| Internet-Draft | SM2 Digital Signature Algorithm for DNSS | December 2023 |
| Zhang, et al. | Expires 19 June 2024 | [Page] |
This document describes how to specify SM2 Digital Signature Algorithm keys and signatures in DNS Security (DNSSEC). It lists the curve and uses SM3 as hash algorithm for signatures.¶
This draft is an independent submission to the RFC series, and does not have consensus of the IETF community.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 19 June 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
DNSSEC is broadly defined in RFCs 4033, 4034, and 4035 ([RFC4033], [RFC4034], and [RFC4035]). It uses cryptographic keys and digital signatures to provide authentication of DNS data. DNSSEC signature algorithms are registered in the DNSSEC algorithm IANA registry [IANA].¶
This document defines the DNSKEY and RRSIG resource records (RRs) of new signing algorithms: SM2 uses elliptic curves over 256-bit prime fields with SM3 hash algorithm. (A description of SM2 and SM3 can be found in GB/T 32918.2-2016 [GBT-32918.2-2016] or ISO/IEC14888-3:2018 [ISO-IEC14888-3_2018], and GB/T 32905-2016 [GBT-32905-2016] or ISO/IEC10118-3:2018 [ISO-IEC10118-3_2018].) This document also defines the DS RR for the SM3 one-way hash algorithm. In the signing algorithm defined in this document, the size of the key for the elliptic curve is matched with the size of the output of the hash algorithm. Both are 256 bits.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].¶
The implementation of SM3 in DNSSEC follows the implementation of SHA-256 as specified in RFC 4509[RFC4509] except that the underlying algorithm is SM3 with digest type code [TBD1, waiting for an IANA's code assignment].¶
The generation of a SM3 hash value is described in Section 5 of [GBT-32905-2016] and generates 256-bit hash value.¶
Verifying SM2 signatures requires agreement between the signer and the verifier of the parameters used. SM2 digital signature algorithm has been added to ISO/IEC 14888-3:2018. And the parameters of the curve used in this profile are as follows:¶
p = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF a = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFC b = 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93 xG = 32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7 yG = BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0 n = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123¶
SM2 public keys consist of a single value, called "P". In DNSSEC keys, P is a string of 32 octets that represents the uncompressed form of a curve point, "x | y". (Conversion of a point to an octet string is described in Section 4.2.8 of GB/T 32918.1-2016 [GBT-32918.1-2016].)¶
The SM2 signature is the combination of two non-negative integers, called "r" and "s". The two integers, each of which is formatted as a simple octet string, are combined into a single longer octet string for DNSSEC as the concatenation "r | s". (Conversion of the integers to bit strings is described in Section 4.2.1 of [GBT-32918.1-2016].) Each integer MUST be encoded as 32 octets.¶
Process details are described in Section 6 "Digital signature generation algorithm and its process" in [GBT-32918.2-2016].¶
The algorithm number associated with the DNSKEY and RRSIG resource records is [TBD2, waiting for an IANA’s code assignment], which is described in the IANA Considerations section.¶
Conformant implementations that create records to be put into the DNS MAY implement signing and verification for the above algorithm. Conformant DNSSEC verifiers MAY implement verification for the above algorithm.¶
This document does not define algorithm aliases mentioned in RFC 5155 [RFC5155].¶
A DNSSEC validator that implements the signing algorithms defined in this document MUST be able to validate negative answers in the form of both NSEC and NSEC3 with hash algorithm 1, as defined in RFC 5155. An authoritative server that does not implement NSEC3 MAY still serve zones that use the signing algorithms defined in this document with NSEC denial of existence.¶
If using NSEC3, the iterations MUST be 0 and salt MUST be an empty string as recommended in Section 3.1 of RFC 9276 [RFC9276].¶
The following is an example of SM2 keys and signatures in DNS zone file format.¶
Private-key-format: v1.3 Algorithm: [TBD2] (SM2SM3) PrivateKey: V24tjJgXxp2ykscKRZdT+iuR5J1xRQN+FKoQACmo9fA=¶
Here is an example program [Example_Program] based on dnspython and gmssl, which supplies key generating, zone signing, zone validating and DS RR generating functions for convenience.¶
This document will update the IANA registry for digest types in DS records, currently called "Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms".¶
Value TBD1
Digest Type SM3
Status OPTIONAL
¶
This document will update the IANA registry "Domain Name System Security (DNSSEC) Algorithm Numbers".¶
Number TBD2
Description SM2 signing algorithm with SM3 hashing algorithm
Mnemonic SM2SM3
Zone Signing Y
Trans. Sec. *
Reference This document
¶
* There has been no determination of standardization of the use of this algorithm with Transaction Security.¶
The security strength of SM2 is considered to be equivalent to half the size of the key, which is 128 bits (as described in [ECC]). The security of ECC-based algorithms is influenced by the curve it uses, too.¶
Concerning the vulnerabilities, if the reason is that the curve is compromised, using a different one may be helpful. If the reason is that the size of the key is too short, increasing the size could increase the security. In the worst case, if the algorithm is compromised, using a different algorithm is the only choice. In the former two situations, extra implementation work is required. Using popular cryptography library which support SM2 and SM3 algorithms may make it convenient for DNS implementations to do so.¶
The security considerations listed in RFC 4509 apply here as well.¶