| rfc9563v3.txt | rfc9563.txt | |||
|---|---|---|---|---|
| Independent Submission C. Zhang | Independent Submission C. Zhang | |||
| Request for Comments: 9563 Y. Liu | Request for Comments: 9563 Y. Liu | |||
| Category: Informational F. Leng | Category: Informational F. Leng | |||
| ISSN: 2070-1721 Q. Zhao | ISSN: 2070-1721 Q. Zhao | |||
| Z. He | Z. He | |||
| CNNIC | CNNIC | |||
| May 2024 | September 2024 | |||
| SM2 Digital Signature Algorithm for DNSSEC | SM2 Digital Signature Algorithm for DNSSEC | |||
| Abstract | Abstract | |||
| This document specifies the use of the SM2 digital signature | This document specifies the use of the SM2 digital signature | |||
| algorithm and SM3 hash algorithm for DNS Security (DNSSEC). | algorithm and SM3 hash algorithm for DNS Security (DNSSEC). | |||
| This document is an Independent Submission to the RFC series and does | This document is an Independent Submission to the RFC series and does | |||
| not have consensus of the IETF community. | not have consensus of the IETF community. | |||
| skipping to change at line 75 ¶ | skipping to change at line 75 ¶ | |||
| 1. Introduction | 1. Introduction | |||
| DNSSEC is broadly defined in [RFC4033], [RFC4034], and [RFC4035]. It | DNSSEC is broadly defined in [RFC4033], [RFC4034], and [RFC4035]. It | |||
| uses cryptographic keys and digital signatures to provide | uses cryptographic keys and digital signatures to provide | |||
| authentication of DNS data. DNSSEC signature algorithms are | authentication of DNS data. DNSSEC signature algorithms are | |||
| registered in the DNSSEC algorithm numbers registry [IANA]. | registered in the DNSSEC algorithm numbers registry [IANA]. | |||
| This document defines the DNSKEY and RRSIG resource records (RRs) of | This document defines the DNSKEY and RRSIG resource records (RRs) of | |||
| new signing algorithms: SM2 uses elliptic curves over 256-bit prime | new signing algorithms: SM2 uses elliptic curves over 256-bit prime | |||
| fields with SM3 hash algorithm. (A description of SM2 can be found | fields with SM3 hash algorithm. (A description of SM2 can be found | |||
| in GB/T 32918.2-2016 [GBT-32918.2-2016] or ISO/IEC14888-3:2018 | in GM/T 0003.2-2012 [GMT-0003.2] or ISO/IEC14888-3:2018 | |||
| [ISO-IEC14888-3_2018], and a description of SM3 can be found in GB/T | [ISO-IEC14888-3_2018], and a description of SM3 can be found in GM/T | |||
| 32905-2016 [GBT-32905-2016] or ISO/IEC10118-3:2018 | 0004-2012 [GMT-0004] or ISO/IEC10118-3:2018 [ISO-IEC10118-3_2018].) | |||
| [ISO-IEC10118-3_2018].) This document also defines the DS RR for the | This document also defines the DS RR for the SM3 one-way hash | |||
| SM3 one-way hash algorithm. In the signing algorithm defined in this | algorithm. In the signing algorithm defined in this document, the | |||
| document, the size of the key for the elliptic curve is matched with | size of the key for the elliptic curve is matched with the size of | |||
| the size of the output of the hash algorithm. Both are 256 bits. | the output of the hash algorithm. Both are 256 bits. | |||
| Many implementations may not support SM2 signatures and SM3 digests. | ||||
| Section 5.2 of [RFC6840] specifies handling of answers in such cases. | ||||
| Caution: This specification is not a standard and does not have IETF | ||||
| community consensus. It makes use of cryptographic algorithms that | ||||
| are national standards for China, as well as ISO/IEC standards (ISO/ | ||||
| IEC 14888:3-2018 [ISO-IEC14888-3_2018] and ISO/IEC 10118:3-2018 | ||||
| [ISO-IEC10118-3_2018]). Neither the IETF nor the IRTF has analyzed | ||||
| that algorithm for suitability for any given application, and it may | ||||
| contain either intended or unintended weaknesses. | ||||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | |||
| BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 2. SM3 DS Records | 2. SM3 DS Records | |||
| The implementation of SM3 in DNSSEC follows the implementation of | The implementation of SM3 in DNSSEC follows the implementation of | |||
| SHA-256 as specified in [RFC4509] except that the underlying | SHA-256 as specified in [RFC4509] except that the underlying | |||
