Network Working Group S. Blake-Wilson
Request for Comments: 3278 D. Brown
Category: Informational Certicom Corp
P. Lambert
Cosine Communications
April 2002
Use of Elliptic Curve Cryptography (ECC) Algorithms
in Cryptographic Message Syntax (CMS)
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This document describes how to use Elliptic Curve Cryptography (ECC)
public-key algorithms in the Cryptographic Message Syntax (CMS). The
ECC algorithms support the creation of digital signatures and the
exchange of keys to encrypt or authenticate content. The definition
of the algorithm processing is based on the ANSI X9.62 standard,
developed by the ANSI X9F1 working group, the IEEE 1363 standard, and
the SEC 1 standard.
The reader's attention is called to the Intellectual Property Rights
section at the end of this document.
Blake-Wilson, et al. Informational [Page 1]
RFC 3278 Use of ECC Algorithms in CMS April 2002
Table of Contents
1 Introduction
1.1 Requirements terminology
2 SignedData using ECC
2.1 SignedData using ECDSA
2.1.1 Fields of the SignedData
2.1.2 Actions of the sending agent
2.1.3 Actions of the receiving agent
3 EnvelopedData using ECC
3.1 EnvelopedData using ECDH
3.1.1 Fields of KeyAgreeRecipientInfo
3.1.2 Actions of the sending agent
3.1.3 Actions of the receiving agent
3.2 EnvelopedData using 1-Pass ECMQV
3.2.1 Fields of KeyAgreeRecipientInfo
3.2.2 Actions of the sending agent
3.2.3 Actions of the receiving agent
4 AuthenticatedData using ECC
4.1 AuthenticatedData using 1-pass ECMQV
4.1.1 Fields of KeyAgreeRecipientInfo
4.1.2 Actions of the sending agent
4.1.3 Actions of the receiving agent
5 Recommended Algorithms and Elliptic Curves
6 Certificates using ECC
7 SMIMECapabilities Attribute and ECC
8 ASN.1 Syntax
8.1 Algorithm identifiers
8.2 Other syntax
9 Summary
References
Security Considerations
Intellectual Property Rights
Acknowledgments
Authors' Addresses
Full Copyright Statement
1 Introduction
The Cryptographic Message Syntax (CMS) is cryptographic algorithm
independent. This specification defines a profile for the use of
Elliptic Curve Cryptography (ECC) public key algorithms in the CMS.
The ECC algorithms are incorporated into the following CMS content
types:
- 'SignedData' to support ECC-based digital signature methods
(ECDSA) to sign content
- 'EnvelopedData' to support ECC-based public-key agreement
methods (ECDH and ECMQV) to generate pairwise key-encryption
keys to encrypt content-encryption keys used for content
encryption
- 'AuthenticatedData' to support ECC-based public-key agreement
methods (ECMQV) to generate pairwise key-encryption keys to
encrypt MAC keys used for content authentication and integrity
Certification of EC public keys is also described to provide public-
key distribution in support of the specified techniques.
1.1 Requirements terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119
[MUST].
2 SignedData using ECC
This section describes how to use ECC algorithms with the CMS
SignedData format to sign data.
2.1 SignedData using ECDSA
This section describes how to use the Elliptic Curve Digital
Signature Algorithm (ECDSA) with SignedData. ECDSA is specified in
[X9.62]. The method is the elliptic curve analog of the Digital
Signature Algorithm (DSA) [FIPS 186-2].
In an implementation that uses ECDSA with CMS SignedData, the
following techniques and formats MUST be used.
2.1.1 Fields of the SignedData
When using ECDSA with SignedData, the fields of SignerInfo are as in
[CMS], but with the following restrictions:
digestAlgorithm MUST contain the algorithm identifier sha-1 (see
Section 8.1) which identifies the SHA-1 hash algorithm.
signatureAlgorithm contains the algorithm identifier ecdsa-with-
SHA1 (see Section 8.1) which identifies the ECDSA signature
algorithm.
signature MUST contain the DER encoding (as an octet string) of a
value of the ASN.1 type ECDSA-Sig-Value (see Section 8.2).
When using ECDSA, the SignedData certificates field MAY include the
certificate(s) for the EC public key(s) used in the generation of the
ECDSA signatures in SignedData. ECC certificates are discussed in
Section 6.
2.1.2 Actions of the sending agent
When using ECDSA with SignedData, the sending agent uses the message
digest calculation process and signature generation process for
SignedData that are specified in [CMS]. To sign data, the sending
agent uses the signature method specified in [X9.62, Section 5.3]
with the following exceptions:
- In [X9.62, Section 5.3.1], the integer "e" is instead
determined by converting the message digest generated according
to [CMS, Section 5.4] to an integer using the data conversion
method in [X9.62, Section 4.3.2].
The sending agent encodes the resulting signature using the ECDSA-
Sig-Value syntax (see Section 8.2) and places it in the SignerInfo
signature field.
2.1.3 Actions of the receiving agent
When using ECDSA with SignedData, the receiving agent uses the
message digest calculation process and signature verification process
for SignedData that are specified in [CMS]. To verify SignedData,
the receiving agent uses the signature verification method specified
in [X9.62, Section 5.4] with the following exceptions:
- In [X9.62, Section 5.4.1] the integer "e'" is instead
determined by converting the message digest generated according
to [CMS, Section 5.4] to an integer using the data conversion
method in [X9.62, Section 4.3.2].
In order to verify the signature, the receiving agent retrieves the
integers r and s from the SignerInfo signature field of the received
message.
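As an added example (not part of the RFC text), the Python sketch below covers the encoding steps of Sections 2.1.2 and 2.1.3: converting the CMS message digest to the integer e, DER-encoding the signature as ECDSA-Sig-Value, and strictly parsing it back to r and s on receipt. It assumes ECDSA-Sig-Value is the SEQUENCE of two INTEGERs r and s from Section 8.2 and uses the NIST P-256 group order for the range check; the function names and the curve are illustrative assumptions.

```python
# Order n of NIST P-256; the curve is an assumption made for this example.
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
def digest_to_e(digest: bytes) -> int:
    # Big-endian octet-string-to-integer conversion of the CMS message digest.
    return int.from_bytes(digest, "big")

def _len(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body

def _int(x: int) -> bytes:
    body = x.to_bytes(x.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
    return b"\x02" + _len(len(body)) + body

def encode_sig(r: int, s: int) -> bytes:
    body = _int(r) + _int(s)
    return b"\x30" + _len(len(body)) + body

def _tlv(buf: bytes, pos: int, tag: int):  # strict DER: one TLV, minimal length only
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated input")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        k = length & 0x7F
        if k == 0 or pos + k > len(buf) or buf[pos] == 0:
            raise ValueError("non-DER length")
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if length < 0x80:
            raise ValueError("non-minimal length")
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + length], pos + length

def _uint(buf: bytes, pos: int):
    body, pos = _tlv(buf, pos, 0x02)
    if not body or body[0] & 0x80 or (len(body) > 1 and body[0] == 0 and body[1] < 0x80):
        raise ValueError("INTEGER is empty, negative or not minimally encoded")
    return int.from_bytes(body, "big"), pos

def decode_sig(der: bytes, n: int = N):
    # Receiving agent: recover (r, s) from the SignerInfo signature octets.
    seq, end = _tlv(der, 0, 0x30)
    r, pos = _uint(seq, 0)
    s, pos = _uint(seq, pos)
    if end != len(der) or pos != len(seq):
        raise ValueError("trailing bytes")
    if not (1 <= r < n and 1 <= s < n):
        raise ValueError("r or s outside [1, n-1]")
    return r, s
```

Rejecting padded or otherwise non-DER encodings means each (r, s) pair has exactly one accepted octet string, so signature octets can be compared or logged without ambiguity.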
3 EnvelopedData using ECC Algorithms
This section describes how to use ECC algorithms with the CMS
EnvelopedData format.
3.1 EnvelopedData using (ephemeral-static) ECDH
This section describes how to use the ephemeral-static Elliptic Curve
Diffie-Hellman (ECDH) key agreement algorithm with EnvelopedData.
Ephemeral-static ECDH is specified in [SEC1] and [IEEE1363].
Ephemeral-static ECDH is the elliptic curve analog of the
ephemeral-static Diffie-Hellman key agreement algorithm specified
jointly in the documents [CMS, Section 12.3.1.1] and [CMS-DH].
In an implementation that uses ECDH with CMS EnvelopedData with key
agreement, the following techniques and formats MUST be used.
3.1.1 Fields of KeyAgreeRecipientInfo
When using ephemeral-static ECDH with EnvelopedData, the fields of
KeyAgreeRecipientInfo are as in [CMS], but with the following
restrictions:
originator MUST be the alternative originatorKey. The
originatorKey algorithm field MUST contain the id-ecPublicKey
object identifier (see Section 8.1) with NULL parameters. The
originatorKey publicKey field MUST contain the DER-encoding of a
value of the ASN.1 type ECPoint (see Section 8.2), which
represents the sending agent's ephemeral EC public key.
keyEncryptionAlgorithm MUST contain the dhSinglePass-stdDH-
sha1kdf-scheme object identifier (see Section 8.1) if standard
ECDH primitive is used, or the dhSinglePass-cofactorDH-sha1kdf-
scheme object identifier (see Section 8.1) if the cofactor ECDH
primitive is used. The parameters field contains
KeyWrapAlgorithm. The KeyWrapAlgorithm is the algorithm
identifier that indicates the symmetric encryption algorithm used
to encrypt the content-encryption key (CEK) with the key-
encryption key (KEK).
3.1.2 Actions of the sending agent
When using ephemeral-static ECDH with EnvelopedData, the sending
agent first obtains the recipient's EC public key and domain
parameters (e.g. from the recipient's certificate). The sending
agent then determines an integer "keydatalen", which is the
KeyWrapAlgorithm symmetric key-size in bits, and also a bit string
"SharedInfo", which is the DER encoding of ECC-CMS-SharedInfo (see
Section 8.2). The sending agent then performs the key deployment and
the key agreement operation of the Elliptic Curve Diffie-Hellman
Scheme specified in [SEC1, Section 6.1]. As a result the sending
agent obtains:
- an ephemeral public key, which is represented as a value of the
type ECPoint (see Section 8.2), encapsulated in a bit string
and placed in the KeyAgreeRecipientInfo originator field, and
- a shared secret bit string "K", which is used as the pairwise
key-encryption key for that recipient, as specified in [CMS].
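The derivation of "K" from "keydatalen" and "SharedInfo" can be sketched as follows; this is an added example, not code from the RFC. It assumes the SHA-1 based ANSI X9.63 key derivation function of [SEC1], the ECC-CMS-SharedInfo layout of Section 8.2 (keyInfo, optional [0] entityUInfo, [2] suppPubInfo carrying keydatalen as a 32-bit integer), Triple-DES key wrap as the KeyWrapAlgorithm, and a constructed byte string standing in for the ECDH shared value Z; all function names are illustrative.

```python
import hashlib

# AlgorithmIdentifier for id-alg-CMS3DESwrap (1.2.840.113549.1.9.16.3.6) with
# NULL parameters; picking Triple-DES key wrap is an assumption of this example.
WRAP_3DES = bytes.fromhex("300f060b2a864886f70d0109100306" "0500")

def _tlv(tag: int, body: bytes) -> bytes:
    if len(body) >= 0x80:
        raise ValueError("example handles short-form DER lengths only")
    return bytes([tag, len(body)]) + body

def shared_info(key_info: bytes, keydatalen: int, ukm: bytes = b"") -> bytes:
    """DER of ECC-CMS-SharedInfo: keyInfo, [0] entityUInfo (if any), [2] suppPubInfo."""
    body = key_info
    if ukm:
        body += _tlv(0xA0, _tlv(0x04, ukm))
    body += _tlv(0xA2, _tlv(0x04, keydatalen.to_bytes(4, "big")))
    return _tlv(0x30, body)

def x963_kdf_sha1(z: bytes, keydatalen: int, info: bytes) -> bytes:
    """K = SHA1(Z || 00000001 || info) || SHA1(Z || 00000002 || info) || ..."""
    if keydatalen <= 0 or keydatalen % 8:
        raise ValueError("keydatalen must be a positive multiple of 8 bits")
    out, counter = b"", 1
    while len(out) * 8 < keydatalen:
        out += hashlib.sha1(z + counter.to_bytes(4, "big") + info).digest()
        counter += 1
    return out[: keydatalen // 8]

def derive_kek(z: bytes, key_info: bytes, keydatalen: int, ukm: bytes = b"") -> bytes:
    # Both agents run this with the same inputs and obtain the same KEK.
    return x963_kdf_sha1(z, keydatalen, shared_info(key_info, keydatalen, ukm))

if __name__ == "__main__":
    z = bytes(range(32))  # constructed stand-in for the ECDH shared value Z
    print(derive_kek(z, WRAP_3DES, 192).hex())
```

Because the key-wrap algorithm identifier and the key length are hashed into every block, the same Z yields unrelated KEKs for different wrap algorithms or key sizes.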
3.1.3 Actions of the receiving agent
When using ephemeral-static ECDH with EnvelopedData, the receiving
agent determines the bit string "SharedInfo", which is the DER
encoding of ECC-CMS-SharedInfo (see Section 8.2), and the integer
"keydatalen" from the key-size, in bits, of the KeyWrapAlgorithm.
The receiving agent retrieves the ephemeral EC public key from the