Network Working Group V. Popov Request for Comments: 4357 I. Kurepkin Category: Informational S. Leontiev CRYPTO-PRO January 2006
Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms
Status of This Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document describes the cryptographic algorithms and parameters supplementary to the original GOST specifications, GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94, for use in Internet applications.
Russian cryptographic standards that define the algorithms GOST 28147-89 [GOST28147], GOST R 34.10-94 [GOSTR341094], GOST R 34.10-2001 [GOSTR341001], and GOST R34.11-94 [GOSTR341194] provide basic information about how the algorithms work, but supplemental specifications are needed to effectively use the algorithms (a brief English technical description of these algorithms can be found in [Schneier95]).
This document is a proposal put forward by the CRYPTO-PRO Company to provide supplemental information and specifications needed by the "Russian Cryptographic Software Compatibility Agreement" community.
In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD, SHOULD NOT, RECOMMENDED, and MAY are to be interpreted as described in [RFC2119].
Popov, et al. Informational [Page 2]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
The following functions and operators are also used in this document:
'|' stands for concatenation.
'~' stands for bitwise NOT operator.
'^' stands for the power operator.
encryptECB (K, D) is D, encrypted with key K using GOST 28147-89 in "prostaya zamena" (ECB) mode.
decryptECB (K, D) is D, decrypted with key K using GOST 28147-89 in ECB mode.
encryptCFB (IV, K, D) is D, encrypted with key K using GOST 28147-89 in "gammirovanie s obratnoj svyaziyu" (64-bit CFB) mode, and IV is used as the initialization vector.
encryptCNT (IV, K, D) is D, encrypted with key K using GOST 28147-89 in "gammirovanie" (counter) mode, and IV is used as the initialization vector.
gostR3411 (D) is the 256-bit result of the GOST R 34.11-94 hash function, used with zero initialization vector, and S-Box parameter, defined by id-GostR3411-94-CryptoProParamSet (see Section 11.2).
gost28147IMIT (IV, K, D) is the 32-bit result of the GOST 28147-89 in "imitovstavka" (MAC) mode, used with D as plaintext, K as key and IV as initialization vector. Note that the standard specifies its use in this mode only with an initialization vector of zero.
When keys and initialization vectors are converted to/from byte arrays, little-endian byte order is assumed.
This document defines four cipher properties that allow an implementer to vary cipher operations. The four parameters are the cipher mode, the key meshing algorithm, the padding mode, and the S-box.
[GOST28147] defines only three cipher modes for GOST 28147-89: ECB, CFB, and counter mode. This document defines an additional cipher mode, CBC.
Popov, et al. Informational [Page 3]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
When GOST 28147-89 is used to process large amounts of data, a symmetric key should be protected by a key meshing algorithm. Key meshing transforms a symmetric key after some amount of data has been processed. This document defines the CryptoPro key meshing algorithm.
The cipher mode, key meshing algorithm, padding mode, and S-box are specified by algorithm parameters.
This section provides the supplemental information for GOST 28147-89 (a block-to-block primitive) needed to operate in CBC mode.
Before each plaintext block is encrypted, it is combined with the cipher text of the previous block via a bitwise XOR operation. This ensures that even if the plaintext contains many identical blocks, each block will encrypt to a different cipher text block. The initialization vector is combined with the first plaintext block by a bitwise XOR operation before the block is encrypted.
This section provides the supplemental information for GOST 28147-89, needed to operate on plaintext where the length is not divisible by GOST 28147-89 block size (8 bytes).
Let x (0 < x <= 8) be the number of bytes in the last, possibly incomplete, block of data.
There are three padding modes: * Zero padding: 8-x remaining bytes are filled with zero * PKCS#5 padding: 8-x remaining bytes are filled with the value of 8-x. If there's no incomplete block, one extra block filled with value 8 is added. * Random padding: 8-x remaining bytes of the last block are set to random.
Key meshing algorithms transform the key after processing a certain amount of data. In applications that must be strictly robust to attacks based on timing and EMI analysis, one symmetric key should not be used for quantities of plaintext larger than 1024 octets.
Popov, et al. Informational [Page 4]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
A key meshing algorithm affects internal cipher state; it is not a protocol level feature. Its role is similar to that of a cipher mode. The choice of key meshing algorithm is usually dictated by the encryption algorithm parameters, but some protocols explicitly specify applicable key meshing algorithms.
All encryption parameter sets defined in this document specify the use of the CryptoPro key meshing algorithm, except for id-Gost28147- 89-TestParamSet, which specifies use of null key meshing algorithm.
The CryptoPro key meshing algorithm transforms the key and initialization vector every 1024 octets (8192 bits, or 256 64-bit blocks) of plaintext data.
This algorithm has the same drawback as OFB cipher mode: it is impossible to re-establish crypto synch while decrypting a ciphertext if parts of encrypted data are corrupted, lost, or processed out of order. Furthermore, it is impossible to re-synch even if an IV for each data packet is provided explicitly. Use of this algorithm in protocols such as IPsec ESP requires special care.
There are no meaningful parameters to this algorithm. If present, AlgorithmIdentifier.parameters MUST contain NULL.
GOST 28147-89, in encrypt, decrypt, or MAC mode, starts with key K[0] = K, IV0[0] = IV, i = 0. Let IVn[0] be the value of the initialization vector after processing the first 1024 octets of data.
Popov, et al. Informational [Page 5]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
Processing of the next 1024 octets will start with K[1] and IV0[1], which are calculated using the following formula:
After processing each 1024 octets of data: * the resulting initialization vector is stored as IVn[i]; * K[i+1] and IV0[i+1] are calculated; * i is incremented; * Encryption or decryption of next 1024 bytes starts, using the new key and IV; The process is repeated until all the data has been processed.
HMAC_GOSTR3411 (K,text) function is based on the hash function GOST R 34.11-94, as defined in [HMAC], with the following parameter values: B = 32, L = 32.
PRF_GOSTR3411 is a pseudorandom function, based on HMAC_GOSTR3411. It is calculated as P_hash, defined in Section 5 of [TLS]. PRF_GOSTR3411(secret,label,seed) = P_GOSTR3411 (secret,label|seed).
This algorithm creates a key encryption key (KEK) using the sender's private key and the recipient's public key (or vice versa).
Popov, et al. Informational [Page 6]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
Exchange key KEK is a 256-bit hash of the 1024-bit shared secret that is generated using Diffie-Hellman key agreement.
1) Let K(x,y) = a^(x*y) (mod p), where x - sender's private key, a^x - sender's public key y - recipient's private key, a^y - recipient's public key a, p - parameters 2) Calculate a 256-bit hash of K(x,y): KEK(x,y) = gostR3411 (K(x,y))
Keypairs (x,a^x) and (y,a^y) MUST comply with [GOSTR341094].
This algorithm MUST NOT be used when a^x = a (mod p) or a^y = a (mod p).
This algorithm creates a key encryption key (KEK) using 64 bit UKM, the sender's private key, and the recipient's public key (or the reverse of the latter pair).
1) Let K(x,y,UKM) = ((UKM*x)(mod q)) . (y.P) (512 bit), where x - sender's private key (256 bit) x.P - sender's public key (512 bit) y - recipient's private key (256 bit) y.P - recipient's public key (512 bit) UKM - non-zero integer, produced as in step 2 p. 6.1 [GOSTR341001] P - base point on the elliptic curve (two 256-bit coordinates) UKM*x - x multiplied by UKM as integers x.P - a multiple point 2) Calculate a 256-bit hash of K(x,y,UKM): KEK(x,y,UKM) = gostR3411 (K(x,y,UKM))
Keypairs (x,x.P) and (y,y.P) MUST comply with [GOSTR341001].
This algorithm MUST NOT be used when x.P = P, y.P = P
This document defines two key wrap algorithms: GOST 28147-89 Key Wrap and CryptoPro Key Wrap. These are used to encrypt a Content Encryption Key (CEK) with a Key Encryption Key (KEK).
This algorithm encrypts GOST 28147-89 CEK with a GOST 28147-89 KEK.
Popov, et al. Informational [Page 7]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
Note: This algorithm MUST NOT be used with a KEK produced by VKO GOST R 34.10-94, because such a KEK is constant for every sender-recipient pair. Encrypting many different content encryption keys on the same constant KEK may reveal that KEK.
The GOST 28147-89 key wrap algorithm is:
1) For a unique symmetric KEK, generate 8 octets at random and call the result UKM. For a KEK, produced by VKO GOST R 34.10-2001, use the UKM that was used for key derivation. 2) Compute a 4-byte checksum value, gost28147IMIT (UKM, KEK, CEK). Call the result CEK_MAC. 3) Encrypt the CEK in ECB mode using the KEK. Call the ciphertext CEK_ENC. 4) The wrapped content-encryption key is (UKM | CEK_ENC | CEK_MAC).
This algorithm decrypts GOST 28147-89 CEK with a GOST 28147-89 KEK. The GOST 28147-89 key unwrap algorithm is:
1) If the wrapped content-encryption key is not 44 octets, then error. 2) Decompose the wrapped content-encryption key into UKM, CEK_ENC, and CEK_MAC. UKM is the most significant (first) 8 octets. CEK_ENC is next 32 octets, and CEK_MAC is the least significant (last) 4 octets. 3) Decrypt CEK_ENC in ECB mode using the KEK. Call the output CEK. 4) Compute a 4-byte checksum value, gost28147IMIT (UKM, KEK, CEK), compare the result with CEK_MAC. If they are not equal, then error.
This algorithm encrypts GOST 28147-89 CEK with a GOST 28147-89 KEK. It can be used with any KEK (e.g., produced by VKO GOST R 34.10-94 or VKO GOST R 34.10-2001) because a unique UKM is used to diversify the KEK.
The CryptoPro key wrap algorithm is:
1) For a unique symmetric KEK or a KEK produced by VKO GOST R 34.10-94, generate 8 octets at random. Call the result UKM. For a KEK, produced by VKO GOST R 34.10-2001, use the UKM that was used for key derivation. 2) Diversify KEK, using the CryptoPro KEK Diversification Algorithm, described in Section 6.5. Call the result KEK(UKM).
