Network Working Group | R. Tse |
Internet-Draft | Ribose |
Updates: 4880, 6637 (if approved) | W. Wong |
Intended status: Standards Track | Hang Seng Management College |
Expires: March 2, 2018 | August 29, 2017 |
OSCCA Extensions For OpenPGP
draft-openpgp-oscca-00
This document enables OpenPGP (RFC4880) usage in an compliant manner with OSCCA regulations for use within China.
Specifically, it extends OpenPGP to support the usage of SM2, SM3 and SM4 algorithms.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 2, 2018.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
SM2 [SM2] [I-D.shen-sm2-ecdsa], SM3 [SM3] [I-D.shen-sm3-hash] and SM4 [SM4] are cryptographic standards issued by the Organization of State Commercial Administration of China [OSCCA] as authorized cryptographic algorithms for the use within China. These algorithms are published in public.
Adoption of this document enables exchange of OpenPGP-secured email [RFC4880] in a OSCCA-compliant manner through usage of the authorized combination of SM2, SM3 and SM4.
SM2 [SM2] [I-D.shen-sm2-ecdsa] is a set of public key cryptographic algorithms based on elliptic curves that include:
SM3 [SM3] [I-D.shen-sm3-hash] is a hash algorithm designed for electronic authentication purposes.
SM4 [SM4] is a symmetric encryption algorithm designed for data encryption.
This document extends OpenPGP [RFC4880] and its ECC extension [RFC6637] to support SM2, SM3 and SM4:
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
Compliant applications are a subset of the broader set of OpenPGP applications described in [RFC4880]. Any [RFC2119] keyword within this document applies to compliant applications only.
SM2 is an elliptic curve based cryptosystem (ECC) [SM2] designed by Xiaoyun Wang et al and published by [OSCCA] [I-D.shen-sm2-ecdsa].
The SM2 cryptosystem is composed of three distinct algorithms:
This document will refer to all three algorithms for the usage of OpenPGP [RFC4880].
The SM2 Digital Signature Algorithm is intended for digital signature and verifications in commercial cryptographic applications, including, but not limited to:
The process of digital signature signing and verifying along with their examples are found in [SM2-2], and also described in [I-D.shen-sm2-ecdsa].
In OpenPGP, SM2DSA is an alternative to the ECDSA algorithm specified in [RFC6637].
The SM2DSA algorithm has been cryptanalyzed to a certain extent, with the current strongest attack being nonce [SM2-DSA-Nonces] [SM2-DSA-Nonces2] and lattice attacks [SM2-DSA-Lattice].
The SM2 Key Exchange Protocol is used for cryptographic key exchange, allowing the negoatiation and exchange of a session key within two to three message transfers.
The process of key exchange and verification along with their examples are found in [SM2-3], and also described in [I-D.shen-sm2-ecdsa].
SM2KEP is not used with OpenPGP as it is a two- to three- pass key exchange mechanism, while in OpenPGP public keys of recipients are available initially.
The SM2KEP is now considered insecure due to [SM2-KEP-Comments], similar in status to the Unified Model and MQV schemes described in [NIST.SP.800-56Ar2].
The SM2 Public Key Encryption algorithm is an elliptic curve (ECC) based asymmetric encryption algorithm. It is used for cryptographic encryption and decryption, allowing the message sender to utilize the public key of the message receiver to encrypt the message, with the recipient decrypting the messaging using his private key.
The full description of SM2PKE is provided in [I-D.shen-sm2-ecdsa].
It utilizes a public key size of 512 bits and private key size of 256 bits [GMT-0003.1-2012].
The process of encryption and decryption, along with their examples are found in [SM2-4].
In OpenPGP, SM2PKE is an alternative to RSA specified in [RFC4880].
The recommended curve is specified in [SM2-5] and provided here for reference. SM2 uses a 256-bit elliptic curve.
y^2 = x^3 + ax + b
p = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF a = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFC b = 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93 n = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123 x_G = 32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7 y_G = BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0
The SM3 Cryptographic Hash Algorithm [SM3] is an iterated hash function designed by Xiaoyun Wang et al., published by [OSCCA] as an alternative to SHA-2 [NIST.FIPS.180-4].
The algorithm is designed to be used for various commercial cryptographic applications including, but not limited to:
According to the authors, SM3 is designed with a Merkle-Damgard construction and is very similar to SHA-2 [NIST.FIPS.180-4] of the MD4 [RFC6150] family, with the addition of several strengthening features such as a more complex step function and stronger message dependency than SHA-256 [SM3-Boomerang].
SM3 produces an output hash value of 256 bits long, based on 512-bit input message blocks [SM3-Boomerang], on input lengths up to 2^(m).
The specification of SM3 is described in [SM3] and [I-D.shen-sm3-hash].
SM4 [SM4] is a symmetric encryption algorithm designed by Shuwang Lu et al. in 2006 as SMS4, and officially published published by the OSCCA in 2012 as SM4.
