```
CMS-RSA-KEM-2023
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) id-mod-cms-rsa-kem-2023(TBD1) }
DEFINITIONS EXPLICIT TAGS ::= BEGIN
-- EXPORTS ALL
IMPORTS
KEM-ALGORITHM
FROM KEMAlgorithmInformation-2023 -- [I-D.ietf-lamps-cms-kemri]
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-kemAlgorithmInformation-2023(TBD2) }
AlgorithmIdentifier{}, PUBLIC-KEY, DIGEST-ALGORITHM,
KEY-DERIVATION, KEY-WRAP, SMIME-CAPS
FROM AlgorithmInformation-2009 -- [RFC5912]
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58) }
kwa-aes128-wrap, kwa-aes192-wrap, kwa-aes256-wrap
FROM CMSAesRsaesOaep-2009 -- [RFC5911]
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0)
-- Housley & Turner   Expires 31 January 2025   [Page 20]
-- Internet-Draft   RSA-KEM with CMS KEMRecipientInfo   July 2024
id-mod-cms-aes-02(38) }
kwa-3DESWrap
FROM CryptographicMessageSyntaxAlgorithms-2009 -- [RFC5911]
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0)
id-mod-cmsalg-2001-02(37) }
id-camellia128-wrap, id-camellia192-wrap, id-camellia256-wrap
FROM CamelliaEncryptionAlgorithmInCMS -- [RFC3657]
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs9(9) smime(16) modules(0)
id-mod-cms-camellia(23) }
mda-sha1, pk-rsa, RSAPublicKey
FROM PKIXAlgs-2009 -- [RFC5912]
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-algorithms2008-02(56) }
mda-sha224, mda-sha256, mda-sha384, mda-sha512
FROM PKIX1-PSS-OAEP-Algorithms-2009 -- [RFC5912]
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs-02(54) } ;
-- Useful types and definitions
OID ::= OBJECT IDENTIFIER -- alias
NullParms ::= NULL
-- ISO/IEC 18033-2 arc
is18033-2 OID ::= { iso(1) standard(0) is18033(18033) part2(2) }
-- NIST algorithm arc
nistAlgorithm OID ::= { joint-iso-itu-t(2) country(16) us(840)
organization(1) gov(101) csor(3) nistAlgorithm(4) }
-- PKCS #1 arc
pkcs-1 OID ::= { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-1(1) }
-- X9.44 arc
x9-44 OID ::= { iso(1) identified-organization(3) tc68(133)
country(16) x9(840) x9Standards(9) x9-44(44) }
x9-44-components OID ::= { x9-44 components(1) }
-- RSA-KEM Algorithm
id-rsa-kem OID ::= { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) alg(3) 14 }
id-rsa-kem-spki OID ::= id-rsa-kem
GenericHybridParameters ::= SEQUENCE {
kem KeyEncapsulationMechanism,
dem DataEncapsulationMechanism }
KeyEncapsulationMechanism ::=
AlgorithmIdentifier { KEM-ALGORITHM, {KEMAlgorithms} }
KEMAlgorithms KEM-ALGORITHM ::= { kema-kem-rsa | kema-rsa-kem, ... }
kema-rsa-kem KEM-ALGORITHM ::= {
IDENTIFIER id-rsa-kem-spki
PARAMS TYPE GenericHybridParameters ARE optional
PUBLIC-KEYS { pk-rsa | pk-rsa-kem }
UKM ARE optional
SMIME-CAPS { TYPE GenericHybridParameters
IDENTIFIED BY id-rsa-kem-spki } }
kema-kem-rsa KEM-ALGORITHM ::= {
IDENTIFIER id-kem-rsa
PARAMS TYPE RsaKemParameters ARE optional
PUBLIC-KEYS { pk-rsa | pk-rsa-kem }
UKM ARE optional
SMIME-CAPS { TYPE GenericHybridParameters
IDENTIFIED BY id-rsa-kem-spki } }
id-kem-rsa OID ::= { is18033-2 key-encapsulation-mechanism(2)
rsa(4) }
RsaKemParameters ::= SEQUENCE {
keyDerivationFunction KeyDerivationFunction,
keyLength KeyLength }
pk-rsa-kem PUBLIC-KEY ::= {
IDENTIFIER id-rsa-kem-spki
KEY RSAPublicKey
PARAMS TYPE GenericHybridParameters ARE preferredAbsent
-- Private key format is not specified here --
CERT-KEY-USAGE {keyEncipherment} }
KeyDerivationFunction ::=
AlgorithmIdentifier { KEY-DERIVATION, {KDFAlgorithms} }
KDFAlgorithms KEY-DERIVATION ::= { kda-kdf2 | kda-kdf3, ... }
KeyLength ::= INTEGER (1..MAX)
DataEncapsulationMechanism ::=
AlgorithmIdentifier { KEY-WRAP, {DEMAlgorithms} }
DEMAlgorithms KEY-WRAP ::= {
X9-SymmetricKeyWrappingSchemes |
Camellia-KeyWrappingSchemes, ... }
X9-SymmetricKeyWrappingSchemes KEY-WRAP ::= {
kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap |
kwa-3DESWrap, ... }
X9-SymmetricKeyWrappingScheme ::=
AlgorithmIdentifier { KEY-WRAP, {X9-SymmetricKeyWrappingSchemes} }
Camellia-KeyWrappingSchemes KEY-WRAP ::= {
kwa-camellia128-wrap | kwa-camellia192-wrap |
kwa-camellia256-wrap, ... }
Camellia-KeyWrappingScheme ::=
AlgorithmIdentifier { KEY-WRAP, {Camellia-KeyWrappingSchemes} }
kwa-camellia128-wrap KEY-WRAP ::= {
IDENTIFIER id-camellia128-wrap
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-camellia128-wrap } }
kwa-camellia192-wrap KEY-WRAP ::= {
IDENTIFIER id-camellia192-wrap
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-camellia192-wrap } }
kwa-camellia256-wrap KEY-WRAP ::= {
IDENTIFIER id-camellia256-wrap
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-camellia256-wrap } }
-- Key Derivation Functions
id-kdf-kdf2 OID ::= { x9-44-components kdf2(1) }
kda-kdf2 KEY-DERIVATION ::= {
IDENTIFIER id-kdf-kdf2
PARAMS TYPE KDF2-HashFunction ARE required
-- No S/MIME caps defined -- }
KDF2-HashFunction ::=
AlgorithmIdentifier { DIGEST-ALGORITHM, {KDF2-HashFunctions} }
KDF2-HashFunctions DIGEST-ALGORITHM ::= { X9-HashFunctions, ... }
id-kdf-kdf3 OID ::= { x9-44-components kdf3(2) }
kda-kdf3 KEY-DERIVATION ::= {
IDENTIFIER id-kdf-kdf3
PARAMS TYPE KDF3-HashFunction ARE required
-- No S/MIME caps defined -- }
KDF3-HashFunction ::=
AlgorithmIdentifier { DIGEST-ALGORITHM, {KDF3-HashFunctions} }
KDF3-HashFunctions DIGEST-ALGORITHM ::= { X9-HashFunctions, ... }
-- Hash Functions
X9-HashFunctions DIGEST-ALGORITHM ::= {
mda-sha1 | mda-sha224 | mda-sha256 | mda-sha384 |
mda-sha512, ... }
-- Updates for the SMIME-CAPS Set from RFC 5911
SMimeCapsSet SMIME-CAPS ::= {
kema-kem-rsa.&smimeCaps |
kwa-aes128-wrap |
kwa-aes192-wrap |
kwa-aes256-wrap |
kwa-camellia128-wrap.&smimeCaps |
kwa-camellia192-wrap.&smimeCaps |
kwa-camellia256-wrap.&smimeCaps,
... }
END
```
Appendix C. SMIMECapabilities Examples
To indicate support for the RSA-KEM algorithm coupled with the KDF3 key-derivation function with SHA-256 and the AES Key Wrap symmetric key-encryption algorithm with a 128-bit key-encryption key, the SMIMECapabilities will include the following entry:

```
SEQUENCE {
  id-rsa-kem-spki,                -- RSA-KEM Algorithm
  SEQUENCE {                      -- GenericHybridParameters
    SEQUENCE {                    -- key encapsulation mechanism
      id-kem-rsa,                 -- RSA-KEM
      SEQUENCE {                  -- RsaKemParameters
        SEQUENCE {                -- key derivation function
          id-kdf-kdf3,            -- KDF3
          SEQUENCE {              -- KDF3-HashFunction
            id-sha256             -- SHA-256; no parameters (preferred)
          }
        },
        16                        -- KEK length in bytes
      }
    },
    SEQUENCE {                    -- data encapsulation mechanism
      id-aes128-Wrap              -- AES-128 Wrap; no parameters
    }
  }
}
```
This SMIMECapability value has the following DER encoding (in
hexadecimal):
```
30 47
   06 0b 2a 86 48 86 f7 0d 01 09 10 03 0e            -- id-rsa-kem-spki
   30 38
      30 29
         06 07 28 81 8c 71 02 02 04                  -- id-kem-rsa
         30 1e
            30 19
               06 0a 2b 81 05 10 86 48 09 2c 01 02   -- id-kdf-kdf3
               30 0b
                  06 09 60 86 48 01 65 03 04 02 01   -- id-sha256
            02 01 10                                 -- 16 bytes
      30 0b
         06 09 60 86 48 01 65 03 04 01 05            -- id-aes128-Wrap
```
To indicate support for the RSA-KEM algorithm coupled with the KDF3 key-derivation function with SHA-384 and the AES Key Wrap symmetric key-encryption algorithm with a 192-bit key-encryption key, the SMIMECapabilities will include the following SMIMECapability value (in hexadecimal):

```
30 47 06 0b 2a 86 48 86 f7 0d 01 09 10 03 0e 30
38 30 29 06 07 28 81 8c 71 02 02 04 30 1e 30 19
06 0a 2b 81 05 10 86 48 09 2c 01 02 30 0b 06 09
60 86 48 01 65 03 04 02 02 02 01 18 30 0b 06 09
60 86 48 01 65 03 04 01 19
```
To indicate support for the RSA-KEM algorithm coupled with the KDF3 key-derivation function with SHA-512 and the AES Key Wrap symmetric key-encryption algorithm with a 256-bit key-encryption key, the SMIMECapabilities will include the following SMIMECapability value (in hexadecimal):

```
30 47 06 0b 2a 86 48 86 f7 0d 01 09 10 03 0e 30
38 30 29 06 07 28 81 8c 71 02 02 04 30 1e 30 19
06 0a 2b 81 05 10 86 48 09 2c 01 02 30 0b 06 09
60 86 48 01 65 03 04 02 03 02 01 20 30 0b 06 09
60 86 48 01 65 03 04 01 2d
```
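The three hexadecimal values above can be regenerated, and incoming capabilities checked, with a small DER encoder and parser. The Python below is an added example written for this page; it is not code from the draft or its authors. The OIDs are the ones named in the ASN.1 module and in the comments of the first hex dump, written in dotted form (the SHA-384, SHA-512 and AES-192/256 wrap arcs are read off the second and third dumps), and `build_smime_capability`, `parse_smime_capability`, `der_tlv` and the other function names are this example's own. The parser rejects trailing data, a wrong nesting, or an algorithm other than RSA-KEM, and it also accepts an explicit NULL after the hash OID, which is how the KEMRecipientInfo in Appendix D encodes sha-256 even though Appendix C prefers absent parameters.

```python
# Dotted forms of the OIDs named in the ASN.1 module and in Appendix C.
ID_RSA_KEM_SPKI = "1.2.840.113549.1.9.16.3.14"
ID_KEM_RSA = "1.0.18033.2.2.4"
ID_KDF_KDF3 = "1.3.133.16.840.9.44.1.2"
ID_SHA256, ID_SHA384, ID_SHA512 = ("2.16.840.1.101.3.4.2.%d" % i for i in (1, 2, 3))
ID_AES128_WRAP, ID_AES192_WRAP, ID_AES256_WRAP = ("2.16.840.1.101.3.4.1.%d" % i for i in (5, 25, 45))

def _der_length(n):
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body   # short / long form

def der_tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content

def _base128(value):
    out = [value & 0x7F]
    while value >> 7:
        value >>= 7
        out.append(0x80 | (value & 0x7F))
    return bytes(reversed(out))

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest in base 128."""
    arcs = [int(a) for a in dotted.split(".")]
    return der_tlv(0x06, b"".join(_base128(a) for a in [40 * arcs[0] + arcs[1]] + arcs[2:]))

def encode_uint(value):
    """INTEGER for a non-negative value: minimal length, sign bit kept clear."""
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_smime_capability(hash_oid, kek_len, wrap_oid):
    """SMIMECapability { id-rsa-kem-spki, GenericHybridParameters }; hash without parameters."""
    kdf = der_tlv(0x30, encode_oid(ID_KDF_KDF3) + der_tlv(0x30, encode_oid(hash_oid)))
    kem = der_tlv(0x30, encode_oid(ID_KEM_RSA) + der_tlv(0x30, kdf + encode_uint(kek_len)))
    dem = der_tlv(0x30, encode_oid(wrap_oid))
    return der_tlv(0x30, encode_oid(ID_RSA_KEM_SPKI) + der_tlv(0x30, kem + dem))

def _read_tlv(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def _unpack(body, *tags):
    # Children of a constructed value; their tags must be exactly `tags`, in order.
    out, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        out.append((tag, content))
    if pos != len(body) or [t for t, _ in out] != list(tags):
        raise ValueError("unexpected structure %r" % [t for t, _ in out])
    return [c for _, c in out]

def decode_oid(body):
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    lead = [0, arcs[0]] if arcs[0] < 40 else [1, arcs[0] - 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in lead + arcs[1:])

def parse_smime_capability(der):
    """Walk the DER back into its fields, refusing anything outside the expected shape;
    a consumer must do this before acting on an advertised algorithm."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    alg, params = _unpack(body, 0x06, 0x30)
    kem, dem = _unpack(params, 0x30, 0x30)
    kem_oid, kem_params = _unpack(kem, 0x06, 0x30)
    kdf, kek_len = _unpack(kem_params, 0x30, 0x02)
    kdf_oid, hash_alg = _unpack(kdf, 0x06, 0x30)
    try:
        (hash_oid,) = _unpack(hash_alg, 0x06)            # preferred form: no parameters
    except ValueError:
        hash_oid, null = _unpack(hash_alg, 0x06, 0x05)   # explicit NULL, as Appendix D encodes it
        if null:
            raise ValueError("NULL parameters with content")
    (wrap_oid,) = _unpack(dem, 0x06)
    if decode_oid(alg) != ID_RSA_KEM_SPKI or decode_oid(kem_oid) != ID_KEM_RSA:
        raise ValueError("not an RSA-KEM capability")
    return {"kdf": decode_oid(kdf_oid), "hash": decode_oid(hash_oid),
            "kek_length": int.from_bytes(kek_len, "big"), "wrap": decode_oid(wrap_oid)}

# The three DER values printed in Appendix C, keyed by (hash OID, KEK length, wrap OID).
APPENDIX_C = {
    (ID_SHA256, 16, ID_AES128_WRAP): "3047060b2a864886f70d010910030e30383029060728818c71020204301e3019"
                                     "060a2b8105108648092c0102300b0609608648016503040201020110300b0609608648016503040105",
    (ID_SHA384, 24, ID_AES192_WRAP): "3047060b2a864886f70d010910030e30383029060728818c71020204301e3019"
                                     "060a2b8105108648092c0102300b0609608648016503040202020118300b0609608648016503040119",
    (ID_SHA512, 32, ID_AES256_WRAP): "3047060b2a864886f70d010910030e30383029060728818c71020204301e3019"
                                     "060a2b8105108648092c0102300b0609608648016503040203020120300b060960864801650304012d",
}
if __name__ == "__main__":
    for (h, n, w), hx in APPENDIX_C.items():
        print(build_smime_capability(h, n, w).hex() == hx, parse_smime_capability(bytes.fromhex(hx)))
```

Run as a script it prints `True` for each of the three page values followed by the decoded fields. The encoder keeps INTEGER and length encodings minimal and the parser insists that every child fills its parent exactly, which is what makes the hex on this page the only accepted encoding of each capability.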
Appendix D. RSA-KEM CMS Enveloped-Data Example
This example shows the establishment of an AES-128 content-encryption
key using:
* RSA-KEM with a 3072-bit key and KDF3 with SHA-256;
* KEMRecipientInfo key derivation using KDF3 with SHA-256; and
* KEMRecipientInfo key wrap using AES-128-KEYWRAP.
In real-world use, the originator would encrypt the content-
encryption key in a manner that would allow decryption with their own
private key as well as the recipient's private key. This is omitted
in an attempt to simplify the example.
D.1. Originator RSA-KEM Encapsulate() Processing
Alice obtains Bob's public key:
```
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
```

Bob's RSA public key has the following key identifier:

```
9eeb67c9b95a74d44d2f16396680e801b5cba49c
```

Alice randomly generates integer z between 0 and n-1:

```
9c126102a5c1c0354672a3c2f19fc9ddea988f815e1da812c7bd4f8eb082bdd1
4f85a7f7c2f1af11d5333e0d6bcb375bf855f208da72ba27e6fb0655f2825aa6
2b93b1f9bbd3491fed58f0380fa0de36430e3a144d569600bd362609be5b9481
0875990b614e406fa6dff500043cbca95968faba61f795096a7fb3687a51078c
4ca2cb663366b0bea0cd9cccac72a25f3f4ed03deb68b4453bba44b943f4367b
67d6cd10c8ace53f545aac50968fc3c6ecc80f3224b64e37038504e2d2c0e2b2
9d45e46c62826d96331360e4c17ea3ef89a9efc5fac99eda830e81450b6534dc
0bdf042b8f3b706649c631fe51fc2445cc8d447203ec2f41f79cdfea16de1ce6
abdfdc1e2ef2e5d5d8a65e645f397240ef5a26f5e4ff715de782e30ecf477293
e89e13171405909a8e04dd31d21d0c57935fc1ceea8e1033e31e1bc8c56da0f3
d79510f3f380ff58e5a61d361f2f18e99fbae5663172e8cd1f21deaddc5bbbea
060d55f1842b93d1a9c888d0bf85d0af9947fe51acf940c7e7577eb79cabecb3
```

Alice encrypts integer z using Bob's RSA public key; the result is called ct:

```
c071fc273af8e7bdb152e06bf73310361074154a43abcf3c93c13499d2065344
3eed9ef5d3c0685e4aa76a6854815bb97691ff9f8dac15eea7d74f452bf350a6
46163d68288e978cbf7a73089ee52712f9a4f49e06ace7bbc85ab14d4e336c97
c5728a2654138c7b26e8835c6b0a9fbed26495c4eadf745a2933be283f6a88b1
6695fc06666873cfb6d36718ef3376cefc100c3941f3c494944078325807a559
186b95ccabf3714cfaf79f83bd30537fdd9aed5a4cdcbd8bd0486faed73e9d48
6b3087d6c806546b6e2671575c98461e441f65542bd95de26d0f53a64e7848d7
31d9608d053e8d345546602d86236ffe3704c98ad59144f3089e5e6d527b5497
ba103c79d62e80d0235410b06f71a7d9bd1c38000f910d6312ea2f20a3557535
ad01b3093fb5f7ee507080d0f77d48c9c3b3796f6b7dd3786085fb895123f04c
a1f1c1be22c747a8dface32370fb0d570783e27dbb7e74fca94ee39676fde3d8
a9553d878224736e37e191dab953c7e228c07ad5ca3122421c14debd072a9ab6
```

Alice derives the shared secret (SS) using KDF3 with SHA-256:

```
3cf82ec41b54ed4d37402bbd8f805a52
```
D.2. Originator CMS Processing
Alice encodes the CMSORIforKEMOtherInfo structure with the algorithm identifier for AES-128-KEYWRAP and a key length of 16 octets. The DER encoding of CMSORIforKEMOtherInfo produces 18 octets:

```
3010300b0609608648016503040105020110
```

The CMSORIforKEMOtherInfo structure contains:

```
   0  16: SEQUENCE {
   2  11:   SEQUENCE {
   4   9:     OBJECT IDENTIFIER aes128-wrap (2 16 840 1 101 3 4 1 5)
        :     }
  15   1:   INTEGER 16
        :   }
```

Alice derives the key-encryption key from the shared secret produced by RSA-KEM Encapsulate() and the CMSORIforKEMOtherInfo structure, using KDF3 with SHA-256; the KEK is:

```
e6dc9d62ff2b469bef604c617b018718
```

Alice randomly generates a 128-bit content-encryption key:

```
77f2a84640304be7bd42670a84a1258b
```

Alice uses AES-128-KEYWRAP to encrypt the 128-bit content-encryption key with the derived key-encryption key:

```
28782e5d3d794a7616b863fbcfc719b78f12de08cf286e09
```

Alice encrypts the padded content using AES-128-CBC with the content-encryption key. The 16-octet IV used is:

```
480ccafebabefacedbaddecaf8887781
```

The padded content plaintext is:

```
48656c6c6f2c20776f726c6421030303
```

The resulting ciphertext is:

```
c6ca65db7bdd76b0f37e2fab6264b66d
```
Housley & Turner Expires 31 January 2025 [Page 28]
Internet-Draft RSA-KEM with CMS KEMRecipientInfo July 2024
Alice encodes the EnvelopedData (using KEMRecipientInfo) and ContentInfo, and then sends the result to Bob. The Base64-encoded result is:

```
...
```

This result decodes to:
```
   0 604: SEQUENCE {
   4   9:   OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
  15 589:   [0] {
  19 585:     SEQUENCE {
  23   1:       INTEGER 3
  26 516:       SET {
  30 512:         [4] {
  34  11:           OBJECT IDENTIFIER
        :             KEMRecipientInfo (1 2 840 113549 1 9 16 13 3)
  47 495:           SEQUENCE {
  51   1:             INTEGER 0
  54  20:             [0]
        :               9E EB 67 C9 B9 5A 74 D4 4D 2F 16 39 66 80 E8 01
        :               B5 CB A4 9C
  76   9:             SEQUENCE {
  78   7:               OBJECT IDENTIFIER kemRSA (1 0 18033 2 2 4)
        :               }
  87 384:             OCTET STRING
        :               C0 71 FC 27 3A F8 E7 BD B1 52 E0 6B F7 33 10 36
        :               10 74 15 4A 43 AB CF 3C 93 C1 34 99 D2 06 53 44
        :               3E ED 9E F5 D3 C0 68 5E 4A A7 6A 68 54 81 5B B9
        :               76 91 FF 9F 8D AC 15 EE A7 D7 4F 45 2B F3 50 A6
        :               46 16 3D 68 28 8E 97 8C BF 7A 73 08 9E E5 27 12
        :               F9 A4 F4 9E 06 AC E7 BB C8 5A B1 4D 4E 33 6C 97
        :               C5 72 8A 26 54 13 8C 7B 26 E8 83 5C 6B 0A 9F BE
        :               D2 64 95 C4 EA DF 74 5A 29 33 BE 28 3F 6A 88 B1
        :               66 95 FC 06 66 68 73 CF B6 D3 67 18 EF 33 76 CE
        :               FC 10 0C 39 41 F3 C4 94 94 40 78 32 58 07 A5 59
        :               18 6B 95 CC AB F3 71 4C FA F7 9F 83 BD 30 53 7F
        :               DD 9A ED 5A 4C DC BD 8B D0 48 6F AE D7 3E 9D 48
        :               6B 30 87 D6 C8 06 54 6B 6E 26 71 57 5C 98 46 1E
        :               44 1F 65 54 2B D9 5D E2 6D 0F 53 A6 4E 78 48 D7
        :               31 D9 60 8D 05 3E 8D 34 55 46 60 2D 86 23 6F FE
        :               37 04 C9 8A D5 91 44 F3 08 9E 5E 6D 52 7B 54 97
        :               BA 10 3C 79 D6 2E 80 D0 23 54 10 B0 6F 71 A7 D9
        :               BD 1C 38 00 0F 91 0D 63 12 EA 2F 20 A3 55 75 35
        :               AD 01 B3 09 3F B5 F7 EE 50 70 80 D0 F7 7D 48 C9
        :               C3 B3 79 6F 6B 7D D3 78 60 85 FB 89 51 23 F0 4C
        :               A1 F1 C1 BE 22 C7 47 A8 DF AC E3 23 70 FB 0D 57
        :               07 83 E2 7D BB 7E 74 FC A9 4E E3 96 76 FD E3 D8
        :               A9 55 3D 87 82 24 73 6E 37 E1 91 DA B9 53 C7 E2
        :               28 C0 7A D5 CA 31 22 42 1C 14 DE BD 07 2A 9A B6
 475  27:             SEQUENCE {
 477  10:               OBJECT IDENTIFIER
        :                 kdf3 (1 3 133 16 840 9 44 1 2)
 489  13:               SEQUENCE {
 491   9:                 OBJECT IDENTIFIER
        :                   sha-256 (2 16 840 1 101 3 4 2 1)
 502   0:                 NULL
        :                 }
        :               }
 504   1:             INTEGER 16
 507  11:             SEQUENCE {
 509   9:               OBJECT IDENTIFIER
        :                 aes128-wrap (2 16 840 1 101 3 4 1 5)
        :               }
 520  24:             OCTET STRING
        :               28 78 2E 5D 3D 79 4A 76 16 B8 63 FB CF C7 19 B7
        :               8F 12 DE 08 CF 28 6E 09
        :             }
        :           }
        :         }
 546  60:       SEQUENCE {
 548   9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
 559  29:         SEQUENCE {
 561   9:           OBJECT IDENTIFIER
        :             aes128-CBC (2 16 840 1 101 3 4 1 2)
 572  16:           OCTET STRING
        :             48 0C CA FE BA BE FA CE DB AD DE CA F8 88 77 81
        :           }
 590  16:         [0] C6 CA 65 DB 7B DD 76 B0 F3 7E 2F AB 62 64 B6 6D
        :         }
        :       }
        :     }
        :   }
```
D.3. Recipient RSA-KEM Decapsulate() Processing
Bob's private key:
```
-----BEGIN PRIVATE KEY-----
MIIG5AIBAAKCAYEA3ocW14cxncPJ47fnEjBZAyfC2lqapL3ET4jvV6C7gGeVrRQx
WPDwl+cFYBBR2ej3j3/0ecDmu+XuVi2+s5JHKeeza+itfuhsz3yifgeEpeK8T+Su
sHhn20/NBLhYKbh3kiAcCgQ56dpDrDvDcLqqvS3jg/VO+OPnZbofoHOOevt8Q/ro
ahJe1PlIyQ4udWB8zZezJ4mLLfbOA9YVaYXx2AHHZJevo3nmRnlgJXo6mE00E/6q
khjDHKSMdl2WG6mO9TCDZc9qY3cAJDU6Ir0vSH7qUl8/vN13y4UOFkn8hM4kmZ6b
JqbZt5NbjHtY4uQ0VMW3RyESzhrO02mrp39auLNnH3EXdXaV1tk75H3qC7zJaeGW
MJyQfOE3YfEGRKn8fxubji716D8UecAxAzFyFL6m1JiOyV5acAiOpxN14qRYZdHn
XOM9DqGIGpoeY1UuD4Mo05osOqOUpBJHA9fSwhSZG7VNf+vgNWTLNYSYLI04KiMd
ulnvU6ds+QPz+KKtAgMBAAECggGATFfkSkUjjJCjLvDk4aScpSx6+Rakf2hrdS3x
jwqhyUfAXgTTeUQQBs1HVtHCgxQd+qlXYn3/qu8TeZVwG4NPztyi/Z5yB1wOGJEV
3k8N/ytul6pJFFn6p48VM01bUdTrkMJbXERe6g/rr6dBQeeItCaOK7N5SIJH3Oqh
9xYuB5tH4rquCdYLmt17Tx8CaVqU9qPY3vOdQEOwIjjMV8uQUR8rHSO9KkSj8AGs
Lq9kcuPpvgJc2oqMRcNePS2WVh8xPFktRLLRazgLP8STHAtjT6SlJ2UzkUqfDHGK
q/BoXxBDu6L1VDwdnIS5HXtL54ElcXWsoOyKF8/ilmhRUIUWRZFmlS1ok8IC5IgX
UdL9rJVZFTRLyAwmcCEvRM1asbBrhyEyshSOuN5nHJi2WVJ+wSHijeKl1qeLlpMk
HrdIYBq4Nz7/zXmiQphpAy+yQeanhP8O4O6C8e7RwKdpxe44su4Z8fEgA5yQx0u7
8yR1EhGKydX5bhBLR5Cm1VM7rT2BAoHBAP/+e5gZLNf/ECtEBZjeiJ0VshszOoUq
haUQPA+9Bx9pytsoKm5oQhB7QDaxAvrn8/FUW2aAkaXsaj9F+/q30AYSQtExai9J
fdKKook3oimN8/yNRsKmhfjGOj8hd4+GjX0qoMSBCEVdT+bAjjry8wgQrqReuZnu
oXU85dmb3jvv0uIczIKvTIeyjXE5afjQIJLmZFXsBm09BG87Ia5EFUKly96BOMJh
/QWEzuYYXDqOFfzQtkAefXNFW21Kz4Hw2QKBwQDeiGh4lxCGTjECvG7fauMGlu+q
DSdYyMHif6t6mx57eS16EjvOrlXKItYhIyzW8Kw0rf/CSB2j8ig1GkMLTOgrGIJ1
0322o50FOr5oOmZPueeR4pOyAP0fgQ8DD1L3JBpY68/8MhYbsizVrR+Ar4jM0f96
W2bF5Xj3h+fQTDMkx6VrCCQ6miRmBUzH+ZPs5n/lYOzAYrqiKOanaiHy4mjRvlsy
mjZ6z5CG8sISqcLQ/k3Qli5pOY/v0rdBjgwAW/UCgcEAqGVYGjKdXCzuDvf9EpV4
mpTWB6yIV2ckaPOn/tZi5BgsmEPwvZYZt0vMbu28Px7sSpkqUuBKbzJ4pcy8uC3I
SuYiTAhMiHS4rxIBX3BYXSuDD2RD4vG1+XM0h6jVRHXHh0nOXdVfgnmigPGz3jVJ
B8oph/jD8O2YCk4YCTDOXPEi8Rjusxzro+whvRR+kG0gsGGcKSVNCPj1fNISEte4
gJId7O1mUAAzeDjn/VaS/PXQovEMolssPPKn9NocbKbpAoHBAJnFHJunl22W/lrr
ppmPnIzjI30YVcYOA5vlqLKyGaAsnfYqP1WUNgfVhq2jRsrHx9cnHQI9Hu442PvI
x+c5H30YFJ4ipE3eRRRmAUi4ghY5WgD+1hw8fqyUW7E7l5LbSbGEUVXtrkU5G64T
UR91LEyMF8OPATdiV/KD4PWYkgaqRm3tVEuCVACDTQkqNsOOi3YPQcm270w6gxfQ
SOEy/kdhCFexJFA8uZvmh6Cp2crczxyBilR/yCxqKOONqlFdOQKBwFbJk5eHPjJz
AYueKMQESPGYCrwIqxgZGCxaqeVArHvKsEDx5whI6JWoFYVkFA8F0MyhukoEb/2x
2qB5T88Dg3EbqjTiLg3qxrWJ2OxtUo8pBP2I2wbl2NOwzcbrlYhzEZ8bJyxZu5i1
sYILC8PJ4Qzw6jS4Qpm4y1WHz8e/ElW6VyfmljZYA7f9WMntdfeQVqCVzNTvKn6f
hg6GSpJTzp4LV3ougi9nQuWXZF2wInsXkLYpsiMbL6Fz34RwohJtYA==
-----END PRIVATE KEY-----
```
Bob checks that the length of the ciphertext is less than nLen bytes. Bob checks that the ciphertext is greater than zero and is less than his RSA modulus.

Bob decrypts the ciphertext with his RSA private key to obtain the integer z:

```
9c126102a5c1c0354672a3c2f19fc9ddea988f815e1da812c7bd4f8eb082bdd1
4f85a7f7c2f1af11d5333e0d6bcb375bf855f208da72ba27e6fb0655f2825aa6
2b93b1f9bbd3491fed58f0380fa0de36430e3a144d569600bd362609be5b9481
0875990b614e406fa6dff500043cbca95968faba61f795096a7fb3687a51078c
4ca2cb663366b0bea0cd9cccac72a25f3f4ed03deb68b4453bba44b943f4367b
67d6cd10c8ace53f545aac50968fc3c6ecc80f3224b64e37038504e2d2c0e2b2
9d45e46c62826d96331360e4c17ea3ef89a9efc5fac99eda830e81450b6534dc
0bdf042b8f3b706649c631fe51fc2445cc8d447203ec2f41f79cdfea16de1ce6
abdfdc1e2ef2e5d5d8a65e645f397240ef5a26f5e4ff715de782e30ecf477293
e89e13171405909a8e04dd31d21d0c57935fc1ceea8e1033e31e1bc8c56da0f3
d79510f3f380ff58e5a61d361f2f18e99fbae5663172e8cd1f21deaddc5bbbea
060d55f1842b93d1a9c888d0bf85d0af9947fe51acf940c7e7577eb79cabecb3
```

Bob checks that the integer z is greater than zero and is less than his RSA modulus.

Bob derives the shared secret (SS) using KDF3 with SHA-256:

```
3cf82ec41b54ed4d37402bbd8f805a52
```
D.4. Recipient CMS Processing
Bob encodes the CMSORIforKEMOtherInfo structure with the algorithm identifier for AES-128-KEYWRAP and a key length of 16 octets. The DER encoding of CMSORIforKEMOtherInfo is not repeated here.

Bob derives the key-encryption key from the shared secret and the CMSORIforKEMOtherInfo structure, using KDF3 with SHA-256; the KEK is:

```
e6dc9d62ff2b469bef604c617b018718
```

Bob uses AES-KEY-WRAP to decrypt the content-encryption key with the key-encryption key; the content-encryption key is:

```
77f2a84640304be7bd42670a84a1258b
```

Bob decrypts the content using AES-128-CBC with the content-encryption key. The 16-octet IV used is:

```
480ccafebabefacedbaddecaf8887781
```

The received ciphertext content is:

```
c6ca65db7bdd76b0f37e2fab6264b66d
```

The resulting padded plaintext content is:

```
48656c6c6f2c20776f726c6421030303
```

After stripping the AES-CBC padding, the plaintext content is:

```
Hello, world!
```
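The recipient steps of D.3 and D.4 that need only integer arithmetic and SHA-256 can be replayed from the values on this page. The Python below is an added example, not code from the draft or its authors. It parses Bob's key (the PEM body on the page is a PKCS#1 RSAPrivateKey despite its PRIVATE KEY label, so it is decoded as one), applies the range checks from D.3, recovers z with the private exponent, and derives SS and then the KEK over the CMSORIforKEMOtherInfo octets printed in D.2; ct is taken from the 384-octet OCTET STRING in the KEMRecipientInfo dump. Three points are this editor's reading rather than statements of the page: KDF3 is implemented as SHA-256(counter || Z || OtherInfo) with a 4-octet big-endian counter starting at 0; the RSA-KEM shared secret is derived with no OtherInfo; and the ciphertext length check is written as "exactly nLen octets", since ct is the fixed-length encoding of c and the page's own ct is 384 octets. The script reports whether its SS and KEK equal the values printed above, so a different reading of KDF3 shows up as a mismatch instead of being silently accepted. The AES-KEYWRAP and AES-CBC steps need an AES implementation and are not included.

```python
import base64
import hashlib
# Bob's key from D.3, base64 body only.  The page labels it PRIVATE KEY, but the DER is a PKCS#1 RSAPrivateKey.
BOB_PRIVATE_KEY_B64 = """
MIIG5AIBAAKCAYEA3ocW14cxncPJ47fnEjBZAyfC2lqapL3ET4jvV6C7gGeVrRQx
WPDwl+cFYBBR2ej3j3/0ecDmu+XuVi2+s5JHKeeza+itfuhsz3yifgeEpeK8T+Su
sHhn20/NBLhYKbh3kiAcCgQ56dpDrDvDcLqqvS3jg/VO+OPnZbofoHOOevt8Q/ro
ahJe1PlIyQ4udWB8zZezJ4mLLfbOA9YVaYXx2AHHZJevo3nmRnlgJXo6mE00E/6q
khjDHKSMdl2WG6mO9TCDZc9qY3cAJDU6Ir0vSH7qUl8/vN13y4UOFkn8hM4kmZ6b
JqbZt5NbjHtY4uQ0VMW3RyESzhrO02mrp39auLNnH3EXdXaV1tk75H3qC7zJaeGW
MJyQfOE3YfEGRKn8fxubji716D8UecAxAzFyFL6m1JiOyV5acAiOpxN14qRYZdHn
XOM9DqGIGpoeY1UuD4Mo05osOqOUpBJHA9fSwhSZG7VNf+vgNWTLNYSYLI04KiMd
ulnvU6ds+QPz+KKtAgMBAAECggGATFfkSkUjjJCjLvDk4aScpSx6+Rakf2hrdS3x
jwqhyUfAXgTTeUQQBs1HVtHCgxQd+qlXYn3/qu8TeZVwG4NPztyi/Z5yB1wOGJEV
3k8N/ytul6pJFFn6p48VM01bUdTrkMJbXERe6g/rr6dBQeeItCaOK7N5SIJH3Oqh
9xYuB5tH4rquCdYLmt17Tx8CaVqU9qPY3vOdQEOwIjjMV8uQUR8rHSO9KkSj8AGs
Lq9kcuPpvgJc2oqMRcNePS2WVh8xPFktRLLRazgLP8STHAtjT6SlJ2UzkUqfDHGK
q/BoXxBDu6L1VDwdnIS5HXtL54ElcXWsoOyKF8/ilmhRUIUWRZFmlS1ok8IC5IgX
UdL9rJVZFTRLyAwmcCEvRM1asbBrhyEyshSOuN5nHJi2WVJ+wSHijeKl1qeLlpMk
HrdIYBq4Nz7/zXmiQphpAy+yQeanhP8O4O6C8e7RwKdpxe44su4Z8fEgA5yQx0u7
8yR1EhGKydX5bhBLR5Cm1VM7rT2BAoHBAP/+e5gZLNf/ECtEBZjeiJ0VshszOoUq
haUQPA+9Bx9pytsoKm5oQhB7QDaxAvrn8/FUW2aAkaXsaj9F+/q30AYSQtExai9J
fdKKook3oimN8/yNRsKmhfjGOj8hd4+GjX0qoMSBCEVdT+bAjjry8wgQrqReuZnu
oXU85dmb3jvv0uIczIKvTIeyjXE5afjQIJLmZFXsBm09BG87Ia5EFUKly96BOMJh
/QWEzuYYXDqOFfzQtkAefXNFW21Kz4Hw2QKBwQDeiGh4lxCGTjECvG7fauMGlu+q
DSdYyMHif6t6mx57eS16EjvOrlXKItYhIyzW8Kw0rf/CSB2j8ig1GkMLTOgrGIJ1
0322o50FOr5oOmZPueeR4pOyAP0fgQ8DD1L3JBpY68/8MhYbsizVrR+Ar4jM0f96
W2bF5Xj3h+fQTDMkx6VrCCQ6miRmBUzH+ZPs5n/lYOzAYrqiKOanaiHy4mjRvlsy
mjZ6z5CG8sISqcLQ/k3Qli5pOY/v0rdBjgwAW/UCgcEAqGVYGjKdXCzuDvf9EpV4
mpTWB6yIV2ckaPOn/tZi5BgsmEPwvZYZt0vMbu28Px7sSpkqUuBKbzJ4pcy8uC3I
SuYiTAhMiHS4rxIBX3BYXSuDD2RD4vG1+XM0h6jVRHXHh0nOXdVfgnmigPGz3jVJ
B8oph/jD8O2YCk4YCTDOXPEi8Rjusxzro+whvRR+kG0gsGGcKSVNCPj1fNISEte4
gJId7O1mUAAzeDjn/VaS/PXQovEMolssPPKn9NocbKbpAoHBAJnFHJunl22W/lrr
ppmPnIzjI30YVcYOA5vlqLKyGaAsnfYqP1WUNgfVhq2jRsrHx9cnHQI9Hu442PvI
x+c5H30YFJ4ipE3eRRRmAUi4ghY5WgD+1hw8fqyUW7E7l5LbSbGEUVXtrkU5G64T
UR91LEyMF8OPATdiV/KD4PWYkgaqRm3tVEuCVACDTQkqNsOOi3YPQcm270w6gxfQ
SOEy/kdhCFexJFA8uZvmh6Cp2crczxyBilR/yCxqKOONqlFdOQKBwFbJk5eHPjJz
AYueKMQESPGYCrwIqxgZGCxaqeVArHvKsEDx5whI6JWoFYVkFA8F0MyhukoEb/2x
2qB5T88Dg3EbqjTiLg3qxrWJ2OxtUo8pBP2I2wbl2NOwzcbrlYhzEZ8bJyxZu5i1
sYILC8PJ4Qzw6jS4Qpm4y1WHz8e/ElW6VyfmljZYA7f9WMntdfeQVqCVzNTvKn6f
hg6GSpJTzp4LV3ougi9nQuWXZF2wInsXkLYpsiMbL6Fz34RwohJtYA==
"""
# ct: the 384-octet OCTET STRING carried in the KEMRecipientInfo of D.2, as lower-case hex.
CT_HEX = (
    "c071fc273af8e7bdb152e06bf73310361074154a43abcf3c93c13499d20653443eed9ef5d3c0685e4aa76a6854815bb97691ff9f8dac15eea7d74f452bf350a6"
    "46163d68288e978cbf7a73089ee52712f9a4f49e06ace7bbc85ab14d4e336c97c5728a2654138c7b26e8835c6b0a9fbed26495c4eadf745a2933be283f6a88b1"
    "6695fc06666873cfb6d36718ef3376cefc100c3941f3c494944078325807a559186b95ccabf3714cfaf79f83bd30537fdd9aed5a4cdcbd8bd0486faed73e9d48"
    "6b3087d6c806546b6e2671575c98461e441f65542bd95de26d0f53a64e7848d731d9608d053e8d345546602d86236ffe3704c98ad59144f3089e5e6d527b5497"
    "ba103c79d62e80d0235410b06f71a7d9bd1c38000f910d6312ea2f20a3557535ad01b3093fb5f7ee507080d0f77d48c9c3b3796f6b7dd3786085fb895123f04c"
    "a1f1c1be22c747a8dface32370fb0d570783e27dbb7e74fca94ee39676fde3d8a9553d878224736e37e191dab953c7e228c07ad5ca3122421c14debd072a9ab6"
)
# DER of CMSORIforKEMOtherInfo (AES-128-KEYWRAP, 16 octets), and the SS and KEK the page prints.
OTHER_INFO_HEX = "3010300b0609608648016503040105020110"
SS_ON_PAGE = "3cf82ec41b54ed4d37402bbd8f805a52"
KEK_ON_PAGE = "e6dc9d62ff2b469bef604c617b018718"

def parse_rsa_private_key(b64):
    """(n, e, d) from a PKCS#1 RSAPrivateKey: a SEQUENCE of INTEGERs, walked flat."""
    der = base64.b64decode("".join(b64.split()))
    ints, pos = [], 0
    while pos < len(der):
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:                             # long-form length
            nbytes = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + nbytes], "big"), pos + nbytes
        if tag == 0x02:                               # version, n, e, d, p, q, dP, dQ, qInv
            ints.append(int.from_bytes(der[pos:pos + length], "big"))
            pos += length
        elif tag != 0x30:                             # the outer SEQUENCE is simply entered
            raise ValueError("unexpected tag 0x%02x" % tag)
    if len(ints) < 4 or ints[0] != 0:
        raise ValueError("not a version-0 RSAPrivateKey")
    return ints[1], ints[2], ints[3]

def kdf3(z, other_info, length):
    """ASSUMPTION: KDF3 = SHA-256(I2OSP(counter, 4) || Z || OtherInfo), counter from 0."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(counter.to_bytes(4, "big") + z + other_info).digest()
        counter += 1
    return out[:length]

def rsa_kem_decapsulate(n, d, ct, ss_len=16):
    """D.3: check ct, recover z, then SS = KDF3(I2OSP(z, nLen)) with no OtherInfo (assumption)."""
    n_len = (n.bit_length() + 7) // 8
    if len(ct) != n_len:                              # ct is the fixed-length encoding of c
        raise ValueError("ciphertext length is not nLen")
    c = int.from_bytes(ct, "big")
    if not 0 < c < n:
        raise ValueError("ciphertext not in (0, n)")
    z = pow(c, d, n)
    if not 0 < z < n:
        raise ValueError("decrypted integer not in (0, n)")
    return z, kdf3(z.to_bytes(n_len, "big"), b"", ss_len)

if __name__ == "__main__":
    n, e, d = parse_rsa_private_key(BOB_PRIVATE_KEY_B64)
    z, ss = rsa_kem_decapsulate(n, d, bytes.fromhex(CT_HEX))
    print(ss.hex() == SS_ON_PAGE, kdf3(ss, bytes.fromhex(OTHER_INFO_HEX), 16).hex() == KEK_ON_PAGE)
```

The range checks come before any use of the decrypted value, and the KEK is bound to the wrap algorithm and key length through the OtherInfo octets, which is the property the CMSORIforKEMOtherInfo structure exists to provide: a KEK derived for AES-128-KEYWRAP with a 16-octet key cannot be reused under a different algorithm identifier or length without changing.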
Acknowledgements
We thank James Randall, Burt Kaliski, and John Brainard as the
original authors of [RFC5990]; this document is based on their work.
We thank the members of the ASC X9F1 working group for their
contributions to drafts of ANS X9.44, which led to [RFC5990].
We thank Blake Ramsdell, Jim Schaad, Magnus Nystrom, Bob Griffin, and
John Linn for helping bring [RFC5990] to fruition.
We thank Burt Kaliski, Alex Railean, Joe Mandel, Mike Ounsworth,
Peter Campbell, Daniel Van Geest, and David Ireland for careful
review and thoughtful comments that greatly improved this document.
Authors' Addresses
Russ Housley
Vigil Security, LLC
516 Dranesville Road
Herndon, VA, 20170
United States of America
Email: housley@vigilsec.com
Sean Turner
sn3rd
Email: sean@sn3rd.com