Popov, et al. Informational [Page 8]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
3) Compute a 4-byte checksum value, gost28147IMIT (UKM, KEK(UKM), CEK). Call the result CEK_MAC. 4) Encrypt CEK in ECB mode using KEK(UKM). Call the ciphertext CEK_ENC. 5) The wrapped content-encryption key is (UKM | CEK_ENC | CEK_MAC).
This algorithm encrypts GOST 28147-89 CEK with a GOST 28147-89 KEK. The CryptoPro key unwrap algorithm is:
1) If the wrapped content-encryption key is not 44 octets, then it is an error. 2) Decompose the wrapped content-encryption key into UKM, CEK_ENC, and CEK_MAC. UKM is the most significant (first) 8 octets. CEK_ENC is next 32 octets, and CEK_MAC is the least significant (last) 4 octets. 3) Diversify KEK using the CryptoPro KEK Diversification Algorithm, described in section 6.5. Call the result KEK(UKM). 4) Decrypt CEK_ENC in ECB mode using KEK(UKM). Call the output CEK. 5) Compute a 4-byte checksum value, gost28147IMIT (UKM, KEK(UKM), CEK), compare the result with CEK_MAC. If they are not equal, then it is an error.
Given a random 64-bit UKM and a GOST 28147-89 key K, this algorithm creates a new GOST 28147-89 key K(UKM).
1) Let K[0] = K; 2) UKM is split into components a[i,j]: UKM = a[0]|..|a[7] (a[i] - byte, a[i,0]..a[i,7] - it's bits) 3) Let i be 0. 4) K[1]..K[8] are calculated by repeating the following algorithm eight times: A) K[i] is split into components k[i,j]: K[i] = k[i,0]|k[i,1]|..|k[i,7] (k[i,j] - 32-bit integer) B) Vector S[i] is calculated: S[i] = ((a[i,0]*k[i,0] + ... + a[i,7]*k[i,7]) mod 2^32) | (((~a[i,0])*k[i,0] + ... + (~a[i,7])*k[i,7]) mod 2^32); C) K[i+1] = encryptCFB (S[i], K[i], K[i]) D) i = i + 1 5) Let K(UKM) be K[8].
Popov, et al. Informational [Page 9]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
This algorithm creates a GOST 28147-89 key Kd, given GOST R 34.10-94 or GOST R 34.10-2001 secret key K and diversification data D of size 4..40 bytes.
1) 40-byte blob B is created from D by cloning it enough times to fill all 40 bytes. For example, if D is 40-bytes long, B = D; If D is 6-bytes long, B = D|D|D|D|D|D|D[0..3]. 2) B is split into 8-byte UKM and 32-byte SRCKEY (B = UKM|SRCKEY). 3) The algorithm from Section 6.5 is used to create K(UKM) from key K and UKM, with two differences: * Instead of S[i], vector (0,0,0,UKM[i],ff,ff,ff,ff XOR UKM[i]) is used. * During each encryption step, only 8 out of 32 GOST 28147-89 rounds are done. 4) Kd is calculated: Kd = encryptCFB (UKM, K(UKM), SRCKEY).
Standards [GOST28147], [GOST341194], [GOSTR341094], and [GOSTR341001] do not define specific values for algorithm parameters.
This document introduces the use of ASN.1 object identifiers (OIDs) to specify algorithm parameters.
Identifiers for all of the proposed parameter sets can be found in Appendix ASN.1 modules. Corresponding parameter values for proposed parameter sets can be found in Section 11.
GOST 28147-89 can be used in several modes; additional CBC mode is defined in Section 2.1. It also has an S-Box parameter. (See the Algorithm Parameters part in [GOST28147] in Russian; for a description in English, see [Schneier95], ch. 14.1, p. 331.)
This table contains the list of proposed parameter sets for GOST 28147-89:
Gost28147-89-ParamSetAlgorithms ALGORITHM-IDENTIFIER ::= { { Gost28147-89-ParamSetParameters IDENTIFIED BY id-Gost28147-89-TestParamSet } | { Gost28147-89-ParamSetParameters IDENTIFIED BY id-Gost28147-89-CryptoPro-A-ParamSet } | { Gost28147-89-ParamSetParameters IDENTIFIED BY id-Gost28147-89-CryptoPro-B-ParamSet } |
Popov, et al. Informational [Page 10]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
{ Gost28147-89-ParamSetParameters IDENTIFIED BY id-Gost28147-89-CryptoPro-C-ParamSet } | { Gost28147-89-ParamSetParameters IDENTIFIED BY id-Gost28147-89-CryptoPro-D-ParamSet } }
Identifier values are in the Appendix ASN.1 modules, and corresponding parameters are in Section 11.1.
Parameters for GOST 28147-89 are presented in the following form:
8.3. GOST R 34.10-94 Public Key Algorithm Parameters
This table contains the list of proposed parameter sets for GOST R 34.10-94:
GostR3410-94-ParamSetAlgorithm ALGORITHM-IDENTIFIER ::= { { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-TestParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-A-ParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-B-ParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-C-ParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-D-ParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-XchA-ParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-XchB-ParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-XchC-ParamSet } }
Identifier values are in the Appendix ASN.1 modules, and corresponding parameters are in Section 11.3.
