hashAlg : int / tstr, | |||
hashValue : bstr | hashValue : bstr | |||
] | ] | |||
3. Hash Algorithm Identifiers | 3. Hash Algorithm Identifiers | |||
3.1. SHA-1 Hash Algorithm | 3.1. SHA-1 Hash Algorithm | |||
The SHA-1 hash algorithm [RFC3174] was designed by the United States | The SHA-1 hash algorithm [RFC3174] was designed by the United States | |||
National Security Agency and published in 1995. Since that time a | National Security Agency and published in 1995. Since that time, a | |||
large amount of cryptographic analysis has been applied to this | large amount of cryptographic analysis has been applied to this | |||
algorithm and a successful collision attack has been created | algorithm, and a successful collision attack has been created | |||
([SHA-1-collision]). The IETF formally started discouraging the use | [SHA-1-collision]. The IETF formally started discouraging the use of | |||
of SHA-1 with the publishing of [RFC6194]. | SHA-1 in [RFC6194]. | |||
Despite the above, there are still times where SHA-1 needs to be used | Despite these facts, there are still times where SHA-1 needs to be | |||
and therefore it makes sense to assign a codepoint for the use of | used; therefore, it makes sense to assign a code point for the use of | |||
this hash algorithm. Some of these situations are with historic HSMs | this hash algorithm. Some of these situations involve historic HSMs | |||
where only SHA-1 is implemented; other situations are where the SHA-1 | where only SHA-1 is implemented; in other situations, the SHA-1 value | |||
value is used for the purpose of filtering and thus the collision | is used for the purpose of filtering; thus, the collision-resistance | |||
resistance property is not needed. | property is not needed. | |||
Because of the known issues for SHA-1 and the fact that it should no | Because of the known issues for SHA-1 and the fact that it should no | |||
longer be used, the algorithm will be registered with the | longer be used, the algorithm will be registered with the | |||
recommendation of "Filter Only". This provides guidance about when | recommendation of "Filter Only". This provides guidance about when | |||
the algorithm is safe for use, while discouraging usage where it is | the algorithm is safe for use, while discouraging usage where it is | |||
not safe. | not safe. | |||
The COSE capabilities for this algorithm is an empty array. | The COSE capabilities for this algorithm is an empty array. | |||
+=====+======+=============+==============+===========+=============+ | +=====+======+=============+==============+===========+=============+ | |||
|Name |Value | Description | Capabilities | Reference | Recommended | | |Name |Value | Description | Capabilities | Reference | Recommended | | |||
+=====+======+=============+==============+===========+=============+ | +=====+======+=============+==============+===========+=============+ | |||
|SHA-1| -14 | SHA-1 Hash | [] | [This | Filter Only | | |SHA-1|-14 | SHA-1 Hash | [] | RFC 9054 | Filter Only | | |||
| | | | | Document] | | | ||||
+-----+------+-------------+--------------+-----------+-------------+ | +-----+------+-------------+--------------+-----------+-------------+ | |||
Table 1: SHA-1 Hash Algorithm | Table 1: SHA-1 Hash Algorithm | |||
3.2. SHA-2 Hash Algorithms | 3.2. SHA-2 Hash Algorithms | |||
The family of SHA-2 hash algorithms [FIPS-180-4] was designed by the | The family of SHA-2 hash algorithms [FIPS-180-4] was designed by the | |||
United States National Security Agency and published in 2001. Since | United States National Security Agency and published in 2001. Since | |||
that time some additional algorithms have been added to the original | that time, some additional algorithms have been added to the original | |||
set to deal with length extension attacks and some performance | set to deal with length-extension attacks and some performance | |||
issues. While the SHA-3 hash algorithms have been published since | issues. While the SHA-3 hash algorithms have been published since | |||
that time, the SHA-2 algorithms are still broadly used. | that time, the SHA-2 algorithms are still broadly used. | |||
There are a number of different parameters for the SHA-2 hash | There are a number of different parameters for the SHA-2 hash | |||
functions. The set of hash functions which have been chosen for | functions. The set of hash functions that has been chosen for | |||
inclusion in this document are based on those different parameters | inclusion in this document is based on those different parameters and | |||
and some of the trade-offs involved. | some of the trade-offs involved. | |||
* *SHA-256/64* provides a truncated hash. The length of the | * *SHA-256/64* provides a truncated hash. The length of the | |||
truncation is designed to allow for smaller transmission size. | truncation is designed to allow for smaller transmission size. | |||
The trade-off is that the odds that a collision will occur | The trade-off is that the odds that a collision will occur | |||
increase proportionally. Use of this hash function needs analysis | increase proportionally. Use of this hash function requires | |||
of the potential problems with having a collision occur, or must | analysis of the potential problems that could result from a | |||
be limited to where the function of the hash is non-cryptographic. | collision, or it must be limited to where the function of the hash | |||
is noncryptographic. | ||||
The latter is the case for [I-D.ietf-cose-x509]. The hash value | The latter is the case for [COSE-x509]. The hash value is used to | |||
is used to select possible certificates and, if there are multiple | select possible certificates; if there are multiple choices | |||
choices remaining then, each choice can be tested by using the | remaining, then each choice can be tested by using the public key. | |||
public key. | ||||
* *SHA-256* is probably the most common hash function used | * *SHA-256* is probably the most common hash function used | |||
currently. SHA-256 is an efficient hash algorithm for 32-bit | currently. SHA-256 is an efficient hash algorithm for 32-bit | |||
hardware. | hardware. | |||
* *SHA-384* and *SHA-512* hash functions are efficient for 64-bit | * *SHA-384* and *SHA-512* hash functions are efficient for 64-bit | |||
hardware. | hardware. | |||
* *SHA-512/256* provides a hash function that runs more efficiently | * *SHA-512/256* provides a hash function that runs more efficiently | |||
on 64-bit hardware, but offers the same security levels as SHA- | on 64-bit hardware but offers the same security levels as SHA-256. | |||
256. | ||||
The COSE capabilities array for these algorithms is empty. | The COSE capabilities array for these algorithms is empty. | |||
+===========+=====+===========+==============+=========+============+ | +===========+=====+===========+==============+=========+============+ | |||
| Name |Value|Description| Capabilities |Reference|Recommended | | |Name |Value|Description| Capabilities |Reference|Recommended | | |||
+===========+=====+===========+==============+=========+============+ | +===========+=====+===========+==============+=========+============+ | |||
|SHA-256/64 | -15 | SHA-2 | [] | [This |Filter Only | | |SHA-256/64 |-15 |SHA-2 | [] |RFC 9054 |Filter Only | | |||
| | | 256-bit | |Document]| | | | | |256-bit | | | | | |||
| | | Hash | | | | | | | |Hash | | | | | |||
| | | truncated | | | | | | | |truncated | | | | | |||
| | |to 64-bits | | | | | | | |to 64-bits | | | | | |||
+-----------+-----+-----------+--------------+---------+------------+ | +-----------+-----+-----------+--------------+---------+------------+ | |||
| SHA-256 | -16 | SHA-2 | [] | [This | Yes | | |SHA-256 |-16 |SHA-2 | [] |RFC 9054 |Yes | | |||
| | | 256-bit | |Document]| | | | | |256-bit | | | | | |||
| | | Hash | | | | | | | |Hash | | | | | |||
+-----------+-----+-----------+--------------+---------+------------+ | +-----------+-----+-----------+--------------+---------+------------+ | |||
| SHA-384 | -43 | SHA-2 | [] | [This | Yes | | |SHA-384 |-43 |SHA-2 | [] |RFC 9054 |Yes | | |||
| | | 384-bit | |Document]| | | | | |384-bit | | | | | |||
| | | Hash | | | | | | | |Hash | | | | | |||
+-----------+-----+-----------+--------------+---------+------------+ | +-----------+-----+-----------+--------------+---------+------------+ | |||
| SHA-512 | -44 | SHA-2 | [] | [This | Yes | | |SHA-512 |-44 |SHA-2 | [] |RFC 9054 |Yes | | |||
| | | 512-bit | |Document]| | | | | |512-bit | | | | | |||
| | | Hash | | | | | | | |Hash | | | | | |||
+-----------+-----+-----------+--------------+---------+------------+ | +-----------+-----+-----------+--------------+---------+------------+ | |||
|SHA-512/256| -17 | SHA-2 | [] | [This | Yes | | |SHA-512/256|-17 |SHA-2 | [] |RFC 9054 |Yes | | |||
| | | 512-bit | |Document]| | | | | |512-bit | | | | | |||
| | | Hash | | | | | | | |Hash | | | | | |||
| | | truncated | | | | | | | |truncated | | | | | |||
| | |to 256-bits| | | | | | | |to 256-bits| | | | | |||
+-----------+-----+-----------+--------------+---------+------------+ | +-----------+-----+-----------+--------------+---------+------------+ | |||
Table 2: SHA-2 Hash Algorithms | Table 2: SHA-2 Hash Algorithms | |||
3.3. SHAKE Algorithms | 3.3. SHAKE Algorithms | |||
The family of SHA-3 hash algorithms [FIPS-202] was the result of a | The family of SHA-3 hash algorithms [FIPS-202] was the result of a | |||
competition run by NIST. The pair of algorithms known as SHAKE-128 | competition run by NIST. The pair of algorithms known as SHAKE-128 | |||
and SHAKE-256 are the instances of SHA-3 that are currently being | and SHAKE-256 are the instances of SHA-3 that are currently being | |||
standardized in the IETF. This is the reason for including these | standardized in the IETF. This is the reason for including these | |||
algorithms in this document. | algorithms in this document. | |||
The SHA-3 hash algorithms have a significantly different structure | The SHA-3 hash algorithms have a significantly different structure | |||
than the SHA-2 hash algorithms. | than the SHA-2 hash algorithms. | |||
Unlike the SHA-2 hash functions, no algorithm identifier is created | Unlike the SHA-2 hash functions, no algorithm identifier is created | |||
for shorter lengths. The length of the hash value stored is 256-bits | for shorter lengths. The length of the hash value stored is 256 bits | |||
for SHAKE-128 and 512-bits for SHAKE-256. | for SHAKE-128 and 512 bits for SHAKE-256. | |||
The COSE capabilities array for these algorithms is empty. | The COSE capabilities array for these algorithms is empty. | |||
+========+=====+=============+==============+=========+=============+ | +========+=====+=============+==============+=========+=============+ | |||
| Name |Value| Description | Capabilities |Reference| Recommended | | |Name |Value|Description | Capabilities |Reference| Recommended | | |||
+========+=====+=============+==============+=========+=============+ | +========+=====+=============+==============+=========+=============+ | |||
|SHAKE128| -18 | SHAKE-128 | [] | [This | Yes | | |SHAKE128|-18 |SHAKE-128 | [] |RFC 9054 | Yes | | |||
| | |256-bit Hash | |Document]| | | | | |256-bit Hash | | | | | |||
| | | Value | | | | | | | |Value | | | | | |||
+--------+-----+-------------+--------------+---------+-------------+ | +--------+-----+-------------+--------------+---------+-------------+ | |||
|SHAKE256| -45 | SHAKE-256 | [] | [This | Yes | | |SHAKE256|-45 |SHAKE-256 | [] |RFC 9054 | Yes | | |||
| | |512-bit Hash | |Document]| | | | | |512-bit Hash | | | | | |||
| | | Value | | | | | | | |Value | | | | | |||
+--------+-----+-------------+--------------+---------+-------------+ | +--------+-----+-------------+--------------+---------+-------------+ | |||
Table 3: SHAKE Hash Functions | Table 3: SHAKE Hash Functions | |||
4. IANA Considerations | 4. IANA Considerations | |||
The IANA actions in [I-D.ietf-cose-rfc8152bis-struct] and | ||||
[I-D.ietf-cose-rfc8152bis-algs] need to be executed before the | ||||
actions in this document. Where early allocation of codepoints has | ||||
been made, these should be preserved. | ||||
4.1. COSE Algorithm Registry | 4.1. COSE Algorithm Registry | |||
IANA is requested to register the following algorithms in the "COSE | IANA has registered the following algorithms in the "COSE Algorithms" | |||
Algorithms" registry. | registry (https://www.iana.org/assignments/cose/). | |||
* The SHA-1 hash function found in Table 1. | * The SHA-1 hash function found in Table 1. | |||
* The set of SHA-2 hash functions found in Table 2. | * The set of SHA-2 hash functions found in Table 2. | |||
* The set of SHAKE hash functions found in Table 3. | * The set of SHAKE hash functions found in Table 3. | |||
Many of the hash values produced are relatively long and as such the | Many of the hash values produced are relatively long; as such, use of | |||
use of a two byte algorithm identifier seems reasonable. SHA-1 is | a two-byte algorithm identifier seems reasonable. SHA-1 is tagged as | |||
tagged as 'Filter Only' and thus a longer algorithm identifier is | "Filter Only", so a longer algorithm identifier is appropriate even | |||
appropriate even though it is a shorter hash value. | though it is a shorter hash value. | |||
IANA is requested to add the value of 'Filter Only' to the set of | IANA has added the value of "Filter Only" to the set of legal values | |||
legal values for the 'Recommended' column. This value is only to be | for the Recommended column. This value is only to be used for hash | |||
