S/MIME Working Group S. Moriai Internet Draft Nippon Telegraph and Telephone Corporation Expiration Date: April 2003 A. Kato NTT Software Corporation October 2002 Use of the Camellia Encryption Algorithm in CMS Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Comments or suggestions for improvement may be made on the "ietf-smime" mailing list, or directly to the author. Abstract This document specifies how to incorporate the Camellia encryption algorithm into the S/MIME Cryptographic Message Syntax (CMS) as an additional algorithm for symmetric encryption. The relevant OIDs and processing steps are provided so that Camellia may be included in the CMS specification (RFC 3369, RFC 3370) for content and key encryption. 1. Introduction This document specifies the conventions for using the Camellia encryption algorithm [CamelliaSpec][CamelliaID] for encryption with the Cryptographic Message Syntax (CMS) [CMS]. MORIAI [Page 1] Internet-Draft Use of Camellia in CMS October 2002 Camellia is a block cipher with 128-bit block size and 128-, 192-, and 256-bit keys, i.e. the same interface as the Advanced Encryption Standard (AES). Camellia offers excellent efficiency on both software and hardware platforms in addition to a high level of security [CamelliaTech]. CMS values are generated using ASN.1 (X.208-88), using the Basic Encoding Rules (BER) (X.209-88) and the Distinguished Encoding Rules (DER) (X.509-88). The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase, as shown) are to be interpreted as described in [RFC2119]. 2. Object Identifiers for Content and Key Encryption This section provides the OIDs and processing information necessary for Camellia to be used for content and key encryption in CMS. Camellia is added to the set of optional symmetric encryption algorithms in CMS by providing two classes of unique object identifiers (OIDs). One OID class defines the content encryption algorithms and the other defines the key encryption algorithms. Thus a CMS agent can apply Camellia either for content or key encryption by selecting the corresponding object identifier, supplying the required parameter, and starting the program code. 2.1 OIDs for Content Encryption For content encryption the use of Camellia in cipher block chaining (CBC) mode is RECOMMENDED. The Camellia content-encryption algorithm, in CBC mode, for the three different key sizes are identified by the following object identifiers: id-camellia128-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) 392 200011 61 security(1) algorithm(1) symmetric-encryption-algorithm(1) camellia128-cbc(2) } id-camellia192-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) 392 200011 61 security(1) algorithm(1) symmetric-encryption-algorithm(1) camellia192-cbc(3) } id-camellia256-cbc OBJECT IDENTIFIER ::= { iso(1) member-body(2) 392 200011 61 security(1) algorithm(1) symmetric-encryption-algorithm(1) camellia256-cbc(4) } To determine the value of IV, the above algorithms take parameter as: MORIAI [Page 2] Internet-Draft Use of Camellia in CMS October 2002 CamelliaCBCParameter ::= CamelliaIV -- Initialization Vector CamelliaIV ::= OCTET STRING (SIZE(16)) When these object identifiers are used, plaintext is padded before encrypt it. At least 1 padding octet is appended at the end of the plaintext to make the length of the plaintext to the multiple of 16 octets. The value of these octets is as same as the number of appended octets. (e.g., If 10 octets are needed to pad, the value is 0x0a.) 2.2 OIDs for Key Encryption The key-wrap/unwrap procedures used to encrypt/decrypt a Camellia content-encryption key (CEK) with a Camellia key-encryption key (KEK) are specified in Section 3. Generation and distribution of key-encryption keys are beyond the scope of this document. The Camellia key-encryption algorithm has the following object identifier:    id-camellia128-wrap OBJECT IDENTIFIER ::=     { iso(1) member-body(2) 392 200011 61 security(1)     algorithm(1) key-wrap-algorithm(3)     