< draft-ietf-smime-3278bis-00.txt   draft-ietf-smime-3278bis-01.txt >
S/MIME WG Sean Turner, IECA S/MIME WG Sean Turner, IECA
Internet Draft Dan Brown, Certicom Internet Draft Dan Brown, Certicom
Intended Status: Informational June 3, 2008 Intended Status: Informational June 30, 2008
Obsoletes: 3278 (once approved) Obsoletes: 3278 (once approved)
Expires: December 3, 2008 Expires: December 30, 2008
Use of Elliptic Curve Cryptography (ECC) Algorithms Use of Elliptic Curve Cryptography (ECC) Algorithms
in Cryptographic Message Syntax (CMS) in Cryptographic Message Syntax (CMS)
draft-ietf-smime-3278bis-00.txt draft-ietf-smime-3278bis-01.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 35 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html http://www.ietf.org/shadow.html
This Internet-Draft will expire on December 3, 2008. This Internet-Draft will expire on December 30, 2008.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (C) The IETF Trust (2008).
Abstract Abstract
This document describes how to use Elliptic Curve Cryptography (ECC) This document describes how to use Elliptic Curve Cryptography (ECC)
public-key algorithms in the Cryptographic Message Syntax (CMS). The public-key algorithms in the Cryptographic Message Syntax (CMS). The
ECC algorithms support the creation of digital signatures and the ECC algorithms support the creation of digital signatures and the
skipping to change at page 2, line 17 skipping to change at page 2, line 17
Discussion Discussion
This draft is being discussed on the 'ietf-smime' mailing list. To This draft is being discussed on the 'ietf-smime' mailing list. To
subscribe, send a message to ietf-smime-request@imc.org with the subscribe, send a message to ietf-smime-request@imc.org with the
single word subscribe in the body of the message. There is a Web site single word subscribe in the body of the message. There is a Web site
for the mailing list at <http://www.imc.org/ietf-smime/>. for the mailing list at <http://www.imc.org/ietf-smime/>.
Table of Contents Table of Contents
1. Introduction...................................................3 1. Introduction...................................................2
1.1. Requirements Terminology..................................3 1.1. Requirements Terminology..................................3
1.2. Changes since RFC 3278....................................3 1.2. Changes since RFC 3278....................................3
2. SignedData using ECC...........................................4 2. SignedData using ECC...........................................4
2.1. SignedData using ECDSA....................................4 2.1. SignedData using ECDSA....................................4
2.1.1. Fields of the SignedData.............................5
2.1.2. Actions of the sending agent.........................5
2.1.3. Actions of the receiving agent.......................6
3. EnvelopedData using ECC Algorithms.............................6 3. EnvelopedData using ECC Algorithms.............................6
3.1. EnvelopedData using (ephemeral-static) ECDH...............6 3.1. EnvelopedData using (ephemeral-static) ECDH...............6
3.1.1. Fields of KeyAgreeRecipientInfo......................6
3.1.2. Actions of the sending agent.........................7
3.1.3. Actions of the receiving agent.......................7
3.2. EnvelopedData using 1-Pass ECMQV..........................7 3.2. EnvelopedData using 1-Pass ECMQV..........................7
3.2.1. Fields of KeyAgreeRecipientInfo......................8 4. AuthenticatedData and AuthEnvelopedData using ECC..............9
3.2.2. Actions of the sending agent.........................8
3.2.3. Actions of the receiving agent.......................9
4. AuthenticatedData using ECC....................................9
4.1. AuthenticatedData using 1-pass ECMQV......................9 4.1. AuthenticatedData using 1-pass ECMQV......................9
4.1.1. Fields of the KeyAgreeRecipientInfo.................10 4.2. AuthEnvelopedData using 1-pass ECMQV.....................10
4.1.2. Actions of the sending agent........................10
4.1.3. Actions of the receiving agent......................10
5. Recommended Algorithms and Elliptic Curves....................10 5. Recommended Algorithms and Elliptic Curves....................10
6. Certificates using ECC........................................11 6. Certificates using ECC........................................12
7. SMIMECapabilities Attribute and ECC...........................12 7. SMIMECapabilities Attribute and ECC...........................12
8. ASN.1 Syntax..................................................14 8. ASN.1 Syntax..................................................15
8.1. Algorithm Identifiers....................................14 8.1. Algorithm Identifiers....................................15
8.2. Other Sytnax.............................................17 8.2. Other Syntax.............................................18
9. Security Considerations.......................................18 9. Security Considerations.......................................19
10. IANA Considerations..........................................22 10. IANA Considerations..........................................24
11. References...................................................22 11. References...................................................24
11.1. Normative...............................................22 11.1. Normative...............................................24
11.2. Informative.............................................23 11.2. Informative.............................................26
Appendix A ASN.1 Modules.........................................27
Annex A ASN.1 Modules............................................25 Appendix A.1 1988 ASN.1 Module................................27
Annex A.1 1988 ASN.1 Module...................................25 Appendix A.2 2004 ASN.1 Module................................34
Annex A.2 2004 ASN.1 Module...................................25
1. Introduction 1. Introduction
The Cryptographic Message Syntax (CMS) is cryptographic algorithm The Cryptographic Message Syntax (CMS) is cryptographic algorithm
independent. This specification defines a profile for the use of independent. This specification defines a profile for the use of
Elliptic Curve Cryptography (ECC) public key algorithms in the CMS. Elliptic Curve Cryptography (ECC) public key algorithms in the CMS.
The ECC algorithms are incorporated into the following CMS content The ECC algorithms are incorporated into the following CMS content
types: types:
- 'SignedData' to support ECC-based digital signature methods - 'SignedData' to support ECC-based digital signature methods
skipping to change at page 3, line 42 skipping to change at page 3, line 30
1.1. Requirements Terminology 1.1. Requirements Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [MUST]. document are to be interpreted as described in [MUST].
1.2. Changes since RFC 3278 1.2. Changes since RFC 3278
The following summarizes the changes: The following summarizes the changes:
- Paragraph 2.1 added sentence indicating SHA is used with EDSA. - Section 2.1 added sentence indicating SHA is used with EDSA.
- Paragraph 2.1.1 limited the digest algorithm to SHA-1. This - Section 2.1.1 limited the digest algorithm to SHA-1. This document
document expands the allowed algorithms to SHA-224, SHA-256, SHA- expands the allowed algorithms to SHA-224, SHA-256, SHA-384, and
384, and SHA-512. SHA-512.
- Paragraph 3.1.1 used SHA1 in the KDF with ECDH std and cofactor - Section 2.1.2 and 2.1.3 - Delete e paragraph and update ANSI X9.42
references.
- Section 3.1 - Updates reference to CMS-ALG vice CMS for DH.
- Section 3.1.1 used SHA1 in the KDF with ECDH std and cofactor
methods. This document expands the set of allowed algorithms by methods. This document expands the set of allowed algorithms by
adding SHA-224, SHA-256, SHA-384, and SHA-512. adding SHA-224, SHA-256, SHA-384, and SHA-512.
- Paragraph 3.2.1 used SHA1 in the KDF with ECMQV. This document - Section 3.2.1 used SHA1 in the KDF with ECMQV. This document
expands the set of allowed algorithms by adding SHA-224, SHA-256, expands the set of allowed algorithms by adding SHA-224, SHA-256,
SHA-384, and SHA-512. SHA-384, and SHA-512.
- Paragraph 5 is updated to include requirements for hash algorithms - Section 4.2 was added to address ECMQV use of AuthEnvelopedData.
- Section 5 is updated to include requirements for hash algorithms
and recommendations for matching curves and hash algorithms. It and recommendations for matching curves and hash algorithms. It
also was expanded to indicate which ECDH and ECMQV variants are also was expanded to indicate which ECDH and ECMQV variants, key
required. wrap algorithms, and content encryption algorithms are required
for each of the content types used in this document..
- Paragraph 7 is updated to include S/MIME capabilities for ECDSA - Section 7 is updated to include S/MIME capabilities for ECDSA with
with SHA-224, SHA-256, SHA-384, and SHA-512. It was also updated SHA-224, SHA-256, SHA-384, and SHA-512. It was also updated to
to include S/MIME capabilities for ECDH and ECMQV using SHA2 include S/MIME capabilities for ECDH and ECMQV using SHA2
algorithms as the KDF. algorithms as the KDF.
- Paragraph 8.1 listed the algorithm identifiers for SHA-1 and SHA-1 - Section 8.1 listed the algorithm identifiers for SHA-1 and SHA-1
with ECDSA. This document adds algorithm identifiers for SHA-224, with ECDSA. This document adds algorithm identifiers for SHA-224,
SHA-256, SHA-384, and SHA-512 as well as SHA-224, SHA-256, SHA- SHA-256, SHA-384, and SHA-512 as well as SHA-224, SHA-256, SHA-
384, and SHA-512 with ECDSA. This document also updates the list 384, and SHA-512 with ECDSA. This document also updates the list
of algorithm identifiers for ECDH std, ECDH cofactor, and ECMQV of algorithm identifiers for ECDH std, ECDH cofactor, and ECMQV
with SHA2 algorithms as the KDF. with SHA2 algorithms as the KDF.
- Deleted summary paragraph. - Deleted summary paragraph.
- Updated references. - Updated references.
skipping to change at page 5, line 37 skipping to change at page 5, line 34
When using ECDSA, the SignedData certificates field MAY include the When using ECDSA, the SignedData certificates field MAY include the
certificate(s) for the EC public key(s) used in the generation of the certificate(s) for the EC public key(s) used in the generation of the
ECDSA signatures in SignedData. ECC certificates are discussed in ECDSA signatures in SignedData. ECC certificates are discussed in
Section 6. Section 6.
2.1.2. Actions of the sending agent 2.1.2. Actions of the sending agent
When using ECDSA with SignedData, the sending agent uses the message When using ECDSA with SignedData, the sending agent uses the message
digest calculation process and signature generation process for digest calculation process and signature generation process for
SignedData that are specified in [CMS]. To sign data, the sending SignedData that are specified in [CMS]. To sign data, the sending
agent uses the signature method specified in [X9.62, Section 5.3] agent uses the signature method specified in [X9.62, Section 7.3].
with the following exceptions:
- In [X9.62, Section 5.3.1], the integer "e" is instead determined
by converting the message digest generated according to [CMS,
Section 5.4] to an integer using the data conversion method in
[X9.62, Section 4.3.2].
