Internet Engineering Task Force (IETF) M. Jones
Request for Comments: 8230 Microsoft
Category: Standards Track September 2017
ISSN: 2070-1721
Internet Engineering Task Force (IETF) M. Jones
Request for Comments: 8230 Microsoft
Category: Standards Track September 2017
ISSN: 2070-1721
Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages
将RSA算法与CBOR对象签名和加密(COSE)消息一起使用
Abstract
摘要
The CBOR Object Signing and Encryption (COSE) specification defines cryptographic message encodings using Concise Binary Object Representation (CBOR). This specification defines algorithm encodings and representations enabling RSA algorithms to be used for COSE messages. Encodings are specified for the use of RSA Probabilistic Signature Scheme (RSASSA-PSS) signatures, RSA Encryption Scheme - Optimal Asymmetric Encryption Padding (RSAES-OAEP) encryption, and RSA keys.
CBOR对象签名和加密(COSE)规范使用简明二进制对象表示(CBOR)定义加密消息编码。本规范定义了算法编码和表示,使RSA算法能够用于COSE消息。为使用RSA概率签名方案(RSASSA-PSS)签名、RSA加密方案-最佳非对称加密填充(RSAES-OAEP)加密和RSA密钥指定了编码。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8230.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc8230.
Copyright Notice
版权公告
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2017 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Notation and Conventions . . . . . . . . . . 3
2. RSASSA-PSS Signature Algorithm . . . . . . . . . . . . . . . 3
3. RSAES-OAEP Key Encryption Algorithm . . . . . . . . . . . . . 4
4. RSA Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
5.1. COSE Algorithms Registrations . . . . . . . . . . . . . . 6
5.2. COSE Key Type Registrations . . . . . . . . . . . . . . . 7
5.3. COSE Key Type Parameters Registrations . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
6.1. Key Size Security Considerations . . . . . . . . . . . . 9
6.2. RSASSA-PSS Security Considerations . . . . . . . . . . . 10
6.3. RSAES-OAEP Security Considerations . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 11
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Notation and Conventions . . . . . . . . . . 3
2. RSASSA-PSS Signature Algorithm . . . . . . . . . . . . . . . 3
3. RSAES-OAEP Key Encryption Algorithm . . . . . . . . . . . . . 4
4. RSA Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
5.1. COSE Algorithms Registrations . . . . . . . . . . . . . . 6
5.2. COSE Key Type Registrations . . . . . . . . . . . . . . . 7
5.3. COSE Key Type Parameters Registrations . . . . . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
6.1. Key Size Security Considerations . . . . . . . . . . . . 9
6.2. RSASSA-PSS Security Considerations . . . . . . . . . . . 10
6.3. RSAES-OAEP Security Considerations . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. Normative References . . . . . . . . . . . . . . . . . . 10
7.2. Informative References . . . . . . . . . . . . . . . . . 11
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12
The CBOR Object Signing and Encryption (COSE) [RFC8152] specification defines cryptographic message encodings using Concise Binary Object Representation (CBOR) [RFC7049]. This specification defines algorithm encodings and representations enabling RSA algorithms to be used for COSE messages.
CBOR对象签名和加密(COSE)[RFC8152]规范使用简明二进制对象表示(CBOR)[RFC7049]定义加密消息编码。本规范定义了算法编码和表示,使RSA算法能够用于COSE消息。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”在所有大写字母出现时(如图所示)应按照BCP 14[RFC2119][RFC8174]所述进行解释。
The RSASSA-PSS signature algorithm is defined in [RFC8017].
[RFC8017]中定义了RSASSA-PSS签名算法。
The RSASSA-PSS signature algorithm is parameterized with a hash function (h), a mask generation function (mgf), and a salt length (sLen). For this specification, the mask generation function is fixed to be MGF1 as defined in [RFC8017]. It has been recommended that the same hash function be used for hashing the data as well as in the mask generation function. This specification follows this recommendation. The salt length is the same length as the hash function output.
