TOC 
Long-term Archive And NotaryT. Kunz
Services (LTANS)Fraunhofer Institute for Secure
Internet-DraftInformation Technology
Intended status: Standards TrackS. Okunick
Expires: November 20, 2008pawisda systems GmbH
 U. Pordesch
 Fraunhofer Gesellschaft
 May 19, 2008


Data Structure for Security Suitabilities of Cryptographic Algorithms (DSSC)
draft-ietf-ltans-dssc-03.txt

Status of this Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on November 20, 2008.

Abstract

In many application areas it must be possible to prove the existence and integrity of digital signed data. This proof depends on the security suitability of the used cryptographic algorithms. Because algorithms can become weak over the years, it is necessary to periodically evaluate these security suitabilities. When signing or verifying data, these evaluations must be considered. This document specifies a data structure for security suitabilities of cryptographic algorithms which may be automatically interpreted.

Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).



Table of Contents

1.  Introduction
    1.1.  Motivation
    1.2.  Terminology
    1.3.  Use Cases
2.  Requirements and Assumptions
    2.1.  Requirements
    2.2.  Assumptions
3.  Data Structures
    3.1.  SecuritySuitabilityPolicy
    3.2.  PolicyName
    3.3.  Publisher
    3.4.  Address
    3.5.  PolicyIssueDate
    3.6.  NextUpdate
    3.7.  Usage
    3.8.  Algorithm
    3.9.  AlgorithmIdentifier
    3.10.  Evaluation
    3.11.  Parameter
    3.12.  Validity
    3.13.  Information
    3.14.  Signature
4.  Definition of Parameters
5.  Proceeding
6.  Security Considerations
7.  References
    7.1.  Normative References
    7.2.  Informative References
Appendix A.  Example of a Policy
Appendix B.  DSSC and ERS
    B.1.  Verification of Evidence Records using DSSC
    B.2.  Storing DSSC Policies in Evidence Records
Appendix C.  XML schema
Appendix D.  ASN.1 Module in 1988 Syntax
Appendix E.  ASN.1 Module in 1997 Syntax
§  Authors' Addresses
§  Intellectual Property and Copyright Statements




 TOC 

1.  Introduction



 TOC 

1.1.  Motivation

Digital signatures are means to provide data integrity and authentication. They are based on cryptographic algorithms, which must have certain security properties. For example, hash algorithms have to be resistant to collisions and in case of public key algorithms it must not be possible to compute the private key of a given public key. If algorithms did not have the required properties, signatures could be forged.

Very few algorithms satisfy the security requirements and are suitable for usage in signatures. Besides, because of the increasing performance of computers and progresses in cryptography, algorithms or their parameters become insecure over the years. The hash algorithm MD5, for example, is unsuitable today. A digital signature using a "weak" algorithm has no probative value. Every kind of digital signed data like signed documents, time stamps, certificates, and revocation lists is affected, in particular in the case of long-term archiving. Over long periods of time, it is realistic to assume that the algorithms used in signatures become insecure.

For this reason, it is important to periodically reevaluate algorithms regarding their security properties and to consider these evaluations when creating, verifying or renewing signatures. Since algorithm evaluations contain (predicted) validity periods of algorithms, they help to detect, whether an insecure algorithm is used in a signature or whether a signature has been renewed in time. Algorithm evaluations are made by expert committees after long scientific discussion and are published by specific evaluation institutions. In Germany the Federal Network Agency annually publishes evaluations of cryptographic algorithms [BNetzAg.2008] (Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway, “Bekanntmachung zur elektronischen Signatur nach dem Signaturgesetz und der Signaturverordnung (Übersicht über geeignete Algorithmen),” December 2007.). Examples for European and international evaluations are [NIST.800‑57‑Part1.2006] (National Institute of Standards and Technology, “Recommendation for Key Management – Part 1: General (Revised),” May 2006.) and [ETSI‑TS102176‑1‑2005] (European Telecommunication Standards Institute (ETSI), “Electronic Signatures and Infrastructures (ESI); "Algorithms and Parameters for Secure Electronic Signatures; Part 1: Hash functions and asymmetric algorithms",” July 2005.).

These evaluations are published in written text and are not interpretable by computer programs. Therefore it is necessary to define an automatically interpretable data structure holding them. A standardized data structure can be used for publication and can be interpreted by e.g. signing and verification tools. Algorithm evaluations are pooled in a so-called security suitability policy. In this document a data structure for a security suitability policy is specified.



 TOC 

1.2.  Terminology

Algorithm:
In the context of this document, a cryptographic algorithm, i.e. a public key or hash algorithm. For public key algorithms this is the algorithm with its parameters.
Operator:
Instance which uses and interprets a policy, e.g. a signature component.
Policy:
In this document, an abbreviation for security suitability policy.
Publisher:
Instance that publishes the evaluation of algorithms as a policy.
Security suitability policy:
The evaluation of cryptographic algorithms with regard to their security in a specific application area, e.g. signing or verifying data. The evaluation is published in an electronic format.
Suitable algorithm:
An algorithm which is evaluated in a policy to be valid.



 TOC 

1.3.  Use Cases

In the following some use cases for a security suitability policy are presented.