used for hash functions and indicates that it is not to be used for | functions and indicates that it is not to be used for purposes that | |||
purposes which require collision resistance. IANA is requested to | require collision resistance. As a result of this addition, IANA has | |||
add this document to the reference section for this table due to this | added this document as a reference for the "COSE Algorithms" | |||
addition. | registry. | |||
5. Security Considerations | 5. Security Considerations | |||
Protocols need to perform a careful analysis of the properties of a | Protocols need to perform a careful analysis of the properties of a | |||
hash function that are needed and how they map onto the possible | hash function that are needed and how they map onto the possible | |||
attacks. In particular, one needs to distinguish between those uses | attacks. In particular, one needs to distinguish between those uses | |||
that need the cryptographic properties, such as collision resistance, | that need the cryptographic properties, such as collision resistance, | |||
and properties that correspond to possible object identification. | and properties that correspond to possible object identification. | |||
The different attacks correspond to who or what is being protected: | The different attacks correspond to who or what is being protected: | |||
is it the originator that is the attacker or a third party? This is | is it the originator that is the attacker or a third party? This is | |||
the difference between collision resistance and second pre-image | the difference between collision resistance and second pre-image | |||
resistance. As a general rule, longer hash values are "better" than | resistance. As a general rule, longer hash values are "better" than | |||
short ones, but trade-offs of transmission size, timeliness, and | short ones, but trade-offs of transmission size, timeliness, and | |||
security all need to be included as part of this analysis. In many | security all need to be included as part of this analysis. In many | |||
cases the value being hashed is a public value and, as such, pre- | cases, the value being hashed is a public value and, as such, pre- | |||
image resistance is not part of this analysis. | image resistance is not part of this analysis. | |||
Algorithm agility needs to be considered a requirement for any use of | Algorithm agility needs to be considered a requirement for any use of | |||
hash functions [BCP201]. As with any cryptographic function, hash | hash functions [BCP201]. As with any cryptographic function, hash | |||
functions are under constant attack and the cryptographic strength of | functions are under constant attack, and the cryptographic strength | |||
hash algorithms will be reduced over time. | of hash algorithms will be reduced over time. | |||
6. Normative References | 6. Normative References | |||
[FIPS-180-4] | ||||
NIST, "Secure Hash Standard", FIPS PUB 180-4, | ||||
DOI 10.6028/NIST.FIPS.180-4, August 2015, | ||||
<https://doi.org/10.6028/NIST.FIPS.180-4>. | ||||
[FIPS-202] Dworkin, M.J., "SHA-3 Standard: Permutation-Based Hash and | ||||
Extendable-Output Functions", FIPS PUB 202, | ||||
DOI 10.6028/NIST.FIPS.202, August 2015, | ||||
<https://doi.org/10.6028/NIST.FIPS.202>. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 | ||||
(SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001, | ||||
<https://www.rfc-editor.org/info/rfc3174>. | ||||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[I-D.ietf-cose-rfc8152bis-struct] | [RFC9052] Schaad, J., "CBOR Object Signing and Encryption (COSE): | |||
Schaad, J., "CBOR Object Signing and Encryption (COSE): | Structures and Process", STD 96, RFC 9052, | |||
Structures and Process", Work in Progress, Internet-Draft, | DOI 10.17487/RFC9052, July 2021, | |||
draft-ietf-cose-rfc8152bis-struct-12, August 24, 2020, | <https://www.rfc-editor.org/info/rfc9052>. | |||
<https://tools.ietf.org/html/draft-ietf-cose-rfc8152bis- | ||||
struct-12>. | ||||
[FIPS-180-4] | ||||
National Institute of Standards and Technology, "Secure | ||||
Hash Standard", FIPS PUB 180-4, August 2015. | ||||
[FIPS-202] National Institute of Standards and Technology, "SHA-3 | ||||
Standard: Permutation-Based Hash and Extendable-Output | ||||
Functions", FIPS PUB 202, August 2015. | ||||
[RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm 1 | ||||
(SHA1)", RFC 3174, DOI 10.17487/RFC3174, September 2001, | ||||
