blob: 319330ff7befa992c6b7043ebfe16b7fd7ab2e6b [file] [log] [blame]
Alexander Afanasyeve2800232013-11-27 02:24:14 +00001.. _Signature:
Alexander Afanasyeveee8c252013-11-21 23:22:41 +00002
3Signature
4---------
5
Alexander Afanasyeve2800232013-11-27 02:24:14 +00006NDN Signature is defined as two consecutive TLV blocks: ``SignatureInfo`` and ``SignatureValue``.
7The following general considerations about SignatureInfo and SignatureValue blocks that apply for all signature types:
Alexander Afanasyeveee8c252013-11-21 23:22:41 +00008
Alexander Afanasyeve2800232013-11-27 02:24:14 +000091. ``SignatureInfo`` is **included** in signature calculation and fully describes the signature, signature algorithm, and any other relevant information to obtain parent certificate(s), such as :ref:`KeyLocator`
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000010
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000112. ``SignatureValue`` is **excluded** from signature calculation and represent actual bits of the signature and any other supporting signature material.
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000012
Alexander Afanasyeve2800232013-11-27 02:24:14 +000013::
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000014
Alexander Afanasyeve2800232013-11-27 02:24:14 +000015 Signature ::= SignatureInfo
16 SignatureBits
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000017
Alexander Afanasyeve2800232013-11-27 02:24:14 +000018 SignatureInfo ::= SIGNATURE-INFO-TYPE TLV-LENGTH
19 SignatureType
20 ... (SignatureType-specific TLVs)
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000021
Alexander Afanasyev23c2e412014-02-12 19:53:48 +000022 SignatureValue ::= SIGNATURE-VALUE-TYPE TLV-LENGTH
Jeff Thompsond4225d42014-06-09 12:32:21 -070023 ... (SignatureType-specific TLVs and
Alexander Afanasyeve2800232013-11-27 02:24:14 +000024 BYTE+
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000025
Alexander Afanasyeve2800232013-11-27 02:24:14 +000026SignatureType
27~~~~~~~~~~~~~
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000028
Alexander Afanasyeve2800232013-11-27 02:24:14 +000029::
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000030
Alexander Afanasyeve2800232013-11-27 02:24:14 +000031 SignatureType ::= SIGNATURE-TYPE-TYPE TLV-LENGTH
32 nonNegativeInteger
Jeff Thompsond4225d42014-06-09 12:32:21 -070033
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000034
Alexander Afanasyeve2800232013-11-27 02:24:14 +000035This specification defines the following SignatureType values:
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000036
Jeff Thompsond4225d42014-06-09 12:32:21 -070037+---------+----------------------------------------+-------------------------------------------------+
38| Value | Reference | Description |
39+=========+========================================+=================================================+
40| 0 | :ref:`DigestSha256` | Integrity protection using SHA-256 digest |
41+---------+----------------------------------------+-------------------------------------------------+
42| 1 | :ref:`SignatureSha256WithRsa` | Integrity and provenance protection using |
43| | | RSA signature over a SHA-256 digest |
44+---------+----------------------------------------+-------------------------------------------------+
45| 3 | :ref:`SignatureSha256WithEcdsa` | Integrity and provenance protection using |
46| | | an ECDSA signature over a SHA-256 digest |
47+---------+----------------------------------------+-------------------------------------------------+
48| 2,4-200 | | reserved for future assignments |
49+---------+----------------------------------------+-------------------------------------------------+
50| >200 | | unassigned |
51+---------+----------------------------------------+-------------------------------------------------+
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000052
Alexander Afanasyeve2800232013-11-27 02:24:14 +000053.. +-------+----------------------------------------+-------------------------------------------------+
54.. | 2 | :ref:`SignatureSha256WithRsaAndMerkle` | Integrity and provenance protection using |
55.. | | | RSA signature over SHA-256-Merkle-Hash digest. |
56.. | | | |
57.. | | | This signature type defines an aggregated |
58.. | | | signing algorithm that reduces cost of signing |
59.. | | | of a large segmented content (e.g., video file).|
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000060
Alexander Afanasyeve2800232013-11-27 02:24:14 +000061.. _DigestSha256:
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000062
Alexander Afanasyeve2800232013-11-27 02:24:14 +000063DigestSha256
64^^^^^^^^^^^^
Alexander Afanasyeveee8c252013-11-21 23:22:41 +000065
Alexander Afanasyeve2800232013-11-27 02:24:14 +000066``DigestSha256`` provides no provenance of a Data packet or any kind of guarantee that packet is from the original source.