Parameters for GOST R 34.10-94 are presented in the following form:
GostR3410-94-ParamSetParameters ::= SEQUENCE { t INTEGER, p INTEGER, q INTEGER, a INTEGER, validationAlgorithm AlgorithmIdentifier {{
Popov, et al. Informational [Page 12]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
GostR3410-94-ValidationAlgorithms }} OPTIONAL }
GostR3410-94-ValidationParameters ::= SEQUENCE { x0 INTEGER, c INTEGER, d INTEGER OPTIONAL }
Where t - bit length of p (512 or 1024 bits); p - modulus, prime number, 2^(t-1)<p<2^t; q - order of cyclic group, prime number, 2^254<q<2^256, q is a factor of p-1; a - generator, integer, 1<a<p-1, at that aq (mod p) = 1; validationAlgorithm - constant p, q and a calculating algorithm.
x0 - seed; c - used for p and q generation; d - used for a generation.
8.4. GOST R 34.10-2001 Public Key Algorithm Parameters
This table contains the list of proposed parameter sets for GOST R 34.10-2001:
GostR3410-2001-ParamSetAlgorithm ALGORITHM-IDENTIFIER ::= { { GostR3410-2001-ParamSetParameters IDENTIFIED BY id-GostR3410-2001-TestParamSet } | { GostR3410-2001-ParamSetParameters IDENTIFIED BY id-GostR3410-2001-CryptoPro-A-ParamSet } | { GostR3410-2001-ParamSetParameters IDENTIFIED BY id-GostR3410-2001-CryptoPro-B-ParamSet } | { GostR3410-2001-ParamSetParameters IDENTIFIED BY id-GostR3410-2001-CryptoPro-C-ParamSet } | { GostR3410-2001-ParamSetParameters IDENTIFIED BY id-GostR3410-2001-CryptoPro-XchA-ParamSet } | { GostR3410-2001-ParamSetParameters IDENTIFIED BY id-GostR3410-2001-CryptoPro-XchB-ParamSet } }
Identifier values are in the Appendix ASN.1 modules, and corresponding parameters are in Section 11.4.
Parameters for GOST R 34.10-2001 are presented in the following form:
Popov, et al. Informational [Page 13]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
GostR3410-2001-ParamSetParameters ::= SEQUENCE { a INTEGER, b INTEGER, p INTEGER, q INTEGER, x INTEGER, y INTEGER }
a, b - coefficients a and b of the elliptic curve E; p - prime number - elliptic curve modulus; q - prime number - order of cyclic group; x, y - base point p coordinates.
It is RECOMMENDED that software applications verify signature values and subject public keys and algorithm parameters to conform to [GOSTR341001] and [GOSTR341094] standards prior to their use.
Cryptographic algorithm parameters affect rigidity of algorithms. The algorithm parameters proposed and described herein, except for the test parameter sets (id-Gost28147-89-TestParamSet, id-GostR3411- 94-TestParamSet, id-GostR3410-94-TestParamSet, id-GostR3410-2001- TestParamSet), have been analyzed by a special certification laboratory of Scientific and Technical Center, "ATLAS", and by the Center of Certificational Investigations in appropriate levels of target_of_evaluation (TOE), according to [RFDSL], [RFLLIC], and [CRYPTOLIC].
Use of the test parameter sets or parameter sets not described herein is NOT RECOMMENDED. When different parameters are used, it is RECOMMENDED that they be subjected to examination by an authorized agency with approved methods of cryptographic analysis.
Popov, et al. Informational [Page 14]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
DEFINITIONS ::= BEGIN -- EXPORTS All -- -- The types and values defined in this module are exported for -- use in the other ASN.1 modules contained within the Russian -- Cryptography "GOST" & "GOST R" Specifications, and for the use -- of other applications that will use them to access Russian -- Cryptography services. Other applications may use them for -- their own purposes, but this will not constrain extensions and -- modifications needed to maintain or improve the Russian -- Cryptography service. -- Crypto-Pro OID branch id-CryptoPro OBJECT IDENTIFIER ::= { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) } id-CryptoPro-algorithms OBJECT IDENTIFIER ::= id-CryptoPro id-CryptoPro-modules OBJECT IDENTIFIER ::= { id-CryptoPro other(1) modules(1) } id-CryptoPro-hashes OBJECT IDENTIFIER ::= { id-CryptoPro-algorithms hashes(30) } id-CryptoPro-encrypts OBJECT IDENTIFIER ::= { id-CryptoPro-algorithms encrypts(31) } id-CryptoPro-signs OBJECT IDENTIFIER ::= { id-CryptoPro-algorithms signs(32) } id-CryptoPro-exchanges OBJECT IDENTIFIER ::= { id-CryptoPro-algorithms exchanges(33) } id-CryptoPro-extensions OBJECT IDENTIFIER ::= { id-CryptoPro extensions(34) } id-CryptoPro-ecc-signs OBJECT IDENTIFIER ::= { id-CryptoPro-algorithms ecc-signs(35) } id-CryptoPro-ecc-exchanges OBJECT IDENTIFIER ::= { id-CryptoPro-algorithms ecc-exchanges(36) } id-CryptoPro-private-keys OBJECT IDENTIFIER ::= { id-CryptoPro-algorithms private-keys(37) } id-CryptoPro-policyIds OBJECT IDENTIFIER ::= { id-CryptoPro policyIds(38) } id-CryptoPro-policyQt OBJECT IDENTIFIER ::= { id-CryptoPro policyQt(39) } id-CryptoPro-pkixcmp-infos OBJECT IDENTIFIER ::=
Popov, et al. Informational [Page 15]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
Gost28147-89-EncryptionSyntax { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) gost28147-89-EncryptionSyntax(4) 1 } DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS All -- -- The types and values defined in this module are exported for -- use in the other ASN.1 modules contained within the Russian -- Cryptography "GOST" & "GOST R" Specifications, and for the use -- of other applications that will use them to access Russian -- Cryptography services. Other applications may use them for -- their own purposes, but this will not constrain extensions and -- modifications needed to maintain or improve the Russian -- Cryptography service. IMPORTS id-CryptoPro-algorithms, id-CryptoPro-encrypts, ALGORITHM-IDENTIFIER, cryptographic-Gost-Useful-Definitions
Popov, et al. Informational [Page 17]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
Gost28147-89-ParamSetSyntax { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) gost28147-89-ParamSetSyntax(6) 1 } DEFINITIONS EXPLICIT TAGS ::= BEGIN -- EXPORTS All -- -- The types and values defined in this module are exported for -- use in the other ASN.1 modules contained within the Russian -- Cryptography "GOST" & "GOST R" Specifications, and for the use -- of other applications that will use them to access Russian -- Cryptography services. Other applications may use them for -- their own purposes, but this will not constrain extensions and -- modifications needed to maintain or improve the Russian -- Cryptography service. IMPORTS id-CryptoPro-algorithms, id-CryptoPro-encrypts, gost28147-89-EncryptionSyntax, ALGORITHM-IDENTIFIER, cryptographic-Gost-Useful-Definitions FROM Cryptographic-Gost-Useful-Definitions { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) cryptographic-Gost-Useful-Definitions(0) 1 } Gost28147-89-UZ, Gost28147-89-ParamSet,
Popov, et al. Informational [Page 19]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
GostR3411-94-DigestSyntax { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) gostR3411-94-DigestSyntax(1) 1 } DEFINITIONS ::= BEGIN -- EXPORTS All -- -- The types and values defined in this module are exported for -- use in the other ASN.1 modules contained within the Russian -- Cryptography "GOST" & "GOST R" Specifications, and for the use -- of other applications that will use them to access Russian -- Cryptography services. Other applications may use them for -- their own purposes, but this will not constrain extensions and -- modifications needed to maintain or improve the Russian -- Cryptography service. IMPORTS id-CryptoPro-algorithms, id-CryptoPro-hashes, ALGORITHM-IDENTIFIER, cryptographic-Gost-Useful-Definitions FROM Cryptographic-Gost-Useful-Definitions { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) cryptographic-Gost-Useful-Definitions(0) 1 } ; -- GOST R 34.11-94 OID id-GostR3411-94 OBJECT IDENTIFIER ::= { id-CryptoPro-algorithms gostR3411-94(9) } -- GOST R 34.11-94 cryptographic parameter set OIDs id-GostR3411-94-TestParamSet OBJECT IDENTIFIER ::= { id-CryptoPro-hashes test(0) } id-GostR3411-94-CryptoProParamSet OBJECT IDENTIFIER ::= { id-CryptoPro-hashes cryptopro(1) } -- GOST R 34.11-94 data types GostR3411-94-Digest ::= OCTET STRING (SIZE (32)) -- GOST R 34.11-94 digest algorithm & parameters GostR3411-94-DigestParameters ::= OBJECT IDENTIFIER ( id-GostR3411-94-TestParamSet | -- Only for testing purposes id-GostR3411-94-CryptoProParamSet ) GostR3411-94-DigestAlgorithms ALGORITHM-IDENTIFIER ::= { { NULL IDENTIFIED BY id-GostR3411-94 } | -- Assume id-GostR3411-94-CryptoProParamSet { GostR3411-94-DigestParameters IDENTIFIED BY id-GostR3411-94 } }
Popov, et al. Informational [Page 21]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
GostR3411-94-ParamSetSyntax { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) gostR3411-94-ParamSetSyntax(7) 1 } DEFINITIONS ::= BEGIN -- EXPORTS All -- -- The types and values defined in this module are exported for -- use in the other ASN.1 modules contained within the Russian -- Cryptography "GOST" & "GOST R" Specifications, and for the use -- of other applications that will use them to access Russian -- Cryptography services. Other applications may use them for -- their own purposes, but this will not constrain extensions and -- modifications needed to maintain or improve the Russian -- Cryptography service. IMPORTS gost28147-89-EncryptionSyntax, gostR3411-94-DigestSyntax, ALGORITHM-IDENTIFIER FROM Cryptographic-Gost-Useful-Definitions { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) cryptographic-Gost-Useful-Definitions(0) 1 } Gost28147-89-UZ FROM Gost28147-89-EncryptionSyntax gost28147-89-EncryptionSyntax id-GostR3411-94-TestParamSet, id-GostR3411-94-CryptoProParamSet, GostR3411-94-Digest FROM GostR3411-94-DigestSyntax gostR3411-94-DigestSyntax ; -- GOST R 34.11-94 cryptographic parameter sets: -- OIDs for parameter sets are imported from -- GostR3411-94-DigestSyntax GostR3411-94-ParamSetParameters ::= SEQUENCE { hUZ Gost28147-89-UZ, -- S-Box for digest h0 GostR3411-94-Digest -- initial digest value } GostR3411-94-ParamSetAlgorithms ALGORITHM-IDENTIFIER ::= { { GostR3411-94-ParamSetParameters IDENTIFIED BY id-GostR3411-94-TestParamSet } | { GostR3411-94-ParamSetParameters IDENTIFIED BY
Popov, et al. Informational [Page 22]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
id-GostR3411-94-CryptoProParamSet } } END -- GostR3411-94-ParamSetSyntax
GostR3410-94-PKISyntax { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) gostR3410-94-PKISyntax(2) 1 } DEFINITIONS ::= BEGIN -- EXPORTS All -- -- The types and values defined in this module are exported for -- use in the other ASN.1 modules contained within the Russian -- Cryptography "GOST" & "GOST R" Specifications, and for the use -- of other applications that will use them to access Russian -- Cryptography services. Other applications may use them for -- their own purposes, but this will not constrain extensions and -- modifications needed to maintain or improve the Russian -- Cryptography service. IMPORTS id-CryptoPro-algorithms, id-CryptoPro-signs, id-CryptoPro-exchanges, gost28147-89-EncryptionSyntax, gostR3411-94-DigestSyntax, ALGORITHM-IDENTIFIER, cryptographic-Gost-Useful-Definitions FROM Cryptographic-Gost-Useful-Definitions { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) cryptographic-Gost-Useful-Definitions(0) 1 } Gost28147-89-ParamSet FROM Gost28147-89-EncryptionSyntax gost28147-89-EncryptionSyntax id-GostR3411-94-TestParamSet, id-GostR3411-94-CryptoProParamSet FROM GostR3411-94-DigestSyntax gostR3411-94-DigestSyntax ; -- GOST R 34.10-94 OIDs id-GostR3410-94 OBJECT IDENTIFIER ::= { id-CryptoPro-algorithms gostR3410-94(20) } id-GostR3410-94DH OBJECT IDENTIFIER ::= { id-CryptoPro-algorithms gostR3410-94DH(99) } id-GostR3411-94-with-GostR3410-94 OBJECT IDENTIFIER ::= { id-CryptoPro-algorithms gostR3411-94-with-gostR3410-94(4) } -- GOST R 34.10-94 public key parameter set OIDs id-GostR3410-94-TestParamSet OBJECT IDENTIFIER ::=
Popov, et al. Informational [Page 23]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
GostR3410-94-ParamSetSyntax { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) gostR3410-94-ParamSetSyntax(8) 1 } DEFINITIONS ::= BEGIN -- EXPORTS All -- -- The types and values defined in this module are exported for -- use in the other ASN.1 modules contained within the Russian -- Cryptography "GOST" & "GOST R" Specifications, and for the use -- of other applications that will use them to access Russian -- Cryptography services. Other applications may use them for -- their own purposes, but this will not constrain extensions and -- modifications needed to maintain or improve the Russian -- Cryptography service. IMPORTS id-CryptoPro-algorithms, id-CryptoPro-signs, id-CryptoPro-exchanges, gostR3410-94-PKISyntax, ALGORITHM-IDENTIFIER, cryptographic-Gost-Useful-Definitions FROM Cryptographic-Gost-Useful-Definitions { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) cryptographic-Gost-Useful-Definitions(0) 1 } id-GostR3410-94, id-GostR3410-94-TestParamSet, id-GostR3410-94-CryptoPro-A-ParamSet, id-GostR3410-94-CryptoPro-B-ParamSet, id-GostR3410-94-CryptoPro-C-ParamSet, id-GostR3410-94-CryptoPro-D-ParamSet, id-GostR3410-94-CryptoPro-XchA-ParamSet, id-GostR3410-94-CryptoPro-XchB-ParamSet, id-GostR3410-94-CryptoPro-XchC-ParamSet FROM GostR3410-94-PKISyntax gostR3410-94-PKISyntax AlgorithmIdentifier FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-88(1)} ; -- GOST R 34.10-94 public key parameter sets: -- OIDs for parameter sets are imported from -- GostR3410-94-PKISyntax GostR3410-94-ParamSetParameters-t ::= INTEGER (512 | 1024) -- 512 - only for testing purposes
Popov, et al. Informational [Page 25]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