<https://www.rfc-editor.org/info/rfc3174>. | ||||
7. Informative References | 7. Informative References | |||
[BCP201] Housley, R., "Guidelines for Cryptographic Algorithm | ||||
Agility and Selecting Mandatory-to-Implement Algorithms", | ||||
BCP 201, RFC 7696, November 2015, | ||||
<https://www.rfc-editor.org/info/bcp201>. | ||||
[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | |||
RFC 5652, DOI 10.17487/RFC5652, September 2009, | RFC 5652, DOI 10.17487/RFC5652, September 2009, | |||
<https://www.rfc-editor.org/info/rfc5652>. | <https://www.rfc-editor.org/info/rfc5652>. | |||
[ESS] Hoffman, P., Ed., "Enhanced Security Services for S/MIME", | [COSE] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | |||
RFC 2634, DOI 10.17487/RFC2634, June 1999, | RFC 8152, DOI 10.17487/RFC8152, July 2017, | |||
<https://www.rfc-editor.org/info/rfc2634>. | <https://www.rfc-editor.org/info/rfc8152>. | |||
[I-D.ietf-cose-x509] | [COSE-x509] | |||
Schaad, J., "CBOR Object Signing and Encryption (COSE): | Schaad, J., "CBOR Object Signing and Encryption (COSE): | |||
Header parameters for carrying and referencing X.509 | Header parameters for carrying and referencing X.509 | |||
certificates", Work in Progress, Internet-Draft, draft- | certificates", Work in Progress, Internet-Draft, draft- | |||
ietf-cose-x509-06, March 9, 2020, | ietf-cose-x509-08, 14 December 2020, | |||
<https://tools.ietf.org/html/draft-ietf-cose-x509-06>. | <https://datatracker.ietf.org/doc/html/draft-ietf-cose- | |||
x509-08>. | ||||
[ESS] Hoffman, P., Ed., "Enhanced Security Services for S/MIME", | ||||
RFC 2634, DOI 10.17487/RFC2634, June 1999, | ||||
<https://www.rfc-editor.org/info/rfc2634>. | ||||
[RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security | [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security | |||
Considerations for the SHA-0 and SHA-1 Message-Digest | Considerations for the SHA-0 and SHA-1 Message-Digest | |||
Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, | Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, | |||
<https://www.rfc-editor.org/info/rfc6194>. | <https://www.rfc-editor.org/info/rfc6194>. | |||
[I-D.ietf-cose-rfc8152bis-algs] | [RFC9053] Schaad, J., "CBOR Object Signing and Encryption (COSE): | |||
Schaad, J., "CBOR Object Signing and Encryption (COSE): | Initial Algorithms", RFC 9053, DOI 10.17487/RFC9053, July | |||
Initial Algorithms", Work in Progress, Internet-Draft, | 2021, <https://www.rfc-editor.org/info/rfc9053>. | |||
draft-ietf-cose-rfc8152bis-algs-11, July 1, 2020, | ||||
<https://tools.ietf.org/html/draft-ietf-cose-rfc8152bis- | ||||
algs-11>. | ||||
[I-D.ietf-suit-manifest] | ||||
Moran, B., Tschofenig, H., Birkholz, H., and K. Zandberg, | ||||
"A Concise Binary Object Representation (CBOR)-based | ||||
Serialization Format for the Software Updates for Internet | ||||
of Things (SUIT) Manifest", Work in Progress, Internet- | ||||
Draft, draft-ietf-suit-manifest-09, July 13, 2020, | ||||
<https://tools.ietf.org/html/draft-ietf-suit-manifest-09>. | ||||
[BCP201] Housley, R., "Guidelines for Cryptographic Algorithm | ||||
Agility and Selecting Mandatory-to-Implement Algorithms", | ||||
BCP 201, RFC 7696, November 2015. | ||||
<https://www.rfc-editor.org/info/bcp201> | ||||
[SHA-1-collision] | [SHA-1-collision] | |||
Stevens, M., Bursztein, E., Karpman, P., Albertini, A., | Stevens, M., Bursztein, E., Karpman, P., Albertini, A., | |||
and Y. Markov, "The first collision for full SHA-1", | and Y. Markov, "The first collision for full SHA-1", | |||
February 2017, | February 2017, | |||
<https://shattered.io/static/shattered.pdf>. | <https://shattered.io/static/shattered.pdf>. | |||
[COSE] Schaad, J., "CBOR Object Signing and Encryption (COSE)", | [SUIT-MANIFEST] | |||
RFC 8152, DOI 10.17487/RFC8152, July 2017, | Moran, B., Tschofenig, H., Birkholz, H., and K. Zandberg, | |||
<https://www.rfc-editor.org/info/rfc8152>. | "A Concise Binary Object Representation (CBOR)-based | |||
Serialization Format for the Software Updates for Internet | ||||
of Things (SUIT) Manifest", Work in Progress, Internet- | ||||
Draft, draft-ietf-suit-manifest-14, 12 July 2021, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-suit- | ||||
manifest-14>. | ||||
Author's Address | Author's Address | |||
Jim Schaad | Jim Schaad | |||
August Cellars | August Cellars | |||
Email: ietf@augustcellars.com | Email: ietf@augustcellars.com | |||
End of changes. 60 change blocks. | ||||
221 lines changed or deleted | 201 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |