L. Martin S/MIME Working Group M. Schertler Internet Draft Voltage Security Expires: April 2007 October 2006 Using the Boneh-Franklin and Boneh-Boyen identity-based encryption algorithms with the Cryptographic Message Syntax (CMS) Status of this Document By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html Abstract This document describes the conventions for using the Boneh-Franklin (BF) and Boneh-Boyen (BB1) identity-based encryption algorithms in the Cryptographic Message Syntax (CMS) to encrypt content encryption keys. Object identifiers and the convention for encoding a recipient's identity are also defined. Martin, Schertler Expires April 2007 [Page 1] Internet-Draft Using IBE with CMS October 2006 Table of Contents 1. Introduction...................................................2 1.1. Terminology...............................................3 2. Using identity-based encryption................................3 3. Algorithm object identifiers...................................6 4. Processing by the sender.......................................6 5. Processing by the receiver.....................................7 6. ASN.1 Module...................................................8 7. Security Considerations........................................9 7.1. Attacks that are outside the scope of this document.......9 7.2. Attacks that are within the scope of this document........9 7.3. Attacks that the protocols defined in this document are susceptible to................................................10 7.4. Attacks that the protocols defined in this document protect against.......................................................10 8. IANA Considerations...........................................10 9. References....................................................11 9.1. Normative References.....................................11 Authors' Addresses...............................................12 Intellectual Property Statement..................................12 Disclaimer of Validity...........................................12 Copyright Statement..............................................13 Acknowledgment...................................................13 1. Introduction This document defines the steps needed to use the Boneh-Franklin [BF] and Boneh-Boyen [BB1] identity-based encryption (IBE) public-key algorithms in the Cryptographic Message Syntax (CMS) [CMS]. IBE is a public key technology for encrypting content-encryption keys (CEKs) that can be implemented within the framework of the CMS: the recipient's identity is incorporated into the EnvelopedData CMS content type using the OtherRecipientInfo CHOICE in the RecipientInfo field as defined in section 6.2.5 of [CMS]. This document does not describe the implementation of the BF and BB1 algorithms, which are described in detail in [IBCS]. IBE algorithms are a type of public-key cryptographic algorithm in which the public key is calculated directly from a user's identity instead of being generated randomly. This requires a different set of steps for encryption and decryption than would be used with other public-key algorithms, and these steps are defined in Sections 4 and 5 of this document respectively. Martin, Schertler Expires April 2007 [Page 2] Internet-Draft Using IBE with CMS October 2006 This document also defines the object identifiers and syntax of the object that is used to define the identity of a message recipient. CMS values and identity objects are defined using ANS.1 [ASN1]. 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC-2119 [KEYWORDS]. 2. Using identity-based encryption To use IBE, the OtherRecipientInfo field MUST be set to an IBEOtherRecipient type. IBEOtherRecipientInfo ::= SEQUENCE { ibeORIType OBJECT IDENTIFIER, ibeORIValue IBERecipientInfo } The fields of IBEOtherRecipientInfo have the following meanings: ibeORIType defines the object identifier (OID) that indicates that the subsequent ibeORIValue is the information necessary to decrypt the message using IBE. This field MUST be set to ibeORIType OBJECT IDENTIFIER ::= { joint-iso-itu(2) country(16) us(840) organization(1) identicrypt(114334) ibcs(1) cms(4) ori-oid(1) } ibeORIValue defines the identity that was used in the IBE algorithm to encrypt the CEK. This is an IBERecipientInfo type. IBERecipientInfo ::= SEQUENCE { cmsVersion INTEGER { v3(3) }, keyFetchMethod