GostR3410-94-ParamSetParameters ::= SEQUENCE { t GostR3410-94-ParamSetParameters-t, p INTEGER, -- 2^1020 < p < 2^1024 or 2^509 < p < 2^512 q INTEGER, -- 2^254 < q < 2^256 a INTEGER, -- 1 < a < p-1 < 2^1024-1 validationAlgorithm AlgorithmIdentifier OPTIONAL -- {{ GostR3410-94-ValidationAlgorithms }} } GostR3410-94-ParamSetAlgorithm ALGORITHM-IDENTIFIER ::= { { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-TestParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-A-ParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-B-ParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-C-ParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-D-ParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-XchA-ParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-XchB-ParamSet } | { GostR3410-94-ParamSetParameters IDENTIFIED BY id-GostR3410-94-CryptoPro-XchC-ParamSet } } -- GOST R 34.10-94 validation/constructor id-GostR3410-94-a OBJECT IDENTIFIER ::= { id-GostR3410-94 a(1) } id-GostR3410-94-aBis OBJECT IDENTIFIER ::= { id-GostR3410-94 aBis(2) } id-GostR3410-94-b OBJECT IDENTIFIER ::= { id-GostR3410-94 b(3) } id-GostR3410-94-bBis OBJECT IDENTIFIER ::= { id-GostR3410-94 bBis(4) } GostR3410-94-ValidationParameters-c ::= INTEGER (0 .. 65535) GostR3410-94-ValidationParameters ::= SEQUENCE { x0 GostR3410-94-ValidationParameters-c, c GostR3410-94-ValidationParameters-c, d INTEGER OPTIONAL -- 1 < d < p-1 < 2^1024-1
GostR3410-2001-PKISyntax { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) gostR3410-2001-PKISyntax(9) 1 } DEFINITIONS ::= BEGIN -- EXPORTS All -- -- The types and values defined in this module are exported for -- use in the other ASN.1 modules contained within the Russian -- Cryptography "GOST" & "GOST R" Specifications, and for the use -- of other applications that will use them to access Russian -- Cryptography services. Other applications may use them for -- their own purposes, but this will not constrain extensions and -- modifications needed to maintain or improve the Russian -- Cryptography service. IMPORTS id-CryptoPro-algorithms, id-CryptoPro-ecc-signs, id-CryptoPro-ecc-exchanges, gost28147-89-EncryptionSyntax, gostR3411-94-DigestSyntax, ALGORITHM-IDENTIFIER, cryptographic-Gost-Useful-Definitions FROM Cryptographic-Gost-Useful-Definitions { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) cryptographic-Gost-Useful-Definitions(0) 1 } Gost28147-89-ParamSet FROM Gost28147-89-EncryptionSyntax gost28147-89-EncryptionSyntax
Popov, et al. Informational [Page 27]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
GostR3410-2001-ParamSetSyntax { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) gostR3410-2001-ParamSetSyntax(12) 1 } DEFINITIONS ::= BEGIN -- EXPORTS All -- -- The types and values defined in this module are exported for -- use in the other ASN.1 modules contained within the Russian -- Cryptography "GOST" & "GOST R" Specifications, and for the use -- of other applications that will use them to access Russian -- Cryptography services. Other applications may use them for -- their own purposes, but this will not constrain extensions and -- modifications needed to maintain or improve the Russian -- Cryptography service. IMPORTS gostR3410-2001-PKISyntax, ALGORITHM-IDENTIFIER, cryptographic-Gost-Useful-Definitions FROM Cryptographic-Gost-Useful-Definitions { iso(1) member-body(2) ru(643) rans(2) cryptopro(2) other(1) modules(1) cryptographic-Gost-Useful-Definitions(0) 1 } id-GostR3410-2001, id-GostR3410-2001-TestParamSet, id-GostR3410-2001-CryptoPro-A-ParamSet, id-GostR3410-2001-CryptoPro-B-ParamSet, id-GostR3410-2001-CryptoPro-C-ParamSet, id-GostR3410-2001-CryptoPro-XchA-ParamSet, id-GostR3410-2001-CryptoPro-XchB-ParamSet FROM GostR3410-2001-PKISyntax gostR3410-2001-PKISyntax ; GostR3410-2001-ParamSetParameters ::= SEQUENCE { a INTEGER, -- 0 < a < p < 2^256 b INTEGER, -- 0 < b < p < 2^256 p INTEGER, -- 2^254 < p < 2^256 q INTEGER, -- 2^254 < q < 2^256
Popov, et al. Informational [Page 29]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
x INTEGER, -- 0 < x < p < 2^256 y INTEGER -- 0 < y < p < 2^256 } -- GOST R 34.10-2001 public key parameter set: -- OIDs for parameter sets are imported from -- GostR3410-2001-PKISyntax GostR3410-2001-ParamSetAlgorithm ALGORITHM-IDENTIFIER ::= { { GostR3410-2001-ParamSetParameters IDENTIFIED BY id-GostR3410-2001-TestParamSet } | { GostR3410-2001-ParamSetParameters IDENTIFIED BY id-GostR3410-2001-CryptoPro-A-ParamSet } | { GostR3410-2001-ParamSetParameters IDENTIFIED BY id-GostR3410-2001-CryptoPro-B-ParamSet } | { GostR3410-2001-ParamSetParameters IDENTIFIED BY id-GostR3410-2001-CryptoPro-C-ParamSet } | { GostR3410-2001-ParamSetParameters IDENTIFIED BY id-GostR3410-2001-CryptoPro-XchA-ParamSet } | { GostR3410-2001-ParamSetParameters IDENTIFIED BY id-GostR3410-2001-CryptoPro-XchB-ParamSet } } END -- GostR3410-2001-ParamSetSyntax
Parameters here are given as SEQUENCE OF AlgorithmIdentifier in ASN.1 DER encoding [X.660], stored in the same format as the examples in [RFC4134], can be extracted using the same program.