Long-term archiving:
The most important use case is long-term archiving of signed data. Algorithms or their parameters become insecure over long time periods. Therefore signatures of archived data and timestamps have to be periodically renewed. A policy provides information about suitable and threatened algorithms. Additionally the policy assists in verifying archived as well as re-signed documents.
Services:
Services may provide information about cryptographic algorithms. On the basis of a policy a service is able to provide the date when an algorithm became insecure or presumably will become insecure or to provide all algorithms which are presently valid. Verification tools or long-term archiving systems can request such services and therefore do not need to deal with the algorithm security by themselves. Long-term Archive Services (LTA) as defined in [RFC4810] (Wallace, C., Pordesch, U., and R. Brandner, “Long-Term Archive Service Requirements,” March 2007.)) may use the policy for signature renewal.
Signing and verifying:
When signing documents, certificates or attestations, e.g. within an LTAP transaction ([I‑D.ietf‑ltans‑ltap] (Jerman-Blazic, A., Sylvester, P., and C. Wallace, “Long-term Archive Protocol (LTAP),” February 2008.)), it has to be assured that the algorithms which will be used for signing are suitable. Accordingly when verifying e.g CMS ([RFC3852] (Housley, R., “Cryptographic Message Syntax (CMS),” July 2004.)) or XML signatures ([RFC3275] (Eastlake, D., Reagle, J., and D. Solo, “(Extensible Markup Language) XML-Signature Syntax and Processing,” March 2002.), [ETSI‑TS101903] (European Telecommunication Standards Institute (ETSI), “XML Advanced Electronic Signatures (XAdES),” Feb 2002.)), not only the validity of the certificates may be checked, but also the validity of the used algorithms.
Reencryption:
A security suitability policy can also be used to decide if encrypted documents must be reencrypted because the encryption algorithm is no longer secure.



 TOC 

2.  Requirements and Assumptions

This section first describes general requirements for a data structure containing the security suitabilities of algorithms. Afterwards model assumptions are specified concerning both the design and the usage of the data structure.

A policy contains a list of evaluated algorithms. An algorithm evaluation is described by its identifier, security constraints and predicted validity period. By these constraints the requirements for algorithm properties must be defined, e.g. a public key algorithm is evaluated on the basis of its parameter.



 TOC 

2.1.  Requirements

Automatic interpretation:
The data structure of the policy must allow an automatic interpretation in order to consider the security suitabilities of algorithms when signing, verifying or renewing signatures.
Flexibility:
The data structure must be flexible enough to support new algorithms. In a future policy publication an algorithm could be included, that is currently unknown. It must be possible to add new algorithms with the corresponding security constraints in the data structure. Besides, the data structure must be independent of the intended use, e.g. signing, verifying, and signature renewing.
Considering different policies:
Policies may be published by different institutions, e.g. on national or EU level, whereas one policy needs not to be in agreement with the other one. Furthermore organizations may undertake own evaluations for internal purposes. For this reason a policy must be attributable to its publisher.
Integrity and authenticity:
The integrity and authenticity of a published security suitability policy should be assured. The publisher must be able to sign the policy so that operators may prove the identity and trustworthiness of a policy.



 TOC 

2.2.  Assumptions

It is assumed that a policy contains the evaluations of all currently known algorithms, including the expired ones.

An algorithm is valid now if it is contained in the current policy and the end of the validity period is in the future, respectivly open-end.

If an algorithm appears in a policy for the first time, it will be assumed that the algorithm has already been suitable in the past. Generally an algorithm is used in practice before it is evaluated.

To avoid inconsistencies, multiple instances of the same algorithm definition as well as validity overlaps for one algorithm are prohibited. It is up to the publisher to take care about preventing conflicts within a policy.

Assertions made in the policy are suitable at least until the next policy is published.

An algorithm once expired must not get valid again in a future policy. There must not be any gaps in the validity periods.



 TOC 

3.  Data Structures

This section describes the syntax of a security suitability policy defined as an XML schema. The ASN.1 modules are defined in Appendix D (ASN.1 Module in 1988 Syntax) and Appendix E (ASN.1 Module in 1997 Syntax). The schema uses the following namespace:

http://www.sit.fraunhofer.de/dssc

Within this document, the prefix "dssc" is used for this namespace. The schema starts with the following schema definition:


<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:dssc="http://www.sit.fraunhofer.de/dssc"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           targetNamespace="http://www.sit.fraunhofer.de/dssc"
           elementFormDefault="qualified"
           attributeFormDefault="unqualified">
<xs:import namespace="http://www.w3.org/XML/1998/namespace"
           schemaLocation="http://www.w3.org/2001/xml.xsd"/>
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
           schemaLocation="xmldsig-core-schema.xsd"/>



 TOC 

3.1.  SecuritySuitabilityPolicy

The SecuritySuitabilityPolicy element is the root element of a policy. It has an optional id attribute which must be used as a reference when signing the policy (Section 3.14 (Signature)). The element is defined by the following schema:


<xs:element name="SecuritySuitabilityPolicy"
            type="dssc:SecuritySuitabilityPolicyType"/>
<xs:complexType name="SecuritySuitabilityPolicyType">
  <xs:sequence>
    <xs:element ref="dssc:PolicyName"/>
    <xs:element ref="dssc:Publisher"/>
    <xs:element name="PolicyIssueDate" type="xs:dateTime"/>
    <xs:element name="NextUpdate" type="xs:dateTime" minOccurs="0"/>
    <xs:element name="Usage" type="xs:string" minOccurs="0"/>
    <xs:element ref="dssc:Algorithm" maxOccurs="unbounded"/>
    <xs:element ref="ds:Signature" minOccurs="0"/>
  </xs:sequence>
  <xs:attribute name="version" type="xs:string" default="1"/>
  <xs:attribute name="id" type="xs:ID"/>
</xs:complexType>



 TOC 

3.2.  PolicyName

The PolicyName element consists of an arbitrary name of the policy and an optional Uniform Resource Identifier (URI).


<xs:element name="PolicyName" type="dssc:PolicyNameType"/>
<xs:complexType name="PolicyNameType">
  <xs:sequence>
    <xs:element ref="dssc:Name"/>
    <xs:element ref="dssc:URI" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>

<xs:element name="Name" type="xs:string"/>
<xs:element name="URI" type="xs:anyURI"/>



 TOC 

3.3.  Publisher

The Publisher element contains information about the publisher of the policy. It is composed of the name, e.g. name of institution, an optional address, and an optional URI.