The sending agent encodes the resulting signature using the ECDSA- The sending agent encodes the resulting signature using the ECDSA-
Sig-Value syntax (see Section 8.2) and places it in the Sig-Value syntax (see Section 8.2) and places it in the
SignerInfosignature field. SignerInfosignature field.
2.1.3. Actions of the receiving agent 2.1.3. Actions of the receiving agent
When using ECDSA with SignedData, the receiving agent uses the When using ECDSA with SignedData, the receiving agent uses the
message digest calculation process and signature verification process message digest calculation process and signature verification process
for SignedData that are specified in [CMS]. To verify SignedData, for SignedData that are specified in [CMS]. To verify SignedData,
the receiving agent uses the signature verification method specified the receiving agent uses the signature verification method specified
in [X9.62, Section 5.4] with the following exceptions: in [X9.62, Section 7.3].
- In [X9.62, Section 5.4.1] the integer "e'" is instead determined
by converting the message digest generated according to [CMS,
Section 5.4] to an integer using the data conversion method in
[X9.62, Section 4.3.2].
In order to verify the signature, the receiving agent retrieves the In order to verify the signature, the receiving agent retrieves the
integers r and s from the SignerInfo signature field of the received integers r and s from the SignerInfo signature field of the received
message. message.
3. EnvelopedData using ECC Algorithms 3. EnvelopedData using ECC Algorithms
This section describes how to use ECC algorithms with the CMS This section describes how to use ECC algorithms with the CMS
EnvelopedData format. EnvelopedData format.
3.1. EnvelopedData using (ephemeral-static) ECDH 3.1. EnvelopedData using (ephemeral-static) ECDH
This section describes how to use the ephemeral-static Elliptic Curve This section describes how to use the ephemeral-static Elliptic Curve
Diffie-Hellman (ECDH) key agreement algorithm with EnvelopedData. Diffie-Hellman (ECDH) key agreement algorithm with EnvelopedData.
Ephemeral-static ECDH is specified in [SEC1] and [IEEE1363]. Ephemeral-static ECDH is specified in [SEC1] and [IEEE1363].
Ephemeral-static ECDH is the the elliptic curve analog of the Ephemeral-static ECDH is the elliptic curve analog of the
ephemeral-static Diffie-Hellman key agreement algorithm specified ephemeral-static Diffie-Hellman key agreement algorithm specified
jointly in the documents [CMS, Section 12.3.1.1] and [CMS-DH]. jointly in the documents [CMS-ALG, Section 4.1.1] and [CMS-DH].
In an implementation that uses ECDH with CMS EnvelopedData with key In an implementation that uses ECDH with CMS EnvelopedData with key
agreement, the following techniques and formats MUST be used. agreement, the following techniques and formats MUST be used.
3.1.1. Fields of KeyAgreeRecipientInfo 3.1.1. Fields of KeyAgreeRecipientInfo
When using ephemeral-static ECDH with EnvelopedData, the fields of When using ephemeral-static ECDH with EnvelopedData, the fields of
KeyAgreeRecipientInfo are as in [CMS], but with the following KeyAgreeRecipientInfo are as in [CMS], but with the following
restrictions: restrictions:
skipping to change at page 8, line 31 skipping to change at page 8, line 15
certificates. certificates.
ukm MUST be present. The ukm field MUST contain an octet string ukm MUST be present. The ukm field MUST contain an octet string
which is the DER encoding of the type MQVuserKeyingMaterial (see which is the DER encoding of the type MQVuserKeyingMaterial (see
Section 8.2). The MQVuserKeyingMaterial ephemeralPublicKey Section 8.2). The MQVuserKeyingMaterial ephemeralPublicKey
algorithm field MUST contain the id-ecPublicKey object identifier algorithm field MUST contain the id-ecPublicKey object identifier
(see Section 8.1) with NULL parameters field. The (see Section 8.1) with NULL parameters field. The
MQVuserKeyingMaterial ephemeralPublicKey publicKey field MUST MQVuserKeyingMaterial ephemeralPublicKey publicKey field MUST
contain the DER-encoding of the ASN.1 type ECPoint (see Section contain the DER-encoding of the ASN.1 type ECPoint (see Section
8.2) representing sending agent's ephemeral EC public key. The 8.2) representing the sending agent's ephemeral EC public key.
MQVuserKeyingMaterial addedukm field, if present, SHOULD contain The MQVuserKeyingMaterial addedukm field, if present, SHOULD
an octet string of additional user keying material of the sending contain an octet string of additional user keying material of the
agent. sending agent.
keyEncryptionAlgorithm MUST be the key encryption algorithm keyEncryptionAlgorithm MUST be the key encryption algorithm
identifier (see Section 8.1), with the parameters field identifier (see Section 8.1), with the parameters field
KeyWrapAlgorithm. The KeyWrapAlgorithm indicates the symmetric KeyWrapAlgorithm. The KeyWrapAlgorithm indicates the symmetric
encryption algorithm used to encrypt the CEK with the KEK encryption algorithm used to encrypt the CEK with the KEK
generated using the 1-Pass ECMQV algorithm. Algorithm generated using the 1-Pass ECMQV algorithm. Algorithm
requirements are found in paragraph 5. requirements are found in paragraph 5.
3.2.2. Actions of the sending agent 3.2.2. Actions of the sending agent
skipping to change at page 9, line 34 skipping to change at page 9, line 19
ECC-CMS-SharedInfo (see Section 8.2), and the integer "keydatalen" ECC-CMS-SharedInfo (see Section 8.2), and the integer "keydatalen"
from the key-size, in bits, of the KeyWrapAlgorithm. The receiving from the key-size, in bits, of the KeyWrapAlgorithm. The receiving
agent then retrieves the static and ephemeral EC public keys of the agent then retrieves the static and ephemeral EC public keys of the
originator, from the originator and ukm fields as described in field originator, from the originator and ukm fields as described in field
and checks that the domain parameters are the same. The receiving and checks that the domain parameters are the same. The receiving
agent then performs the key agreement operation of the Elliptic Curve agent then performs the key agreement operation of the Elliptic Curve
MQV Scheme [SEC1, Section 6.2]. As a result, the receiving agent MQV Scheme [SEC1, Section 6.2]. As a result, the receiving agent
obtains a shared secret bit string "K" which is used as the pairwise obtains a shared secret bit string "K" which is used as the pairwise
key-encryption key to unwrap the CEK. key-encryption key to unwrap the CEK.
4. AuthenticatedData using ECC 4. AuthenticatedData and AuthEnvelopedData using ECC
This section describes how to use ECC algorithms with the CMS This section describes how to use ECC algorithms with the CMS
AuthenticatedData format. AuthenticatedData lacks non-repudiation, AuthenticatedData format. AuthenticatedData lacks non-repudiation,
and so in some instances is preferable to SignedData. (For example, and so in some instances is preferable to SignedData. (For example,
the sending agent might not want the message to be authenticated when the sending agent might not want the message to be authenticated when
forwarded.) forwarded.)
This section also describes how to use ECC algorithms with the CMS
AuthEnvelopedData format [CMS-AUTHENV]. AuthEnvelopedData supports
authentication and encryption, and in some instances is preferable to
signing and than encrypting data.
4.1. AuthenticatedData using 1-pass ECMQV 4.1. AuthenticatedData using 1-pass ECMQV
This section describes how to use the 1-Pass elliptic curve MQV This section describes how to use the 1-Pass elliptic curve MQV
(ECMQV) key agreement algorithm with AuthenticatedData. ECMQV is (ECMQV) key agreement algorithm with AuthenticatedData. ECMQV is
specified in [SEC1]. An advantage of using 1-Pass ECMQV is that it specified in [SEC1]. An advantage of using 1-Pass ECMQV is that it
can be used with both EnvelopedData and AuthenticatedData. can be used with EnvelopedData, AuthenticatedData, and
AuthEnvelopedData.
4.1.1. Fields of the KeyAgreeRecipientInfo 4.1.1. Fields of the KeyAgreeRecipientInfo
The AuthenticatedData KeyAgreeRecipientInfo fields are used in the The AuthenticatedData KeyAgreeRecipientInfo fields are used in the
same manner as the fields for the corresponding EnvelopedData same manner as the fields for the corresponding EnvelopedData
KeyAgreeRecipientInfo fields of Section 3.2.1 of this document. KeyAgreeRecipientInfo fields of Section 3.2.1 of this document.
4.1.2. Actions of the sending agent 4.1.2. Actions of the sending agent
The sending agent uses the same actions as for EnvelopedData with 1- The sending agent uses the same actions as for EnvelopedData with
Pass ECMQV, as specified in Section 3.2.2 of this document. 1-Pass ECMQV, as specified in Section 3.2.2 of this document.
The ephemeral public key can be re-used with an EnvelopedData for The ephemeral public key can be re-used with an EnvelopedData for
greater efficiency. greater efficiency.
Note: if there are multiple recipients, an attack is possible where Note: if there are multiple recipients, an attack is possible where
one recipient modifies the content without other recipients noticing one recipient modifies the content without other recipients noticing
[BON]. A sending agent who is concerned with such an attack SHOULD [BON]. A sending agent who is concerned with such an attack SHOULD
use a separate AuthenticatedData for each recipient. use a separate AuthenticatedData for each recipient.
4.1.3. Actions of the receiving agent 4.1.3. Actions of the receiving agent
The receiving agent uses the same actions as for EnvelopedData with The receiving agent uses the same actions as for EnvelopedData with
1-Pass ECMQV, as specified in Section 3.2.3 of this document. 1-Pass ECMQV, as specified in Section 3.2.3 of this document.
Note: see Note in Section 4.1.2. Note: see Note in Section 4.1.2.
4.2. AuthEnvelopedData using 1-pass ECMQV
This section describes how to use the 1-Pass elliptic curve MQV
(ECMQV) key agreement algorithm with AuthEnvelopedData. ECMQV is
specified in [SEC1]. An advantage of using 1-Pass ECMQV is that it
can be used with EnvelopedData, AuthenticatedData, and
AuthEnvelopedData.
4.2.1. Fields of the KeyAgreeRecipientInfo
The AuthEnvelopedData KeyAgreeRecipientInfo fields are used in the
same manner as the fields for the corresponding EnvelopedData
KeyAgreeRecipientInfo fields of Section 3.2.1 of this document.
4.2.2. Actions of the sending agent
The sending agent uses the same actions as for EnvelopedData with 1-
Pass ECMQV, as specified in Section 3.2.2 of this document.
The ephemeral public key can be re-used with an EnvelopedData for
greater efficiency.
4.2.3. Actions of the receiving agent
The receiving agent uses the same actions as for EnvelopedData with
1-Pass ECMQV, as specified in Section 3.2.3 of this document.
5. Recommended Algorithms and Elliptic Curves 5. Recommended Algorithms and Elliptic Curves
Implementations of this specification MUST implement either Implementations of this specification MUST implement either
SignedData with ECDSA or EnvelopedData with ephemeral-static ECDH. SignedData with ECDSA or EnvelopedData with ephemeral-static ECDH.
Implementations of this specification SHOULD implement both Implementations of this specification SHOULD implement both
SignedData with ECDSA and EnvelopedData with ephemeral-static ECDH. SignedData with ECDSA and EnvelopedData with ephemeral-static ECDH.
Implementations MAY implement the other techniques specified, such as Implementations MAY implement the other techniques specified, such as
AuthenticatedData and 1-Pass ECMQV. AuthenticatedData and 1-Pass ECMQV.
Furthermore, in order to encourage interoperability, implementations Furthermore, in order to encourage interoperability, implementations
SHOULD use the elliptic curve domain parameters specified by ANSI SHOULD use the elliptic curve domain parameters specified by ANSI
[X9.62], NIST [DSS] and SECG [SEC2]. It is RECOMMENDED that the P- [X9.62], NIST [DSS] and SECG [SEC2]. It is RECOMMENDED that the
256 curve be used with SHA-256, the P-384 curve be used with SHA-384, P-256 curve be used with SHA-256, the P-384 curve be used with
and the P-521 curve be used with SHA-512. SHA-384, and the P-521 curve be used with SHA-512.
Implementations of this specification MUST implement the SHA-256 hash Implementations of this specification MUST implement the SHA-256 hash
algorithm. The SHA-1, SHA-224, SHA-384, SHA-512 hash algorithms MAY algorithm. The SHA-1, SHA-224, SHA-384, SHA-512 hash algorithms MAY
be supported. be supported.
When ECDSA, ECDH, or ECMQV is used, it is RECOMMENDED that the When ECDSA, ECDH, or ECMQV is used, it is RECOMMENDED that the
P-256 curve be used with SHA-256, the P-384 curve be used with SHA- P-256 curve be used with SHA-256, the P-384 curve be used with
384, and the P-521 curve be used with SHA-512. SHA-384, and the P-521 curve be used with SHA-512.
Implementations of this specification that support EnvelopedData with Implementations of this specification that support EnvelopedData with
ephemeral-static ECDH standard primitive MUST support the ephemeral-static ECDH standard primitive MUST support the
dhSinglePass-stdDH-sha256kdf-scheme algorithm. They MUST also support dhSinglePass-stdDH-sha256kdf-scheme algorithm. They MUST also support
the id-aes128-wrap algorithm. The dhSinglePass-stdDH-sha1kdf-scheme, the id-aes128-wrap key wrap and id-aes128-cbc content encryption
dhSinglePass-stdDH-sha224kdf-scheme, dhSinglePass-stdDH-sha384kdf- algorithms. The dhSinglePass-stdDH-sha1kdf-scheme, dhSinglePass-
scheme, and dhSinglePass-stdDH-sha512kdf-scheme algorithms MAY be stdDH-sha224kdf-scheme, dhSinglePass-stdDH-sha384kdf-scheme, and
supported. Likewise, the id-alg-CMS3DESwrap, id-aes192-wrap, and id- dhSinglePass-stdDH-sha512kdf-scheme algorithms MAY be supported.
aes256wrap MAY be supported. Likewise, the id-alg-CMS3DESwrap, id-aes192-wrap, and id-aes256-wrap
key wrap algorithms and the id-aes192-cbc and id-aes256-cbc content
encryption algorithms MAY be supported.
Implementations of this specification that support EnvelopedData with Implementations of this specification that support EnvelopedData with
ephemeral-static ECDH cofactor primitive MUST support the ephemeral-static ECDH cofactor primitive MUST support the
dhSinglePass-cofactorDH-sha256kdf-scheme algorithm. They MUST also dhSinglePass-cofactorDH-sha256kdf-scheme algorithm. They MUST also
support the id-aes128-wrap algorithm. The dhSinglePass-cofactorDH- support the id-aes128-wrap key wrap and id-aes128-cbc content
sha1kdf-scheme, dhSinglePass-cofactorDH-sha224kdf-scheme, encryption algorithms. The dhSinglePass-cofactorDH-sha1kdf-scheme,
dhSinglePass-cofactorDH-sha384kdf-scheme, and dhSinglePass- dhSinglePass-cofactorDH-sha224kdf-scheme, dhSinglePass-cofactorDH-
cofactorDH-sha512kdf-scheme algorithms MAY be supported. Likewise, sha384kdf-scheme, and dhSinglePass-cofactorDH-sha512kdf-scheme
the id-alg-CMS3DESwrap, id-aes192-wrap, and id-aes256wrap MAY be algorithms MAY be supported. Likewise, the id-alg-CMS3DESwrap, id-
supported. aes192-wrap, and id-aes256-wrap MAY be supported.
Implementations of this specification that support EnvelopedData with Implementations of this specification that support EnvelopedData with
ECMQV MUST support the mqvSinglePass-sha256kdf-scheme algorithm. They ECMQV MUST support the mqvSinglePass-sha256kdf-scheme algorithm. They
MUST also support the id-aes128-wrap algorithm. The mqvSinglePass- MUST also support the id-aes128-wrap and id-aes128-cbc algorithms.
sha1kdf-scheme, mqvSinglePass-sha224kdf-scheme, mqvSinglePass- The mqvSinglePass-sha1kdf-scheme, mqvSinglePass-sha224kdf-scheme,
sha384kdf-scheme, and mqvSinglePass-sha512kdf-scheme algorithms MAY mqvSinglePass-sha384kdf-scheme, and mqvSinglePass-sha512kdf-scheme
be supported. Likewise, the id-alg-CMS3DESwrap, id-aes192-wrap, and algorithms MAY be supported. Likewise, the id-alg-CMS3DESwrap, id-
id-aes256wrap MAY be supported. aes192-wrap, and id-aes256-wrap key wrap algorithms and the id-
aes192-cbc and id-aes256-cbc content encryption algorithms MAY be
supported.
Implementations of this specification that support AuthenticatedData Implementations of this specification that support AuthenticatedData
with ECMQV MUST support the with ECMQV MUST support the
mqvSinglePass-sha256kdf-scheme algorithm. They MUST also support the mqvSinglePass-sha256kdf-scheme algorithm. They MUST also support the
id-aes128-wrap algorithm. The mqvSinglePass-sha1kdf-scheme, id-aes128-wrap key wrap, id-aes128-cbc content encryption, and id-
mqvSinglePass-sha224kdf-scheme, mqvSinglePass-sha384kdf-scheme, and hmacWithSHA256 message digest algorithms. The mqvSinglePass-sha1kdf-
mqvSinglePass-sha512kdf-scheme algorithms MAY be supported. Likewise, scheme, mqvSinglePass-sha224kdf-scheme, mqvSinglePass-sha384kdf-
the id-alg-CMS3DESwrap, id-aes192-wrap, and id-aes256wrap MAY be scheme, and mqvSinglePass-sha512kdf-scheme algorithms MAY be
supported. Likewise, the id-alg-CMS3DESwrap, id-aes192-wrap, and id-
aes256-wrap key wrap algorithms and the id-aes192-cbc and id-aes256-
cbc content encryption algorithms MAY be supported. The
id-hmacWithSHA1, id-hmacWithSHA224, id-hmacWithSHA384, and id-
hmacWithSHA512 MAY be supported.
Implementations of this specification that support AuthEnvelopedData
with ECMQV MUST support the
mqvSinglePass-sha256kdf-scheme algorithm. They MUST also support the
id-aes128-wrap key wrap and id-aes128-cbc content encryption
algorithm. The mqvSinglePass-sha1kdf-scheme, mqvSinglePass-sha224kdf-
scheme, mqvSinglePass-sha384kdf-scheme, and mqvSinglePass-sha512kdf-
scheme algorithms MAY be supported. Likewise, the id-alg-CMS3DESwrap,
id-aes192-wrap, and id-aes256-wrap key wrap algorithms and the id-
aes192-cbc and id-aes256-cbc content encryption algorithms MAY be
supported. supported.
6. Certificates using ECC 6. Certificates using ECC
Internet X.509 certificates [PKI] can be used in conjunction with Internet X.509 certificates [PKI] can be used in conjunction with
this specification to distribute agents' public keys. The use of ECC this specification to distribute agents' public keys. The use of ECC
algorithms and keys within X.509 certificates is specified in algorithms and keys within X.509 certificates is specified in
[PKI-ALG]. [PKI-ALG].
7. SMIMECapabilities Attribute and ECC 7. SMIMECapabilities Attribute and ECC
skipping to change at page 17, line 9 skipping to change at page 18, line 9
and and
secg-scheme OBJECT IDENTIFIER ::= { secg-scheme OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) certicom(132) schemes(1) } iso(1) identified-organization(3) certicom(132) schemes(1) }
When the object identifiers are used here within an algorithm When the object identifiers are used here within an algorithm
identifier, the associated parameters field contains the CMS identifier, the associated parameters field contains the CMS
KeyWrapAlgorithm algorithm identifier. KeyWrapAlgorithm algorithm identifier.
8.2. Other Sytnax 8.2. Other Syntax
The following additional syntax is used here. The following additional syntax is used here.