RSASSA-PSS签名算法由哈希函数(h)、掩码生成函数(mgf)和salt长度(sLen)参数化。对于本规范,掩码生成函数固定为[RFC8017]中定义的MGF1。建议使用相同的散列函数对数据进行散列,并在掩码生成函数中使用。本规范遵循本建议。salt长度与哈希函数输出的长度相同。
Implementations need to check that the key type is 'RSA' when creating or verifying a signature.
在创建或验证签名时,实现需要检查密钥类型是否为“RSA”。
The RSASSA-PSS algorithms specified in this document are in the following table.
本文件中规定的RSASSA-PSS算法如下表所示。
+-------+-------+---------+-------------+-----------------------+
| Name | Value | Hash | Salt Length | Description |
+-------+-------+---------+-------------+-----------------------+
| PS256 | -37 | SHA-256 | 32 | RSASSA-PSS w/ SHA-256 |
| PS384 | -38 | SHA-384 | 48 | RSASSA-PSS w/ SHA-384 |
| PS512 | -39 | SHA-512 | 64 | RSASSA-PSS w/ SHA-512 |
+-------+-------+---------+-------------+-----------------------+
+-------+-------+---------+-------------+-----------------------+
| Name | Value | Hash | Salt Length | Description |
+-------+-------+---------+-------------+-----------------------+
| PS256 | -37 | SHA-256 | 32 | RSASSA-PSS w/ SHA-256 |
| PS384 | -38 | SHA-384 | 48 | RSASSA-PSS w/ SHA-384 |
| PS512 | -39 | SHA-512 | 64 | RSASSA-PSS w/ SHA-512 |
+-------+-------+---------+-------------+-----------------------+
Table 1: RSASSA-PSS Algorithm Values
表1:RSASSA-PSS算法值
RSAES-OAEP is an asymmetric key encryption algorithm. The definition of RSAEA-OAEP can be found in Section 7.1 of [RFC8017]. The algorithm is parameterized using a mask generation function (mgf), a hash function (h), and encoding parameters (P). For the algorithm identifiers defined in this section:
RSAES-OAEP是一种非对称密钥加密算法。RSAEA-OAEP的定义见[RFC8017]第7.1节。该算法使用掩码生成函数(mgf)、哈希函数(h)和编码参数(P)进行参数化。对于本节中定义的算法标识符:
o mgf is always set to MGF1 as defined in [RFC8017] and uses the same hash function as h.
o mgf始终设置为[RFC8017]中定义的MGF1,并使用与h相同的哈希函数。
o P is always set to the empty octet string.
o P始终设置为空的八位字节字符串。
The following table summarizes the rest of the values.
下表总结了其余的值。
+-------------------------------+-------+---------+-----------------+
| Name | Value | Hash | Description |
+-------------------------------+-------+---------+-----------------+
| RSAES-OAEP w/ RFC 8017 | -40 | SHA-1 | RSAES-OAEP w/ |
| default parameters | | | SHA-1 |
| RSAES-OAEP w/ SHA-256 | -41 | SHA-256 | RSAES-OAEP w/ |
| | | | SHA-256 |
| RSAES-OAEP w/ SHA-512 | -42 | SHA-512 | RSAES-OAEP w/ |
| | | | SHA-512 |
+-------------------------------+-------+---------+-----------------+
+-------------------------------+-------+---------+-----------------+
| Name | Value | Hash | Description |
+-------------------------------+-------+---------+-----------------+
| RSAES-OAEP w/ RFC 8017 | -40 | SHA-1 | RSAES-OAEP w/ |
| default parameters | | | SHA-1 |
| RSAES-OAEP w/ SHA-256 | -41 | SHA-256 | RSAES-OAEP w/ |
| | | | SHA-256 |
| RSAES-OAEP w/ SHA-512 | -42 | SHA-512 | RSAES-OAEP w/ |
| | | | SHA-512 |
+-------------------------------+-------+---------+-----------------+
Table 2: RSAES-OAEP Algorithm Values
表2:RSAES-OAEP算法值
The key type MUST be 'RSA'.
密钥类型必须为“RSA”。
Key types are identified by the 'kty' member of the COSE_Key object. This specification defines one value for this member in the following table.
密钥类型由COSE_密钥对象的“kty”成员标识。本规范在下表中为此成员定义了一个值。
+------+-------+-------------+
| Name | Value | Description |
+------+-------+-------------+
| RSA | 3 | RSA Key |
+------+-------+-------------+
+------+-------+-------------+
| Name | Value | Description |
+------+-------+-------------+
| RSA | 3 | RSA Key |
+------+-------+-------------+
Table 3: Key Type Values
表3:键类型值
This document defines a key structure for both the public and private parts of RSA keys. Together, an RSA public key and an RSA private key form an RSA key pair.
本文档为RSA密钥的公共和私有部分定义了密钥结构。RSA公钥和RSA私钥一起构成RSA密钥对。
The document also provides support for the so-called "multi-prime" RSA keys, in which the modulus may have more than two prime factors. The benefit of multi-prime RSA is lower computational cost for the decryption and signature primitives. For a discussion on how multi-prime affects the security of RSA cryptosystems, the reader is referred to [MultiPrimeRSA].
该文档还支持所谓的“多素数”RSA密钥,其中模可能有两个以上的素数因子。多素数RSA的优点是解密和签名原语的计算成本较低。有关多重素数如何影响RSA密码系统安全性的讨论,请参阅[MultiPrimeRSA]。
This document follows the naming convention of [RFC8017] for the naming of the fields of an RSA public or private key, and the corresponding fields have identical semantics. The requirements for fields for RSA keys are as follows:
本文档遵循[RFC8017]的命名约定对RSA公钥或私钥的字段进行命名,相应字段具有相同的语义。RSA密钥字段的要求如下:
o For all keys, 'kty' MUST be present and MUST have a value of 3.
o 对于所有键,“kty”必须存在,且其值必须为3。
o For public keys, the fields 'n' and 'e' MUST be present. All other fields defined in the following table below MUST be absent.
o 对于公钥,字段“n”和“e”必须存在。下表中定义的所有其他字段必须不存在。
o For private keys with two primes, the fields 'other', 'r_i', 'd_i', and 't_i' MUST be absent; all other fields MUST be present.
o 对于具有两个素数的私钥,字段“other”、“r_i”、“d_i”和“t_i”必须不存在;所有其他字段都必须存在。
o For private keys with more than two primes, all fields MUST be present. For the third to nth primes, each of the primes is represented as a map containing the fields 'r_i', 'd_i', and 't_i'. The field 'other' is an array of those maps.
o 对于具有两个以上素数的私钥,必须存在所有字段。对于第三个到第n个素数,每个素数都表示为包含“r_i”、“d_i”和“t_i”字段的映射。字段“other”是这些映射的数组。
o All numeric key parameters are encoded in an unsigned big-endian representation as an octet sequence using the CBOR byte string type (major type 2). The octet sequence MUST utilize the minimum number of octets needed to represent the value. For instance, the value 32,768 is represented as the CBOR byte sequence 0b010_00010, 0x80 0x00 (major type 2, additional information 2 for the length).
o 所有数字键参数都使用CBOR字节字符串类型(主类型2)以无符号大端表示形式编码为八位字节序列。八位字节序列必须使用表示该值所需的最小八位字节数。例如,值32768表示为CBOR字节序列0b010_00010,0x80 0x00(主要类型2,长度的附加信息2)。
The following table provides a summary of the label values and the types associated with each of those labels.
下表提供了标签值的摘要以及与每个标签关联的类型。
+-------+-------+-------+-------+-----------------------------------+
| Key | Name | Label | CBOR | Description |
| Type | | | Type | |
+-------+-------+-------+-------+-----------------------------------+
| 3 | n | -1 | bstr | the RSA modulus n |
| 3 | e | -2 | bstr | the RSA public exponent e |
| 3 | d | -3 | bstr | the RSA private exponent d |
| 3 | p | -4 | bstr | the prime factor p of n |
| 3 | q | -5 | bstr | the prime factor q of n |
| 3 | dP | -6 | bstr | dP is d mod (p - 1) |
| 3 | dQ | -7 | bstr | dQ is d mod (q - 1) |
| 3 | qInv | -8 | bstr | qInv is the CRT coefficient |
| | | | | q^(-1) mod p |
| 3 | other | -9 | array | other prime infos, an array |
| 3 | r_i | -10 | bstr | a prime factor r_i of n, where i |
| | | | | >= 3 |
| 3 | d_i | -11 | bstr | d_i = d mod (r_i - 1) |
| 3 | t_i | -12 | bstr | the CRT coefficient t_i = (r_1 * |
| | | | | r_2 * ... * r_(i-1))^(-1) mod r_i |
+-------+-------+-------+-------+-----------------------------------+
+-------+-------+-------+-------+-----------------------------------+
| Key | Name | Label | CBOR | Description |
| Type | | | Type | |
+-------+-------+-------+-------+-----------------------------------+
| 3 | n | -1 | bstr | the RSA modulus n |
| 3 | e | -2 | bstr | the RSA public exponent e |
| 3 | d | -3 | bstr | the RSA private exponent d |
| 3 | p | -4 | bstr | the prime factor p of n |
| 3 | q | -5 | bstr | the prime factor q of n |
| 3 | dP | -6 | bstr | dP is d mod (p - 1) |
| 3 | dQ | -7 | bstr | dQ is d mod (q - 1) |
| 3 | qInv | -8 | bstr | qInv is the CRT coefficient |
| | | | | q^(-1) mod p |
| 3 | other | -9 | array | other prime infos, an array |
| 3 | r_i | -10 | bstr | a prime factor r_i of n, where i |
| | | | | >= 3 |
| 3 | d_i | -11 | bstr | d_i = d mod (r_i - 1) |
| 3 | t_i | -12 | bstr | the CRT coefficient t_i = (r_1 * |
| | | | | r_2 * ... * r_(i-1))^(-1) mod r_i |
+-------+-------+-------+-------+-----------------------------------+
Table 4: RSA Key Parameters
表4:RSA密钥参数
IANA has registered the following values in the IANA "COSE Algorithms" registry [IANA.COSE].
IANA已在IANA“COSE算法”注册表[IANA.COSE]中注册了以下值。
o Name: PS256 o Value: -37 o Description: RSASSA-PSS w/ SHA-256 o Reference: Section 2 of this document o Recommended: Yes
o 名称:PS256 o值:-37 o说明:RSASSA-PSS w/SHA-256 o参考:本文件第2节o建议:是
o Name: PS384 o Value: -38 o Description: RSASSA-PSS w/ SHA-384 o Reference: Section 2 of this document o Recommended: Yes
o 名称:PS384 o值:-38 o说明:RSASSA-PSS w/SHA-384 o参考:本文件第2节o建议:是
o Name: PS512 o Value: -39 o Description: RSASSA-PSS w/ SHA-512 o Reference: Section 2 of this document o Recommended: Yes
o 名称:PS512 o值:-39 o说明:RSASSA-PSS w/SHA-512 o参考:本文件第2节o建议:是
o Name: RSAES-OAEP w/ RFC 8017 default parameters o Value: -40 o Description: RSAES-OAEP w/ SHA-1 o Reference: Section 3 of this document o Recommended: Yes
o 名称:RSAES-OAEP w/RFC 8017默认参数o值:-40 o说明:RSAES-OAEP w/SHA-1 o参考:本文件第3节o建议:是
o Name: RSAES-OAEP w/ SHA-256 o Value: -41 o Description: RSAES-OAEP w/ SHA-256 o Reference: Section 3 of this document o Recommended: Yes
o 名称:RSAES-OAEP w/SHA-256 o值:-41 o说明:RSAES-OAEP w/SHA-256 o参考:本文件第3节o建议:是
o Name: RSAES-OAEP w/ SHA-512 o Value: -42 o Description: RSAES-OAEP w/ SHA-512 o Reference: Section 3 of this document o Recommended: Yes
o 名称:RSAES-OAEP w/SHA-512 o值:-42 o说明:RSAES-OAEP w/SHA-512 o参考:本文件第3节o建议:是
IANA has registered the following value in the IANA "COSE Key Types" registry [IANA.COSE].
IANA已在IANA“COSE密钥类型”注册表[IANA.COSE]中注册了以下值。
o Name: RSA o Value: 3 o Description: RSA Key o Reference: Section 4 of this document
o 名称:RSA o值:3 o说明:RSA密钥o参考:本文档第4节
IANA has registered the following values in the IANA "COSE Key Type Parameters" registry [IANA.COSE].
IANA已在IANA“COSE密钥类型参数”注册表[IANA.COSE]中注册了以下值。
o Key Type: 3 o Name: n o Label: -1 o CBOR Type: bstr o Description: the RSA modulus n o Reference: Section 4 of this document
o 密钥类型:3 o名称:n o标签:-1 o CBOR类型:bstr o说明:RSA模数n o参考:本文档第4节
o Key Type: 3 o Name: e o Label: -2 o CBOR Type: bstr o Description: the RSA public exponent e o Reference: Section 4 of this document
o 密钥类型:3 o名称:EO标签:-2 o CBOR类型:bstr o说明:RSA公共指数EO参考:本文档第4节
o Key Type: 3 o Name: d o Label: -3 o CBOR Type: bstr o Description: the RSA private exponent d o Reference: Section 4 of this document
o 密钥类型:3 o名称:DO标签:-3 o CBOR类型:bstr o说明:RSA专用指数DO参考:本文档第4节
o Key Type: 3 o Name: p o Label: -4 o CBOR Type: bstr o Description: the prime factor p of n o Reference: Section 4 of this document
o 密钥类型:3 o名称:PO标签:-4 o CBOR类型:bstr o说明:n o的基本因子p参考:本文件第4节
o Key Type: 3 o Name: q o Label: -5 o CBOR Type: bstr o Description: the prime factor q of n o Reference: Section 4 of this document
o 密钥类型:3 o名称:q o标签:-5 o CBOR类型:bstr o说明:n o的基本因子q参考:本文件第4节
o Key Type: 3 o Name: dP o Label: -6 o CBOR Type: bstr o Description: dP is d mod (p - 1) o Reference: Section 4 of this document
o 密钥类型:3 o名称:dP o标签:-6 o CBOR类型:bstr o说明:dP为d mod(p-1)o参考:本文件第4节
o Key Type: 3 o Name: dQ o Label: -7 o CBOR Type: bstr o Description: dQ is d mod (q - 1) o Reference: Section 4 of this document
o 密钥类型:3 o名称:dQ o标签:-7 o CBOR类型:bstr o说明:dQ为d mod(q-1)o参考:本文件第4节
o Key Type: 3 o Name: qInv o Label: -8 o CBOR Type: bstr o Description: qInv is the CRT coefficient q^(-1) mod p o Reference: Section 4 of this document
o 密钥类型:3 o名称:qInv o标签:-8 o CBOR类型:bstr o说明:qInv是CRT系数q^(-1)mod p o参考:本文件第4节
o Key Type: 3 o Name: other o Label: -9 o CBOR Type: array o Description: other prime infos, an array o Reference: Section 4 of this document
o 密钥类型:3 o名称:其他o标签:-9 o CBOR类型:数组o说明:其他基本信息,数组o参考:本文档第4节
o Key Type: 3 o Name: r_i o Label: -10 o CBOR Type: bstr o Description: a prime factor r_i of n, where i >= 3 o Reference: Section 4 of this document
o 密钥类型:3 o名称:r_i o标签:-10 o CBOR类型:bstr o说明:一个素因子r_i为n,其中i>=3 o参考:本文件第4节
o Key Type: 3 o Name: d_i o Label: -11 o CBOR Type: bstr o Description: d_i = d mod (r_i - 1) o Reference: Section 4 of this document
o 密钥类型:3 o名称:d_i o标签:-11 o CBOR类型:bstr o说明:d_i=d mod(r_i-1)o参考:本文件第4节
o Key Type: 3 o Name: t_i o Label: -12 o CBOR Type: bstr o Description: the CRT coefficient t_i = (r_1 * r_2 * ... * r_(i-1))^(-1) mod r_i o Reference: Section 4 of this document
o 密钥类型:3 o名称:t_i o标签:-12 o CBOR类型:bstr o说明:CRT系数t_i=(r_1*r_2*…*r_(i-1))^(-1)模块r_i o参考:本文件第4节
A key size of 2048 bits or larger MUST be used with these algorithms. This key size corresponds roughly to the same strength as provided by a 128-bit symmetric encryption algorithm. Implementations SHOULD be able to encrypt and decrypt with modulus between 2048 and 16K bits in length. Applications can impose additional restrictions on the length of the modulus.
这些算法必须使用2048位或更大的密钥大小。该密钥大小与128位对称加密算法提供的强度大致相同。实现应该能够使用长度介于2048和16K位之间的模数进行加密和解密。应用程序可以对模量的长度施加附加限制。
In addition to needing to worry about keys that are too small to provide the required security, there are issues with keys that are too large. Denial-of-service attacks have been mounted with overly large keys or oddly sized keys. This has the potential to consume resources with these keys. It is highly recommended that checks on the key length be done before starting a cryptographic operation.
除了需要担心密钥太小而无法提供所需的安全性之外,还存在密钥太大的问题。拒绝服务攻击是使用过大的密钥或大小异常的密钥进行的。这可能会使用这些密钥消耗资源。强烈建议在开始加密操作之前检查密钥长度。
There are two reasonable ways to address this attack. First, a key should not be used for a cryptographic operation until it has been verified that it is controlled by a party trusted by the recipient. This approach means that no cryptography will be done until a trust decision about the key has been made, a process described in Appendix D, Item 4 of [RFC7515]. Second, applications can impose maximum- as well as minimum-length requirements on keys. This limits the resources that would otherwise be consumed by the use of overly large keys.
有两种合理的方法可以解决此攻击。首先,在验证密钥是否由接收方信任的一方控制之前,不应将密钥用于加密操作。这种方法意味着,在做出关于密钥的信任决定之前,不会进行加密,这一过程如[RFC7515]附录D第4项所述。其次,应用程序可以对键施加最大和最小长度要求。这限制了使用过大的键所消耗的资源。
There is a theoretical hash substitution attack that can be mounted against RSASSA-PSS [HASHID]. However, the requirement that the same hash function be used consistently for all operations is an effective mitigation against it. Unlike an Elliptic Curve Digital Signature Algorithm (ECDSA), hash function outputs are not truncated so that the full hash value is always signed. The internal padding structure of RSASSA-PSS means that one needs to have multiple collisions between the two hash functions to be successful in producing a forgery based on changing the hash function. This is highly unlikely.
有一种理论上的散列替换攻击可以针对RSASSA-PSS[HASHID]发起。然而,对所有操作一致使用相同哈希函数的要求是一种有效的缓解措施。与椭圆曲线数字签名算法(ECDSA)不同,哈希函数的输出不会被截断,因此整个哈希值始终是有符号的。RSASSA-PSS的内部填充结构意味着两个哈希函数之间需要有多次冲突,才能在更改哈希函数的基础上成功生成伪造。这是极不可能的。
A version of RSAES-OAEP using the default parameters specified in Appendix A.2.1 of [RFC8017] is included because this is the most widely implemented set of OAEP parameter choices. (Those default parameters are the SHA-1 hash function and the MGF1 with SHA-1 mask generation function.)
包括使用[RFC8017]附录A.2.1中规定的默认参数的RSAES-OAEP版本,因为这是应用最广泛的一组OAEP参数选择。(这些默认参数是SHA-1哈希函数和MGF1 with SHA-1掩码生成函数。)
Keys used with RSAES-OAEP MUST follow the constraints in Section 7.1 of [RFC8017]. Also, keys with a low private key exponent value, as described in Section 3 of "Twenty Years of Attacks on the RSA Cryptosystem" [Boneh99], MUST NOT be used.
与RSAES-OAEP一起使用的密钥必须遵循[RFC8017]第7.1节中的约束条件。此外,如“RSA密码系统二十年攻击”[Boneh99]第3节所述,不得使用私钥指数值较低的密钥。
[Boneh99] Boneh, D., "Twenty Years of Attacks on the RSA Cryptosystem", Notices of the American Mathematical Society (AMS), Vol. 46, No. 2, pp. 203-213, 1999, <http://www.ams.org/notices/199902/boneh.pdf>.
[Boneh99]Boneh,D.,“对RSA密码系统的二十年攻击”,《美国数学学会通告》,第46卷,第2期,第203-213页,1999年<http://www.ams.org/notices/199902/boneh.pdf>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<https://www.rfc-editor.org/info/rfc2119>.
[RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049, October 2013, <https://www.rfc-editor.org/info/rfc7049>.
[RFC7049]Bormann,C.和P.Hoffman,“简明二进制对象表示法(CBOR)”,RFC 7049,DOI 10.17487/RFC7049,2013年10月<https://www.rfc-editor.org/info/rfc7049>.
[RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015, <https://www.rfc-editor.org/info/rfc7515>.
[RFC7515]Jones,M.,Bradley,J.和N.Sakimura,“JSON网络签名(JWS)”,RFC 7515,DOI 10.17487/RFC7515,2015年5月<https://www.rfc-editor.org/info/rfc7515>.
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, "PKCS #1: RSA Cryptography Specifications Version 2.2", RFC 8017, DOI 10.17487/RFC8017, November 2016, <https://www.rfc-editor.org/info/rfc8017>.
[RFC8017]Moriarty,K.,Ed.,Kaliski,B.,Jonsson,J.,和A.Rusch,“PKCS#1:RSA加密规范版本2.2”,RFC 8017,DOI 10.17487/RFC8017,2016年11月<https://www.rfc-editor.org/info/rfc8017>.
[RFC8152] Schaad, J., "CBOR Object Signing and Encryption (COSE)", RFC 8152, DOI 10.17487/RFC8152, July 2017, <https://www.rfc-editor.org/info/rfc8152>.
[RFC8152]Schaad,J.,“CBOR对象签名和加密(COSE)”,RFC 8152,DOI 10.17487/RFC8152,2017年7月<https://www.rfc-editor.org/info/rfc8152>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8174]Leiba,B.,“RFC 2119关键词中大写与小写的歧义”,BCP 14,RFC 8174,DOI 10.17487/RFC8174,2017年5月<https://www.rfc-editor.org/info/rfc8174>.
[HASHID] Kaliski, B., "On Hash Function Firewalls in Signature Schemes", Lecture Notes in Computer Science (LNCS), Volume 2271, pp. 1-16, DOI 10.1007/3-540-45760-7_1, February 2002, <https://rd.springer.com/chapter/ 10.1007/3-540-45760-7_1>.
[HASHID]Kaliski,B.,“关于签名方案中的哈希函数防火墙”,《计算机科学讲稿》(LNCS),第2271卷,第1-16页,DOI 10.1007/3-540-45760-7_1,2002年2月<https://rd.springer.com/chapter/ 10.1007/3-540-45760-7_1>.
[IANA.COSE] IANA, "CBOR Object Signing and Encryption (COSE)", <http://www.iana.org/assignments/cose>.
[IANA.COSE]IANA,“CBOR对象签名和加密(COSE)”<http://www.iana.org/assignments/cose>.
[MultiPrimeRSA] Hinek, M. and D. Cheriton, "On the Security of Multi-prime RSA", June 2006, <http://cacr.uwaterloo.ca/techreports/ 2006/cacr2006-16.pdf>.
[MultiPrimeRSA]Hinek,M.和D.Cheriton,“关于多素数RSA的安全性”,2006年6月<http://cacr.uwaterloo.ca/techreports/ 2006/cacr2006-16.pdf>。
Acknowledgements
致谢
This specification incorporates text from "CBOR Encoded Message Syntax" (September 2015) authored by Jim Schaad and Brian Campbell. Thanks are due to Ben Campbell, Roni Even, Steve Kent, Kathleen Moriarty, Eric Rescorla, Adam Roach, Rich Salz, and Jim Schaad for their reviews of the specification.
本规范包含Jim Schaad和Brian Campbell编写的“CBOR编码消息语法”(2015年9月)中的文本。感谢Ben Campbell、Roni Een、Steve Kent、Kathleen Moriarty、Eric Rescorla、Adam Roach、Rich Salz和Jim Schaad对规范的评审。
Author's Address
作者地址
Michael B. Jones Microsoft
迈克尔·琼斯微软公司
Email: mbj@microsoft.com
URI: http://self-issued.info/
Email: mbj@microsoft.com
URI: http://self-issued.info/