|
RE: Section 12, take 2
1998-07-16 20:38:01
This was suppose to have gone to the list not just Paul.
I have had some more time to think on item #1 below and here are my updated
comments:
1. Key Encryption Algorithms should be divided into three different
sections:
12.3.1 Key Agreement Key Encryption Algorithms
used in KeyAgreeRecipientInfo.
Sub-sections are Static Diffie-Hellman with tripleDES and Static
Diffie-Hellman with RC2
12.3.2 Key Transport Key Encryption Algorithms
Used in KeyTransRecipientInfo
Sub-section would be RSA
12.3.3 Mail List Key Encryption Algorithms
Used in MailListRecipientInfo
Sub-Sections are Mail List tripleDES and Mail List RC2
Mail list key encryption is defined in this section. The key material used
to encrypt the message encryption key is distributed by an independent
mechinism. Two different mail list key encryption algorithms are defined by
this draft. CMS implementations must include mail list key encryption with
tripleDES if mail list key encrytion is implemtented. CMS implemeations may
also implement mail list key encryption with RC2.
12.3.3.1 Mail List Key Encryption with tripleDES
Mail list key encryption with triple DES has the algorithm identifier
id-smime-cms-mlk-with-tripleDES ::= {TBD}
The AlgorithmIdentifier parameter field must be encoded as ASN.1 NULL.
Distribution of the key material used to encryption the message encryption
key is out of the scope of this document.
12.3.3.2 Mail List Key Encryption with RC2
Mail list key encryption with RC2 has the algorithm identifier
id-smime-cms-mlk-with-rC2 ::= {TBD}
For the effective-key-bits (key size) greater than 32 and less than 256, the
algorithm parameters are encoded as:
id-smime-cms-dh-with-rC2 parameter ::= SEQUENCE {
rc2ParameterVersion INTEGER,
iv OCTET STRING (8)}
For the effective-key-bits of 40, 64, and 128, the rc2ParameterVersion
values are 160, 120, 58 respectively. It is very important to note that
these values are not simply the RC2 keylength. Also note that the value 160
must be encoded as two octets (00 A0), because encoding as one octet (A0) is
a negative number in ASN.1.
jim
-----Original Message-----
From: Jim Schaad (Exchange)
Sent: Thursday, July 16, 1998 3:59 PM
To: 'Paul Hoffman / IMC'
Subject: RE: Section 12, take 2
Comments take 2
1. Section 12.3 - the set of Key Encrytion Algs is not what
will be used for MailListReipientInfo. This should be if the
form id-smime-cms-with-tripleDES. THere is no static d-h as
the bulk key to do the key encryption is what is distributed
as the mail list key.
2. Section 12.5.1 Change "CBCParameter :: IV" to
"CBCParameter ::= IV"
3. Section 12.1.1 - My dev people are saying that they
really want to include a NULL parameter for SHA just like
Eric says should be done for the MD5 ones. Where did you see
the docs saying omit the parameters so that I can reference
it to my people. Or should we just make them all consistant.
-----Original Message-----
From: Paul Hoffman / IMC [mailto:phoffman(_at_)imc(_dot_)org]
Sent: Wednesday, July 15, 1998 9:01 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Section 12, take 2
Here's the second pass on CMS section 12. I think I included all
of the comments other than Jim's about padding, which I didn't
see where it would go.
DO NOT CODE TO THIS MESSAGE. Y'all saw how many errors
there were in the first draft; I expect that there are still
some here.
Please review it carefully and post comments to the list. Won't
Russ be pleased when he comes back from vacation? :-)
12 Supported Algorithms
This section lists the algorithms that must be implemented.
Additional algorithms that may be implemented are also included.
12.1 Digest Algorithms
CMS implementations must include SHA-1. CMS implementations
may include MD5.
Digest algorithm identifiers are used in the SignedData
digestAlgorithms
field, the SignerInfo digestAlgorithm field, and the DigestedData
digestAlgorithm field.
Digest values are located in the DigestedData digest field.
In addition,
digest values are located in the Message Digest authenticated
attribute.
12.1.1 SHA-1
The SHA-1 digest algorithm is defined in FIPS Pub 180-1 [FIPS
180-1]. The
algorithm identifier for SHA-1 is:
sha-1 OBJECT IDENTIFIER ::= {iso(1)
identified-organization(3) oiw(14)
secsig(3) algorithm(2) 26}
The AlgorithmIdentifier parameter field is optional. If
present, the
parameter field must contain an ASN.1 NULL. Implementations should
generate SHA-1 AlgorithmIdentifiers with the parameter field
containing a
NULL value. Implementations should accept SHA-1
AlgorithmIdentifiers with
NULL parameters as well as absent parameters. Note that current CMS
implementations encode SHA-1 both with and without the NULL
attributes.
12.1.2 MD5
The MD5 digest algorithm is defined in RFC 1321. The algorithm
identifier for MD5 is:
md5 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
rsadsi(113549) digestAlgorithm(2) 5}
The AlgorithmIdentifier parameter field is optional. If
present, the
parameter field must contain an ASN.1 NULL. Implementations should
generate MD5 AlgorithmIdentifiers with the parameter field
containing a
NULL value. Implementations should accept MD5
AlgorithmIdentifiers with
NULL parameters as well as absent parameters. Note that current CMS
implementations encode MD5 both with and without the NULL
attributes.
12.2 Signature Algorithms
CMS implementations must include DSA. CMS implementations
may include RSA.
Signature algorithm identifiers are used in the SignerInfo
signatureAlgorithm field.
12.2.1 DSA
The DSA signature algorithm is defined in FIPS Pub 186
[FIPS 186]. The
algorithm identifier for DSA is:
id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) x9-57 (10040) x9cm(4) 3 }
The AlgorithmIdentifier parameter field must not be present.
12.2.2 RSA
The RSA signature algorithm is defined in RFC 2313 as
modified below. The
algorithm identifier for RSA is:
rsaEncryption OBJECT IDENTIFIER ::= {iso(1)
member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-1(1) 1}
The AlgorithmIdentifier parameter field is optional. If
present, the
parameter field must contain an ASN.1 NULL. Implementations should
generate RSA AlgorithmIdentifiers with the parameter field
containing a
NULL value. Implementations should accept RSA
AlgorithmIdentifiers with
NULL parameters as well as absent parameters. Note that current CMS
implementations encode RSA both with and without the NULL
attributes.
This specification modifies RFC 2313 to include SHA-1 as an
additional
digest algorithm. Section 10.1.2 of RFC 2313 is modified to
list SHA-1
in the bullet item about digestAlgorithm. The following OID
is added to
the list in section 10.1.2 of RFC 2313:
sha-1 OBJECT IDENTIFIER ::= {iso(1)
identified-organization(3) oiw(14)
secsig(3) algorithm(2) 26}
12.3 Key Encryption Algorithms
CMS implementations must include Static Diffie-Hellman with
tripleDES. CMS
implementations may include RSA. CMS implementations may include
Static Diffie-Hellman with RC2.
Key encryption algorithms are used in the KeyTransRecipientInfo
keyEncryptionAlgorithm field, in the KeyAgreeRecipientInfo
keyEncryptionAlgorithm field, and in the MailListRecipientInfo
keyEncryptionAlgorithm field. These are all part of the
RecipientInfo
type, which is part of the EnvelopedData type.
12.3.1 Static Diffie-Hellman with tripleDES
Static Diffie-Hellman key encryption is defined in RFC TBD
(Diffie-Hellman
Key Agreement Method, currently draft-ietf-smime-x942). The
algorithm
identifier for static Diffie-Hellman with tripleDES is
id-smime-cms-dh-with-tripleDES ::= { TBD }
The AlgorithmIdentifier parameter field is optional. If
present, the
parameter field must contain an ASN.1 NULL. Implementations should
generate Static Diffie-Hellman AlgorithmIdentifiers with
the parameter
field containing a NULL value. Implementations should accept Static
Diffie-HellmanAlgorithmIdentifiers with NULL parameters as
well as absent
parameters.
12.3.2 RSA
The RSA encryption algorithm is defined in RFC 2313 as
modified below. The
algorithm identifier for RSA is:
rsaEncryption OBJECT IDENTIFIER ::= {iso(1)
member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-1(1) 1}
The AlgorithmIdentifier parameter field is optional. If
present, the
parameter field must contain an ASN.1 NULL. Implementations should
generate RSA AlgorithmIdentifiers with the parameter field absent.
