| 1 | <?xml version="1.0" encoding="US-ASCII"?>
|
| 2 |
|
| 3 | <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
|
| 4 | <!ENTITY rfc2119 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
|
| 5 | <!ENTITY rfc3279 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3279.xml">
|
| 6 | <!ENTITY rfc4055 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4055.xml">
|
| 7 | <!ENTITY rfc5280 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5280.xml">
|
| 8 | <!ENTITY rfc5480 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5480.xml">
|
| 9 | <!ENTITY rfc5639 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5639.xml">
|
| 10 | <!ENTITY rfc5755 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5755.xml">
|
| 11 | <!ENTITY rfc5758 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5758.xml">
|
| 12 | <!ENTITY rfc5915 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5915.xml">
|
| 13 | <!ENTITY rfc5958 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5958.xml">
|
| 14 | <!ENTITY rfc7468 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7468.xml">
|
| 15 | <!ENTITY rfc7748 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml">
|
| 16 | <!ENTITY rfc8174 SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
|
| 17 | <!ENTITY eddsa SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8032.xml">
|
| 18 | <!ENTITY iana SYSTEM "http://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.schaad-curdle-oid-registry.xml">
|
| 19 | ]>
|
| 20 |
|
| 21 | <?rfc strict="yes" ?>
|
| 22 | <?rfc compact="no"?>
|
| 23 | <?rfc toc="yes"?>
|
| 24 | <?rfc symrefs="yes"?>
|
| 25 |
|
| 26 | <rfc category="std"
|
| 27 | ipr="trust200902"
|
| 28 | docName="draft-ietf-curdle-pkix-10">
|
| 29 |
|
| 30 | <front>
|
| 31 |
|
| 32 | <title abbrev="Safe curves for X.509">
|
| 33 | <!-- Remove PH
|
| 34 | Algorithm Identifiers for Ed25519, Ed25519ph, Ed448, Ed448ph, X25519 and X448 for use in the Internet X.509 Public Key Infrastructure
|
| 35 | -->
|
| 36 | Algorithm Identifiers for Ed25519, Ed448, X25519 and X448 for use in the Internet X.509 Public Key Infrastructure
|
| 37 | </title>
|
| 38 |
|
| 39 | <author fullname="Simon Josefsson" initials="S." surname="Josefsson">
|
| 40 | <organization>SJD AB</organization>
|
| 41 | <address>
|
| 42 | <email>simon@josefsson.org</email>
|
| 43 | </address>
|
| 44 | </author>
|
| 45 |
|
| 46 | <author fullname="Jim Schaad" initials="J" surname="Schaad">
|
| 47 | <organization>August Cellars</organization>
|
| 48 | <address>
|
| 49 | <email>ietf@augustcellars.com</email>
|
| 50 | </address>
|
| 51 | </author>
|
| 52 |
|
| 53 | <date/>
|
| 54 |
|
| 55 | <keyword>Elliptic Curve Cryptography, Curve25519, Curve448,
|
| 56 | Goldilocks, X.509, PKIX, PKI, OID, ASN.1, EdDSA,
|
| 57 | Ed25519, Ed448, X25519, X448</keyword>
|
| 58 |
|
| 59 | <abstract>
|
| 60 |
|
| 61 | <t>This document specifies algorithm identifiers and ASN.1
|
| 62 | encoding formats for Elliptic Curve constructs using the curve25519 and curve448 curves.
|
| 63 | <!-- Remove ph
|
| 64 | The signature algorithms covered are Ed25519, Ed25519ph, Ed448 and Ed448ph.
|
| 65 | -->
|
| 66 | The signature algorithms covered are Ed25519 and Ed448.
|
| 67 | The key agreement algorithm covered are X25519 and X448.
|
| 68 | The encoding for Public Key, Private Key and EdDSA digital signature structures is provided.
|
| 69 | </t>
|
| 70 |
|
| 71 | </abstract>
|
| 72 |
|
| 73 | </front>
|
| 74 |
|
| 75 | <middle>
|
| 76 |
|
| 77 | <section title="Introduction">
|
| 78 |
|
| 79 | <t>
|
| 80 | In <xref target="RFC7748"/>, the elliptic curves curve25519
|
| 81 | and curve448 are described. They are designed with performance
|
| 82 | and security in mind. The curves may be used for Diffie-Hellman
|
| 83 | and Digital Signature operations.
|
| 84 | </t>
|
| 85 |
|
| 86 | <t>
|
| 87 | <xref target="RFC7748"/> describes the operations on these curves for the Diffie-Hellman operation.
|
| 88 | A convention has developed that when these two curves are used with the Diffie-Hellman operation, they are referred to as X25519 and X448.
|
| 89 | This RFC defines the ASN.1 Object Identifiers (OIDs) for the operations X25519 and X448 along with the associated parameters.
|
| 90 | The use of these OIDs is described for public and private keys.
|
| 91 | </t>
|
| 92 |
|
| 93 |
|
| 94 | <t>
|
| 95 | In <xref target="RFC8032"/> the elliptic curve signature system Edwards-curve Digital Signature Algorithm (EdDSA) is described along with a recommendation for the use of the curve25519 and curve448.
|
| 96 | EdDSA has defined two modes, the PureEdDSA mode without pre-hashing, and the HashEdDSA mode with pre-hashing.
|
| 97 | <!-- Remove pre-hash
|
| 98 | The Ed25519ph and Ed448ph algorithm definitions specify the one-way hash function that is used for pre-hashing.
|
| 99 | The convention used for identifying the algorithm/curve combinations are to use the Ed25519 and Ed448 for the PureEdDSA mode, with Ed25519ph and Ed448ph for the HashEdDSA mode.
|
| 100 | -->
|
| 101 | The convention used for identifying the algorithm/curve combinations is to use "Ed25519" and "Ed448" for the PureEdDSA mode.
|
| 102 | The document does not provide the conventions needed for the pre-hash versions of the signature algorithm.
|
| 103 | The use of the OIDs is described for public keys, private keys and signatures.
|
| 104 | </t>
|
| 105 |
|
| 106 | <t>
|
| 107 | <xref target="RFC8032"/> additionally defined the concept of a context.
|
| 108 | Contexts can be used to differentiate signatures generated for different purposes with the same key.
|
| 109 | The use of contexts is not defined in this document for the following reasons:
|
| 110 | <list style="symbols">
|
| 111 | <t>The current implementations of Ed25519 do not support the use of contexts, thus if specified it will potentially delay the use of these algorithms further.</t>
|
| 112 | <t>
|
| 113 | The EdDSA algorithms are the only IETF algorithms that currently support the use of contexts, however there is a possibility that there will be confusion between which algorithms need to have separate keys and which do not.
|
| 114 | This may result in a decrease of security for those other algorithms.
|
| 115 | </t>
|
| 116 | <t>
|
| 117 | There are still ongoing discussions among the cryptographic community about how effective the use of contexts is for preventing attacks.
|
| 118 | </t>
|
| 119 | <t>
|
| 120 | There needs to be discussions about the correct way to identify when context strings are to be used.
|
| 121 | It is not clear if different OIDs should be used for different contexts, or the OID should merely note that a context string needs to be provided.
|
| 122 | </t>
|
| 123 | </list>
|
| 124 | </t>
|
| 125 | </section>
|
| 126 |
|
| 127 | <section title="Requirements Terminology">
|
| 128 |
|
| 129 | <t>
|
| 130 | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
|
| 131 | NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
|
| 132 | "MAY", and "OPTIONAL" in this document are to be interpreted as
|
| 133 | described in BCP 14 <xref target="RFC2119" /> <xref target="RFC8174"/> when, and only when, they
|
| 134 | appear in all capitals, as shown here.
|
| 135 | </t>
|
| 136 |
|
| 137 | </section>
|
| 138 |
|
| 139 | <section title="Curve25519 and Curve448 Algorithm Identifiers">
|
| 140 |
|
| 141 | <t>Certificates conforming to <xref target="RFC5280"/> can
|
| 142 | convey a public key for any public key algorithm. The
|
| 143 | certificate indicates the algorithm through an algorithm
|
| 144 | identifier. This algorithm identifier is an OID and optionally
|
| 145 | associated parameters.
|
| 146 | </t>
|
| 147 |
|
| 148 | <t>The AlgorithmIdentifier type, which is included for
|
| 149 | convenience, is defined as follows:</t>
|
| 150 |
|
| 151 | <figure>
|
| 152 | <artwork><![CDATA[
|
| 153 | AlgorithmIdentifier ::= SEQUENCE {
|
| 154 | algorithm OBJECT IDENTIFIER,
|
| 155 | parameters ANY DEFINED BY algorithm OPTIONAL
|
| 156 | }
|
| 157 | ]]></artwork>
|
| 158 | </figure>
|
| 159 |
|
| 160 | <t>The fields in AlgorithmIdentifier have the following
|
| 161 | meanings:</t>
|
| 162 |
|
| 163 | <t><list style="symbols">
|
| 164 | <t>algorithm identifies the cryptographic algorithm with an
|
| 165 | object identifier. Four such OIDs are defined below.</t>
|
| 166 |
|
| 167 | <t>parameters, which are optional, are the associated
|
| 168 | parameters for the algorithm identifier in the algorithm
|
| 169 | field.
|
| 170 | </t>
|
| 171 | </list></t>
|
| 172 |
|
| 173 | <t>
|
| 174 | <!-- RFC Editor: I have been told that the following three sentences should be joined together, I tend to think
|
| 175 | that they are correct as separate items but it is something that a copy editor should look at -->
|
| 176 | In this document we define four new OIDs for identifying the different curve/algorithm pairs.
|
| 177 | The curves being curve25519 and curve448.
|
| 178 | The algorithms being ECDH and EdDSA in pure mode. <!-- and EdDSA in pre-hash mode. -->
|
| 179 | For all of the OIDs, the parameters MUST be absent.
|
| 180 | </t>
|
| 181 |
|
| 182 | <t>
|
| 183 | It is possible to find systems that require the parameters to be present.
|
| 184 | This can be either due to a defect in the original 1997 syntax or a programming error where developers never got input where this was not true.
|
| 185 | The optimal solution is to fix these systems, where this is not possible the problem needs to be restricted to that subsystem and not propigated to the internet.
|
| 186 | </t>
|
| 187 | <t>
|
| 188 | The same algorithm identifiers are used for identifying a public key, identifying a private key and identifying a signature (for the two EdDSA related OIDs).
|
| 189 | Additional encoding information is provided below for each of these locations.
|
| 190 | </t>
|
| 191 |
|
| 192 | <!-- Remove pre-hash algorithms
|
| 193 | id-Ed25519ph OBJECT IDENTIFIER ::= { 1 3 101 114 }
|
| 194 | id-Ed448ph OBJECT IDENTIFIER ::= { 1 3 101 115 }
|
| 195 | -->
|
| 196 |
|
| 197 | <figure>
|
| 198 | <artwork><![CDATA[
|
| 199 | id-X25519 OBJECT IDENTIFIER ::= { 1 3 101 110 }
|
| 200 | id-X448 OBJECT IDENTIFIER ::= { 1 3 101 111 }
|
| 201 | id-Ed25519 OBJECT IDENTIFIER ::= { 1 3 101 112 }
|
| 202 | id-Ed448 OBJECT IDENTIFIER ::= { 1 3 101 113 }
|
| 203 | ]]></artwork>
|
| 204 | </figure>
|
| 205 |
|
| 206 | <!--
|
| 207 | <t>The OID id-Curve25519 refers to Curve25519. The OID
|
| 208 | id-Curve448 refers to Curve448. Both curves are described in
|
| 209 | <xref target="RFC7748"/>. The OIDs id-Curve25519ph and
|
| 210 | id-Curve448ph refers to Curve25519 and Curve448 when used with
|
| 211 | pre-hashing as Ed25519ph and Ed448ph described in <xref
|
| 212 | target="RFC8032"/>.</t>
|
| 213 |
|
| 214 | <t>The public key value encoded into the ECPoint value is the
|
| 215 | raw binary values described in <xref target="RFC7748"/>.</t>
|
| 216 | -->
|
| 217 |
|
| 218 | </section>
|
| 219 |
|
| 220 | <section title="Subject Public Key Fields">
|
| 221 |
|
| 222 | <t>In the X.509 certificate, the subjectPublicKeyInfo field has
|
| 223 | the SubjectPublicKeyInfo type, which has the following ASN.1
|
| 224 | syntax:</t>
|
| 225 |
|
| 226 | <figure>
|
| 227 | <artwork><![CDATA[
|
| 228 | SubjectPublicKeyInfo ::= SEQUENCE {
|
| 229 | algorithm AlgorithmIdentifier,
|
| 230 | subjectPublicKey BIT STRING
|
| 231 | }
|
| 232 | ]]></artwork>
|
| 233 | </figure>
|
| 234 |
|
| 235 | <t>The fields in SubjectPublicKeyInfo have the following meanings:</t>
|
| 236 |
|
| 237 | <t><list style="symbols">
|
| 238 | <t>algorithm is the algorithm identifier and parameters for
|
| 239 | the public key (see above).</t>
|
| 240 |
|
| 241 | <t>subjectPublicKey contains the byte stream of the public key.