camellia128-wrap(2) }    id-camellia192-wrap OBJECT IDENTIFIER ::=     { iso(1) member-body(2) 392 200011 61 security(1)     algorithm(1) key-wrap-algorithm(3)     camellia192-wrap(3) }    id-camellia256-wrap OBJECT IDENTIFIER ::=     { iso(1) member-body(2) 392 200011 61 security(1)     algorithm(1) key-wrap-algorithm(3)     camellia256-wrap(4) } In all cases the parameters field of AlgorithmIdentifier MUST be NULL. The OID gives the KEK key size, but does not make any statements as to the size of the wrapped Camellia CEK. Implementations MAY use different KEK and CEK sizes. Implements MUST support the CEK and the KEK having the same length. If different lengths are supported, the KEK MUST be of equal or greater length than the CEK. We don't need additional parameter information associated with this object identifier contains, because the key wrapping procedure itself defines how and when to use an IV. 3. Key Wrap Algorithm Camellia key wrapping and unwrapping is done in conformance with the MORIAI [Page 3] Internet-Draft Use of Camellia in CMS October 2002 AES key wrap algorithm [AES-WRAP][RFC3394], because Camellia and AES have the same block and key sizes, i.e. the block size of 128 bits and key sizes of 128, 192, and 256 bits. 3.1 Camellia Key Wrap Key wrapping with Camellia is identical to [RFC3394], Section 2.2.1, with "AES" replaced by "Camellia". 3.2 Camellia Key Unwrap Key unwrapping with Camellia is identical to [RFC3394], Section 2.2.2, with "AES" replaced by "Camellia". 4. Security Considerations This document specifies the use of Camellia for encrypting the content of a CMS message and for encrypting the symmetric key used to encrypt the content of a CMS message. Since Camellia supports the key length of 128, 192 and 256 bits, it provides enough security against exhaustive key attacks. Against other attacks Camellia is believed to be secure, and it has withstood extensive cryptanalytic efforts in several open, worldwide cryptographic evaluation projects. For other security considerations, please refer to the security considerations of the CMS specifications [CMS][CMSALG] and the AES key wrap algorithm [AES-WRAP][RFC3394]. 5. Intellectual Property Statement Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon Telegraph and Telephone Corporation (NTT) have pending applications or filed patents which are essential to Camellia. License policy for these essential patents will be available on the IETF page of Intellectual Property Rights Notices. References [AES-WRAP] National Institute of Standards and Technology. AES Key Wrap Specification. 17 November 2001. http://csrc.nist.gov/encryption/kms/key-wrap.pdf [CamelliaID] J. Nakajima and S. Moriai, "A Description of the Camellia Encryption Algorithm", Internet-Draft, July 2001. draft-nakajima-camellia-02.txt [CamelliaSpec] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita ``Specification of Camellia - a 128-bit Block Cipher''. http://info.isl.ntt.co.jp/camellia/ MORIAI [Page 4] Internet-Draft Use of Camellia in CMS October 2002 [CamelliaTech] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai, J. Nakajima, and T. Tokita ``Camellia: A 128-Bit Block Cipher Suitable for Multiple Platforms - Design and Analysis -'', In Selected Areas in Cryptography, 7th Annual International Workshop, SAC 2000, August 2000, Proceedings, Lecture Notes in Computer Science 2012, pp.39--56, Springer-Verlag, 2001. [CMS] R. Housley, "Cryptographic Message Syntax", RFC 3369, August 2002. [CMSALG] R. Housley, "Cryptographic Message Syntax (CMS) Algorithms", RFC 3370, August 2002. [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3394] J. Schaad and R. Housley, "Advanced Encryption Standard (AES) Key Wrap Algorithm", RFC 3394, September 2002. Authors' Address Shiho Moriai Nippon Telegraph and Telephone Corporation Phone: +81-468-59-2007 FAX: +81-468-59-3858 Email: shiho@isl.ntt.co.jp Akihiro Kato NTT Software Corporation Phone: +81-45-212-7404 FAX: +81-45-212-7410 Email: akato@po.ntts.co.jp MORIAI [Page 5]