Implementations should accept RSA AlgorithmIdentifiers with
NULL parameters
as well as absent parameters. Note that current CMS
implementations encode
RSA both with and without the NULL attributes.
This specification modifies RFC 2313 to include SHA-1 as an
additional
digest algorithm. Section 10.1.2 of RFC 2313 is modified to
list SHA-1
in the bullet item about digestAlgorithm. The following OID
is added to
the list in section 10.1.2 of RFC 2313:
sha-1 OBJECT IDENTIFIER ::= {iso(1)
identified-organization(3) oiw(14)
secsig(3) algorithm(2) 26}
12.3.3 Static Diffie-Hellman with RC2
Diffie-Hellman key encryption is defined in RFC TBD
(Diffie-Hellman Key
Agreement Method, currently draft-ietf-smime-x942). The algorithm
identifier for static Diffie-Hellman with RC2 is
id-smime-cms-dh-with-rC2 ::= { TBD }
For the effective-key-bits (key size) greater than 32 and less than
256, the algorithm parameters are encoded as:
id-smime-cms-dh-with-rC2 parameter ::= SEQUENCE {
rc2ParameterVersion INTEGER,
iv OCTET STRING (8)}
For the effective-key-bits of 40, 64, and 128, the
rc2ParameterVersion
values are 160, 120, 58 respectively. It is very important to
note that
these values are not simply the RC2 keylength. Also note that
the value 160
must be encoded as two octets (00 A0), because encoding as
one octet (A0)
is a negative number in ASN.1.
12.4 Triple-DES Key Wrap
{{{Jim Schaad wanted this to be more general, and will come
up with the
wording to make it so.}}}
The block size of the key-encryption algorithm can be
determined from the CMS
KeyEncryptionAlgorithmIdentifier protocol field. Likewise,
the size of the
content-encryption key can be determined from the CMS
ContentEncryptionAlgorithmIdentifier protocol field.
Triple-DES may be an
exception here; the same identifier is used for both 2-key
and 3-key Triple
DES. This is probably easily handled by always wrapping
three keys, even if
the first and third keys match.
The key checksum algorithm is:
1. Initialize two 16 bit integers, sum1 and sum2, to zero.
2. Loop through the octets of the content-encryption key, most
significant octet to least significant octet.
2a. Create a 16 bit integer, called temp, by concatenating
8 zero bits and the key octet.
2b. sum1 = sum1 + temp.
2c. sum2 = sum2 + sum1.
3. Use sum2 as the checksum value.
The key wrap algorithm is:
1. Adjust the parity bits on the Triple-DES keys.
2. Compute a 16-bit key checksum value on the content-encryption
key as described above.
3. Generate a 4-octet random salt value.
4. Concatenate the salt, content-encryption key, and key
checksum value.
5. Generate the number of pad octets necessary to make the
result a multiple of 8 bytes (the Triple-DES algorithm block
size), then append them to the result.
{{{Is this a constant or random pad???}}}
6. Encrypt the result with the tripleDES key. Use an IV
with each octet equal to 'A5' hexadecimal.
The key unwrap algorithm is:
1. Decrypt the wrapped ciphertext using the key-encryption key.
Use an IV with each octet equal to 'A5' hexadecimal.
2. Check the parity of the content encryption keys. If any is
incorrect then there is an error.
3. Compute a 16-bit key checksum value on the content-encryption
key as described above.
4. If computed key checksum value does not match the decrypted
key checksum value, then there is an error.
12.5 Content Encryption Algorithms
CMS implementations must include Triple-DES in CBC mode. CMS
implementations may include DES in CBC mode and RC2 in CBC mode.
Content encryption algorithms appear in the EncryptedContentInfo
contentEncryptionAlgorithm field, which is part of the
EnvelopedData type
and the EncryptedData type.
12.5.1 Triple-DES CBC
The Triple-DES algorithm is described in [3DES]. The
algorithm identifier
for Triple-DES is:
DES-EDE3-CBC OBJECT IDENTIFIER ::= {iso(1)
member-body(2) us(840)
rsadsi(113549) encryptionAlgorithm(3) 7}
The AlgorithmIdentifier parameter field is required and has
the structure:
CBCParameter :: IV
IV ::= OCTET STRING -- 8 octets.