When using ECDSA with SignedData, ECDSA signatures are encoded using When using ECDSA with SignedData, ECDSA signatures are encoded using
the type: the type:
ECDSA-Sig-Value ::= SEQUENCE { ECDSA-Sig-Value ::= SEQUENCE {
r INTEGER, r INTEGER,
s INTEGER } s INTEGER }
skipping to change at page 18, line 30 skipping to change at page 19, line 30
Within CMS, ECC-CMS-SharedInfo is DER-encoded and used as input to Within CMS, ECC-CMS-SharedInfo is DER-encoded and used as input to
the key derivation function, as specified in [SEC1, Section 3.6.1]. the key derivation function, as specified in [SEC1, Section 3.6.1].
Note that ECC-CMS-SharedInfo differs from the OtherInfo specified in Note that ECC-CMS-SharedInfo differs from the OtherInfo specified in
[CMS-DH]. Here, a counter value is not included in the keyInfo field [CMS-DH]. Here, a counter value is not included in the keyInfo field
because the key derivation function specified in [SEC1, Section because the key derivation function specified in [SEC1, Section
3.6.1] ensures that sufficient keying data is provided. 3.6.1] ensures that sufficient keying data is provided.
9. Security Considerations 9. Security Considerations
This specification is based on [CMS], [X9.62] and [SEC1] and the Cryptographic algorithms will be broken or weakened over time.
appropriate security considerations of those documents apply. Implementers and users need to check that the cryptographic
algorithms listed in this document continue to provide the expected
level of security. The IETF from time to time may issue documents
dealing with the current state of the art.
This specification is based on [CMS], [CMS-AUTHENV], [CMS-ALG], [CMS-
AESCG], [X9.62], and [SEC1] and the appropriate security
considerations of those documents apply.
In addition, implementors of AuthenticatedData should be aware of the In addition, implementors of AuthenticatedData should be aware of the
concerns expressed in [BON] when using AuthenticatedData to send concerns expressed in [BON] when using AuthenticatedData to send
messages to more than one recipient. Also, users of MQV should be messages to more than one recipient. Also, users of MQV should be
aware of the vulnerability in [K]. aware of the vulnerability in [K].
When implementing EnvelopedData or AuthenticatedData, there are five When implementing EnvelopedData, AuthenticatedData, and
algorithm related choices that need to be made: AuthEnvelopedData, there are five algorithm related choices that need
to be made:
1) What is the public key size? 1) What is the public key size?
2) What is the KDF? 2) What is the KDF?
3) What is the key wrap algorithm? 3) What is the key wrap algorithm?
4) What is the content encryption algorithm? 4) What is the content encryption algorithm?
5) What is the curve? 5) What is the curve?
Consideration must be given to strength of the security provided by Consideration must be given to strength of the security provided by
each of these choices. Security is measured in bits, where a strong each of these choices. Security is measured in bits, where a strong
symmetric cipher with a key of X bits is said to provide X bits of symmetric cipher with a key of X bits is said to provide X bits of
skipping to change at page 20, line 4 skipping to change at page 22, line 4
---------+----------+------------+----------+-------------+--------- ---------+----------+------------+----------+-------------+---------
192 | 384-511 | SHA224 | AES-192 | AES-192 CBC | secp384r1 192 | 384-511 | SHA224 | AES-192 | AES-192 CBC | secp384r1
| | SHA256 | AES-256 | AES-256 CBC | sect409k1 | | SHA256 | AES-256 | AES-256 CBC | sect409k1
| | SHA384 | | | sect409r1 | | SHA384 | | | sect409r1
| | SHA512 | | | | | SHA512 | | |
---------+----------+------------+----------+-------------+--------- ---------+----------+------------+----------+-------------+---------
256 | 512+ | SHA256 | AES-256 | AES-256 CBC | secp521r1 256 | 512+ | SHA256 | AES-256 | AES-256 CBC | secp521r1
| | SHA384 | | | sect571k1 | | SHA384 | | | sect571k1
| | SHA512 | | | sect571r1 | | SHA512 | | | sect571r1
---------+----------+------------+----------+-------------+--------- ---------+----------+------------+----------+-------------+---------
To promote interoperability, the following choices are REOMMENDED: To promote interoperability, the following choices are RECOMMENDED:
Minimum | ECDH or | Key | Key | Content | Curve Minimum | ECDH or | Key | Key | Content | Curve
Bits of | ECQMV | Derivation | Wrap | Encryption | Bits of | ECQMV | Derivation | Wrap | Encryption |
Security | Key Size | Function | Alg. | Alg. | Security | Key Size | Function | Alg. | Alg. |
---------+----------+------------+----------+-------------+---------- ---------+----------+------------+----------+-------------+----------
80 | 192 | SHA256 | 3DES | 3DES CBC | secp192r1 80 | 192 | SHA256 | 3DES | 3DES CBC | secp192r1
---------+----------+------------+----------+-------------+---------- ---------+----------+------------+----------+-------------+----------
112 | 224 | SHA256 | 3DES | 3DES CBC | secp224r1 112 | 224 | SHA256 | 3DES | 3DES CBC | secp224r1
---------+----------+------------+----------+-------------+---------- ---------+----------+------------+----------+-------------+----------
128 | 256 | SHA256 | AES-128 | AES-128 CBC | secp256r1 128 | 256 | SHA256 | AES-128 | AES-128 CBC | secp256r1
skipping to change at page 22, line 13 skipping to change at page 24, line 13
---------+----------+-----------+----------- ---------+----------+-----------+-----------
10. IANA Considerations 10. IANA Considerations
None. None.
11. References 11. References
11.1. Normative 11.1. Normative
[CMS] Housley, R., "Cryptographic Message Syntax", RFC 3852, [CMS] Housley, R., "Cryptographic Message Syntax", RFC
July. 3852, July 2004.
[CMS-AES] Schaad, J., "Use of the Advanced Encryption Standard [CMS-AES] Schaad, J., "Use of the Advanced Encryption Standard
(AES) Encryption Algorithm in Cryptographic Message (AES) Encryption Algorithm in Cryptographic Message
Syntax (CMS)", RFC 3565, July 2003. Syntax (CMS)", RFC 3565, July 2003.
[CMS-AESCG] Housley, R., "Using AES-CCM and AES-GCM Authenticated [CMS-AESCG] Housley, R., "Using AES-CCM and AES-GCM Authenticated
Encryption in the Cryptographic Message Syntax (CMS)", Encryption in the Cryptographic Message Syntax
RFC 5084, November 2007. (CMS)", RFC 5084, November 2007.
[CMS-ALG] Housley, R., "Cryptographic Message Syntax (CMS) [CMS-ALG] Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3370, August 2002. Algorithms", RFC 3370, August 2002.
[CMS-DH] Rescorla, E., "Diffie-Hellman Key Agreement Method", [CMS-AUTHENV] Housley, R. "Cryptographic Message Syntax (CMS)
RFC 2631, June 1999. Authenticated-Enveloped-Data Content Type", RFC 5083,
November 2007.
[IEEE1363] IEEE P1363, "Standard Specifications for Public Key [CMS-DH] Rescorla, E., "Diffie-Hellman Key Agreement Method",
Cryptography", Institute of Electrical and Electronics RFC 2631, June 1999.
Engineers, 2000.
[DSS] FIPS 186-2, "Digital Signature Standard", National [IEEE1363] IEEE P1363, "Standard Specifications for Public Key
Institute of Standards and Technology, January 2000. Cryptography", Institute of Electrical and
Electronics Engineers, 2000.
[MUST] Bradner, S., "Key Words for Use in RFCs to Indicate [DSS] FIPS 186-2, "Digital Signature Standard", National
Requirement Levels", BCP 14, RFC 2119, March 1997. Institute of Standards and Technology, January 2000.
[MSG] Ramsdell, B., and S. Turner, "S/MIME Version 3.2 [HMAC-SHA] Nystrom, M., "Identifiers and Test Vectors for HMAC-
Message Specification", work-in-progress. SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-
512", RFC 4231, December 2005.
[PKI] Cooper, D., Santesson, S., Farrell, S., Boeyen, S. [MUST] Bradner, S., "Key Words for Use in RFCs to Indicate
Housley, R., and W. Polk, "Internet X.509 Public Key Requirement Levels", BCP 14, RFC 2119, March 1997.
Infrastructure Certificate and Certificate Revocation
List (CRL) Profile", RFC 5280, May 2008.
[PKI-ALG] Turner, S., Brown, D., Yiu, K., Housley, R., and W. [MSG] Ramsdell, B., and S. Turner, "S/MIME Version 3.2
Polk, "Elliptic Curve Cryptography Subject Public Key Message Specification", work-in-progress.
Information", work-in-progress.
[SEC1] SECG, "Elliptic Curve Cryptography", Standards for [PKI] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.
Efficient Cryptography Group, 2000. Available from Housley, R., and W. Polk, "Internet X.509 Public Key
www.secg.org/collateral/sec1.pdf. Infrastructure Certificate and Certificate Revocation
List (CRL) Profile", RFC 5280, May 2008.
[SEC2] SECG, "Recommended Elliptic Curve Domain Parameters", [PKI-ALG] Turner, S., Brown, D., Yiu, K., Housley, R., and W.
Standards for Efficient Cryptography Group, 2000. Polk, "Elliptic Curve Cryptography Subject Public Key
Available from www.secg.org/collateral/sec2.pdf. Information", work-in-progress.
[SHS] National Institute of Standards and Technology (NIST), [SEC1] SECG, "Elliptic Curve Cryptography", Standards for
FIPS Publication 180-2: Secure Hash Standard, August Efficient Cryptography Group, 2000. Available from
2002. www.secg.org/collateral/sec1.pdf.
[SMIME-SHA2] Turner, S., "Using SHA2 Algorithms with Cryptographic [SEC2] SECG, "Recommended Elliptic Curve Domain Parameters",
Message Syntax", work-in-progress. Standards for Efficient Cryptography Group, 2000.
Available from www.secg.org/collateral/sec2.pdf.
[X9.62] ANSI X9.62-2005, "Public Key Cryptography For The [SHS] National Institute of Standards and Technology
Financial Services Industry: The Elliptic Curve Digital (NIST), FIPS Publication 180-2: Secure Hash Standard,
Signature Algorithm (ECDSA)", American National August 2002.
Standards Institute, 2005.
[X.208] CCITT Recommendation X.208: Specification of Abstract [SMIME-SHA2] Turner, S., "Using SHA2 Algorithms with Cryptographic
Syntax Notation One (ASN.1), 1988. Message Syntax", work-in-progress.
[X.680] ITU-T Recommendation X.680: Information Technology - [X9.62] ANSI X9.62-2005, "Public Key Cryptography For The
Abstract Syntax Notation One, 1997. Financial Services Industry: The Elliptic Curve
Digital Signature Algorithm (ECDSA)", American
National Standards Institute, 2005.
[X.681] ITU-T Recommendation X.680: Information Technology - [X.208] ITU-T Recommendation X.208 (1998) | ISO/IEC 8824-
Abstract Syntax Notation One: Information Object 1:1998. Specification of Abstract Syntax Notation One
Specification, 1997. (ASN.1).
[X.682] ITU-T Recommendation X.682: Information Technology - [X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-
Abstract Syntax Notation One: Constraint Specification, 1 :2002. Information Technology - Abstract Syntax
2002. Notation One.
[X.683] ITU-T Recommendation X.683: Information Technology - [X.681] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-
Abstract Syntax Notation One: Parameterization of ASN.1 2 :2002. Information Technology - Abstract Syntax
Specifications, 2002. Notation One: Information Object Specification.
[X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-
3 :2002. Information Technology - Abstract Syntax
Notation One: Constraint Specification.
[X.683] ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-
4:2002. Information Technology - Abstract Syntax
Notation One: Parameterization of ASN.1
Specifications, 2002.
11.2. Informative 11.2. Informative
[BON] D. Boneh, "The Security of Multicast MAC", Presentation [BON] D. Boneh, "The Security of Multicast MAC",
at Selected Areas of Cryptography 2000, Center for Presentation at Selected Areas of Cryptography 2000,
Applied Cryptographic Research, University of Waterloo, Center for Applied Cryptographic Research, University
2000. Paper version available from of Waterloo, 2000. Paper version available from
http://crypto.stanford.edu/~dabo/papers/mmac.ps http://crypto.stanford.edu/~dabo/papers/mmac.ps
[CMS-KEA] Pawling, J., "CMS KEA and SKIPJACK Conventions", RFC [CMS-KEA] Pawling, J., "CMS KEA and SKIPJACK Conventions", RFC
2876, July 2000. 2876, July 2000.
[K] B. Kaliski, "MQV Vulnerability", Posting to ANSI X9F1 [K] B. Kaliski, "MQV Vulnerability", Posting to ANSI X9F1
and IEEE P1363 newsgroups, 1998. and IEEE P1363 newsgroups, 1998.
Annex A ASN.1 Modules [NISTSP800-57] National Institute of Standards and Technology
(NIST), Special Publication 800-57: Recommendation
for Key Management, August 2005.
Appendix A ASN.1 Modules
Appendix A.1 provides the normative ASN.1 definitions for the Appendix A.1 provides the normative ASN.1 definitions for the
structures described in this specification using ASN.1 as defined in structures described in this specification using ASN.1 as defined in
[X.208]. [X.208].
Appendix A.2 provides an informative ASN.1 definitions for the Appendix A.2 provides an informative ASN.1 definitions for the
structures described in this specification using ASN.1 as defined in structures described in this specification using ASN.1 as defined in
[X.680], [X.681], [X.682], [X.683]. This appendix contains the same [X.680], [X.681], [X.682], [X.683]. This appendix contains the same
information as Appendix A.1 in a more recent (and precise) ASN.1 information as Appendix A.1 in a more recent (and precise) ASN.1
notation, however Appendix A.1 takes precedence in case of conflict. notation, however Appendix A.1 takes precedence in case of conflict.
Annex A.1 1988 ASN.1 Module Appendix A.1 1988 ASN.1 Module
Annex A.2 2004 ASN.1 Module SMIMEECCAlgs-1988
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) TBD }
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
-- EXPORTS ALL
IMPORTS
-- From [PKI]
AlgorithmIdentifier
FROM PKIX1Explicit88
{ iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) mod(0)
pkix1-explicit(18) }
-- From [CMS-AES]
id-aes128-CBC, id-aes192-CBC, id-aes256-CBC, AES-IV,
id-aes128-wrap, id-aes192-wrap, id-aes1256-wrap
FROM CMSAesRsaesOaep
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-aes(19) }
-- From [CMS-AESCG]
id-aes128-CCM, id-aes192-CCM, id-aes256-CCM, CCMParameters
id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, GCMParameters
FROM CMS-AES-CCM-and-AES-GCM
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-aes(32) }
-- From [CMS]
OriginatorPublicKey, UserKeyingMaterial
FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) }
-- From [CMS-ALG]
hMAC-SHA1, id-alg-CMS3DESwrap, CBCParameter
FROM CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) }
-- From [PKI-ALG]
id-ecPublicKey, ecdsa-with-SHA1
FROM PKIXAlgs-1988
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) TBD }
;
--
-- ECDSA with SHA-2 Algorithms
--
-- Parameters are NULL
-- ecdsa-with-SHA1 Parameters are NULL
ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
ecdsa-with-SHA2(3) 1 }
ecdsa-with-SHA256 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840)ansi-X9-62(10045) signatures(4)
ecdsa-with-SHA2(3) 2 }
ecdsa-with-SHA384 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
ecdsa-with-SHA2(3) 3 }
ecdsa-with-SHA512 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
ecdsa-with-SHA2(3) 4 }
-- ECDSA Signature Value
-- Contents of SignatureValue OCTET STRING
ECDSA-Sig-Value ::= SEQUENCE {
r INTEGER,
s INTEGER
}
--
-- Key Agreement Algorithms
--
x9-63-scheme OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) tc68(133) country(16) x9(840)
x9-63(63) schemes(0) }
secg-scheme OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) certicom(132) schemes(1) }
--
-- Diffie-Hellman Single Pass, Standard, with KDFs
--
-- Parameters are always present and indicate the Key Wrap Algorithm
dhSinglePass-stdDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 2 }
dhSinglePass-stdDH-sha224kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 11 0 }
dhSinglePass-stdDH-sha256kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 11 1 }
dhSinglePass-stdDH-sha384kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 11 2 }
dhSinglePass-stdDH-sha512kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 11 3 }
--
-- Diffie-Hellman Single Pass, Cofactor, with KDFs
--
dhSinglePass-cofactorDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 3 }
dhSinglePass-cofactorDH-sha224kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 14 0 }
dhSinglePass-cofactorDH-sha256kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 14 1 }
dhSinglePass-cofactorDH-sha384kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 14 2 }
dhSinglePass-cofactorDH-sha512kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 14 3 }
--
-- MQV Single Pass, Cofactor, with KDFs
--
mqvSinglePass-sha1kdf-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 16 }
mqvSinglePass-sha224kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 15 0 }
mqvSinglePass-sha256kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 15 1 }
mqvSinglePass-sha384kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 15 2 }
mqvSinglePass-sha512kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 15 3 }
--
-- Key Wrap Algorithms
--
-- id-alg-CMS3DESwrap Parameters are NULL
-- id-aes128-wrap Parameters are ABSENT
-- id-aes192-wrap Parameters are ABSENT
-- id-aes256-wrap Parameters are ABSENT
--
-- Content Encryption Algorithms
--
-- des-ede3-cbc Parameters are CBCParameter
-- id-aes128-CBC Parameters are AES-IV
-- id-aes192-CBC Parameters are AES-IV
-- id-aes256-CBC Parameters are AES-IV
-- id-aes128-CCM Parameters are CCMParameters
-- id-aes192-CCM Parameters are CCMParameters
-- id-aes256-CCM Parameters are CCMParameters
-- id-aes128-GCM Parameters are GCMParameters
-- id-aes192-GCM Parameters are GCMParameters
-- id-aes256-GCM Parameters are GCMParameters
--
-- Message Digest Algorithms
--
-- Parameters are NULL
-- HMAC with SHA-224, HMAC with SHA-256, HMAC with SHA-384,
-- HMAC with SHA-512 are specified in [HMAC-SHA]
-- hMACWithSHA1
id-hmacWithSHA224 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549)
digestAlgorithm(2) 8 }
id-hmacWithSHA256 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549)
digestAlgorithm(2) 9 }
id-hmacWithSHA384 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549)
digestAlgorithm(2) 10 }
id-hmacWithSHA512 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549)
digestAlgorithm(2) 11 }
--
-- Originator Public Key Algorithms
--
-- id-ecPublicKey Parameters are NULL
-- Format for both ephemeral and static public keys
ECPoint ::= OCTET STRING
-- Format of KeyAgreeRecipientInfo ukm field when used with
-- ECMQV
MQVuserKeyingMaterial ::= SEQUENCE {
ephemeralPublicKey OriginatorPublicKey,
addedukm [0] EXPLICIT UserKeyingMaterial OPTIONAL
}
-- Format for ECDH and ECMQV key-encryption keys when using
-- EnvelopedData or AuthenticatedData
ECC-CMS-SharedInfo ::= SEQUENCE {
keyInfo AlgorithmIdentifier,
entityUInfo [0] EXPLICIT OCTET STRING OPTIONAL,
suppPubInfo [2] EXPLICIT OCTET STRING
}
--
-- S/MIME Capabilities
--
--
-- S/MIME Capabilities: ECDSA with SHA2 Algorithms
--
-- ecdsa-with-SHA1 Type NULL
-- ecdsa-with-SHA224 Type NULL
-- ecdsa-with-SHA256 Type NULL
-- ecdsa-with-SHA384 Type NULL
-- ecdsa-with-SHA512 Type NULL
--
-- S/MIME Capabilities: ECDH, Single Pass, Standard
--
-- dhSinglePass-stdDH-sha1kdf Type is the Key Wrap Algorithm
-- dhSinglePass-stdDH-sha224kdf Type is the Key Wrap Algorithm
-- dhSinglePass-stdDH-sha256kdf Type is the Key Wrap Algorithm
-- dhSinglePass-stdDH-sha384kdf Type is the Key Wrap Algorithm
-- dhSinglePass-stdDH-sha512kdf Type is the Key Wrap Algorithm
--
-- S/MIME Capabilities: ECDH, Single Pass, Cofactor
--
-- dhSinglePass-cofactorDH-sha1kdf Type is the Key Wrap Algorithm
-- dhSinglePass-cofactorDH-sha224kdf Type is the Key Wrap Algorithm
-- dhSinglePass-cofactorDH-sha256kdf Type is the Key Wrap Algorithm
-- dhSinglePass-cofactorDH-sha384kdf Type is the Key Wrap Algorithm
-- dhSinglePass-cofactorDH-sha512kdf Type is the Key Wrap Algorithm
--
-- S/MIME Capabilities: ECMQV, Single Pass, Standard
--
-- mqvSinglePass-sha1kdf Type is the Key Wrap Algorithm
-- mqvSinglePass-sha224kdf Type is the Key Wrap Algorithm
-- mqvSinglePass-sha256kdf Type is the Key Wrap Algorithm
-- mqvSinglePass-sha384kdf Type is the Key Wrap Algorithm
-- mqvSinglePass-sha512kdf Type is the Key Wrap Algorithm
END
Appendix A.2 2004 ASN.1 Module
SMIMEECCAlgs-2008 SMIMEECCAlgs-2008
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) TBD } smime(16) modules(0) TBD }
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
-- EXPORTS ALL -- EXPORTS ALL
skipping to change at page 25, line 45 skipping to change at page 34, line 31
ALGORITHM, algorithmIdentifier, MessageDigestAlgorithms, ALGORITHM, algorithmIdentifier, MessageDigestAlgorithms,
SignatureAlgorithms SignatureAlgorithms
ow-sha1, ow-sha224, ow-sha256, ow-sha384, ow-sha512, ow-sha1, ow-sha224, ow-sha256, ow-sha384, ow-sha512,
sa-ecdsaWithSHA1 sa-ecdsaWithSHA1
FROM PKIXAlgs-2008 FROM PKIXAlgs-2008
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) TBD } security(5) mechanisms(5) pkix(7) id-mod(0) TBD }
-- From [CMS-AES] -- From [CMS-AES]
id-aes128-CBC, id-aes192-CBC, id-aes256-CBC, AES-IV id-aes128-CBC, id-aes192-CBC, id-aes256-CBC, AES-IV,
id-aes128-wrap, id-aes192-wrap, id-aes1256-wrap id-aes128-wrap, id-aes192-wrap, id-aes1256-wrap
FROM CMSAesRsaesOaep FROM CMSAesRsaesOaep
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-aes(19) } smime(16) modules(0) id-mod-cms-aes(19) }
-- From [CMS-AESCG] -- From [CMS-AESCG]
id-aes128-CCM, id-aes192-CCM, id-aes256-CCM, CCMParameters id-aes128-CCM, id-aes192-CCM, id-aes256-CCM, CCMParameters,
id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, GCMParameters id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, GCMParameters
FROM CMS-AES-CCM-and-AES-GCM FROM CMS-AES-CCM-and-AES-GCM
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-aes(32) } smime(16) modules(0) id-mod-cms-aes(32) }
-- From [CMS] -- From [CMS]
OriginatorPublicKey, UserKeyingMaterial OriginatorPublicKey, UserKeyingMaterial
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
skipping to change at page 27, line 4 skipping to change at page 35, line 37
-- Constrains the SignedData SignerInfo signatureAlgorithm field -- Constrains the SignedData SignerInfo signatureAlgorithm field
SignatureAlgorithms ALGORITHM ::= { SignatureAlgorithms ALGORITHM ::= {
sa-ecdsaWithSHA1 | sa-ecdsaWithSHA1 |
sa-ecdsaWithSHA224 | sa-ecdsaWithSHA224 |
sa-ecdsaWithSHA256 | sa-ecdsaWithSHA256 |
sa-ecdsaWithSHA384 | sa-ecdsaWithSHA384 |
sa-ecdsaWithSHA512 , sa-ecdsaWithSHA512 ,
... -- Extensible ... -- Extensible
} }
--
-- ECDSA with SHA-2 Algorithms
--
-- Parameters are NULL
-- sa-ecdsa-withSHA1
sa-ecdsa-with-SHA224 ALGORITHM ::= { sa-ecdsa-with-SHA224 ALGORITHM ::= {
OID ecdsa-with-SHA224 PARMS NULL } OID ecdsa-with-SHA224 PARMS NULL }
ecdsa-with-SHA224 OBJECT IDENTIFIER ::= { ecdsa-with-SHA224 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
ecdsa-with-SHA2(3) 1 } ecdsa-with-SHA2(3) 1 }
sa-ecdsa-with-SHA256 ALGORITHM ::= { sa-ecdsa-with-SHA256 ALGORITHM ::= {
OID ecdsa-with-SHA256 PARMS NULL } OID ecdsa-with-SHA256 PARMS NULL }
skipping to change at page 28, line 4 skipping to change at page 37, line 4
iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4)
ecdsa-with-SHA2(3) 4 } ecdsa-with-SHA2(3) 4 }
-- ECDSA Signature Value -- ECDSA Signature Value
-- Contents of SignatureValue OCTET STRING -- Contents of SignatureValue OCTET STRING
ECDSA-Sig-Value ::= SEQUENCE { ECDSA-Sig-Value ::= SEQUENCE {
r INTEGER, r INTEGER,
s INTEGER s INTEGER
} }
--
-- Key Agreement Algorithms
--
-- Constrains the EnvelopedData RecipientInfo KeyAgreeRecipientInfo -- Constrains the EnvelopedData RecipientInfo KeyAgreeRecipientInfo
-- keyEncryption Algorithm field -- keyEncryption Algorithm field
-- Constrains the AuthenticatedData RecipientInfo -- Constrains the AuthenticatedData RecipientInfo
-- KeyAgreeRecipientInfo keyEncryption Algorithm field -- KeyAgreeRecipientInfo keyEncryption Algorithm field
-- Constrains the AuthEnvelopedData RecipientInfo -- Constrains the AuthEnvelopedData RecipientInfo
-- KeyAgreeRecipientInfo keyEncryption Algorithm field -- KeyAgreeRecipientInfo keyEncryption Algorithm field
-- DH variants are not used with AuthenticatedData or -- DH variants are not used with AuthenticatedData or
-- AuthEnvelopedData -- AuthEnvelopedData
skipping to change at page 28, line 40 skipping to change at page 38, line 5
... -- Extensible ... -- Extensible
} }
x9-63-scheme OBJECT IDENTIFIER ::= { x9-63-scheme OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) tc68(133) country(16) x9(840) iso(1) identified-organization(3) tc68(133) country(16) x9(840)
x9-63(63) schemes(0) } x9-63(63) schemes(0) }
secg-scheme OBJECT IDENTIFIER ::= { secg-scheme OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) certicom(132) schemes(1) } iso(1) identified-organization(3) certicom(132) schemes(1) }
--
-- Diffie-Hellman Single Pass, Standard, with KDFs
--
-- Parameters are always present and indicate the Key Wrap Algorithm
kaa-dhSinglePass-stdDH-sha1kdf ALGORITHM ::= { kaa-dhSinglePass-stdDH-sha1kdf ALGORITHM ::= {
OID dhSinglePass-stdDH-sha1kdf-scheme PARMS KeyWrapAlgorithms } OID dhSinglePass-stdDH-sha1kdf-scheme PARMS KeyWrapAlgorithms }
dhSinglePass-stdDH-sha1kdf-scheme OBJECT IDENTIFIER ::= { dhSinglePass-stdDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 2 } x9-63-scheme 2 }
kaa-dhSinglePass-stdDH-sha224kdf ALGORITHM ::= { kaa-dhSinglePass-stdDH-sha224kdf ALGORITHM ::= {
OID dhSinglePass-stdDH-sha224kdf-scheme PARMS KeyWrapAlgorithms } OID dhSinglePass-stdDH-sha224kdf-scheme PARMS KeyWrapAlgorithms }
dhSinglePass-stdDH-sha224kdf-scheme OBJECT IDENTIFIER ::= { dhSinglePass-stdDH-sha224kdf-scheme OBJECT IDENTIFIER ::= {
skipping to change at page 29, line 23 skipping to change at page 38, line 41
dhSinglePass-stdDH-sha384kdf-scheme OBJECT IDENTIFIER ::= { dhSinglePass-stdDH-sha384kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 11 2 } secg-scheme 11 2 }
kaa-dhSinglePass-stdDH-sha512kdf ALGORITHM ::= { kaa-dhSinglePass-stdDH-sha512kdf ALGORITHM ::= {
OID dhSinglePass-stdDH-sha512kdf-scheme PARMS KeyWrapAlgorithms } OID dhSinglePass-stdDH-sha512kdf-scheme PARMS KeyWrapAlgorithms }
dhSinglePass-stdDH-sha512kdf-scheme OBJECT IDENTIFIER ::= { dhSinglePass-stdDH-sha512kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 11 3 } secg-scheme 11 3 }
--
-- Diffie-Hellman Single Pass, Cofactor, with KDFs
--
kaa-dhSinglePass-cofactorDH-sha1kdf ALGORITHM ::= { kaa-dhSinglePass-cofactorDH-sha1kdf ALGORITHM ::= {
OID dhSinglePass-cofactorDH-sha1kdf-scheme PARMS KeyWrapAlgorithms } OID dhSinglePass-cofactorDH-sha1kdf-scheme PARMS KeyWrapAlgorithms }
dhSinglePass-cofactorDH-sha1kdf-scheme OBJECT IDENTIFIER ::= { dhSinglePass-cofactorDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 3 } x9-63-scheme 3 }
kaa-dhSinglePass-cofactorDH-sha224kdf ALGORITHM ::= { kaa-dhSinglePass-cofactorDH-sha224kdf ALGORITHM ::= {
OID dhSinglePass-cofactorDH-sha224kdf-scheme OID dhSinglePass-cofactorDH-sha224kdf-scheme
PARMS KeyWrapAlgorithms } PARMS KeyWrapAlgorithms }
skipping to change at page 30, line 12 skipping to change at page 39, line 33
dhSinglePass-cofactorDH-sha384kdf-scheme OBJECT IDENTIFIER ::= { dhSinglePass-cofactorDH-sha384kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 14 2 } secg-scheme 14 2 }
kaa-dhSinglePass-cofactorDH-sha512kdf ALGORITHM ::= { kaa-dhSinglePass-cofactorDH-sha512kdf ALGORITHM ::= {
OID dhSinglePass-cofactorDH-sha512kdf-scheme OID dhSinglePass-cofactorDH-sha512kdf-scheme
PARMS KeyWrapAlgorithms } PARMS KeyWrapAlgorithms }
dhSinglePass-cofactorDH-sha512kdf-scheme OBJECT IDENTIFIER ::= { dhSinglePass-cofactorDH-sha512kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 14 3 } secg-scheme 14 3 }
--
-- MQV Single Pass, Cofactor, with KDFs
--
kaa-mqvSinglePass-sha1kdf ALGORITHM ::= { kaa-mqvSinglePass-sha1kdf ALGORITHM ::= {
OID mqvSinglePass-sha1kdf-scheme PARMS KeyWrapAlgorithms } OID mqvSinglePass-sha1kdf-scheme PARMS KeyWrapAlgorithms }
mqvSinglePass-sha1kdf-scheme OBJECT IDENTIFIER ::= { mqvSinglePass-sha1kdf-scheme OBJECT IDENTIFIER ::= {
x9-63-scheme 16 } x9-63-scheme 16 }
kaa-mqvSinglePass-sha224kdf ALGORITHM ::= { kaa-mqvSinglePass-sha224kdf ALGORITHM ::= {
OID mqvSinglePass-sha224kdf-scheme PARMS KeyWrapAlgorithms } OID mqvSinglePass-sha224kdf-scheme PARMS KeyWrapAlgorithms }
mqvSinglePass-sha224kdf-scheme OBJECT IDENTIFIER ::= { mqvSinglePass-sha224kdf-scheme OBJECT IDENTIFIER ::= {
skipping to change at page 30, line 42 skipping to change at page 40, line 20
mqvSinglePass-sha384kdf-scheme OBJECT IDENTIFIER ::= { mqvSinglePass-sha384kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 15 2 } secg-scheme 15 2 }
kaa-mqvSinglePass-sha512kdf ALGORITHM ::= { kaa-mqvSinglePass-sha512kdf ALGORITHM ::= {
OID mqvSinglePass-sha512kdf-scheme PARMS KeyWrapAlgorithms } OID mqvSinglePass-sha512kdf-scheme PARMS KeyWrapAlgorithms }
mqvSinglePass-sha512kdf-scheme OBJECT IDENTIFIER ::= { mqvSinglePass-sha512kdf-scheme OBJECT IDENTIFIER ::= {
secg-scheme 15 3 } secg-scheme 15 3 }
--
-- Key Wrap Algorithms
--
KeyWrapAlgorithms ALGORITHM ::= { KeyWrapAlgorithms ALGORITHM ::= {
kwa-3des | kwa-3des |
kwa-aes128 | kwa-aes128 |
kwa-aes192 | kwa-aes192 |
kwa-aes256, kwa-aes256,
... -- Extensible ... -- Extensible
} }
kwa-3des ALGORITHM :: = { kwa-3des ALGORITHM :: = {
OID id-alg-CMS3DESwrap PARMS NULL } OID id-alg-CMS3DESwrap PARMS NULL }
kwa-aes128 ALGORITHM ::= { kwa-aes128 ALGORITHM ::= {
OID id-aes128-wrap PARMS ABSENT } OID id-aes128-wrap PARMS ABSENT }
kwa-aes192 ALGORITHM ::= { kwa-aes192 ALGORITHM ::= {
OID id-aes192-wrap PARMS ABSENT } OID id-aes192-wrap PARMS ABSENT }
kwa-aes256 ALGORITHM ::= { kwa-aes256 ALGORITHM ::= {
OID id-aes256-wrap PARMS ABSENT } OID id-aes256-wrap PARMS ABSENT }
--
-- Content Encryption Algorithms
--
-- Constrains the EnvelopedData EncryptedContentInfo encryptedContent -- Constrains the EnvelopedData EncryptedContentInfo encryptedContent
-- field -- field and the AuthEnvelopedData EncryptedContentInfo
-- contentEncryptionAlgorithm field
ContentEncryptionAlgorithms ALGORITHM ::= { ContentEncryptionAlgorithms ALGORITHM ::= {
cea-des-ede3-cbc | cea-des-ede3-cbc |
cea-aes128-cbc | cea-aes128-cbc |
cea-aes192-cbc | cea-aes192-cbc |
cea-aes256-cbc | cea-aes256-cbc |
cea-aes128-ccm | cea-aes128-ccm |
cea-aes192-ccm | cea-aes192-ccm |
cea-aes256-ccm | cea-aes256-ccm |
cea-aes128-gcm | cea-aes128-gcm |
cea-aes192-gcm | cea-aes192-gcm |
cea-aes256-gcm, cea-aes256-gcm,
... -- Extensible ... -- Extensible
} }
-- des-ede3-cbc and aes*-cbc are used with EnvelopedData and
-- EncryptedData
cea-des-ede3-cbc ALGORITHM ::= { cea-des-ede3-cbc ALGORITHM ::= {
OID des-ede3-cbc PARMS CBCParameter } OID des-ede3-cbc PARMS CBCParameter }
cea-aes128-cbc ALGORITHM ::= { cea-aes128-cbc ALGORITHM ::= {
OID id-aes128-CBC PARMS AES-IV } OID id-aes128-CBC PARMS AES-IV }
cea-aes192-cbc ALGORITHM ::= { cea-aes192-cbc ALGORITHM ::= {
OID id-aes192-CBC PARMS AES-IV } OID id-aes192-CBC PARMS AES-IV }
cea-aes256-cbc ALGORITHM ::= { cea-aes256-cbc ALGORITHM ::= {
OID id-aes256-CBC PARMS AES-IV } OID id-aes256-CBC PARMS AES-IV }
-- aes*-ccm are used with AuthEnvelopedData
cea-aes128-ccm ALGORITHM ::= { cea-aes128-ccm ALGORITHM ::= {
OID id-aes128-CCM PARMS CCMParameters } OID id-aes128-CCM PARMS CCMParameters }
cea-aes192-ccm ALGORITHM ::= { cea-aes192-ccm ALGORITHM ::= {
OID id-aes192-CCM PARMS CCMParameters } OID id-aes192-CCM PARMS CCMParameters }
cea-aes256-ccm ALGORITHM ::= { cea-aes256-ccm ALGORITHM ::= {
OID id-aes256-CCM PARMS CCMParameters } OID id-aes256-CCM PARMS CCMParameters }
-- aes*-gcm are used with AuthEnvelopedData
cea-aes128-gcm ALGORITHM ::= { cea-aes128-gcm ALGORITHM ::= {
OID id-aes128-GCM PARMS GCMParameters } OID id-aes128-GCM PARMS GCMParameters }
cea-aes192-gcm ALGORITHM ::= { cea-aes192-gcm ALGORITHM ::= {
OID id-aes192-GCM PARMS GCMParameters } OID id-aes192-GCM PARMS GCMParameters }
cea-aes256-gcm ALGORITHM ::= { cea-aes256-gcm ALGORITHM ::= {
OID id-aes256-GCM PARMS GCMParameters } OID id-aes256-GCM PARMS GCMParameters }
--
-- Message Digest Algorithms
--
-- HMAC with SHA-224, HMAC with SHA-256, HMAC with SHA-384,
-- HMAC with SHA-512 are specified in [HMAC-SHA]
-- Constrains the AuthenticatedData -- Constrains the AuthenticatedData
-- MessageAuthenticationCodeAlgorithm field -- MessageAuthenticationCodeAlgorithm field
-- Constrains the AuthEnvelopedData -- Constrains the AuthEnvelopedData
-- MessageAuthenticationCodeAlgorithm field -- MessageAuthenticationCodeAlgorithm field
MessageAuthenticationCodeAlgorithms ALGORITHM ::= { MessageAuthenticationCodeAlgorithms ALGORITHM ::= {
maca-sha1 | maca-sha1 |
maca-sha224 | maca-sha224 |
maca-sha256 | maca-sha256 |
maca-sha384 | maca-sha384 |
skipping to change at page 33, line 19 skipping to change at page 43, line 23
iso(1) member-body(2) us(840) rsadsi(113549) iso(1) member-body(2) us(840) rsadsi(113549)
digestAlgorithm(2) 10 } digestAlgorithm(2) 10 }
maca-sha512 ALGORITHM ::= { maca-sha512 ALGORITHM ::= {
OID id-hmacWithSHA512 PARMS NULL } OID id-hmacWithSHA512 PARMS NULL }
id-hmacWithSHA512 OBJECT IDENTIFIER ::= { id-hmacWithSHA512 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) iso(1) member-body(2) us(840) rsadsi(113549)
digestAlgorithm(2) 11 } digestAlgorithm(2) 11 }
--
-- Originator Public Key Algorithms
--
-- Constraints on KeyAgreeRecipientInfo OriginatorIdentifierOrKey -- Constraints on KeyAgreeRecipientInfo OriginatorIdentifierOrKey
-- OriginatorPublicKey algorithm field -- OriginatorPublicKey algorithm field
-- PARMS are NULL -- PARMS are NULL
OriginatorPKAlgorithms ALGORITHM ::= { OriginatorPKAlgorithms ALGORITHM ::= {
opka-ec, opka-ec,
... -- Extensible ... -- Extensible
} }
skipping to change at page 33, line 43 skipping to change at page 44, line 4
ECPoint ::= OCTET STRING ECPoint ::= OCTET STRING
-- Format of KeyAgreeRecipientInfo ukm field when used with -- Format of KeyAgreeRecipientInfo ukm field when used with
-- ECMQV -- ECMQV
MQVuserKeyingMaterial ::= SEQUENCE { MQVuserKeyingMaterial ::= SEQUENCE {
ephemeralPublicKey OriginatorPublicKey, ephemeralPublicKey OriginatorPublicKey,
addedukm [0] EXPLICIT UserKeyingMaterial OPTIONAL addedukm [0] EXPLICIT UserKeyingMaterial OPTIONAL
} }
-- Format for ECDH and ECMQV key-encryption keys when using -- Format for ECDH and ECMQV key-encryption keys when using
-- EnvelopedData or AuthenticatedData -- EnvelopedData or AuthenticatedData
ECC-CMS-SharedInfo ::= SEQUENCE { ECC-CMS-SharedInfo ::= SEQUENCE {
keyInfo AlgorithmIdentifier { KeyWrapAlgorithms }, keyInfo AlgorithmIdentifier { KeyWrapAlgorithms },
entityUInfo [0] EXPLICIT OCTET STRING OPTIONAL, entityUInfo [0] EXPLICIT OCTET STRING OPTIONAL,
suppPubInfo [2] EXPLICIT OCTET STRING suppPubInfo [2] EXPLICIT OCTET STRING
} }
--
-- S/MIME Capabilities
--
SMIME-CAPS ::= CLASS { SMIME-CAPS ::= CLASS {
&Type OPTIONAL, &Type OPTIONAL,
&id OBJECT IDENTIFIER UNIQUE &id OBJECT IDENTIFIER UNIQUE
} }
WITH SYNTAX {TYPE &Type IDENTIFIED BY &id } WITH SYNTAX {TYPE &Type IDENTIFIED BY &id }
SMIMECapability ::= SEQUENCE { SMIMECapability ::= SEQUENCE {
capabilityID SMIME-CAPS.&id({SMimeCapsSet}), capabilityID SMIME-CAPS.&id({SMimeCapsSet}),
parameters SMIME-CAPS. parameters SMIME-CAPS.