|
| 242 | The algorithms defined in this document always encode the public key as an exact multiple of 8-bits.
|
| 243 | </t>
|
| 244 | </list></t>
|
| 245 |
|
| 246 | <t>
|
| 247 | Both <xref target="RFC7748"/> and <xref target="RFC8032"/> define the public key value as being a byte string.
|
| 248 | It should be noted that the public key is computed differently for each of these documents, thus the same private key will not produce the same public key.
|
| 249 | </t>
|
| 250 |
|
| 251 | <t>The following is an example of a public key encoded using the textual encoding defined in <xref target="RFC7468"/>.</t>
|
| 252 |
|
| 253 | <figure>
|
| 254 | <artwork><![CDATA[
|
| 255 | -----BEGIN PUBLIC KEY-----
|
| 256 | MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
|
| 257 | -----END PUBLIC KEY-----
|
| 258 | ]]></artwork>
|
| 259 | </figure>
|
| 260 | </section>
|
| 261 |
|
| 262 | <!--
|
| 263 | <section title="EdDSA Public Keys">
|
| 264 |
|
| 265 | <t>Certificates conforming to <xref target="RFC5280"/> may
|
| 266 | convey a public key for any public key algorithm. The
|
| 267 | certificate indicates the algorithm through an algorithm
|
| 268 | identifier. This algorithm identifier is an OID and optionally
|
| 269 | associated parameters.</t>
|
| 270 |
|
| 271 | <t>This section identify the OID and parameters for the EdDSA
|
| 272 | algorithm. Conforming CAs MUST use the identified OIDs when
|
| 273 | issuing certificates containing EdDSA public keys. Conforming
|
| 274 | applications supporting EdDSA MUST, at a minimum, recognize the
|
| 275 | OID identified in this section.</t>
|
| 276 |
|
| 277 | <t>The id-EdDSAPublicKey OID is used for identifying EdDSA
|
| 278 | public keys.</t>
|
| 279 |
|
| 280 | <figure>
|
| 281 | <artwork><![CDATA[
|
| 282 | id-EdDSAPublicKey OBJECT IDENTIFIER ::= { 1 3 101 100 }
|
| 283 | ]]></artwork>
|
| 284 | </figure>
|
| 285 |
|
| 286 | <t>The id-EdDSAPublicKey OID is intended to be used in the
|
| 287 | algorithm field of a value of type AlgorithmIdentifier.</t>
|
| 288 |
|
| 289 | <t>EdDSA public keys use the parameter field to specify the
|
| 290 | particular instantiation of EdDSA parameters. The parameters
|
| 291 | field have the ASN.1 type EdDSAParameters as follows.</t>
|
| 292 |
|
| 293 | <figure>
|
| 294 | <artwork><![CDATA[
|
| 295 | EdDSAParameters ::= ENUMERATED { ed25519 (1),
|
| 296 | ed25519ph (2) }
|
| 297 | ed448 (3) }
|
| 298 | ed448ph (4) }
|
| 299 | ]]></artwork>
|
| 300 | </figure>
|
| 301 |
|
| 302 | <t>The EdDSAParameters enumeration may be extended in the
|
| 303 | future.</t>
|
| 304 |
|
| 305 | <t>The "ed25519" and "ed448" values correspond to the PureEdDSA
|
| 306 | variants, and the "ed25519ph" and "ed448ph" values correspond to
|
| 307 | the HashEdDSA variants, as discussed in <xref
|
| 308 | target="RFC8032"/>.</t>
|
| 309 |
|
| 310 | <t>The raw binary EdDSA public key is encoded directly in the
|
| 311 | subjectPublicKey BIT STRING object. Note that unlike some other
|
| 312 | schemes, there is no additional OCTET STRING encoding step.</t>
|
| 313 |
|
| 314 | </section>
|
| 315 | -->
|
| 316 |
|
| 317 | <section title="Key Usage Bits">
|
| 318 |
|
| 319 | <t>The intended application for the key is indicated in the
|
| 320 | keyUsage certificate extension.</t>
|
| 321 |
|
| 322 | <t>
|
| 323 | If the keyUsage extension is present in a certificate that indicates
|
| 324 | id-X25519 or id-X448 in SubjectPublicKeyInfo, then the following MUST
|
| 325 | be present:
|
| 326 | </t>
|
| 327 |
|
| 328 | <figure><artwork>
|
| 329 | keyAgreement;
|
| 330 | </artwork></figure>
|
| 331 |
|
| 332 | <t>
|
| 333 | one of the following MAY also be present:
|
| 334 | </t>
|
| 335 |
|
| 336 | <t>
|
| 337 | <figure><artwork>
|
| 338 | encipherOnly; or
|
| 339 | decipherOnly.
|
| 340 | </artwork>
|
| 341 | </figure>
|
| 342 | </t>
|
| 343 |
|
| 344 | <t>
|
| 345 | If the keyUsage extension is present in an end-entity
|
| 346 | <!-- Remove pre-hash
|
| 347 | certificate that indicates id-EdDSA25519, id-EdDSA25519ph, id-EdDSA448 or id-EdDSA448ph
|
| 348 | -->
|
| 349 | certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage extension
|
| 350 | MUST contain one or both of the following values:</t>
|
| 351 |
|
| 352 | <figure>
|
| 353 | <artwork><![CDATA[
|
| 354 | nonRepudiation; and
|
| 355 | digitalSignature.
|
| 356 | ]]></artwork>
|
| 357 | </figure>
|
| 358 |
|
| 359 | <t>If the keyUsage extension is present in a certification
|
| 360 | authority certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage extension
|
| 361 | MUST contain one or more of the following values:</t>
|
| 362 |
|
| 363 | <figure>
|
| 364 | <artwork><![CDATA[
|
| 365 | nonRepudiation;
|
| 366 | digitalSignature;
|
| 367 | keyCertSign; and
|
| 368 | cRLSign.
|
| 369 | ]]></artwork>
|
| 370 | </figure>
|
| 371 |
|
| 372 | <!-- Remove pre-hash
|
| 373 | <t>
|
| 374 | CAs MUST NOT use the pre-hash versions of the EdDSA algorithms for the creation of certificates or CRLs.
|
| 375 | This is implied by the fact that those algorithms are not listed in the previous paragraph.
|
| 376 | Additionally OCSP responders SHOULD NOT use the pre-hash versions of the EdDSA algorithms when generating OCSP responses.
|
| 377 | No restriction is placed on generation of OCSP requests.
|
| 378 | </t>
|
| 379 |
|
| 380 |
|
| 381 | <t>
|
| 382 | AAs MUST NOT use the pre-hash versions of the EdDSA algorithms for the creation of attribute certificates or attribute CRLs <xref target="RFC5755"/>.