<xs:element name="Publisher" type="dssc:PublisherType"/>
<xs:complexType name="PublisherType">
  <xs:sequence>
    <xs:element ref="dssc:Name"/>
    <xs:element ref="dssc:Address" minOccurs="0"/>
    <xs:element ref="dssc:URI" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>



 TOC 

3.4.  Address

The Address element consists of the street, the locality, the optional state or province, the postal code, and the country.


<xs:element name="Address" type="dssc:AddressType"/>
<xs:complexType name="AddressType">
  <xs:sequence>
    <xs:element name="Street" type="xs:string"/>
    <xs:element name="Locality" type="xs:string"/>
    <xs:element name="StateOrProvince" type="xs:string" minOccurs="0"/>
    <xs:element name="PostalCode" type="xs:string"/>
    <xs:element name="Country" type="xs:string"/>
  </xs:sequence>
</xs:complexType>



 TOC 

3.5.  PolicyIssueDate

The PolicyIssueDate element indicates the point of time when the policy was issued.



 TOC 

3.6.  NextUpdate

The optional NextUpdate element may be used to indicate when the next policy will be issued.



 TOC 

3.7.  Usage

The optional Usage element determines the intended use of the policy (e.g. certificate validation, signing and verifying documents).



 TOC 

3.8.  Algorithm

A security suitability policy must contain at least one Algorithm element. An algorithm is identified by an AlgorithmIdentifier element. Additionally the Algorithm element contains all evaluations of the specific cryptographic algorithm. More than one evaluation may be necessary if the evaluation depends on the parameter constraints. The Algorithm element is defined by the following schema:


<xs:element name="Algorithm" type="dssc:AlgorithmType"/>
<xs:complexType name="AlgorithmType">
  <xs:sequence>
    <xs:element ref="dssc:AlgorithmIdentifier"/>
    <xs:element ref="dssc:Evaluation" maxOccurs="unbounded"/>
    <xs:element ref="dssc:Information" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>



 TOC 

3.9.  AlgorithmIdentifier

The AlgorithmIdentifier element is used to identify a cryptographic algorithm. It consists of the algorithm name and optionally one or more object identifers and URIs. The element is defined as follows:


<xs:element name="AlgorithmIdentifier"
            type="dssc:AlgorithmIdentifierType"/>
<xs:complexType name="AlgorithmIdentifierType">
  <xs:sequence>
    <xs:element ref="dssc:Name"/>
    <xs:element name="ObjectIdentifier" type="xs:string"
                minOccurs="0" maxOccurs="unbounded"/>
    <xs:element ref="dssc:URI" minOccurs="0" maxOccurs="unbounded"/>
  </xs:sequence>
</xs:complexType>



 TOC 

3.10.  Evaluation

The evaluation element contains the evaluation of one cryptographic algorithm in dependence of its parameter contraints. E.g. the suitability of the RSA algorithm depends on the modulus length (RSA with a modulus length of 1024 may have another suitability period as RSA with a modulus length of 2048). Current hash algorithms like SHA-1 or RIPEMD-160 do not have any parameters. Therefore the Parameter element is optional. The suitability of the algorithm is expressed by a validity period which is defined by the Validity element.


<xs:element name="Evaluation" type="dssc:EvaluationType"/>
<xs:complexType name="EvaluationType">
  <xs:sequence>
    <xs:element ref="dssc:Parameter" minOccurs="0"
                                     maxOccurs="unbounded"/>
    <xs:element ref="dssc:Validity"/>
  </xs:sequence>
</xs:complexType>



 TOC 

3.11.  Parameter

The Parameter element is used to express constraints on algorithm specific parameters like the "moduluslength" parameter in case of RSA.

The Parameter element has a name attribute which holds the name of the parameter (e.g. "moduluslength" for RSA [RFC2437] (Kaliski, B. and J. Staddon, “PKCS #1: RSA Cryptography Specifications Version 2.0,” October 1998.)). Besides a better readability of the policy, the attribute may be used by implementations for output messages. In Section 4 (Definition of Parameters) the parameter names of currently known signature algorithms are defined. For the actual parameter, an exact value or a range of values may be defined. These constraints are expressed by the following elements:

Exact:
The Exact element specifies the exact value of the parameter.
Min:
The Min element defines the minimum value of the parameter. That means, also all other values greater than the given one meet the requirements.
Max:
The Max element defines the maximum value the parameter may take.
Range:
The Range element is used to define a range of values, consisting of a minimum and a maximum value. The parameter may have any value within the defined range.

For one algorithm it is recommended not to mix these elements in order to avoid inconsistencies.

These constraints are sufficient for all current algorithms. If future algorithms will need constraints which cannot be expressed by the elements above, an arbitrary XML structure may be inserted which meets the new constraints. For this reason, the Parameter element contains an "any" element. The schema for the Parameter element is as follows:


<xs:element name="Parameter" type="dssc:ParameterType"/>
<xs:complexType name="ParameterType">
  <xs:choice>
    <xs:element name="Exact" type="xs:string"/>
    <xs:element ref="dssc:Min"/>
    <xs:element ref="dssc:Max"/>
    <xs:element name="Range">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="dssc:Min"/>
          <xs:element ref="dssc:Max"/>
        </xs:sequence>
      </xs:complexType>
    </xs:element>
    <xs:any namespace="##other"/>
  </xs:choice>
  <xs:attribute name="name" type="xs:string" use="required"/>
</xs:complexType>
<xs:element name="Min" type="xs:string"/>
<xs:element name="Max" type="xs:string"/>