OBJECT IDENTIFIER, recipientIdentity IBEIdentityInfo, serverInfo SEQUENCE OF OIDValuePairs OPTIONAL, encryptedKey EncryptedKey } The fields of IBERecipientInfo have the following meanings: The cmsVersion MUST be set to 3. Martin, Schertler Expires April 2007 [Page 3] Internet-Draft Using IBE with CMS October 2006 The keyFetchMethod is the OID that defines the method of retrieving the private key that the recipient MUST use. How to retrieve an IBE private key using the steps defined in [IBE] is defined by the keyFetchMethod OID. The method for retrieving private keys that is specified in [IBE] is defined by cmsPPSOID. cmsPPSOID OBJECT IDENTIFIER ::= { joint-iso-itu(2) country(16) us(840) organization(1) identicrypt(114334) pps-schemas(3) ic-schemas(1) pps-uri(1) } The recipientIdentity is the data that was used to calculate the public key that was used to encrypt the CEK. This MUST be an IBEIdentityInfo type. This recipientIdentity is used to calculate IBE public and private keys as described in [IBCS]. IBEIdentityInfo ::= SEQUENCE { District UTF8STRING, Serial INTEGER, identitySchema OBJECT IDENTIFIER, identityData OCTET STRING } The fields of IBEIdentityInfo have the following meanings. The district and serial are unique identifiers that are used to construct the URI for the location of where the IBE public parameters are located. The construction and use of this URI is defined in [IBE]. The identitySchema defines the format that is used to encode the information that defines the identity of the recipient. This MUST be set to cmsIdentityOID. cmsIdentityOID OBJECT IDENTIFIER ::= { joint-iso-itu(2) country(16) us(840) organization(1) identicrypt(114334) keyschemas(2) icschemas(1) rfc822email(1) } The identityData is the identity of the recipient. For use in S/MIME, this MUST be an EmailIdentitySchema type which is DER encoded. Other applications MAY use other formats for the identityData. Martin, Schertler Expires April 2007 [Page 4] Internet-Draft Using IBE with CMS October 2006 EmailIdentitySchema ::= SEQUENCE { rfc822Email UTF8STRING, time GeneralizedTime } The rfc822Email is the DER-encoded e-mail address of the recipient in the format defined by [RFC822]. The value of "time" is the DER-encoded UTC time after which the sender wants to let the recipient decrypt the message, so it may be called the "not-before" time. This is usually set to the time when the message is encrypted, but MAY be set to a future time. UTC time values are expressed to the nearest second. The sender of an IBE-encrypted message may want to express this time rounded to a larger time interval to create a key lifetime and reduce the number of IBE private keys that a recipient needs to retrieve. Based on the time interval chosen a recipient would only have to retrieve a new IBE key once during the interval. To do this, follow the following steps. Let "time-interval" be the number of seconds in this larger time interval. 1. Find the GeneralizedTime for the not-before value. 2. Convert this GeneralizedTime into the number of seconds since January 1, 1970. Call this "total-time." 3. Calculate reduced-time = ( floor(total-time / time-interval) ) * time-interval. 4. Convert reduced-time to a GeneralizedTime to get the not-before "time" value. An example of this algorithm for computing a one week time interval is: 1. Say the GeneralizedTime is 20020401000000Z 2. The total-time is 1017612000 3. A time-interval of 1 week is 604800 seconds. So the reduced- time = (floor(1017612000/604800))* 604800 = 1017273600 4. Giving the reduced-time GeneralizedTime for a 1 week time interval of 20020328000000Z Martin, Schertler Expires April 2007 [Page 5] Internet-Draft Using IBE with CMS October 2006 3. Algorithm object identifiers The BF and BB1 algorithms as defined in [IBCS] have the following object identifiers: bf OBJECT IDENTIFIER ::= { joint-iso-itu(2) country(16) us(840) organization(1) identicrypt(114334) ibcs(1) ibcs1(1) ibe-algorithms(2) bf(1) } This is the object identifier that MUST be inserted in the keyEncryptionAlgorithm field in the CMS when the BF algorithm is used to encrypt the CEK. bb1 OBJECT IDENTIFIER ::= { joint-iso-itu(2) country(16) us(840) organization(1) identicrypt(114334) ibcs(1) ibcs1(1) ibe-algorithms(2) bb1(2) } This is the object identifier that MUST be inserted in the keyEncryptionAlgorithm field in the CMS when the BB1 algorithm is used to encrypt the CEK. 4. Processing by the sender The sender of a message that uses IBE to encrypt content encryption keys performs the following steps: 1. Selects a set of IBE public parameters to use in the subsequent steps in accordance with his local security policy. He then determines the URI where the public parameters can be obtained using the process described in [IBE]. This information MUST be encoded in the IBEIdentityInfo as described in Section 2. 2. Sets the fields of an OtherRecipientInfo object to their appropriate values as described in Section 2. 3. Calculates an IBE public key as defined in [IBCS] using this IBEIdentityInfo as the identity information. 4. This IBE public key is then used to encrypt the content encryption key (CEK), using the algorithms that are defined in [IBCS]. 5. Sets encryptedKey to the IBE-encrypted CEK. 6. Within the CMS, keyEncryptionAlgorithm MUST then be set to the appropriate OID for the IBE algorithm that was used (see Section 3). Martin, Schertler Expires April 2007 [Page 6] Internet-Draft Using IBE with CMS October 2006 5. Processing by the receiver Upon receiving a message that has a CEK encrypted with IBE, the recipient performs the following steps to decrypt the CEK: 1. Determines that the CEK is IBE-encrypted by noting that the oriType of the OtherRecipientInfo type is set to ibeORIType. 2. Determines that the recipientIdentity was used as the identity in IBE encryption of the CEK. 3. Determines the location of the IBE public parameters and the IBE Private Key Generator as described in [IBE]. 4. Obtains the IBE public parameters from the location determined in Step 3 using the process defined in [IBE]. 5. Obtains the IBE private key needed to decrypt the encrypted CEK using the process defined in [IBE]. 6. Decrypts the CEK using the IBE private key obtained in Step 4 using the algorithms described in [IBCS]. Martin, Schertler Expires April 2007 [Page 7] Internet-Draft Using IBE with CMS October 2006 6. ASN.1 Module IBECMS-module { joint-iso-itu(2) country(16) us(840) organization(1) identicrypt(114334) ibcs(1) cms(4) module(5) version(1) } DEFINITIONS IMPLICIT TAGS ::= BEGIN IBEOtherRecipientInfo ::= SEQUENCE { oriType OBJECT IDENTIFIER, oriValue IBERecipientInfo } ibeORIType OBJECT IDENTIFIER ::= { joint-iso-itu(2) country(16) us(840) organization(1) identicrypt(114334) ibcs(1) cms(4) ori-oid(1) } IBERecipientInfo ::= SEQUENCE { cmsVersion INTEGER { v3(3) }, keyFetchMethod OBJECT IDENTIFIER, recipientIdentity IBEIdentityInfo, serverInfo SEQUENCE OF OIDValuePairs OPTIONAL, encryptedKey EncryptedKey } IBEIdentityInfo ::= SEQUENCE { District UTF8STRING, serial INTEGER, identitySchema OBJECT IDENTIFIER, identityData OCTET STRING } OIDValuePairs ::= SEQUENCE { fieldID OBJECT IDENTIFIER, fieldData OCTET STRING } EmailIdentitySchema ::= SEQUENCE { rfc822Email UTF8STRING, time GeneralizedTime } cmsIdentityOID OBJECT IDENTIFIER ::= { joint-iso-itu(2) country(16) us(840) organization(1) identicrypt(114334) keyschemas(2) icschemas(1) rfc822email(1) } Martin, Schertler Expires April 2007 [Page 8] Internet-Draft Using IBE with CMS October 2006 cmsPPSOID OBJECT IDENTIFIER ::= { joint-iso-itu(2) country(16) us(840) organization(1) identicrypt(114334) pps-schemas(3) ic-schemas(1) pps-uri(1) } END 7. Security Considerations This document is based on [CMS] and [IBCS], and the relevant security considerations of those documents apply. In addition, the following considerations that are particular to this document. 7.1. Attacks that are outside the scope of this document Attacks on the cryptographic algorithms that are used to implement IBE are outside the scope of this document. Such attacks are detailed in [IBCS], which defines parameters that will give the equivalent of 80-bit security, 112-bit security and 128-bit security. We assume that competent administrators of an IBE system will select parameters that provide a sufficient resistance to cryptanalytic attacks by adversaries. Attacks that require access to machines used by either the client or the server components defined in this document are also outside the scope of this document. Attacks that give an attacker the ability to access or change the information on a PPS or PKG, especially the cryptographic material, will defeat the security of an IBE system. To address this concern, the PPS and PKG servers SHOULD be configured in accordance with best current practices [NIST]. An IBE system should be operated in an environment where such illicit access is infeasible for attackers to obtain. We also assume that all administrators of a system implementing the protocols that are defined in this document are trustworthy and will not abuse their authority to bypass the security provided by an IBE system. Similarly, we assume that users of an IBE system will behave responsibly, not sharing their authentication credentials with others. Thus attacks that require such assumptions are outside the scope of this document. 