The algorithm is publicly described in "GM/T 0002-2012 SM4 Block Cipher Algorithm Standard" [SM4], and is used in WAPI (Wired Authentication and Privacy Infrastructure), the Chinese National Standard for Wireless LAN [GB15629.11-2003].
SM4 is a 128-bit block cipher, uses a key size of 128 bits and internally uses an 8-bit S-box. It performs 32 rounds per block, and decryption simply reverses the order of encryption.
The SM2 algorithm is supported with the following extension.
The following public key algorithm IDs are added to expand Section 9.1 of [RFC4880], "Public-Key Algorithms":
ID | Description of Algorithm |
---|---|
TBD | SM2 |
Compliant applications MUST support both usages of SM2:
The SM4 algorithm is supported with the following extension.
The following symmetric encryption algorithm ID is added to expand Section 9.2 of [RFC4880], "Symmetric-Key Algorithms":
ID | Description of Algorithm |
---|---|
TBD | SM4 |
Compliant applications MUST support SM4.
The SM3 algorithm is supported with the following extension.
The following symmetric encryption algorithm IDs are added to expand Section 9.3 of [RFC4880], "Hash Algorithms":
ID | Description of Algorithm |
---|---|
TBD | SM3 |
Compliant applications MUST support SM3.
The encoding method of [RFC6637] Section 6 MUST be used, and is compatible with the definition given in [SEC1].
For clarity, according to the EC curve MPI encoding method of [RFC6637], the exact size of the MPI payload for the "SM2 Recommended" 256-bit curve, is 515 bits.
A key derivation function (KDF) is necessary to implement EC encryption.
The SM2PKE KDF is defined in Section 5.4.3 of [I-D.shen-sm2-ecdsa] (originally from Section 3.4.3 of [SM2-4]) and SHOULD be used in conjunction with an OSCCA-approved hash algorithm, such as SM3 [SM3].
The pseudocode is provided here for convenience.
KDF (Z, klen) { Counter = 0x00000001 [a 32-bit register] n = klen / v Iterate from i = 1 to Ceil(n) Ha[i] = H_v( Z || Counter ) Counter++ If n is a whole number Ha![Ceil(n)] = Ha[Ceil(n)] Else Ha![Ceil(n)] = leftmost (klen − (v x Floor(n))) bits of Ha[Ceil(n)] K = Ha[1] || Ha[2] || ... || Ha[Ceil(n)−1] || Ha![Ceil(n)] }
The following algorithm-specific packets are added to Section 5.5.2 of [RFC4880], "Public-Key Packet Formats", to support SM2DSA and SM2PKE.
This document extends the algorithm-specific portion with the following fields.
Algorithm-Specific Fields for SM2DSA keys:
Algorithm-Specific Fields for SM2PKE keys:
An SM2PKE public key is composed of the same sequence of fields that define an SM2DSA key, plus the KDF parameters field.
The following algorithm-specific packets are added to Section 5.5.3. of [RFC4880], "Secret-Key Packet Formats", to support SM2DSA and SM2PKE.
This document extends the algorithm-specific portion with the following fields.
Algorithm-Specific Fields for SM2DSA or SM2PKE secret keys:
Section 5.1 of [RFC4880], "Public-Key Encrypted Session Key Packets (Tag 1)" is extended to support SM2PKE using the following algorithm specific fields for SM2PKE, through applying the KDF described in Section 8.
Algorithm Specific Fields for SM2 encryption:
Section 5.2.2 of [RFC4880] define the signature format for "Version 3 Signature Packet Format". Similar to ECDSA [RFC6637], no changes in the format is necessary for SM2DSA.
Section 5.2.3 of [RFC4880] define the signature format for "Version 4 Signature Packet Format". Similar to ECDSA [RFC6637], no changes in the format is necessary for SM2DSA.
This section provides the "SM2 Recommended Curve" described in [SM2-5] according to the method of [RFC6637].
The named curves are referenced as a sequence of bytes in this document, called throughout, curve OID. Section 11 describes in detail how this sequence of bytes is formed. The parameter curve OID is an array of octets that define a named curve. The table below specifies the exact sequence of bytes for each named curve referenced in this document:
ASN.1 Object Identifier | OID len | Curve OID bytes in hexadecimal representation | Curve name |
---|---|---|---|
1.2.156.10197.1.301 | 8 | 2A 81 1C CF 55 01 82 2D | SM2 Recommended |
The sequence of octets in the third column is the result of applying the Distinguished Encoding Rules (DER) to the ASN.1 Object Identifier with subsequent truncation. The truncation removes the two fields of encoded Object Identifier. The first omitted field is one octet representing the Object Identifier tag, and the second omitted field is the length of the Object Identifier body.
The complete ASN.1 DER encoding for the SM2 Recommended curve OID is "06 08 2A 81 1C CF 55 01 82 2D", from which the first entry in the table above is constructed by omitting the first two octets. Only the truncated sequence of octets is the valid representation of a curve OID.
A compliant application MUST implement:
The IANA "Pretty Good Privacy (PGP)" registry [RFC8126] has made the following assignments for algorithms described in this document, namely:
TODO!
The authors would like to thank the following persons for their valuable advice and input.