[Top] [All Lists]

Re: More on KEKIdentifiers, and a suggested addition to CMS

1999-03-09 21:02:46

I stayed silent to see if anyone would support your suggestion.  No one
spoke for it, but no one spke against it either.  I would like to heard
from the list members regarding this suggestion.  I do not consider silence
a reason to make an additional recipient type....


At 04:19 AM 2/21/99 +0000, Peter Gutmann wrote:
I don't know what the final resolution on optional vs mandatory
was, but I note that PKCS #15, which AFAIK is the first non-S/MIME use of CMS 
KEK encryption, already has to explicitly state that KEKIdentifiers are null 
strings wherever they occur because they're not useful for anything (actually 
there's a "not recommended" special-case use for them, see below).  I think 
this proves my earlier point that there's going to be very little use for a 
KEKIdentifier outside S/MIME, so that making it optional would be a good idea.

Looking at the way KEKRecipientInfo is being used in PKCS #15, there's a 
rather obvious recipient type missing from CMS: Password-based encryption.  
PKCS #15 has a hack for this which puts the key derivation information into 
the KEKIdentifier (this being the special-case use mentioned above), but I'm 
sure this isn't what it was intended for because it isn't a key identifier at 
all but contains the AlgorithmIdentifier for the password processing.  What's 
really needed is a new recipient type, PasswordRecipientInfo.  Included below 
is a suggestion for this which could drop directly into the CMS draft.


-- Snip --

6.2.4  PasswordRecipientInfo Type

  Recipient information using a user-supplied password is represented in the
  type PasswordRecipientInfo.  Each instance of PasswordRecipientInfo will
  transfer the content-encryption key to one or more recipients who have the
  previously agreed-upon password.

     PasswordRecipientInfo ::= SEQUENCE {
       version CMSVersion,  -- always set to 0
       keyDerivationAlgorithm KeyDerivationAlgorithmIdentifier,
       keyEncryptionAlgorithm ContentEncryptionAlgorithmIdentifier,
       encryptedKey EncryptedKey }

  The fields of type PasswordRecipientInfo have the following meanings:

     version is the syntax version number.  It shall always be 0.

     keyDerivationAlgorithm identifies the key-derivation algorithm, and any
     associated parameters, used to derive the key-encryption key from the
     user-supplied password.

     keyEncryptionAlgorithm identifies the content-encryption algorithm, and
     any associated parameters, used to encrypt the content-encryption key
     with the password-derived key-encryption key.

     encryptedKey is the result of encrypting the content-encryption key with
     the password-derived key-encryption key.

  The key derivation algorithms are:

     KeyDerivationAlgorithmIdentifer ALGORITHM-IDENTIFIER ::= {
       { IDENTIFIED BY id-PBKDF2 },

   For key derivation, CMS implementations must include PBKDF2 [PKCS5v2].
   For content (= key) encryption, CMS implementations must include 
   in CBC mode, should include RC2 in CBC mode, and may include other 
   algorithms (CAST-128, RC5, IDEA, Skipjack) and modes as required.  CMS 
   implementations should not include any KSG ciphers such as RC4.

-- Snip --


The ContentEncryptionAlgorithmIdentifier is something like:

     ContentEncryptionAlgorithmIdentifier ::= {
       { IDENTIFIED BY des-ede3-cbc },
       { IDENTIFIED BY rc2CBC },
       { IDENTIFIED BY cast5CBC },
       { IDENTIFIED BY rc5CBC },
       { IDENTIFIED BY ideaCBC },
       { IDENTIFIED BY desCBC },
       ... -- ... and anything else you can think of, eg Skipjack

but enumerating every possible one is superfluous as they're specified 

The content is encrypted is as per the KEK algorithm, but using the IV given 
in the ContentEncryptionAlgorithmIdentifier instead of a fixed IV - this is 
just standard CMS content encryption.  The advantage of using standard
OIDs is 
that it doesn't require defining a completely new set of OIDs which parallel 
all of the existing ones just to show that you're encrypting a key.  Another 
way to handle this is as EncryptedContentInfo (which just adds an extra 
SEQUENCE around the existing ContentEncryptionAlgorithmIdentifier + 
EncryptedContent (=EncryptedKey)), but this is probably going overboard.

(I'm prepared to accept a 'kekid [0] KEKIdentifier OPTIONAL' after the
number if that's what's required to get people's grunt of approval for the 

(Before people complain that you can't change the key wrap algorithm, if it 
ever does become necessary to change it (and I thought the point of the 
current key wrap design process was to build a solution once and for all), 
all you need to do is increment the RecipientInfo version number and add 
whatever you feel like).