draft-ietf-smime-ecc-04.txt | draft-ietf-smime-ecc-05.txt | |||
---|---|---|---|---|

INTERNET-DRAFT Simon Blake-Wilson, Certicom Corp | INTERNET-DRAFT Simon Blake-Wilson, Certicom Corp | |||

draft-ietf-smime-ecc-04.txt Daniel R. L. Brown, Certicom Corp | draft-ietf-smime-ecc-05.txt Daniel R. L. Brown, Certicom Corp | |||

Paul Lambert, Cosine Communications | Paul Lambert, Cosine Communications | |||

12 March, 2001 Expires: 12 September, 2001 | 7 May, 2001 Expires: 6 November, 2001 | |||

Use of ECC Algorithms in CMS | Use of ECC Algorithms in CMS | |||

Status of this Memo | Status of this Memo | |||

This document is an Internet-Draft and is in full conformance with | This document is an Internet-Draft and is in full conformance with | |||

all provisions of Section 10 of RFC2026. Internet-Drafts are | all provisions of Section 10 of RFC2026. Internet-Drafts are | |||

working documents of the Internet Engineering Task Force (IETF), | working documents of the Internet Engineering Task Force (IETF), | |||

its areas, and its working groups. Note that other groups may also | its areas, and its working groups. Note that other groups may also | |||

distribute working documents as Internet-Drafts. | distribute working documents as Internet-Drafts. | |||

skipping to change at page 1, line 36 | skipping to change at page 1, line 36 | |||

The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||

http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||

Abstract | Abstract | |||

This document describes how to use Elliptic Curve Cryptography | This document describes how to use Elliptic Curve Cryptography | |||

(ECC) public-key algorithms in the Cryptographic Message Syntax | (ECC) public-key algorithms in the Cryptographic Message Syntax | |||

(CMS). The ECC algorithms support the creation of digital | (CMS). The ECC algorithms support the creation of digital | |||

signatures and the exchange of keys to encrypt or authenticate | signatures and the exchange of keys to encrypt or authenticate | |||

content. The definition of the algorithm processing is based on | content. The definition of the algorithm processing is based on | |||

the ANSI X9.62 standard and the ANSI X9.63 draft, developed by the | the ANSI X9.62 standard, developed by the ANSI X9F1 working group, | |||

ANSI X9F1 working group. | and the IEEE 1363 standard and the SEC 1 standard. | |||

The readers attention is called to the Intellectual Property Rights | ||||

section at the end of this document. | ||||

Table of Contents | Table of Contents | |||

1 Introduction ........................................ 3 | 1 Introduction ........................................ 3 | |||

1.1 Requirements terminology ....................... 3 | 1.1 Requirements terminology ....................... 3 | |||

2 SignedData using ECC ................................ 3 | 2 SignedData using ECC ................................ 3 | |||

2.1 SignedData using ECDSA ......................... 3 | 2.1 SignedData using ECDSA ......................... 3 | |||

2.1.1 Fields of the SignedData ................ 3 | 2.1.1 Fields of the SignedData ................ 3 | |||

2.1.2 Actions of the sending agent ............ 4 | 2.1.2 Actions of the sending agent ............ 4 | |||

2.1.3 Actions of the receiving agent .......... 4 | 2.1.3 Actions of the receiving agent .......... 4 | |||

skipping to change at page 5, line 14 | skipping to change at page 5, line 14 | |||

3 EnvelopedData using ECC Algorithms | 3 EnvelopedData using ECC Algorithms | |||

This section describes how to use ECC algorithms with the CMS | This section describes how to use ECC algorithms with the CMS | |||

EnvelopedData format. | EnvelopedData format. | |||

3.1 EnvelopedData using (ephemeral-static) ECDH | 3.1 EnvelopedData using (ephemeral-static) ECDH | |||

This section describes how to use ephemeral-static Elliptic Curve | This section describes how to use ephemeral-static Elliptic Curve | |||

Diffie-Hellman (ECDH) key agreement algorithm with EnvelopedData. | Diffie-Hellman (ECDH) key agreement algorithm with EnvelopedData. | |||

Ephemeral-static ECDH is specified in [X9.63]. Ephemeral-static | Ephemeral-static ECDH is specified in [SEC1] and [IEEE1363]. | |||

ECDH is the elliptic curve analog of the ephemeral-static | Ephemeral-static ECDH is the the elliptic curve analog of the | |||

Diffie-Hellman key agreement algorithm specified jointly in the | ephemeral-static Diffie-Hellman key agreement algorithm specified | |||

documents [CMS, Section 12.3.1.1] and [CMS-DH]. | jointly in the documents [CMS, Section 12.3.1.1] and [CMS-DH]. | |||

In an implementation that uses ECDH with CMS EnvelopedData with key | In an implementation that uses ECDH with CMS EnvelopedData with key | |||

agreement, the following techniques and formats MUST be used. | agreement, the following techniques and formats MUST be used. | |||

3.1.1 Fields of KeyAgreeRecipientInfo | 3.1.1 Fields of KeyAgreeRecipientInfo | |||

When using ephemeral-static ECDH with EnvelopedData, the fields of | When using ephemeral-static ECDH with EnvelopedData, the fields of | |||

KeyAgreeRecipientInfo are as in [CMS], but with the following | KeyAgreeRecipientInfo are as in [CMS], but with the following | |||

restrictions: | restrictions: | |||
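
Review bot: the -05 column at 3.1 reads "Ephemeral-static ECDH is the the elliptic curve analog", a doubled "the" introduced by the re-wrap of this paragraph in -05; the -04 column has a single "the". Suggested text: "Ephemeral-static ECDH is the elliptic curve analog of the ephemeral-static Diffie-Hellman key agreement algorithm".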

skipping to change at page 6, line 12 | skipping to change at page 6, line 12 | |||

symmetric encryption algorithm used to encrypt the CEK with the | symmetric encryption algorithm used to encrypt the CEK with the | |||

KEK. | KEK. | |||

3.1.2 Actions of the sending agent | 3.1.2 Actions of the sending agent | |||

When using ephemeral-static ECDH with EnvelopedData, the sending | When using ephemeral-static ECDH with EnvelopedData, the sending | |||

agent first obtains the recipient's EC public key and domain | agent first obtains the recipient's EC public key and domain | |||

parameters (e.g. from the recipient's certificate). The sending | parameters (e.g. from the recipient's certificate). The sending | |||

agent then determines an integer "keydatalen", which is the | agent then determines an integer "keydatalen", which is the | |||

KeyWrapAlgorithm symmetric key-size in bits, and also a bit string | KeyWrapAlgorithm symmetric key-size in bits, and also a bit string | |||

"SharedData", which is the DER encoding of ECC-CMS-SharedInfo (see | "SharedInfo", which is the DER encoding of ECC-CMS-SharedInfo (see | |||

Section 8.2). The sending agent then performs the initiator | Section 8.2). The sending agent then performs the key deployment | |||

transformation of the 1-Pass Diffie-Hellman scheme specified in | and the key agreement operation of the Elliptic Curve | |||

[X9.63, Section 6.2.1]. As a result the sending agent obtains: | Diffie-Hellman Scheme specified in [SEC1, Section 6.1]. As a | |||

result the sending agent obtains: | ||||

- an ephemeral public key, which is represented as a value of | - an ephemeral public key, which is represented as a value of | |||

the type ECPoint (see Section 8.2), encapsulated in a bit | the type ECPoint (see Section 8.2), encapsulated in a bit | |||

string and placed in the KeyAgreeRecipientInfo originator | string and placed in the KeyAgreeRecipientInfo originator | |||

field, and | field, and | |||

- a shared secret bit string "KeyData" which is used as the | - a shared secret bit string "K" which is used as the pairwise | |||

pairwise key-encryption key for that recipient. | key-encryption key for that recipient, as specified in [CMS]. | |||

3.1.3 Actions of the receiving agent | 3.1.3 Actions of the receiving agent | |||

When using ephemeral-static ECDH with EnvelopedData, the receiving | When using ephemeral-static ECDH with EnvelopedData, the receiving | |||

agent determines the bit string "SharedData", which is the DER | agent determines the bit string "SharedInfo", which is the DER | |||

encoding of ECC-CMS-SharedInfo (see Section 8.2), and the integer | encoding of ECC-CMS-SharedInfo (see Section 8.2), and the integer | |||

"keydatalen" from the key-size, in bits, of the KeyWrapAlgorithm. | "keydatalen" from the key-size, in bits, of the KeyWrapAlgorithm. | |||

The receiving agent retrieves the ephemeral EC public key from the | The receiving agent retrieves the ephemeral EC public key from the | |||

bit string KeyAgreeRecipientInfo originator, which an value of the | bit string KeyAgreeRecipientInfo originator, which an value of the | |||

type ECPoint (see Section 8.2) encapsulated as a bit string. The | type ECPoint (see Section 8.2) encapsulated as a bit string. The | |||

receiving agent completes the responder transformation of the | receiving agent performs the key agreement operation of the | |||

1-Pass Diffie-Hellman scheme [X9.63, Section 6.2.2]. As a result | Elliptic Curve Diffie-Hellman Scheme specified in [SEC1, Section | |||

the receiving agent obtains a shared secret bit string "KeyData" | 6.1]. As a result the receiving agent obtains a shared secret bit | |||

which is used as the pairwise key-encryption key to unwrap the CEK. | string "K" which is used as the pairwise key-encryption key to | |||

unwrap the CEK. | ||||

3.2 EnvelopedData using 1-Pass ECMQV | 3.2 EnvelopedData using 1-Pass ECMQV | |||

This section describes how to use the 1-Pass elliptic curve MQV | This section describes how to use the 1-Pass elliptic curve MQV | |||

(ECMQV) key agreement algorithm with EnvelopedData. 1-Pass ECMQV | (ECMQV) key agreement algorithm with EnvelopedData. ECMQV is | |||

is specified in [X9.63]. Like the KEA algorithm [CMS-KEA], 1-Pass | specified in [SEC1] and [IEEE1363]. Like the KEA algorithm | |||

ECMQV uses three key pairs: an ephemeral key pair, a static key | [CMS-KEA], 1-Pass ECMQV uses three key pairs: an ephemeral key | |||

pair of the sending agent, and a static key pair of the receiving | pair, a static key pair of the sending agent, and a static key pair | |||

agent. An advantage of using 1-Pass ECMQV is that it can be used | of the receiving agent. An advantage of using 1-Pass ECMQV is that | |||

with both EnvelopedData and AuthenticatedData. | it can be used with both EnvelopedData and AuthenticatedData. | |||

In an implementation that uses 1-Pass ECMQV with CMS EnvelopedData | In an implementation that uses 1-Pass ECMQV with CMS EnvelopedData | |||

with key agreement, the following techniques and formats MUST be | with key agreement, the following techniques and formats MUST be | |||

used. | used. | |||

3.2.1 Fields of KeyAgreeRecipientInfo | 3.2.1 Fields of KeyAgreeRecipientInfo | |||

When using 1-Pass ECMQV with EnvelopedData the fields of | When using 1-Pass ECMQV with EnvelopedData the fields of | |||

KeyAgreeRecipientInfo are: | KeyAgreeRecipientInfo are: | |||
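
Review bot: in 3.1.3 the sentence "retrieves the ephemeral EC public key from the bit string KeyAgreeRecipientInfo originator, which an value of the type ECPoint" is ungrammatical in both columns and was not picked up in -05; suggest "which is a value of the type ECPoint (see Section 8.2) encapsulated as a bit string". On substance, 3.1.2 only says the sending agent "obtains the recipient's EC public key and domain parameters" before running the key deployment and key agreement operation of [SEC1, Section 6.1], whereas 3.2.2 explicitly has the sending agent check the domain parameters; it would help readers to state here whether the sending agent is expected to validate the recipient's public key against those domain parameters before deriving "K", since the renamed shared secret is used directly as the pairwise key-encryption key.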

skipping to change at page 7, line 40 | skipping to change at page 7, line 40 | |||

encryption algorithm used to encrypt the CEK with the KEK | encryption algorithm used to encrypt the CEK with the KEK | |||

generated using the 1-Pass ECMQV algorithm. | generated using the 1-Pass ECMQV algorithm. | |||

3.2.2 Actions of the sending agent | 3.2.2 Actions of the sending agent | |||

When using 1-Pass ECMQV with EnvelopedData, the sending agent first | When using 1-Pass ECMQV with EnvelopedData, the sending agent first | |||

obtains the recipient's EC public key and domain parameters, | obtains the recipient's EC public key and domain parameters, | |||

(e.g. from the recipient's certificate) and checks that the domain | (e.g. from the recipient's certificate) and checks that the domain | |||

parameters are the same. The sending agent then determines an | parameters are the same. The sending agent then determines an | |||

integer "keydatalen", which is the KeyWrapAlgorithm symmetric | integer "keydatalen", which is the KeyWrapAlgorithm symmetric | |||

key-size in bits, and also a bit string "SharedData", which is the | key-size in bits, and also a bit string "SharedInfo", which is the | |||

DER encoding of ECC-CMS-SharedInfo (see Section 8.2). The sending | DER encoding of ECC-CMS-SharedInfo (see Section 8.2). The sending | |||

agent then performs the initiator transformation of the 1-Pass | agent then performs the key deployment and key agreement operations | |||

ECMQV scheme specified in [X9.63, Section 6.9.1]. As a result the | of the Elliptic Curve MQV Scheme specified in [SEC1, Section 6.2]. | |||

sending agent obtains | As a result the sending agent obtains | |||

- an ephemeral public key, which is represented as a value of | - an ephemeral public key, which is represented as a value of | |||

type ECPoint (see Section 8.2), encapsulated in a bit string, | type ECPoint (see Section 8.2), encapsulated in a bit string, | |||

placed in an MQVuserKeyingMaterial ephemeralPublicKey | placed in an MQVuserKeyingMaterial ephemeralPublicKey | |||

publicKey field (see Section 8.2), and | publicKey field (see Section 8.2), and | |||

- a shared secret bit string "KeyData" which is used as the | - a shared secret bit string "K" which is used as the pairwise | |||

pairwise key-encryption key for that recipient. Parity bits | key-encryption key for that recipient, as specified in [CMS]. | |||

are adjusted according to the key wrap algorithm. | ||||

The ephemeral public key can be re-used with an AuthenticatedData | The ephemeral public key can be re-used with an AuthenticatedData | |||

for greater efficiency. | for greater efficiency. | |||

3.2.3 Actions of the receiving agent | 3.2.3 Actions of the receiving agent | |||

When using 1-Pass ECMQV with EnvelopedData, the receiving agent | When using 1-Pass ECMQV with EnvelopedData, the receiving agent | |||

determines the bit string "SharedData", which is the DER encoding | determines the bit string "SharedInfo", which is the DER encoding | |||

of ECC-CMS-SharedInfo (see Section 8.2), and the | of ECC-CMS-SharedInfo (see Section 8.2), and the integer | |||

integer "keydatalen" from the key-size, in bits, of the | "keydatalen" from the key-size, in bits, of the KeyWrapAlgorithm. | |||

KeyWrapAlgorithm. The receiving agent then retrieves the static | The receiving agent then retrieves the static and ephemeral EC | |||

and ephemeral EC public keys of the originator, from the originator | public keys of the originator, from the originator and ukm fields | |||

and ukm fields as described in Section 3.2.1, and its static EC | as described in Section 3.2.1, and its static EC public key | |||

public key identified in the rid field and checks that the domain | identified in the rid field and checks that the domain parameters | |||

parameters are the same. The receiving agent then performs the | are the same. The receiving agent then performs the key agreement | |||

responder transformation of the 1-Pass ECMQV scheme [X9.63, Section | operation of the Elliptic Curve MQV Scheme [SEC1, Section 6.2]. As | |||

6.9.2]. As a result the receiving agent obtains a shared secret | a result the receiving agent obtains a shared secret bit string "K" | |||

bit string "KeyData" which is used as the pairwise key-encryption | which is used as the pairwise key-encryption key to unwrap the CEK. | |||

key to unwrap the CEK. | ||||

4 AuthenticatedData using ECC | 4 AuthenticatedData using ECC | |||

This section describes how to use ECC algorithms with the CMS | This section describes how to use ECC algorithms with the CMS | |||

AuthenticatedData format. AuthenticatedData lacks non-repudiation, | AuthenticatedData format. AuthenticatedData lacks non-repudiation, | |||

and so in some instances is preferable to SignedData. (For | and so in some instances is preferable to SignedData. (For | |||

example, the sending agent might not want the message to be | example, the sending agent might not want the message to be | |||

authenticated when forwarded.) | authenticated when forwarded.) | |||

4.1 AuthenticatedData using 1-pass ECMQV | 4.1 AuthenticatedData using 1-pass ECMQV | |||

This section describes how to use the 1-Pass elliptic curve MQV | This section describes how to use the 1-Pass elliptic curve MQV | |||

(ECMQV) key agreement algorithm with AuthenticatedData. 1-Pass | (ECMQV) key agreement algorithm with AuthenticatedData. ECMQV is | |||

ECMQV is specified in [X9.63]. An advantage of using 1-Pass ECMQV | specified in [SEC1]. An advantage of using 1-Pass ECMQV is that it | |||

is that it can be used with both EnvelopedData and | can be used with both EnvelopedData and AuthenticatedData. | |||

AuthenticatedData. | ||||

4.1.1 Fields of the KeyAgreeRecipientInfo | 4.1.1 Fields of the KeyAgreeRecipientInfo | |||

The AuthenticatedData KeyAgreeRecipientInfo fields are used in the | The AuthenticatedData KeyAgreeRecipientInfo fields are used in the | |||

same manner as the fields for the corresponding EnvelopedData | same manner as the fields for the corresponding EnvelopedData | |||

KeyAgreeRecipientInfo fields of Section 3.2.1 of this document. | KeyAgreeRecipientInfo fields of Section 3.2.1 of this document. | |||

4.1.2 Actions of the sending agent | 4.1.2 Actions of the sending agent | |||

The sending agent uses the same actions as for EnvelopedData | The sending agent uses the same actions as for EnvelopedData | |||
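
Review bot: the -05 text at the end of 3.2.2 drops the -04 sentence "Parity bits are adjusted according to the key wrap algorithm" and replaces it with "as specified in [CMS]"; the same wording now appears in 3.1.2, so either [CMS] is relied on to cover parity adjustment of the KEK for the example 3DES key wrap (the suppPubInfo example in Section 8 is 3DES, 00 00 00 c0), or the sentence should be restored in both places. Separately, 3.2.2 says the sending agent "checks that the domain parameters are the same" without saying the same as what; suggest "the same as those of the sending agent's static key pair", which is what 3.2.3 does implicitly when it compares the originator's static and ephemeral keys with the recipient's static key.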

skipping to change at page 9, line 28 | skipping to change at page 9, line 28 | |||

Implementations of this specification MUST implement either | Implementations of this specification MUST implement either | |||

SignedData with ECDSA or EnvelopedData with ephemeral-static ECDH. | SignedData with ECDSA or EnvelopedData with ephemeral-static ECDH. | |||

Implementations of this specification SHOULD implement both | Implementations of this specification SHOULD implement both | |||

SignedData with ECDSA and EnvelopedData with ephemeral-static ECDH. | SignedData with ECDSA and EnvelopedData with ephemeral-static ECDH. | |||

Implementations MAY implement the other techniques specified, such | Implementations MAY implement the other techniques specified, such | |||

as AuthenticatedData and 1-Pass ECMQV. | as AuthenticatedData and 1-Pass ECMQV. | |||

Furthermore, in order to encourage interoperability, | Furthermore, in order to encourage interoperability, | |||

implementations SHOULD use the elliptic curve domain parameters | implementations SHOULD use the elliptic curve domain parameters | |||

specified by ANSI [X9.62, X9.63], NIST [FIPS-186-2] and SECG | specified by ANSI [X9.62], NIST [FIPS-186-2] and SECG [SEC2]. | |||

[SEC2]. | ||||

6 Certificates using ECC | 6 Certificates using ECC | |||

Internet X.509 certificates [PKI] can be used in conjunction with | Internet X.509 certificates [PKI] can be used in conjunction with | |||

this specification to distribute agents' public keys. The use of | this specification to distribute agents' public keys. The use of | |||

ECC algorithms and keys within X.509 certificates is specified in | ECC algorithms and keys within X.509 certificates is specified in | |||

[PKI-ALG]. More details can be found in [SEC3]. | [PKI-ALG]. More details can be found in [SEC3]. | |||

7 SMIMECapabilities Attribute and ECC | 7 SMIMECapabilities Attribute and ECC | |||

skipping to change at page 10, line 38 | skipping to change at page 10, line 38 | |||

for ECMQV. | for ECMQV. | |||

8 ASN.1 Syntax | 8 ASN.1 Syntax | |||

The ASN.1 syntax that is used in this document is gathered together | The ASN.1 syntax that is used in this document is gathered together | |||

in this section for reference purposes. | in this section for reference purposes. | |||

8.1 Algorithm identifiers | 8.1 Algorithm identifiers | |||

The algorithm identifiers used in this document are taken from | The algorithm identifiers used in this document are taken from | |||

[X9.62] and [X9.63]. | [X9.62], [SEC1] and [SEC2]. | |||

The following object identifier indicates the hash algorithm used | The following object identifier indicates the hash algorithm used | |||

in this document: | in this document: | |||

sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) | sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) | |||

oiw(14) secsig(3) algorithm(2) 26 } | oiw(14) secsig(3) algorithm(2) 26 } | |||

The following object identifier is used in this document to | The following object identifier is used in this document to | |||

indicate an elliptic curve public key: | indicate an elliptic curve public key: | |||

skipping to change at page 13, line 5 | skipping to change at page 13, line 5 | |||

entityUInfo optionally contains additional keying material | entityUInfo optionally contains additional keying material | |||

supplied by the sending agent. When used with ECDH and CMS, the | supplied by the sending agent. When used with ECDH and CMS, the | |||

entityUInfo field contains the octet string ukm. When used with | entityUInfo field contains the octet string ukm. When used with | |||

ECMQV and CMS, the entityUInfo contains the octet string | ECMQV and CMS, the entityUInfo contains the octet string | |||

addedukm (encoded in MQVuserKeyingMaterial). | addedukm (encoded in MQVuserKeyingMaterial). | |||

suppPubInfo contains the length of the generated KEK, in bits, | suppPubInfo contains the length of the generated KEK, in bits, | |||

represented as a 32 bit number, as in [CMS-DH]. (E.g. for 3DES | represented as a 32 bit number, as in [CMS-DH]. (E.g. for 3DES | |||

it would be 00 00 00 c0.) | it would be 00 00 00 c0.) | |||

Within CMS, ECC-CMS-SharedInfo is DER-encoded and used as input to | Within CMS, ECC-CMS-SharedInfo is DER-encoded and used as input to | |||

the key derivation function, as specified in [X9.63, Section | the key derivation function, as specified in [SEC1, Section 3.6.1]. | |||

5.6.3]. Note that ECC-CMS-SharedInfo differs from the OtherInfo | Note that ECC-CMS-SharedInfo differs from the OtherInfo specified | |||

specified in [CMS-DH]. Here a counter value is not included in the | in [CMS-DH]. Here a counter value is not included in the keyInfo | |||

keyInfo field because the key derivation function specified in | field because the key derivation function specified in [SEC1, | |||

[X9.63, Section 5.6.3] ensures that sufficient keying data is | Section 3.6.1] ensures that sufficient keying data is provided. | |||

provided. | ||||

9 Summary | 9 Summary | |||

This document specifies how to use ECC algorithms with the S/MIME | This document specifies how to use ECC algorithms with the S/MIME | |||

CMS. Use of ECC algorithm within CMS can result in reduced | CMS. Use of ECC algorithm within CMS can result in reduced | |||

processing requirements for S/MIME agents, and reduced bandwidth | processing requirements for S/MIME agents, and reduced bandwidth | |||

for CMS messages. | for CMS messages. | |||

References | References | |||

[X9.42] ANSI X9.42-2001, "Agreement Of Symmetric Keys Using | ||||

Diffie-Hellman and MQV Algorithms", American National | ||||

Standards Institute, 2001, Approved draft. | ||||

[X9.62] ANSI X9.62-1998, "Public Key Cryptography For The | [X9.62] ANSI X9.62-1998, "Public Key Cryptography For The | |||

Financial Services Industry: The Elliptic Curve | Financial Services Industry: The Elliptic Curve | |||

Digital Signature Algorithm (ECDSA)", American | Digital Signature Algorithm (ECDSA)", American | |||

National Standards Institute, 1999. | National Standards Institute, 1999. | |||

[X9.63] ANSI X9.63-xxxx, "Public Key Cryptography For The | ||||

Financial Services Industry: Key Agreement and Key | ||||

Transport Using Elliptic Curve Cryptography", American | ||||

National Standards Institute, 2000, Working draft. | ||||

[PKI-ALG] L. Bassham, R. Housley and W. Polk, "Algorithms and | [PKI-ALG] L. Bassham, R. Housley and W. Polk, "Algorithms and | |||

Identifiers for the Internet X.509 Public Key | Identifiers for the Internet X.509 Public Key | |||

Infrastructure Certificate and CRL profile", PKIX | Infrastructure Certificate and CRL profile", PKIX | |||

Working Group Internet-Draft, November 2000. | Working Group Internet-Draft, November 2000. | |||

[BON] D. Boneh, "The Security of Multicast MAC", | [BON] D. Boneh, "The Security of Multicast MAC", | |||

Presentation at Selected Areas of Cryptography 2000, | Presentation at Selected Areas of Cryptography 2000, | |||

Center for Applied Cryptographic Research, University | Center for Applied Cryptographic Research, University | |||

of Waterloo, 2000 | of Waterloo, 2000. Paper version available from | |||

http://crypto.stanford.edu/~dabo/papers/mmac.ps | ||||

[MUST] S. Bradner, "Key Words for Use in RFCs to Indicate | [MUST] S. Bradner, "Key Words for Use in RFCs to Indicate | |||

Requirement Levels", RFC 2119, March 1997. | Requirement Levels", RFC 2119, March 1997. | |||

[FIPS-180] FIPS 180-1, "Secure Hash Standard", National Institute | [FIPS-180] FIPS 180-1, "Secure Hash Standard", National Institute | |||

of Standards and Technology, April 17, 1995. | of Standards and Technology, April 17, 1995. | |||

[FIPS-186-2] FIPS 186-2, "Digital Signature Standard", National | [FIPS-186-2] FIPS 186-2, "Digital Signature Standard", National | |||

Institute of Standards and Technology, 15 February | Institute of Standards and Technology, 15 February | |||

2000. | 2000. | |||
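
Review bot: Section 9 reads "Use of ECC algorithm within CMS can result in reduced processing requirements" in both columns; "algorithms" is meant, matching the Abstract and Section 1. Also, the -05 column deletes the [X9.42] and [X9.63] entries; that is consistent, since no -05 text line shown here still cites either of them (3.1, 3.2, 5, 8.1 and Security Considerations now cite [SEC1], [IEEE1363] and [SEC2]).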

skipping to change at page 14, line 17 | skipping to change at page 14, line 9 | |||

Profile", PKIX Working Group Internet-Draft, January | Profile", PKIX Working Group Internet-Draft, January | |||

2001. | 2001. | |||

[CMS] R. Housley, "Cryptographic Message Syntax", RFC 2630, | [CMS] R. Housley, "Cryptographic Message Syntax", RFC 2630, | |||

June 1999. | June 1999. | |||

[IEEE1363] IEEE P1363, "Standard Specifications for Public Key | [IEEE1363] IEEE P1363, "Standard Specifications for Public Key | |||

Cryptography", Institute of Electrical and Electronics | Cryptography", Institute of Electrical and Electronics | |||

Engineers, 2000. | Engineers, 2000. | |||

[K] B. Kaliski, "MQV Vulnerabilty", Posting to ANSI X9F1 | ||||

and IEEE P1363 newsgroups, 1998. | ||||

[LMQSV] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone, | [LMQSV] L. Law, A. Menezes, M. Qu, J. Solinas and S. Vanstone, | |||

"An efficient protocol for authenticated key agreement", | "An efficient protocol for authenticated key agreement", | |||

Technical report CORR 98-05, University of Waterloo, | Technical report CORR 98-05, University of Waterloo, | |||

1998. | 1998. | |||

[CMS-KEA] J. Pawling, "CMS KEA and SKIPJACK Conventions", RFC | [CMS-KEA] J. Pawling, "CMS KEA and SKIPJACK Conventions", RFC | |||

2876, July 2000. | 2876, July 2000. | |||

[MSG] B. Ramsdell, "S/MIME Version 3 Message Specification", | [MSG] B. Ramsdell, "S/MIME Version 3 Message Specification", | |||

RFC 2633, June 1999. | RFC 2633, June 1999. | |||

[CMS-DH] E. Rescorla, "Diffie-Hellman Key Agreement Method", | [CMS-DH] E. Rescorla, "Diffie-Hellman Key Agreement Method", | |||

RFC 2631, June 1999. | RFC 2631, June 1999. | |||

[SEC1] SECG, "Elliptic Curve Cryptography", Standards for | [SEC1] SECG, "Elliptic Curve Cryptography", Standards for | |||

Efficient Cryptography Group, 2000. | Efficient Cryptography Group, 2000. | |||

[SEC2] SECG, "Recommended Elliptic Curve Domain Parameters", | [SEC2] SECG, "Recommended Elliptic Curve Domain Parameters", | |||

Standards for Efficient Cryptography Group, 2000. | Standards for Efficient Cryptography Group, 2000. | |||

[SEC3] SECG, "ECC in X.509", Standards for Efficient | ||||

Cryptography Group, Working Draft, 2000. | ||||

Security Considerations | Security Considerations | |||

This specification is based on [CMS], [X9.62] and [X9.63] and the | This specification is based on [CMS], [X9.62] and [SEC1] and the | |||

appropriate security considerations of those documents apply. | appropriate security considerations of those documents apply. | |||

In addition, implementors of AuthenticatedData should be aware of | In addition, implementors of AuthenticatedData should be aware of | |||

the concerns expressed in [BON] when using AuthenticatedData to | the concerns expressed in [BON] when using AuthenticatedData to | |||

send messages to more than one recipient. | send messages to more than one recipient. Also, users of MQV | |||

should be aware of the vulnerability in [K]. | ||||

When 256, 384, and 512 bit hash functions succeed SHA-1 in future | ||||

revisions of [FIPS], [FIPS-186-2], [X9.62] and [SEC1], then they | ||||

can similarly succeed SHA-1 in a future revision of this document. | ||||

Intellectual Property Rights | Intellectual Property Rights | |||

The IETF has been notified of intellectual property rights claimed | The IETF has been notified of intellectual property rights claimed | |||

in regard to the specification contained in this document. For | in regard to the specification contained in this document. For | |||

more information, consult the online list of claimed rights | more information, consult the online list of claimed rights | |||

(http://www.ietf.org/ipr.html). | (http://www.ietf.org/ipr.html). | |||

The IETF takes no position regarding the validity or scope of any | The IETF takes no position regarding the validity or scope of any | |||

intellectual property or other rights that might be claimed to | intellectual property or other rights that might be claimed to | |||
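
Review bot: the -05 column removes the [SEC3] reference entry ("ECC in X.509", Working Draft, 2000), but Section 6 in the same column still ends with "More details can be found in [SEC3]", so the citation now dangles; either keep the entry or drop the sentence. Two further points in the new text: the added Security Considerations paragraph cites "[FIPS]", which is not a listed reference (the hash standard entry is [FIPS-180]), and the added [K] entry spells the title "MQV Vulnerabilty"; "Vulnerability" is presumably intended.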

End of changes. | ||||

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |