]> Red Hat, Inc.

Purkynova 115 Brno 61200 Czech Republic hkario@redhat.com

General Internet Engineering Task Force pbmac1, pkcs12, pbkdf2 This document specifies additions and amendments to RFC 7292. It defines a way to use the Password Based Message Authentication Code 1, defined in RFC 8018, inside the PKCS #12 syntax. The purpose of this specification is to permit use of more modern PBKDFs and allow for regulatory compliance.

The PKCS #12 format is widely used for interoperable transfer of certificate, key, and other miscellaneous secrets between machines, applications, browsers, etc. Unfortunately, the original specification mandates the use of a specific password based key derivation function, allowing only for change of the underlying message digest function.

Due to security concerns with PBKDF1 and much higher extensibility of PBMAC1, we propose the use of PBMAC1 for integrity protection of PKCS #12 structures. The new syntax is designed to allow legacy applications to still be able to decrypt the key material, even if they are unable to interpret the new integrity protection, provided that they can ignore failures in MAC verification. Use of the extensible PBMAC1 mechanism also allows for greater flexibility and alignment to different government regulations. As recommended methods for key protection require both encryption and integrity protection, we've decided to amend the PKCS #12 format to support different key derivation functions rather than extending the PKCS #5 by a new field allowing integrity protection.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

The MacData structure in the PFX object is changed as follows: the id-PBMAC1 object identifier is permitted as a valid type for the DigestAlgorithmIdentifier inside the DigestInfo object. If the algorithm field of the DigestAlgorithmIdentifier is id-PBMAC1, then the parameters field MUST be present and have the value consistent with PBMAC1-params if the PBMAC1 algorithm is used, the digest value of the DigestInfo object MUST be the result of the PBMAC1 calculation over the authSafe field using the PBMAC1-params parameters if the PBMAC1 algorithm is used, the macSalt value MUST be ignored, for backwards compatibility it SHOULD NOT be empty if the PBMAC1 algorithm is used, the iteration value MUST be ignored, for backwards compatibility it SHOULD have a non-zero positive value

To provide interoperability between different implementations, all implementations of this specification MUST support the PBKDF2 key derivation function paired with SHA-256 HMAC. It's RECOMMENDED for implementations to support other SHA-2 based HMACs. Implementations MAY use other KDF methods, like the scrypt PBKDF RFC 7914.

While attacks against SHA-1 HMACs are not considered practical to limit the number of algorithms needed for interoperatbility, implementations of this specification SHOULD NOT use PBKDF2 with the SHA-1 HMAC. Additionally the implementation MUST NOT use any other message digest functions with output of 160 bits or smaller.

This memo includes no request to IANA.

Except for use of different key derivation functions, this document doesn't change how the integrity protection on PKCS #12 objects is computed; therefore all the original security considerations from RFC 7292 apply. Use of PBMAC1 and PBKDF2 is unchanged from RFC 8018; therefore all the original security considerations apply.

&RFC2119; &RFC6194; &RFC7292; &RFC8018; &RFC7914;

This becomes an Appendix.