 TOC 

3.12.  Validity

The Validity element is used to define the period of the (predicted) suitability of the algorithm. It is composed of an optional start date and an optional end date. Defining no end date means the algorithm has an open-end validity. Of course this may be restricted by a future policy which sets an end date for the algorithm. If the end of the validity period is in the past, the algorithm is not suitable. The element is defined by the following schema:


<xs:element name="Validity" type="dssc:ValidityType"/>
<xs:complexType name="ValidityType">
  <xs:sequence>
    <xs:element name="Start" type="xs:date" minOccurs="0"/>
    <xs:element name="End" type="xs:date" minOccurs="0"/>
  </xs:sequence>
</xs:complexType>



 TOC 

3.13.  Information

The Information element may be used to give additional textual information about the algorithm or the evaluation, e.g. references on algorithm specifications. The element is defined as follows:


<xs:element name="Information" type="dssc:InformationType"/>
<xs:complexType name="InformationType">
  <xs:sequence>
    <xs:element name="Text" maxOccurs="unbounded">
      <xs:complexType>
        <xs:simpleContent>
          <xs:extension base="xs:string">
            <xs:attribute name="lang"/>
          </xs:extension>
        </xs:simpleContent>
      </xs:complexType>
    </xs:element>
  </xs:sequence>
</xs:complexType>



 TOC 

3.14.  Signature

The optional Signature element may be used to guarantee the integrity and authenticity of the policy. It is an XML signature specified in [RFC3275] (Eastlake, D., Reagle, J., and D. Solo, “(Extensible Markup Language) XML-Signature Syntax and Processing,” March 2002.). The signature must relate to the SecuritySuitabilityPolicy element. If the Signature element is set, the SecuritySuitabilityPolicy element must have the optional id attribute. This attribute must be used to reference the SecuritySuitabilityPolicy element within the Signature element. Since it is an enveloped signature, the signature must use the transformation algorithm identified by the following URI:

http://www.w3.org/2000/09/xmldsig#enveloped-signature



 TOC 

4.  Definition of Parameters

This section defines the parameter names for the currently known public key algorithms. The signature algorithms RSA [RFC2437] (Kaliski, B. and J. Staddon, “PKCS #1: RSA Cryptography Specifications Version 2.0,” October 1998.) and DSA [FIPS.186‑1.1998] (National Institute of Standards and Technology, “Digital Signature Standard,” December 1998.) are always used in conjunction with a one-way hash algorithm. RSA with RIPEMD-160 is such a combined algorithm with its own object identifier. RSA and DSA may be combined with the suitable hash algorithms SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, and RIPEMD-160. The following parameters refer to the appropriate combined algorithms as well.

The parameter of RSA should be named "moduluslength".

The parameters for DSA should be "plength" and "qlength".

Publishers of policies must use the same parameter names, so that the correct interpretation is guaranteed.



 TOC 

5.  Proceeding

This section describes how to analyze a policy, i.e. how to extract the information out of the policy needed by the different use cases. To get these information, the latest policy containing all algorithms is relevant.

  1. Is an algorithm currently valid?
    Procedure: The wanted algorithm has to be listed in the current policy. The algorithm is valid, if its validity end date is in the future or not defined.
    Input: algorithm
    Response: true or false
  2. Did an algorithm have been valid at a particular date in the past?
    Procedure: The algorithm is valid, if it is listed in the current policy and the end of the validity period is after the particular date or is not defined.
    Input: algorithm and date
    Response: true or false
  3. Until which date in the future an algorithm is predicted to be valid?
    Procedure: The wanted algorithm has to be listed in the current policy. If the end date of the algorithm is in the future, this is the predicted date. If the validity end date is not defined, the algorithm is valid open-end.
    Input: algorithm
    Response: date or null (open-end) or error, if the algorithm does not exist or the validity end date is in the past
  4. At which date an algorithm became invalid?
    Procedure: The wanted algorithm has to be listed in the current policy. The particular date is the validity end date of the listed algorithm, which has to be in the past.
    Input: algorithm
    Response: date or error, if date has never been valid or is valid now
  5. Which algorithms are currently valid?
    Procedure: All algorithms included in the current policy are valid whose validity end date is in the future or is not defined.
    Response: list of algorithms
  6. Which algorithms have been valid at a particular date in the past?
    Procedure: All algorithms included in the current policy are valid whose validity end date is after the particular date or is not defined. Additionally any algorithm newly added in one following policy has been valid.
    Input: date
    Response: list of algorithms

To determine the validity of a particular algorithm, first the algorithm definition has to be found in the policy. Therefore, the algorithm identifier has to match and the parameter constraints have to be fulfilled. To fulfill means, the exact value is given or a parameter fulfills the constraint definition if its value matches the exactly defined value or is in the defined range.



 TOC 

6.  Security Considerations

The used policy for security suitabilities has great impact on the quality of signatures and verification results. If evaluations of algorithms are wrong, signatures with a low probative force could be created and verification results could be incorrect. The following security considerations have been identified:

  1. An institution publishing a policy must take care via organizational measures that unauthorized manipulation of security suitabilities is impossible before a policy is signed and published.
  2. A client should only accept signed policies issued by a trusted institution. It must not be possible to unnoticeably manipulate or replace security suitabilities once accepted by the client.
  3. A threat arises when a client downloads a policy too late although the policy has already been published. In this case, the client would work with obsolete security suitabilities. To minimize this risk, the client should periodically check if a new policy is published. This check could be done automatically by signature and verification components.
  4. When signing a policy, only algorithms should be used which are suitable according this policy.