12.5.2 DES CBC
The DES algorithm in CBC mode is described in [DES]. The algorithm
identifier for DES in CBC mode is:
DES-CBC OBJECT IDENTIFIER ::= {iso(1) identified-organization(3)
oiw(14) secsig(3) algorithm(2) 7}
The AlgorithmIdentifier parameter field is required and has
the structure:
CBCParameter ::= IV
IV ::= OCTET STRING -- 8 octets.
12.5.3 RC2 CBC
The RC2 algorithm is described in RFC 2268. The algorithm
identifier for
RC2 in CBC mode is:
RC2-CBC OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
rsadsi(113549) encryptionAlgorithm(3) 2}
For the effective-key-bits (key size) greater than 32 and less than
256, the RC2-CBC algorithm parameters are encoded as:
RC2-CBC parameter ::= SEQUENCE {
rc2ParameterVersion INTEGER,
iv OCTET STRING (8)}
For the effective-key-bits of 40, 64, and 128, the
rc2ParameterVersion
values are 160, 120, 58 respectively. It is very important to
note that
these values are not simply the RC2 keylength. Also note that
the value 160
must be encoded as two octets (00 A0), because encoding as
one octet (A0)
is a negative number in ASN.1.
12.6 Message Authentication Code Algorithms
No MAC algorithms are mandatory. CMS implementations may
include DES
MAC and HMAC.
MAC algorithms appear in the AuthenticatedData mac field.
12.6.1 DES MAC
The DES MAC algorithm is described in FIPS Pub 113 [FIPS-113]. The
algorithm identifier for DES MAC is:
DES-MAC OBJECT IDENTIFIER ::= { iso(1)
identified-organization(3)
oiw(14) secsig(3) algorithm(2) 10 }
The AlgorithmIdentifier parameter field is required. It is an
INTEGER, and
carries the length in bits of the MAC, constrained to
multiples of eight
from 16 to 64.
12.6.2 HMAC-SHA1
The HMAC-SHA1 algorithm is described in RFC 2104. The
algorithm identifier for
HMAC-SHA1 is:
HMAC-SHA1 OBJECT IDENTIFIER ::= {iso(1)
identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) 8 1 2}
The AlgorithmIdentifier parameter field must not be present.
{{{References added}}}
3DES W. Tuchman. "Hellman Presents No Shortcut Solutions To
DES". IEEE
Spectrum, v. 16, n. 7, pp40-41. July 1979.
DES American National Standards Institute. ANSI X3.106,
"American National
Standard for Information Systems- Data Link Encryption". 1983.
FIPS 113 National Institute of Standards and Technology.
FIPS Pub 113:
Computer Data Authentication. May 1985.
FIPS 180-1 National Institute of Standards and Technology.
FIPS Pub 180-1:
Secure Hash Standard. April 1995.
FIPS 186 National Institute of Standards and Technology.
FIPS Pub 186:
Digital Signature Standard. May 1994.
RFC 1321 Rivest, R. The MD5 Message Digest Algorithm. April 1992.
RFC 2104 Krawczyk, H. HMAC: Keyed-Hashing for Message
Authentication.
February 1997.
RFC 2268 Rivest, R. A Description of the RC2 (r) Encryption
Algorithm.
March 1998.
X9.42 ANSI X9.42-199x. Public Key Cryptography for The
Financial Services
Industry: Agreement of Symmetric Algorithm Keys Using Diffie-Hellman
(Working Draft). December 1997.
--Paul Hoffman, Director
--Internet Mail Consortium
| <Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Section 12, take 2, Paul Hoffman / IMC
- RE: Section 12, take 2, Jim Schaad (Exchange)
- RE: Section 12, take 2, Blake Ramsdell
- RE: Section 12, take 2, Jim Schaad (Exchange)
- RE: Section 12, take 2, Blake Ramsdell
- RE: Section 12, take 2,
Jim Schaad (Exchange) <=
- RE: Section 12, take 2, Blake Ramsdell
- RE: Section 12, take 2, Jim Schaad (Exchange)
|
|
|