67This signature type is indended only for debug purposes and limited circumstances when it is necessary to protect only against unexpected modification during the transmition.
68
69``DigestSha256`` is defined as a SHA256 hash of the :ref:`Name`, :ref:`MetaInfo`, :ref:`Content`, and :ref:`SignatureInfo <Signature>` TLVs:
70
71::
72
73 SignatureInfo ::= SIGNATURE-INFO-TYPE TLV-LENGTH(=3)
74 SIGNATURE-TYPE-TYPE TLV-LENGTH(=1) 0
75
Alexander Afanasyev23c2e412014-02-12 19:53:48 +000076 SignatureValue ::= SIGNATURE-VALUE-TYPE TLV-LENGTH(=32)
77 BYTE+(=SHA256{Name, MetaInfo, Content, SignatureInfo})
Alexander Afanasyeve2800232013-11-27 02:24:14 +000078
79
80.. _SignatureSha256WithRsa:
81
82SignatureSha256WithRsa
83^^^^^^^^^^^^^^^^^^^^^^
84
85``SignatureSha256WithRsa`` is the basic signature algorithm that MUST be supported by any NDN-compliant software.
86As suggested by the name, it defines an RSA public key signature that is calculated over SHA256 hash of the :ref:`Name`, :ref:`MetaInfo`, :ref:`Content`, and :ref:`SignatureInfo <Signature>` TLVs.
87
88
89::
90
91 SignatureInfo ::= SIGNATURE-INFO-TYPE TLV-LENGTH
92 SIGNATURE-TYPE-TYPE TLV-LENGTH(=1) 1
93 KeyLocator
94
Alexander Afanasyev23c2e412014-02-12 19:53:48 +000095 SignatureValue ::= SIGNATURE-VALUE-TYPE TLV-LENGTH
96 BYTE+(=RSA over SHA256{Name, MetaInfo, Content, SignatureInfo})
Alexander Afanasyeve2800232013-11-27 02:24:14 +000097
Alexander Afanasyev16962fc2014-02-12 19:53:47 +000098.. note::
99
100 SignatureValue size varies (typically 128 or 256 bytes) depending on the private key length used during the signing process.
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000101
102This type of signature ensures strict provenance of a Data packet, provided that the signature verifies and signature issuer is authorized to sign the Data packet.
Jeff Thompsond4225d42014-06-09 12:32:21 -0700103The signature issuer is identified using :ref:`KeyLocator` block in :ref:`SignatureInfo <Signature>` block of ``SignatureSha256WithRsa``.
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000104See :ref:`KeyLocator section <KeyLocator>` for more detail.
105
106.. note::
107
108 It is application's responsibility to define rules (trust model) of when a specific issuer (KeyLocator) is authorized to sign a specific Data packet.
109 While trust model is outside the scope of the current specification, generally, trust model needs to specify authorization rules between KeyName and Data packet Name, as well as clearly define trust anchor(s).
Jeff Thompsond4225d42014-06-09 12:32:21 -0700110 For example, an application can elect to use hierarchical trust model :cite:`testbed-key-management` to ensure Data integrity and provenance.
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000111
112 .. bibliography:: ndnspec-refs.bib
113
Jeff Thompsond4225d42014-06-09 12:32:21 -0700114.. _SignatureSha256WithEcdsa:
115
116SignatureSha256WithEcdsa
117^^^^^^^^^^^^^^^^^^^^^^^^
118
119``SignatureSha256WithEcdsa`` defines an ECDSA public key signature that is calculated over the SHA256 hash of the :ref:`Name`, :ref:`MetaInfo`, :ref:`Content`, and :ref:`SignatureInfo <Signature>` TLVs.
120The signature algorithm is defined in `[RFC5753], Section 2.1 <http://tools.ietf.org/html/rfc5753#section-2.1>`_.
121
122::
123
124 SignatureInfo ::= SIGNATURE-INFO-TYPE TLV-LENGTH
125 SIGNATURE-TYPE-TYPE TLV-LENGTH(=1) 3
126 KeyLocator
127
128 SignatureValue ::= SIGNATURE-VALUE-TYPE TLV-LENGTH
129 BYTE+(=ECDSA over SHA256{Name, MetaInfo, Content, SignatureInfo})
130
131.. note::
132
133 The SignatureValue size depends on the private key length used during the signing process (about 63 bytes for a 224 bit key).
134
135This type of signature ensures strict provenance of a Data packet, provided that the signature verifies and the signature issuer is authorized to sign the Data packet.
136The signature issuer is identified using the :ref:`KeyLocator` block in the :ref:`SignatureInfo <Signature>` block of the ``SignatureSha256WithEcdsa``.
137A KeyLocatorDigest is defined over the DER encoding of the SubjectPublicKeyInfo for an EC key as defined by `RFC 5480 <http://www.ietf.org/rfc/rfc5480.txt>`_.
138See the :ref:`KeyLocator section <KeyLocator>` for more detail.
139
140The value of ``SignatureValue`` of ``SignatureSha256WithEcdsa`` is a DER encoded DSA signature as defined in `Section 2.2.3 in RFC 3279 <http://tools.ietf.org/html/rfc3279#section-2.2.3>`_.
141
142::
143
144 Ecdsa-Sig-Value ::= SEQUENCE {
145 r INTEGER,
146 s INTEGER }
147
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000148.. .. _SignatureSha256WithRsaAndMerkle:
149
150.. SignatureSha256WithRsaAndMerkle
151.. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
152
153.. ::
154
155.. SignatureInfo ::= SIGNATURE-INFO-TYPE TLV-LENGTH
156.. SIGNATURE-TYPE-TYPE TLV-LENGTH(=1) 2
157.. KeyLocator
158
Alexander Afanasyev23c2e412014-02-12 19:53:48 +0000159.. SignatureValue ::= SIGNATURE-VALUE-TYPE TLV-LENGTH
160.. BYTE+(=RSA over SHA256{Name, MetaInfo, Content, SignatureInfo})
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000161.. Witness
162
163.. Witness ::= WITNESS-TYPE TLV-LENGTH BYTE+
164
165.. _KeyLocator:
166
167KeyLocator
168~~~~~~~~~~
169
170A ``KeyLocator`` specifies a name that points to another Data packet containing certificate or public key, or can be used by the specific trust model in another way to verify the the content.
171
172::
173
Alexander Afanasyevfffabfb2013-12-11 21:29:05 +0000174 KeyLocator ::= KEY-LOCATOR-TYPE TLV-LENGTH KeyLocatorValue
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000175
Alexander Afanasyevfffabfb2013-12-11 21:29:05 +0000176 KeyLocatorValue ::= Name |
177 KeyLocatorDigest |
178 ...
179
180 KeyLocatorDigest ::= KEY-LOCATOR-DIGEST-TYPE TLV-LENGTH BYTE+
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000181
182.. note::
183
184 KeyLocator has meaning only for specific trust model and the current specification does not imply or suggest use of any specific trust model.
Alexander Afanasyevfffabfb2013-12-11 21:29:05 +0000185 Generally, KeyLocator should point to another Data packet which is interpreted by the trust model, but trust model can allow alternative forms of the KeyLocator.
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000186
187 For example, one can define a trust model that does not interpret KeyLocator at all (KeyLocator MUST be present, but TLV-LENGTH could be 0) and uses naming conventions to infer proper public key or public key certificate for the name of the Data packet itself.
Alexander Afanasyevfffabfb2013-12-11 21:29:05 +0000188 Another possibility for the trust model is to define digest-based KeyLocatorValue (``KeyLocatorDigest``), where RSA public key will be identified using SHA256 digest, assuming that the trust model has some other means to obtain the public key.
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000189
Alexander Afanasyeveee8c252013-11-21 23:22:41 +0000190
191Changes from CCNx
192~~~~~~~~~~~~~~~~~
193
194- ``Signature`` is moved to the end of Data packet.
195
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000196- ``KeyLocator`` is moved to be a part of the ``SignatureInfo`` block, if it is applicable for the specific signature type.
197 The rationale for the move is to make Signature (sequence of ``SignatureInfo`` and ``SignatureValue`` TLVs) self-contained and self-sufficient.
Alexander Afanasyeveee8c252013-11-21 23:22:41 +0000198
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000199- Signature type (or signing method information) is expressed as an assigned integer value (with no assumed default), rather than OID.
Alexander Afanasyeveee8c252013-11-21 23:22:41 +0000200
201- Added support for cheaper signatures
202
Alexander Afanasyeve2800232013-11-27 02:24:14 +0000203- The current specification does not define Merkle Hash Tree Aggregated Signatures, but it is expected that such (or similar) signatures will be defined in future version of this specification.