&Type({SMimeCapsSet}{@capabilityID}) OPTIONAL &Type({SMimeCapsSet}{@capabilityID}) OPTIONAL
skipping to change at page 34, line 40 skipping to change at page 45, line 28
cap-dhSinglePass-cofactorDH-sha384kdf | cap-dhSinglePass-cofactorDH-sha384kdf |
cap-dhSinglePass-cofactorDH-sha512kdf | cap-dhSinglePass-cofactorDH-sha512kdf |
cap-mqvSinglePass-sha1kdf | cap-mqvSinglePass-sha1kdf |
cap-mqvSinglePass-sha224kdf | cap-mqvSinglePass-sha224kdf |
cap-mqvSinglePass-sha256kdf | cap-mqvSinglePass-sha256kdf |
cap-mqvSinglePass-sha384kdf | cap-mqvSinglePass-sha384kdf |
cap-mqvSinglePass-sha512kdf, cap-mqvSinglePass-sha512kdf,
... -- Extensible ... -- Extensible
} }
--
-- S/MIME Capabilities: ECDSA with SHA2 Algorithms
--
cap-ecdsa-with-SHA1 SMIME-CAPS ::= { cap-ecdsa-with-SHA1 SMIME-CAPS ::= {
TYPE NULL IDENTIFIED BY ecdsa-with-SHA1 } TYPE NULL IDENTIFIED BY ecdsa-with-SHA1 }
cap-ecdsa-with-SHA224 SMIME-CAPS ::= { cap-ecdsa-with-SHA224 SMIME-CAPS ::= {
TYPE NULL IDENTIFIED BY ecdsa-with-SHA224 } TYPE NULL IDENTIFIED BY ecdsa-with-SHA224 }
cap-ecdsa-with-SHA256 SMIME-CAPS ::= { cap-ecdsa-with-SHA256 SMIME-CAPS ::= {
TYPE NULL IDENTIFIED BY ecdsa-with-SHA256 } TYPE NULL IDENTIFIED BY ecdsa-with-SHA256 }
cap-ecdsa-with-SHA384 SMIME-CAPS ::= { cap-ecdsa-with-SHA384 SMIME-CAPS ::= {
TYPE NULL IDENTIFIED BY ecdsa-with-SHA384 } TYPE NULL IDENTIFIED BY ecdsa-with-SHA384 }
cap-ecdsa-with-SHA512 SMIME-CAPS ::= { cap-ecdsa-with-SHA512 SMIME-CAPS ::= {
TYPE NULL IDENTIFIED BY ecdsa-with-SHA512 } TYPE NULL IDENTIFIED BY ecdsa-with-SHA512 }
--
-- S/MIME Capabilities: ECDH, Single Pass, Standard
--
cap-dhSinglePass-stdDH-sha1kdf SMIME-CAPS ::= { cap-dhSinglePass-stdDH-sha1kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms IDENTIFIED BY dhSinglePass-stdDH-sha1kdf } TYPE KeyWrapAlgorithms IDENTIFIED BY dhSinglePass-stdDH-sha1kdf }
cap-dhSinglePass-stdDH-sha224kdf SMIME-CAPS ::= { cap-dhSinglePass-stdDH-sha224kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms IDENTIFIED BY dhSinglePass-stdDH-sha224kdf } TYPE KeyWrapAlgorithms IDENTIFIED BY dhSinglePass-stdDH-sha224kdf }
cap-dhSinglePass-stdDH-sha256kdf SMIME-CAPS ::= { cap-dhSinglePass-stdDH-sha256kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms IDENTIFIED BY dhSinglePass-stdDH-sha256kdf } TYPE KeyWrapAlgorithms IDENTIFIED BY dhSinglePass-stdDH-sha256kdf }
cap-dhSinglePass-stdDH-sha384kdf SMIME-CAPS ::= { cap-dhSinglePass-stdDH-sha384kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms IDENTIFIED BY dhSinglePass-stdDH-sha384kdf } TYPE KeyWrapAlgorithms IDENTIFIED BY dhSinglePass-stdDH-sha384kdf }
cap-dhSinglePass-stdDH-sha512kdf SMIME-CAPS ::= { cap-dhSinglePass-stdDH-sha512kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms IDENTIFIED BY dhSinglePass-stdDH-sha512kdf } TYPE KeyWrapAlgorithms IDENTIFIED BY dhSinglePass-stdDH-sha512kdf }
--
-- S/MIME Capabilities: ECDH, Single Pass, Cofactor
--
cap-dhSinglePass-cofactorDH-sha1kdf SMIME-CAPS ::= { cap-dhSinglePass-cofactorDH-sha1kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms TYPE KeyWrapAlgorithms
IDENTIFIED BY dhSinglePass-cofactorDH-sha1kdf } IDENTIFIED BY dhSinglePass-cofactorDH-sha1kdf }
cap-dhSinglePass-cofactorDH-sha224kdf SMIME-CAPS ::= { cap-dhSinglePass-cofactorDH-sha224kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms TYPE KeyWrapAlgorithms
IDENTIFIED BY dhSinglePass-cofactorDH-sha224kdf } IDENTIFIED BY dhSinglePass-cofactorDH-sha224kdf }
cap-dhSinglePass-cofactorDH-sha256kdf SMIME-CAPS ::= { cap-dhSinglePass-cofactorDH-sha256kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms TYPE KeyWrapAlgorithms
IDENTIFIED BY dhSinglePass-cofactorDH-sha256kdf } IDENTIFIED BY dhSinglePass-cofactorDH-sha256kdf }
cap-dhSinglePass-cofactorDH-sha384kdf SMIME-CAPS ::= { cap-dhSinglePass-cofactorDH-sha384kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms TYPE KeyWrapAlgorithms
IDENTIFIED BY dhSinglePass-cofactorDH-sha384kdf } IDENTIFIED BY dhSinglePass-cofactorDH-sha384kdf }
cap-dhSinglePass-cofactorDH-sha512kdf SMIME-CAPS ::= { cap-dhSinglePass-cofactorDH-sha512kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms TYPE KeyWrapAlgorithms
IDENTIFIED BY dhSinglePass-cofactorDH-sha512kdf } IDENTIFIED BY dhSinglePass-cofactorDH-sha512kdf }
--
-- S/MIME Capabilities: ECMQV, Single Pass, Standard
--
cap-mqvSinglePass-sha1kdf SMIME-CAPS ::= { cap-mqvSinglePass-sha1kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms IDENTIFIED BY mqvSinglePass-sha1kdf } TYPE KeyWrapAlgorithms IDENTIFIED BY mqvSinglePass-sha1kdf }
cap-mqvSinglePass-sha224kdf SMIME-CAPS ::= { cap-mqvSinglePass-sha224kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms IDENTIFIED BY mqvSinglePass-sha224kdf } TYPE KeyWrapAlgorithms IDENTIFIED BY mqvSinglePass-sha224kdf }
cap-mqvSinglePass-sha256kdf SMIME-CAPS ::= { cap-mqvSinglePass-sha256kdf SMIME-CAPS ::= {
TYPE KeyWrapAlgorithms IDENTIFIED BY mqvSinglePass-sha256kdf } TYPE KeyWrapAlgorithms IDENTIFIED BY mqvSinglePass-sha256kdf }
cap-mqvSinglePass-sha384kdf SMIME-CAPS ::= { cap-mqvSinglePass-sha384kdf SMIME-CAPS ::= {
skipping to change at page 37, line 14 skipping to change at page 48, line 14
Acknowledgements Acknowledgements
The methods described in this document are based on work done by the The methods described in this document are based on work done by the
ANSI X9F1 working group. The authors wish to extend their thanks to ANSI X9F1 working group. The authors wish to extend their thanks to
ANSI X9F1 for their assistance. The authors also wish to thank Peter ANSI X9F1 for their assistance. The authors also wish to thank Peter
de Rooij for his patient assistance. The technical comments of de Rooij for his patient assistance. The technical comments of
Francois Rousseau were valuable contributions. Francois Rousseau were valuable contributions.
Many thanks go out to the other authors of RFC 3278: Simon Blake- Many thanks go out to the other authors of RFC 3278: Simon Blake-
Wilson, Paul Lambert, and Dan Brown. Without the initial version of Wilson and Paul Lambert. Without the initial version of RFC3278 this
RFC3278 this version wouldn't exist. version wouldn't exist.
The authors also wish to thank Alfred Hines, Jim Schaad, and Russ The authors also wish to thank Alfred Hoenes, Jim Schaad, and Russ
Housley for their valuable input. Housley for their valuable input.
Author's Addresses Author's Addresses
Sean Turner Sean Turner
IECA, Inc. IECA, Inc.
3057 Nutley Street, Suite 106 3057 Nutley Street, Suite 106
Fairfax, VA 22031 Fairfax, VA 22031
USA USA
 End of changes. 89 change blocks. 
173 lines changed or deleted 591 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/