|
| 383 | </t>
|
| 384 |
|
| 385 | <t>
|
| 386 | The decision to require the use of pure mode balances the higher security of having a single failure point against the possibility that constrained devices, such as Hardware Security Modules (HSMs), may be unable to check signatures on CRLs due to the amount of memory required to hold the entire CRL in memory at one time.
|
| 387 | This concern can be addressed by CAs using CRL distribution points, combined with segmenting the certificates issued so that the length of any segmented CRL is not "too long" even if a large percentage of the certificates are revoked.
|
| 388 | The definition of "too long" is going to be highly dependent on what constrained device is being used, it can be on the order of single or low double digit kilobytes.
|
| 389 | </t>
|
| 390 | -->
|
| 391 |
|
| 392 |
|
| 393 | </section>
|
| 394 |
|
| 395 | <section title="EdDSA Signatures">
|
| 396 |
|
| 397 | <t>
|
| 398 | Signatures can be placed in a number of different ASN.1 structures.
|
| 399 | The top level structure for a certificate is given below as being illustrative of how signatures are frequently encoded with an algorithm identifier and a location for the signature.
|
| 400 | </t>
|
| 401 |
|
| 402 |
|
| 403 | <figure>
|
| 404 | <artwork><![CDATA[
|
| 405 | Certificate ::= SEQUENCE {
|
| 406 | tbsCertificate TBSCertificate,
|
| 407 | signatureAlgorithm AlgorithmIdentifier,
|
| 408 | signatureValue BIT STRING }
|
| 409 | ]]></artwork>
|
| 410 | </figure>
|
| 411 |
|
| 412 | <t>
|
| 413 | The same algorithm identifiers are used for signatures as are used for public keys.
|
| 414 | When used to identify signature algorithms, the parameters MUST be absent.
|
| 415 | </t>
|
| 416 |
|
| 417 | <t>The data to be signed is prepared for EdDSA. Then, a private
|
| 418 | key operation is performed to generate the signature value.
|
| 419 | This value is the opaque value ENC(R) || ENC(S) described in
|
| 420 | section 3.3 of <xref target="RFC8032"/>.
|
| 421 |
|
| 422 | The octet string representing the signature is encoded directly in the BIT STRING without adding any additional ASN.1 wrapping.
|
| 423 | For the Certificate structure, the signature value is wrapped in the "signatureValue" BIT STRING field.
|
| 424 | </t>
|
| 425 |
|
| 426 | <!-- Remove Prehash
|
| 427 | <t>
|
| 428 | When the pre-hash versions of the EdDSA signature algorithms are used, the hash function used for the pre-hash is defined by the algorithm.
|
| 429 | This means that the pre-hash function is implicitly included in the algorithm identifier rather than being explicit as done in <xref target="RFC3279"/>.
|
| 430 | </t>
|
| 431 | -->
|
| 432 |
|
| 433 |
|
| 434 | </section>
|
| 435 |
|
| 436 | <section title="Private Key Format">
|
| 437 |
|
| 438 | <t>
|
| 439 | <xref target="RFC5958">Asymmetric Key Packages</xref> describes how to encode a private key in a structure that both identifies what algorithm the private key is for, but allows for the public key and additional attributes about the key to be included as well.
|
| 440 | For illustration, the ASN.1 structure OneAsymmetricKey is replicated below.
|
| 441 | The algorithm specific details of how a private key is encoded is left for the document describing the algorithm itself.
|
| 442 | </t>
|
| 443 |
|
| 444 | <figure>
|
| 445 | <artwork><![CDATA[
|
| 446 | OneAsymmetricKey ::= SEQUENCE {
|
| 447 | version Version,
|
| 448 | privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
|
| 449 | privateKey PrivateKey,
|
| 450 | attributes [0] IMPLICIT Attributes OPTIONAL,
|
| 451 | ...,
|
| 452 | [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]],
|
| 453 | ...
|
| 454 | }
|
| 455 |
|
| 456 | PrivateKey ::= OCTET STRING
|
| 457 |
|
| 458 | PublicKey ::= BIT STRING
|
| 459 | ]]></artwork>
|
| 460 | </figure>
|
| 461 |
|
| 462 | <t>
|
| 463 | For the keys defined in this document, the private key is always an opaque byte sequence.
|
| 464 | The ASN.1 type CurvePrivateKey is defined in this document to hold the byte sequence.
|
| 465 | Thus when encoding a OneAsymmetricKey object, the private key is wrapped in an CurvePrivateKey object and wrapped by the OCTET STRING of the "privateKey" field.
|
| 466 | </t>
|
| 467 |
|
| 468 | <figure>
|
| 469 | <artwork><![CDATA[
|
| 470 | CurvePrivateKey ::= OCTET STRING
|
| 471 | ]]></artwork>
|
| 472 | </figure>
|
| 473 |
|
| 474 | <t>
|
| 475 | To encode a EdDSA, X25519 or X448 private key, the
|
| 476 | "privateKey" field will hold the encoded private key.
|
| 477 | The "privateKeyAlgorithm" field uses the AlgorithmIdentifier structure.
|
| 478 | The structure is encoded as defined above.
|
| 479 | If present, the "publicKey" field will hold the encoded key as defined in <xref target="RFC7748"/> and <xref target="RFC8032"/>.
|
| 480 | </t>
|
| 481 |
|
| 482 | <t>The following is an example of a private key encoded using the textual encoding defined in <xref target="RFC7468"/>.</t>
|
| 483 |
|
| 484 | <figure>
|
| 485 | <artwork><![CDATA[
|
| 486 | -----BEGIN PRIVATE KEY-----
|
| 487 | MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
|
| 488 | -----END PRIVATE KEY-----
|
| 489 | ]]></artwork>
|
| 490 | </figure>
|
| 491 |
|
| 492 | <t>
|
| 493 | The following example, in addition to encoding the private key, additionally has an attribute included as well as the public key.
|
| 494 | As with the prior example, the textual encoding defined in <xref target="RFC7468"/> is used.
|
| 495 | </t>
|
| 496 | <figure>
|
| 497 | <artwork><![CDATA[
|
| 498 | -----BEGIN PRIVATE KEY-----
|
| 499 | MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
|
| 500 | oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB
|
| 501 | Z9w7lshQhqowtrbLDFw4rXAxZuE=
|
| 502 | -----END PRIVATE KEY------]]></artwork>
|
| 503 | </figure>
|
| 504 |
|
| 505 | <t>
|
| 506 | NOTE: There exist some private key import functions that have not picked up the new ASN.1 structure OneAsymmetricKey that is defined in <xref target="RFC7748"/>.
