Signature
=========

.. _DataSignature:

Data Signature
--------------

The NDN Data packet signature is defined as two consecutive TLV elements: ``SignatureInfo`` and ``SignatureValue``.

::

    DataSignature = SignatureInfo SignatureValue

    SignatureInfo = SIGNATURE-INFO-TYPE TLV-LENGTH
                      SignatureType
                      [KeyLocator]

    SignatureValue = SIGNATURE-VALUE-TYPE TLV-LENGTH *OCTET

The ``SignatureInfo`` element fully describes the digital signature algorithm utilized and any other relevant information to locate its parent certificate(s), such as :ref:`KeyLocator`.

The ``SignatureValue`` element holds the actual bits of the signature. The exact encoding of the TLV-VALUE of this element depends on the specific signature type. See :ref:`SignatureTypes` for details.

The cryptographic signature contained in ``SignatureValue`` covers all TLV elements inside ``Data``, starting from ``Name`` and up to, but not including, ``SignatureValue``.
These TLV elements are hereby referred to as the "*signed portion*" of a Data packet.


.. _InterestSignature:

Interest Signature
------------------

The NDN Interest packet signature is defined as two consecutive TLV elements: ``InterestSignatureInfo`` and ``InterestSignatureValue``.

::

    InterestSignature = InterestSignatureInfo InterestSignatureValue

    InterestSignatureInfo = INTEREST-SIGNATURE-INFO-TYPE TLV-LENGTH
                              SignatureType
                              [KeyLocator]
                              [SignatureNonce]
                              [SignatureTime]
                              [SignatureSeqNum]

    InterestSignatureValue = INTEREST-SIGNATURE-VALUE-TYPE TLV-LENGTH *OCTET

The ``InterestSignatureInfo`` element fully describes the digital signature algorithm utilized and any other relevant information to locate its parent certificate(s), such as :ref:`KeyLocator`.
To ensure the uniqueness of a signed Interest and to mitigate potential replay attacks, the ``InterestSignatureInfo`` element SHOULD include at least one of the following elements (described below): ``SignatureNonce``, ``SignatureTime``, ``SignatureSeqNum``.

The ``InterestSignatureValue`` element holds the actual bits of the signature. The exact encoding of the TLV-VALUE of this element depends on the specific signature type. See :ref:`SignatureTypes` for details.

The cryptographic signature contained in ``InterestSignatureValue`` covers all the ``NameComponent`` elements in the Interest's ``Name`` up to, but not including, ``ParametersSha256DigestComponent``, and the complete TLV elements starting from ``ApplicationParameters`` up to, but not including, ``InterestSignatureValue``.
These TLV elements are hereby referred to as the "*signed portion*" of an Interest packet.


Signature Elements
------------------

SignatureType
^^^^^^^^^^^^^

::

    SignatureType = SIGNATURE-TYPE-TYPE TLV-LENGTH nonNegativeInteger

This specification defines the following values for ``SignatureType``:

+---------+----------------------------------------+-------------------------------------------------+
| Value   | Reference                              | Description                                     |
+=========+========================================+=================================================+
| 0       | :ref:`DigestSha256`                    | Integrity protection using a SHA-256 digest     |
+---------+----------------------------------------+-------------------------------------------------+
| 1       | :ref:`SignatureSha256WithRsa`          | Integrity and provenance protection using       |
|         |                                        | an RSA signature over a SHA-256 digest          |
+---------+----------------------------------------+-------------------------------------------------+
| 3       | :ref:`SignatureSha256WithEcdsa`        | Integrity and provenance protection using       |
|         |                                        | an ECDSA signature over a SHA-256 digest        |
+---------+----------------------------------------+-------------------------------------------------+
| 4       | :ref:`SignatureHmacWithSha256`         | Integrity and provenance protection using       |
|         |                                        | a SHA-256 hash-based message authentication code|
+---------+----------------------------------------+-------------------------------------------------+
| 2,5-200 |                                        | Reserved for future assignments                 |
+---------+----------------------------------------+-------------------------------------------------+
| >200    |                                        | Unassigned                                      |
+---------+----------------------------------------+-------------------------------------------------+

.. _KeyLocator:

KeyLocator
^^^^^^^^^^

A ``KeyLocator`` specifies either a ``Name`` that points to another Data packet containing a certificate or public key, or a ``KeyDigest`` that identifies the public key within a specific trust model (definition of the trust model is outside the scope of this specification).
Note that although ``KeyLocator`` is defined as an optional field in ``SignatureInfo`` and ``InterestSignatureInfo``, specific signature types may require its presence or absence.

::

    KeyLocator = KEY-LOCATOR-TYPE TLV-LENGTH (Name / KeyDigest)

    KeyDigest = KEY-DIGEST-TYPE TLV-LENGTH *OCTET

See :ref:`Name specification <Name>` for the definition of ``Name``.

The specific definition of the proper usage of the ``Name`` and ``KeyDigest`` options in the ``KeyLocator`` field is outside the scope of this specification.
Generally, ``Name`` names the Data packet containing the corresponding certificate.
However, it is up to the specific trust model to define whether this name is the full name of the Data packet or a prefix that can match multiple Data packets.
For example, the hierarchical trust model :cite:`testbed-key-management` uses the latter approach, requiring clients to fetch the latest version of the Data packet pointed to by ``KeyLocator`` (the latest version of the public key certificate) in order to ensure that the public key was not yet revoked.

.. _SignatureInfoNonce:

SignatureNonce
^^^^^^^^^^^^^^

::

    SignatureNonce = SIGNATURE-NONCE-TYPE
                     TLV-LENGTH ; == 4
                     4OCTET

The ``SignatureNonce`` element adds additional assurances that a signature will be unique.

.. _SignatureTime:

SignatureTime
^^^^^^^^^^^^^

::

    SignatureTime = SIGNATURE-TIME-TYPE TLV-LENGTH nonNegativeInteger

The value of the ``SignatureTime`` element is the timestamp of the signature, represented as the number of milliseconds since 1970-01-01T00:00:00Z (Unix epoch).
This element can be used to indicate that the packet was signed at a particular point in time.

.. _SignatureSeqNum:

SignatureSeqNum
^^^^^^^^^^^^^^^

::

    SignatureSeqNum = SIGNATURE-SEQ-NUM-TYPE TLV-LENGTH nonNegativeInteger

The ``SignatureSeqNum`` element adds additional assurances that a signature will be unique.
The ``SignatureSeqNum`` may be used to protect against replay attacks.

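One way a verifier could use ``SignatureNonce``, ``SignatureTime`` and ``SignatureSeqNum`` to reject replayed signed Interests, as an added Python example that is not part of the specification. The acceptance policy (skew limit, strict ordering, bounded nonce memory), the ``ReplayGuard`` class, the key name and the sample values are all assumptions made for illustration; the fields are taken as already decoded from ``InterestSignatureInfo``.

```python
from collections import OrderedDict


class ReplayGuard:
    """Freshness checks for signed Interests, tracked per signing key.

    The policy (skew limit, strict ordering, nonce memory) is an assumption
    of this example; the specification only defines the three fields.
    """

    def __init__(self, max_skew_ms=60_000, nonce_memory=1024):
        self.max_skew_ms = max_skew_ms
        self.nonce_memory = nonce_memory
        self._keys = {}  # key id -> last accepted time/seq and recent nonces

    def check(self, key_id, now_ms, nonce=None, sig_time=None, seq_num=None):
        """Return (accepted, reason); call only after the signature verified."""
        if nonce is None and sig_time is None and seq_num is None:
            return False, "no SignatureNonce/SignatureTime/SignatureSeqNum"
        st = self._keys.setdefault(
            key_id, {"time": -1, "seq": -1, "nonces": OrderedDict()})
        if nonce is not None:
            if len(nonce) != 4:
                return False, "SignatureNonce must be 4 octets"
            if nonce in st["nonces"]:
                return False, "SignatureNonce already seen"
        if sig_time is not None:
            if abs(now_ms - sig_time) > self.max_skew_ms:
                return False, "SignatureTime outside allowed skew"
            if sig_time <= st["time"]:
                return False, "SignatureTime not newer than last accepted"
        if seq_num is not None and seq_num <= st["seq"]:
            return False, "SignatureSeqNum not greater than last accepted"
        # Commit state only after every field that is present has passed.
        if nonce is not None:
            st["nonces"][nonce] = True
            while len(st["nonces"]) > self.nonce_memory:
                st["nonces"].popitem(last=False)  # forget the oldest nonce
        if sig_time is not None:
            st["time"] = sig_time
        if seq_num is not None:
            st["seq"] = seq_num
        return True, "ok"


# Constructed sample: decoded fields of five Interests signed by one key.
NOW = 1_700_000_000_000  # verifier clock, milliseconds since the Unix epoch
SAMPLE = [
    {"nonce": b"\x01\x02\x03\x04", "sig_time": NOW - 50, "seq_num": 7},
    {"nonce": b"\x01\x02\x03\x04", "sig_time": NOW - 50, "seq_num": 7},  # replay
    {"nonce": b"\xaa\xbb\xcc\xdd", "sig_time": NOW - 10, "seq_num": 8},
    {"nonce": b"\x10\x20\x30\x40", "sig_time": NOW - 3_600_000},  # stale
    {},  # carries none of the three elements
]


def run_sample():
    """Feed the constructed Interests to one guard and collect the reasons."""
    guard = ReplayGuard()
    key_id = "/lab/operator/KEY/1"  # hypothetical key name
    return [guard.check(key_id, NOW, **fields)[1] for fields in SAMPLE]
```

Because the nonce memory is bounded and the nonce is only 4 octets, a nonce on its own stops repeats only within the remembered window; pairing it with ``SignatureTime`` or ``SignatureSeqNum`` closes that gap.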

.. _SignatureTypes:

Different Types of Signatures
-----------------------------

Each signature type has different requirements on the format of its ``SignatureInfo`` and ``InterestSignatureInfo`` elements.
In the following sections, these requirements are specified along 2 dimensions:

* The TLV-VALUE of ``SignatureType``
* Whether ``KeyLocator`` is required/forbidden

.. _DigestSha256:

DigestSha256
^^^^^^^^^^^^

``DigestSha256`` provides no information about the provenance of a packet or any guarantee that the packet is from the original source.
This signature type is intended only for debug purposes and in the limited circumstances when it is necessary to protect only against unexpected modification during transmission.

``DigestSha256`` is defined as the SHA-256 hash of the "signed portion" of an Interest or Data packet:

* The TLV-VALUE of ``SignatureType`` is 0
* ``KeyLocator`` is forbidden; if present, it must be ignored

::

    SignatureValue = SIGNATURE-VALUE-TYPE
                     TLV-LENGTH ; == 32
                     32OCTET ; == SHA-256{Data signed portion}

    InterestSignatureValue = INTEREST-SIGNATURE-VALUE-TYPE
                             TLV-LENGTH ; == 32
                             32OCTET ; == SHA-256{Interest signed portion}

.. _SignatureSha256WithRsa:

SignatureSha256WithRsa
^^^^^^^^^^^^^^^^^^^^^^

``SignatureSha256WithRsa`` defines an RSA public key signature that is calculated over the SHA-256 hash of the "signed portion" of an Interest or Data packet.
It uses the RSASSA-PKCS1-v1_5 signature scheme, as defined in `RFC 8017, Section 8.2 <https://tools.ietf.org/html/rfc8017#section-8.2>`__.

* The TLV-VALUE of ``SignatureType`` is 1
* ``KeyLocator`` is required

::

    SignatureValue = SIGNATURE-VALUE-TYPE
                     TLV-LENGTH
                     1*OCTET ; == RSA over SHA-256{Data signed portion}

    InterestSignatureValue = INTEREST-SIGNATURE-VALUE-TYPE
                             TLV-LENGTH
                             1*OCTET ; == RSA over SHA-256{Interest signed portion}

.. note::

    The TLV-LENGTH of these elements varies depending on the length of the private key used for signing (e.g., 256 bytes for a 2048-bit key).

This type of signature, if verified, provides very strong assurances that a packet was created by the claimed producer (authentication/provenance) and was not tampered with while in transit (integrity).
The ``KeyDigest`` option in :ref:`KeyLocator` is defined as the SHA-256 digest over the DER encoding of the ``SubjectPublicKeyInfo`` for an RSA key as defined by `RFC 3279 <https://tools.ietf.org/html/rfc3279>`__.

.. note::

    It is the application's responsibility to define rules (a trust model) concerning when a specific issuer (``KeyLocator``) is authorized to sign a specific packet.
    While trust models are outside the scope of this specification, generally, trust models need to specify authorization rules between key names and Data packet names, as well as clearly define trust anchor(s).
    For example, an application can elect to use a hierarchical trust model :cite:`testbed-key-management` to ensure Data integrity and provenance.

.. _SignatureSha256WithEcdsa:

SignatureSha256WithEcdsa
^^^^^^^^^^^^^^^^^^^^^^^^

``SignatureSha256WithEcdsa`` defines an ECDSA public key signature that is calculated over the SHA-256 hash of the "signed portion" of an Interest or Data packet.
This signature algorithm is defined in `RFC 5753, Section 2.1 <http://tools.ietf.org/html/rfc5753#section-2.1>`__.
All NDN implementations MUST support this signature type with the NIST P-256 curve.

* The TLV-VALUE of ``SignatureType`` is 3
* ``KeyLocator`` is required

::

    SignatureValue = SIGNATURE-VALUE-TYPE
                     TLV-LENGTH
                     1*OCTET ; == ECDSA over SHA-256{Data signed portion}

    InterestSignatureValue = INTEREST-SIGNATURE-VALUE-TYPE
                             TLV-LENGTH
                             1*OCTET ; == ECDSA over SHA-256{Interest signed portion}

.. note::

    The TLV-LENGTH of these elements depends on the specific elliptic curve used for signing (e.g., up to 72 bytes for the NIST P-256 curve).

This type of signature, if verified, provides very strong assurances that a packet was created by the claimed producer (authentication/provenance) and was not tampered with while in transit (integrity).
The ``KeyDigest`` option in :ref:`KeyLocator` is defined as the SHA-256 digest of the DER encoding of the ``SubjectPublicKeyInfo`` for an EC key as defined by `RFC 5480 <https://tools.ietf.org/html/rfc5480>`__.

The value of ``SignatureValue`` of ``SignatureSha256WithEcdsa`` is a DER-encoded ``Ecdsa-Sig-Value`` structure as defined in `RFC 3279, Section 2.2.3 <http://tools.ietf.org/html/rfc3279#section-2.2.3>`__.

.. _SignatureHmacWithSha256:

SignatureHmacWithSha256
^^^^^^^^^^^^^^^^^^^^^^^

``SignatureHmacWithSha256`` defines a hash-based message authentication code (HMAC) that is calculated over the "signed portion" of an Interest or Data packet, using SHA-256 as the hash function, keyed with a shared secret key.
This signature algorithm is defined in `RFC 2104, Section 2 <http://tools.ietf.org/html/rfc2104#section-2>`__.

* The TLV-VALUE of ``SignatureType`` is 4
* ``KeyLocator`` is required

::

    SignatureValue = SIGNATURE-VALUE-TYPE
                     TLV-LENGTH ; == 32
                     32OCTET ; == HMAC-SHA-256{Data signed portion}

    InterestSignatureValue = INTEREST-SIGNATURE-VALUE-TYPE
                             TLV-LENGTH ; == 32
                             32OCTET ; == HMAC-SHA-256{Interest signed portion}

.. note::

    The shared secret key is not included in the signature and must not be included anywhere in the packet, as this would invalidate the security properties of HMAC.

.. note::

    As stated in `RFC 2104, Section 3 <http://tools.ietf.org/html/rfc2104#section-3>`__, shared keys shorter than the SHA-256 output byte length (32 bytes) are strongly discouraged.

Provided that the signature verifies, this type of signature ensures the authenticity of the packet, namely, that it was signed by a party possessing the shared key, and that it was not altered in transit (integrity).
The shared key used to generate the HMAC signature can be identified by the :ref:`KeyLocator` element, e.g., by using the ``Name`` according to the application's naming conventions.
It is the application's responsibility to associate the shared key with the identities of the parties who hold the shared key.

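The signed-portion rule from the Data Signature section together with the ``DigestSha256`` and ``SignatureHmacWithSha256`` requirements above, as an added Python example that is not part of the specification or of any NDN library. The TLV-TYPE numbers come from the NDN type assignment table rather than from this page; ``shared_keys``, ``KEY_NAME``, the short-key refusal and the sample packets are assumptions constructed for illustration, and only single-octet TLV headers are handled.

```python
import hashlib
import hmac

# TLV-TYPE numbers as assigned elsewhere in the NDN packet format (assumption:
# this page only uses the symbolic names such as SIGNATURE-INFO-TYPE).
DATA, NAME, COMPONENT, CONTENT = 0x06, 0x07, 0x08, 0x15
SIG_INFO, SIG_VALUE, SIG_TYPE, KEY_LOCATOR = 0x16, 0x17, 0x1B, 0x1C
DIGEST_SHA256, HMAC_SHA256 = 0, 4  # SignatureType values from the table above


def tlv(t, value):
    """Encode one TLV (single-octet type and length only)."""
    assert t < 253 and len(value) < 253
    return bytes([t, len(value)]) + value


def read_tlvs(buf):
    """Return [(type, value, start_offset)] for the TLVs in buf."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos] >= 253 or buf[pos + 1] >= 253:
            raise ValueError("truncated or multi-octet TLV header")
        end = pos + 2 + buf[pos + 1]
        if end > len(buf):
            raise ValueError("TLV-LENGTH runs past the enclosing element")
        out.append((buf[pos], buf[pos + 2:end], pos))
        pos = end
    return out


def split_data(packet):
    """Return (signed_portion, signature_type, key_locator_or_None, signature)."""
    outer = read_tlvs(packet)
    if len(outer) != 1 or outer[0][0] != DATA:
        raise ValueError("expected exactly one Data element")
    body = outer[0][1]
    elems = read_tlvs(body)
    types = [e[0] for e in elems]
    if len(elems) < 3 or types[0] != NAME or types[-2:] != [SIG_INFO, SIG_VALUE]:
        raise ValueError("expected Name ... SignatureInfo SignatureValue")
    # Signed portion: from Name up to, but not including, SignatureValue.
    signed = body[elems[0][2]:elems[-1][2]]
    info = {t: v for t, v, _ in read_tlvs(elems[-2][1])}
    if len(info.get(SIG_TYPE, b"")) not in (1, 2, 4, 8):
        raise ValueError("SignatureType missing or not a nonNegativeInteger")
    sig_type = int.from_bytes(info[SIG_TYPE], "big")
    return signed, sig_type, info.get(KEY_LOCATOR), elems[-1][1]


def verify_data(packet, shared_keys):
    """shared_keys maps a KeyLocator TLV-VALUE to an HMAC key (app convention)."""
    signed, sig_type, key_locator, sig = split_data(packet)
    if sig_type == DIGEST_SHA256:
        # KeyLocator is forbidden for this type; if present it is ignored.
        expected = hashlib.sha256(signed).digest()
    elif sig_type == HMAC_SHA256:
        key = shared_keys.get(key_locator)  # KeyLocator is required
        if key is None or len(key) < 32:    # short keys refused (local policy)
            return False
        expected = hmac.new(key, signed, hashlib.sha256).digest()
    else:
        return False  # RSA/ECDSA need certificate retrieval; not covered here
    # Both types carry exactly 32 octets; compare in constant time.
    return len(sig) == 32 and hmac.compare_digest(sig, expected)


def build_data(components, content, sig_type, key_locator=None, key=None):
    """Build a constructed sample Data packet (no MetaInfo)."""
    name = tlv(NAME, b"".join(tlv(COMPONENT, c) for c in components))
    info = tlv(SIG_TYPE, bytes([sig_type]))
    if key_locator is not None:
        info += tlv(KEY_LOCATOR, key_locator)
    signed = name + tlv(CONTENT, content) + tlv(SIG_INFO, info)
    mac = hmac.new(key, signed, hashlib.sha256) if key else hashlib.sha256(signed)
    return tlv(DATA, signed + tlv(SIG_VALUE, mac.digest()))


# Constructed sample key material: a KeyLocator Name and its 32-byte key.
KEY_NAME = tlv(NAME, tlv(COMPONENT, b"lab") + tlv(COMPONENT, b"hmac-key"))
KEYS = {KEY_NAME: bytes(range(32))}
```

A ``DigestSha256`` packet verifies for anyone who can recompute the hash, so a caller that needs provenance should also check which signature type was accepted, not only the boolean result.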

.. bibliography:: ndnspec-refs.bib