[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

*To*: spki@c2.net*Subject*: Names of algorithms*From*: rivest@theory.lcs.mit.edu (Ron Rivest)*Date*: Tue, 01 Apr 97 18:19:30 EST*Cc*: blampson@microsoft.com, burt@rsa.com*Sender*: owner-spki@c2.net

This note outlines a scheme for naming cryptographic algorithms using S-expressions rather than a concatenation of byte-strings for the various components. I believe this approach is more modular and flexible. Some details still need to be worked out, but this note gives the flavor of the method. It is based on phone conversations with Carl Ellison and Burt Kaliski. The focus here is on digital signature algorithms. Remember than in SDSI/SPKI a "principal" IS a key for verifying a signature. The proposed format for the name of a signature (verification) algorithm is: ( <key-type> <hash-alg> <data-format-alg> <signature-alg> ) An example of such an algorithm name is ( public-key ( md5 ) ( pkcs1 ) ( rsa ( n &7823fca14457 ) ( e &03 ) ) ) First, note that the elements are in the order in which they are used: first you hash the message, then format the result of the hash for the signature algorithm, then apply the public-key algorithm. The second of these operations may be "no-op" for the identify transformation. Any of these elements may have further parameters. The algorithm-type may be either "public-key" (a verification key) "private-key" (for the private signing key), or "shared-secret-key" (for computing MAC's based on a shared secret key). The format of the remaining items is the same, although it is assumed that a share-secret-key "signature" algorithm is based on symmetric cryptography, so that the key must be kept secret. A collision-resistant hash algorithm is ALWAYS employed. This algorithm must produce an output small enough to be used by the latter processing steps. The following names are allowed (for now): md5 sha1 (The "no-op" operation is not allowed here, as it is not guaranteed to produce a short-enough output.) The data-formatting algorithm takes the hash output value, and prepares it for signing by appropriate transformations. The "no-op" value is OK here. The hash algorithm and the data-formatting operation work together to produce the value "actually signed". These values include pkcs1 no-op The signature algorithm specifies the algorithm and parameters necessary to verify the signature. The initial algorithms supported for the public-key algorithms are rsa dsa and for the secret-key algorithms hare hmac cbc-mac These latter algorithms may have parameters, e.g. ( cbc-mac ( iv &023456 ) ( rc5 ( w 64 ) ( r 20 ) ( b 10 ) ( k &012354769803aaffbbdd ) ) ) or ( hmac ( sha1 ) ) It is assumed that the signature algorithm produces either a byte string or an ordered list of byte-strings as output. (Some algorithms, such as DSA, have two outputs.) Obviously, this needs to be fleshed out with further specific algorithm names and transformations. Summary: We propose using four-part S-expressions to name signature algorithms.

**Re: Names of algorithms***From*: Carl Ellison <cme@cybercash.com>**Re: Names of algorithms***From*: Bill Frantz <frantz@netcom.com>

- Prev by Date:
**Implications of the new reduction algorithm** - Next by Date:
**Re: may-delegate (propagation control) proposal: "stop-at-key"** - Prev by thread:
**Implications of the new reduction algorithm** - Next by thread:
**Re: Names of algorithms** - Index(es):