 TOC 

7.  References



 TOC 

7.1. Normative References

[ETSI-TS101903] European Telecommunication Standards Institute (ETSI), “XML Advanced Electronic Signatures (XAdES),” ETSI TS 101 903, Feb 2002.
[I-D.ietf-ltans-ltap] Jerman-Blazic, A., Sylvester, P., and C. Wallace, “Long-term Archive Protocol (LTAP),” draft-ietf-ltans-ltap-06 (work in progress), February 2008 (TXT).
[RFC2119] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).
[RFC3275] Eastlake, D., Reagle, J., and D. Solo, “(Extensible Markup Language) XML-Signature Syntax and Processing,” RFC 3275, March 2002 (TXT).
[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” RFC 3280, April 2002 (TXT).
[RFC3852] Housley, R., “Cryptographic Message Syntax (CMS),” RFC 3852, July 2004 (TXT).
[RFC4810] Wallace, C., Pordesch, U., and R. Brandner, “Long-Term Archive Service Requirements,” RFC 4810, March 2007 (TXT).
[RFC4998] Gondrom, T., Brandner, R., and U. Pordesch, “Evidence Record Syntax (ERS),” RFC 4998, August 2007 (TXT).


 TOC 

7.2. Informative References

[BNetzAg.2008] Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway, “Bekanntmachung zur elektronischen Signatur nach dem Signaturgesetz und der Signaturverordnung (Übersicht über geeignete Algorithmen),” December 2007.
[ETSI-TS102176-1-2005] European Telecommunication Standards Institute (ETSI), “Electronic Signatures and Infrastructures (ESI); "Algorithms and Parameters for Secure Electronic Signatures; Part 1: Hash functions and asymmetric algorithms",” ETSI TS 102 176-1 V1.2.1, July 2005.
[FIPS.186-1.1998] National Institute of Standards and Technology, “Digital Signature Standard,” FIPS PUB 186-1, December 1998.
[NIST.800-57-Part1.2006] National Institute of Standards and Technology, “Recommendation for Key Management – Part 1: General (Revised),” NIST 800-57 Part1, May 2006.
[RFC2437] Kaliski, B. and J. Staddon, “PKCS #1: RSA Cryptography Specifications Version 2.0,” RFC 2437, October 1998 (TXT, HTML, XML).


 TOC 

Appendix A.  Example of a Policy

In the following an example of a policy is presented. It is generated on the basis of the last evaluation of the German Federal Network Agency ([BNetzAg.2008] (Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway, “Bekanntmachung zur elektronischen Signatur nach dem Signaturgesetz und der Signaturverordnung (Übersicht über geeignete Algorithmen),” December 2007.)). The policy consists on hash algorithms as well as public key algorithms. RSA with modulus length of 768 is an example for an expired algorithm.


<SecuritySuitabilityPolicy xmlns="http://www.sit.fraunhofer.de/dssc"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <PolicyName>
    <name>Evaluation of suitable signature algorithms 2008</Name>
  </PolicyName>
  <Publisher>
    <Name>Federal Network Agency</Name>
  </Publisher>
  <PolicyIssueDate>2007-12-17T00:00:00</PolicyIssueDate>
  <Usage>Qualified electronic signatures</Usage>
  <Algorithm>
    <AlgorithmIdentifier>
      <Name>SHA-1</Name>
      <ObjectIdentifier>1.3.14.3.2.26</ObjectIdentifier>
    </AlgorithmIdentifier>
    <Evaluation>
      <Validity>
        <End>2008-06-31</End>
      </Validity>
    </Evaluation>
  </Algorithm>
  <Algorithm>
    <AlgorithmIdentifier>
      <Name>RIPEMD-160</Name>
      <ObjectIdentifier>1.3.36.3.2.1</ObjectIdentifier>
    </AlgorithmIdentifier>
    <Evaluation>
      <Validity>
        <End>2010-12-31</End>
      </Validity>
    </Evaluation>
  </Algorithm>
  <Algorithm>
    <AlgorithmIdentifier>
      <Name>SHA-224</Name>
      <ObjectIdentifier>2.16.840.1.101.3.4.2.4</ObjectIdentifier>
    </AlgorithmIdentifier>
    <Evaluation>
      <Validity>
        <End>2014-12-31</End>
      </Validity>
    </Evaluation>
  </Algorithm>
  <Algorithm>
    <AlgorithmIdentifier>
      <Name>SHA-256</Name>
      <ObjectIdentifier>2.16.840.1.101.3.4.2.1</ObjectIdentifier>
    </AlgorithmIdentifier>
    <Evaluation>
      <Validity>
        <End>2014-12-31</End>
      </Validity>
    </Evaluation>
  </Algorithm>
  <Algorithm>
    <AlgorithmIdentifier>
      <Name>SHA-384</Name>
      <ObjectIdentifier>2.16.840.1.101.3.4.2.2</ObjectIdentifier>
    </AlgorithmIdentifier>
    <Evaluation>
      <Validity>
        <End>2014-12-31</End>
      </Validity>
    </Evaluation>
  </Algorithm>
  <Algorithm>
    <AlgorithmIdentifier>
      <Name>SHA-512</Name>
      <ObjectIdentifier>2.16.840.1.101.3.4.2.3</ObjectIdentifier>
    </AlgorithmIdentifier>
    <Evaluation>
      <Validity>
        <End>2014-12-31</End>
      </Validity>
    </Evaluation>
  </Algorithm>
  <Algorithm>
    <AlgorithmIdentifier>
      <Name>RSA</Name>
      <ObjectIdentifier>1.2.840.113549.1.1.1</ObjectIdentifier>
    </AlgorithmIdentifier>
    <Evaluation>
      <Parameter name="moduluslength">
        <Min>768</Min>
      </Parameter>
      <Validity>
        <End>2000-12-31</End>
      </Validity>
    </Evaluation>
    <Evaluation>
      <Parameter name="moduluslength">
        <Min>1024</Min>
      </Parameter>
      <Validity>
        <End>2008-03-31</End>
      </Validity>
    </Evaluation>
    <Evaluation>
      <Parameter name="moduluslength">
        <Min>1280</Min>
      </Parameter>
      <Validity>
        <End>2008-12-31</End>
      </Validity>
    </Evaluation>
    <Evaluation>
      <Parameter name="moduluslength">
        <Min>1536</Min>
      </Parameter>
      <Validity>
        <End>2009-12-31</End>
      </Validity>
    </Evaluation>
    <Evaluation>
      <Parameter name="moduluslength">
        <Min>1728</Min>
      </Parameter>
      <Validity>
        <End>2010-12-31</End>
      </Validity>
    </Evaluation>
    <Evaluation>
      <Parameter name="moduluslength">
        <Min>1976</Min>
      </Parameter>
      <Validity>
        <End>2014-12-31</End>
      </Validity>´
    </Evaluation>
    <Evaluation>
      <Parameter name="moduluslength">
        <Min>2048</Min>
      </Parameter>
      <Validity>
        <End>2014-12-31</End>
      </Validity>
    </Evaluation>
  </Algorithm>
  <Algorithm>
    <AlgorithmIdentifier>
      <Name>DSA</Name>
      <ObjectIdentifier>1.2.840.10040.4.1</ObjectIdentifier>
    </AlgorithmIdentifier>
    <Evaluation>
      <Parameter name="plength">
        <Min>1024</Min>
      </Parameter>
      <Parameter name="qlength">
        <Min>160</Min>
      </Parameter>
      <Validity>
        <End>2007-12-31</End>
      </Validity>
    </Evaluation>
    <Evaluation>
      <Parameter name="plength">
        <Min>1280</Min>
      </Parameter>
      <Parameter name="qlength">
        <Min>160</Min>
      </Parameter>
      <Validity>
        <End>2008-12-31</End>
      </Validity>
    </Evaluation>
    <Evaluation>
      <Parameter name="plength">
        <Min>1536</Min>
      </Parameter>
      <Parameter name="qlength">
        <Min>160</Min>
      </Parameter>
      <Validity>
        <End>2009-12-31</End>
      </Validity>
    </Evaluation>
    <Evaluation>
      <Parameter name="plength">
        <Min>2048</Min>
      </Parameter>
      <Parameter name="qlength">
        <Min>160</Min>
      </Parameter>
      <Validity>
        <End>2009-12-31</End>
      </Validity>
    </Evaluation>
    <Evaluation>
      <Parameter name="plength">
        <Min>2048</Min>
      </Parameter>
      <Parameter name="qlength">
        <Min>224</Min>
      </Parameter>
      <Validity>
        <End>2014-12-31</End>
      </Validity>
    </Evaluation>
  </Algorithm>
</SecuritySuitabilityPolicy>