| algorithm is SM3 with digest type code 6. | algorithm is SM3 with digest type code 6. | |||
| The generation of an SM3 hash value is described in Section 5 of | The generation of an SM3 hash value is described in Section 5 of | |||
| [GBT-32905-2016] and generates a 256-bit hash value. | [GMT-0004] and generates a 256-bit hash value. | |||
| 3. SM2 Parameters | 3. SM2 Parameters | |||
| Verifying SM2 signatures requires agreement between the signer and | Verifying SM2 signatures requires agreement between the signer and | |||
| the verifier on the parameters used. The SM2 digital signature | the verifier on the parameters used. The SM2 digital signature | |||
| algorithm has been added to [ISO-IEC14888-3_2018]. The parameters of | algorithm has been added to [ISO-IEC14888-3_2018]. The parameters of | |||
| the curve used in this profile are as follows: | the curve used in this profile are as follows: | |||
| p = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF | p = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF | |||
| FFFFFFFF 00000000 FFFFFFFF FFFFFFFF | FFFFFFFF 00000000 FFFFFFFF FFFFFFFF | |||
| skipping to change at line 136 ¶ | skipping to change at line 147 ¶ | |||
| 4.2. RRSIG Resource Records | 4.2. RRSIG Resource Records | |||
| The SM2 signature is the combination of two non-negative integers, | The SM2 signature is the combination of two non-negative integers, | |||
| called "r" and "s". The two integers, each of which is formatted as | called "r" and "s". The two integers, each of which is formatted as | |||
| a simple octet string, are combined into a single longer octet string | a simple octet string, are combined into a single longer octet string | |||
| for DNSSEC as the concatenation "r | s". (Conversion of the integers | for DNSSEC as the concatenation "r | s". (Conversion of the integers | |||
| to bit strings is described in Section 4.2.1 of [GBT-32918.1-2016].) | to bit strings is described in Section 4.2.1 of [GBT-32918.1-2016].) | |||
| Each integer MUST be encoded as 32 octets. | Each integer MUST be encoded as 32 octets. | |||
| Process details are described in Section 6 of [GBT-32918.2-2016]. | Process details are described in Section 6 of [GMT-0003.2]. | |||
| The algorithm number associated with the DNSKEY and RRSIG resource | The algorithm number associated with the DNSKEY and RRSIG resource | |||
| records is 17, which is described in the IANA Considerations section. | records is 17, which is described in the IANA Considerations section. | |||
| Conformant implementations that create records to be put into the DNS | Conformant implementations that create records to be put into the DNS | |||
| MAY implement signing and verification for the SM2 digital signature | MAY implement signing and verification for the SM2 digital signature | |||
| algorithm. Conformant DNSSEC verifiers MAY implement verification | algorithm. Conformant DNSSEC verifiers MAY implement verification | |||
| for the above algorithm. | for the above algorithm. | |||
| 5. Support for NSEC3 Denial of Existence | 5. Support for NSEC3 Denial of Existence | |||
| skipping to change at line 260 ¶ | skipping to change at line 271 ¶ | |||
| rollovers, taking into account record caching. See [RFC7583] for | rollovers, taking into account record caching. See [RFC7583] for | |||
| details. A suitable replacement algorithm should be both widely | details. A suitable replacement algorithm should be both widely | |||
| implemented and not known to have weaknesses. | implemented and not known to have weaknesses. | |||
| The security considerations listed in [RFC4509] apply here as well. | The security considerations listed in [RFC4509] apply here as well. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [GBT-32905-2016] | ||||
| Standardization Administration of China, "Information | ||||
| security techniques--SM3 Cryptographic Hash Algorithm", | ||||
| [In Chinese], GB/T 32905-2016, March 2017. English | ||||
| translation available at: http://www.gmbz.org.cn/ | ||||
| upload/2018-07-24/1532401392982079739.pdf | ||||
| (http://www.gmbz.org.cn/ | ||||
| upload/2018-07-24/1532401392982079739.pdf). | ||||
| [GBT-32918.1-2016] | [GBT-32918.1-2016] | |||