If you want to extract without the program, copy all the lines between the "|>" and "|<" markers, remove any page breaks, and remove the "|" in the first column of each line. The result is a valid Base64 blob that can be processed by any Base64 decoder.
-- K1 K2 K3 K4 K5 K6 K7 K8 -- 9 3 E E B 3 1 B -- 6 7 4 7 5 A D A -- 3 E 6 A 1 D 2 F -- 2 9 2 C 9 C 9 5 -- 8 8 B D 8 1 7 0 -- B A 3 1 D 2 A C -- 1 F D 3 F 0 6 E -- 7 0 8 9 0 B 0 8 -- A 5 C 0 E 7 8 6 -- 4 2 F 2 4 5 C 2 -- E 6 5 B 2 9 4 3 -- F C A 4 3 4 5 9 -- C B 0 F C 8 F 1 -- 0 4 7 8 7 F 3 7 -- D D 1 5 A E B D -- 5 1 9 6 6 6 E 4
-- pi1 pi2 pi3 pi4 pi5 pi6 pi7 pi8 -- 4 E 5 7 6 4 D 1 -- A B 8 D C B B F -- 9 4 1 A 7 A 4 D -- 2 C D 1 1 0 1 0 -- D 6 A 0 5 7 3 5 -- 8 D 3 8 F 2 F 7 -- 0 F 4 9 D 1 5 A -- E A 2 F 8 D 9 4 -- 6 2 E E 4 3 0 9 -- B 3 F 4 A 6 A 2 -- 1 8 C 6 9 8 E 3 -- C 1 7 C E 5 7 E -- 7 0 6 B 0 9 6 6 -- F 7 0 2 3 C 8 B -- 5 5 9 5 B F 2 8 -- 3 9 B 3 2 E C C
: 4E 57 64 D1 AB 8D CB BF 94 1A 7A 4D 2C D1 10 10 : D6 A0 57 35 8D 38 F2 F7 0F 49 D1 5A EA 2F 8D 94 : 62 EE 43 09 B3 F4 A6 A2 18 C6 98 E3 C1 7C E5 7E : 70 6B 09 66 F7 02 3C 8B 55 95 BF 28 39 B3 2E CC
Popov, et al. Informational [Page 33]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
This document was created in accordance with "Russian Cryptographic Software Compatibility Agreement", signed by FGUE STC "Atlas", CRYPTO-PRO, Factor-TS, MD PREI, Infotecs GmbH, SPRCIS (SPbRCZI), Cryptocom, R-Alpha. The aim of this agreement is to achieve mutual compatibility of the products and solutions.
The authors wish to thank the following:
Microsoft Corporation Russia for providing information about company products and solutions, and also for technical consulting in PKI.
RSA Security Russia and Demos Co Ltd for active collaboration and critical help in creation of this document.
Peter Gutmann for his helpful "dumpasn1" program.
Russ Hously (Vigil Security, LLC, housley@vigilsec.com) and Vasilij Sakharov (DEMOS Co Ltd, svp@dol.ru) for encouraging the authors to create this document.
Derek Atkins (IHTFP Consulting, derek@ihtfp.com) and his wife, Heather Anne Harrison, for making the document readable.
Grigorij Chudov for navigating the IETF process for this document.
Popov, et al. Informational [Page 46]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
This document is based on a contribution of CRYPTO-PRO Company. Any substantial use of the text from this document must acknowledge CRYPTO-PRO. CRYPTO-PRO requests that all material mentioning or referencing this document identify this as "CRYPTO-PRO CPALGS".
[GOST28147] "Cryptographic Protection for Data Processing System", GOST 28147-89, Gosudarstvennyi Standard of USSR, Government Committee of the USSR for Standards, 1989. (In Russian)
[GOSTR341094] "Information technology. Cryptographic Data Security. Produce and check procedures of Electronic Digital Signatures based on Asymmetric Cryptographic Algorithm.", GOST R 34.10-94, Gosudarstvennyi Standard of Russian Federation, Government Committee of the Russia for Standards, 1994. (In Russian)
[GOSTR341001] "Information technology. Cryptographic data security. Signature and verification processes of [electronic] digital signature.", GOST R 34.10-2001, Gosudarstvennyi Standard of Russian Federation, Government Committee of the Russia for Standards, 2001. (In Russian)
[GOSTR341194] "Information technology. Cryptographic Data Security. Hashing function.", GOST R 34.11-94, Gosudarstvennyi Standard of Russian Federation, Government Committee of the Russia for Standards, 1994. (In Russian) [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
Anatolij Erkin SPRCIS (SPbRCZI) 1, Obrucheva, St.Petersburg, 195220, Russian Federation
EMail: erkin@nevsky.net
Popov, et al. Informational [Page 50]
RFC 4357 Crypto-Pro Cryptographic Algorithms January 2006
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).