Combined algorithms should also be part of the policy since some programs know the object identifiers of combined algorithms instead of the general public key algorithm. The following excerpt describes a combined algorithm. The validity end date is given by the end dates of RSA and RIPEMD-160, in particular it is the former one. Combined algorithms could replace the public key algorithms in the policy example. They could also be listed together with public key algorithms.


<Algorithm>
  <AlgorithmIdentifier>
    <Name>RIPEMD-160 with RSA 2048</Name>
    <ObjectIdentifier>1.3.36.3.3.1.2</ObjectIdentifier>
  </AlgorithmIdentifier>
  <Evaluation>
    <Parameter name="moduluslength">
      <Min>2048</Min>
    </Parameter>
    <Validity>
      <End>2010-12-31</End>
    </Validity>
  </Evaluation>
</Algorithm>



 TOC 

Appendix B.  DSSC and ERS



 TOC 

B.1.  Verification of Evidence Records using DSSC

This section describes the verification of an Evidence Record according to the Evidence Record Syntax (ERS, [RFC4998] (Gondrom, T., Brandner, R., and U. Pordesch, “Evidence Record Syntax (ERS),” August 2007.)) by using the presented data structure.

An Evidence Record contains a sequence of archiveTimeStampChains which consist of ArchiveTimeStamps. For each archiveTimeStamp the hash algorithm used for the hash tree (digestAlgorithm) and the public key algorithm and hash algorithm in the timestamp signature have to be examined. The relevant date is the time information in the timestamp (date of issue). Starting with the first ArchiveTimestamp it has to be assured that

  1. The timestamp uses public key and hash algorithms which have been suitable at the date of issue.
  2. The hashtree was build with an hash algorithm that has been suitable at the date of issue as well.
  3. Algorithms for timestamp and hashtree in the preceding ArchiveTimestamp must have been suitable at the issuing date of considered ArchiveTimestamp.
  4. Algorithms in the last ArchiveTimstamp have to be suitable now.

If the check of one of these items fails, this will lead to a failure of the verification.



 TOC 

B.2.  Storing DSSC Policies in Evidence Records

ERS provides the field cryptoInfos for the storage of additional verification data. For the integration of a security suitability policy in an Evidence Record the following content types are defined for both ASN.1 and XML representation:


DSSC_ASN1 {iso(1) identified-organization(3) dod(6)
	internet(1) security(5) mechanisms(5)
	ltans(11) id-ct(1) id-ct-dssc-asn1(2) }


DSSC_XML {iso(1) identified-organization(3) dod(6)
	internet(1) security(5) mechanisms(5)
	ltans(11) id-ct(1) id-ct-dssc-xml(3) }



