rfc3278.txt

RFC 的详细文档！

   bit string KeyAgreeRecipientInfo originator, with a value of the type
   ECPoint (see Section 8.2) encapsulated as a bit string.  The
   receiving agent performs the key agreement operation of the Elliptic
   Curve Diffie-Hellman Scheme specified in [SEC1, Section 6.1].  As a
   result, the receiving agent obtains a shared secret bit string "K",
   which is used as the pairwise key-encryption key to unwrap the CEK.

3.2  EnvelopedData using 1-Pass ECMQV

   This section describes how to use the 1-Pass elliptic curve MQV
   (ECMQV) key agreement algorithm with EnvelopedData.  ECMQV is
   specified in [SEC1] and [IEEE1363].  Like the KEA algorithm [CMS-
   KEA], 1-Pass ECMQV uses three key pairs: an ephemeral key pair, a
   static key pair of the sending agent, and a static key pair of the
   receiving agent.  An advantage of using 1-Pass ECMQV is that it can
   be used with both EnvelopedData and AuthenticatedData.

   In an implementation that uses 1-Pass ECMQV with CMS EnvelopedData
   with key agreement, the following techniques and formats MUST be
   used.

3.2.1  Fields of KeyAgreeRecipientInfo

   When using 1-Pass ECMQV with EnvelopedData, the fields of
   KeyAgreeRecipientInfo are:

      originator identifies the static EC public key of the sender.  It
      SHOULD be one of the alternatives, issuerAndSerialNumber or
      subjectKeyIdentifier, and point to one of the sending agent's
      certificates.

      ukm MUST be present.  The ukm field MUST contain an octet string
      which is the DER encoding of the type MQVuserKeyingMaterial (see
      Section 8.2).  The MQVuserKeyingMaterial ephemeralPublicKey



Blake-Wilson, et al.         Informational                      [Page 6]

RFC 3278              Use of ECC Algorithms in CMS            April 2002


      algorithm field MUST contain the id-ecPublicKey object identifier
      (see Section 8.1) with NULL parameters field.  The
      MQVuserKeyingMaterial ephemeralPublicKey publicKey field MUST
      contain the DER-encoding of the ASN.1 type ECPoint (see Section
      8.2) representing sending agent's ephemeral EC public key.  The
      MQVuserKeyingMaterial addedukm field, if present, SHOULD contain
      an octet string of additional user keying material of the sending
      agent.

      keyEncryptionAlgorithm MUST be the mqvSinglePass-sha1kdf-scheme
      algorithm identifier (see Section 8.1), with the parameters field
      KeyWrapAlgorithm. The KeyWrapAlgorithm indicates the symmetric
      encryption algorithm used to encrypt the CEK with the KEK
      generated using the 1-Pass ECMQV algorithm.

3.2.2  Actions of the sending agent

   When using 1-Pass ECMQV with EnvelopedData, the sending agent first
   obtains the recipient's EC public key and domain parameters, (e.g.
   from the recipient's certificate) and checks that the domain
   parameters are the same.  The sending agent then determines an
   integer "keydatalen", which is the KeyWrapAlgorithm symmetric key-
   size in bits, and also a bit string "SharedInfo", which is the DER
   encoding of ECC-CMS-SharedInfo (see Section 8.2).  The sending agent
   then performs the key deployment and key agreement operations of the
   Elliptic Curve MQV Scheme specified in [SEC1, Section 6.2].  As a
   result, the sending agent obtains:

      -  an ephemeral public key, which is represented as a value of
         type ECPoint (see Section 8.2), encapsulated in a bit string,
         placed in an MQVuserKeyingMaterial ephemeralPublicKey publicKey
         field (see Section 8.2), and

      -  a shared secret bit string "K", which is used as the pairwise
         key-encryption key for that recipient, as specified in [CMS].

   The ephemeral public key can be re-used with an AuthenticatedData for
   greater efficiency.

3.2.3  Actions of the receiving agent

   When using 1-Pass ECMQV with EnvelopedData, the receiving agent
   determines the bit string "SharedInfo", which is the DER encoding of
   ECC-CMS-SharedInfo (see Section 8.2), and the integer "keydatalen"
   from the key-size, in bits, of the KeyWrapAlgorithm.  The receiving
   agent then retrieves the static and ephemeral EC public keys of the
   originator, from the originator and ukm fields as described in
   Section 3.2.1, and its static EC public key identified in the rid



Blake-Wilson, et al.         Informational                      [Page 7]

RFC 3278              Use of ECC Algorithms in CMS            April 2002


   field and checks that the domain parameters are the same.  The
   receiving agent then performs the key agreement operation of the
   Elliptic Curve MQV Scheme [SEC1, Section 6.2].  As a result, the
   receiving agent obtains a shared secret bit string "K" which is used
   as the pairwise key-encryption key to unwrap the CEK.

4  AuthenticatedData using ECC

   This section describes how to use ECC algorithms with the CMS
   AuthenticatedData format.  AuthenticatedData lacks non-repudiation,
   and so in some instances is preferable to SignedData.  (For example,
   the sending agent might not want the message to be authenticated when
   forwarded.)

4.1  AuthenticatedData using 1-pass ECMQV

   This section describes how to use the 1-Pass elliptic curve MQV
   (ECMQV) key agreement algorithm with AuthenticatedData.  ECMQV is
   specified in [SEC1].  An advantage of using 1-Pass ECMQV is that it
   can be used with both EnvelopedData and AuthenticatedData.

4.1.1  Fields of the KeyAgreeRecipientInfo

   The AuthenticatedData KeyAgreeRecipientInfo fields are used in the
   same manner as the fields for the corresponding EnvelopedData
   KeyAgreeRecipientInfo fields of Section 3.2.1 of this document.

