 1/draftietfsmimeaesalg05.txt 20060205 01:50:36.000000000 +0100
+++ 2/draftietfsmimeaesalg06.txt 20060205 01:50:36.000000000 +0100
@@ 1,15 +1,15 @@
S/MIME Working Group J. Schaad
Internet Draft Soaring Hawk Consulting
Document: draftietfsmimeaesalg05.txt
Expires: May 2003 November 2002
+Document: draftietfsmimeaesalg06.txt
+Expires: July 2003 January 2003
Use of the AES Encryption Algorithm in CMS
Status of this Memo
This document is an InternetDraft and is in full conformance with
all provisions of Section 10 of RFC 2026.
InternetDrafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
@@ 112,24 +112,24 @@
1) Key Transport: The AES CEK is uniquely wrapped for each recipient
using the recipient's public RSA key and other values. Section 2.2
provides additional details.
Schaad 2
Use of the AES Algorithm in CMS July 2002
2) Key Agreement: The AES CEK is uniquely wrapped for each recipient
using a pairwise symmetric keyencryption key (KEK) generated using
 DHES [DH] using the originator's randomly generated private key, the
+ an originator's randomly generated private key (ESDH [DH]) or
+ previously generated private key (SSDH [DH]), the recipient's public
 recipient's public DH key, and other values. Section 2.3 provides
 additional details.
+ DH key, and other values. Section 2.3 provides additional details.
3) Previously Distributed Symmetric KEK: The AES CEK is wrapped
using a previously distributed symmetric KEK (such as a Mail List
Key). The methods by which the symmetric KEK is generated and
distributed are beyond the scope of this document. Section 2.4
provides additional details.
4) Password Encryption: The AES CEK is wrapped using a KEK derived
from a password or other shared secret. Section 2.5 provides
additional details.
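Review bot: in the replacement text for item 2, "an originator's randomly generated private key" should read "the originator's randomly generated private key" to match "the recipient's public DH key" later in the same sentence. Since this item now admits SS-DH (previously generated private key) as well as ES-DH, the conventions in Section 2.3 that it points to must accept a static originator key too; see the comment on that hunk.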
@@ 189,24 +189,24 @@
The KeyTransRecipientInfo keyEncryptionAlgorithm field specifies the
key transport algorithm (i.e. RSAESOAEP [RSAOAEP]), and the
associated parameters used to encrypt the CEK for the recipient.
The KeyTransRecipientInfo encryptedKey is the result of encrypting
the CEK with the recipient's RSA public key.
2.3 KeyAgreeRecipientInfo Fields
 This section describes the conventions for using ESDH and AES with
 the CMS envelopeddata content type to support key agreement. When
 key agreement is used, then the RecipientInfo keyAgreeRecipientInfo
 CHOICE MUST be used.
+ This section describes the conventions for using ESDH or SSDH and
+ AES with the CMS envelopeddata content type to support key
+ agreement. When key agreement is used, then the RecipientInfo
+ keyAgreeRecipientInfo CHOICE MUST be used.
The KeyAgreeRecipient version MUST be 3.
The EnvelopedData originatorInfo field MUST be the originatorKey
alternative. The originatorKey algorithm fields MUST contain the dh
publicnumber object identifier with absent parameters. The
originatorKey publicKey MUST contain the originator's ephemeral
public key.
The EnvelopedData ukm MAY be present.
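Review bot: the added paragraph allows SS-DH, but the unchanged lines that follow still say "The EnvelopedData originatorInfo field MUST be the originatorKey alternative" and "The originatorKey publicKey MUST contain the originator's ephemeral public key", which is the ES-DH convention and cannot be satisfied when the originator uses a previously generated (static) private key. Add a parallel rule for the SS-DH case (for example, that the originator's static key is identified rather than carried in originatorKey, and that "ephemeral" applies only to ES-DH), otherwise the two halves of the section contradict each other.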
@@ 489,26 +489,25 @@
process involves information obtained from the capabilities lists
included in messages received from the recipient, as well as other
information such as private agreements, user preferences, legal
restrictions, and so on. If users require AES for symmetric
encryption, the S/MIME clients on both the sending and receiving side
MUST support it, and it MUST be set in the user preferences.
6 Security Considerations
 If RSAOAEP [PKCS#1v2.0] and RSA #1 v1.5 [RSA#1v1.5] are both used to

 transport the same CEK, then an attacker can still use the
 Bleichenbacher attack against the RSA #1 v1.5 encrypted key. It is
 generally unadvisable to mix both RSAOAEP and RSA #1 v1.5 in the
 same set of recipients.
+ If RSAOAEP [PKCS#1v2.0] and RSA PKCS #1 v1.5 [PKCS#1v1.5] are both
+ used to transport the same CEK, then an attacker can still use the
+ Bleichenbacher attack against the RSA PKCS #1 v1.5 encrypted key.
+ It is generally unadvisable to mix both RSAOAEP and RSA PKCS#1 v1.5
+ in the same set of recipients.
Implementations must protect the RSA private key and the CEK.
Compromise of the RSA private key may result in the disclosure of all
messages protected with that key. Compromise of the CEK may result
in disclosure of the associated encrypted content.
The generation of AES CEKs relies on random numbers. The use of
inadequate pseudorandom number generators (PRNGs) to generate these
values can result in little or no security. An attacker may find it
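Review bot: the key-compromise paragraph ("Implementations must protect the RSA private key and the CEK ...") covers only the key transport case; now that SS-DH with a previously generated private key is permitted by the earlier hunks, compromise of a static DH private key has the same consequence (disclosure of every message keyed with it) and should be stated here alongside the RSA case. Separately, "It is generally unadvisable to mix both RSAOAEP and RSA PKCS#1 v1.5 in the same set of recipients" is advisory prose in a document that otherwise uses RFC 2119 keywords; if a requirement is intended, write "SHOULD NOT be mixed", and keep the reference tag spelling consistent ("RSA PKCS #1 v1.5" in one sentence, "RSA PKCS#1 v1.5" in the next).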
@@ 518,85 +517,88 @@
force searching the whole key space. The generation of quality
random numbers is difficult. RFC 1750 [RANDOM] offers important
guidance in this area.
When wrapping a CEK with a KEK, the KEK MUST always be at least the
same length as the CEK. An attacker will generally work at the
weakest point in an encryption system. This would be the smaller of
the two key sizes for a brute force attack.
References
+Normative References
AES National Institute of Standards.
FIPS Pub 197: Advanced Encryption Standard (AES).
26 November 2001.
AESWRAP Schaad, J., R. Housley, "Advanced Encryption Standard (AES)
+CMS Housley, R., "Cryptographic Message Syntax (CMS)", RFC
Schaad 9
Use of the AES Algorithm in CMS July 2002
 Key Wrap Algorithm", RFC 3394, September 2002

CMS Housley, R., "Cryptographic Message Syntax (CMS)", RFC
3369, August 2002.
+AESWRAP Schaad, J., R. Housley, "Advanced Encryption Standard (AES)
+ Key Wrap Algorithm", RFC 3394, September 2002
+
CMSALG Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms, RFC 3370, August 2002.
DES National Institute of Standards and Technology.
FIPS Pub 46: Data Encryption Standard. 15 January 1977.
DH Rescorla, E., DiffieHellman Key Agreement Method, RFC
2631, June 1999.
+RSAOAEP Housley, R. "Use of the RSAESOAEP Key Transport Algorithm
+ in CMS", draftietfsmimecmsrsaesoaep03.txt, June 2002.
+
+X.20888 CCITT. Recommendation X.208: Specification of Abstract
+ Syntax Notation One (ASN.1). 1988.
+
+X.20988 CCITT. Recommendation X.209: Specification of Basic
+ Encoding Rules for Abstract Syntax Notation One (ASN.1).
+ 1988.
+
+X.50988 CCITT. Recommendation X.509: The Directory 
+ Authentication Framework. 1988.
+
+Informational References
+
MUSTSHOULD Bradner, S., Key Words for Use in RFCs to Indicate
Requirement Levels. BCP 14, RFC 2119. March 1997.
MSG Ramsdell, B., Editor. S/MIME Version 3 Message
Specification. RFC 2633. June 1999.
PKCS#1v1.5 Kaliski, B. PKCS #1: RSA Encryption, Version 1.5.
RFC 2313. March 1998.
PKCS#1v2.0 Kaliski, B. PKCS #1: RSA Encryption, Version 2.0.
RFC 2437. October 1998.
RANDOM Eastlake, D., S. Crocker, and J. Schiller. Randomness
Recommendations for Security. RFC 1750. December 1994.
RSAOAEP Housley, R. "Use of the RSAESOAEP Key Transport Algorithm
 in CMS", draftietfsmimecmsrsaesoaep03.txt, June 2002.

SYMKEYDIST Turner, S. CMS Symmetric Key Management and Distribution.
RFC TDB. Date TBD.
X.20888 CCITT. Recommendation X.208: Specification of Abstract
 Syntax Notation One (ASN.1). 1988.

X.20988 CCITT. Recommendation X.209: Specification of Basic
 Encoding Rules for Abstract Syntax Notation One (ASN.1).
 1988.

X.50988 CCITT. Recommendation X.509: The Directory 
 Authentication Framework. 1988.

Acknowledgements
+ Schaad 10
+ Use of the AES Algorithm in CMS July 2002
+
This document is the result of contributions from many
professionals. We appreciate the hard work of all members of the
IETF S/MIME Working Group.
Author's Addresses
 Schaad 10
 Use of the AES Algorithm in CMS July 2002
Jim Schaad
Soaring Hawk Consulting
Email: jimsch@exmsft.com
Appendix A ASN.1 Module
CMSAesRsaesOaep {iso(1) memberbody(2) us(840) rsadsi(113549)
pkcs(1) pkcs9(9) smime(16) modules(0) idmodcmsaes(19) }
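Review bot: [MUSTSHOULD] (RFC 2119) is placed under the new "Informational References" heading, but a document that uses MUST/MAY as this one does depends on it to be read correctly, so it belongs under "Normative References". Two smaller points in the same region: the running header added with this hunk, "+ Use of the AES Algorithm in CMS July 2002", still carries the July 2002 date while the front page now reads January 2003, and the unchanged SYMKEYDIST entry reads "RFC TDB" where "RFC TBD" is meant.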
@@ 624,13 +626,22 @@
idaes256CBC OBJECT IDENTIFIER ::= { aes 42 }
 AESIV is a the parameter for all the above object identifiers.
AESIV ::= OCTET STRING (SIZE(16))
 AES S/MIME Capabilty parameter for all the above object identifiers
AESSMimeCapability ::= NULL
END
+ AES Key Wrap Algorithm Identifiers  Parameter is absent
+
+idaes128wrap OBJECT IDENTIFIER ::= { aes 5 }
+idaes192wrap OBJECT IDENTIFIER ::= { aes 25 }
+idaes256wrap OBJECT IDENTIFIER ::= { aes 45 }
Schaad 11
+ Use of the AES Algorithm in CMS July 2002
+
+END
+
+ Schaad 12
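Review bot: after this hunk the module contains two END statements, the unchanged "END" that precedes the new key wrap identifiers and the added "+END" that follows them, and the hunk header (13 old lines, 22 new lines) shows nothing removed; delete the first END or the module will not parse. Also make sure the descriptive line "AES Key Wrap Algorithm Identifiers Parameter is absent" is an ASN.1 comment (leading "--"), as none of the comment lines show the marker in this rendering, and while touching the module fix the typos in the unchanged lines "AESIV is a the parameter" and "Capabilty".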