7.2. Attacks that are within the scope of this document Attacks that passively monitor information transmitted between users of an IBE system and the PPS and PKG are within the scope of this Martin, Schertler Expires April 2007 [Page 9] Internet-Draft Using IBE with CMS October 2006 document, as are attacks that let an adversary masquerade as a PPS or PKG are also within the scope of this document. 7.3. Attacks that the protocols defined in this document are susceptible to The protocols defined in this document do not explicitly defend against an attacker masquerading as a legitimate IBE PPS or PKG. To provide protection against this possibility, client software that implements the protocols defined in this document SHOULD have a user interface that allows users to view the details of connections to PPS and PKG servers so that users cannot easily be tricked into providing valid authorization credentials to an attacker. The protocols defined in this document are also vulnerable to Denial of Service attacks against an IBE PPS or PKG. DOS attacks against either component can result in users unable to access the information and services required to encrypt or decrypt using IBE, and users of an IBE system SHOULD take the appropriate countermeasures [RFC2827, RFC3882] that their use of IBE requires. 7.4. Attacks that the protocols defined in this document protect against All communications between users of an IBE system and the PPS or PKG are encrypted using SSL 3.0 [SSL] or TLS 1.1 [TLS], which should provide an adequate level of protection for such communications. The authentication method used by an IBE PKG should also be sufficiently strong to prevent attackers from easily guessing them through trial and error. 8. IANA Considerations All of the object identifiers used in this document were assigned by the National Institute of Standards and Technology (NIST), so no further action by the IANA is necessary for this document. Martin, Schertler Expires April 2007 [Page 10] Internet-Draft Using IBE with CMS October 2006 9. References 9.1. Normative References [ASN1] CCITT, Recommendation X.209: Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1). 1998. [CMS] R. Housley, "Cryptographic Message Syntax," RFC 3369, August 2002. [IBCS] X. Boyen, L. Martin, "Identity-based cryptography standard (IBCS) #1: supersingular curve implementations of the BF and BB1 cryptosystems," draft-ieft-martin-ibcs-00.txt. [IBE] G. Appenzeller, L. Martin, M. Schertler, "Identity-based Encryption Architecture," draft-ietf-ibearch-01.txt. [KEYWORDS] S. Brander, "Key Words for Use in RFCs to Indicate Requirement Levels," BCP 14, RFC 2119, March 1997. [NIST] M. Souppaya, J. Wack, K. Kent, "Security Configuration Checklist Program for IT Products - Guidance for Checklist Users and Developers," NIST Special Publication SP 800-70, May 2005. [RFC822] D. Crocker, "Standard for the format of ARPA internet text messages," RFC 822, August 1982. [RFC2827] P. Ferguson, D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," RFC 2827, BCP 38, May 2000. [RFC3882] D. Turk, "Configuring BGP to Block Denial-of-Service Attacks," RFC 3882, September 2004. Martin, Schertler Expires April 2007 [Page 11] Internet-Draft Using IBE with CMS October 2006 Authors' Addresses Luther Martin Voltage Security 1070 Arastradero Rd Suite 100 Palo Alto CA 94304 Phone: +1 650 543 1280 Email: martin@voltage.com Mark Schertler Voltage Security 1070 Arastradero Rd Suite 100 Palo Alto CA 94304 Phone: +1 650 543 1280 Email: mark@voltage.com Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS Martin, Schertler Expires April 2007 [Page 12] Internet-Draft Using IBE with CMS October 2006 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Martin, Schertler Expires April 2007 [Page 13]