Proposed XML Signature 1.1/Algorithm Cross-Reference updates related to Key Sizes from Frederick.Hirsch@nokia.com on 2012-08-27 (public-xmlsec@w3.org from August 2012)

From: <Frederick.Hirsch@nokia.com>
Date: Mon, 27 Aug 2012 16:22:34 +0000
To: <public-xmlsec@w3.org>
CC: <Frederick.Hirsch@nokia.com>
Message-ID: <9FF32E5D-52E9-482D-AAF9-DAC9BB2FB325@nokia.com>
As discussed on the last teleconference, the key size security considerations in XML Signature 1.1 require an update. These proposed changes should also be carried forward to XML Signature 2.0.

Proposed changes:

(1) change last sentence in 1st paragraph of Security Considerations in DSA in 6.4.1 [1] from

 "Special Publication SP 800-57 Part 1 [SP800-57<http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.src.html#bib-SP800-57>], NIST recommends using at least at 2048-bit public keys for securing information beyond 2010 (and 3072-bit keys for securing information beyond 2030)."

to

"NIST provides guidance on the use of keys of various strength for various time frames in special Publication SP 800-57 Part 1 [SP800-57<http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.src.html#bib-SP800-57>]. Implementers should consult this publication for guidance on acceptable key lengths for applications, however 2048-bit public keys are the minimum recommended key length and  3072-bit keys are recommended for securing information beyond 2030. SP800-57 Part 1 states that DSA 1024-bit key sizes should not be used except to verify and honor signatures  created using older legacy systems."

(2) Change SP800-57 Part 1 reference from 2007 reference to 2012 reference. Specifically, change

"[SP800-57]
Recommendation for Key Management – Part 1: General (Revised).<http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf> SP800-57. U.S. Department of Commerce/National Institute of Standards and Technology. URL:http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf"

to

"[SP800-57]
Recommendation for Key Management – Part 1: General (Revised).<http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf> SP800-57. July 2012.  U.S. Department of Commerce/National Institute of Standards and Technology. URL: http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf"

with URL hyperlinked, and Title linked to updated url.


(3) change last  sentence of last paragraph of Security Considerations in DSA in 6.4.1 [1] from

 "XML Signature 1.1 implementations may but are not required to support DSA-based signature generation, and given the short key size and the SP800-57 guidelines, DSA with 1024-bit prime moduli should not be used for signatures that will be verified beyond 2010."

to

 "XML Signature 1.1 implementations may but are not required to support DSA-based signature generation. Given the short key size and SP800-57 guidelines, DSA with 1024-bit prime moduli should not be used to create signatures. DSA with 1024-bit prime moduli  may be used to verify older legacy signatures, with an understanding of the associated risks. Important older signatures should be re-signed with stronger signatures."

(4) change Security Considerations in RSA in 6.4.2 [2] from

"In Special Publication SP 800-57 Part 1 [SP800-57<http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.src.html#bib-SP800-57>], NIST recommends using at least 2048-bit public keys for securing information beyond 2010 (and 3072-bit keys for securing information beyond 2030). All conforming implementations of XML Signature 1.1 must support RSA signature generation and verification with public keys at least 2048 bits in length. RSA public keys of 1024 bits or less should not be used for signatures that will be verified beyond 2010. XML Signature 1.1 implementations should use at least 2048-bit keys for all signatures, and should use at least 3072-bit keys for signatures that will be verified beyond 2030."

to

"NIST provides guidance on the use of keys of various strength for various time frames in special Publication SP 800-57 Part 1 [SP800-57<http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.src.html#bib-SP800-57>]. Implementers should consult this publication for guidance on acceptable key lengths for applications, however 2048-bit public keys are the minimum recommended key length and  3072-bit keys are recommended for securing information beyond 2030.

All conforming implementations of XML Signature 1.1 must support RSA signature generation and verification with public keys at least 2048 bits in length. RSA public keys of 1024 bits or less should not be used to create new signatures but MAY be used to verify signatures created by older legacy systems.  XML Signature 1.1 implementations MUST use at least 2048-bit keys for creating signatures, and should use at least 3072-bit keys for signatures that will be verified beyond 2030."

(5) Change XML Security Algorithm Cross Reference section 3.1, DSA-SHA1 [3], from

"Implementation of this algorithm is required in [XMLDSIG-CORE2002<http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#bib-XMLDSIG-CORE2002>], and [XMLDSIG-CORE<http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#bib-XMLDSIG-CORE>]. It is mandatory to implement in [XMLDSIG-CORE1<http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#bib-XMLDSIG-CORE1>] for signature verification but support for signature generation is optional. [XMLDSIG-CORE1<http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#bib-XMLDSIG-CORE1>] requires verification support for 1024 bit key signatures, however noting that 1024 bit keysshould not be used for signatures that will be verified beyond 2010."

to

"Implementation of this algorithm is required in [XMLDSIG-CORE2002<http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#bib-XMLDSIG-CORE2002>], and [XMLDSIG-CORE<http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#bib-XMLDSIG-CORE>]. It is mandatory to implement in [XMLDSIG-CORE1<http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#bib-XMLDSIG-CORE1>] for signature verification. [XMLDSIG-CORE1<http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#bib-XMLDSIG-CORE1>] requires verification support for 1024 bit key legacy signatures, but requires that 1024 bit keys must not be used for new signatures."

Please reply with support or corrections to this proposal on the public list.

Thanks

regards, Frederick

Frederick Hirsch
Nokia


[1]  http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.src.html#sec-DSA

[2]  http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core-11/Overview.src.html#sec-PKCS1

[3] http://www.w3.org/2008/xmlsec/Drafts/xmlsec-algorithms/Overview.src.html#DSA

For tracker, this completes ACTION-899
Received on Monday, 27 August 2012 16:23:15 UTC