4.1.2  Actions of the sending agent

   The sending agent uses the same actions as for EnvelopedData with 1-
   Pass ECMQV, as specified in Section 3.2.2 of this document.

   The ephemeral public key can be re-used with an EnvelopedData for
   greater efficiency.

   Note: if there are multiple recipients, an attack is possible where
   one recipient modifies the content without other recipients noticing
   [BON].  A sending agent who is concerned with such an attack SHOULD
   use a separate AuthenticatedData for each recipient.

4.1.3  Actions of the receiving agent

   The receiving agent uses the same actions as for EnvelopedData with
   1-Pass ECMQV, as specified in Section 3.2.3 of this document.

   Note: see Note in Section 4.1.2.





Blake-Wilson, et al.         Informational                      [Page 8]

RFC 3278              Use of ECC Algorithms in CMS            April 2002


5  Recommended Algorithms and Elliptic Curves

   Implementations of this specification MUST implement either
   SignedData with ECDSA or EnvelopedData with ephemeral-static ECDH.
   Implementations of this specification SHOULD implement both
   SignedData with ECDSA and EnvelopedData with ephemeral-static ECDH.
   Implementations MAY implement the other techniques specified, such as
   AuthenticatedData and 1-Pass ECMQV.

   Furthermore, in order to encourage interoperability, implementations
   SHOULD use the elliptic curve domain parameters specified by ANSI
   [X9.62], NIST [FIPS-186-2] and SECG [SEC2].

6  Certificates using ECC

   Internet X.509 certificates [PKI] can be used in conjunction with
   this specification to distribute agents' public keys.  The use of ECC
   algorithms and keys within X.509 certificates is specified in [PKI-
   ALG].

7  SMIMECapabilities Attribute and ECC

   A sending agent MAY announce to receiving agents that it supports one
   or more of the ECC algorithms in this document by using the
   SMIMECapabilities signed attribute [MSG, Section 2.5.2].

   The SMIMECapability value to indicate support for the ECDSA signature
   algorithm is the SEQUENCE with the capabilityID field containing the
   object identifier ecdsa-with-SHA1 with NULL parameters.  The DER
   encoding is:

      30 0b 06 07  2a 86 48 ce   3d 04 01 05  00

   The SMIMECapability capabilityID object identifiers for the supported
   key agreement algorithms in this document are dhSinglePass-stdDH-
   sha1kdf-scheme, dhSinglePass-cofactorDH-sha1kdf-scheme, and
   mqvSinglePass-sha1kdf-scheme.  For each of these SMIMECapability
   SEQUENCEs, the parameters field is present and indicates the
   supported key-encryption algorithm with the KeyWrapAlgorithm
   algorithm identifier.  The DER encodings that indicate capability of
   the three key agreement algorithms with CMS Triple-DES key wrap are:

      30 1c 06 09  2b 81 05 10   86 48 3f 00  02 30 0f 06
      0b 2a 86 48  86 f7 0d 01   09 10 03 06  05 00

   for ephemeral-static ECDH,





Blake-Wilson, et al.         Informational                      [Page 9]

RFC 3278              Use of ECC Algorithms in CMS            April 2002


      30 1c 06 09  2b 81 05 10   86 48 3f 00  03 30 0f 06
      0b 2a 86 48  86 f7 0d 01   09 10 03 06  05 00

   for ephemeral-static ECDH with cofactor method, and

      30 1c 06 09  2b 81 05 10   86 48 3f 00  10 30 0f 06
      0b 2a 86 48  86 f7 0d 01   09 10 03 06  05 00

   for ECMQV.

8  ASN.1 Syntax

   The ASN.1 syntax used in this document is gathered in this section
   for reference purposes.

8.1  Algorithm identifiers

   The algorithm identifiers used in this document are taken from
   [X9.62], [SEC1] and [SEC2].

   The following object identifier indicates the hash algorithm used in
   this document:

      sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
         oiw(14) secsig(3) algorithm(2) 26 }

   The following object identifier is used in this document to indicate
   an elliptic curve public key:

      id-ecPublicKey OBJECT IDENTIFIER ::= { ansi-x9-62 keyType(2) 1 }

   where

      ansi-x9-62 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
        10045 }

   When the object identifier id-ecPublicKey is used here with an
   algorithm identifier, the associated parameters contain NULL.

   The following object identifier indicates the digital signature
   algorithm used in this document:

      ecdsa-with-SHA1 OBJECT IDENTIFIER ::= { ansi-x9-62 signatures(4)
         1 }







Blake-Wilson, et al.         Informational                     [Page 10]

RFC 3278              Use of ECC Algorithms in CMS            April 2002


   When the object identifier ecdsa-with-SHA1 is used within an
   algorithm identifier, the associated parameters field contains NULL.

   The following object identifiers indicate the key agreement
   algorithms used in this document:

      dhSinglePass-stdDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
         x9-63-scheme 2}

      dhSinglePass-cofactorDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
         x9-63-scheme 3}

      mqvSinglePass-sha1kdf-scheme OBJECT IDENTIFIER ::= {
         x9-63-scheme 16}

   where

      x9-63-scheme OBJECT IDENTIFIER ::= { iso(1)
         identified-organization(3) tc68(133) country(16) x9(840)
         x9-63(63) schemes(0) }

   When the object identifiers are used here within an algorithm
   identifier, the associated parameters field contains the CMS
   KeyWrapAlgorithm algorithm identifier.

8.2  Other syntax

   The following additional syntax is used here.

   When using ECDSA with SignedData, ECDSA signatures are encoded using
   the type:

      ECDSA-Sig-Value ::= SEQUENCE {
         r INTEGER,