SMPTE Standards Transition Issues for NIST/FIPS Requirements V1.1

SMPTE Standards Transition Issues for NIST/FIPS Requirements V1.1

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1 2010.8.23 DRM inside, Taehyun Kim ETRI, Kisoon Yoon Contents 1 Introduction NIST (National Institute of Standards and Technology) published second draft special document 1 (SP 800-131, Recommendation for the Transitioning of Cryptographic Algorithms and Key Length) [28] in June, 2010. It includes transition recommendations through 9 items associated with the use of cryptography, whose purpose is to keep the security level being still higher as the more powerful computing techniques are available. The 9 items described in the SP 800-131 are: • Encryption (Sec. 2) • Digital Signature (Sec. 3) • Random Number Generation (Sec. 4) • Key Agreement Using Diffie-Hellman and MQV (Sec. 5) • Key Agreement and Key Transport Using RSA (Sec. 6) • Key Wrapping (Sec. 7) • GDIO Protocol (Sec 8.) • Deriving Additional Keys (Sec. 8) • Hash Function (Sec. 9) • Message Authentication Codes (Sec. 10) Currently, SMPTE documents2 refer to the FIPS (Federal Information Processing Standard) to use its cryptographic algorithms which are Secure Hash Standard (FIPS 180-1, 180-2) [1][2], Digital Signature Standard (FIPS 186-2, Jan. 2000) [4], Random Number Generation (FIPS 186-2, Jan. 2000), Advanced Encryption Standard (FIPS 197, Nov. 2001) [6] and Keyed-Hash Message Authentication Code (FIPS 198-1, Apr. 2002) [7]. As upgrade version of the FIPSs and new recommendation are published from the NIST, we need to consider impacts on the SMPTE standard documents. This report summarizes SMPTE documents in cryptographic point of view and new NIST requirements related to the cryptographic algorithm and strength to which SMPTE standards are referring. And it also verifies if current algorithms and key length used in SMPTE standards are compliant to the new requirements. 2 SMPTE Standard List with Cryptography Specification SMPTE Chapter Cryptographic item Purpose Reference S427 5.1 LE_Key generation Random number generation Random number - [15] 6.3.1 Algorithm type RSA_oaep_mgf1p_sha1_2048 Key transport RFC 2437 [9] 1 It is a revised version reflecting public comments related on the delay of the imminent 2010 transition due date of the vulnerable algorithm or key length. The second draft temporarly grants delay of the deadline in some parts until 2013 or 2015 with the term ‘deprecated’. Currently NIST has received additional comments on the second version. 2 All SMPTE documents in this report are “SMPTE Standards for Digital Cinema” published or worked by SMPTE 21 DC. Other standard documents from other TC groups are not considered. 1 6.3.3 Hash SHA1 Integrity FIPS 180-1 [1] 6.4.5 LE Key Type AES-CTR-128 Data encryption FIPS 197 [6] 5.5 Cipher Algorithm AES-CBC-128 Data encryption FIPS 197 S429-6 5.6 MIC Algorithm HMAC-SHA1-128 Integrity RFC 2104 [8] [16] 6.10 MIC (Optional) MIC Key derivation Random number FIPS 186-2 [4] S429-7 Digest method : SHA-1 6.13 Signature (Optional) Digital signature FIPS 186-2 [17] Signature method : RSA-SHA256 8.2.2 Hash SHA-1 Integrity RFC3174 [11] S429-8 Digest method : SHA-1 5.10 Signature (Optional) Digital signature FIPS 186-2 [18] Signature method : RSA-SHA256 6.3 Hash SHA-1 Integrity RFC 3174 S430-1 None [19] (Refer 430-3) Signature algorithm:RSA-SHA256 Digital signature RFC 3280 [13] S430-2 5.2 Field Constraints Public Key : RSA-2048 Key algorithm RFC 3447 [14] [20] Hash for Public Key TP : SHA1 5.4 Thumbprint Key identifier FIPS 180-2 [2] Hash for Certificate Key TP : SHA1 6.1.1 Encryption method rsa-oaep-mgf1p Key agreement RFC 3447 6.1.2 KeyInfo D-Cinema certificate (RSA-2048) Key encryption RFC 3447 S430-3 6.2 EncryptedData AES-CBC-128 Data encryption FIPS 197 [21] Digest method : SHA-256 W3C XML- 7.2 SignatureInfo Digital signature Signature method : RSA-SHA256 Signature [29] 7.1.8 Previous Header Hash SHA-1 FIPS 180-1 7.1.9 Record Body Hash SHA-1 S430-4 7.3.3.1 Record Header Hash SHA-1 Digital signature [22] W3C XML- 7.3.4 Signature (Optional) xml-signature Signature S430-5 Digest method : SHA-256 W3C XML- 6.1.3 Log Record Signature Digital signature [23] Signature method : RSA-SHA256 Signature Communication channel : TLS Key transport RFC 2246 [9] S430-6 Public key algorithm : RSA-2048 Key encryption RFC 3447 6.1 Message Security [24] Cipher algorithm : AES-CBC-128 Data encryption RFC 3268 [12] HASH : SHA1 Integrity - S427: Link Encryption for 1.5Gb/s1 Serial Digital Interface S429-6: D-Cinema Packaging, MXF Track File Essence Encryption S429-7: D-Cinema Packaging, Composition Playlist S429-8: D-Cinema Packaging, Packing List S430-1: D-Cinema Operations Key Delivery Message S430-2: D-Cinema Operations Digital Certificate S430-3: D-Cinema Operations Generic Extra-Theatre Message Format S430-4: D-Cinema Operations, Log Record