 TOC 

Appendix C.  XML schema


<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:dssc="http://www.sit.fraunhofer.de/dssc"
           xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
           targetNamespace="http://www.sit.fraunhofer.de/dssc"
           elementFormDefault="qualified"
           attributeFormDefault="unqualified">
  <xs:import namespace="http://www.w3.org/XML/1998/namespace"
             schemaLocation="http://www.w3.org/2001/xml.xsd"/>
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
             schemaLocation="xmldsig-core-schema.xsd"/>
  <xs:element name="SecuritySuitabilityPolicy"
              type="dssc:SecuritySuitabilityPolicyType"/>
  <xs:complexType name="SecuritySuitabilityPolicyType">
    <xs:sequence>
      <xs:element ref="dssc:PolicyName"/>
      <xs:element ref="dssc:Publisher"/>
      <xs:element name="PolicyIssueDate" type="xs:dateTime"/>
      <xs:element name="NextUpdate" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="Usage" type="xs:string" minOccurs="0"/>
      <xs:element ref="dssc:Algorithm" maxOccurs="unbounded"/>
      <xs:element ref="ds:Signature" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="version" type="xs:string" default="1"/>
    <xs:attribute name="id" type="xs:ID"/>
  </xs:complexType>
  <xs:element name="PolicyName" type="dssc:PolicyNameType"/>
  <xs:complexType name="PolicyNameType">
    <xs:sequence>
      <xs:element ref="dssc:Name"/>
      <xs:element ref="dssc:URI" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="Publisher" type="dssc:PublisherType"/>
  <xs:complexType name="PublisherType">
    <xs:sequence>
      <xs:element ref="dssc:Name"/>
      <xs:element ref="dssc:Address" minOccurs="0"/>
      <xs:element ref="dssc:URI" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="Name" type="xs:string"/>
  <xs:element name="URI" type="xs:anyURI"/>
  <xs:element name="Address" type="dssc:AddressType"/>
  <xs:complexType name="AddressType">
    <xs:sequence>
      <xs:element name="Street" type="xs:string"/>
      <xs:element name="Locality" type="xs:string"/>
      <xs:element name="StateOrProvince" type="xs:string"
                  minOccurs="0"/>
      <xs:element name="PostalCode" type="xs:string"/>
      <xs:element name="Country" type="xs:string"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="Algorithm" type="dssc:AlgorithmType"/>
  <xs:complexType name="AlgorithmType">
    <xs:sequence>
      <xs:element ref="dssc:AlgorithmIdentifier"/>
      <xs:element ref="dssc:Evaluation" maxOccurs="unbounded"/>
      <xs:element ref="dssc:Information" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="AlgorithmIdentifier"
              type="dssc:AlgorithmIdentifierType"/>
  <xs:complexType name="AlgorithmIdentifierType">
    <xs:sequence>
      <xs:element ref="dssc:Name"/>
      <xs:element name="ObjectIdentifier" type="xs:string"
                  minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="dssc:URI" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="Validity" type="dssc:ValidityType"/>
  <xs:complexType name="ValidityType">
    <xs:sequence>
      <xs:element name="Start" type="xs:date" minOccurs="0"/>
      <xs:element name="End" type="xs:date" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="Information" type="dssc:InformationType"/>
  <xs:complexType name="InformationType">
    <xs:sequence>
      <xs:element name="Text" maxOccurs="unbounded">
        <xs:complexType>
          <xs:simpleContent>
            <xs:extension base="xs:string">
              <xs:attribute name="lang"/>
            </xs:extension>
          </xs:simpleContent>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="Evaluation" type="dssc:EvaluationType"/>
  <xs:complexType name="EvaluationType">
    <xs:sequence>
      <xs:element ref="dssc:Parameter" minOccurs="0"
                                       maxOccurs="unbounded"/>
      <xs:element ref="dssc:Validity"/>
    </xs:sequence>
  </xs:complexType>
  <xs:element name="Parameter" type="dssc:ParameterType"/>
  <xs:complexType name="ParameterType">
    <xs:choice>
      <xs:element name="Exact" type="xs:string"/>
      <xs:element ref="dssc:Min"/>
      <xs:element ref="dssc:Max"/>
      <xs:element name="Range">
        <xs:complexType>
          <xs:sequence>
            <xs:element ref="dssc:Min"/>
            <xs:element ref="dssc:Max"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
      <xs:any namespace="##other"/>
    </xs:choice>
    <xs:attribute name="name" type="xs:string" use="required"/>
  </xs:complexType>
  <xs:element name="Min" type="xs:string"/>
  <xs:element name="Max" type="xs:string"/>
</xs:schema>



 TOC 

Appendix D.  ASN.1 Module in 1988 Syntax

ASN.1-Module


DSSC {iso(1) identified-organization(3) dod(6)
         internet(1) security(5) mechanisms(5)
         ltans(11) id-mod(0) id-mod-dssc88(6) id-mod-dssc88-v1(1) }

DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- EXPORT ALL --

IMPORTS

-- Imports from RFC 3280 [RFC3280], Appendix A.1

UTF8String, AlgorithmIdentifier, Certificate
     FROM PKIX1Explicit88
            { iso(1) identified-organization(3) dod(6)
            internet(1) security(5) mechanisms(5) pkix(7)
            mod(0) pkix1-explicit(18) }
;


SecuritySuitabilityPolicy ::= SEQUENCE {
     tbsPolicy  TBSPolicy,
     signature  Signature OPTIONAL
}

TBSPolicy ::= SEQUENCE {
     version          INTEGER { v1(1) }      OPTIONAL,
     policyName       PolicyName,
     publisher        Publisher,
     policyIssueDate  GeneralizedTime,
     nextUpdate       GeneralizedTime        OPTIONAL,
     usage            UTF8String             OPTIONAL,
     algorithms       SEQUENCE OF Algorithm
}

PolicyName ::= SEQUENCE {
     name  UTF8String,
     oid   OBJECT IDENTIFIER OPTIONAL
}

Publisher ::= SEQUENCE {
     name        UTF8String,
     address [0] Address     OPTIONAL,
     uri     [1] IA5String   OPTIONAL
}

