diff draft-ietf-smime-multisig-03.txt draft-ietf-smime-multisig-04.txt
(lines marked < are in -03 only, lines marked > are in -04 only; unmarked lines are common to both)

S/MIME WG                                              Sean Turner, IECA
Internet Draft                                  Jim Schaad, Soaring Hawk
< Intended Status: Standard Track                      November 16, 2007
< Expires: May 16, 2008
> Intended Status: Standard Track                       January 22, 2008
> Expires: July 22, 2008

                      Multiple Signatures in S/MIME
< draft-ietf-smime-multisig-03.txt
> draft-ietf-smime-multisig-04.txt

Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 33

and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

< This Internet-Draft will expire on May 16, 2008.
> This Internet-Draft will expire on July 22, 2008.

Copyright Notice

< Copyright (C) The IETF Trust (2007).
> Copyright (C) The IETF Trust (2008).

Abstract

CMS SignedData includes the SignerInfo structure to convey per-signer
information. SignedData supports multiple signers and multiple
signature algorithms per-signer with multiple SignerInfo structures.
If a signer attaches more than one SignerInfo, there are concerns
that an attacker could perform a downgrade attack by removing the
SignerInfo(s) with the 'strong' algorithm(s). This document defines
the multiple-signatures attribute, its generation rules, and its
skipping to change at page 2, line 29

single word subscribe in the body of the message. There is a Web site
for the mailing list at <http://www.imc.org/ietf-smime/>.

Table of Contents

1. Introduction...................................................3
2. Rationale......................................................3
   2.1. Attribute Design Requirements.............................4
3. Multiple Signature Indication..................................5
4. Message Generation and Processing..............................6
<   4.1. SignedData Type...........................................6
>   4.1. SignedData Type...........................................7
   4.2. EncapsulatedContentInfo Type..............................7
   4.3. SignerInfo Type...........................................7
<   4.4. Message Digest Calculation Process........................7
<      4.4.1. multiple-signatures Signed Attribute Generation......7
>   4.4. Message Digest Calculation Process........................8
>      4.4.1. multiple-signatures Signed Attribute Generation......8
      4.4.2. Message Digest calculation Process...................8
   4.5. Signature Generation Process..............................8
   4.6. Signature Verification Process............................8
< 5. Signature Evaluation Processing................................8
> 5. Signature Evaluation Processing................................9
   5.1. Evaluation of a SignerInfo object.........................9
   5.2. Evaluation of a SignerInfo Set...........................10
   5.3. Evaluation of a SignedData Set...........................11
< 6. Security Considerations.......................................11
> 6. Security Considerations.......................................12
7. IANA Considerations...........................................12
8. References....................................................12
   8.1. Normative References.....................................12
<   8.2. Informative References...................................12
>   8.2. Informative References...................................13
< Appendix A. ASN.1 Module.........................................13
> Appendix A. ASN.1 Module.........................................14
< Appendix B. Background...........................................15
<   B.1. Attacks..................................................15
<   B.2. Hashes in CMS............................................15
> Appendix B. Background...........................................16
>   B.1. Attacks..................................................16
>   B.2. Hashes in CMS............................................16
1. Introduction

The Cryptographic Message Syntax (CMS), see [CMS], defined SignerInfo
to provide data necessary for relying parties to verify the signer's
digital signature, which is also include in the SignerInfo structure.
Signers include more than one SignerInfo in a SignedData if they use
different digest or signature algorithms. Each SignerInfo exists
independently and new SignerInfo structures can be added or an
existing one(s) removed without perturbing the remaining
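Review bot: typo carried unchanged from -03 into -04 in the Introduction: "which is also include in the SignerInfo structure" should read "included". Worth picking up in the next revision since this paragraph is otherwise untouched.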
skipping to change at page 5, line 16

The multiple-signatures attribute type specifies a pointer to a
signer's other multiple-signatures attribute(s). For example, if a
signer applies three signatures there must be two attribute values
for multiple-signatures in each SignerInfo. The 1st SignerInfo
points to the 2nd and 3rd SignerInfos. The 2nd SignerInfo points to
the 1st and 3rd SignerInfos. The 3rd SignerInfo points to the 1st and
2nd SignerInfos.

The multiple-signatures attribute MUST be a signed attribute. The
< number of attributes included in a SignerInfo is the number of
> number of attribute values included in a SignerInfo is the number of
signatures applied by a signer less one. This attribute is multi-
valued and there MAY be more than one AttributeValue present.

The following object identifier identifies the multiple-signatures
attribute:

< id-aa-multipleSignatures OBJECT IDENTIFIER ::= { iso(1)
<    member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) TBD }
> id-aa-multipleSignatures OBJECT IDENTIFIER ::= {
>    iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
>    id-aa(16) 51 }

multiple-signatures attribute values have the ASN.1 type
MultipleSignatures:

MultipleSignatures ::= SEQUENCE {
<   bodyHashAlg DigestAlgorithIdentifier,
>   bodyHashAlg DigestAlgorithmIdentifier,
    signAlg SignatureAlgorithmIdentifier,
    signAttrsHash SignAttrsHash,
    cert ESSCertIDv2 OPTIONAL}

SignAttrsHash ::= SEQUENCE {
<   algID AlgorithmIdentifier,
>   algID DigestAlgorithmIdentifier,
    hash OCTET STRING }

The fields in MultipleSignatures have the following meaning:

- bodyHashAlg includes the digest algorithmIdentifier for the
referenced multiple-signatures attribute.

- signAlg includes the signature algorithmIdentifier for the
referenced multiple-signatures attribute.

- signAttrsHash has two fields:
skipping to change at page 7, line 23 (-03) / page 7, line 42 (-04)

-- Include their signerInfo.

4.2. EncapsulatedContentInfo Type

The procedures for generating EncapsulatedContentInfo are as
specified in section 5.2 of [CMS].

4.3. SignerInfo Type

The procedures for generating a SignerInfo are as specified in
< section 5.3 of [CMS] with the following addition:
> section 4.4.1 of [CMS] with the following addition:

The signer MUST include the multiple-signatures attribute in
signedAttrs.

4.4. Message Digest Calculation Process

4.4.1. multiple-signatures Signed Attribute Generation

The procedure for generating the multiple-signatures signed attribute
are as follows:
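Review bot: the changed cross-reference in 4.3, "as specified in section 4.4.1 of [CMS]", points at the wrong document. 4.4.1 is the number of this draft's own "multiple-signatures Signed Attribute Generation" section, while the base SignerInfo procedure that 4.3 extends is section 5.3 of [CMS], which is what -03 cited. Suggest keeping the [CMS] citation and adding the internal pointer for the attribute instead, e.g. "as specified in section 5.3 of [CMS] with the following addition: The signer MUST include the multiple-signatures attribute, generated as described in section 4.4.1, in signedAttrs."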
skipping to change at page 11, line 44 (-03) / page 12, line 18 (-04)

Security considerations from the hash and signature algorithms used
to produce the SignerInfo apply.

If the hashing and signing operations are performed by different
entities, the entity performing the signature must ensure the hash
comes from a "trustworthy" source. This can be partially mitigated by
requiring that multiple hashes using different algorithms are
provided.

< This attribute provides no protection if all of the algorithms used
< in the signer attribute are 'cracked'.
> This attribute cannot be relied upon in the event that all of the
> algorithms used in the signer attribute are 'cracked'. It is not
> possible for a verifier to determine that a collision could not be
> found that satisfies all of the algorithms.
Local policy and applications greatly affects signature processing.
The application of local policy and the requirements specific to an
application can both affect signature processing. This means that a
signature valid in one context or location can fail validation in a
different context or location.
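The stripping attack the Abstract describes, and the cross-check that the attribute of Section 3 makes possible, modelled end to end in Python. This is an added example, not code from the draft or its authors. Several stand-ins are assumptions: sorted JSON replaces DER as the canonical encoding; HMAC replaces the public-key signature, since the check does not depend on which signature algorithm is used; and when one SignerInfo refers to another, the referenced signedAttrs are hashed with the multiple-signatures attribute itself left out, because mutually referencing values cannot otherwise be computed (the generation procedure of 4.4.1 is elided from this diff, so that detail is assumed). Field names mirror Section 3 (bodyHashAlg, signAlg, signAttrsHash with algID and hash). The example uses the three-SignerInfo case from Section 3 and goes slightly beyond the text by also showing that altering a remaining SignerInfo, not just deleting one, makes the others' references dangle.

```python
"""Model of the CMS multiple-signatures attribute (Section 3) and the
cross-check a verifier runs over a SignerInfo set to detect a stripped
or altered SignerInfo.  Added example, not code from the draft.  Stand-ins
(all assumptions): sorted JSON for DER, HMAC for the public-key signature,
and the referenced SignerInfo's signedAttrs hashed with the
multiple-signatures attribute itself removed."""
import hashlib
import hmac
import json

DIGEST = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}
MULTISIG = "multiple-signatures"


def canon(obj):
    """Deterministic byte encoding; stand-in for DER."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(alg, data):
    return DIGEST[alg](data).hexdigest()


def strip_multisig(signed_attrs):
    return {k: v for k, v in signed_attrs.items() if k != MULTISIG}


def ref_key(digest_alg, sig_alg, signed_attrs):
    """What one MultipleSignatures value pins down about another SignerInfo:
    (bodyHashAlg, signAlg, signAttrsHash.algID, signAttrsHash.hash)."""
    stripped = canon(strip_multisig(signed_attrs))
    return (digest_alg, sig_alg, digest_alg, digest(digest_alg, stripped))


def build_signer_infos(content, key, algs):
    """One SignerInfo per (digestAlg, sigAlg); each carries n-1 attribute
    values pointing at the other SignerInfos, as Section 3 requires."""
    base = [{"content-type": "data", "message-digest": digest(d, content)} for d, _ in algs]
    refs = []
    for (d, s), attrs in zip(algs, base):
        bh, sa, aid, h = ref_key(d, s, attrs)
        refs.append({"bodyHashAlg": bh, "signAlg": sa, "signAttrsHash": {"algID": aid, "hash": h}})
    infos = []
    for i, ((d, s), attrs) in enumerate(zip(algs, base)):
        signed = dict(attrs)
        signed[MULTISIG] = [r for j, r in enumerate(refs) if j != i]
        sig = hmac.new(key, canon(signed), DIGEST[d]).hexdigest()   # stand-in for signing
        infos.append({"digestAlgorithm": d, "signatureAlgorithm": s,
                      "signedAttrs": signed, "signature": sig})
    return infos


def verify_signer_info(info, content, key):
    """Plain CMS check: message-digest matches the body, signature covers signedAttrs."""
    d = info["digestAlgorithm"]
    if info["signedAttrs"]["message-digest"] != digest(d, content):
        return False
    expected = hmac.new(key, canon(info["signedAttrs"]), DIGEST[d]).hexdigest()
    return hmac.compare_digest(expected, info["signature"])


def evaluate_signer_info_set(infos, content, key):
    """Returns (digest algs whose SignerInfo verified, references that match no
    present SignerInfo).  A non-empty second list means a SignerInfo was
    removed or altered after signing."""
    present = {ref_key(i["digestAlgorithm"], i["signatureAlgorithm"], i["signedAttrs"]) for i in infos}
    verified = [i["digestAlgorithm"] for i in infos if verify_signer_info(i, content, key)]
    dangling = []
    for i in infos:
        for r in i["signedAttrs"].get(MULTISIG, []):
            k = (r["bodyHashAlg"], r["signAlg"], r["signAttrsHash"]["algID"], r["signAttrsHash"]["hash"])
            if k not in present:
                dangling.append(k)
    return verified, dangling


def with_altered_message_digest(info, fake="00"):
    """Copy of a SignerInfo whose body hash an attacker replaced: its own
    signature breaks and every other SignerInfo's reference to it dangles."""
    attrs = dict(info["signedAttrs"])
    attrs["message-digest"] = fake
    return {**info, "signedAttrs": attrs}


CONTENT = b"Transfer 10 units to account 4711"   # constructed sample body
KEY = b"signer-secret-stand-in"                    # constructed; stands in for the private key
FULL = build_signer_infos(CONTENT, KEY, [("sha1", "rsa"), ("sha256", "rsa"), ("sha512", "ecdsa")])
STRIPPED = FULL[:1]   # attacker deletes the two stronger SignerInfos and keeps SHA-1


def demo():
    return (evaluate_signer_info_set(FULL, CONTENT, KEY),
            evaluate_signer_info_set(STRIPPED, CONTENT, KEY))


if __name__ == "__main__":
    intact, downgraded = demo()
    print("intact set:      verified", intact[0], "dangling refs", len(intact[1]))
    print("after stripping: verified", downgraded[0], "dangling refs", len(downgraded[1]))
```

A verifier that ignores the attribute sees the surviving SHA-1 SignerInfo validate and learns nothing; one that applies the check finds two references to SignerInfos that are no longer present and can reject the message or fall back to local policy, which is the split Section 5 and the "Local policy" paragraph above describe. The limit stated in the 'cracked' paragraph is also visible in the model: the references are only as strong as the digest that protects the signedAttrs carrying them, so if every algorithm the signer used were broken, nothing in the attribute would reveal a forged set.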
7. IANA Considerations

None: All identifiers are already registered. Please remove this
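Review bot: the first sentence of the "Local policy" paragraph ("Local policy and applications greatly affects signature processing.") restates the sentence that follows it and has a number-agreement error ("affects" with a plural subject); drop it and keep the second sentence. The reworded 'cracked' paragraph is an improvement: it now says why the attribute cannot help in that case, namely that a verifier cannot rule out a collision satisfying all of the algorithms, instead of only asserting that it provides no protection.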
skipping to change at page 13, line 7 (-03) / page 14, line 7 (-04)

Agility", RFC 5035, August 2007.

8.2. Informative References

[ATTACK] Hoffman, P., Schneier, B., "Attacks on Cryptographic
Hashes in Internet Protocols", RFC 4270, November
2005.

Appendix A. ASN.1 Module

< MultipleSignatures
> MultipleSignatures-2008
{ iso(1) member-body(2) us(840) rsadsi(113549)
<   pkcs(1) pkcs-9(9) smime(16) modules(0) multisig(TBD) }
>   pkcs(1) pkcs-9(9) smime(16) modules(0)
>   id-mod-multipleSig-2008(34) }

DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- EXPORTS All
-- The types and values defined in this module are exported for use
-- in the other ASN.1 modules. Other applications may use them for
-- their own purposes.

IMPORTS

< -- Imports from RFC 3280 [PROFILE], Appendix A.1
< AlgorithmIdentifier
< FROM PKIX1Explicit88
<   { iso(1) identified-organization(3) dod(6)
<     internet(1) security(5) mechanisms(5) pkix(7)
<     mod(0) pkix1-explicit(18) }

-- Imports from RFC 3852 [CMS], 12.1
DigestAlgorithmIdentifier, SignatureAlgorithmIdentifier
FROM CryptographicMessageSyntax2004
  { iso(1) member-body(2) us(840) rsadsi(113549)
    pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) }

< -- Imports from RFC XXX [ESSCertID], Appendix A
> -- Imports from RFC 5035 [ESSCertID], Appendix A
ESSCertIDv2
FROM ExtendedSecurityServices-2006
  { iso(1) member-body(2) us(840) rsadsi(113549)
<   pkcs(1) pkcs-9(9) smime(16) modules(0) ess-2006(TBD) }
>   pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-ess-2006(30) }
;

-- Section 3.0

id-multipleSignatures OBJECT IDENTIFIER ::= { iso(1) member-body(2)
<   us(840) rsadsi(113549) pkcs(1) pkcs9(9) TBD }
>   us(840) rsadsi(113549) pkcs(1) pkcs9(9) id-aa(2) 51 }

MultipleSignatures ::= SEQUENCE {
<   bodyHashAlg DigestAlgorithIdentifier,
>   bodyHashAlg DigestAlgorithmIdentifier,
    signAlg SignatureAlgorithmIdentifier,
    signAttrsHash SignAttrsHash,
    cert ESSCertIDv2 OPTIONAL }

SignAttrsHash ::= SEQUENCE {
<   algID AlgorithmIdentifier,
>   algID DigestAlgorithmIdentifier,
    hash OCTET STRING }

< END - of MultipleSignatures
> END -- of MultipleSignatures-2008

Appendix B. Background

This is an informative appendix that looks at the locations of hashes
CMS and possible attacks against them.

B.1. Attacks

The following types of resistance against known attacks, see
[ATTACK], is needed:
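Review bot: the attribute OID is now inconsistent between Section 3 and Appendix A. Section 3 assigns id-aa-multipleSignatures the arc "pkcs(1) pkcs9(9) id-aa(16) 51", the module assigns id-multipleSignatures the arc "pkcs(1) pkcs9(9) id-aa(2) 51", and the two names differ as well. Every module OID on this page places the S/MIME arcs under "pkcs-9(9) smime(16) modules(0) ...", so the intended value is presumably "pkcs9(9) smime(16) id-aa(2) 51" with the "smime(16)" arc spelled out; whichever is correct, the value and the name should be made identical in both places before the TBDs are considered resolved. The other module changes are consistent with each other: switching algID to DigestAlgorithmIdentifier is what lets the PKIX AlgorithmIdentifier import go, and the ESS import now carries the published RFC 5035 module OID.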
skipping to change at page 18, line 8 (-03) / page 19, line 8 (-04)

unpredictable by using a random delay before issuing the signature.

Allowing a third party to provide a hash value could potentially make
attack simpler when keyed hash functions are used since there is more
data than can be modified without changing the overall structure of
the Signed Attribute structure.

Author's Addresses

Sean Turner
IECA, Inc.
< 3057 Nutley Street, Suite 106
< Fairfax, VA 22031
< USA
< Email: turners (at) ieca (dot) com
> Email: turners@ieca.com

Jim Schaad
Soaring Hawk Consulting
< Email: jimsch (at) exmsft (dot) com
> Email: jimsch@exmsft.com

Full Copyright Statement

< Copyright (C) The IETF Trust (2007).
> Copyright (C) The IETF Trust (2008).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF

skipping to change at page 19, line 42 (-03) / page 20, line 42 (-04)

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
< this standard. Please address the information to the IETF at ietf-
< ipr@ietf.org.
> this standard. Please address the information to the IETF at
> ietf-ipr@ietf.org.

Acknowledgment

Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
End of changes. 33 change blocks. 46 lines changed or deleted, 46 lines changed or added.
This html diff was produced by rfcdiff 1.34. The latest version is available from http://tools.ietf.org/tools/rfcdiff/