Using GOST R 34.10-2012 and GOST R 34.11-2012 Algorithms with the Internet X.509 Public Key Infrastructure

Using GOST R 34.10-2012 and GOST R 34.11-2012 Algorithms with the Internet X.509 Public Key Infrastructure Linaro Ltd.

Harston Mill Royston Rd Harston, Cambridge CB22 7GG United Kingdom dbaryshkov@gmail.com

CryptoPro

18, Suschevsky val Moscow 127018 Russian Federation +7 (495) 995-48-20 nikolaev@cryptopro.ru

InfoTeCS JSC

Aleksandr.Chelpanov@infotecs.ru

GOST PKI This document describes encoding formats, identifiers, and parameter formats for the GOST R 34.10-2012 and GOST R 34.11-2012 algorithms for use in the Internet X.509 Public Key Infrastructure (PKI). This specification is developed to facilitate implementations that wish to support the GOST algorithms. This document does not imply IETF endorsement of the cryptographic algorithms used in this document.

Introduction This document describes the conventions for using the GOST R 34.10-2012 signature algorithm and the GOST R 34.11-2012 hash function in the Internet X.509 Public Key Infrastructure (PKI) . This specification defines the contents of the signatureAlgorithm, signatureValue, signature, and subjectPublicKeyInfo fields within X.509 Certificates and Certificate Revocation Lists (CRLs). For each algorithm, the appropriate alternatives for the keyUsage certificate extension are provided. This specification is developed to facilitate implementations that wish to support the GOST algorithms. This document does not imply IETF endorsement of the cryptographic algorithms used in this document.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Signature Algorithm Support Conforming Certificate Authorities (CAs) MAY use the GOST R 34.10-2012 signature algorithm to sign certificates and CRLs. This signature algorithm MUST always be used with the GOST R 34.11-2012 hash function. It may use a key length of either 256 bits or 512 bits. The ASN.1 object identifier (OID) used to identify the GOST R 34.10-2012 signature algorithm with a 256-bit key length and the GOST R 34.11-2012 hash function with a 256-bit hash code is: The GOST R 34.10-2012 signature algorithm with a 256-bit key length generates a digital signature in the form of two 256-bit integers: r and s. Its octet string representation consists of 64 octets, where the first 32 octets contain the big-endian representation of s and the second 32 octets contain the big-endian representation of r. The ASN.1 OID used to identify the GOST R 34.10-2012 signature algorithm with a 512-bit key length and the GOST R 34.11-2012 hash function with a 512-bit hash code is: The GOST R 34.10-2012 signature algorithm with a 512-bit key length generates a digital signature in the form of two 512-bit integers: r and s. Its octet string representation consists of 128 octets, where the first 64 octets contain the big-endian representation of s and the second 64 octets contain the big-endian representation of r. When either of these OIDs is used as the algorithm field in an AlgorithmIdentifier structure, the encoding MUST omit the parameters field. The described definition of a signature value is directly usable in the Cryptographic Message Syntax (CMS) , where such values are represented as octet strings. However, signature values in certificates and CRLs are represented as bit strings, and thus the octet string representation must be converted. To convert an octet string signature value to a bit string, the most significant bit of the first octet of the signature value SHALL become the first bit of the bit string, and so on through the least significant bit of the last octet of the signature value, which SHALL become the last bit of the bit string.

Hash Function Support The ASN.1 OID used to identify the GOST R 34.11-2012 hash function with a 256-bit hash code is: The ASN.1 OID used to identify the GOST R 34.11-2012 hash function with a 512-bit hash code is: When either of these OIDs is used as the algorithm field in an AlgorithmIdentifier structure, the encoding MUST omit the parameters field.

Subject Public Keys Information Fields

Public Key Identifiers GOST R 34.10-2012 public keys with a 256-bit private key length are identified by the following OID: GOST R 34.10-2012 public keys with a 512-bit private key length are identified by the following OID:

Public Key Parameters When either of these identifiers appears as the algorithm field in the SubjectPublicKeyInfo.algorithm.algorithm field, the parameters field MUST have the following structure: where:

publicKeyParamSet is the public key parameters identifier for GOST R 34.10-2012 parameters (see Sections and of or ) or GOST R 34.10-2001 parameters (see ).
digestParamSet is the parameters identifier for the corresponding GOST R 34.11-2012 parameters (see ).

