| rfc9879.original | rfc9879.txt | |||
|---|---|---|---|---|
| lamps A. Kario | Internet Engineering Task Force (IETF) A. Kario | |||
| Internet-Draft Red Hat, Inc. | Request for Comments: 9879 Red Hat, Inc. | |||
| Obsoletes: 9579 (if approved) 25 April 2025 | Obsoletes: 9579 September 2025 | |||
| Updates: 7292, 8018 (if approved) | Updates: 7292, 8018 | |||
| Intended status: Informational | Category: Informational | |||
| Expires: 27 October 2025 | ISSN: 2070-1721 | |||
| Use of Password-Based Message Authentication Code 1 (PBMAC1) in PKCS #12 | Use of Password-Based Message Authentication Code 1 (PBMAC1) in PKCS #12 | |||
| Syntax | Syntax | |||
| draft-ietf-lamps-rfc9579bis-06 | ||||
| Abstract | Abstract | |||
| This document specifies additions and amendments to RFCs 7292 and | This document specifies additions and amendments to RFCs 7292 and | |||
| 8018. It also obsoletes the RFC 9579. It defines a way to use the | 8018. It also obsoletes the RFC 9579. It defines a way to use the | |||
| Password-Based Message Authentication Code 1 (PBMAC1), defined in RFC | Password-Based Message Authentication Code 1 (PBMAC1), defined in RFC | |||
| 8018, inside the PKCS #12 syntax. The purpose of this specification | 8018, inside the PKCS #12 syntax. The purpose of this specification | |||
| is to permit the use of more modern Password-Based Key Derivation | is to permit the use of more modern Password-Based Key Derivation | |||
| Functions (PBKDFs) and allow for regulatory compliance. | Functions (PBKDFs) and allow for regulatory compliance. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This document is not an Internet Standards Track specification; it is | |||
| provisions of BCP 78 and BCP 79. | published for informational purposes. | |||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Not all documents | |||
| approved by the IESG are candidates for any level of Internet | ||||
| Standard; see Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 27 October 2025. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9879. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2025 IETF Trust and the persons identified as the | Copyright (c) 2025 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
| 1.1. Changes since RFC 9579 . . . . . . . . . . . . . . . . . 2 | 1.1. Changes since RFC 9579 | |||
| 2. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Rationale | |||
| 3. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 | 3. Requirements Language | |||
| 4. Embedding PBMAC1 in PKCS #12 . . . . . . . . . . . . . . . . 3 | 4. Embedding PBMAC1 in PKCS #12 | |||
| 5. Recommended Parameters . . . . . . . . . . . . . . . . . . . 4 | 5. Recommended Parameters | |||
| 6. Password Encoding . . . . . . . . . . . . . . . . . . . . . . 4 | 6. Password Encoding | |||
| 7. Deprecated Algorithms . . . . . . . . . . . . . . . . . . . . 5 | 7. Deprecated Algorithms | |||
| 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 8. IANA Considerations | |||
| 9. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 9. Security Considerations | |||
| 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 10. References | |||
| 10.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 10.1. Normative References | |||
| 10.2. Informative References . . . . . . . . . . . . . . . . . 7 | 10.2. Informative References | |||
| Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 7 | Appendix A. Test Vectors | |||
| A.1. Valid PKCS #12 File with SHA-256 HMAC and PRF . . . . . . 7 | A.1. Valid PKCS #12 File with SHA-256 HMAC and PRF | |||
| A.2. Valid PKCS #12 File with SHA-256 HMAC and SHA-512 PRF . . 9 | A.2. Valid PKCS #12 File with SHA-256 HMAC and SHA-512 PRF | |||
| A.3. Valid PKCS #12 File with SHA-512 HMAC and PRF . . . . . . 10 | A.3. Valid PKCS #12 File with SHA-512 HMAC and PRF | |||
| A.4. Invalid PKCS #12 File with Incorrect Iteration Count . . 11 | A.4. Invalid PKCS #12 File with Incorrect Iteration Count | |||
| A.5. Invalid PKCS #12 File with Incorrect Salt . . . . . . . . 13 | A.5. Invalid PKCS #12 File with Incorrect Salt | |||
| A.6. Invalid PKCS #12 File with Missing Key Length . . . . . . 14 | A.6. Invalid PKCS #12 File with Missing Key Length | |||
| Appendix B. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 15 | Appendix B. ASN.1 Module | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 18 | Author's Address | |||
| 1. Introduction | 1. Introduction | |||
| The PKCS #12 format [RFC7292] is widely used for the interoperable | The PKCS #12 format [RFC7292] is widely used for the interoperable | |||
| transfer of certificate, key, and other miscellaneous secrets between | transfer of certificate, key, and other miscellaneous secrets between | |||
| machines, applications, browsers, etc. Unfortunately, [RFC7292] | machines, applications, browsers, etc. Unfortunately, [RFC7292] | |||
| mandates the use of a PKCS #12 specific password-based key derivation | mandates the use of a PKCS #12 specific password-based key derivation | |||
| function that only allows for change of the underlying message digest | function that only allows for change of the underlying message digest | |||
| function. | function. | |||
| 1.1. Changes since RFC 9579 | 1.1. Changes since RFC 9579 | |||
| This document changes the specified format of password passed to the | This document changes the specified format of the password passed to | |||
| key derivation function. Previously it was a BMPString, now it's | the key derivation function. Previously, it was a BMPString, but now | |||
| declared as a UTF8String. It should be noted that the test vectors | it's declared as a UTF8String. It should be noted that the test | |||
| attached to [RFC9579] use UTF8String encoding. This resolves | vectors attached to [RFC9579] use UTF8String encoding. This resolves | |||
| [Err7974]. | [Err7974]. | |||
| 2. Rationale | 2. Rationale | |||
| Due to security concerns with the key derivation function from | Due to security concerns with the key derivation function from | |||
| [RFC7292] and the much higher extensibility of PBMAC1 [RFC8018], we | [RFC7292] and the much higher extensibility of PBMAC1 [RFC8018], we | |||
| propose the use of PBMAC1 for integrity protection of PKCS #12 | propose the use of PBMAC1 for integrity protection of PKCS #12 | |||
| structures. The new syntax is designed to allow legacy applications | structures. The new syntax is designed to allow legacy applications | |||
| to still be able to decrypt the key material, even if they are unable | to still be able to decrypt the key material, even if they are unable | |||
| to interpret the new integrity protection, provided that they can | to interpret the new integrity protection, provided that they can | |||
| skipping to change at page 4, line 39 ¶ | skipping to change at line 175 ¶ | |||
| SHA-256 HMAC should also include KDF parameters that generate a | SHA-256 HMAC should also include KDF parameters that generate a | |||
| 32-octet key. In particular, when using the PBKDF2, implementations | 32-octet key. In particular, when using the PBKDF2, implementations | |||
| MUST include the keyLength field in the encoded PBKDF2-params. | MUST include the keyLength field in the encoded PBKDF2-params. | |||
| Implementations MUST NOT accept PBKDF2 KDF with PBKDF2-params that | Implementations MUST NOT accept PBKDF2 KDF with PBKDF2-params that | |||
| omit the keyLength field. | omit the keyLength field. | |||
| 6. Password Encoding | 6. Password Encoding | |||
| As documented in Appendix B.1 of [RFC7292], the handling of password | As documented in Appendix B.1 of [RFC7292], the handling of password | |||
| encoding in the underlying standards is underspecified. However, | encoding in the underlying standards is underspecified. However, | |||
| unlike with Password Based Encryption Scheme 1 (PBES1) [RFC8018] when | unlike with Password-Based Encryption Scheme 1 (PBES1) [RFC8018] when | |||
| used in the context of PKCS #12 or the MAC algorithm described in | used in the context of PKCS #12 or the MAC algorithm described in | |||
| [RFC7292] (which use BMPString with NULL-termination), all passwords | [RFC7292] (which use BMPString with NULL termination), all passwords | |||
| used with PBMAC1 MUST be created from UTF-8 [RFC3629] encoding | used with PBMAC1 MUST be created from UTF-8 encoding [RFC3629] | |||
| without a NULL terminator or Byte Order Mark (BOM). | without a NULL terminator or Byte Order Mark (BOM). | |||
| 7. Deprecated Algorithms | 7. Deprecated Algorithms | |||
| While attacks against SHA-1 HMACs are not considered practical | While attacks against SHA-1 HMACs are not considered practical | |||
| [RFC6194], to limit the number of algorithms needed for | [RFC6194], to limit the number of algorithms needed for | |||
| interoperability, implementations of this specification SHOULD NOT | interoperability, implementations of this specification SHOULD NOT | |||
| use PBKDF2 with the SHA-1 HMAC. In addition, implementations MUST | use PBKDF2 with the SHA-1 HMAC. In addition, implementations MUST | |||
| NOT use any other message digest functions with an output of 160 bits | NOT use any other message digest functions with an output of 160 bits | |||
| or less. | or less. | |||
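The keyLength, password-encoding and digest-size rules of Sections 5, 6 and 7 above, as an added Python example that is not code from the RFC or from any PKCS #12 implementation. It derives the PBMAC1 MAC key with PBKDF2 and verifies an HMAC over the authSafe octets, refusing PBKDF2-params that omit keyLength, encoding the password as plain UTF-8 (contrasted with the NULL-terminated BMPString of RFC 7292), and rejecting digests of 160 bits or less (SHA-1 only when explicitly allowed, matching the SHOULD NOT). The PBKDF2-params dict, salt, iteration count and authSafe bytes are constructed for illustration and are not the Appendix A test vectors.

```python
"""Added example (not code from RFC 9879 or any PKCS #12 library):
a PBMAC1-style integrity check for PKCS #12 that enforces the keyLength,
password-encoding and digest-size rules of Sections 5, 6 and 7."""
import hashlib
import hmac

# Constructed PBKDF2-params, mirroring the RFC 8018 fields (salt,
# iterationCount, keyLength, prf) as a plain dict. Values are made up for
# this example and are NOT the parameters of the Appendix A vectors.
PARAMS_SHA256 = {
    "salt": bytes.fromhex("0123456789abcdef0123456789abcdef"),
    "iterationCount": 2048,
    "keyLength": 32,      # 32-octet key for an HMAC-SHA256 MAC (Section 5)
    "prf": "sha256",      # hmacWithSHA256
}
# Constructed stand-in for the DER octets of a PKCS #12 AuthenticatedSafe.
AUTH_SAFE = b"\x30\x0b\x31\x09constructed-authSafe"


def encode_password_pbmac1(password: str) -> bytes:
    """Section 6: UTF-8 octets, with no NULL terminator and no BOM."""
    return password.encode("utf-8")


def encode_password_rfc7292(password: str) -> bytes:
    """Legacy RFC 7292 Appendix B.1 form (BMPString, i.e. UTF-16BE, plus a
    two-octet NULL terminator), shown only to contrast with PBMAC1."""
    return password.encode("utf-16-be") + b"\x00\x00"


def derive_mac_key(password: str, params: dict, allow_sha1: bool = False) -> bytes:
    """Derive the PBMAC1 MAC key with PBKDF2, applying the document's rules."""
    # Section 5: PBKDF2-params that omit keyLength MUST NOT be accepted.
    if params.get("keyLength") is None:
        raise ValueError("PBKDF2-params omit keyLength; rejecting")
    prf = params["prf"]
    # Section 7: SHA-1 is SHOULD NOT (opt-in only); any other digest with an
    # output of 160 bits or less MUST NOT be used.
    if prf == "sha1":
        if not allow_sha1:
            raise ValueError("PBKDF2 with HMAC-SHA1 is deprecated")
    elif hashlib.new(prf).digest_size * 8 <= 160:
        raise ValueError(f"{prf}: digest output of 160 bits or less is not allowed")
    return hashlib.pbkdf2_hmac(
        prf,
        encode_password_pbmac1(password),
        params["salt"],
        params["iterationCount"],
        params["keyLength"],
    )


def compute_mac(password: str, params: dict, data: bytes, mac_hash: str = "sha256") -> bytes:
    """PBMAC1 messageAuthScheme: HMAC over the authSafe octets with the derived key."""
    return hmac.new(derive_mac_key(password, params), data, mac_hash).digest()


def verify_mac(password: str, params: dict, data: bytes, expected: bytes,
               mac_hash: str = "sha256") -> bool:
    """Constant-time comparison; malformed or disallowed parameters verify as False."""
    try:
        return hmac.compare_digest(compute_mac(password, params, data, mac_hash), expected)
    except ValueError:
        return False


if __name__ == "__main__":
    tag = compute_mac("1234", PARAMS_SHA256, AUTH_SAFE)
    print("MAC:", tag.hex())
    print("correct password verifies:", verify_mac("1234", PARAMS_SHA256, AUTH_SAFE, tag))
    print("wrong password verifies:", verify_mac("1235", PARAMS_SHA256, AUTH_SAFE, tag))
    no_len = {k: v for k, v in PARAMS_SHA256.items() if k != "keyLength"}
    print("keyLength missing verifies:", verify_mac("1234", no_len, AUTH_SAFE, tag))
```

Verification failures from malformed parameters are folded into a plain False so that a caller cannot be tricked into a lenient path; a production parser would additionally check that the PBKDF2 keyLength equals the HMAC's natural output length before deriving anything.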
| 8. IANA Considerations | 8. IANA Considerations | |||
| IANA has registered the following object identifier in the "SMI | IANA has registered the following object identifier in the "SMI | |||
| Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)" | Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)" | |||
| registry. See Appendix B for the ASN.1 module. | registry. See Appendix B for the ASN.1 module. | |||
| We ask IANA to update the reference to point to this new document. | IANA has updated the reference to point to this document. | |||
| +=========+=======================+=================+ | +=========+=======================+===========+ | |||
| | Decimal | Description | Reference | | | Decimal | Description | Reference | | |||
| +=========+=======================+=================+ | +=========+=======================+===========+ | |||
| | 76 | id-pkcs12-pbmac1-2023 | [this document] | | | 76 | id-pkcs12-pbmac1-2023 | RFC 9879 | | |||
| +---------+-----------------------+-----------------+ | +---------+-----------------------+-----------+ | |||
| Table 1 | Table 1 | |||
| 9. Security Considerations | 9. Security Considerations | |||
| Except for the use of different key derivation functions, this | Except for the use of different key derivation functions, this | |||
| document doesn't change how the integrity protection on PKCS #12 | document doesn't change how the integrity protection on PKCS #12 | |||
| objects is computed; therefore, all the security considerations from | objects is computed; therefore, all the security considerations from | |||
| [RFC7292] apply. | [RFC7292] apply. | |||
| skipping to change at page 6, line 38 ¶ | skipping to change at line 262 ¶ | |||
| [RFC8018] Moriarty, K., Ed., Kaliski, B., and A. Rusch, "PKCS #5: | [RFC8018] Moriarty, K., Ed., Kaliski, B., and A. Rusch, "PKCS #5: | |||
| Password-Based Cryptography Specification Version 2.1", | Password-Based Cryptography Specification Version 2.1", | |||
| RFC 8018, DOI 10.17487/RFC8018, January 2017, | RFC 8018, DOI 10.17487/RFC8018, January 2017, | |||
| <https://www.rfc-editor.org/info/rfc8018>. | <https://www.rfc-editor.org/info/rfc8018>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [SHA2] National Institute of Standards and Technology (NIST), | [SHA2] NIST, "Secure Hash Standard (SHS)", FIPS PUB 180-4, | |||
| "Secure Hash Standard (SHS)", FIPS PUB 180-4, | ||||
| DOI 10.6028/NIST.FIPS.180-4, August 2015, | DOI 10.6028/NIST.FIPS.180-4, August 2015, | |||
| <https://nvlpubs.nist.gov/nistpubs/FIPS/ | <https://nvlpubs.nist.gov/nistpubs/FIPS/ | |||
| NIST.FIPS.180-4.pdf>. | NIST.FIPS.180-4.pdf>. | |||
| [x680] ITU-T, "Information technology - Abstract Syntax Notation | [x680] ITU-T, "Information technology - Abstract Syntax Notation | |||
| One (ASN.1): Specification of basic notation", ITU-T | One (ASN.1): Specification of basic notation", ITU-T | |||
| Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, | Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, | |||
| <https://www.itu.int/rec/T-REC-X.680>. | <https://www.itu.int/rec/T-REC-X.680>. | |||
| [x681] ITU-T, "Information technology - Abstract Syntax Notation | [x681] ITU-T, "Information technology - Abstract Syntax Notation | |||
| skipping to change at page 7, line 23 ¶ | skipping to change at line 295 ¶ | |||
| 2021, <https://www.itu.int/rec/T-REC-X.683>. | 2021, <https://www.itu.int/rec/T-REC-X.683>. | |||
| [x690] ITU-T, "Information technology - ASN.1 encoding rules: | [x690] ITU-T, "Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), Canonical | Specification of Basic Encoding Rules (BER), Canonical | |||
| Encoding Rules (CER) and Distinguished Encoding Rules | Encoding Rules (CER) and Distinguished Encoding Rules | |||
| (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021, | (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021, | |||
| February 2021, <https://www.itu.int/rec/T-REC-X.690>. | February 2021, <https://www.itu.int/rec/T-REC-X.690>. | |||
| 10.2. Informative References | 10.2. Informative References | |||
| [Err7974] Kario, A., "RFC Errata Report 7974, RFC 9579,", | [Err7974] RFC Errata, Erratum ID 7974, RFC 9579, | |||
| <https://www.rfc-editor.org/errata/eid7974>. | <https://www.rfc-editor.org/errata/eid7974>. | |||
| [RFC7914] Percival, C. and S. Josefsson, "The scrypt Password-Based | [RFC7914] Percival, C. and S. Josefsson, "The scrypt Password-Based | |||
| Key Derivation Function", RFC 7914, DOI 10.17487/RFC7914, | Key Derivation Function", RFC 7914, DOI 10.17487/RFC7914, | |||
| August 2016, <https://www.rfc-editor.org/info/rfc7914>. | August 2016, <https://www.rfc-editor.org/info/rfc7914>. | |||
| [RFC9579] Kario, H., "Use of Password-Based Message Authentication | [RFC9579] Kario, H., "Use of Password-Based Message Authentication | |||
| Code 1 (PBMAC1) in PKCS #12 Syntax", RFC 9579, | Code 1 (PBMAC1) in PKCS #12 Syntax", RFC 9579, | |||
| DOI 10.17487/RFC9579, May 2024, | DOI 10.17487/RFC9579, May 2024, | |||
| <https://www.rfc-editor.org/info/rfc9579>. | <https://www.rfc-editor.org/info/rfc9579>. | |||
| [SHA3] National Institute of Standards and Technology (NIST), | [SHA3] NIST, "SHA-3 Standard: Permutation-Based Hash and | |||
| "SHA-3 Standard: Permutation-Based Hash and Extendable- | Extendable-Output Functions", FIPS PUB 202, | |||
| Output Functions", FIPS PUB 202, | ||||
| DOI 10.6028/NIST.FIPS.202, August 2015, | DOI 10.6028/NIST.FIPS.202, August 2015, | |||
| <https://nvlpubs.nist.gov/nistpubs/FIPS/ | <https://nvlpubs.nist.gov/nistpubs/FIPS/ | |||
| NIST.FIPS.202.pdf>. | NIST.FIPS.202.pdf>. | |||
| Appendix A. Test Vectors | Appendix A. Test Vectors | |||
| All test vectors use "1234" as the password for both encryption and | All test vectors use "1234" as the password for both encryption and | |||
| integrity protection. | integrity protection. | |||
| A.1. Valid PKCS #12 File with SHA-256 HMAC and PRF | A.1. Valid PKCS #12 File with SHA-256 HMAC and PRF | |||
| End of changes. 15 change blocks. | ||||
| 67 lines changed or deleted | 64 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||