Format Specification S430-5: D-Cinema Operations, Security Log Event Class and Constraints S430-6: D-Cinema Operations, Auditorium Security Messages for Intra-Theater Communications FIPS 180-x: Secure Hash Standard FIPS 186-x: Digital Signature Standard FIPS 197: Advanced Encryption Standard FIPS 198-x: The Keyed-Hash Message Authentication Code RFC 2104: HMAC: Keyed-Hashing for Message Authentication RFC 2246: The TLS Protocol Version 1.0 RFC 2437: PKCS #1: RSA Cryptography Specifications Version 2.0 RFC 3174: US Secure Hash Algorithm 1 RFC 3268: Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS) RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile RFC 3447:"Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 SP 800-56B: Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography SP 800-57: Recommendation for Key Management SP 800-90: Recommendation for Random Number Generation Using Deterministic Random Bit Generators SP 800-131: Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes 3 SMPTE Transition Issues on the SP 800-131 Recommendation 2 3.1 Encryption NIST recommends using Three-key Triple DES or above AES-128 encryption algorithm on new implementation after 2010. SMPTE currently uses only AES-128 algorithm for symmetric encryption (FIPS 197) in the S427, S429-6, S430-3 and S430-6. So there is NO transition issue on the symmetric encryption /decryption algorithm in the SMPTE standards. And under the current NIST recommendation, AES-128 is valid even beyond 2030. Therefore, there will be also no transition concern on this item for the time being. Algorithm Use (Encryption/Decryption) AES-128 Acceptable beyond 2010 AES-192 Acceptable beyond 2010 AES-256 Acceptable beyond 2010 Table 1 NIST Recommendation for Encryption [28] 3.2 Digital Signatures 3.2.1 Signature method NIST recommends using above 112 bits symmetric key length on new implementation of digital signature after 20103. SMPTE currently uses RSA algorithm with 2048 key size in the S429-7, S429-8, S430-2 and S430- 3. The asymmetric algorithm RSA with 2048 bits is regarded as having 112 bits symmetric key length [28]. So there is no transition issue on the Digital Signature (FIPS 186-x) in those SMPTE standards. However S430-5 (Section 6.1.3 Log record signature) specifies the algorithm to W3C’s xml-signature which allows DSS algorithm as well as RSA with any key length. Although S430-5’s xml-signature implicitly indicates using the digital cinema certificate which is required to have only RSA algorithm and 2048 key length [20], S430-5 needs to consider changing signature method as RSA instead of vague ‘xml-signature’ to keep consistency with other SMPTE standards at least before end of the 2013. And under the current NIST recommendation, RSA-2048 is valid until 2030. Therefore, if SMPTE wants to use this algorithm even beyond 2030, it needs to increase the key length to 3072 bits before 2030. Digital Signature Process Use 80 bits of security strength: Deprecated from 2011 through 2013 Signature RSA: 1024 ≤ |n| < 2048 Generation ≥ 112 bits of security strength: Acceptable beyond 2010 RSA: |n| ≥ 2048 80 bits of security strength: Legacy use after 2010 Signature RSA: 1024 ≤ |n| < 2048 Verification ≥ 112 bits of security strength: Acceptable beyond 2010 RSA: |n| ≥ 2048 Table 2 NIST Recommendation for Digital Signature Method [28] 3.2.2 Digest method NIST recommends using above SHA-224 on new implementation of digital signature after 2010 4. SMPTE currently uses both SHA1 (in S429-7, S429-8 and S430-4) and SHA256 (in S430-2 and S430-5) for the purpose of signature digest. The SHA1 of the SMPTE digest method may not be security critical issue because SMPTE uses it only at the optional signature part. However once someone used signature function, the algorithm is required to be secure enough. So it needs to consider changing SHA1 algorithms in the S429-7, S429-8 and S430-4 into SHA 256 according to FIPS 186-3 [4] at least before end of the 2013. Digital Signature Process Use 3 Transition can be delayed until 2013. But it is recommended to be done as soon as possible since it said the lower bits (e.g. above 80 bits) would be deprecated from 2011 to 2013. 4 Transition can be delayed until 2013. But it is recommended to be done as soon as possible since it said using of SHA-1 would be deprecated from 2011 to 2013. 3 Signature SHA-1 Deprecated from 2011 through 2013 Generation SHA-224, SHA-256, SHA-284, SHA-512 Acceptable beyond 2010 Signature SHA-1 Legacy use after 2010 Verification SHA-224, SHA-256, SHA-284, SHA-512 Acceptable beyond 2010 Table 3 NIST Recommendation for Digital Signature Digest Method [28] 3.3 Random Number Generation NIST recommends using the RNG method described in SP 800-90 [27] on new implementation of RNG after 20105.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    7 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us