The following values, when used as publicKeyParamSet, define test public key parameter sets and MUST NOT be used outside of testing scenarios:

id-GostR3410-2001-TestParamSet
id-tc26-gost-3410-2012-512-paramSetTest

The digestParamSet field:

SHOULD be omitted if the GOST R 34.10-2012 signature algorithm is used with a 512-bit key length
MUST be present and must be equal to id-tc26-digest-gost3411-12-256 if one of the following values is used as publicKeyParamSet:
- id-GostR3410-2001-TestParamSet
- id-GostR3410-2001-CryptoPro-A-ParamSet
- id-GostR3410-2001-CryptoPro-B-ParamSet
- id-GostR3410-2001-CryptoPro-C-ParamSet
- id-GostR3410-2001-CryptoPro-XchA-ParamSet
- id-GostR3410-2001-CryptoPro-XchB-ParamSet
SHOULD be omitted if publicKeyParamSet is equal to:
- id-tc26-gost-3410-2012-256-paramSetA
MUST be omitted if one of the following values is used as publicKeyParamSet:
- id-tc26-gost-3410-2012-256-paramSetB
- id-tc26-gost-3410-2012-256-paramSetC
- id-tc26-gost-3410-2012-256-paramSetD

Public Key Encoding The GOST R 34.10-2012 public key MUST be ASN.1 DER encoded as an OCTET STRING. This encoding SHALL be used as the content (i.e., the value) of the subjectPublicKey field (a BIT STRING) of the SubjectPublicKeyInfo structure. GostR3410-2012-256-PublicKey MUST contain 64 octets, where the first 32 octets contain the little-endian representation of the x coordinate of the public key and the second 32 octets contain the little-endian representation of the y coordinate of the public key. GostR3410-2012-512-PublicKey MUST contain 128 octets, where the first 64 octets contain the little-endian representation of the x coordinate of the public key and the second 64 octets contain the little-endian representation of the y coordinate of the public key.

Key Usage Extension If the KeyUsage extension is present in a certificate with the GOST R 34.10-2012 public key, the following values MAY be present:

digitalSignature (0)
contentCommitment (1)
keyEncipherment (2)
dataEncipherment (3)
keyAgreement (4)
keyCertSign (5)
cRLSign (6)
encipherOnly (7)
decipherOnly (8)

Note that contentCommitment was named nonRepudiation in previous versions of X.509. If the key is going to be used for key agreement, the keyAgreement flag MUST be present in the KeyUsage extension, with the encipherOnly and decipherOnly flags being optional. However, the encipherOnly and decipherOnly flags MUST NOT be present simultaneously.

Qualified Certificate Extensions This section defines additional OIDs for use in qualified certificates for checking digital signatures.

Distinguished Name Additions OGRN is the main state registration number of juridical entities. The corresponding OID is 1.2.643.100.1. SNILS is the individual insurance account number. The corresponding OID is 1.2.643.100.3. INNLE is the individual taxpayer number (ITN) of the legal entity. The corresponding OID is 1.2.643.100.4. OGRNIP is the main state registration number of individual entrepreneurs (sole traders). The corresponding OID is 1.2.643.100.5. IdentificationKind represents the way the receiver of the certificate was identified by the CA. The corresponding OID is 1.2.643.100.114. INN is the individual taxpayer number (ITN). The corresponding OID is 1.2.643.3.131.1.1.

Certificate Policies The Russian national regulation body for cryptography defines several security levels of cryptographic tools. Depending on the class of cryptographic token used by the certificate owner, the following OIDs must be included in certificate policies. Certificates should include OIDs, starting from the lowest (KC1) up to the strongest applicable.

1.2.643.100.113.1 - class KC1
1.2.643.100.113.2 - class KC2
1.2.643.100.113.3 - class KC3
1.2.643.100.113.4 - class KB1
1.2.643.100.113.5 - class KB2
1.2.643.100.113.6 - class KA1

Subject Sign Tool To denote the token or software type used by the certificate owner, the following non-critical SubjectSignTool extension with OID 1.2.643.100.111 should be included. It is defined as

Issuer Sign Tool To denote the tools used to generate key pairs and tools used by the CA to sign certificates, the following non-critical IssuerSignTool extension with OID 1.2.643.100.112 should be included. It is defined as where:

signTool identifies tools used to create key pairs.
cATool identifies tools used by the CA.
signToolCert and cAToolCert contain the notice of the conformance of respective tools to Russian federal law on digital signatures.

Historical Considerations Note that, for a significant period of time, there were no documents describing GostR3410-2012-PublicKeyParameters. Several old implementations have used GostR3410-2001-PublicKeyParameters instead. These implementations will return an error if the digestParamSet field is not included in public key parameters. Thus, an implementation wishing to collaborate with old implementations might want to include digestParamSet equal to id-tc26-digest-gost3411-12-512 if one of the following values is used as publicKeyParamSet:

id-tc26-gost-3410-12-512-paramSetA
id-tc26-gost-3410-12-512-paramSetB

Note that the usage of keyEncipherment and dataEncipherment values for the KeyUsage extension is not fully defined for the GOST R 34.10-2012 public keys, so they SHOULD be used with additional care.

IANA Considerations This document has no IANA actions.

Security Considerations It is RECOMMENDED that applications verify signature values and subject public keys to conform to the GOST R 34.10-2012 standard prior to their use. It is RECOMMENDED that CAs and applications make sure that the private key for creating signatures is not used for more than its allowed validity period (typically 15 months for the GOST R 34.10-2012 algorithm). Test parameter sets (id-GostR3410-2001-TestParamSet and id-tc26-gost-3410-2012-512-paramSetTest) MUST NOT be used outside of testing scenarios. The use of parameter sets not described herein is NOT RECOMMENDED. When different parameters are used, it is RECOMMENDED that they be subjected to examination by an authorized agency with approved methods of cryptographic analysis. For security discussions concerning the use of algorithm parameters, see and the Security Considerations sections in and .

References Normative References Informative References Information technology. Cryptographic data security. Signature and verification processes of [electronic] digital signature GOST R 34.10-2012, Federal Agency on Technical Regulating and Metrology Information technology. Cryptographic Data Security. Hashing function GOST R 34.11-2012, Federal Agency on Technical Regulating and Metrology On the security properties of Russian standardized elliptic curves Mathematical Aspects of Cryptography, 9:3, P. 5-32

GostR3410-2012-PKISyntax

GostR3410-2012-RuStrongCertsSyntax

Public Key Parameters Here we define three new OIDs for three existing public key parameter sets defined in . These OIDs MUST be used with GOST R 34.10-2012 public keys only. The elliptic curve of this parameter set is the same as that of id-GostR3410-2001-CryptoPro-A-ParamSet (and id-GostR3410-2001-CryptoPro-XchA-ParamSet), which can be found in . The elliptic curve of this parameter set is the same as that of id-GostR3410-2001-CryptoPro-B-ParamSet, which can be found in . The elliptic curve of this parameter set is the same as that of id-GostR3410-2001-CryptoPro-C-ParamSet (and id-GostR3410-2001-CryptoPro-XchB-ParamSet), which can be found in .

Test Examples

GOST R 34.10-2001 Test Parameters (256-Bit Private Key Length) This example uses the curve defined in . The private key is The public key is

Certificate Request

Certificate

Certificate Revocation List

GOST R 34.10-2012 TC26-256-A Parameters (256-Bit Private Key Length) This example uses the curve defined in . The private key is The public key is

Certificate Request

Certificate

Certificate Revocation List

GOST R 34.10-2012 Test Parameters (512-Bit Private Key Length) This example uses the curve defined in . The private key is The public key is

Certificate Request

Certificate

Certificate Revocation List

GOST R 34.10-2012 Test Parameters (Curve Definition) The following parameters must be used for digital signature generation and verification.

Elliptic Curve Modulus The following value is assigned to parameter p in this example:

Elliptic Curve Coefficients Parameters a and b take the following values in this example:

Elliptic Curve Points Group Order Parameter m takes the following value in this example:

Order of Cyclic Subgroup of Elliptic Curve Points Group Parameter q takes the following value in this example:

Elliptic Curve Point Coordinates Point P coordinates take the following values in this example:

Contributors InfoTeCS JSC

Semen.Pianov@infotecs.ru

InfoTeCS JSC

Ekaterina.Karelina@infotecs.ru

Cryptocom

beldmit@gmail.com