Address ::= SEQUENCE {
     street           [0] UTF8String,
     locality         [1] UTF8String,
     stateOrProvince  [2] UTF8String OPTIONAL,
     postalCode       [3] UTF8String,
     country          [4] UTF8String
}

Algorithm ::= SEQUENCE {
     algorithmIdentifier     AlgID,
     evaluations             SEQUENCE OF Evaluation,
     information         [0] SEQUENCE OF UTF8String OPTIONAL
}

AlgID ::= SEQUENCE {
     name      UTF8String,
     oid   [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
     uri   [1] SEQUENCE OF IA5String OPTIONAL
}

Evaluation ::= SEQUENCE {
     parameters           [0] SEQUENCE OF Parameter  OPTIONAL,
     validity             [1] Validity
}

Parameter ::= SEQUENCE {
     name        UTF8String,
     constraint  CHOICE {
                   exact  [0] OCTET STRING,
                   min    [1] OCTET STRING,
                   max    [2] OCTET STRING,
                   range  [3] Range,
                   other  [4] OtherConstraints
     }
}

OtherConstraints ::= SEQUENCE {
     otherConstraintType  OBJECT IDENTIFIER,
     otherConstraint      ANY DEFINED BY otherConstraintType
}

Range ::= SEQUENCE {
     min  [0] OCTET STRING,
     max  [1] OCTET STRING
}

Validity ::= SEQUENCE {
     start  [0] GeneralizedTime OPTIONAL,
     end    [1] GeneralizedTime OPTIONAL
}

Signature ::= SEQUENCE {
     signatureAlgorithm  AlgorithmIdentifier,
     signature           OCTET STRING,
     certificates        SEQUENCE OF Certificate OPTIONAL
}

END



 TOC 

Appendix E.  ASN.1 Module in 1997 Syntax

ASN.1-Module


DSSC {iso(1) identified-organization(3) dod(6)
         internet(1) security(5) mechanisms(5)
         ltans(11) id-mod(0) id-mod-dssc(7) id-mod-dssc-v1(1) }

DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- EXPORT ALL --

IMPORTS

-- Imports from AuthenticationFramework

AlgorithmIdentifier, Certificate
     FROM AuthenticationFramework
           {joint-iso-itu-t ds(5) module(1)
           authenticationFramework(7) 4}
;


SecuritySuitabilityPolicy ::= SEQUENCE {
     tbsPolicy  TBSPolicy,
     signature  Signature OPTIONAL
}

TBSPolicy ::= SEQUENCE {
     version          INTEGER { v1(1) }      OPTIONAL,
     policyName       PolicyName,
     publisher        Publisher,
     policyIssueDate  GeneralizedTime,
     nextUpdate       GeneralizedTime        OPTIONAL,
     usage            UTF8String             OPTIONAL,
     algorithms       SEQUENCE OF Algorithm
}

PolicyName ::= SEQUENCE {
     name  UTF8String,
     oid   OBJECT IDENTIFIER OPTIONAL
}

Publisher ::= SEQUENCE {
     name         UTF8String,
     address  [0] Address     OPTIONAL,
     uri      [1] IA5String   OPTIONAL
}

Address ::= SEQUENCE {
     street           [0] UTF8String,
     locality         [1] UTF8String,
     stateOrProvince  [2] UTF8String OPTIONAL,
     postalCode       [3] UTF8String,
     country          [4] UTF8String
}

Algorithm ::= SEQUENCE {
     algorithmIdentifier     AlgID,
     evaluations             SEQUENCE OF Evaluation,
     information         [0] SEQUENCE OF UTF8String OPTIONAL
}

AlgID ::= SEQUENCE {
     name      UTF8String,
     oid   [0] SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
     uri   [1] SEQUENCE OF IA5String         OPTIONAL
}

Evaluation ::= SEQUENCE {
     parameters           [0] SEQUENCE OF Parameter  OPTIONAL,
     validity             [1] Validity
}

Parameter ::= SEQUENCE {
     name        UTF8String,
     constraint  CHOICE {
                    exact  [0] OCTET STRING,
                    min    [1] OCTET STRING,
                    max    [2] OCTET STRING,
                    range  [3] Range,
                    other  [4] OtherConstraints
     }
}

OtherConstraints ::= SEQUENCE {
     otherConstraintType  CONSTRAINT-TYPE.&id ({SupportedConstraints}),
     otherConstraint      CONSTRAINT-TYPE.&Type
                         ({SupportedConstraints}{@otherConstraintType})
}

CONSTRAINT-TYPE ::= TYPE-IDENTIFIER

SupportedConstraints CONSTRAINT-TYPE ::= {...}

Range ::= SEQUENCE {
     min  [0] OCTET STRING,
     max  [1] OCTET STRING
}

Validity ::= SEQUENCE {
     start  [0] GeneralizedTime OPTIONAL,
     end    [1] GeneralizedTime OPTIONAL
}

Signature ::= SEQUENCE {
     signatureAlgorithm  AlgorithmIdentifier,
     signature           OCTET STRING,
     certificates        SEQUENCE OF Certificate OPTIONAL
}

END



 TOC 

Authors' Addresses

  Thomas Kunz
  Fraunhofer Institute for Secure Information Technology
  Rheinstrasse 75
  Darmstadt D-64295
  Germany
Email:  thomas.kunz@sit.fraunhofer.de
  
  Susanne Okunick
  pawisda systems GmbH
  Robert-Koch-Strasse 9
  Weiterstadt D-64331
  Germany
Email:  susanne.okunick@pawisda.de
  
  Ulrich Pordesch
  Fraunhofer Gesellschaft
  Rheinstrasse 75
  Darmstadt D-64295
  Germany
Email:  ulrich.pordesch@zv.fraunhofer.de


 TOC 

Full Copyright Statement

Intellectual Property