PKIX Working Group                         R. Housley (RSA Laboratories)Internet Draft                             B. Kaliski (RSA Laboratories)expires June 2003                                          December 2002       Additional Algorithms and Identifiers for RSA Cryptography        for use in the Internet X.509 Public Key Infrastructure       Certificate and Certificate Revocation List (CRL) Profile                  <draft-ietf-pkix-rsa-pkalgs-00.txt>Status of this Memo   This document is an Internet-Draft and is in full conformance with   all provisions of Section 10 of RFC 2026.  Internet-Drafts are   working documents of the Internet Engineering Task Force (IETF), its   areas, and its working groups.  Note that other groups may also   distribute working documents as Internet-Drafts.   Internet-Drafts are draft documents valid for a maximum of six months   and may be updated, replaced, or obsoleted by other documents at any   time.  It is inappropriate to use Internet-Drafts as reference   material or to cite them other than as "work in progress."   The list of current Internet-Drafts can be accessed at   http://www.ietf.org/ietf/1id-abstracts.txt.   The list of Internet-Drafts Shadow Directories can be accessed at   http://www.ietf.org/shadow.html.Abstract   This document supplements RFC 3279.  It describes the conventions for   using the RSASSA-PSS signature algorithm, the RSAES-OAEP key   transport algorithm, and additional one-way hash functions with the   PKCS #1 version 1.5 signature algorithm in the Internet X.509 Public   Key Infrastructure (PKI).  Encoding formats, algorithm identifiers,   and parameter formats are specified.Housley & Kaliski                                               [Page 1]INTERNET DRAFT                                             December 2002Table of Contents    1  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3       1.1  Terminology  . . . . . . . . . . . . . . . . . . . . . .   3       1.2  RSA Public Keys  . . . . . . . . . . . . . . . . . . . .   3    2  Common Functions  . . . . . . . . . . . . . . . . . . . . . .   5       2.1  One-way Hash Functions . . . . . . . . . . . . . . . . .   6       2.2  Mask Generation Functions  . . . . . . . . . . . . . . .   7    3  RSASSA-PSS Signature Algorithm  . . . . . . . . . . . . . . .   7       3.1  RSASSA-PSS Public Keys . . . . . . . . . . . . . . . . .   8       3.2  RSASSA-PSS Signature Values  . . . . . . . . . . . . . .  10    4  RSAES-OAEP Key Transport Algorithm  . . . . . . . . . . . . .  10       4.1  RSAES-OAEP Public Keys . . . . . . . . . . . . . . . . .  11    5  PKCS #1 Version 1.5 Signature Algorithm . . . . . . . . . . .  12    6  ASN.1 Module  . . . . . . . . . . . . . . . . . . . . . . . .  14    7  References  . . . . . . . . . . . . . . . . . . . . . . . . .  18       7.1  Normative References . . . . . . . . . . . . . . . . . .  18       7.2  Informative References . . . . . . . . . . . . . . . . .  19    8  Security Considerations . . . . . . . . . . . . . . . . . . .  19    9  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  21   10  Author Addresses  . . . . . . . . . . . . . . . . . . . . . .  22   11  Full Copyright Statement  . . . . . . . . . . . . . . . . . .  22Housley & Kaliski                                               [Page 2]INTERNET DRAFT                                             December 20021  Introduction   This document supplements RFC 3279 [PKALGS].  This document describes   the conventions for using the RSASSA-PSS signature algorithm and the   RSAES-OAEP key transport algorithm in the Internet X.509 Public Key   Infrastructure (PKI) [PROFILE].  Both of these RSA-based algorithms   are specified in [P1v2.1].  The algorithm identifiers and associated   parameters for subject public keys that employ either of these   algorithms are specified, and the encoding format for RSASSA-PSS   signatures is specified.  Also, the algorithm identifiers for using   the SHA-256, SHA-384, and SHA-512 one-way hash functions with the   PKCS #1 version 1.5 signature algorithm [P1v1.5] are specified.   This specification supplements RFC 3280 [PROFILE], which profile the   X.509 Certificates and Certificate Revocation Lists (CRLs) for use in   the Internet.  This specification extends the list of algorithms   discussed in RFC 3279 [PKALGS].  The X.509 Certificate and CRL   definitions use ASN.1 [X.208-88], the Basic Encoding Rules (BER)   [X.209-88], and the Distinguished Encoding Rules (DER) [X.509-88].   This specification defines the contents of the signatureAlgorithm,   signatureValue, signature, and subjectPublicKeyInfo fields within   Internet X.509 certificates and CRLs.  For each algorithm, the   appropriate alternatives for the keyUsage extension are provided.1.1  Terminology   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this   document are to be interpreted as described in RFC 2119 [STDWORDS].1.2  RSA Public Keys   RFC 3280 [PROFILE] specifies the profile for using X.509 Certificates   in Internet applications.  When a RSA public key will be used for   RSASSA-PSS digital signatures or RSAES-OAEP key transport, the   conventions specified in this section augment RFC 3280.   Traditionally, the rsaEncryption object identifier is used to   identify RSA public keys.  However, to implement all of the   recommendations described in the Security Considerations section of   this document (see section 8), the certificate user needs to be able   to determine the form of digital signature or key transport that the   RSA private key owner associates with the public key.   The rsaEncryption object identifier continues to identify the subject   public key when the RSA private key owner does not wish to limit the   use of the public key exclusively to either RSASSA-PSS or RSAES-OAEP.Housley & Kaliski                                               [Page 3]INTERNET DRAFT                                             December 2002   In this case, the rsaEncryption object identifier MUST be used in the   algorithm field within the subject public key information, and the   parameters field MUST contain NULL.      rsaEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 1 }   Further discussion of the conventions associated with use of the   rsaEncryption object identifier can be found in RFC 3279 (see   [PKALGS], section 2.3.1).   When the RSA private key owner wishes to limit the use of the public   key exclusively to RSASSA-PSS, then the id-RSASSA-PSS object   identifier MUST be used in the algorithm field within the subject   public key information, and the parameters field MUST contain RSASSA-   PSS-params.  The id-RSASSA-PSS object identifier value and the   RSASSA-PSS-params syntax are fully described in section 3 of this   document.   When the RSA private key owner wishes to limit the use of the public   key exclusively to RSAES-OAEP, then the id-RSAES-OAEP object   identifier MUST be used in the algorithm field within the subject   public key information, and the parameters field MUST contain RSAES-   OAEP-params.  The id-RSAES-OAEP object identifier value and the   RSAES-OAEP-params syntax are fully described in section 4 of this   document.   Regardless of the object identifier used, the RSA public key is   encoded in the same manner in the subject public key information.   The RSA public key MUST be encoded using the type RSAPublicKey type:      RSAPublicKey  ::=  SEQUENCE  {         modulus            INTEGER,    -- n         publicExponent     INTEGER  }  -- e   Here, the modulus is the modulus n, and publicExponent is the public   exponent e.  The DER encoded RSAPublicKey is carried in the   subjectPublicKey BIT STRING within the subject public key   information.   The intended application for the key MAY be indicated in the key   usage certificate extension (see [PROFILE], section 4.2.1.3).   If the keyUsage extension is present in an end entity certificate   that conveys an RSA public key with the id-RSASSA-PSS object   identifier, then the key usage extension MUST contain one or both ofHousley & Kaliski                                               [Page 4]INTERNET DRAFT                                             December 2002   the following values:      nonRepudiation; and      digitalSignature.   If the keyUsage extension is present in a certification authority   certificate that conveys an RSA public key with the id-RSASSA-PSS   object identifier, then the key usage extension MUST contain one or   more of the following values:      nonRepudiation;      digitalSignature;      keyCertSign; and      cRLSign.   When a certificate that conveys an RSA public key with the id-RSASSA-   PSS object identifier, the certificate user MUST only use the   certified RSA public key for RSASSA-PSS operations, and the   certificate user MUST perform those operations using the one-way hash   function, mask generation function, and trailer field identified in   the subject public key algorithm identifier parameters within the   certificate.   If the keyUsage extension is present in a certificate that conveys an   RSA public key with the id-RSAES-OAEP object identifier, then the key   usage extension MUST contain only the following values:      keyEncipherment; and      dataEncipherment.   However, both keyEncipherment and dataEncipherment SHOULD NOT be   present.   When a certificate that conveys an RSA public key with the id-RSAES-   OAEP object identifier, the certificate user MUST only use the   certified RSA public key for RSAES-OAEP operations, and the   certificate user MUST perform those operations using the one-way hash   function and mask generation function identified in the subject   public key algorithm identifier parameters within the certificate.2  Common Functions   The RSASSA-PSS signature algorithm and the RSAES-OAEP key transport   algorithm make use of one-way hash functions and mask generation   functions.Housley & Kaliski                                               [Page 5]INTERNET DRAFT                                             December 20022.1  One-way Hash Functions   PKCS #1 version 2.1 [P1v2.1] supports four one-way hash functions for   use with the RSASSA-PSS signature algorithm and the RSAES-OAEP key   transport algorithm: SHA-1, SHA-256, SHA-384, and SHA-512 [SHA2].   While support for additional one-way hash functions could be added in   the future, no other one-way hash functions are supported by this   specification.   These one-way hash functions are identified by the following object   identifiers:      id-sha1  OBJECT IDENTIFIER  ::=  { iso(1)                           identified-organization(3) oiw(14)                           secsig(3) algorithms(2) 26 }      id-sha256  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)                           country(16) us(840) organization(1) gov(101)                           csor(3) nistalgorithm(4) hashalgs(2) 1 }      id-sha384  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)                           country(16) us(840) organization(1) gov(101)                           csor(3) nistalgorithm(4) hashalgs(2) 2 }      id-sha512  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)