Signature
=========

.. _DataSignature:

Data Signature
--------------

The NDN Data packet signature is defined as two consecutive TLV elements: ``SignatureInfo`` and ``SignatureValue``.

::

    DataSignature = SignatureInfo SignatureValue

    SignatureInfo = SIGNATURE-INFO-TYPE TLV-LENGTH
                      SignatureType
                      [KeyLocator]

    SignatureValue = SIGNATURE-VALUE-TYPE TLV-LENGTH *OCTET

The ``SignatureInfo`` element fully describes the digital signature algorithm utilized and any other relevant information to locate its parent certificate(s), such as :ref:`KeyLocator`.

The ``SignatureValue`` element holds the actual bits of the signature. The exact encoding of the TLV-VALUE of this element depends on the specific signature type. See :ref:`SignatureTypes` for details.

The cryptographic signature contained in ``SignatureValue`` covers all TLV elements inside ``Data``, starting from ``Name`` and up to, but not including, ``SignatureValue``.
These TLV elements are hereby referred to as the "*signed portion*" of a Data packet.


.. _InterestSignature:

Interest Signature
------------------

The NDN Interest packet signature is defined as two consecutive TLV elements: ``InterestSignatureInfo`` and ``InterestSignatureValue``.

::

    InterestSignature = InterestSignatureInfo InterestSignatureValue

    InterestSignatureInfo = INTEREST-SIGNATURE-INFO-TYPE TLV-LENGTH
                              SignatureType
                              [KeyLocator]
                              [SignatureNonce]
                              [SignatureTime]
                              [SignatureSeqNum]

    InterestSignatureValue = INTEREST-SIGNATURE-VALUE-TYPE TLV-LENGTH *OCTET

The ``InterestSignatureInfo`` element fully describes the digital signature algorithm utilized and any other relevant information to locate its parent certificate(s), such as :ref:`KeyLocator`.
To ensure the uniqueness of a signed Interest and to mitigate potential replay attacks, the ``InterestSignatureInfo`` element SHOULD include at least one of the following elements (described below): ``SignatureNonce``, ``SignatureTime``, ``SignatureSeqNum``.

The ``InterestSignatureValue`` element holds the actual bits of the signature. The exact encoding of the TLV-VALUE of this element depends on the specific signature type. See :ref:`SignatureTypes` for details.

The cryptographic signature contained in ``InterestSignatureValue`` covers all the ``NameComponent`` elements in the Interest's ``Name`` up to, but not including, ``ParametersSha256DigestComponent``, and the complete TLV elements starting from ``ApplicationParameters`` up to, but not including, ``InterestSignatureValue``.
These TLV elements are hereby referred to as the "*signed portion*" of an Interest packet.


Signature Elements
------------------

SignatureType
^^^^^^^^^^^^^

::

    SignatureType = SIGNATURE-TYPE-TYPE TLV-LENGTH NonNegativeInteger

This specification defines the following values for ``SignatureType``:

+---------+----------------------------------------+-------------------------------------------------+
| Value   | Reference                              | Description                                     |
+=========+========================================+=================================================+
| 0       | :ref:`DigestSha256`                    | Integrity protection using a SHA-256 digest     |
+---------+----------------------------------------+-------------------------------------------------+
| 1       | :ref:`SignatureSha256WithRsa`          | Integrity and provenance protection using       |
|         |                                        | an RSA signature over a SHA-256 digest          |
+---------+----------------------------------------+-------------------------------------------------+
| 3       | :ref:`SignatureSha256WithEcdsa`        | Integrity and provenance protection using       |
|         |                                        | an ECDSA signature over a SHA-256 digest        |
+---------+----------------------------------------+-------------------------------------------------+
| 4       | :ref:`SignatureHmacWithSha256`         | Integrity and provenance protection using       |
|         |                                        | a SHA-256 hash-based message authentication code|
+---------+----------------------------------------+-------------------------------------------------+
| 5       | :ref:`SignatureEd25519`                | Integrity and provenance protection using       |
|         |                                        | an Ed25519 signature                            |
+---------+----------------------------------------+-------------------------------------------------+
| 2,6-200 |                                        | Reserved for future assignments                 |
+---------+----------------------------------------+-------------------------------------------------+
| >200    |                                        | Unassigned                                      |
+---------+----------------------------------------+-------------------------------------------------+

.. _KeyLocator:

KeyLocator
^^^^^^^^^^

A ``KeyLocator`` specifies either a ``Name`` that points to another Data packet containing a certificate or public key, or a ``KeyDigest`` that identifies the public key within a specific trust model (definition of the trust model is outside the scope of this specification).
Note that although ``KeyLocator`` is defined as an optional field in ``SignatureInfo`` and ``InterestSignatureInfo``, specific signature types may require its presence or absence.

::

    KeyLocator = KEY-LOCATOR-TYPE TLV-LENGTH (Name / KeyDigest)

    KeyDigest = KEY-DIGEST-TYPE TLV-LENGTH *OCTET

See :ref:`Name` for the definition of the ``Name`` element.

The specific definition of the proper usage of the ``Name`` and ``KeyDigest`` options in the ``KeyLocator`` field is outside the scope of this specification.
Generally, ``Name`` names the Data packet containing the corresponding :ref:`certificate <Certificate>`.
However, it is up to the specific trust model to define whether this name is the full name of the Data packet or a prefix that can match multiple Data packets.
For example, the `hierarchical trust model`_ uses the latter approach, requiring clients to fetch the latest version of the Data packet pointed to by ``KeyLocator`` (the latest version of the public key certificate) in order to ensure that the public key was not yet revoked.

SignatureNonce
^^^^^^^^^^^^^^

::

    SignatureNonce = SIGNATURE-NONCE-TYPE TLV-LENGTH 1*OCTET

The ``SignatureNonce`` element adds additional assurances that a signature will be unique.
The recommended minimum length for a ``SignatureNonce`` element is 8 octets.

SignatureTime
^^^^^^^^^^^^^

::

    SignatureTime = SIGNATURE-TIME-TYPE TLV-LENGTH NonNegativeInteger

The value of the ``SignatureTime`` element is the timestamp of the signature, represented as the number of milliseconds since 1970-01-01T00:00:00Z (Unix epoch).
This element can be used to indicate that the packet was signed at a particular point in time.

SignatureSeqNum
^^^^^^^^^^^^^^^

::

    SignatureSeqNum = SIGNATURE-SEQ-NUM-TYPE TLV-LENGTH NonNegativeInteger

The ``SignatureSeqNum`` element adds additional assurances that a signature will be unique.
The ``SignatureSeqNum`` may be used to protect against replay attacks.


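A verifier-side replay check built on the three elements above, as an added example that is not part of the specification or of any NDN library. The ``SigInfo`` and ``ReplayGuard`` names, the per-key state and the acceptance policy (strictly increasing time and sequence number, a 60-second skew bound, refusing nonces under the recommended 8 octets) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SigInfo:
    """Decoded InterestSignatureInfo fields; None means the element is absent."""
    key_name: str                    # KeyLocator Name, used to scope the state
    nonce: Optional[bytes] = None    # SignatureNonce
    time_ms: Optional[int] = None    # SignatureTime, milliseconds since Unix epoch
    seq_num: Optional[int] = None    # SignatureSeqNum


class ReplayGuard:
    """Per-key replay state; call check() only after the signature verified.

    Policy choices (assumptions): reject Interests carrying none of the three
    elements, reject nonces under 8 octets, require time and sequence number
    to increase strictly, and bound clock skew to max_skew_ms.
    """

    def __init__(self, max_skew_ms=60_000):
        self.max_skew_ms = max_skew_ms
        self.nonces = {}     # key_name -> set of nonces already accepted
        self.last_time = {}  # key_name -> highest accepted SignatureTime
        self.last_seq = {}   # key_name -> highest accepted SignatureSeqNum

    def check(self, info, now_ms):
        """Return (accepted, reason) and record state only on acceptance."""
        key = info.key_name
        if info.nonce is None and info.time_ms is None and info.seq_num is None:
            return False, "no anti-replay element"
        if info.nonce is not None:
            if len(info.nonce) < 8:
                return False, "SignatureNonce shorter than 8 octets"
            if info.nonce in self.nonces.get(key, ()):
                return False, "SignatureNonce reused"
        if info.time_ms is not None:
            if abs(now_ms - info.time_ms) > self.max_skew_ms:
                return False, "SignatureTime outside accepted window"
            if info.time_ms <= self.last_time.get(key, -1):
                return False, "SignatureTime not increasing"
        if info.seq_num is not None and info.seq_num <= self.last_seq.get(key, -1):
            return False, "SignatureSeqNum not increasing"
        # All checks passed: commit, so a rejected Interest never alters state.
        if info.nonce is not None:
            self.nonces.setdefault(key, set()).add(info.nonce)
        if info.time_ms is not None:
            self.last_time[key] = info.time_ms
        if info.seq_num is not None:
            self.last_seq[key] = info.seq_num
        return True, "ok"
```

The nonce sets grow for as long as the guard lives; a long-running verifier would expire entries, for example together with the time window.
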
.. _SignatureTypes:

Different Types of Signatures
-----------------------------

Each signature type has different requirements on the format of its ``SignatureInfo`` and ``InterestSignatureInfo`` elements.
In the following sections, these requirements are specified along 2 dimensions:

* The TLV-VALUE of ``SignatureType``
* Whether ``KeyLocator`` is required/forbidden

.. _DigestSha256:

DigestSha256
^^^^^^^^^^^^

``DigestSha256`` provides no information about the provenance of a packet or any guarantee that the packet is from the original source.
This signature type is intended only for debug purposes and in the limited circumstances when it is necessary to protect only against unexpected modification during transmission.

``DigestSha256`` is defined as the SHA-256 hash of the "signed portion" of an Interest or Data packet:

* The TLV-VALUE of ``SignatureType`` is 0
* ``KeyLocator`` is forbidden; if present, it must be ignored

::

    SignatureValue = SIGNATURE-VALUE-TYPE
                     TLV-LENGTH ; == 32
                     32OCTET ; == SHA-256{Data signed portion}

    InterestSignatureValue = INTEREST-SIGNATURE-VALUE-TYPE
                             TLV-LENGTH ; == 32
                             32OCTET ; == SHA-256{Interest signed portion}

.. _SignatureSha256WithRsa:

SignatureSha256WithRsa
^^^^^^^^^^^^^^^^^^^^^^

``SignatureSha256WithRsa`` defines an RSA public key signature that is calculated over the SHA-256 hash of the "signed portion" of an Interest or Data packet.
It uses the RSASSA-PKCS1-v1_5 signature scheme, as defined in :rfc:`RFC 8017, Section 8.2 <8017#section-8.2>`.

* The TLV-VALUE of ``SignatureType`` is 1
* ``KeyLocator`` is required

::

    SignatureValue = SIGNATURE-VALUE-TYPE
                     TLV-LENGTH
                     1*OCTET ; == RSA over SHA-256{Data signed portion}

    InterestSignatureValue = INTEREST-SIGNATURE-VALUE-TYPE
                             TLV-LENGTH
                             1*OCTET ; == RSA over SHA-256{Interest signed portion}

.. note::
    The TLV-LENGTH of these elements varies depending on the length of the private key used for signing (e.g., 256 bytes for a 2048-bit key).

This type of signature, if verified, provides very strong assurances that a packet was created by the claimed producer (authentication/provenance) and was not tampered with while in transit (integrity).
The ``KeyDigest`` option in :ref:`KeyLocator` is defined as the SHA-256 digest over the DER encoding of the ``SubjectPublicKeyInfo`` for an RSA key as defined by :rfc:`3279`.

.. note::
    It is the application's responsibility to define rules (a trust model) concerning when a specific issuer (``KeyLocator``) is authorized to sign a specific packet.
    While trust models are outside the scope of this specification, generally, trust models need to specify authorization rules between key names and Data packet names, as well as clearly define trust anchor(s).
    For example, an application can elect to use a `hierarchical trust model`_ to ensure Data integrity and provenance.

.. _SignatureSha256WithEcdsa:

SignatureSha256WithEcdsa
^^^^^^^^^^^^^^^^^^^^^^^^

``SignatureSha256WithEcdsa`` defines an ECDSA public key signature that is calculated over the SHA-256 hash of the "signed portion" of an Interest or Data packet.
This signature algorithm is defined in :rfc:`RFC 5753, Section 2.1 <5753#section-2.1>`.
All NDN implementations MUST support this signature type with the NIST P-256 curve.

* The TLV-VALUE of ``SignatureType`` is 3
* ``KeyLocator`` is required

::

    SignatureValue = SIGNATURE-VALUE-TYPE
                     TLV-LENGTH
                     1*OCTET ; == ECDSA over SHA-256{Data signed portion}

    InterestSignatureValue = INTEREST-SIGNATURE-VALUE-TYPE
                             TLV-LENGTH
                             1*OCTET ; == ECDSA over SHA-256{Interest signed portion}

.. note::
    The TLV-LENGTH of these elements depends on the specific elliptic curve used for signing (e.g., up to 72 bytes for the NIST P-256 curve).

This type of signature, if verified, provides very strong assurances that a packet was created by the claimed producer (authentication/provenance) and was not tampered with while in transit (integrity).
The ``KeyDigest`` option in :ref:`KeyLocator` is defined as the SHA-256 digest of the DER encoding of the ``SubjectPublicKeyInfo`` for an EC key as defined by :rfc:`5480`.

The value of ``SignatureValue`` of ``SignatureSha256WithEcdsa`` is a DER-encoded ``Ecdsa-Sig-Value`` structure as defined in :rfc:`RFC 3279, Section 2.2.3 <3279#section-2.2.3>`.

.. _SignatureHmacWithSha256:

SignatureHmacWithSha256
^^^^^^^^^^^^^^^^^^^^^^^

``SignatureHmacWithSha256`` defines a hash-based message authentication code (HMAC) that is calculated over the "signed portion" of an Interest or Data packet, using SHA-256 as the hash function, salted with a shared secret key.
This signature algorithm is defined in :rfc:`RFC 2104, Section 2 <2104#section-2>`.

.. warning::
    As stated in :rfc:`RFC 2104, Section 3 <2104#section-3>`, shared keys shorter than the SHA-256 output length (32 bytes) are strongly discouraged.

* The TLV-VALUE of ``SignatureType`` is 4
* ``KeyLocator`` is required

::

    SignatureValue = SIGNATURE-VALUE-TYPE
                     TLV-LENGTH ; == 32
                     32OCTET ; == HMAC-SHA-256{Data signed portion}

    InterestSignatureValue = INTEREST-SIGNATURE-VALUE-TYPE
                             TLV-LENGTH ; == 32
                             32OCTET ; == HMAC-SHA-256{Interest signed portion}

Provided that the signature verifies, this type of signature ensures the authenticity of the packet, namely, that it was signed by a party possessing the shared key, and that it was not altered in transit (integrity).
The shared key used to generate the HMAC signature can be identified by the :ref:`KeyLocator` element, e.g., by using the ``Name`` according to the application's naming conventions.
It is the application's responsibility to associate the shared key with the identities of the parties who hold the shared key.

.. danger::
    The shared secret key is not included in the signature and must not be included anywhere in the packet, as this would invalidate the security properties of HMAC.

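Extracting the signed portion of a Data packet and checking ``DigestSha256`` and ``SignatureHmacWithSha256`` values as defined above, as an added example that is not code from the specification or from an NDN library. The TLV-TYPE numbers come from the NDN type assignments rather than this page, and the function names, the constructed sample packet and the refusal of keys under 32 bytes are assumptions of this example.

```python
import hashlib
import hmac

# TLV-TYPE numbers: assumed from the NDN type assignments, not listed on this page.
DATA, NAME, COMPONENT, CONTENT, SIGNATURE_INFO = 0x06, 0x07, 0x08, 0x15, 0x16
SIGNATURE_VALUE, SIGNATURE_TYPE, KEY_LOCATOR = 0x17, 0x1B, 0x1C
DIGEST_SHA256, HMAC_WITH_SHA256 = 0, 4  # SignatureType values from the table

def read_varnum(buf, pos):
    """Decode one NDN variable-size number; return (value, next position)."""
    first = buf[pos:pos + 1]
    size = {b"\xfd": 2, b"\xfe": 4, b"\xff": 8}.get(first, 0)
    end = pos + 1 + size
    if not first or end > len(buf):
        raise ValueError("truncated TLV")
    return int.from_bytes(buf[pos + 1:end] if size else first, "big"), end

def read_tlvs(buf):
    """Return [(type, value, start offset)] for the TLV elements in buf."""
    out, pos = [], 0
    while pos < len(buf):
        typ, val_pos = read_varnum(buf, pos)
        length, val_pos = read_varnum(buf, val_pos)
        if val_pos + length > len(buf):
            raise ValueError("TLV-LENGTH runs past the buffer")
        out.append((typ, buf[val_pos:val_pos + length], pos))
        pos = val_pos + length
    return out

def verify_data(packet, hmac_key=None):
    """Verify a DigestSha256 or SignatureHmacWithSha256 Data packet.
    HMAC keys under 32 bytes are refused (local policy, an assumption)."""
    outer = read_tlvs(packet)
    if len(outer) != 1 or outer[0][0] != DATA:
        raise ValueError("expected a single Data element")
    body = outer[0][1]
    elems = read_tlvs(body)
    types = [t for t, _, _ in elems]
    if types[:1] != [NAME] or types[-2:] != [SIGNATURE_INFO, SIGNATURE_VALUE]:
        raise ValueError("need Name first and SignatureInfo SignatureValue last")
    _, sig, sig_start = elems[-1]
    signed_portion = body[:sig_start]  # Name up to, not including, SignatureValue
    fields = {t: v for t, v, _ in read_tlvs(elems[-2][1])}
    raw = fields.get(SIGNATURE_TYPE, b"")
    if len(raw) not in (1, 2, 4, 8):  # NonNegativeInteger encodings
        raise ValueError("missing or malformed SignatureType")
    sig_type = int.from_bytes(raw, "big")
    if sig_type == DIGEST_SHA256:  # KeyLocator forbidden; ignored if present
        expected = hashlib.sha256(signed_portion).digest()
    elif sig_type == HMAC_WITH_SHA256:
        if KEY_LOCATOR not in fields or hmac_key is None or len(hmac_key) < 32:
            raise ValueError("need KeyLocator and a shared key of at least 32 bytes")
        expected = hmac.new(hmac_key, signed_portion, hashlib.sha256).digest()
    else:
        raise ValueError("unsupported SignatureType %d" % sig_type)
    return len(sig) == 32 and hmac.compare_digest(sig, expected)  # constant time

def tlv(typ, value):
    """Encode a short TLV (type and length below 253), enough for the sample."""
    return bytes([typ, len(value)]) + value

def build_sample(sig_type, key=None):
    """Constructed sample Data: name /demo, Content 'hi'; HMAC if key is given."""
    locator = tlv(KEY_LOCATOR, tlv(NAME, tlv(COMPONENT, b"demo-key"))) if key else b""
    info = tlv(SIGNATURE_INFO, tlv(SIGNATURE_TYPE, bytes([sig_type])) + locator)
    signed = tlv(NAME, tlv(COMPONENT, b"demo")) + tlv(CONTENT, b"hi") + info
    mac = hmac.new(key, signed, hashlib.sha256) if key else hashlib.sha256(signed)
    return tlv(DATA, signed + tlv(SIGNATURE_VALUE, mac.digest()))
```
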
.. _SignatureEd25519:

SignatureEd25519
^^^^^^^^^^^^^^^^

``SignatureEd25519`` defines an Ed25519 public key signature that is calculated over the "signed portion" of an Interest or Data packet.
This signature algorithm is defined in :rfc:`RFC 8032, Section 5.1 <8032#section-5.1>`.

* The TLV-VALUE of ``SignatureType`` is 5
* ``KeyLocator`` is required

::

    SignatureValue = SIGNATURE-VALUE-TYPE
                     TLV-LENGTH
                     64OCTET ; == Ed25519{Data signed portion}

    InterestSignatureValue = INTEREST-SIGNATURE-VALUE-TYPE
                             TLV-LENGTH
                             64OCTET ; == Ed25519{Interest signed portion}

This type of signature, if verified, provides very strong assurances that a packet was created by the claimed producer (authentication/provenance) and was not tampered with while in transit (integrity).
The ``KeyDigest`` option in :ref:`KeyLocator` is defined as the SHA-256 digest over the DER encoding of the ``SubjectPublicKeyInfo`` for an Ed25519 key as defined by :rfc:`RFC 8410, Section 4 <8410#section-4>`.

.. _hierarchical trust model: https://named-data.net/publications/techreports/trpublishkey-rev2/