ETSI TS 102 176-1 V2.1.1 (2011-07) Technical Specification Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 1: Hash functions and asymmetric algorithms ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)2 Reference RTS/ESI-000080-1 Keywords e-commerce, electronic signature, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. © European Telecommunications Standards Institute 2011. All rights reserved. DECT TM , PLUGTESTS TM , UMTS TM and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP TM and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)3 Contents Intellectual Property Rights................................................................................................................................6 Foreword.............................................................................................................................................................6 Introduction ........................................................................................................................................................6 1 Scope........................................................................................................................................................8 2 References................................................................................................................................................9 2.1 Normative references .........................................................................................................................................9 2.2 Informative references......................................................................................................................................12 3 Definitions and abbreviations.................................................................................................................13 3.1 Definitions........................................................................................................................................................13 3.2 Abbreviations ...................................................................................................................................................13 4 Maintenance of the document ................................................................................................................14 5 Hash functions........................................................................................................................................15 5.1 General .............................................................................................................................................................15 5.2 Recommended one way hash functions............................................................................................................16 5.2.1 SHA-1 is no more recommended................................................................................................................16 5.2.2 RIPEMD-160 is no more recommended.....................................................................................................16 5.2.3 SHA-224.....................................................................................................................................................16 5.2.4 SHA-256.....................................................................................................................................................17 5.2.5 WHIRLPOOL.............................................................................................................................................17 5.2.6 SHA-384.....................................................................................................................................................17 5.2.7 SHA-512.....................................................................................................................................................17 5.2.8 SHA-3.........................................................................................................................................................17 6 Signature schemes..................................................................................................................................17 6.1 Signature algorithms.........................................................................................................................................17 6.1.1 General........................................................................................................................................................17 6.1.2 Recommended signature algorithms...........................................................................................................18 6.1.2.1 RSA.......................................................................................................................................................18 6.1.2.2 DSA.......................................................................................................................................................18 6.1.2.3 Elliptic curve analogue of DSA based on a group E(Fp) ......................................................................19 6.1.2.4 Elliptic curve analogue of DSA based on a group E(F2m) ....................................................................20 6.1.2.5 EC-GDSA based on a group E(Fp).......................................................................................................20 6.1.2.6 EC-GDSA based on a group E(F2m).....................................................................................................20 6.2 Recommended key pair generation methods....................................................................................................21 6.2.1 General........................................................................................................................................................21 6.2.2 Recommended key pair generation methods ..............................................................................................21 6.2.2.1 Key and parameter generation algorithm rsagen1.................................................................................21 6.2.2.2 Key and parameter generation algorithm dsagen1 ................................................................................22 6.2.2.3 Key and parameter generation algorithm ecgen1 for ecdsa-Fp.............................................................22 6.2.2.4 Key and parameter generation algorithm ecgen2 for ecdsa-F2m..........................................................22 6.2.2.5 Key and parameter generation algorithm ecgen1 for ecgdsa-Fp...........................................................22 6.2.2.6 Key and parameter generation algorithm ecgen2 for ecgdsa-F2m........................................................23 7 Signature suites ......................................................................................................................................23 7.1 General .............................................................................................................................................................23 7.2 Padding methods ..............................................................................................................................................23 7.3 Recommended signature suites ........................................................................................................................24 8 Random number generation methods.....................................................................................................25 8.1 General .............................................................................................................................................................25 8.2 Recommended random number generation methods .......................................................................................25 8.2.1 Random generator requirements trueran.....................................................................................................26 8.2.2 Random generator requirements pseuran....................................................................................................27 ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)4 9 Recommended hash functions and key sizes versus time ......................................................................28 9.1 Basis for the recommendations ........................................................................................................................28 9.2 Recommended hash functions versus time.......................................................................................................29 9.3 Recommended key sizes versus time ...............................................................................................................29 10 Time period resistance of hash functions and keys................................................................................32 10.1 Time period resistance for hash functions........................................................................................................32 10.2 Time period resistance for signer's key ............................................................................................................32 10.3 Time period resistance for trust anchors...........................................................................................................32 10.4 Time period resistance for other keys...............................................................................................................32 11 Practical ways to identify hash functions and signature algorithms.......................................................33 11.1 Hash functions and signature algorithms objects identified using OIDs..........................................................33 11.1.1 Hash functions ............................................................................................................................................33 11.1.2 Signature algorithms...................................................................................................................................33 11.1.3 Signature suites...........................................................................................................................................34 11.2 Hash functions and signature algorithms identified objects using URNs.........................................................35 11.2.1 Hash functions ............................................................................................................................................35 11.2.2 Signature algorithms...................................................................................................................................35 11.2.3 Signature suites...........................................................................................................................................35 11.3 Recommended hash functions and signature algorithms objects that do not yet have an OID or a description........................................................................................................................................................36 11.4 Recommended hash functions and signature algorithms objects that do not yet have a URN or a description........................................................................................................................................................36 Annex A (normative): Algorithms for various data structures..................................................................37 A.1 Advanced Electronic Signatures based on TS 101 733..........................................................................37 A.2 Advanced Electronic Signatures based on TS 101 903..........................................................................38 A.3 Signer's certificates.................................................................................................................................38 A.4 CRLs.......................................................................................................................................................39 A.5 OCSP responses .....................................................................................................................................39 A.6 CA certificates........................................................................................................................................40 A.7 Self-signed certificates for CA issuing CA certificates..........................................................................40 A.8 TSTs based on RFC 3161 and TS 101 861 ............................................................................................41 A.9 TSU certificates......................................................................................................................................41 A.10 Self-signed certificates for CAs issuing TSU certificates ......................................................................41 A.11 Attribute certificates...............................................................................................................................42 A.12 AA certificates........................................................................................................................................42 Annex B (informative): Recommended key sizes (historical).....................................................................43 B.1 Changes in 2005.....................................................................................................................................43 B.2 Changes in 2007.....................................................................................................................................45 B.3 Changes in 2011.....................................................................................................................................45 Annex C (informative): Generation of RSA modulus.................................................................................46 Annex D (informative): Generation of elliptic curve domain parameters ................................................47 D.1 ECDSA and ECGDSA based on a group E(Fp).....................................................................................47 D.2 ECDSA and ECGDSA based on a group E(F2 m)..................................................................................48 D.3 The class number condition....................................................................................................................49 ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)5 Annex E (informative): On the generation of random data .......................................................................51 E.1 Classes of random number generators....................................................................................................51 E.2 On tests for NRNGs ...............................................................................................................................52 Annex F (informative): Algorithm identifiers defined in various documents...........................................53 F.1 Algorithm identifiers defined in RFC 3278............................................................................................53 F.2 Algorithm identifiers defined in RFC 3279............................................................................................53 F.3 Algorithm identifiers defined in RFC 3370............................................................................................54 F.4 Algorithm identifiers defined in RFC 3447............................................................................................54 F.5 Algorithm identifier defined in RFC 3874.............................................................................................54 F.6 Algorithm identifiers defined in XML-Signature Syntax and Processing W3C Recommendation.......54 F.7 Algorithm identifiers defined in XML Encryption Syntax and Processing. W3C Recommendation....55 F.8 Algorithm identifiers defined in RFC 4050............................................................................................55 F.9 Algorithm identifiers defined in RFC 4051............................................................................................55 F.10 Algorithm identifiers defined in RFC 4055............................................................................................56 Annex G (informative): Abstracts of ISO/IEC 10118-3 and ISO/IEC 9796-2 ..........................................57 Annex H (informative): Signature maintenance..........................................................................................58 Annex I (informative): Major changes from previous versions .................................................................59 Annex J (informative): National Bodies .......................................................................................................60 Annex K (informative): Bibliography...........................................................................................................64 History..............................................................................................................................................................66 ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)6 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). The present document is part 1 of a multi-part deliverable covering the Algorithms and Parameters for Secure Electronic Signatures, as identified below: Part 1: "Hash functions and asymmetric algorithms"; Part 2: "Secure channel protocols and algorithms for signature creation devices". Introduction The present document provides for security and interoperability for the application of the underlying mathematical algorithms and related parameters for electronic signatures in accordance with the Directive 1999/93/EC [1] of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. On the other side the present document is not a legal document answering the question which key lengths or use dates are sufficient to ensure a certain level of liability. In particular the reader is advised that some national signature laws or regulations may require a different level of security for qualified electronic signatures than recommended here by the key lengths and use dates in the present document. The present document is based on cryptographic analysis of the algorithms and it recommends using at least the parameters given here. The present document defines a list of hash functions, as well as a list of signature schemes together with the requirements on their parameters, as well as the recommended combinations of these schemes with hash functions and padding method in the form of "signature suites" to be used with the data structures defined in the documents developed under the European Electronic Signature Standardization Initiative (EESSI). The present document contains several informative annexes which provide useful information on a number of subjects mentioned in the text. The present document is not a general purpose document dealing with hash functions and asymmetrical algorithms in general. The goal of the present document is not to list all "good" signature algorithms but those that are most important to be used in the context of advanced electronic signatures. In addition, the intent of the present document is not to have a catalog of all algorithms suitable for advanced electronic signatures, but to limit the list to a reasonable set so that interoperability can be achieved. Interoperability with security is the main issue. The primary criterion for inclusion of an algorithm in the document is "Secure, widely used and deployed in practice". Whereas all listed algorithms have been checked for security by cryptographic experts, it cannot be concluded from the document, that an algorithm not listed would be insecure. Therefore algorithms are not listed as recommended if they require a restricted environment or remain secure for a short time frame only. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)7 The second part of this multi-part deliverable (protocols and algorithms for SCDev secure channels) is outdated. It defined at the date of issuance protocols and symmetric algorithms that may optionally be used to construct a secure channel providing either only integrity or both integrity and confidentiality between an application and a signature creation device (SCDev). Such a secure channel may be used during the operational phase of a signature creation device: • when the key pair is not generated by the SCDev, to remotely download in the SCDev both a private key and the associated public key certificate; • when the key pair is generated by the SCDev, to remotely download in the SCDev a public key certificate and associate it with the previously generated private key. The protocols and symmetric algorithms in the former scope of part 2 of this multi-part deliverable are defined now in the European Norm EN 14890-1 [16]. Additionally second part is in preparation. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)8 1 Scope The present document is targeted to support advanced electronic signatures and the related infrastructure. The present document defines a list of hash functions and a list of signature schemes, as well as the recommended combinations of hash functions and signatures schemes in the form of "signature suites". The primary criteria for inclusion of an algorithm in the present document are: • the algorithm is considered as secure; • the algorithm is commonly used; and • the algorithm can easily be referenced (for example by means of an OID). This does not mean that other hash functions and signature suites cannot be used, but either they do not correspond to the above criteria or their security has not been assessed. The document also provides guidance on the hash functions, signature schemes and signature suites to be used with the data structures used in the context of electronic signatures. For each data structure, the set of algorithms to be used is specified. Each set is identified by an identifier which is either an OID (Object IDENTIFIER) or a URI /URN. The use of such identifiers is necessary so that interoperability can be achieved. In order to allow for data interchange, the document references algorithms in terms of OIDs and URIs / URNs together with algorithm parameters. Different requirements apply to the issuers and to the users of the data structures in order to allow for interoperability. RFC documents use the terms SHALL, SHOULD, MAY, RECOMMENDED in order to allow for interoperability. The same terminology is used in the present document (see RFC 2119 [25]). Issuers of the data structures (e.g. CSPs, CRL Issuers, OCSP responders, TSUs) need to know the algorithms and key sizes they SHOULD or MAY support. There SHOULD be at least one algorithm recommended to support, but may be more than one. Users of the data structures (i.e. signers or verifiers of electronic signatures) need to know the algorithms and key sizes they SHALL, SHOULD or MAY support. Users may support more than one algorithm for each data structure. These requirements are listed in annex A. Annex B provides historical information on the recommended hash functions, algorithms and key sizes for the generation and verification of electronic signatures. This annex will be periodically updated. Annex C provides more information on the generation of RSA modulus. Annex D provides more information on the generation of elliptic curve domain parameters. Annex E addresses the generation of random data. Annex F lists the algorithm identifiers defined in various documents. Annex G provides a short abstract of ISO/IEC 10118-3 [3] and ISO/IEC 9796-2 [17]. Annex H provides some guidance on signature maintenance. Annex I lists the major changes from the previous versions. The present document defines a set of algorithms (i.e. hash functions, signature schemes and signature suites) and the corresponding parameters that are recommended to be used. If such algorithms are used according to the context where they are expected to be used, then a reasonable security level can be assumed. The algorithms defined in the present document are usable in particular with the following documents: • TS 101 733 [18]: "Electronic Signatures and Infrastructures (ESI); Electronic Signature Formats"; • TS 101 903 [19]: "XML Advanced Electronic Signatures (XAdES)"; ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)9 NOTE: XML language is defined in RFC 3275 [10]. • TS 101 861 [20]: "Time stamping profile"; • TS 101 456 [32]: "Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing qualified certificates"; • TS 102 042 [33]: "Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates"; • EN 14169 [34]: Protection profiles for Secure signature creation device; • CWA 14170 [35]: "Security requirements for signature creation applications"; • CWA 14171 [36]: "Procedures for electronic signature verification"; • CWA 14167-1 [37]: "Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements"; • CWA 14167-2 [38]: "Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 2: Cryptographic module for CSP Signing Operations with Backup - Protection Profile"; • CWA 14167-3 [39]: "Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 3: Cryptographic module for CSP key generation services - Protection profile (CMCKG-PP)"; • CWA 14167-4 [40]: "Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 4: Cryptographic module for CSP signing operations - Protection profile - CMCSO PP"; • RFC 5280 [2]: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"; • RFC 5755 [i.22]: "An Internet Attribute Certificate profile for authorization"; • RFC 3161 [9]: "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)"; • RFC 2560 [22]: "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP". The CWA documents are processed by CEN/TC224 for re-issuing as European Norms. Patent related issues are out of the scope of the present document. 2 References References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are necessary for the application of the present document. [1] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)10 [2] IETF RFC 5280 (2008): "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile". . [3] ISO/IEC 10118-3 (2004): "Information technology - Security techniques - Hash functions Part 3: Dedicated hash functions". NOTE: See annex G for main content description. [4] FIPS Publication 180-3 (2008): "Secure Hash Standard (SHS)". [5] IEEE P1363 (2000): "Standard Specifications for Public-Key Cryptography". [6] FIPS Publication 186-3 (2009): "Digital Signature Standard (DSS)". [7] ANSI X9.62 (2005): "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)". NOTE: This standard is consistent with Elliptic Curve Cryptography (SEC 1) Part 1, Version 1.0, Certicom, 2000 (http://www.secg.org/collateral/sec1_final.pdf). The current draft is Version 1.7 (http://www.secg.org/download/aid-631/sec1_1point7.pdf). [8] ISO/IEC 14888-3 (2006) "Information technology - Security techniques - Digital signatures with appendix - Part 3: Discrete logarithm based mechanisms". [9] IETF RFC 3161 (2001): "Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)". [10] IETF RFC 3275 (2002): "(Extensible Markup Language) XML-Signature Syntax and Processing". [11] IETF RFC 5752 (2010): "Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)". [12] IETF RFC 3279 (2002): "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile". NOTE: Updated by RFC 4055, RFC 4491, RFC 5480, RFC 5758. [13] IETF RFC 3370 (2002): "Cryptographic Message Syntax (CMS) Algorithms". NOTE: Updated by RFC 5754. [14] IETF RFC 3447 (2003): "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1". [15] IETF RFC 4055 (2005): "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure - Certificate and Certificate Revocation List (CRL) Profile". [16] CEN EN 14890-1 (2008): "Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic services". [17] ISO/IEC 9796-2 (2002): "Information technology - Security techniques - Digital signature schemes giving message recovery - Part 2: Integer factorization based mechanisms". NOTE 1: Not to be confused with ISO/IEC 9796-2 (1997): Mechanisms using a hash-function. NOTE 2: See annex G for main content description. [18] ETSI TS 101 733: "Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)". [19] ETSI TS 101 903: "Electronic Signatures and Infrastructures (ESI); XML Advanced Electronic Signatures (XAdES)". [20] ETSI TS 101 861: "Electronic Signatures and Infrastructures (ESI); Time stamping profile". [21] IETF RFC 3281 (2002): "An Internet Attribute Certificate profile for Authorization". ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)11 [22] IETF RFC 2560 (1999): "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP". [23] IETF RFC 3852 (2004): "Cryptographic Message Syntax (CMS)". [24] Void. [25] IETF RFC 2119 (1997): "Key words for use in RFCs to Indicate Requirement Levels". [26] Common PKI Specifications for Interoperable Applications, Version 2.0 (2009), TeleTrusT e.V. Deutschland. NOTE: See http://www.common-pki.org. [27] IETF RFC 3874 (2005): "A 224-bit One-way Hash Function: SHA-224". [28] IETF RFC 4050 (2005): "Using the Elliptic Curve Signature Algorithm (ECDSA) for XML Digital Signatures". [29] IETF RFC 4051 (2005): "Additional XML Security Uniform Resource Identifiers (URIs)". [30] W3C Recommendation - 12 February 2002: "XML-Signature Syntax and Processing". NOTE: See http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/. [31] W3C Recommendation - 10 December 2002: "XML Encryption Syntax and Processing". NOTE: See http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/. [32] ETSI TS 101 456: "Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing qualified certificates". [33] ETSI TS 102 042: "Electronic Signatures and Infrastructures (ESI); Policy requirements for certification authorities issuing public key certificates". [34] CWA 14169: "Secure Signature-Creation Devices "EAL 4+"". [35] CWA 14170: "Security requirements for signature creation applications". [36] CWA 14171: "Procedures for electronic signature verification". [37] CWA 14167-1: "Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements". [38] CWA 14167-2: "Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 2: Cryptographic module for CSP Signing Operations with Backup Protection Profile". [39] CWA 14167-3: "Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 3: Cryptographic module for CSP key generation services - Protection profile (CMCKG-PP)". [40] CWA 14167-4: "Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 4: Cryptographic module for CSP signing operations - Protection profile - CMCSO PP". NOTE: The CWA documents are processed by CEN/TC224 for re-issuing as European Norms. [41] DIN 66291-1: "Chipcards with digital signatur application/function according to SigG and SigV Part 1: Application interface". [42] ANSI X9.175: "Pseudo Random Number Generator (RNG)". [43] IETF RFC 3278: "Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)". ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)12 [44] Required Canonical XML (omits comments). NOTE: Available at: http://www.w3.org/TR/2001/REC-xml-c14n-20010315. [45] Recommended Canonical XML with Comments. NOTE: Available at: http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments. 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. [i.1] Void. [i.2] Void. [i.3] Void. [i.4] Void. [i.5] DigitPA. Determinazione n. 69/2010: "Modifiche alla Deliberazione n. 45 del Centro Nazionale per l'Informatica nella pubblica Amministrazione". NOTE: Available at: http://www.digitpa.gov.it/sites/default/files/normativa/DTcommissario%2069- 2010%20Modifiche%20del%20%20Cnipa%20n%2045- 2009%20su%20regole%20tecniche%20documento%20informatico%20.pdf [i.6] ECRYPT II, Yearly Report on Algorithms and Keysizes (2010), Rev. 1.0, ICT-2007-216676, 2010-03-30. NOTE: See http://www.ecrypt.eu.org/documents/D.SPA.13.pdf. [i.7] NIST, Transitions: "Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths", NIST Special Publication 800-131A, 2011-01-13. NOTE: See http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf. [i.8] ISO/IEC 18032 (2005): "Information technology - Security techniques - Prime number generation". [i.9] Wiener, M.: "Cryptanalysis of short RSA secret exponents", IEEE Transactions on Information Theory, Vol. 36 1990. [i.10] Boneh, D. and Durfee, G.: "Cryptanalysis of RSA with private key less than N0.292", Proc. Eurocrypt '99, LNCS, J. Stern (ed.), Springer-Verlag, 1999. Final version in IEEE Trans. Information Theory, Vol. 46 2000. [i.11] Durfee, G. and Nguyen, P.: "Cryptanalysis of RSA with short private exponent", Proc. Asiacrypt '99, LNCS, Springer-Verlag, 1999. [i.12] R.L. Rivest, R.D. Silverman: "Are 'Strong' Primes needed for RSA?", Peprint 1999 December 1, 1998. [i.13] IETF RFC 5639 (2010): "Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation". [i.14] ISO/IEC 18031 (2005): "Information technology - Security techniques - Random bit generation". [i.15] ANSI X9.82 (2006) Random Number Generation Parts 1. [i.16] AIS 20: "Application Notes and Interpretation of the Scheme: Functionality classes and evaluation methodology for deterministic random number generators", Version 1. NOTE: Available at: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/ais20e_pdf.pdf. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)13 [i.17] ANSI X9.17-1985: "Financial Institution Key Management (wholesale)". [i.18] Ruhkin, A. et al.: "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications", NIST Special Publication 800-22 with revisions dated 15.05.2001; available at Menezes, A., van Oorschot, P. and Vanstone, S., "Handbook of Applied Cryptography (chapter 5)", CRC Press, 1997. NOTE: See http://www.cacr.math.uwaterloo.ca/hac. [i.19] AIS 31: "Functionality Classes and Evaluation Methodology for Physical Random Number Generators", Version 3.1 (25.09.2001). NOTE: Available at: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/ais31e_pdf.pdf. [i.20] Maurer, U.: "A universal statistical test for random bit generators", Advances in Cryptology Crypto '90, LNCS 537, pp. 409-420, 1991. [i.21] ISO/IEC 15946-2 (withdrawn): "Information technology - Security techniques - Cryptographic techniques based on elliptic curves -- Part 2: Digital signatures". [i.22] IETF RFC 5755: "An Internet Attribute Certificate Profile for Authorization". [i.23] "Elliptic Curve Cryptography (ECC)" Bundesamt für Sicherheit in der Informationstechnik, TR-03111(2006). [i.24] J.S. Coron: "Optimal Security Proofs for PSS and Other Signature Suites", EUROCRYPT 2002, LNCS 2332, Springer, Berlin, 2002. [i.25] H. Cohen: "A Course in Computational Algebraic Number Theory", Springer, Berlin, 1993. [i.26] IETF RFC 2459: "Internet X.509 Public Key Infrastructure Certificate and CRL Profile". 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the following terms and definitions apply: bit length: bit length of an integer p is r if 2r-1 ≤ p < 2r signature policy: set of rules for the creation and validation of an electronic signature, that defines the technical and procedural requirements for electronic signature creation and validation, in order to meet a particular business need, and under which the signature can be determined to be valid signature scheme: triplet of three algorithms composed of a signature creation algorithm, a signature verification algorithm and a key generation algorithm NOTE: The key generation algorithm generates the keys for the two others algorithms. signature suite: combination of a signature scheme with a padding method and a cryptographic hash function 3.2 Abbreviations For the purposes of the present document, the following abbreviations apply: AA Attribute Authority AC Attribute Certificates ANSI American National Standards Institute CA Certification Authority CRL Certificate Revocation List ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)14 CRT Chinese Remainder Theorem CSP Certification-Service-Provider CWA CEN Workshop Agreement DRNG Deterministic Random Number Generator DSA Digital Signature Algorithm ECC Elliptic Curve Cryptography ECDSA Elliptic Curve Digital Signature Algorithm ECGDSA Elliptic Curve German Digital Signature Algorithm IETF Internet Engineering Task Force ISO International Organization for Standardization MGF Mask Generation Function NIST National Institute of Standards and Technology NRNG Non-deterministic Random Number Generator OCSP Online Certificate Status Protocol OID Object IDentifier RfC Request for Comments RNG Random Number Generator RSA Rivest, Shamir and Adleman algorithm SCDev Secure Signature Creation Device TST Time-Stamp Token TSU Time-Stamping Unit URI Uniform Resource Identifier URN Uniform Resource Number 4 Maintenance of the document As a response to relevant developments in the area of cryptography and technology, activities for the maintenance of the present document shall enable dynamic updating of the lists of recommended algorithms and signature suites. The current list of recommended cryptographic hash functions and signature algorithms is given in the present document. The maintenance activities will introduce new cryptographic hash functions and signature algorithms and will lead to remove cryptographic hash functions and signature algorithms from the list and need to respond to the following situations: 1) The need to introduce new algorithms and relevant parameters will call for a mechanism that is rather dynamic. Since it is important to maintain interoperability, updates may result from the adoption or removal of an algorithm in a document on which an ETSI TS or CWA is based upon. 2) Advances in cryptography will call for a phasing out of some algorithms or parameters. Such phasing out will normally be known well in advance. 3) In the case of new attacks the immediate need to remove an algorithm could arise. The maintenance activity will be carried by ETSI. For cases 1 and 2, ETSI shall review the present document at regular intervals of at most two years. In case 3, ETSI shall update the present document as soon as possible. In that case, affected algorithms should no longer be used even before the present document will be revised. However, immediate response is up to legislation and/or supervision of CSPs. For that reason an informative annex J is included that list National Bodies, known at the issuing time of this Technical Specification. The maintenance activity for cases 1 and 2 allow for some transition period during which the algorithm/parameter values to be revised may be used in already issued certificates and electronic-signature products. However, the revised items should not be considered for use in certificates to be issued and new electronic-signature products. The transition period shall allow vendors using the revised items to alter their production process. If the security implications of a revision are considered very serious, the certificates and electronic-signature products using the revised item should be withdrawn before their planned expiry date and other measures, like archival time stamps according to TS 101 733 [18] should be undertaken to preserve the security status of electronic signatures based on it. In order to allow an easy follow up of the present document, a history of the tables provided in the main body of the document will be maintained and kept as annexes. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)15 5 Hash functions 5.1 General A hash function takes as input a variable-length message and produces as output a fixed-length hash value. NOTE: In the present document, "hash function" means a hash function with the three properties defined in this clause (i.e. clause 5.1). Hash functions may be used in a variety of cases, such as: • Advanced Electronic Signatures include the identifier of the hash function used to compute the digital signature. • Time-Stamp tokens include the identifier of the hash algorithm used to compute the hash value for the time-stamped data. • Public key certificates include the identifier of a signature suite which defines the hash function used to compute the digital signature. For the purpose of generating signatures the following (informally defined) three properties are required from the hash function h: 1) Pre-image resistance: Given y = h(m) (but not m) it is practically infeasible to find m. Without this property, a signature scheme may otherwise be vulnerable to an attack based on generating the signature "backwards", applying the verification function to a randomly chosen signature value. 2) 2nd pre-image resistance: Given h(m) and m, it is practically infeasible to find another m' ≠ m such that h(m) = h(m'). For signatures, this property protects from re-using an already existing signature for another message. 3) Collision resistance: It is practically infeasible to find any pair of distinct values m, m' such that h(m) = h(m'). This property is obviously needed to protect signature against chosen message attacks. While one can construct examples of functions that are collision resistant, but not pre-image resistant, one would for practical purposes nevertheless expect that the above list of properties is ordered by difficulty for an attacker, i.e. breaking pre-image resistance is the most difficult. New attacks against hash function MD5 and SHA-1 succeeded, it was shown that MD5 is not collision resistant by constructing classes of messages-pairs with the same hash value. Whereas the loss of collision resistance does not imply that a pre-image or second pre-image can easier be constructed, it is recommended to migrate to other hash functions, if the collision resistance becomes weaker. In addition to this, more subtle properties are often required as a consequence of mathematical properties of the signature scheme itself. For instance, "h" should not preserve algebraic structure. The perhaps best known example is the multiplicatively of the (naive) RSA scheme, which would otherwise give a valid signature for a x b from two valid signatures of a and b. The above properties have led to some signature schemes being defined and proven secure in the so-called Random Oracle Model, where one assumes "h" "behaves" like a completely random function. Intuitively, a completely random function should have all of the above properties as long as the range of the function is large enough. The list of currently recommended hash functions is given in table 1. Each hash function has a unique entry index represented by a string beginning with "1." followed by a two-digit entry number. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)16 Table 1: The list of recommended hash functions Hash function entry index Short hash function entry name Adoption date Normative references 1.03 sha224 2004 FIPS Publication 180-3 [4] 1.04 sha256 2004 ISO/IEC 10118-3 [3] and FIPS Publication 180-3 [4] 1.05 whirlpool 2004 ISO/IEC 10118-3 [3] 1.06 sha384 31.03.2007 FIPS Publication 180-3 [4] 1.07 sha512 31.03.2007 FIPS Publication 180-3 [4] NOTE: Additional secure hash algorithms, beside the SHA-2 family, were needed. For that reason the Whirlpool algorithm has been added. This algorithm has been reviewed by NESSIE experts. 5.2 Recommended one way hash functions 5.2.1 SHA-1 is no more recommended SHA-1 MAY be used to hash a message, M, having a length of up to 264-1 bits. The final result of SHA-1 is a 160-bit message digest. The SHA-1 algorithm is described in ISO/IEC 10118-3 [3] and FIPS Publication 180-3 [4]. NOTE 1: Several attacks against SHA-1 have been discovered since February 2005. Although a collision of the full 80-round SHA-1 has not yet been published, at least SHA-224 and SHA-256 SHOULD be implemented for any new product for electronic signatures. NOTE 2: All known collision attacks on SHA-1 require full control of certain substrings within the data to be hashed and knowledge of the data bits prior to these strings. This is be considered as a realistic attack scenario for documents signed by signers (in particular, when a kind of "active" program element may be hidden in the document). On the other hand for X.509 certificates such attacks can be prevented by the CA by including a reasonable amount of entropy (i.e. data bits neither known to nor predictable by the attacker) in the certificate string prior to any data bits controllable by the attacker. This method leads to a considerably higher resistance of certificates against collision attacks. Collision attacks on SHA-1 were recently improved and colliding messages may be constructed in the near future. Therefore SHA-1 SHOULD NOT be used for document signatures. SHA-1 remains resistant against second pre-image attacks, so it can be used for certificate creation and verification if the certificate body includes sufficient entropy (i.e. data bits neither known to nor predictable by the attacker) prior to any data bits controllable by the attacker. 5.2.2 RIPEMD-160 is no more recommended RIPEMD-160 is no more recommended due to the short hash value length. NOTE: RIPEMD-320 is constructed from RIPEMD-160 by initializing the two parallel lines with different initial values, omitting the combination of the two lines at the end of every application of the compression function, and exchanging a chaining variable between the 2 parallel lines after each round. The security level of the 320-bit extension of RIPEMD-160 is the same as that of RIPEMD-160 itself. Similarly the 256-bit extension of RIPEMD-128, i.e. RIPEMD-256 is the same as that of RIPEMD-128. 5.2.3 SHA-224 SHA-224 MAY be used to hash a message, M, having a length of up to 264-1 bits and the output size is 224 bits. The function is defined in the exact same manner as SHA-256 (clause 5.2.4), except for the initial value and the truncation of the final hash value. The SHA-224 algorithm is described in FIPS Publication 180-3 [4]. The specification for SHA-224 is identical to SHA-256, except that different initial values are used, and the final hash value is truncated to 224 bits. Therefore it is NOT RECOMMENDED to use SHA-224, if SHA-256 can be used instead without truncation. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)17 5.2.4 SHA-256 SHA-256 MAY be used to hash a message, M, having a length of up to 264-1bits. The final result of SHA-256 is a 256-bit message digest. The SHA-256 algorithm is described in FIPS Publication 180-3 [4]. 5.2.5 WHIRLPOOL WHIRLPOOL is a hash function defined in ISO/IEC 10118-3 [3] that operates on messages less than 2256-1 bits in length, and produces a message digest of 512 bits. Whirlpool MAY be used to compute the imprint of a message placed in a time-stamp token. Whirlpool MAY be used with the RSA algorithm. The WHIRLPOOL algorithm is described in ISO/IEC 10118-3 [3]. NOTE: The Whirlpool output, i.e. 512 bits, is more than what may be needed for DSA and ECDSA, but there is a general principle to use the leftmost bits of the output as the hash value, but currently there is no Whirlpool algorithm variant defined by an OID/URN with a truncated length. Whirlpool has been included as an alternative to the SHA-2 family and can be used either to compute a hash value (for a time-stamp token) or with the RSA algorithm. 5.2.6 SHA-384 SHA-384 MAY be used to hash a message, M, having a length of up to 2128-1 bits and the output size is 384 bits. The function is defined in the exact same manner as SHA-512 (clause 5.2.7), except for the initial value and the truncation of the final hash value. The SHA-384 algorithm is described in FIPS Publication 180-3 [4]. The specification for SHA-384 is identical to SHA-512, except that different initial values are used, and the final hash value is truncated to 384 bits. Therefore it is NOT RECOMMENDED to use SHA-384, if SHA-512 can be used instead without truncation. 5.2.7 SHA-512 SHA-512 MAY be used to hash a message, M, having a length of up to 2128-1bits. The final result of SHA-512 is a 512-bit message digest. The SHA-512 algorithm is described in FIPS Publication 180-3 [4]. 5.2.8 SHA-3 NIST announced a public competition on November 2, 2007 to develop a new cryptographic hash algorithm. Based on the public discussion of the second-round candidates, NIST selected on December 9, 2010 five SHA-3 finalists BLAKE, Grøstl, JH, Keccak, and Skein to advance to the third (and final) round of the competition. The final selection will be announced in 2012. 6 Signature schemes A signature scheme consists of three algorithms: a key generation algorithm and a signature creation algorithm and a signature verification algorithm. The latter are identified hereafter as a pair of algorithms. Each pair has its own name. 6.1 Signature algorithms 6.1.1 General The list of currently recommended signature algorithms is given in table 2. Each signature algorithm has a unique entry index represented by a string beginning with "2." followed by a two-digit entry number. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)18 Table 2: The list of recommended signature algorithms Signature algorithm entry index Short signature algorithm entry name Key and Parameter generation algorithms Normative references 2.01 Rsa rsagen1 RFC 3447 [14] 2.02 Dsa dsagen1 FIPS Publication 186-3 [6], ISO/IEC 14888-3:2006 [8] 2.03 ecdsa-Fp ecgen1 ANSI X9.62 [7] 2.04 ecdsa-F2m ecgen2 ANSI X9.62 [7] 2.05 ecgdsa-Fp ecgen1 ISO/IEC 14888-3 [8] 2.06 ecgdsa-F2m ecgen2 ISO/IEC 14888-3 [8] The following clauses describe the parameters and key generation algorithms for the signature algorithms listed in table 2. 6.1.2 Recommended signature algorithms 6.1.2.1 RSA The RSA algorithm's security is based on the difficulty of factoring large integers. The RSA computations SHALL be performed as described in RFC 3447 [14]. To generate the key pair two prime numbers, p and q, are generated randomly and independently, satisfying the following requirements: • the bit length of the modulus n = p q must be at least MinModLen; its length is also referred to as ModLen; • p and q should have roughly the same length, e.g. set a range such as 0,1 < | log2p - log2q | < 30; • the set of primes from which p and q are (randomly and independently) selected SHALL be sufficiently large and reasonably uniformly distributed. The private key consists of a positive integer d (the private exponent) and the modulus n. The public key consists of a positive integer e (the public exponent) and the modulus n. CRT (Chinese Remainder Theorem) implementations are also allowed, in which case the private key will contain more values derived from the factorization of the modulus n. For RSA signatures also a padding method has to be specified. 6.1.2.2 DSA The DSA algorithm's security is based on the difficulty of computing the discrete logarithm in the multiplicative group of a prime field Fp. The DSA computations SHALL be performed as described in FIPS Publication 186-3 [6] with the change notice. The same algorithm is also specified in ISO/IEC 14888-3 [8] which can be used for information and for selection of larger parameters. The public parameters p, q and g MAY be common to a group of users. The bit length α of the prime modulus p SHALL be at least pMinLen bits long. The bit length β of q, which is a prime divisor of (p-1), SHALL be at least qMinLen bits long. g SHALL be computed as indicated in FIPS Publication 186-3 [6] with the change notice. According to ISO/IEC 14888-3 [8] only the following choices for α and β are specified: α = 1024, β = 160; α = 2048, β = 224; α = 2048, β = 256; α = 3072, β = 256. The value of β determines the defined in FIPS PUBLICATION 180-3 [4] hash function to be used. This requires for β = 160 the function SHA-1, which should not be used for new applications as recommended in clause 9.2. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)19 NOTE: SHA-224 does not provide security advantages over SHA-256. If it is not required by a signature length restriction, since a signature with β =224 occupies 448 bits whereas a signature with β =256 needs 512 bits, it is RECOMMENDED to use parameters with β =256. The private key consists of: • the public parameters p, q and g; • a statistically unique and unpredictable integer x, 0 < x < q, which is signatory-specific; and • a statistically unique and unpredictable integer k, 0 < k < q, which must be regenerated for each signature. If the distribution of k is significantly different from uniform within the interval then there may be weaknesses. Bleichenbacher has presented an attack which can be sub-exhaustive depending on the size of the bias and the number of signatures produced using a single secret key. The value of k must be kept secret as well as the private key, even if k is only partially known there exists an attack (Nguyen/Shparlinski). The public key consists of p, q, g and an integer y computed as y = gx mod p. When computing a signature of a message M, no padding of the hashcode is necessary. However, the hashcode must be converted to an integer by applying the method described in appendix 2.2 of FIPS Publication 186-3 [6] with the change notice. 6.1.2.3 Elliptic curve analogue of DSA based on a group E(Fp) This signature algorithm is referred to as ecdsa-Fp. The algorithm SHOULD be applied as specified in ANSI X9.62 [7]. The same algorithm is also specified in ISO/IEC 14888-3 [8], IEEE P1363 [5] and ISO/IEC 15946-2 (withdrawn) [i.21] which can be used for information. According to ISO/IEC 14888-3 [8] the elliptic curve analogue of DSA can be used with non-SHA hash functions. An OID for the combination with RIPEMD-160 is given in clause 11.1.3. The security of the ecdsa-Fp algorithm is based on the difficulty of computing the elliptic curve discrete logarithm. The public parameters are as follows: • p prime; • q large prime at least qMinLen bits long, p ≠ q; • E elliptic curve over a finite field Fp whose order n is divisible by q; and • P point on E(Fp) of order q. The public parameters MAY be common to a group of users. The quotient h of the group order n divided by q may be considered as a public parameter too. The class number of the maximal order of the endomorphism ring of E SHALL be at least MinClass = 200. The value r0: = min (r: q divides pr-1) SHALL be greater than r0Min=104. h = n/q SHALL be less or equal 4. All standardized elliptic curves fulfil this requirement (note that http://www.secg.org/download/aid-780/sec1-v2.pdf [7] requires only h ≤ 2t/8, where 2t is the bit length of p). In FIPS Publication 186-3 [6] five curves over a prime field are defined. The ECC Brainpool paper on standard curves and curve generation (RFC 5639 [i.13]) contains an alternative set of curves over prime fields with 160 bits, 192 bits, 224 bits, 256 bits, 320 bits, 384 bits and 512 bits. All these curves fulfil the above requirements. The private key consists of: • the public parameters E, m, q and P; • a statistically unique and unpredictable integer x, 0 < x < q, which is signatory-specific; and • a statistically unique and unpredictable integer k, 0 < k < q, which must be regenerated for each signature. The public key consists of E, q, P and Q, a point of E, which is computed as Q = xP. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)20 6.1.2.4 Elliptic curve analogue of DSA based on a group E(F2m) This signature algorithm is referred to as ecdsa-F2m. The algorithm SHALL be applied as specified in ANSI X9.62 [7]. The same algorithm is also specified in ISO/IEC 14888-3 [8], IEEE P1363 [5], and ISO/IEC 15946-2 [i.21] which can be used for information. The security of the ecdsa-F2m algorithm is based on the difficulty of computing the elliptic curve discrete logarithm. The public parameters are as follows: • m prime number; • q large prime at least qMinLen bits long; • E elliptic curve over a finite field F2m whose order n is divisible by q; • it must not be possible to define E over F2; and • P point on E(F2 m) of order q. h = n/q must be less or equal 4 (note that [7] requires only h ≤ 2t/8, where 2t is the bit length of p). The class number of the maximal order of the endomorphism ring of E SHALL be at least MinClass = 200. The value r0:=min(r: q divides 2mr-1) SHALL be greater than r0Min = 104. In FIPS Publication 186-3 [6] five pseudorandomly generated curves over F2m are defined. All these curves satisfy the above requirements. A field representation is required, common to both the signatory and the verifier, so that signatures can be interpreted correctly. The representations given in IEEE P1363 [5] and FIPS Publication 186-3 [6] are recommended. Thus if a polynomial basis is required then an irreducible trinomial of the form xm + xa + 1 with minimal a should be used. If such a polynomial does not exist then an irreducible pentanomial of the form xm + xa + xb + xc + 1 should be used; a should be minimal, b should be minimal given a and c should be minimal given a and b. The private key consists of: • the public parameters E, m, q and P; • a statistically unique and unpredictable integer x, 0 < x < q, which is signatory-specific; and • a statistically unique and unpredictable integer k, 0 < k < q, which must be regenerated for each signature. The public key consists of E, q, P and Q, a point of E which is computed as Q=xP. 6.1.2.5 EC-GDSA based on a group E(Fp) This signature algorithm is referred to as ecgdsa-Fp. The algorithm SHALL be applied as specified in ISO/IEC 14888-3 [8]. The security of the ecgdsa-Fp algorithm is based on the difficulty of computing the elliptic curve discrete logarithm. The ecgdsa-Fp algorithm is a variant of the ecdsa-Fp algorithm with a modified signature creation equation and verification method. The parameters are the same as for ecdsa-Fp and therefore should satisfy all the constraints given in clause 6.1.2.3. NOTE: The basic difference between ECDSA and EC-GDSA is that during signature creation k does not need to be inverted for ECGDSA. Under certain circumstances this can be advantageous for the design and performance of the SCDev. 6.1.2.6 EC-GDSA based on a group E(F2m) This signature algorithm is referred to as ecgdsa-F2m. The algorithm SHALL be applied as specified in ISO/IEC 14888-3 [8]. The security of the ecgdsa-F2m algorithm is based on the difficulty of computing the elliptic curve discrete logarithm. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)21 The ecgdsa-F2m algorithm is a variant of the ecdsa-F2m algorithm with a modified signature creation equation and verification method. The parameters are the same as for ecdsa-F2m and therefore should satisfy all the constraints given in clause 6.1.2.4. NOTE: For the difference between ECDSA and ECGDSA see the note in clause 6.1.2.5. 6.2 Recommended key pair generation methods 6.2.1 General Key pair generation methods are not part of the definition of a signature suite and may evolve without the need to change the identifier of the signature suite. Table 3 summarizes the recommended key pair generation methods for all signature algorithms considered in the present document. Each key pair generation method has a unique entry index represented by a string beginning with "3." followed by a two-digit entry number. Table 3: The list of recommended key pair generation methods Key generator entry index Short key generator entry name Signature algorithm Random number generation method Random generator parameters Adoption date Normative references 3.01 Rsagen1 rsa trueran or pseuran EntropyBits or SeedEntropy, resp. 01.01.2001 3.02 Dsagen1 dsa trueran or pseuran EntropyBits or SeedEntropy, resp. 01.01.2001 FIPS Publication 186-3 [6] 3.03 ecgen1 ecdsa-Fp, ecgdsa-Fp trueran or pseuran EntropyBits or SeedEntropy, resp. 01.01.2001 3.04 ecgen2 ecdsa-F2m, ecgdsa-F2m trueran or pseuran EntropyBits or SeedEntropy, resp. 01.01.2001 6.2.2 Recommended key pair generation methods 6.2.2.1 Key and parameter generation algorithm rsagen1 Generate p and q as indicated in clause 6.1.2.1 by applying a random number generation method satisfying the requirements trueran (see clause 8.2.1) or using a method satisfying pseuran (see clause 8.2.2) with an appropriate size seed. Each prime SHALL effectively be influenced by EntropyBits bits of true randomness or a seed of entropy SeedEntropy bit. Random numbers SHALL be tested for primality until one of them is found to be prime with a probability of error (i.e. of actually being composite) of at most ErrProb. Details on generating random primes can be found in ISO/IEC 18032 [i.8], in particular clause 8.2. Examples of algorithms to produce RSA moduli, i.e. pairs of primes satisfying the condition 0,1 < | log2p - log2q | < 30 are given in annex C. NOTE 1: Annex A of ISO/IEC 18032 [i.8] contains a table of error probabilities for different probabilistic primality tests. EXAMPLE: For a random number of 1 024 bit tested with three successful iterations of the Miller-Rabin test the probability that this number is not a prime is about 2-93. The private exponent d and the public exponent e must satisfy ed ≡ 1 (mod lcm (p-1, q-1)) which is automatically the case if ed ≡ 1 (mod (p-1)(q-1)). The private exponent d must not be too small (Wiener 1990 [i.9], Boneh and Durfee 1999 [i.9], Durfee and Nguyen 1999 [i.11]); it is sufficient to choose d in a range at least n from its minimum and maximum values. In practice by randomly choosing the public exponent e (subject to the condition gcd(e,(p-1)(q-1))=1) the corresponding private exponent d will satisfy that condition with very high probability. If e is chosen small (e.g. less than n0,125) the condition on d will automatically be satisfied. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)22 NOTE 2: It may also be recommendable to choose e not too small (e ≥ 216+1) as for example results of Boneh and Venkatesan suggest that for very small e the RSA problem could be easier than factoring. Nevertheless in contrast to RSA encryption small public exponents generally are not a direct threat for RSA signatures. A small public exponent (e.g. e = 3) MAY be used if performance is critical, otherwise e ≥ 216+1 is RECOMMENDED. A new modulus has to be produced for each user of the signature scheme even if different public exponents are used. In practice if the moduli and public exponents are produced as described above (i.e. random modulus and choosing the public exponent) the probability of producing the same modulus or secret exponent is negligible. NOTE 3: It is not recommended to use a prime selection algorithm which prefers a special class of primes. For example according to Rivest and Silverman [i.12] the use of "strong" primes would not improve security in practice. 6.2.2.2 Key and parameter generation algorithm dsagen1 The primes p and q SHALL be generated as described in appendix 2.2 of FIPS Publication 186-3 [6] with primality of an integer regarded as satisfied if the probability that it is composite is at most ErrProb. Generate x by applying a random number generation method satisfying the requirements trueran (see clause 8.2.1) or using a method satisfying pseuran (see clause 8.2.2) with an appropriate size seed. Each value of x SHALL effectively be influenced by EntropyBits bits of true randomness or a seed of entropy SeedEntropy bit. Generate k using one of these methods; k does not have to be generated using exactly the same method as x. Possible methods for this can be found in FIPS Publication 186-3 [6] which contains a Change Notice (due to Bleichenbacher's attack). 6.2.2.3 Key and parameter generation algorithm ecgen1 for ecdsa-Fp The prime numbers p and q, and the point P on E(Fp) SHALL be selected so that the conditions in clause 6.1.2.3 are satisfied with primality of an integer regarded as satisfied if the probability that it is composite is at most ErrProb. Possible methods to generate p, q, E and P are specified in [7], in the ECC Brainpool paper on standard curves and curve generation [i.13] and also in clause D.1. In situations where an intentional choice of weak public parameters (subject to an unknown "insider" attack) seems to be possible a countermeasure is to request that these parameters are generated verifiably at random. In such situations it is recommended to do so at least for the generation of the curve E. In [7], in the ECC-Brainpool paper on standard curves and curve generation and in clause D.1 possible methods for this are described. Generate x by applying a random number generation method satisfying the requirements trueran (see clause 8.2.1) or using a method satisfying pseuran (see clause 8.2.2) with an appropriate size seed. Generate k using one of these methods; k does not have to be generated using exactly the same method as x. Each value of x and k SHALL effectively be influenced by EntropyBits bits of true randomness or a seed of entropy SeedEntropy bit. 6.2.2.4 Key and parameter generation algorithm ecgen2 for ecdsa-F2m The prime numbers m and q, the elliptic curve E over F2 m and the point P on E(F2m) SHALL be selected so that the conditions in clause 6.1.2.4 are satisfied with primality of an integer regarded as satisfied if the probability that it is composite is at most Err Prob. Possible methods to generate m, q, E and P are specified in [7] (and also in clause D.2). In situations where an intentional choice of weak public parameters (subject to an unknown "insider" attack) seems to be possible a countermeasure is to demand that these parameters are generated verifiably at random. In such situations it is recommended to do so at least for the generation of the curve E. In [7] a possible method for this is described (compare also clause D.2). Generate x by applying a random number generation method satisfying the requirements trueran (see clause 8.2.1) or using a method satisfying pseuran (see clause 8.2.2) with an appropriate size seed. Generate k using one of these methods; k does not have to be generated using exactly the same method as x. Each value of x and k SHALL effectively be influenced by EntropyBits bits of true randomness or a seed of entropy SeedEntropy bit. 6.2.2.5 Key and parameter generation algorithm ecgen1 for ecgdsa-Fp The parameter and key generation methods should be the same as the ecdsa-F2m methods described in clause 6.2.2.3. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)23 6.2.2.6 Key and parameter generation algorithm ecgen2 for ecgdsa-F2m The parameter and key generation methods should be the same as the ecdsa-F2m methods described in clause 6.2.2.4. 7 Signature suites 7.1 General To meet this security requirement and to allow signing of more or less arbitrary long messages, a signature suite requires a hash function, so that the signing/verification algorithms operate on a fixed-size hash of the message. An important issue is to tie the hash function to the signature scheme. Without this, the weakest available hash function could define the overall security level. Due to possible interactions which may influence security of electronic signatures, algorithms and parameters for secure electronic signatures SHALL be used only in predefined combinations referred to as the signature suites. A signature suite consists of the following components: • a hash function; • a padding method; • a signature algorithm and its associated parameters. If any of the components of a suite is modified, then the suite must be modified accordingly. The list of recommended hash functions is defined in clause 5.1. The list of recommended padding methods is defined in clause 7.2. The list of recommended signature algorithms is defined in clause 6.1. The list of currently recommended signature suites is given in clause 7.3. Key generation is not part of the way to identify a signature suite and may change over time. Key generation methods are addressed in clause 6.2. Some key generation methods and some signature suites require to generate a (pseudo-) random number. The (pseudo) random number generation method is not part of the way to identify a signature suite and may change over time. (Pseudo) random number methods are addressed in clause 8. 7.2 Padding methods Padding is algorithm dependent and some algorithms need non-trivial padding. This is the case for the RSA algorithm. Signature algorithms with appendix require methods that encode a message into an integer message representative that will be the input for the signature primitive. This encoding method can be deterministic, for example a padding of a fixed string to the hash value computed from the message, but may be also randomized, incorporating a (randomly generated) salt value, which are converted to and from message representatives. Although these latter encodings are not true padding schemes, they are listed here. The list of currently recommended padding methods is given in table 4. Each padding method has a unique entry index represented by a string beginning with "4." followed by a two-digit entry number. Table 4: The list of recommended padding methods Padding method entry index Short padding function entry name Random number generation method Random generator parameters Normative references 4.01 emsa-pkcs1-v1.5 - - RFC 3447 [14] 4.02 emsa-pkcs1-v2.1 - - RFC 3447 [14], section 9.2 4.03 emsa-pss trueran/pseuran MinSaltEntropy RFC 3447 [14], section 9.1 ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)24 Padding method entry index Short padding function entry name Random number generation method Random generator parameters Normative references 4.04 iso9796ds2 trueran/pseuran MinSaltEntropy ISO/IEC 9796-2 [17] 4.05 iso9796-din-rn trueran/pseuran MinSaltEntropy DIN 66291-1 [41] 4.06 iso9796ds3 - - ISO/IEC 9796-2 [17] Each salt value SHALL effectively be influenced by at least MinSaltEntropy bits of true randomness or a seed of entropy at least MinSaltEntropy bits. This rule implies that the salt length is at least MinSaltEntropy bits. NOTE 1: The above rule of MinSaltEntropy bits salt entropy is not meant in the strict and exclusive manner as the demand for EntropyBits/SeedEntropy bits of entropy for key generation in clause 6.2, it is a recommendation. For example Coron [i.24] showed that for emsa-pss already a significantly shorter than 64 bit salt length allows a reduction of the security of the signature scheme to the RSA problem under realistic assumptions. Nevertheless such a reduction analysis does not take into account every kind of possible weaknesses e.g. side channels. The default value for the salt length is 20 Bytes. The bit length of the hash function used in the signature scheme is another appropriate value. Shorter values are not recommended. The emsa-pkcs1-v1.5 padding method is included, but it is NOT RECOMMENDED for new implementations, since it will be phased out. NOTE 2: Up to May 2011, no real attack on emsa-pkcs1-v1.5 has been published. Some attacks on this padding scheme were caused by implementation errors or side channels. It should these attacks are impossible in case the emsa-pss scheme was used. The emsa-pss method is included as, despite not being widely used, it has been stable for a long time and is a good improvement to the two emsa-pkcs1 schemes (i.e. -v1.5 and -v2.1 which only differ by the encoding method) and it is better suited for long term use. The padding method emsa-pss is parameterized by the choice of hash function and a mask generation function MGF, defined in PKCS#1 (RFC 3447 [14]). In the present document, MGF is based ALWAYS on the corresponding hash function used, e.g. SHA-1 or SHA-256. The method iso9796ds2 is "digital signature scheme 2" in ISO/IEC 9796-2 [17]. The method iso9796-din-rn is the variant of a scheme from ISO/IEC 9796-2 [17] called "DSI according to ISO/IEC 9796-2 [17] with random numbers" in DIN 66291-1 [41]. It is described in annex A of [16]. NOTE 3: This is a variant on Digital Signature Scheme 1 of ISO/IEC 9796-2 [17]. The Digital Signature Scheme 1 has wide deployments and is secure but maybe in the future not be recommended for new systems. The method iso9796ds3 is "digital signature scheme 3" in ISO/IEC 9796-2 [17]. NOTE 4: iso9796ds1 no longer represents state-of-the-art and in a paper presented by Coron, Naccache, Stern at Crypto 99 it is shown that the effort to break this padding scheme is about 261 instead of 280. 7.3 Recommended signature suites A signature suite is defined using three parameters: • a hash function; • a padding method; • a signature algorithm and its associated parameters. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)25 Table 4.a Entry name of the signature suite Entry name for the hash function Entry name for the padding method Entry name for the signature algorithm sha224-with-rsa sha224 (see note) rsa sha256-with-rsa sha256 (see note) rsa rsa-pss with mgf1SHA- 1Identifier mgf1SHA-1 rsa rsa-pss with mgf1SHA-224Identifier mgf1SHA-224 Rsa rsa-pss with mgf1SHA- 256Identifier mgf1SHA-256 Rsa sha224-with-ecdsa sha224 no padding required ecdsa-Fp or ecdsa-F2m sha256-with-ecdsa sha256 no padding required ecdsa-Fp or ecdsa-F2m sha384-with-ecdsa sha384 no padding required ecdsa-Fp or ecdsa-F2m sha512-with-ecdsa sha512 no padding required ecdsa-Fp or ecdsa-F2m NOTE: The padding scheme for the RSA signature algorithm SHOULD be selected from the list above. These are the signature suites based on the currently recommended algorithms. While SHA-1 is not broken yet, it is NOT RECOMMENDED for signature creation. RIPEMD-160 is not broken and no attacks are known. Nevertheless it is no more RECOMMENDED due to hash length of 160 bit. SHA-512 is RECOMMENDED for very long term signatures, otherwise SHA-256 SHOULD be used. 8 Random number generation methods 8.1 General The key generation methods and some signature suites require the generation of a random number. NOTE: For detailed information about random number generation and terminology see ISO/IEC 18031 [i.14]. Some basic information is also given in annex E. The random number generation methods combined with the key generation methods have to ensure that the expected effort of guessing a cryptographic key is at least equivalent to guessing a random value that is EntropyBits bit resp. SeedEntropy bit long. This can be satisfied with respect to different demands like information theoretic vs. just complexity theoretic security, backward secrecy and/or forward secrecy and so on. Clause 8.2 and annex E in particular specify by which RNGs these demands can be satisfied. 8.2 Recommended random number generation methods Table 5 lists the recommended random number generation methods. Each random number generation method has a unique entry index represented by a string beginning with "5." followed by a two-digit entry number. The terms "trueran" and "pseuran" denote the requirements for NRNGs and DRNGs respectively (i.e. non-deterministic and deterministic random number generators). ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)26 Table 5: The list of recommended random number generation methods Random generator entry index Short random generator entry name Random generator parameters Adoption date Normative references 5.01 trueran EntropyBits 01.01.2001 5.02 pseuran SeedEntropy 01.01.2001 It is strongly recommended to use trueran methods for generating keys that are used more than once. In the case of the one-time keys k for DSA, ECDSA and ECGDSA there is less urgency for that. 8.2.1 Random generator requirements trueran A random number generator satisfying trueran has to be a pure or hybrid physical NRNG. NOTE 1: Non-physical NRNGs are excluded as the designer has no real control of the amount of the produced entropy. Thus a random number generator satisfying trueran is based on a physical primary entropy source and possibly a cryptographic or mathematical post-treatment of the output of the primary entropy source. The recommended requirements for these components are: • (TR1): There is a stochastical model for the primary entropy source which is found consistent with thorough adapted tests of prototypes of the source. • (TR2): The primary entropy source is subjected to an adapted statistical online test. "Online" means that the test will detect any non-tolerable loss of quality of the primary entropy source during operation sufficiently soon after such an event occurs and that there will then at once be suitable countermeasures (e.g. stop of the generator). "Adapted" means adapted to the statistical model of the primary entropy source. The original output of the primary entropy source should be tested not the output of the post-treatment instead of that (there may be justified exceptions to this general rule). See clause E.2 for some more information about tests for the primary entropy sources. The stochastical model and the tests should deliver an estimate for the amount of the produced entropy. The primary entropy source is regarded to be good if it produces nearly one bit entropy per output bit. For a good primary entropy source no post-treatment is necessary. • (TR3): If the primary entropy source is not good a post-treatment is employed which by some (necessarily compressing) techniques delivers an output of nearly one bit entropy per output bit. There must be a reasonable stochastical model of the post-treatment as well which together with the stochastic model of the primary entropy source and the tests ensures this property of the output. Instead of this set of requirements (TR1) - (TR3) the following modified set of requirements is also sufficient although not recommended: • (TR1"): There are mathematical models for the primary entropy source and the post-treatment that are plausible. • (TR2"): The primary entropy source is subjected to an online test which will detect most defects of the noise source except for special unlikely events. • (TR3"): There is a post-treatment (obligatory in this case) that under the assumption of the models (assuming that the primary entropy source works as expected) delivers an output of nearly one bit entropy per output bit and that even in the case of a complete breakdown of the primary entropy source (after there has been accumulated enough entropy at the beginning) satisfies the requirements pseuran including condition (PR3) of clause 8.2.2. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)27 NOTE 2: This alternative set of requirements is closer to the spirit of ANSI X9.82 [i.15] while the first set is more similar to AIS 31. In both cases the major target is to achieve forward and backward secrecy. In the latter case this secrecy can be completely complexity theoretic under certain circumstances and security relies rather on the post-treatment than on the primary entropy source in contrast to the first case which delivers information theoretical forward and backward secrecy. With the second set of requirements in the situation of a readout or manipulation of the internal state also forward secrecy is not ensured. NOTE 3: An example of a possible random number generator design based on a noisy diode is given in clause E.2 of ISO/IEC 18031 [i.14] although without the necessary details. 8.2.2 Random generator requirements pseuran A random number generator satisfying pseuran is a pure or hybrid DRNG satisfying the following conditions: • (PR1): The DRNG must be initialized by a seed with an entropy of at least SeedEntropy bits. • (PR2): Even with the knowledge of a partial output bit sequence of the DRNG and having all information about its initialization (and in the case of a hybrid DRNG also about the output of the additional entropy source) except for the seed there is no usable method to determine any other m bits of the output with a probability significantly larger than Max (2-m,2-SeedEntropy). NOTE 1: The second condition in particular implies that there is no information ascertainable a priori as to the output bits and that neither the seed nor any internal state of the DRNG can be recovered from a subset of the output. (PR1) is meant in the sense (or even implies) that the seed is produced using a NRNG. This NRNG does not need to be a physical one. Nevertheless to achieve high security it is recommended to use trueran (in particular physical, see clause 8.2.1) NRNGs for seeding. (PR1) does not exclude constructions in which the DRNG is seeded by a chain of DRNGs as described in clause 9.3.2 of ISO/IEC 18031 [i.14]. However the first DRNG in this chain must be seeded with the output of a NRNG and in the output of the last DRNG in the chain enough entropy (i.e. at least EntropyBits bits) has to be left over. Moreover of course the whole system (chain + DRNG to be seeded) regarded as a DRNG (including operational freedom like numbers of cycles before the next seeding of links regarded as non-physical additional entropy source) has to satisfy the second condition. The security of a DRNG is only complexity theoretic. With a known seed or a known internal state any future output can be calculated. So the seed has to be kept secret and seeding SHALL follow procedures similar to those for the generation of root keys. No backups of the seed or internal states of a pseuran generator are permitted. The internal state of the DRNG must be secured against any readout and any adversarial manipulation. In situations in which such readout or manipulation of an internal state of the DRNG does not seem to be completely excluded a re-seeding or a seed-update has to be executed from time to time. If re-seeding is employed the security of the re-seeding process SHALL be as strong as that of the original seeding. The frequency of this procedure (i.e. the amount of entropy that is fed in per output bit) depends on the actual risk of such readouts or manipulations. It is recommended to use DRNGs which in addition to the two above mentioned conditions satisfy the following additional condition ensuring backward secrecy even in the case of a known internal state: • (PR3): Even with complete knowledge of an internal state there is no usable method to determine any previous m output bits with a probability significantly larger than Max(2-m,2-SeedEntropy). NOTE 2: AIS 20 [i.16] defines the classes K3 and K4 for DRNGs. Roughly said K3 DRNGs satisfy conditions (PR1) and (PR2), K4 DRNGs also satisfy (PR3). Depending on the environment it may further be recommendable to use hybrid DRNGs rather than pure ones. In the case of an hybrid DRNG according to (PR2) even with complete knowledge about the output of the additional entropy source or with a certain influence on this output it must not be feasible to determine any bits of the output with higher than the a priori probability. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)28 The following are examples of pseuran generators: • ANSI X9.17 [i.17] generator. This DRNG was designed to pseudo randomly generate keys and initialization vectors for use of DES. It uses the triple-DES algorithm with a fixed key to mix a 64-bit seed with the current date. Iterated encryption enables to generate as many output bits as needed. Condition (PR3) is not satisfied at least without any further assumptions about the clock input. Instead of triple-DES also other strong block ciphers could be used as building block of the generator. • Example E.4 in AIS 20 is another DNRG based on a variable strong block cipher which as well does not satisfy condition (PR3). • FIPS 186 generator (see FIPS Publication 186-3 [6]). • RSA DRNG and Blum-Blum-Shub DRNG [i.18]. Those DRNGs are based on iterated exponentiation modulo a composite modulus. The advantage is to base the security on the intractability of number theoretic problem (respectively RSA and the factorization problem) but the main drawback is the poor efficiency in comparison with the other DRNGs described above, the security of which is only heuristic. 9 Recommended hash functions and key sizes versus time In this clause recommendations are provided regarding the use of hash functions given in clause 5 and the key sizes to be used with the algorithms mentioned in clause 6. This clause is structured as follows: • Clause 9.1 explains the considerations on which the recommendations are based. • In clause 9.2, hash functions versus time are recommended. • In clause 9.3, key sizes versus time are recommended. 9.1 Basis for the recommendations The aim of the recommendations given in clauses 9.2 and 9.3 is to achieve the necessary security level for advanced and qualified signatures according to Directive 1999/93/EC [1] and to complement the "generally recognized standards" within the meaning of Article 3(5), in particular the CWA 14167-2 [38] and CWA 14169 [34]. These standards are intended as protection profiles for the evaluation of electronic signature products, in particular trustworthy systems operated by certification service providers and secure signature creation devices. This implies that this update of this multi-part deliverable would primarily affect new electronic signature products, as long as no emergency procedure in the case of new attacks requires the removal of a recommended algorithm (see clause 4). The recommendations for algorithm and parameter strengths are characterized by taking a reasonable margin above minimum key lengths based on both extrapolation of current trends as well as estimations based on the necessary computing power needed to break a given algorithm. Such extrapolations can be found in the literature, e.g. (LenstraVerheul) or the ECRYPT doc base (http://www.ecrypt.eu.org/documents.html). The recommendations are not based on recently achieved records. Unfortunately there are no rigorous security proofs for the components of signature schemes (hash function, signature algorithm, RNG), basically all security statements rely on results about the most effective attacks known today. The possibility of a complete break of such a component (like, e.g. a fast universal factorization algorithm against RSA) that renders it useless can theoretically not completely be excluded but "breakthroughs" of that kind are regarded as improbable. In contrast to that certain unforeseen advances of moderate degree in analyzing cryptographic algorithms are regarded as a realistic threat: A recent example is given by the collision attacks on SHA-1 which demonstrated that this hash function is actually much weaker against collision attacks than predicted. The security margin for the recommendations below are chosen so that advances of this level should be compensated without changing the parameters. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)29 This is justified by the very severe consequences in case that a whole generation of chip cards or, even worse, a root key has to be regarded as no longer secure. Moreover, stability of the requirements in the present document is also highly desirable for reasons of planning reliability. This means that if in e.g. 2007 a key length y is declared as sufficient for resistance during 6 years, i.e. at least until the end of 2012, an updated version in e.g. 2010 should normally still declare this key length y as sufficient at least until the end of 2012. The following tables contain recommendations for the lifetime of keys and were chosen accordingly. The recommendations for a whole decade ("during 10 years") are explicitly declared "speculative" because of the uncertainty of predictions over such long periods. That means that the described principle of stability may not apply to these recommendations. The concept of a "liberal view" appearing in the previous versions of the document is removed for the near time frames, because significant differences did not appear therein. An attempt was made to achieve roughly similar security for all the components. For example the security level demanded by the tables is very roughly equivalent to 80 bits symmetric keys for an intended use in the short term and 100 bit for an intended use in the medium and longer term. 9.2 Recommended hash functions versus time Table 7 provides indication about recommended hash functions during X years. Definitions: Usable: The algorithm with the given security parameters can be considered secure at the given time. Unknown: The security of the algorithm is unknown; it may become secure if additional measures are applied. Unusable: The algorithm cannot be considered secure for any kind of use in the context of electronic signatures. "3 years" in table 7 means "until the end of 2014" and so on. Table 6: recommended hash functions for a resistance during X years entry name of the hash function 1 year 3 years 6 years 10 years (speculative) sha1 unusable unusable unusable unusable ripemd160 unusable unusable unusable unusable sha224 usable usable usable unknown sha256 usable usable usable unknown sha384 usable usable usable usable sha512 usable usable usable usable Whirlpool usable usable usable usable NOTE: The listed hash functions are expected to be 2nd pre-image resistant and pre-image resistant for a longer period of time. NOTE: The listed hash functions are expected to be 2nd pre-image resistant and pre-image resistant for a longer period of time. 9.3 Recommended key sizes versus time In the sequel a recommendation for RSA of the form, MinModLen=y for a resistance during 3 years" means, MinModLen should be y for RSA keys with an intended life time of 3 years from now (i.e. until end of 2004)". A recommendation for EC(G)DSA of the form "qMinLen=y for a resistance during 6 years" means "qMinLen should be y for keys (and curve parameters) with an intended life time of six years from now (i.e. until the end of 2017)". The meaning of all the listed parameters is explained in the respective clauses in clause 6. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)30 Table 7: Recommended parameters for RSA and rsagen1 for a resistance during X years Parameter 1 year 3 years 6 years 10 years (speculative) MinModLen 1 536 2 048 2 048 ? ErrProb 2-80 2-100 2-100 2-100 SeedEntropy/EntropyBits 80 100 100 ? NOTE 1: There exist implementations in hardware for which a few of the 2 048 base number bits may be reserved for some other information such that the maximum modulus length is in fact 1 976 bit for these implementations. Since the loss of security seems to be negligible a MinModLen=1 976 can be considered as recommended at least until the end of 2012 too. NOTE 2: Up to May 2011, no real attacks on RSA-1024 are reported. The factorization of RSA-768 dated on December 2010 was done using several hundred PCs over two years of calendar time. Therefore a freshly generated 1 024 bit RSA key certified for an end user and valid e.g. for one year may be considered today as secure too. Nevertheless it may be necessary to apply additional cryptographic measures urgently during the validity time of the end user certificates, including their revocation, if the algorithm RSA-1024 becomes really weak, e.g. if the next RSA challenges RSA-896 (cf. http://www.rsa.com/rsalabs) is factored. NOTE 3: In the gap left between the recommendations for one and three years it is on the discretion of the issuing CA to use either the first or the second recommendation. Depending on the measures foreseen by the CA in case of cryptographic weakness it may even be still appropriate to use RSA-1024 keys for end user certificates for more than two years, if the CA is prepared to revoke all certificates with that key length and to re-issue new certificates with a greater key length in a timely manner. Table 8: Recommended padding schemes and values for MinSaltEntropy for a resistance during X years Entry name of the padding scheme 1 year 3 years 6 years 10 years (speculative) PKCS#1-v1.5 usable/n.a usable/n.a. usable/n.a. unusable/n.a. PKCS#1-v2.1 usable/n.a usable/n.a usable/n.a. unusable/n.a. PKCS#1-PSS usable/64 usable/64 usable/64 usable/64 ISO-DS 2 usable/64 usable/64 usable/64 usable/64 ISO-DS 3 usable usable usable usable ISO-DIN-RN usable/64 usable/64 usable/64 usable/64 Table 9: Recommended parameters for DSA and dsagen1 for a resistance during X years Parameter 1 year 3 years 6 years 10 years (speculative) pMinLen 1 024 2 048 3 072 3 072 qMinLen 160 224 256 256 ErrProb 2-80 2-80 2-100 2-100 SeedEntropy/EntropyBits 80 80 100 100 ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)31 If it is not required by a signature length restriction it is RECOMMENDED for future interoperability to use qMinLen=256, such that DSA can be used with SHA-256 and without truncation. Table 10: Recommended parameters for ecdsa-Fp and ecgen1 for a resistance during X years Parameter 1 year 3 years 6 years 10 years (speculative) pMinLen - - qMinLen 160 224 256 256 r0Min 104 104 104 ? MinClass 200 200 200 ? ErrProb 2-80 2-100 2-100 2-100 SeedEntropy/EntropyBits 80 100 100 256 Table 11: Recommended parameters for ecdsa -F2m and ecgen2 for a resistance during X years Parameter 1 year 3 years 6 years 10 years (speculative) pMinLen - - qMinLen 160 224 256 256 r0Min 104 104 104 ? MinClass 200 200 200 ? ErrProb 2-80 2-100 2-100 2-100 SeedEntropy/EntropyBits 80 100 100 256 Table 12: Void Table 13: Void Table 14 summarizes the recommendations form the tables above. Table 14: Recommended signature suites for a resistance during X years Entry name of the signature suite 1 years 3 years 6 years 10 years sha1-with-rsa not recommended sha256-with-rsa 1 536 2 048 2 048 not recommended RSASSA-PSS with mgf1SHA-1Identifier 1 536 not recommended RSASSA-PSS with mgf1SHA-224Identifier 1 536 2 048 2 048 not recommended RSASSA-PSS with mgf1SHA-256Identifier 1 536 2 048 2 048 3 072 sha1-with-dsa not recommended sha1-with-ecdsa not recommended sha224-with-ecdsa 224 224 224 not recommended sha256-with-ecdsa 256 256 256 256 NOTE 4: Because sha224-with-rsa has no security or performance advantages or disadvantages compared with sha256-with-rsa it is not listed here for interoperability reasons only. NOTE 5: The generation of pseudo random masks used in PSS formatting requires the mixing properties of the MGF (mask generation function), which is not affected by the collision attacks on SHA-1. NOTE 6: In the gap left between the recommendations for one and three years it is on the discretion of the issuing CA to use either the first or the second recommendation. Depending on the measures foreseen by the CA and accepted by the certificate holder in case of algorithmic weaknesses it may be appropriate to use for example RSA-1024 keys in a one year valid end user certificates. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)32 10 Time period resistance of hash functions and keys The hash functions and signature algorithms defined in the present document are suitable to be used in the context of advanced electronic signatures as defined by ETSI Technical Standards and CWAs. As a general rule, a private key SHALL resist during the validity period of certificates, (defined by the "notBefore" and "notAfter" elements of the validity period field) which contain the corresponding public key. NOTE: The validity period is defined by the "notBefore" and "notAfter" elements of the validity period field from the certificate. Since key sizes are directly dependent upon the usage of the certificate, no single key size value may be given. The time period during which a given key SHALL or SHOULD resist depends on the usage of the key. To this respect different use cases will be explored. Once the time period is known, then the figures provided in clause 9 can be used to know the appropriate key size. 10.1 Time period resistance for hash functions As a general rule, hash functions SHOULD resist as long as a signature verification still needs to be done. If not, a specific signature maintenance process SHALL be performed (see annex H for more information). A hash function used to compute the hash of a certificate, which is not a self-signed certificate, SHOULD resist during the validity period of that certificate. However, a hash function used to compute the hash of a self-signed certificate SHALL resist during the validity period of that self-signed certificate. A hash function used to compute the imprint of a message placed in a time-stamp token is not used in combination of a signature scheme. The length of its output is not dependent upon the size of the parameters of the signature scheme. It may be advisable, in order to reduce the signature maintenance process, to use a hash function that is presumed to be resistant over a very long time period. If the signature suite that has been used by the signer is also presumed to be resistant over a very long time period, then the signature maintenance process can be minimized. 10.2 Time period resistance for signer's key The focus is very often placed on the resistance of signer's keys. Signer's keys SHOULD resist during the validity period (from notBefore to notAfter) of the associated certificate. If they do not, revocation will be necessary, and there would be a large burden to re-issue new keys and certificates. However, there is no security breach. If a signer's key does not resist during the validity period of its associated certificate, then the protection provided through the use of time-stamping is sufficient to provide an adequate protection. 10.3 Time period resistance for trust anchors A trust anchor SHOULD remain secure during the whole time period during which advanced electronic signature needs to be verified. If it does not, it cannot be used anymore for immediate verifications. It can be used for subsequent verifications, if a specific maintenance process is performed before the trust anchor becomes insecure. This is an important difference to the estimation of the time period resistance for signer's key, therefore a stronger margin SHOULD be chosen to avoid additional maintenance procedures. 10.4 Time period resistance for other keys All other keys (TSU keys, CA keys, CRL issuer keys, OCSP responder keys) SHOULD resist during the validity period of the associated certificate and the certificates that rely on its validity. This implies that their security parameters SHOULD be chosen stronger than the corresponding parameters of the certified keys. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)33 If they do not resist the for seen time period, a maintenance process SHOULD be applied before the algorithm is broken. For these keys the same rule as for trust anchors applies. 11 Practical ways to identify hash functions and signature algorithms In order to be able to use a function or an algorithm with ETSI TS and CWA documents, it is mandatory to be able to reference it, and when the algorithm has parameters to be able to define these parameters. An "object" needs to be defined to support these parameters. That object MUST be referenced using an OID and/or a URN. Only the owner of the OID or the URN is allowed to define its meaning and thus the meaning of the algorithm, usual referencing another document. It may be observed that ISO standards are not referenced in RFCs documents. The primary reason is that these documents are sold and the IETF always gives its preference to documents that can be obtained for free. As a general rule the "OID/URN criterion" may be applied: An algorithm to be included must be defined unambiguously by an OID/URN. If such an OID/URN is not available the algorithm unusable. 11.1 Hash functions and signature algorithms objects identified using OIDs 11.1.1 Hash functions The hash functions are defined using the following OIDs. Table 15 Short object name OID Normative references id-sha1 { iso(1) identifiedOrganization(3) oIW(14) oIWSecSig(3) oIWSecAlgorithm(2) 26 } RFC 3279 [12] ripemd160 { iso(1) identifiedOrganization(3) teletrust(36) algorithm(3) hashAlgorithm(2) ripemd160(1) } ISIS-MTT Part 6 [26] id-sha224 { joint-iso-itu-t(2)country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) sha224(4) } RFC 4055 [15] id-sha256 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } RFC 4055 [15] whirlpool { iso(1) standard(0) encryption-algorithms(10118) part3(3) algorithm(0) whirlpool(55) } ISO/IEC 10118-3 [3] id-sha384 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } RFC 4055 [15] id-sha512 { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } RFC 4055 [15] 11.1.2 Signature algorithms Table 16 Short object name OID Normative references rsaEncryption { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 } RFC 3279 [12] id-dsa { iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 1 } RFC 3279 [12] id-ecPublicKey { iso(1) member-body(2) us(840) 10045 2 1 } RFC 3278 [43] ecgPublicKey { iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecgDsaStd(5) ecgKeyType(2) 1 } ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)34 11.1.3 Signature suites Table 17 Short object name OID Normative references sha1WithRSAEncryption { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 } RFC 3279 [12] sha256WithRSAEncryption { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 11 } RFC 4055 [15] sha512WithRSAEncryption { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 13 } RFC 4055 [15] id-RSASSA-PSS with mgf1SHA-1Identifier { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 10 } RFC 4055 [15] id-RSASSA-PSS with mgf1SHA-224Identifier { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 10 } RFC 4055 [15] id-RSASSA-PSS with mgf1SHA-256Identifier { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 10 } RFC 4055 [15] rsaSignatureWithripemd160 {iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) rsaSignature(1) rsaSignatureWithripemd160(2)} ISIS-MTT [26] id-dsa-with-sha1 { iso(1) member-body(2) us(840) x9-57 (10040) x9cm(4) 3 } RFC 3279 [12] id-dsa-with-sha224 { joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3) algorithms(4) id-dsa-with-sha2(3) 1 } id-dsa-with-sha256 { joint-iso-ccitt(2) country(16) us(840) organization(1) gov(101) csor(3) algorithms(4) id-dsa-with-sha2(3) 2 } ecdsa-with-SHA-1 { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) sha1(1) } RFC 3279 [12] ecdsa-with-Recommended { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) recommended(2) } ANSI X9.62 [7] ecdsa-with-Sha224 { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) specified(3) 1 } ANSI X9.62 [7] ecdsa-with-Sha256 { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) specified(3) 2 } ANSI X9.62 [7] ecdsa-with-Sha384 { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) specified(3) 3 } ANSI X9.62 [7] ecdsa-with-Sha512 { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) specified(3) 4 } ANSI X9.62 [7] ecdsa-with-RIPEMD160 {itu-t(0) identified-organization(4) etsi(0) reserved(127) etsi-identifiedorganization(0) bsi-de(7) algorithms (1) id-ecc(1) signatures(4) ecdsasignatures(1) 6 } ecgSignatureWithripemd160 { iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecgDsaStd(5) ecgSignature(4) 1 } ecgSignatureWithsha1 { iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecgDsaStd(5) ecgSignature(4) 2 } ecgSignatureWithsha224 { iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecgDsaStd(5) ecgSignature(4) 3 } ecgSignatureWithsha256 { iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecgDsaStd(5) ecgSignature(4) 4 } ecgSignatureWithsha384 { iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecgDsaStd(5) ecgSignature(4) 5 } ecgSignatureWithsha512 { iso(1) identified-organization(3) teletrust(36) algorithm(3) signatureAlgorithm(3) ecSign(2) ecgDsaStd(5) ecgSignature(4) 6 } NOTE: Because sha224WithRSAEncryption and sha384WithRSAEncryption have no security or performance advantages or disadvantages compared with sha256WithRSAEncryption and sha512WithRSAEncryption they are not listed here for interoperability reasons only. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)35 11.2 Hash functions and signature algorithms identified objects using URNs 11.2.1 Hash functions The hash functions are defined using the following URNs. Table 18 Short object name URN Normative references sha1 http://www.w3c.org/2000/09/xmldsig#sha1 W3C Recommendation XML-Signature Syntax and Processing [30]. ripemd160 http://www.w3.org/2001/04/xmlenc#ripemd160 W3C Recommendation XML Encryption Syntax and Processing. 10 December 2002 [31] sha224 http://www.w3.org/2001/04/xmldsig-more#sha224 RFC 4051 [29] sha256 http://www.w3.org/2001/04/xmlenc#sha256 W3C Recommendation XML Encryption Syntax and Processing. 10 December 2002 [31] sha384 http://www.w3.org/2001/04/xmldsig-more#sha384 RFC 4051 [29] sha512 http://www.w3.org/2001/04/xmlenc#sha512 W3C Recommendation XML Encryption Syntax and Processing. 10 December 2002 [31] 11.2.2 Signature algorithms There is no need to define such URNs since XAdES uses the signature algorithms contained in X.509 certificates which are referenced using OIDs. 11.2.3 Signature suites The signature suites are defined using the following URNs. Table 19 Short object name URN Normative references dsa-sha1 http://www.w3.org/2000/09/xmldsig#dsa-sha1 XML-Signature Syntax and Processing. W3C Recommendation [30] rsa-sha1 http://www.w3.org/2000/09/xmldsig#rsa-sha1 XML-Signature Syntax and Processing. W3C Recommendation [30] ecdsa-sha1 http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1 RFC 4051 [29] rsa-ripemd160 http://www.w3.org/2001/04/xmldsig-more/rsa-ripemd160 RFC 4051 [29] rsa-sha256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 RFC 4051 [29] rsa-sha384 http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 RFC 4051 [29] rsa-sha512 http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 RFC 4051 [29] ecdsa-sha224 http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224 RFC 4051 [29] ecdsa-sha256 http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256 RFC 4051 [29] ecdsa-sha384 http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384 RFC 4051 [29] ecdsa-sha512 http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512 RFC 4051 [29] ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)36 11.3 Recommended hash functions and signature algorithms objects that do not yet have an OID or a description Whirlpool Signature suites based on a combination of a hash algorithm based on Whirlpool and a signature scheme do not yet have an OID. Nevertheless this hash function can be used with any of the mentioned elliptic curves. It is a general principle for ECDSA, that if the output of a hash function generated values longer than the order of the group of points, the hash values are truncated to the leftmost bits. I.e. if the order q has n bits, then the n leftmost bits of the output of the hash function are used as the hash value h. Note that this hash value may be greater than the order q but not longer. ECDSA with other hash functions The ecdsa signature scheme and signature suite based on ecdsa with RIPEMD160 have an OID. The normative description is given in "Elliptic Curve Cryptography (ECC)", Bundesamt für Sicherheit in der Informationstechnik, TR-03111(2006) available at http://www.bsi.bund.de. ecdsa-with-RIPEMD160 "Elliptic Curve DSA with RIPEMD-160" • {itu-t(0) identified-organization(4) etsi(0) reserved(127) etsi-identified-organization(0) bsi-de(7) algorithms (1) id-ecc(1) signatures(4) ecdsa-signatures(1) 6 } 11.4 Recommended hash functions and signature algorithms objects that do not yet have a URN or a description Whirlpool Whirlpool has currently no URN. In addition, it would be desirable to have variants of Whirlpool with an output less than 512 bits in order to match the requirements of Elliptic Curves algorithms. Signature suites based on a combination of a hash algorithm based on Whirlpool and a signature scheme do not yet have a URN. ECGDSA The ecgdsa signature scheme and signature suites based on ecgdsa do not have a URN, and thus no normative reference for the data structures. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)37 Annex A (normative): Algorithms for various data structures TS 101 733 [18] and TS 101 903 [19] define the formats of advanced electronic signatures. These two documents reference other documents defining various standardized data structures. These other documents or companion documents define the algorithms which SHOULD be supported by the issuers of the data structures and the algorithms which SHALL (for interoperability purposes) and SHOULD be supported by the users of the data structures. • Signer Certificates (RFC 5280 [2] and RFC 3279 [12]). • Certificate Revocation Lists (RFC 5280 [2] and RFC 3279 [12]). • OCSP responses (RFC 2560 [22]). • Certification Authority Certificates (RFC 5280 [2] and RFC 3279 [12]). • Self-signed certificates for CA certificates (RFC 5280 [2] and RFC 3279 [12]). • Time-Stamping Tokens (TSTs) (RFC 3161 [9] and TS 101 861 [20]). • Time-Stamping Unit certificates (RFC 3161 [9] and TS 101 861 [20]). • Self-signed certificates for TSU Certificates (RFC 5280 [2] and RFC 3279 [12]). • Attribute Certificates (ACs) (RFC 5280 [2] and RFC 3279 [12]). • Attribute Authority Certificates (RFC 3281 [21]). For each data structure, the set of algorithms to be used is specified. Since many of these documents have been published some years ago, they cannot be all up to date with the latest cryptographic advancements. In particular, some of the algorithms specified in the above documents exhibit weaknesses or, worse, are now broken. For that reason, when it is the case, algorithms that were initially recommended and that shall or should not be used anymore will be indicated. In the same way, more recent algorithms do not appear in these documents. This does not mean that they should not be used, but that at this time they do not yet fall into the SHALL or SHOULD categories. Each set is identified by an identifier which is either an OID (Object IDentifier) or a URI/URN. The use of such identifiers is necessary so that interoperability can be achieved. In order to allow for data interchange, the document references algorithms in terms of OIDs and URIs/URNs together with algorithm parameters. The algorithms which MAY be supported by issuers or users are NOT indicated. A.1 Advanced Electronic Signatures based on TS 101 733 An advanced electronic signature contains an identifier of the hash function that has been used (contained in the digestAlgorithm element from the SignerInfo data structure) and an identifier of the signature algorithm that has been used (contained in the signatureAlgorithm element from the SignerInfo data structure) which must be consistent with the identifier of the signature algorithm contained in the signer's certificate. Requirements apply both to the hash function and the signature algorithm. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)38 Since TS 101 733 [18] is built upon RFC 3852 [23], algorithms may be selected from RFC 3370 [13] or elsewhere. RFC 3370 [13] recommended the MD5 and SHA-1 hash functions. Since MD5 was broken in August 2004, it is no longer mentioned. SHA-1 should be phased out as its security level has significantly decreased since February 2005. Table A.1 AdES based on TS 101 733 [18] Issuers of AdES Users of AdES Hash functions SHOULD support sha256 SHALL support sha1 SHOULD support sha256 Signature algorithms SHOULD support RSA or SHOULD support DSA or SHOULD support ECDSA SHALL support RSA SHOULD support DSA SHOULD support ECDSA NOTE: Because the usage of SHA-224 as hash functions gives no advantage compared with SHA-256 neither in security nor in performance it is not required that SHA-224 should be supported as a hash function. A.2 Advanced Electronic Signatures based on TS 101 903 TS 101 903 [19] uses a URN to reference the hash function in the ds:DigestMethod element. Since TS 101 903 [19] is built upon XML DigSig, the algorithm requirements from XML DigSig apply. Table A.2 AdES based on TS 101 903 [19] Issuers of AdES Users of AdES Hash functions SHOULD support sha256 SHALL support sha1 SHOULD support sha224 SHOULD support sha256 Signature algorithms SHOULD support DSAwithSHA-1 SHALL support DSAwithSHA-1 SHOULD support RSAwithSHA-1 or ECDSA NOTE: For canonicalization: 1. Required Canonical XML (omits comments): http://www.w3.org/TR/2001/REC-xml-c14n-20010315 2. Recommended Canonical XML with Comments: http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments A.3 Signer's certificates A signer certificate contains a subject public key and is signed by a CA issuing key. According to RFC 5280 [2], implementations of that specification are not required to use any particular cryptographic algorithms. However, conforming implementations which use the algorithms identified in RFC 3279 [12] MUST identify and encode the public key materials and digital signatures as described in that specification. These requirements apply to signer public keys and CA issuing keys. RSA is actually the most supported algorithm and therefore it is the only algorithm bearing a SHOULD for issuers of signer certificates. But this requirement does not inhibit a CA to issue DSA- or ECDSA-signed certificates, which may be necessary if a DSA or ECDSA user key is to be certified. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)39 Table A.3 Signer certificates Issuers of signer certificates Users of signer certificates Signer public keys SHOULD support RSA SHALL support RSA SHOULD support DSA SHOULD support ECDSA CA issuing keys SHOULD support RSA with SHA-1 SHALL support RSA with SHA-256 SHALL support RSA with SHA-1 SHOULD support DSA with SHA-1 SHOULD support ECDSA with SHA-1 SHOULD support ECDSA with SHA-224 SHALL support RSA with SHA-256 SHOULD support DSA with SHA-256 SHOULD support ECDSA with SHA-256 NOTE: Because the usage of SHA-224 with RSA and DSA gives no advantage compared with SHA-256 neither in security nor in performance it is not required that SHA-224 should be supported with these algorithms. It is recommended that with RSA and DSA the hash functions SHA-256 and SHA-512 are used instead of SHA-224 or SHA-384. A.4 CRLs A CRL is signed by a CRL Issuer. According to RFC 5280 [2], implementations of that specification are not required to use any particular cryptographic algorithms. However, conforming implementations which use the algorithms identified in RFC 3279 [12] MUST identify and encode the public key materials and digital signatures as described in that specification. These requirements apply to CRL Issuer public keys. RSA is actually the most supported algorithm and therefore it is the only algorithm bearing a SHOULD for then issuers of CRLs. Table A.4 CRLs Issuers of CRLs Users of CRLs CRL issuer keys SHOULD support RSA with SHA-1 SHALL support RSA with SHA-256 SHALL support RSA with SHA-1 SHOULD support DSA with SHA-1 SHOULD support ECDSA with SHA-1 SHOULD support ECDSA with SHA-224 SHALL support RSA with SHA-256 SHOULD support DSA with SHA-256 SHOULD support ECDSA with SHA-256 NOTE: Because the usage of SHA-224 with RSA and DSA gives no advantage compared with SHA-256 neither in security nor in performance it is not required that SHA-224 should be supported with these algorithms. It is recommended that with RSA and DSA the hash functions SHA-256 and SHA-512 are used instead of SHA-224 or SHA-384. A.5 OCSP responses A CRL is signed by an OCSP responder. The algorithm requirements from RFC 2560 [22] apply, i.e. "Clients that request OCSP services SHALL be capable of processing responses signed used DSA keys identified by the DSA sigalg-oid specified in clause 7.2.2 of RFC 5280 [2]. Clients SHOULD also be capable of processing RSA signatures as specified in clause 7.2.1 of RFC 5280 [2]. OCSP responders SHALL support the SHA-1 hashing algorithm." These requirements apply to OCSP the hash algorithm and the signature algorithm used by OCSP responders. NOTE: The reference in RFC 2560 [22] to RFC 2459 [i.26] should be replaced by its successor RFC 5280 [2]. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)40 Table A.5 OCSP response Issuers of OCSP responses Users of OCSP response OCSP responder keys SHOULD support sha1 with dsa SHOULD support sha1 with rsa SHOULD support sha256 with rsa SHALL support sha1 with dsa SHALL support sha1 with rsa SHOULD support sha25 with rsa A.6 CA certificates A CA certificate contains a CA public key and is signed by a CA private key. The algorithm requirements from RFC 3279 [12] apply. These requirements apply to CA public keys (as subject) and CA public keys (as issuer). Table A.6 CA certificates Issuers of CA certificates Users of CA certificates Subject CA public key SHOULD support RSA with SHA-256 SHALL support RSA with SHA-1 SHOULD support DSA with SHA-1 SHOULD support ECDSA with SHA-1 SHOULD support ECDSA with SHA-224 SHALL support RSA with SHA-256 SHOULD support DSA with SHA-256 SHOULD support ECDSA with SHA-256 Issuer CA public keys SHOULD support RSA with SHA-256 SHALL support RSA with SHA-1 SHOULD support DSA with SHA-1 SHOULD support ECDSA with SHA-1 SHOULD support ECDSA with SHA-224 SHALL support RSA with SHA-256 SHOULD support DSA with SHA-256 SHOULD support ECDSA with SHA-256 NOTE: Because the usage of SHA-224 with RSA and DSA gives no advantage compared with SHA-256 neither in security nor in performance it is not required that SHA-224 should be supported with these algorithms. It is recommended that with RSA and DSA SHA-256 and SHA-512 are used instead of SHA-224 or SHA-384. A.7 Self-signed certificates for CA issuing CA certificates A self-signed certificate contains a single root CA public key. The algorithm requirements from RFC 3279 [12] apply. Self-signed certificates need to resist quite long (e.g. more than 10 years). For that reason, at least the hash function SHA-256, used in combination with RSA, is recommended. These requirements apply to root CA public keys. Table A.7 Self-signed certificates Issuers of self-signed certificates Users of self-signed certificates Root CA public keys SHOULD support RSA with SHA-256 SHALL support RSA with SHA-1 SHOULD support DSA with SHA-1 SHOULD support ECDSA with SHA-1 SHOULD support ECDSA with SHA-224 SHALL support RSA with SHA-256 SHOULD support DSA with SHA-256 SHOULD support ECDSA with SHA-256 ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)41 A.8 TSTs based on RFC 3161 and TS 101 861 The following requirements apply to hash functions and TST signature algorithms. The algorithm requirements from TS 101 861 [20] apply. • for the requests: The following hash algorithms MAY be used to hash the information to be time-stamped: SHA-1, RIPEMD-160; • for the responses, the following signature algorithm must be supported: SHA-1 with RSA. However, for time-stamp tokens that need to resist quite long (e.g. more than 10 years), the SHA-2 family (SHA-256, SHA-384 and SHA-512) is recommended. Table A.8 Time-Stamping Tokens TST requesters TST issuers TST verifiers Hash function SHOULD support sha1 SHOULD support ripemd160 SHOULD support sha256 SHALL support sha1 SHOULD support ripemd160 SHOULD support sha256 SHALL support sha1 SHOULD support ripemd160 SHOULD support sha256 TST signature algorithms SHALL support sha1 with rsa SHOULD support sha256 with rsa SHALL support sha1 with rsa SHALL support sha256 with rsa SHALL support sha1 with rsa SHOULD support sha256 with rsa A.9 TSU certificates A TSU certificate contains a TSU public key and is signed by a CA private key. The algorithm requirements from RFC 3279 [12] apply. These requirements apply to TSU public keys (as subject) and CA public keys (as issuer). Since TST last for longer time the SHA-2 family (SHA-256 and SHA-512) is recommended. Table A.9 TSU certificates Issuers of TSU certificates Users of TSU certificates TSU public key SHOULD support RSA with SHA-256 SHALL support RSA with SHA-1 SHOULD support DSA with SHA-1 SHALL support RSA with SHA-256 Issuer CA public keys SHOULD support RSA with SHA-256 SHALL support RSA with SHA-1 SHOULD support DSA with SHA-1 SHALL support RSA with SHA-256 A.10 Self-signed certificates for CAs issuing TSU certificates A self-signed certificate contains a single root CA public key. The algorithm requirements from RFC 3279 [12] apply. Self-signed certificates need to resist quite long (e.g. more than 10 years). For that reason, the SHA-2 family (SHA-256 and SHA-512), used in combination with RSA, is recommended. These requirements apply to root CA public keys. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)42 Table A.10 Self-signed certificates Issuers of self-signed certificates Users of self-signed certificates root CA public keys SHOULD support RSA with SHA-256 SHALL support RSA with SHA-1 SHOULD support DSA with SHA-1 SHALL support RSA with SHA-256 A.11 Attribute certificates An Attribute Certificate is signed by an Attribute Authority. The algorithm requirements from RFC 3279 [12] apply. These requirements apply to Attribute Authority public keys. Table A.11 Attribute Certificates Issuers of OCSP Attribute Certificates Users of OCSP Attribute Certificates Attribute Authority public keys SHOULD support RSA with SHA-256 SHALL support RSA with SHA-1 SHOULD support DSA with SHA-1 SHALL support RSA with SHA-256 A.12 AA certificates An AA certificate contains an Attribute Authority public key and is signed by a CA private key. The algorithm requirements from RFC 3279 [12] apply. These requirements apply to Attribute Authority public keys (as subject) and CA public keys (as issuer). Table A.12 AA certificates Issuers of AA certificates Users of AA certificates Attribute Authority public key SHOULD support RSA with SHA-256 SHALL support RSA with SHA-1 SHOULD support DSA with SHA1 SHALL support RSA with SHA-256 Issuer CA public keys SHOULD support RSA with SHA-256 SHALL support RSA with SHA-1 SHOULD support DSA with SHA-1 SHALL support RSA with SHA-256 ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)43 Annex B (informative): Recommended key sizes (historical) This annex will later on contain the outdated tables provided in clause 9 so that a history about previously recommended hash functions and key sizes can be easily done at a given time and for a given time period. B.1 Changes in 2005 2005-04: Taking in consideration the recently published attacks on hash functions, the clause 9.3 in the main body is updated. The former text is provided here and the values that have been changed are printed in bold and underlined. 10.3 (2005-04) Recommended hash functions versus time Tables 6 and 7 provides indication about recommended hash functions during X years. With respect to the above distinction between conservative and liberal views, the conservative view is first provided and then the liberal. Definitions: Usable: The algorithm with the given security parameters can be considered secure at the given time. Unknown: The security of the algorithm is unknown; it may become secure if additional measures are applied. Table 6/clause 9.3: Conservative view of recommended hash functions for a resistance during X years Entry name of the hash function 3 years (2008) 5 years (2010) 10 years (2015) sha1 usable unknown unknown ripemd160 usable usable unknown sha224 usable usable usable sha256 usable usable usable Whirlpool usable usable unknown Table 7/clause 9.3: Liberal view for recommended hash functions for a resistance during X years Entry name of the hash function 3 years (2008) 5 years (2010) 10 years (2015) sha1 usable usable unknown ripemd160 usable usable unknown sha224 usable usable usable sha256 usable usable usable whirlpool usable usable unknown Table B.3 predicts hash function resistance over 20 years. Due to the inherent unpredictability of such predictions, these predictions are largely speculative, and no distinction is made be between conservative and liberal. Additional definition: Unusable: The algorithm cannot be considered secure for any kind of use in the context of electronic signatures. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)44 Table 8/clause 9.3: Speculated hash function resistance over 20 years, based on current trends and estimated computational power Entry name of the hash function Speculated Usability in 20 years (2025) sha1 unusable ripemd160 unusable sha224 usable sha256 usable Whirlpool usable 2005-04: Taking in consideration the recently published attacks on hash functions, the clause 9.4 in the main body is updated. The former text is provided here and the values that have been changed are printed in bold and underlined. 10.4 (2005-04) Recommended key sizes versus time Tables B.4 and B.5 provides indication about recommended key lengths for a resistance of the algorithm or the signature suite during X years. A conservative view and a liberal view are provided. For explanations of these terms please refer to clauses 2 and 3 in this clause. These tables are provided for 3 years, 5 years and 10 years. Definitions: Unusable: The algorithm cannot be considered secure for any kind of use in the context of electronic signatures. Unknown: The security of the algorithm is unknown at this time; it may become secure if additional measures are applied. Table 9/clause 9.4: Conservative view of recommended key lengths for a resistance during X years entry name of the signature suite 3 years (2008) 5 years (2010) 10 years (2015) sha-1-with-rsa ≥ 768 unknown unknown sha224-with-rsa ≥ 768 1 024 2 048 sha256-with-rsa ≥ 768 1 024 2 048 RSASSA-PSS with mgf1SHA-1Identifier ≥ 768 1 024 unknown RSASSA-PSS with mgf1SHA-224Identifier ≥ 768 1 024 2 048 RSASSA-PSS with mgf1SHA-256Identifier ≥ 768 1 024 2 048 sha1-with-dsa ≥ 768 unknown unknown sha1-with-ecdsa 163 unknown unknown sha224-with-ecdsa 224 224 224 sha256-with-ecdsa 256 256 256 Table 10/clause 9.4: Liberal view of recommended key lengths for a resistance during X years entry name of the signature suite 3 years (2008) 5 years (2010) 10 years (2015) sha-1-with-rsa ≥ 768 1 024 unknown sha224-with-rsa ≥ 768 1 024 2 048 sha256-with-rsa ≥ 768 1 024 2 048 RSASSA-PSS with mgf1SHA-1Identifier ≥ 768 1 024 unknown RSASSA-PSS with mgf1SHA-224Identifier ≥ 768 1 024 2 048 RSASSA-PSS with mgf1SHA-256Identifier ≥ 768 1 024 2 048 sha1-with-dsa ≥ 768 1 024 unknown sha1-with-ecdsa 163 190 unknown sha224-with-ecdsa 224 224 224 sha256-with-ecdsa 256 256 256 ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)45 An additional table with speculations regarding security over 20 years is provided. Due to the unpredictability in such long term statements, there is no distinction made between liberal and conservative for the 20 year prediction, and such information should be considered as largely speculative. Table 11/clause 9.4: Speculated resistance of recommended algorithm parameters for the next 20 years, based on current trends and estimated computational power entry name of the signature suite 20 years (2025) sha-1-with-rsa unusable sha224-with-rsa 2 048 sha256-with-rsa 2 048 RSASSA-PSS with mgf1SHA-1Identifier unusable RSASSA-PSS with mgf1SHA-224Identifier 2 048 RSASSA-PSS with mgf1SHA-256Identifier 2 048 sha1-with-dsa 2 048 ecPublicKey unknown sha1-with-ecdsa unknown B.2 Changes in 2007 The document was revised and updated by an STF. Because the changes concern not only the tables, they are documented in annex I and not here. B.3 Changes in 2011 The document was updated by ESI taking in consideration the actual progress in cryptography. Based on publications on cryptographic algorithms and their parameters from ECRYPT [i.6] and NIST [i.7] the usage of SHA-1 is no more recommended. RIPEMD-160 is not broken and no attacks are known. Nevertheless it is no more recommended due to hash length of 160 bit. The recommended parameters for RSA are updated as it was foreseen by the previous version of the present document. The 1 024 bit length is no more recommended. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)46 Annex C (informative): Generation of RSA modulus An RSA modulus is obtained by multiplying two prime numbers of roughly the same size. Furthermore, the two factors must not be too close in order to be far enough from the square root of the modulus. If we let p and q be the two prime factors of the modulus n, we can require that, for example: 0,1 < |log2(p) - log2(q)| < 30 (1) which means that none of the factors is small or close to the square root of the modulus. This condition implies that: log2(n)/2 - 15 < log2(p), log2(q) < log2(n) / 2 + 15 (2) The generation of an RSA modulus of exactly k bits could be done with the following algorithm: • Choose a random prime number p in the range ]2k/2-15, 2k/2+15[. • Choose a random prime number q in the range [2k-1/p, 2k/p[. • If the condition 0,1 < |log2(p)-log2(q)| < 30 is not satisfied, go back to the first step. • Let n be the product of p and q. A more complicated method that avoids the third step altogether but produces differently distributed primes is: • Choose a random prime number p in the range [2k/2-9/20, 2k/2+15[. • Choose a random prime number q in the range]a,b[ where a=max(ceil(2k-1/p)-1, p.2-30) and b=min(2k/p, p.2-1/10). • Let n be the product of p and q. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)47 Annex D (informative): Generation of elliptic curve domain parameters NOTE 1: This annex refers to ANSI X9.62 [7] (1998) which has been replaced by ANSI X9.62 [7] (2005). The latter specifies ways to generate elliptic curve parameters except for the check of the class number condition which is described in clause D.3. By the new version of the ANSI X9.62 [7] clauses D.1 and D.2 have become obsolete. The information contained in clause D.3 can now also be found in the ECC Brainpool paper on standard curves and curve generation [i.13]. This annex describes possible ways to generate elliptic curve domain parameters for ECDSA and ECGDSA satisfying the conditions given in clauses 6.1.2.3 and 6.1.2.4 and also ways to select curves verifiably at random. For this, basically the algorithms described in ANSI X9.62 [7] (1998) annex A.3 can be used. The only necessary modifications are due to the fact that two of the conditions imposed on elliptic curves in the present document were not included in ANSI X9.62 [7] (1998): In step 4. of algorithm A.3.2 only the condition about r0 (which is equivalent to the "MOV condition" of ANSI X9.62 [7] (1998)) and the condition p ≠ q of clause 6.1.2.3 (which follows from the "anomalous condition" of ANSI X9.62 [7] (1998)) are ensured while the condition on the class number of the maximal order of the endomorphism ring of the curve and (in the F2 m case) the condition that the curve is not be definable over F2 are not respected by the algorithm. These latter two conditions should also be checked during the generation of the curve. Clauses D.1 and D.2 describe in more detail how the algorithm A.3.2 of ANSI X9.62 [7] (1998) can be modified accordingly. The algorithms A.3.3.1 and A.3.3.2 of ANSI X9.62 [7] (1998) for selecting curves verifiably at random which basically produce random j-invariants from a seed by means of a hash function only need to be modified in the case that the security of SHA-1 is no longer regarded to be sufficient. Clause D.3 gives more information about the class number condition and in particular describes how it can be checked. For checking the class number condition an integer M has to be factorized and a certain triple (α,β,γ) of integers has to be found. To ease the validation of the domain parameters the prime factorization of M and the triple (α,β,γ) should always be made public together with the domain parameters. Otherwise in particular the factorization of M would consume much time. NOTE 2: Additional standard curves and further information about the class number condition can be found in the ECC Brainpool paper "ECC Brainpool Standard Curves and Curve Generation" [i.13]; OID: {1(iso) 3(identified organization) 36(teletrust) 3(algorithm) 3(signature algorithm) 2(ecSign) 8(ecStdCurvesAndGeneration)}. D.1 ECDSA and ECGDSA based on a group E(Fp) The prime p can be generated by one of the algorithms described in ISO/IEC 18032 [i.8] in a way that the probability of being composite is at most 2-100. The generation of an appropriate curve E, the point P and the prime q can be done with the algorithm in annex A.3.2 of ANSI X9.62 [7] (1998) with lower bound rmin>2qMinLen, the MOV threshold B= r0Min and with Step 4. of algorithm A.3.2 substituted by the following: "4. (a) Check the MOV condition (see annex A.1.1) with inputs B, q and n. If the result is "false" go to Step 1. (b) Check the Anomalous condition (see annex A.1.2). If the result is "false" go to Step 1. (c) Find an element in the ideal class group of the number field K:=Q( d− ) of order at least MinClass where d is the squarefree factor of 2 ))(#1(4: pFEppM −+−= . If such an element of the class group cannot be found go to Step 1." The number M is always a positive integer and by the prime factorization of M one determines uniquely defined positive integers ld, with 2 dlM = . Then d is called the squarefree factor of M . ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)48 If an element of the ideal class group of order at least MinClass can be found then the class number condition of clause 6.1.2.3 is satisfied. Elements of the ideal class group of K can effectively be represented by certain triples (α,β,γ) of integers. The details in particular about the group operation and the neutral element in this set of triples are given in clause D.3. Here it is neither specified how to choose the elements in the ideal class group which are checked for sufficiently high order nor after how many unsuccessful selections of elements to decide that the demanded element "cannot be found". This is another reason to attach the triple (α,β,γ) (which has an order at least MinClass) to the domain parameters for validation. The algorithm to generate E, P and q can be successful only if p is chosen large enough, i.e. at least about as large as q which itself is greater than 2qMinLen-1. To select a curve verifiably at random one can use the algorithm given in annex A.3.3.1 of ANSI X9.62 [7]. The hash function SHA-1 has to be substituted by a more secure hash function after the recommended use date for SHA-1. D.2 ECDSA and ECGDSA based on a group E(F2 m) The selection of an appropriate curve E, the point P and the prime q can be done with the algorithm in annex A.3.2 of ANSI X9.62 [7] (1998) with lower bound rmin > 2qMinLen, with MOV threshold B=r0Min and with Step 4. of algorithm A.3.2 substituted by the following: "4. (a) Verify that b ≠ 1. If this is not the case go to Step 1. (b) Check the MOV condition (see annex A.1.1) with inputs B, q and n. If the result is "false" go to Step 1. (c) Find an element in the ideal class group of the number field K:=Q( d− ) of order at least MinClass where d is the squarefree factor of 2 2 2 ))(#12(2: mFEM mm −+−= + . If such an element in the ideal class group cannot be found go to Step 1." The parameter b is the constant term in the representation y2+xy=x3+ax2+b of the curve E used in the algorithm. b is the j-invariant of E and as in a former step of the algorithm b ≠ 0 was already checked b ≠ 1 means that the j-invariant is not contained in F2 and in particular that E cannot be defined over F2. The number M is always a positive integer and by the prime factorization of M one determines the uniquely defined positive integers ld, with 2 dlM = . Then d is called the squarefree factor of M . If an element of the ideal class group of order at least MinClass can be found then the class number condition of clause 6.1.2.4 is satisfied. Elements of the ideal class group of K can effectively be represented by certain triples (α,β,γ) of integers. The details in particular about the group operation and the neutral element in this set of triples are given in clause D.3. Here it is neither specified how to choose elements in the ideal class group which are checked for sufficiently high order nor after how many unsuccessful selections of elements to decide that the demanded element "cannot be found". This is another reason to attach the triple (α,β,γ) (which has an order at least MinClass) to the domain parameters for validation. The algorithm to generate E and P can be successful only if 2m is chosen large enough, i.e. at least about as large as q which itself is greater than 2qMinLen-1. To select a curve verifiably at random one can use the algorithm given in annex A.3.3.1 of ANSI X9.62 [7] (1998). The hash function SHA-1 has to be substituted by a more secure hash function after the recommended use date for SHA-1. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)49 D.3 The class number condition The class number condition was introduced because of the following reason: A hypothetical lift of the curve to an elliptic curve over a number field cannot exist if the degree of the number field is less than the class number of the endomorphism ring End(E) of E (regarded as order in the imaginary quadratic number field K:=Q( d− ) defined in clauses D.1 and D.2 respectively) and if the degree of the number field is large then a solution of the corresponding lift of the elliptic curve discrete logarithm problem is not feasible. The class number of End(E) is always a multiple of the class number of K so what is actually demanded is a sufficiently large class number of K. Also the recent results of Huang and Raskind (see bibliography) can be regarded as arguments for demanding a sufficiently large class number of K. Because the complexity of the best known algorithms for explicitly determining the class number of K is too high in practice one just tries to find elements of the ideal class group of K with a large order as the class number is not smaller than the order of an element. Randomly selected curves will violate the class number condition with very low probability. But the best known rigorously proven upper bounds do not exclude the possibility that the actual probability is significantly higher than 2-80 and heuristic arguments show that this probability should be at least of about the same magnitude as 2-80 (for a key length of approximately 160 bits). So the class number condition should be checked also for randomly selected curves. We now briefly describe how the elements of the ideal class group of the number field K:=Q( d− ) for a positive squarefree integer d can be represented, how to determine the product of two elements and what the representation of the neutral element with respect to this product looks like. Further information can be found in the text book of Cohen [i.25]. First define ⎩ ⎨ ⎧ ≡−≡−− ≡−− = )4(3)4(24 )4(1 : dordifd difd D A triple (α,β,γ) of integers satisfying =: • gcd(α,β,γ)=1; • α>0 and |β| ≤ α ≤ γ and if α=γ or |β|=α then also β ≥ 0; • β2-4αγ= D ; is called a primitive reduced triple of discriminant D . NOTE 1: (α,β,γ) is a primitive reduced triple of discriminant D if and only if the quadratic form αx2+ βxy+γy2 is primitive reduced and has discriminant D (which in particular implies that it is positive definite). The elements of the ideal class group of the number field K:=Q( d− ) correspond one-to-one to the primitive reduced triples of discriminant D . The group operation in this set of triples can be calculated as follows. Given two primitive reduced triples (α1,β1,γ1) and (α2,β2,γ2) the so called composition (α´,β´,γ´) of (α1,β1,γ1) and (α2,β2,γ2) can be determined by algorithm 5.4.7 of Cohen's book (see bibliography). This triple (α´,β´,γ´) is primitive and has discriminant D but is not necessarily reduced. Applying the reduction algorithm 5.4.2 of the same book to this triple (α´,β´,γ´) delivers a primitive reduced triple (α,β,γ) with determinant D . This triple represents the product of the two elements representing (α1,β1,γ1) and (α2,β2,γ2). (α1,β1,γ1) o (α2,β2,γ2) := (α,β,γ) (3) The neutral element is represented by the triple (1,0,- D /4) if )4(0≡D and it is represented by the triple (1,1,(1- D )/4) if )4(1≡D . In either case the triple corresponding to the neutral element is denoted by I. The following is an algorithm that determines whether the order of an element of the ideal class group of the number field K:=Q( d− ) has an order of at least MinClass: Input: A primitive reduced triple (α,β,γ) of discriminant D . ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)50 Output: The message "true" if the order of the corresponding element of the ideal class group is at least MinClass; the message "false" otherwise. 1) Set t=I. 2) For i from 1 to MinClass-1 do: - Set t:=t o (α,β,γ). - If t=I then output "false" and stop. 3) Output "true". In 2) the triple t o (α,β,γ) is calculated by the procedure described above. NOTE 2: Most of the common computer algebra packages contain implementations for the described manipulations in the class group of K or in the set of primitive reduced quadratic forms respectively. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)51 Annex E (informative): On the generation of random data E.1 Classes of random number generators Figure E.1 shows a schematic classification of random number generators according to ISO/IEC FCD 18031 [i.14] where more detailed information can be found. That document uses the term "random bit generator" while here the term "random number generator" is used. RNG NRNG DRNG physical pure hybridd pure hybridd pure hybridd non-phys. Figure E.1: Schematic classification of random number generators according to ISO/IEC FCD 18031 [i.14] Every random number generator RNG has a primary entropy source. If this entropy source is non-deterministic which means unrepeatable and unpredictable the RNG is called non-deterministic or a NRNG. If this entropy source consists just of seed values it is called deterministic and also the RNG is called deterministic or a DRNG. The primary entropy source of a NRNG can either be physical or non-physical. A physical primary entropy source (also called physical primary noise source) uses dedicated hardware to measure the physical characteristics of a sequence of events in the physical world, e.g. radioactive emissions of atoms or the noise of diodes. Typical non-physical primary entropy sources are based for example on RAM contents, system clocks or "random user inputs" via PC-keyboard or PC-mouse. If the only entropy source for a RNG is the primary entropy source it is called pure RNG. A RNG can also have an additional entropy source. A NRNG with an additional deterministic entropy source (i.e. seed values) is called hybrid NRNG. A DRNG with an additional non-deterministic entropy source is called hybrid DRNG. A well constructed NRNG is information theoretically secure while (pure) DRNGs can only be complexity theoretically secure that means there is no feasible way to break its security. The advantage of the former is obviously that there is no (even theoretical) possibility to calculate future or previous outputs from known ones. The security of DRNGs depends on assumptions about the algorithmic complexity of certain problems which may turn out to be wrong sooner or later. So NRNGs are better suited for long term security. The following terminology for DRNGs is used in clause 8.2.2: • A re-seeding of a DRNG is a complete new initialization of the DRNG with a newly produced seed. • A seed-update of a DRNG is an external modification of the internal state (not by the regular updating function of the DRNG) in a way that: (i) After the modification the modifier has no more information about the internal state than before. (ii) Anybody else than the modifier having some information about the previous internal state has less information about the internal state after the modification. NOTE: The difference between these two possible ways to add new entropy to a DRNG is that if the new seed is known then the future output is known after re-seeding while this is not the case for a seed-update. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)52 Of course it is desirable that after a seed-update the loss of information about the internal state in condition (ii) should be as large as possible. In an ideal case there remains no information. A typical example for that is an XOR of the internal state with a new seed produced with a strong NRNG. E.2 On tests for NRNGs Examples of generic test suites for the statistical properties of the primary entropy source can be found in Ruhkin et al [i.18]. But usually tests specifically adapted to the mathematical model of the source are more suitable. Online tests should be specific to the primary entropy source. An example for such an online test can be found in example E7 of AIS 31 [i.19]. To avoid a misunderstanding about tests and test suites it should be pointed out that: There is no test or test suite which can show that the output of a generator has a certain minimum entropy without certain additional statistical assumptions about the source. EXAMPLE: The term "universal" for Maurer's test (Maurer 1991, [i.20]) could cause some confusion about this fact. Actually in Maurer's article it is assumed that the source is a binary, stationary, ergodic source with finite memory. These assumptions are explicitly mentioned in that article. It should also be observed that an NRNG has to be evaluated as an entire system i.e. taking into account the interaction of the components. Thus it is not enough to regard the mathematical model, the online tests and the evaluation of the post-treatment separately. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)53 Annex F (informative): Algorithm identifiers defined in various documents F.1 Algorithm identifiers defined in RFC 3278 The title of the document is: "Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)" [11]. Signature suite ECDSA with SHA-1 ecdsa-with-SHA-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 10045 signatures(4) 1 } F.2 Algorithm identifiers defined in RFC 3279 The title of the document is: "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile" [12]. Signature suites for CA issuing keys and CRL issuing keys RSA with SHA-1 sha-1WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 } DSA with SHA-1 id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57 (10040) x9cm(4) 3 } ECDSA with SHA-1 ecdsa-with-SHA-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 10045 signatures(4) 1 } Preferred signature algorithms for subject public keys (any is allowed) RSA rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 1 1} DSA id-dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57(10040) x9cm(4) 1 } ECDSA id-ecPublicKey OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) 10045 2 1 } ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)54 F.3 Algorithm identifiers defined in RFC 3370 The title of the document is: "Cryptographic Message Syntax (CMS) Algorithms" [13]. Hash-functions sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) oiw(14) secsig(3) algorithm(2) 26 } Signature suite DSA defined in RFC 3370 [13] is always used with the SHA-1 message digest algorithm. The algorithm identifier for DSA is: id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57 (10040) x9cm(4) 3 } An alternative OID for DSA with SHA-1 is defined in ISO/IEC 14888-3 [8] id-dswa-dl-DSA OBJECT IDENTIFIER ::= { iso(1) standard(0) digital-signature-with-appendix(14888) part3(3) algorithm(0) 1} F.4 Algorithm identifiers defined in RFC 3447 The title of the document is: "PKCS #1: RSA Cryptography Specifications" [14]. Signature algorithm The algorithm identifier for RSA is: rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 } F.5 Algorithm identifier defined in RFC 3874 The title of the document is: "A 224-bit One-way Hash Function: SHA-224" [27]. id-sha224 id-sha224 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) sha224(4) } F.6 Algorithm identifiers defined in XML-Signature Syntax and Processing W3C Recommendation This recommendation from February 12, 2002 is about "XML-Signature Syntax and Processing" [30]. Hash-function SHA-1: http://www.w3.org/2000/09/xmldsig#sha1 Signature suite DSAwithSHA-1 (DSS): http://www.w3.org/2000/09/xmldsig#dsa-sha1 (Required) RSAwithSHA-1 (RSA): http://www.w3.org/2000/09/xmldsig#rsa-sha1 (Recommended) ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)55 F.7 Algorithm identifiers defined in XML Encryption Syntax and Processing. W3C Recommendation This recommendation from December 10, 2002 is about "in XML Encryption Syntax and Processing" [31]. Hash-functions SHA-1: http://www.w3.org/2000/09/xmldsig#sha1 SHA-256: http://www.w3.org/2001/04/xmlenc#sha256 RIPEMD-160: http://www.w3.org/2001/04/xmlenc#ripemd160 F.8 Algorithm identifiers defined in RFC 4050 The title of the document is: "Using the Elliptic Curve Signature Algorithm (ECDSA) for XML Digital Signatures" [28]. Signature suite ECDSA: http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1 NOTE: Like DSA, ECDSA incorporates the use of a hash function. The only hash function defined for use with ECDSA defined in this RFC is the SHA-1 message digest algorithm. F.9 Algorithm identifiers defined in RFC 4051 The title of the document is: "Additional XML Security Uniform Resource Identifiers (URIs)" [29]. SHA-224 http://www.w3.org/2001/04/xmldsig-more#sha224 RSA-SHA-256 http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 RSA-RIPEMD160 http://www.w3.org/2001/04/xmldsig-more/rsa-ripemd160 ECDSA-SHA http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1 http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224 http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256 ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)56 F.10 Algorithm identifiers defined in RFC 4055 The title of the document is: "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure. Certificate and Certificate Revocation List (CRL) Profile". RFC 4055 [15] supplements RFC 3279 [12] to describe how to use some newer cryptographic algorithms. Hash-functions id-sha224 OBJECT IDENTIFIER ::= {{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 4 } id-sha256 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1 } id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 } id-sha512 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3 } Mask Generation functions mgf1SHA-1Identifier AlgorithmIdentifier ::= { id-mgf1, sha1Identifier } mgf1SHA-224Identifier AlgorithmIdentifier ::= { id-mgf1, sha224Identifier } mgf1SHA-256Identifier AlgorithmIdentifier ::= { id-mgf1, sha256Identifier } mgf1SHA-384Identifier AlgorithmIdentifier ::= { id-mgf1, sha384Identifier } mgf1SHA-512Identifier AlgorithmIdentifier ::= { id-mgf1, sha512Identifier } Signature algorithms id-RSASSA-PSS OBJECT IDENTIFIER ::= { pkcs-1 10 } Signature suites sha224WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 14 } sha256WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 11 } sha384WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 12 } sha512WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 13 } ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)57 Annex G (informative): Abstracts of ISO/IEC 10118-3 and ISO/IEC 9796-2 Abstract of ISO/IEC 10118-3 [3] ISO/IEC 10118-3 [3] specifies the following seven dedicated hash-functions, i.e. specially-designed hash-functions: 1) RIPEMD-160 in clause 7 provides hash-codes of lengths up to 160 bits. 2) RIPEMD-128 in clause 8 provides hash-codes of lengths up to 128 bits. 3) SHA-1 in clause 9 provides hash-codes of lengths up to 160 bits. 4) SHA-256 in clause 10 provides hash-codes of lengths up to 256 bits. 5) SHA-512 in clause 11 provides hash-codes of lengths up to 512 bits. 6) SHA-384 in clause 12 provides hash-codes of a fixed length, 384 bits. 7) WHIRLPOOL in clause 13 provides hash-codes of lengths up to 512 bits. For each of these dedicated hash-functions, ISO/IEC 10118-3 [3] specifies a round-function that consists of a sequence of sub-functions, a padding method, initializing values, parameters, constants, and an object identifier as normative information, and also specifies several computation examples as informative information. Abstract of ISO/IEC 9796-2 [17] ISO/IEC 9796-2 [17] specifies three digital signature schemes giving message recovery, two of which are deterministic (non-randomized) and one of which is randomized. The security of all three schemes is based on the difficulty of factorizing large numbers. All three schemes can provide either total or partial message recovery. The method for key production for the three signature schemes is specified in ISO/IEC 9796-2 [17]. However, techniques for key management and for random number generation (as required for the randomized signature scheme), are outside the scope of ISO/IEC 9796-2 [17]. Wherever possible, the second mechanism (Digital signature scheme 2) is RECOMMENDED. However, in environments where generation of random variables by the signer is deemed infeasible, then Digital signature scheme 3 is RECOMMENDED. Digital signature scheme 1 SHALL only be used in environments where compatibility is required with systems implementing the first edition of this International Standard. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)58 Annex H (informative): Signature maintenance An advanced electronic signatures SHOULD be verified according to a signature policy that meets the business needs. There may exist valid reasons under particular circumstances to use a signature policy different from the one which should normally be used. In such a case, the full implications must be understood and carefully weighted by the verifier. A signature policy MAY include constraints about which algorithms and key lengths are deemed appropriate under that policy and/or define a time beyond which the algorithms/keys related to an advanced electronic signature should not be trusted anymore, unless additional security measures are taken. It may be needed to re-verify advanced electronic signatures (this is called a subsequent verification) well beyond the time they were initially verified. At the time of re-verification, trust anchors and algorithms that were initially defined in the signature policy may not be secure anymore. Additional security measures need to be taken so that this can be done. It may also happen that some keys were secure at the time the initial verification of an advanced electronic signature was performed, but due to some "accident" this is no more the case later on (e.g. due to a key compromise). In both cases, it is possible to maintain the security of an advanced electronic signature which has already been successfully verified. This may be done with security measures such as: • the secure archival of both the definition of the signature policy (or an unambiguous reference to it) and all the data initially used to verify the advanced electronic signature according to that signature policy; or • the secure archival of both the definition of the signature policy and the addition to the advanced electronic signature of other data (e.g. time-stamps) that will allow subsequent verifications. These measures may be defined in the signature policy itself or "elsewhere" in a set of rules called a "signature maintenance policy" which will allow to maintain the validity of advanced electronic signatures. At a time where it is possible or likely that the algorithms and key lengths originally used will not be secure anymore, an application of a signature maintenance process allows nevertheless to re-verify advanced electronic signatures under a given signature policy. The sooner the process is applied, the better. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)59 Annex I (informative): Major changes from previous versions The version 2.0.0 of the present document was a revision and update of clause 9 of version 1.2.1. Beside error correction and update of some references the following changes were made. 4. Maintenance of the document The maintenance activity was described in more details. 5. Hash functions In the table of recommended hash functions SHA-384 and SHA-512 were included, and their description is given in new clauses. This leads also to new signature suites in clause 7. 6. Signature schemes The description was extended for clarification. 7. Signature suites New signature suites with ECDSA and new hash function were added. This implies also additions in the corresponding tables of OIDs in clause 11. 9. Recommended hash functions and key sizes versus time The almost undistinguishable liberal and conservative was removed and all the tables were rebuilt. Annex A (normative): Algorithms for various data structures The phasing out of SHA-1 was reflected in the reworked tables of the sections. The recommendation or support of SHA-256 and the based on its signature suites were added. Annex I (informative): Major changes from previous versions The version 2 of this multi-part deliverable was a revision and update of clause 9. Therefore this former empty annex was used for the description of the major changes. Annex J (informative): National Bodies New clause was added indicating the National Bodies and their contacts at the time of publication of the present document. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)60 Annex J (informative): National Bodies This annex contains references to national bodies known at issuing time. It is based on the information of FESA (http://www.fesa.eu) and lists Bodies responsible for supervision (according Art. 11 of the Directive 1999/93/EC [1]). Contact details of notified supervisory authorities are available at: http://ec.europa.eu/information_society/policy/esignature/index_en.htm 1. Austria Telekom-Control-Kommission Telekom-Control Commission Mariahilfer Str. 77-79, A-1060 Wien/Vienna Tel: +43/1/58058-0 Fax: +43/1/58058-9191 Email: signatur@signatur.rtr.at Website: http://www.signatur.rtr.at/ 2. Belgium SPF Economie, PME, Classes moyennes et Energie - Qualité et Sécurité - Information Management / FOD Economie, KMO, Middenstand en Energie - Kwaliteit en Veiligheid - Information Management / FÖD Wirtschaft, KMB, Mittelstand und Energie - Qualität und Sicherheit - Informationsmanagement FPS Economy, SMEs, Self-employed and Energy - Quality and Security - Information Management NG III - 4 verdiep, Koning Albert II-laan 16, 1000 BRUSSEL Tel: +32 2 277 74 30 Fax: +32 2 277 54 01 Email: be.sign@economie.fgov.be Website: http://www.mineco.fgov.be 3. Bulgaria Communications Regulation Commission (CRC) Комисия за регулиране на съобщенията гр. София 1000, ул. Гурко 6 Email: info@crc.bg Website: http://www.crc.bg 4. Czech Republic Ministerstvo vnitra Ministry of the Interior Nad Štolou 3, poštovní schránka 21, 170 34 Praha 7 Email: posta@mvcr.cz Website: http://www.mvcr.cz 5. Cyprus Υπουργείο Εμπορίου, Βιομηχανίας και Τουρισμού Ministry of Communications and Works 286 Strovolos Avenue, 2048 Nicosia E-Mail: mailto:info.dec@mcw.gov.cy Website: http://www.mcw.gov.cy/dec 6. Denmark IT- og Telestyrelsen National IT and Telecom Agency Holsteinsgade 63, 2100 København Ø Tel: 4535450000 Email: digsig@itst.dk Website: http://www.itst.dk ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)61 7. Estonia Sideamet Estonian National Communications Board Ädala 2, Tallinn 10614 Tel: (0) 693 1154 Fax: (0) 693 1155 Email: sideamet@sa.ee Website: http://www.sa.ee/ 8. Finland Viestintävirasto Finnish Communications Regulatory Authority (FICORA) Itämerenkatu 3 A, PO BOX 313, FI-00181 Helsinki Tel: +358 9 69661 Fax: +358 9 6966 873 Website: http://www.ficora.fi 9. France Agence nationale de la sécurité des systèmes d’information (ANSSI) Secrétariat général de la défense et de la sécurité nationale 51, boulevard de La Tour-Maubourg, F-75700 Paris 07 SP Tel: 0033171758405 Fax: 0033171758400 Email: secretariat.anssi@ssi.gouv.fr Website: http://www.ssi.gouv.fr/ 10. Germany Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway Referat Elektronische Signatur, Canisiusstr. 21, D 55122 Mainz Tel: +49 6131 18-0 Fax: +49 6131 18-5618 Email: ElektronischeSignatur@BNetzA.de Website: http://www.bundesnetzagentur.de/ 11. Greece Εθνικη Επιτροπη Τηλεπικοινωνιων και Ταχυδρομειων (EETT) National Telecommunications and Post Commission (EETT) 60, Kifissias Av. , 151 25 Maroussi Athens GREECE Tel: +30 10 6151000 Fax: +30 10 6105049 Email: info@eett.gr Website: http://www.eett.gr 12. Hungary Nemzeti Média- és Hírközlési Hatóság National Media and Infocommunications Authority H- 1015 Budapest, Ostrom u. 23-25. Tel: +36-1-4577100 Fax: +36-1-356-5520 Email: info@nmhh.hu Website: http://www.nmhh.hu/ 13. Iceland Neytendastofa, The Consumer Agency Borgartúni 21, 105 Reykjavík Tel +354 510 1126 Fax +354 510 1101 Email: postur@neytendastofa.is Website: http://www.neytendastofa.is 14. Ireland Department of Communications, Marine and Natural Resources 29-31 Adelaide Road, Dublin 2 Tel +353 1 6782000 Fax +353 1 6782449 Website: http://www.dcmnr.gov.ie ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)62 15. Italy DigitPA - Ente nazionale per la digitalizzazione della pubblica amministrazione National Center for IT in the Public Administration Viale Marx 31/49, 00137 Roma Tel: +39 06 852641 Fax: +39 06 85264 137 Email: arbia@cert.cnipa.it Website: http://www.digitpa.gov.it 16. Latvia Datu valsts inspekcija, Data State Inspectorate Kr.Barona iela 5-4, Rīga, LV-1050 Website: http://www.dvi.gov.lv Email:info@dvi.gov.lv Tel +371 2 7223131 Fax +371 2 7223556 17. Liechtenstein Amt für Kommunikation, Office for Communications Kirchstrasse 10, Postfach 681, 9490 Vaduz Tel +423 236 64 88 Fax +423 236 64 89 Email: info@ak.llv.li Website: http://www.llv.li/amtsstellen/llv-ak-home.htm 18. Lithuania Lietuvos Respublikos ryšiu reguliavimo tarnyba Communications Regulatory Authority of the Republic of Lithuania Algirdo str. 27A, LT-03219 Vilnius, Lithuania Tel: +370 5 210 5633 Fax: +370 5 216 1564 Email: rrt@rrt.lt Website: http://www.rrt.lt/ 19. Luxembourg Institut Luxembourgeois de la Normalisation, de l'Accréditation, de la Sécurité et qualité des produits et services (ILNAS) 34-40 Avenue de la Porte-Neuve; L-2227 Luxembourg Tel: +352 46 97 46 1 Fax: +352 22 25 24 Email: info@ilnas.public.lu Website: http://www.ilnas.public.lu 20. Malta Awtorita' ta' Malta dwar Il-Komunikazzjoni Malta Communications Authority Il-Piazzetta, Suite 43/44, Tower Road, Sliema SLM 16, Malta, Europe Tel: +356 21 336 840 Fax: +356 21 336 846 Email: mca@mca.org.mt Website: http://www.mca.org.mt/ 21. Netherlands Onafhankelijke Post en Telecommunicatie Autoriteit (OPTA) Independent Post and Telecommunications Authority (OPTA) Zurichtoren, Muzenstraat 41, Postbus 90420, 2509 LK, The Hague Tel: +31703153500 Fax: +31703153501 Email: ttp@opta.nl Website: http://www.opta.nl/ 22. Norway Post- og teletilsynet; Norwegian Post and Telecommunications Authority (NPT) postal address: Postboks 93, 4791 Lillesand Tel +47 22 82 46 00 Fax +47 22 82 46 40 Email: firmapost@npt.no Website: http://www.npt.no/ ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)63 23. Poland Ministerstwo Gospodarki Ministry of Economy Pl. Trzech Krzyzy 3/5, 00-507 Warsaw, Poland Email: Marcin.Fijalkowski@mg.gov.pl Website: http://www.mg.gov.pl 24. Portugal Autoridade Nacional de Segurança National Security Authority Av. Ilha da Madeira, 1, 8º 1449-004 Lisboa Tel +351 213 031 710 Fax +351 213 031 711 Email: gns@netcabo.pt 25. Romania Ministry of Communications and Information Technology Bd.Libertăţii nr.14, 050706, Bucureşti Email: arsadmin@mcti.ro Website: http://ars.mcti.ro 26. Slovak Republic Národný bezpecnostný úrad National Security Authority Budatinska 30, P.O. BOX 16 850 07 Bratislava Tel: +421-2-68699503 Fax: +421-2-63824005 Email: sep@nbusr.sk Website: http://www.nbusr.sk/en/electronic-signature 27. Slovenia Ministry of the Economy Inspectorate for electronic communications, electronic signature and post (Ministrstvo za gospodarstvo; Inšpektorat Republike Slovenije za elektronske komunikacije, elektronsko podpisovanje in pošto), Stegne 7, SI-1000 Ljubljana, Website: http://www.mg.gov.si/ 28. Sweden Post- och telestyrelsen National Post and Telecom Agency P.O. Box 5398, SE-102 49 Stockholm, Sweden Tel: +46 8 678 55 00 Fax: +46 8 678 55 05 Email: pts@pts.se Website: http://www.pts.se 29. Spain Secretaría de Estado de Telecomunicaciones y para la Sociedad de la Información (SETSI). Ministerio de Industria, Turismo y Comercio (MITYC) State Secretariat for Telecommunications and for the Information Society (SETSI). Ministry of Industry, Tourism and Trade (MITYC). C/ Capitán Haya, 41. 28020 Madrid. España-Spain Tel: +34 91 346 1597 Fax: +34 91 346 1577 Website: http://www.mityc.es 30. United Kingdom Department of Business, Innovation & Skills 151 Buckingham Palace Road, London, SW1 9SS Tel: +44 207 215 1961 Fax: +44 207 931 7194 ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)64 Annex K (informative): Bibliography • ECRYPT Yearly Report on Algorithms and Keysizes (2005). Revision 1.1, 29 January 2007. • ECRYPT Position Paper: Recent Collision Attacks on Hash Functions. Revision 1.1 17 February 2005. • IETF RFC 5462 (2009): "Multi-Protocol Label Switching (MPLS) Support of Differentiated Services". • [LenstraVerheul] Selecting Cryptographic Key-sizes, A.K. Lenstra E.R. Verheul, Journal of Cryptology 14 (2001) pp 255-293. • Dobbertin, H., Bosselaers, A. and Preneel, B., "RIPEMD-160: A strengthened version of RIPEMD", in Fast software encryption, Proceedings of the Third International Workshop, Cambridge, UK, February 21-23, 1996, pp. 71-82, D. Gollmann (ed.), LNCS 1039, Springer-Verlag, 1996. • Rivest, R.L., "Finding four million random primes", in Advances in Cryptology - Crypto '90, pp. 625-626, A.J. Menezes (ed.), LNCS 537, Springer-Verlag, 1991. • Blum, M. and Micali, S., "How to generate cryptographically strong sequences of pseudo-random bits", SIAM Journal on Computing, Vol. 4, No. 13, pp. 850-863, 1984. • Rivest, R., Shamir, A. and Adleman, L., "A method for obtaining digital signatures and public key cryptosystems", Communications of the ACM, Vol. 21, No. 2, pp. 120-126, 1978. • BSI. Technical Guideline: Elliptic Curve Cryptography (ECC). Technical Guideline TR-03111, version 1.11, 2009, https://www.bsi.bund.de/ContentBSI/Publikationen/TechnischeRichtlinien/tr03111/index_htm.html • Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen, "Bekanntmachung zur elektronischen Signatur nach dem Signaturgesetz und der Signaturverordnung (Übersicht über geeignete Algorithmen)", German Federal Gazette No. 85 (2011), pp. 2034ff., http://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/BNetzA/Sachgebiete/QES/Veroeffentlichungen /Algorithmen/2011_2_AlgoKatpdf.pdf. • "Verordnung über elektronische Signaturen (Signaturverordnung – SigV)", Austrian Federal Law Gazette II No. 30/2000 as amended by Austrian Federal Law Gazette II No. 527/2004. • RSA Security, Inc., "RSA Laboratories' Frequently Asked Questions About Today's Cryptography", Version 4.1, July 2000. • GMD, "SECUDE: Algorithms", SECUDE-5.1, November 1997. • Galbraith, S.D., and Smart, N.P., "A Cryptographic Application of Weil Descent", in Cryptography and Coding, M. Walker (ed.), LNCS 1746, Springer-Verlag, 1999. • FESA - Forum of European Supervisory Authorities, http://www.fesa.rtr.at • Johnson, D.B., and Menezes, A.J., "Elliptic Curve DSA (ECDSA). • TeleTrust OID tree structure, Version 0.3. NOTE: Available at: http://www.teletrust.de/projekte/oid/ • Damgard, I., Landrock P.and Pomerance C., "Average case error estimates for the strong probable prime test", Math. Comp., 61:177-194, 1993. • Knuth, D., "The art of computer programming - Volume 2 / Seminumerical algorithms (chapter 3)", Addison-Wesley, 1981. • Kelsey, J., Schneier, B., Wagner, D. and Hall, C., "Cryptanalytic Attacks on Pseudorandom Number Generators", Fast Software Encryption '98, LNCS 1372, pp. 168-188, 1998. ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)65 • M.D. Huang, W. Raskind "Global Methods for Discrete Logarithm Problems". See: http://www.cacr.math.uwaterloo.ca/conferences/2004/ecc2004/huang.pdf • "A Unified Approach to the Discrete Logarithm Problem for the Multiplicative Group and for Elliptic Curves over finite Fields". September 20, 2004. See: http://www.cacr.math.uwaterloo.ca/conferences/2004/ecc2004/raskind.pdf • Common ISIS-MTT Specification for interoperable PKI applications. Part 6. Cryptographic Algorithms. Version 1.1. 16 March 2004 • FIPS Draft Publication 186-3 (2006): "Digital Signature Standard (DSS)". • IETF RFC 5758: "Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA". NOTE: Available at: http://www.ietf.org/rfc/rfc5758.txt. • TeleTrusT Deutschland e. V., "OID-Liste". NOTE: Available at: http://www.teletrust.de/index.php?id=171. • The Digital Signature Scheme ECGDSA. NOTE: Available at: http://www.teletrust.de/fileadmin/files/oid/ecgdsa_final.pdf. • ANSSI, Référentiel Général de Sécurité Version 1.0, Annexe B1 Mécanismes cryptographiques, Règles et recommandations concernant le choix et le dimensionnement des mécanismes cryptographiques Version 1.20, 2010-01-26. NOTE: See http://www.ssi.gouv.fr/IMG/pdf/RGS_B_1.pdf. • Rundfunk und Telekom Regulierungs-GmbH (RTR-GmbH), Empfohlene Algorithmen und Parameter für elektronische Signaturen, 2006-04-03. NOTE: See http://www.signatur.rtr.at/repository/rtr-algorithms-20070601-de.pdf. • Nemzeti Hírközlési Hatóság, A hitelesítés-szolgáltatás területén alkalmazható kriptográfiai algoritmusokról és paraméterekről szóló NHH határozat melléklete, 2006-04-05. NOTE: See http://www.nhh.hu/dokumentum.php?cid=9201 • Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen, Bekanntmachung zur elektronischen Signatur nach dem Signaturgesetz und der Signaturverordnung (Übersicht über geeignete Algorithmen), 2011-05-20. NOTE: See http://www.bundesnetzagentur.de/SharedDocs/Downloads/DE/BNetzA/Sachgebiete/QES/Veroeffentlichu ngen/Algorithmen/2011_2_AlgoKatpdf.pdf?__blob=publicationFile ETSI ETSI TS 102 176-1 V2.1.1 (2011-07)66 History Document history V1.1.1 March 2003 Publication as SR 002 176 V1.2.1 July 2005 Publication V2.0.0 November 2007 Publication V2.1.1 July 2011 Publication