|
| 507 | This means that they will not accept a private key structure which contains the public key field.
|
| 508 | This means a balancing act needs to be done between being able to do a consistency check on the key pair and widest ability to import the key.
|
| 509 | </t>
|
| 510 | </section>
|
| 511 |
|
| 512 | <section title="Human Readable Algorithm Names">
|
| 513 |
|
| 514 | <t>For the purpose of consistent cross-implementation naming,
|
| 515 | this section establishes human readable names for the algorithms
|
| 516 | specified in this document. Implementations SHOULD use these
|
| 517 | names when referring to the algorithms. If there is a strong
|
| 518 | reason to deviate from these names -- for example, if the
|
| 519 | implementation has a different naming convention and wants to
|
| 520 | maintain internal consistency -- it is encouraged to deviate as
|
| 521 | little as possible from the names given here.</t>
|
| 522 |
|
| 523 | <t>Use the string "ECDH" when referring to a public key of type "X25519" or "X448" when the curve is not known or relevant.</t>
|
| 524 |
|
| 525 | <t>When the curve is known, use the more specific string of "X25519" or "X448".</t>
|
| 526 |
|
| 527 |
|
| 528 | <t>Use the string "EdDSA" when referring to a signing public key or
|
| 529 | signature when the curve is not known or relevant.</t>
|
| 530 |
|
| 531 | <t>When the curve is known, use a more specific
|
| 532 | string.
|
| 533 | For the id-Ed25519 value use the string "Ed25519".
|
| 534 | <!-- Remove pre-hash
|
| 535 | For
|
| 536 | the id-EdDSA25519ph value use the string "Ed25519ph". --> For id-Ed448
|
| 537 | use "Ed448". <!-- Remvoe prehash For id-EdDSA448ph use "Ed448ph".--></t>
|
| 538 |
|
| 539 | </section>
|
| 540 |
|
| 541 | <section title="ASN.1 Module" anchor="module">
|
| 542 |
|
| 543 | <t>For reference purposes, the ASN.1 syntax is presented as an
|
| 544 | ASN.1 module here.</t>
|
| 545 |
|
| 546 | <figure>
|
| 547 | <artwork><![CDATA[
|
| 548 | -- ASN.1 Module
|
| 549 |
|
| 550 | Safecurves-pkix-0 -- TBD - IANA assigned module OID
|
| 551 |
|
| 552 | DEFINITIONS EXPLICIT TAGS ::=
|
| 553 | BEGIN
|
| 554 |
|
| 555 | IMPORTS
|
| 556 | SIGNATURE-ALGORITHM, KEY-AGREE, PUBLIC-KEY, KEY-WRAP,
|
| 557 | KeyUsage, AlgorithmIdentifier
|
| 558 | FROM AlgorithmInformation-2009
|
| 559 | {iso(1) identified-organization(3) dod(6) internet(1) security(5)
|
| 560 | mechanisms(5) pkix(7) id-mod(0)
|
| 561 | id-mod-algorithmInformation-02(58)}
|
| 562 |
|
| 563 | mda-sha512
|
| 564 | FROM PKIX1-PSS-OAEP-Algorithms-2009
|
| 565 | { iso(1) identified-organization(3) dod(6) internet(1)
|
| 566 | security(5) mechanisms(5) pkix(7) id-mod(0)
|
| 567 | id-mod-pkix1-rsa-pkalgs-02(54) }
|
| 568 |
|
| 569 | kwa-aes128-wrap, kwa-aes256-wrap
|
| 570 | FROM CMSAesRsaesOaep-2009
|
| 571 | { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
|
| 572 | smime(16) modules(0) id-mod-cms-aes-02(38) }
|
| 573 | ;
|
| 574 |
|
| 575 |
|
| 576 | id-edwards-curve-algs OBJECT IDENTIFIER ::= { 1 3 101 }
|
| 577 |
|
| 578 | id-X25519 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 110 }
|
| 579 | id-X448 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 111 }
|
| 580 | id-Ed25519 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 112 }
|
| 581 | id-Ed448 OBJECT IDENTIFIER ::= { id-edwards-curve-algs 113 }
|
| 582 |
|
| 583 |
|
| 584 | sa-Ed25519 SIGNATURE-ALGORITHM ::= {
|
| 585 | IDENTIFIER id-Ed25519
|
| 586 | PARAMS ARE absent
|
| 587 | PUBLIC-KEYS {pk-Ed25519}
|
| 588 | SMIME-CAPS { IDENTIFIED BY id-Ed25519 }
|
| 589 | }
|
| 590 |
|
| 591 | pk-Ed25519 PUBLIC-KEY ::= {
|
| 592 | IDENTIFIER id-Ed25519
|
| 593 | -- KEY no ASN.1 wrapping --
|
| 594 | PARAMS ARE absent
|
| 595 | CERT-KEY-USAGE {digitalSignature, nonRepudiation,
|
| 596 | keyCertSign, cRLSign}
|
| 597 | PRIVATE-KEY CurvePrivateKey
|
| 598 | }
|
| 599 |
|
| 600 | kaa-X25519 KEY-AGREE ::= {
|
| 601 | IDENTIFIER id-X25519
|
| 602 | PARAMS ARE absent
|
| 603 | PUBLIC-KEYS {pk-X25519}
|
| 604 | UKM -- TYPE no ASN.1 wrapping -- ARE preferredPresent
|
| 605 | SMIME-CAPS {
|
| 606 | TYPE AlgorithmIdentifier{KEY-WRAP, {KeyWrapAlgorithms}}
|
| 607 | IDENTIFIED BY id-X25519 }
|
| 608 | }
|
| 609 |
|
| 610 | pk-X25519 PUBLIC-KEY ::= {
|
| 611 | IDENTIFIER id-X25519
|
| 612 | -- KEY no ASN.1 wrapping --
|
| 613 | PARAMS ARE absent
|
| 614 | CERT-KEY-USAGE { keyAgreement }
|
| 615 | PRIVATE-KEY CurvePrivateKey
|
| 616 | }
|
| 617 |
|
| 618 | KeyWrapAlgorithms KEY-WRAP ::= {
|
| 619 | kwa-aes128-wrap | kwa-aes256-wrap,
|
| 620 | ...
