 1/draftietfsmimecmsseed00.txt 20060205 01:51:16.000000000 +0100
+++ 2/draftietfsmimecmsseed01.txt 20060205 01:51:16.000000000 +0100
@@ 1,58 +1,56 @@
S/MIME Working Group Jongwook Park (KISA)
Internet Draft Sungjae Lee (KISA)
Document: draftietfsmimecmsseed00.txt Jeeyeon Kim (KISA)
Expires: September 29, 2004 Jaeil Lee (KISA)
Target category : Standard Track March 29, 2004
+Document: draftietfsmimecmsseed01.txt Jeeyeon Kim (KISA)
+Expires: October 2004 Jaeil Lee (KISA)
+Target category : Standard Track April 2004
Use of the SEED Encryption Algorithm in CMS
 draftietfsmimecmsseed00.txt
+
Status of this Memo
This document is an InternetDraft and is in full conformance with
all provisions of Section 10 of RFC2026.
InternetDrafts are working documents of the Internet Engineering
 Task Force (IETF), its areas, and its working groups. Note that
 other groups may also distribute working documents as Internet
 Drafts.
+ Task Force (IETF), its areas, and its working groups. Note that other
+ groups may also distribute working documents as Internet Drafts.
InternetDrafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use InternetDrafts as reference
material or to cite them other than as "work in progress."
The list of current InternetDrafts can be accessed at
 http://www.ietf.org/ietf/1idabstracts.txt
+ http://www.ietf.org/ietf/1idabstracts.txt
The list of InternetDraft Shadow Directories can be accessed at
 http://www.ietf.org/shadow.html.
+ http://www.ietf.org/shadow.html.
Comments or suggestions for improvement may be made on the "ietf
smime" mailing list, or directly to the author.
Abstract
This document specifies the conventions for using the SEED encryption
algorithm for encryption with the Cryptographic Message Syntax (CMS).
1. Introduction
 This document specifies the conventions for usting the SEED
 encryption algorithm [SEED] [TTASSEED] for encryption with the
 Cryptographic Message Syntax (CMS)[CMS]. The relevant object
 identifiers (OIDs) and processing steps are provided so that SEED may
 be used in the CMS specification (RFC 3369, RFC 3370) for content and
 key encryption.
+ This document specifies the conventions for using the SEED encryption
+ algorithm [SEED][TTASSEED] for encryption with the Cryptographic
+ Message Syntax (CMS)[CMS]. The relevant object identifiers (OIDs) and
+ processing steps are provided so that SEED may be used in the CMS
+ specification (RFC 3369, RFC 3370) for content and key encryption.
1.1 SEED
SEED is a symmetric encryption algorithm that had been developed by
KISA (Korea Information Security Agency) and a group of experts since
1998. The input/output block size of SEED is 128bit and the key
length is also 128bit. SEED has the 16round Feistel structure. A
128bit input is divided into two 64bit blocks and the right 64bit
block is an input to the round function with a 64bit subkey
generated from the key scheduling.
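Review bot: the file name under the title is dropped rather than updated: the removed line ` draftietfsmimecmsseed00.txt` below "Use of the SEED Encryption Algorithm in CMS" is replaced by an empty `+` line, while the `Document:` header in the same hunk now reads `draftietfsmimecmsseed01.txt`. The title block should carry the -01 name as well so the two identifiers agree. The spelling fix "usting" to "using" in the Introduction is good, and "Expires: October 2004" is consistent with the April 2004 date and the six-month validity stated in the Status section.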
@@ 67,21 +65,21 @@
SEED is robust against known attacks including DC (Differential
cryptanalysis), LC (Linear cryptanalysis) and related key attacks,
etc. SEED has gone through wide public scrutinizing procedures.
Especially, it has been evaluated and also considered
cryptographically secure by trustworhty organizations such as ISO/IEC
JTC 1/SC 27 and Japan CRYTEC (Cryptography Reasearch and Evaluation
Comittees) [ISOSEED][CRYPTEC].
SEED is a national industrial association standard [TTASSEED] and is
widely used in South Korea for electronic commerce and financial
 services operated on wired & wireless PKI.
+ services operated on wired & wireless PKI.
1.2 Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase,
as shown) are to be interpreted as described in [RFC2119].
2. Object Identifiers for Content and Key Encryption
This section provides the OIDs and processing information necessary
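Review bot: the only change in this hunk is trailing whitespace on the `services operated on wired & wireless PKI.` line, while the unchanged context around it still carries misspellings that should go in the same pass: `trustworhty`, `CRYTEC`, `Reasearch` and `Comittees`. More importantly, the citation key `[CRYPTEC]` on that line does not match the reference entry `[CRYPTREC]` in Section 8.2, so the citation does not resolve; use the organisation's spelling, CRYPTREC, in both places.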
@@ 149,73 +147,73 @@
B1  B2 Concatenate B1 and B2
K The keyencryption key K
n The number of 64bit key data blocks
s The number of steps in the wrapping process,
s = 6n
P[i] The ith plaintext key data block
C[i] The ith ciphertext data block
A The 64bit integrity check register
R[i] An array of 64bit registers where
i = 0, 1, 2, ..., n
 A[t], R[i][t] The contents of registers A and R[i] after
+ A[t], R[t][i] The contents of registers A and R[i] after
encryption step t.
IV The 64bit initial value used during the
wrapping process.
In the key wrap algorithm, the concatenation function will be used to
concatenate 64bit quantities to form the 128bit input to the SEED
codebook. The extraction functions will be used to split the 128bit
output from the SEED codebook into two 64bit quantities.
3.2 SEED Key Wrap
Key wrapping with SEED is identical to Section 2.2.1 of [RFC3394]
with "AES" replaced by "SEED".
The inputs to the key wrapping process are the KEK and the plaintext
to be wrapped. The plaintext consists of n 64bit blocks, containing
the key data being wrapped. The key wrapping process is described
below.
 Inputs: Plaintext, n 64bit values {P1, P2, ..., Pn}, and
+ Inputs: Plaintext, n 64bit values {P[1], P[2], ..., P[n]}, and
Key, K (the KEK).
 Outputs: Ciphertext, (n+1) 64bit values {C0, C1, ..., Cn}.
+ Outputs: Ciphertext, (n+1) 64bit values {C[0], C[1], ..., C[n]}.
1) Initialize variables.
Set A[0] to an initial value (see Section 3.4)
For i = 1 to n
R[0][i] = P[i]
2) Calculate intermediate values.
For t = 1 to s, where s = 6n
A[t] = MSB(64, SEED(K, A[t1]  R[t1][1])) ^ t
For i = 1 to n1
R[t][i] = R[t1][i+1]
R[t][n] = LSB(64, SEED(K, A[t1]  R[t1][1]))
3) Output the results.
 Set C[0] = A[t]
+ Set C[0] = A[s]
For i = 1 to n
 C[i] = R[t][i]
+ C[i] = R[s][i]
An alternative description of the key wrap algorithm involves
indexing rather than shifting. This approach allows one to
calculate the wrapped key in place, avoiding the rotation in the
previous description. This produces identical results and is more
easily implemented in software.
 Inputs: Plaintext, n 64bit values {P1, P2, ..., Pn}, and
+ Inputs: Plaintext, n 64bit values {P[1], P[2], ..., P[n]}, and
Key, K (the KEK).
 Outputs: Ciphertext, (n+1) 64bit values {C0, C1, ..., Cn}.
+ Outputs: Ciphertext, (n+1) 64bit values {C[0], C[1], ..., C[n]}.
1) Initialize variables.
Set A = IV, an initial value (see Section 3.4)
For i = 1 to n
R[i] = P[i]
2) Calculate intermediate values.
For j = 0 to 5
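Review bot: the index corrections are right: `Set C[0] = A[s]` and `C[i] = R[s][i]` now name the registers after the final step `t = s` of the loop in step 2, and `R[t][i]` in the notation table matches the register naming used in the algorithm. One gap remains in the Inputs line: it still states no lower bound on n. Section 3.2 says the procedure is identical to RFC 3394 Section 2.2.1, and that specification restricts the key data to at least two 64-bit blocks (n at least 2), which also rules out the degenerate case where the `For i = 1 to n1` loop in step 2 is empty; restate that restriction here or cite it explicitly, for example `Inputs: Plaintext, n 64bit values {P[1], P[2], ..., P[n]}, n >= 2, and Key, K (the KEK).`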
@@ 233,23 +231,23 @@
3.3 SEED Key Unwrap
Key unwrapping with SEED is identical to Section 2.2.2 of
[RFC3394], with "AES" replaced by "SEED".
The inputs to the unwrap process are the KEK and (n+1) 64bit blocks
of ciphertext consisting of previously wrapped key. It returns n
blocks of plaintext consisting of the n 64bit blocks of the
decrypted key data.
 Inputs: Ciphertext, (n+1) 64bit values {C0, C1, ..., Cn}, and
+ Inputs: Ciphertext, (n+1) 64bit values {C[0], C[1], ..., C[n]}, and
Key, K (the KEK).
 Outputs: Plaintext, n 64bit values {P1, P2, ..., Pn}.
+ Outputs: Plaintext, n 64bit values {P[1], P[2], ..., P[n]}.
1) Initialize variables.
Set A[s] = C[0] where s = 6n
For i = 1 to n
R[s][i] = C[i]
2) Calculate the intermediate values.
For t = s to 1
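Review bot: the bracket notation in the Inputs and Outputs lines now matches the wrap section, which is the right fix, but the unchanged context sentence above them needs an article: `of ciphertext consisting of previously wrapped key` should read `of ciphertext consisting of a previously wrapped key`. The unwrap algorithm itself is consistent with the wrap output (`C[0]` becomes `A[s]` and `C[1..n]` become `R[s][1..n]`).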
@@ 265,23 +263,23 @@
For i = 1 to n
P[i] = R[0][i]
Else
Return an error
The unwrap algorithm can also be specified as an index based
operation, allowing the calculations to be carried out in place.
Again, this produces the same results as the register shifting
approach.
 Inputs: Ciphertext, (n+1) 64bit values {C0, C1, ..., Cn}, and
+ Inputs: Ciphertext, (n+1) 64bit values {C[0], C[1], ..., C[n]}, and
Key, K (the KEK).
 Outputs: Plaintext, n 64bit values {P0, P1, K, Pn}.
+ Outputs: Plaintext, n 64bit values {P[0], P[1], ..., P[n]}.
1) Initialize variables.
Set A = C[0]
For i = 1 to n
R[i] = C[i]
2) Compute intermediate values.
For j = 5 to 0
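Review bot: the replacement Outputs line introduces an off-by-one: `{P[0], P[1], ..., P[n]}` lists n+1 values, but the same line says `n 64bit values`, the register-based unwrap in this hunk outputs `P[i] = R[0][i]` for `i = 1 to n`, and the equivalent Outputs line earlier in Section 3.3 reads `{P[1], P[2], ..., P[n]}`. Replacing the stray `K` (a lost ellipsis) with `...` is correct, but the first element must be `P[1]`: `Outputs: Plaintext, n 64bit values {P[1], P[2], ..., P[n]}.`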
@@ 364,22 +361,21 @@
If an S/MIME client is required to support symmetric encryption with
SEED, the capabilities attribute MUST contain the SEED OID
specified above in the category of symmetric algorithms. The
parameter associated with this OID MUST be SeedSMimeCapability.
SeedSMimeCapabilty ::= NULL
The SMIMECapability SEQUENCE representing SEED MUST be
DERencoded as the following hexadecimal strings:
 30 0A 06 08 2A 83 1A 8C 9A 44 01 04

+ 30 0C 06 08 2A 83 1A 8C 9A 44 01 04 05 00
When a sending agent creates an encrypted message, it has to decide
which type of encryption algorithm to use. In general the decision
process involves information obtained from the capabilities lists
included in messages received from the recipient, as well as other
information such as private agreements, user preferences, legal
restrictions, and so on. If users require SEED for symmetric
encryption, it MUST be supported by the S/MIME clients on both the
sending and receiving side, and it MUST be set in the user
preferences.
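Review bot: the new DER string is correct and the old one was not: with the parameter defined as `SeedSMimeCapability ::= NULL`, the SMIMECapability SEQUENCE must carry the explicit NULL (`05 00`) after the OID, so the outer length grows from `0A` to `0C` (2 + 8 bytes for the OID plus 2 for the NULL gives 12). The OID content `2A 83 1A 8C 9A 44 01 04` decodes to 1.2.410.200004.1.4, matching id-seedCBC in Appendix A. Two context lines still need attention: `SeedSMimeCapabilty ::= NULL` is misspelled and should match `SeedSMimeCapability` as used in the preceding sentence, and "the following hexadecimal strings" should be singular since only one string follows.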
@@ 460,73 +456,78 @@
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2633] Ramsdell, B., Editor. S/MIME Version 3 Message
Specification. RFC 2633. June 1999.
[RFC3394] J. Schaad and R. Housley, "Advanced Encryption Standard
(AES) Key Wrap Algorithm", RFC 3394, September 2002.
[AESWRAP] National Institute of Standards and Technology. AES Key
Wrap Specification. 17 November 2001.
 http://csrc.nist.gov/encryption/kms/keywrap.pdf
+ http://csrc.nist.gov/encryption/kms/keywrap.pdf
8.2 Informative Reference
 [SEED] KISA, "SEED Algorithm Specification",
 http://www.kisa.or.kr/seed/seed_eng.html"
+ [SEED] Jongwook Park, Sungjae Lee, Jeeyeon Kim, Jaeil Lee,
+ "The SEED Encryption Algorithm", draftparkseed00.txt
+
+ [SEEDWEB] KISA, "SEED Algorithm Specification",
+ http://www.kisa.or.kr/seed/seed_eng.html"
[TTASSEED] Telecommunications Technology Association (TTA),
South Korea, "128bit Symmetric Block Cipher (SEED)",
TTAS.KO12.0004, September, 1998 (In Korean)
 http://www.tta.or.kr/English/new/main/index.htm
+ http://www.tta.or.kr/English/new/main/index.htm
[ISOSEED] ISO/IEC, ISO/IEC JTC1/SC 27 N 256r1, "National Body
contributions on NP 18033 Encryption algorithms in
response to document SC 27 N 2563", October, 2000
[CRYPTREC] Informationtechnology Promotion Agency (IPA), Japan,
CRYPTREC. "SEED Evaluation Report", February, 2002
 http://www.kisa.or.kr
+ http://www.kisa.or.kr
9. Authors' Address
Jongwook Park
Korea Information Security Agency
Phone: +8224055432
FAX : +8224055499
 Email: khopri@kisa.or.kr
+ Email: khopri@kisa.or.kr
Sungjae Lee
Korea Information Security Agency
Phone: +8224055243
FAX : +8224055499
 Email: sjlee@kisa.or.kr
+ Email: sjlee@kisa.or.kr
Jeeyeon Kim
Korea Information Security Agency
Phone: +8224055238
FAX : +8224055499
 Email: jykim@kisa.or.kr
+ Email: jykim@kisa.or.kr
Jaeil Lee
Korea Information Security Agency
Phone: +8224055300
FAX : +8224055499
 Email: jilee@kisa.or.kr
+ Email: jilee@kisa.or.kr
Appendix A ASN.1 Module
SeedEncryptionAlgorithmInCMS
{ iso(1) memberbody(2) us(840) rsadsi(113549) pkcs(1)
 pkcs9(9) smime(16) modules(0) idmodcmsseed(?) }
+ pkcs9(9) smime(16) modules(0) idmodcmsseed(25) }
DEFINITIONS IMPLICIT TAGS ::= BEGIN
+DEFINITIONS IMPLICIT TAGS ::=
+
+BEGIN
idseedCBC OBJECT IDENTIFIER ::=
{ iso(1) memberbody(2) korea(410) kisa(200004)
algorithm(1) seedCBC(4) }
 Initialization Vector
SeedCBCParameter ::= SeedIV
SeedIV ::= OCTET STRING (SIZE(16))
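Review bot: the added `[SEEDWEB]` entry carries over the stray trailing quotation mark from the old `[SEED]` entry (`http://www.kisa.or.kr/seed/seed_eng.html"`); drop the `"`. Nothing in the visible text cites `[SEEDWEB]` (the Introduction cites `[SEED]` and `[TTASSEED]`), so either add a citation or remove the entry, and the `[CRYPTREC]` entry is cited as `[CRYPTEC]` in Section 1.1. The new `[SEED]` entry points at `draftparkseed00.txt` and should carry a "work in progress" annotation, in line with the rule in the Status section on citing Internet-Drafts. In the ASN.1 module, replacing the `(?)` placeholder with `idmodcmsseed(25)` is a concrete assignment under the SMIME modules arc and should be confirmed against the module registry before publication.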