| Standardization Administration of China, "Information | Standardization Administration of China, "Information | |||
| security technology--Public key cryptographic algorithm | security technology--Public key cryptographic algorithm | |||
| SM2 based on elliptic curves--Part 1: General", [In | SM2 based on elliptic curves--Part 1: General", [In | |||
| Chinese], GB/T 32918.1-2016, March 2017. English | Chinese], GB/T 32918.1-2016, March 2017. English | |||
| translation available at: http://www.gmbz.org.cn/ | translation available at: http://www.gmbz.org.cn/ | |||
| upload/2018-07-24/1532401673134070738.pdf | upload/2018-07-24/1532401673134070738.pdf | |||
| (http://www.gmbz.org.cn/ | (http://www.gmbz.org.cn/ | |||
| upload/2018-07-24/1532401673134070738.pdf) | upload/2018-07-24/1532401673134070738.pdf) | |||
| [GBT-32918.2-2016] | [GMT-0003.2] | |||
| Standardization Administration of China, "Information | Cryptography Standardization Technical Committee of China, | |||
| security technology--Public key cryptographic algorithm | "SM2 public key cryptographic algorithm based on elliptic | |||
| SM2 based on elliptic curves--Part 2: Digital signature | curves -- Part 2: Digital signature algorithm", [In | |||
| algorithm", [In Chinese], GB/T 32918.2-2016, March 2017. | Chinese], GM/T 0003.2-2012, March 2012. English | |||
| English translation available at: http://www.gmbz.org.cn/ | translation available at: TBD (TBD) | |||
| upload/2018-07-24/1532401673138056311.pdf | ||||
| (http://www.gmbz.org.cn/ | [GMT-0004] Cryptography Standardization Technical Committee of China, | |||
| upload/2018-07-24/1532401673138056311.pdf) | "SM3 Cryptographic Hash Algorithm", [In Chinese], GM/ | |||
| T 0004-2012, March 2012. English translation available | ||||
| at: TBD (TBD). | ||||
| [IANA] IANA, "DNS Security Algorithm Numbers", | [IANA] IANA, "DNS Security Algorithm Numbers", | |||
| <https://www.iana.org/assignments/dns-sec-alg-numbers>. | <https://www.iana.org/assignments/dns-sec-alg-numbers>. | |||
| [ISO-IEC10118-3_2018] | [ISO-IEC10118-3_2018] | |||
| ISO/IEC, "IT Security techniques -- Hash-functions -- Part | ISO/IEC, "IT Security techniques -- Hash-functions -- Part | |||
| 3: Dedicated hash-functions", ISO/IEC 10118-3:2018, | 3: Dedicated hash-functions", ISO/IEC 10118-3:2018, | |||
| October 2018. | October 2018. | |||
| [ISO-IEC14888-3_2018] | [ISO-IEC14888-3_2018] | |||
| skipping to change at line 332 ¶ | skipping to change at line 336 ¶ | |||
| [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer | [RFC4509] Hardaker, W., "Use of SHA-256 in DNSSEC Delegation Signer | |||
| (DS) Resource Records (RRs)", RFC 4509, | (DS) Resource Records (RRs)", RFC 4509, | |||
| DOI 10.17487/RFC4509, May 2006, | DOI 10.17487/RFC4509, May 2006, | |||
| <https://www.rfc-editor.org/info/rfc4509>. | <https://www.rfc-editor.org/info/rfc4509>. | |||
| [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS | |||
| Security (DNSSEC) Hashed Authenticated Denial of | Security (DNSSEC) Hashed Authenticated Denial of | |||
| Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, | |||
| <https://www.rfc-editor.org/info/rfc5155>. | <https://www.rfc-editor.org/info/rfc5155>. | |||
| [RFC6840] Weiler, S., Ed. and D. Blacka, Ed., "Clarifications and | ||||
| Implementation Notes for DNS Security (DNSSEC)", RFC 6840, | ||||
| DOI 10.17487/RFC6840, February 2013, | ||||
| <https://www.rfc-editor.org/info/rfc6840>. | ||||
| [RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking, | [RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking, | |||
| "DNSSEC Key Rollover Timing Considerations", RFC 7583, | "DNSSEC Key Rollover Timing Considerations", RFC 7583, | |||
| DOI 10.17487/RFC7583, October 2015, | DOI 10.17487/RFC7583, October 2015, | |||
| <https://www.rfc-editor.org/info/rfc7583>. | <https://www.rfc-editor.org/info/rfc7583>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC9276] Hardaker, W. and V. Dukhovni, "Guidance for NSEC3 | [RFC9276] Hardaker, W. and V. Dukhovni, "Guidance for NSEC3 | |||
| End of changes. 7 change blocks. | ||||
| 28 lines changed or deleted | 37 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||