|
| 621 | }
|
| 622 |
|
| 623 | kaa-X448 KEY-AGREE ::= {
|
| 624 | IDENTIFIER id-X448
|
| 625 | PARAMS ARE absent
|
| 626 | PUBLIC-KEYS {pk-X448}
|
| 627 | UKM -- TYPE no ASN.1 wrapping -- ARE preferredPresent
|
| 628 | SMIME-CAPS {
|
| 629 | TYPE AlgorithmIdentifier{KEY-WRAP, {KeyWrapAlgorithms}}
|
| 630 | IDENTIFIED BY id-X448 }
|
| 631 | }
|
| 632 |
|
| 633 | pk-X448 PUBLIC-KEY ::= {
|
| 634 | IDENTIFIER id-X448
|
| 635 | -- KEY no ASN.1 wrapping --
|
| 636 | PARAMS ARE absent
|
| 637 | CERT-KEY-USAGE { keyAgreement }
|
| 638 | PRIVATE-KEY CurvePrivateKey
|
| 639 | }
|
| 640 |
|
| 641 | CurvePrivateKey ::= OCTET STRING
|
| 642 |
|
| 643 |
|
| 644 | END
|
| 645 | ]]></artwork>
|
| 646 | </figure>
|
| 647 |
|
| 648 | </section>
|
| 649 |
|
| 650 | <section title="Examples">
|
| 651 |
|
| 652 | <t>This section contains illustrations of EdDSA public keys and
|
| 653 | certificates, illustrating parameter choices.</t>
|
| 654 |
|
| 655 |
|
| 656 | <section title="Example Ed25519 Public Key">
|
| 657 |
|
| 658 | <t>An example of a Ed25519 public key:</t>
|
| 659 |
|
| 660 | <figure>
|
| 661 | <artwork><![CDATA[
|
| 662 | Public Key Information:
|
| 663 | Public Key Algorithm: Ed25519
|
| 664 | Algorithm Security Level: High
|
| 665 |
|
| 666 | Public Key Usage:
|
| 667 |
|
| 668 | Public Key ID: 9b1f5eeded043385e4f7bc623c5975b90bc8bb3b
|
| 669 |
|
| 670 | -----BEGIN PUBLIC KEY-----
|
| 671 | MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
|
| 672 | -----END PUBLIC KEY-----
|
| 673 | ]]></artwork>
|
| 674 | </figure>
|
| 675 |
|
| 676 | </section>
|
| 677 |
|
| 678 | <section title="Example X25519 Certificate">
|
| 679 |
|
| 680 | <t>An example of a self issued PKIX certificate using Ed25519 to sign a X25519 public key would be:</t>
|
| 681 |
|
| 682 | <figure>
|
| 683 | <artwork><![CDATA[
|
| 684 | 0 300: SEQUENCE {
|
| 685 | 4 223: SEQUENCE {
|
| 686 | 7 3: [0] {
|
| 687 | 9 1: INTEGER 2
|
| 688 | : }
|
| 689 | 12 8: INTEGER 56 01 47 4A 2A 8D C3 30
|
| 690 | 22 5: SEQUENCE {
|
| 691 | 24 3: OBJECT IDENTIFIER
|
| 692 | : Ed 25519 signature algorithm { 1 3 101 112 }
|
| 693 | : }
|
| 694 | 29 25: SEQUENCE {
|
| 695 | 31 23: SET {
|
| 696 | 33 21: SEQUENCE {
|
| 697 | 35 3: OBJECT IDENTIFIER commonName (2 5 4 3)
|
| 698 | 40 14: UTF8String 'IETF Test Demo'
|
| 699 | : }
|
| 700 | : }
|
| 701 | : }
|
| 702 | 56 30: SEQUENCE {
|
| 703 | 58 13: UTCTime 01/08/2016 12:19:24 GMT
|
| 704 | 73 13: UTCTime 31/12/2040 23:59:59 GMT
|
| 705 | : }
|
| 706 | 88 25: SEQUENCE {
|
| 707 | 90 23: SET {
|
| 708 | 92 21: SEQUENCE {
|
| 709 | 94 3: OBJECT IDENTIFIER commonName (2 5 4 3)
|
| 710 | 99 14: UTF8String 'IETF Test Demo'
|
| 711 | : }
|
| 712 | : }
|
| 713 | : }
|
| 714 | 115 42: SEQUENCE {
|
| 715 | 117 5: SEQUENCE {
|
| 716 | 119 3: OBJECT IDENTIFIER
|
| 717 | : ECDH 25519 key agreement { 1 3 101 110 }
|
| 718 | : }
|
| 719 | 124 33: BIT STRING
|
| 720 | : 85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
|
| 721 | : 0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
|
| 722 | : }
|
| 723 | 159 69: [3] {
|
| 724 | 161 67: SEQUENCE {
|
| 725 | 163 15: SEQUENCE {
|
| 726 | 165 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
|
| 727 | 170 1: BOOLEAN TRUE
|
| 728 | 173 5: OCTET STRING, encapsulates {
|
| 729 | 175 3: SEQUENCE {
|
| 730 | 177 1: BOOLEAN FALSE
|
| 731 | : }
|
| 732 | : }
|
| 733 | : }
|
| 734 | 180 14: SEQUENCE {
|
| 735 | 182 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
|
| 736 | 187 1: BOOLEAN FALSE
|
| 737 | 190 4: OCTET STRING, encapsulates {
|
| 738 | 192 2: BIT STRING 3 unused bits
|
| 739 | : '10000'B (bit 4)
|
| 740 | : }
|
| 741 | : }
|
| 742 | 196 32: SEQUENCE {
|
| 743 | 198 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
|
| 744 | 203 1: BOOLEAN FALSE
|
| 745 | 206 22: OCTET STRING, encapsulates {
|
| 746 | 208 20: OCTET STRING
|
| 747 | : 9B 1F 5E ED ED 04 33 85 E4 F7 BC 62 3C 59 75
|
| 748 | : B9 0B C8 BB 3B
|
| 749 | : }
|
| 750 | : }
|
| 751 | : }
|
| 752 | : }
|
| 753 | : }
|
| 754 | 230 5: SEQUENCE {
|
| 755 | 232 3: OBJECT IDENTIFIER
|
| 756 | : Ed 25519 signature algorithm { 1 3 101 112 }
|
| 757 | : }
|
| 758 | 237 65: BIT STRING
|
| 759 | : AF 23 01 FE DD C9 E6 FF C1 CC A7 3D 74 D6 48 A4
|
| 760 | : 39 80 82 CD DB 69 B1 4E 4D 06 EC F8 1A 25 CE 50
|
| 761 | : D4 C2 C3 EB 74 6C 4E DD 83 46 85 6E C8 6F 3D CE
|
| 762 | : 1A 18 65 C5 7A C2 7B 50 A0 C3 50 07 F5 E7 D9 07
|
| 763 | : }
|
| 764 |
|
| 765 | -----BEGIN CERTIFICATE-----
|
| 766 | MIIBLDCB36ADAgECAghWAUdKKo3DMDAFBgMrZXAwGTEXMBUGA1UEAwwOSUVURiBUZX
|
| 767 | N0IERlbW8wHhcNMTYwODAxMTIxOTI0WhcNNDAxMjMxMjM1OTU5WjAZMRcwFQYDVQQD
|
| 768 | DA5JRVRGIFRlc3QgRGVtbzAqMAUGAytlbgMhAIUg8AmJMKdUdIt93LQ+91oNvzoNJj
|
| 769 | ga9OukqY6qm05qo0UwQzAPBgNVHRMBAf8EBTADAQEAMA4GA1UdDwEBAAQEAwIDCDAg
|
| 770 | BgNVHQ4BAQAEFgQUmx9e7e0EM4Xk97xiPFl1uQvIuzswBQYDK2VwA0EAryMB/t3J5v
|
| 771 | /BzKc9dNZIpDmAgs3babFOTQbs+BolzlDUwsPrdGxO3YNGhW7Ibz3OGhhlxXrCe1Cg
|
| 772 | w1AH9efZBw==
|
| 773 | -----END CERTIFICATE-----
|
| 774 | ]]></artwork>
|
| 775 | </figure>
|
| 776 |
|
| 777 | </section>
|
| 778 |
|
| 779 | <section title="Examples of Ed25519 Private Key">
|
| 780 | <t>
|
| 781 | An example of an Ed25519 private key without the public key:
|
| 782 | </t>
|
| 783 |
|
| 784 | <figure>
|
| 785 | <artwork><![CDATA[
|
| 786 | -----BEGIN PRIVATE KEY-----
|
| 787 | MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
|
| 788 | -----END PRIVATE KEY-----
|
| 789 | ]]></artwork>
|
| 790 | </figure>
|
| 791 |
|
| 792 | <t>The same item dumped as ASN.1 yields:
|
| 793 | </t>
|
| 794 |
|
| 795 | <figure><artwork>
|
| 796 | 0 30 46: SEQUENCE {
|
| 797 | 2 02 1: INTEGER 0
|
| 798 | 5 30 5: SEQUENCE {
|
| 799 | 7 06 3: OBJECT IDENTIFIER
|
| 800 | : Ed 25519 signature algorithm { 1 3 101 112 }
|
| 801 | : }
|
| 802 | 12 04 34: OCTET STRING
|
| 803 | : 04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69
|
| 804 | : F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75
|
| 805 | : 58 42
|
| 806 | : }
|
| 807 | </artwork>
|
| 808 | </figure>
|
| 809 |
|
| 810 | <t>
|
| 811 | Note that the value of the private key is:
|
| 812 | </t>
|
| 813 |
|
| 814 | <figure><artwork>
|
| 815 | D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 F8 AD
|
| 816 | 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 58 42
|
| 817 | </artwork></figure>
|
| 818 |
|
| 819 |
|
| 820 | <t>
|
| 821 | An example of the same Ed25519 private key encoded with an attribute and the public key:
|
| 822 | </t>
|
| 823 |
|
| 824 | <figure>
|
| 825 | <artwork><![CDATA[
|
| 826 | -----BEGIN PRIVATE KEY-----
|
| 827 | MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
|
| 828 | oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB
|
| 829 | Z9w7lshQhqowtrbLDFw4rXAxZuE=
|
| 830 | -----END PRIVATE KEY-----
|
| 831 | ]]></artwork>
|
| 832 | </figure>
|
| 833 |
|
| 834 | <t>The same item dumped as ASN.1 yields:
|
| 835 | </t>
|
| 836 |
|
| 837 | <figure><artwork>
|
| 838 | 0 114: SEQUENCE {
|
| 839 | 2 1: INTEGER 1
|
| 840 | 5 5: SEQUENCE {
|
| 841 | 7 3: OBJECT IDENTIFIER '1 3 101 112'
|
| 842 | : }
|
| 843 | 12 34: OCTET STRING, encapsulates {
|
| 844 | : 04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69
|
| 845 | : F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75
|
| 846 | : 58 42
|
| 847 | : }
|
| 848 | 48 31: [0] {
|
| 849 | 50 29: SEQUENCE {
|
| 850 | 52 10: OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20'
|
| 851 | 64 15: SET {
|
| 852 | 66 13: UTF8String 'Curdle Chairs'
|
| 853 | : }
|
| 854 | : }
|
| 855 | : }
|
| 856 | 81 33: [1] 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B
|
| 857 | 96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66
|
| 858 | E1
|
| 859 | : }
|
| 860 | </artwork>
|
| 861 | </figure>
|
| 862 |
|
| 863 | </section>
|
| 864 | </section>
|
| 865 |
|
| 866 | <section anchor="ack"
|
| 867 | title="Acknowledgments">
|
| 868 |
|
| 869 | <t>Text and/or inspiration were drawn from <xref
|
| 870 | target="RFC5280"/>, <xref target="RFC3279"/>, <xref
|
| 871 | target="RFC4055"/>, <xref target="RFC5480"/>, and <xref
|
| 872 | target="RFC5639"/>.</t>
|
| 873 |
|
| 874 | <t>The following people discussed the document and provided
|
| 875 | feedback: Klaus Hartke, Ilari Liusvaara, Erwann Abalea, Rick
|
| 876 | Andrews, Rob Stradling, James Manger, Nikos Mavrogiannopoulos,
|
| 877 | Russ Housley, David Benjamin, Brian Smith, and Alex Wilson.</t>
|
| 878 |
|
| 879 | <t>A big thank you to Symantec for kindly donating the OIDs used
|
| 880 | in this draft.</t>
|
| 881 |
|
| 882 | </section>
|
| 883 |
|
| 884 | <section title="IANA Considerations">
|
| 885 |
|
| 886 | <t>
|
| 887 | IANA is requested to assign a module OID from the "SMI for PKIX Module Identifier" registry for the ASN.1 module in <xref target="module"/>.
|
| 888 | </t>
|
| 889 |
|
| 890 | <t>
|
| 891 | The OIDs are being independently registered in the IANA registry "SMI Security for Cryptographic Algorithms" in <xref target="I-D.schaad-curdle-oid-registry"/>.
|
| 892 | </t>
|
| 893 |
|
| 894 | </section>
|
| 895 |
|
| 896 | <section anchor="Security" title="Security Considerations">
|
| 897 |
|
| 898 | <t>
|
| 899 | The security considerations of <xref target='RFC5280' />, <xref target="RFC7748"/>, and <xref target="RFC8032"/> apply accordingly.
|
| 900 | </t>
|
| 901 |
|
| 902 | <t>
|
| 903 | The procedures for going from a private key to a public key are different for when used with Diffie-Hellman and when used with Edwards Signatures.
|
| 904 | This means that the same public key cannot be used for both ECDH and EdDSA.
|
| 905 | </t>
|
| 906 |
|
| 907 | <!--
|
| 908 | <t>
|
| 909 | In the original design of Ed25519 signatures, there was a known attack between the pure and the pre-hash version of the signatures.
|
| 910 | This has since been corrected in the final version of the design.
|
| 911 | The initial problem meant that there was a known attack, and therefore a known reason to forbid the use of Ed25519 keys with the Ed25519ph signature scheme and visa versa.
|
| 912 | With the change in the design this attack has been prevented.
|
| 913 | This does not mean that the same Ed25519 key should be used with both schemes, there still may be attacks where collisions can be found.
|
| 914 | For this reason, the same keys are not to be used for the pure and pre-hash versions of the scheme.
|
| 915 | This applies to both curve 25519 and curve 448.
|
| 916 | </t>
|
| 917 | -->
|
| 918 |
|
| 919 | </section>
|
| 920 |
|
| 921 | </middle>
|
| 922 |
|
| 923 | <back>
|
| 924 |
|
| 925 | <references title="Normative References">
|
| 926 |
|
| 927 | &rfc2119;
|
| 928 | &rfc5280;
|
| 929 | &rfc5480;
|
| 930 | &rfc7748;
|
| 931 | &eddsa;
|
| 932 | &rfc5958;
|
| 933 | &rfc8174;
|
| 934 |
|
| 935 | </references>
|
| 936 |
|
| 937 | <references title="Informative References">
|
| 938 |
|
| 939 | &rfc3279;
|
| 940 | &rfc4055;
|
| 941 | &rfc5639;
|
| 942 | <!-- Remove for pre-hash
|
| 943 | &rfc5755;
|
| 944 | -->
|
| 945 | <!-- &rfc5758; -->
|
| 946 | <!-- &rfc5915; -->
|
| 947 | &rfc7468;
|
| 948 | &iana;
|
| 949 |
|
| 950 | </references>
|
| 951 |
|
| 952 | <section title="Invalid Encodings">
|
| 953 | <t>
|
| 954 | There are a number of things that need to be dealt with when a new key part is decoded and imported into the system.
|
| 955 | A partial list of these includes:
|
| 956 | <list style="symbols">
|
| 957 | <t>
|
| 958 | ASN.1 encoding errors:
|
| 959 | Two items are highlighted here.
|
| 960 | First, the use of an OCTET STRING rather than a BIT STRING for the public key.
|
| 961 | This was an incorrect copy of the structure from <xref target="RFC5958"/> which was corrected before publication.
|
| 962 | However, any early implementation may have this wrong.
|
| 963 | Second, the value of the version field is required to be 0 if the publicKey is absent and 1 if present.
|
| 964 | This is called out in <xref target="RFC5958"/> but is not duplicated in the main text.
|
| 965 | </t>
|
| 966 | <t>
|
| 967 | Key encoding errors:
|
| 968 | Both <xref target="RFC7748"/> and <xref target="RFC8032"/> have formatting requirements for keys that need to be enforced.
|
| 969 | In some cases the enforcement is done at the time of importing, for example doing masking or a mod p operation.
|
| 970 | In other cases the enforcement is done by rejecting the keys and having an import failure.
|
| 971 | </t>
|
| 972 | <t>
|
| 973 | Key mismatch errors: If a public key is provided, it may not agree with the private key either because it is wrong or the wrong algorithm was used.
|
| 974 | </t>
|
| 975 | </list>
|
| 976 | </t>
|
| 977 |
|
| 978 | <t>
|
| 979 | Some systems are also going to be stricter on what they accept.
|
| 980 | As stated in <xref target="RFC5958"/>, BER decoding of OneAsymmetricKey objects is a requirement for compliance.
|
| 981 | Despite this requirement, some acceptors will only decode DER formats.
|
| 982 | The following is a BER encoding of a private key, as such is is valid, but it may not be accepted by many systems.
|
| 983 | </t>
|
| 984 |
|
| 985 | <figure><artwork>
|
| 986 | -----BEGIN PRIVATE KEY-----
|
| 987 | MIACAQAwgAYDK2VwAAAEIgQg1O5y2/kTWErVttjx92n4rTr+fCjL8dT74Jeoj0R1W
|
| 988 | EIAAA==
|
| 989 | -----END PRIVATE KEY-----
|
| 990 | </artwork></figure>
|
| 991 |
|
| 992 |
|
| 993 |
|
| 994 | <t>
|
| 995 | What follows here is a brief sampling of some incorrect keys.
|
| 996 | </t>
|
| 997 |
|
| 998 | <t>
|
| 999 | In the following example, the private key does not match the masking requirements for X25519.
|
| 1000 | For this example the top bits are set to zero and the bottom three bits are set to 001.
|
| 1001 | </t>
|
| 1002 |
|
| 1003 | <figure><artwork>
|
| 1004 | -----BEGIN PRIVATE KEY-----
|
| 1005 | MFMCAQEwBQYDK2VuBCIEIPj///////////////////////////////////////8/oS
|
| 1006 | MDIQCEfA0sN1I082XmYJVRh6NzWg92E9FgnTpqTYxTrqpaIg==
|
| 1007 | -----END PRIVATE KEY-----
|
| 1008 | </artwork></figure>
|
| 1009 |
|
| 1010 | <t>
|
| 1011 | In the following examples, the key is the wrong length because an all zero byte has been removed.
|
| 1012 | In one case the first byte has been removed, in the other case the last byte has been removed.
|
| 1013 | </t>
|
| 1014 |
|
| 1015 | <figure><artwork>
|
| 1016 | -----BEGIN PRIVATE KEY-----
|
| 1017 | MFICAQEwBQYDK2VwBCIEIC3GfeUYbZGTAhwLEE2cbvJL7ivTlcy17VottfN6L8HwoS
|
| 1018 | IDIADBfk2Lv/J8H7YYwj/OmIcDx++jzVkKrKwS0/HjyQyM
|
| 1019 | -----END PRIVATE KEY-----
|
| 1020 | </artwork></figure>
|
| 1021 |
|
| 1022 | <figure><artwork>
|
| 1023 | -----BEGIN PRIVATE KEY-----
|
| 1024 | MFICAQEwBQYDK2VwBCIEILJXn1VaLqvausjUaZexwI/ozmOFjfEk78KcYN+7hsNJoS
|
| 1025 | IDIACdQhJwzi/MCGcsQeQnIUh2JFybDxSrZxuLudJmpJLk
|
| 1026 | -----END PRIVATE KEY-----
|
| 1027 | </artwork></figure>
|
| 1028 |
|
| 1029 |
|
| 1030 | </section>
|
| 1031 | </back>
|
| 1032 | </rfc>
|