📄 rfc3156.txt
字号:
Network Working Group M. Elkins
Request for Comments: 3156 Network Associates, Inc.
Updates: 2015 D. Del Torto
Category: Standards Track CryptoRights Foundation
R. Levien
University of California at Berkeley
T. Roessler
August 2001
MIME Security with OpenPGP
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
This document describes how the OpenPGP Message Format can be used to
provide privacy and authentication using the Multipurpose Internet
Mail Extensions (MIME) security content types described in RFC 1847.
1. Introduction
Work on integrating PGP (Pretty Good Privacy) with MIME [3]
(including the since withdrawn "application/pgp" content type) prior
to RFC 2015 suffered from a number of problems, the most significant
of which is the inability to recover signed message bodies without
parsing data structures specific to PGP. RFC 2015 makes use of the
elegant solution proposed in RFC 1847, which defines security
multipart formats for MIME. The security multiparts clearly separate
the signed message body from the signature, and have a number of
other desirable properties. This document revises RFC 2015 to adopt
the integration of PGP and MIME to the needs which emerged during the
work on the OpenPGP specification.
This document defines three content types for implementing security
and privacy with OpenPGP: "application/pgp-encrypted",
"application/pgp-signature" and "application/pgp-keys".
Elkins, et al. Standards Track [Page 1]
RFC 3156 MIME Security with OpenPGP August 2001
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
2. OpenPGP data formats
OpenPGP implementations can generate either ASCII armor (described in
[1]) or 8-bit binary output when encrypting data, generating a
digital signature, or extracting public key data. The ASCII armor
output is the REQUIRED method for data transfer. This allows those
users who do not have the means to interpret the formats described in
this document to be able to extract and use the OpenPGP information
in the message.
When the amount of data to be transmitted requires that it be sent in
many parts, the MIME message/partial mechanism SHOULD be used rather
than the multi-part ASCII armor OpenPGP format.
3. Content-Transfer-Encoding restrictions
Multipart/signed and multipart/encrypted are to be treated by agents
as opaque, meaning that the data is not to be altered in any way [2],
[7]. However, many existing mail gateways will detect if the next
hop does not support MIME or 8-bit data and perform conversion to
either Quoted-Printable or Base64. This presents serious problems
for multipart/signed, in particular, where the signature is
invalidated when such an operation occurs. For this reason all data
signed according to this protocol MUST be constrained to 7 bits (8-
bit data MUST be encoded using either Quoted-Printable or Base64).
Note that this also includes the case where a signed object is also
encrypted (see section 6). This restriction will increase the
likelihood that the signature will be valid upon receipt.
Additionally, implementations MUST make sure that no trailing
whitespace is present after the MIME encoding has been applied.
Note: In most cases, trailing whitespace can either be removed, or
protected by applying an appropriate content-transfer-encoding.
However, special care must be taken when any header lines - either
in MIME entity headers, or in embedded RFC 822 headers - are
present which only consist of whitespace: Such lines must be
removed entirely, since replacing them by empty lines would turn
them into header delimiters, and change the semantics of the
message. The restrictions on whitespace are necessary in order to
make the hash calculated invariant under the text and binary mode
signature mechanisms provided by OpenPGP [1]. Also, they help to
avoid compatibility problems with PGP implementations which
predate the OpenPGP specification.
Elkins, et al. Standards Track [Page 2]
RFC 3156 MIME Security with OpenPGP August 2001
Note: If any line begins with the string "From ", it is strongly
suggested that either the Quoted-Printable or Base64 MIME encoding
be applied. If Quoted-Printable is used, at least one of the
characters in the string should be encoded using the hexadecimal
coding rule. This is because many mail transfer and delivery
agents treat "From " (the word "from" followed immediately by a
space character) as the start of a new message and thus insert a
right angle-bracket (>) in front of any line beginning with
"From " to distinguish this case, invalidating the signature.
Data that is ONLY to be encrypted is allowed to contain 8-bit
characters and trailing whitespace and therefore need not undergo the
conversion to a 7bit format, and the stripping of whitespace.
Implementor's note: It cannot be stressed enough that applications
using this standard follow MIME's suggestion that you "be
conservative in what you generate, and liberal in what you
accept." In this particular case it means it would be wise for an
implementation to accept messages with any content-transfer-
encoding, but restrict generation to the 7-bit format required by
this memo. This will allow future compatibility in the event the
Internet SMTP framework becomes 8-bit friendly.
4. OpenPGP encrypted data
Before OpenPGP encryption, the data is written in MIME canonical
format (body and headers).
OpenPGP encrypted data is denoted by the "multipart/encrypted"
content type, described in [2], and MUST have a "protocol" parameter
value of "application/pgp-encrypted". Note that the value of the
parameter MUST be enclosed in quotes.
The multipart/encrypted MIME body MUST consist of exactly two body
parts, the first with content type "application/pgp-encrypted". This
body contains the control information. A message complying with this
standard MUST contain a "Version: 1" field in this body. Since the
OpenPGP packet format contains all other information necessary for
decrypting, no other information is required here.
The second MIME body part MUST contain the actual encrypted data. It
MUST be labeled with a content type of "application/octet-stream".
Example message:
From: Michael Elkins <elkins@aero.org>
To: Michael Elkins <elkins@aero.org>
Mime-Version: 1.0
Elkins, et al. Standards Track [Page 3]
RFC 3156 MIME Security with OpenPGP August 2001
Content-Type: multipart/encrypted; boundary=foo;
protocol="application/pgp-encrypted"
--foo
Content-Type: application/pgp-encrypted
Version: 1
--foo
Content-Type: application/octet-stream
-----BEGIN PGP MESSAGE-----
Version: 2.6.2
hIwDY32hYGCE8MkBA/wOu7d45aUxF4Q0RKJprD3v5Z9K1YcRJ2fve87lMlDlx4Oj
eW4GDdBfLbJE7VUpp13N19GL8e/AqbyyjHH4aS0YoTk10QQ9nnRvjY8nZL3MPXSZ
g9VGQxFeGqzykzmykU6A26MSMexR4ApeeON6xzZWfo+0yOqAq6lb46wsvldZ96YA
AABH78hyX7YX4uT1tNCWEIIBoqqvCeIMpp7UQ2IzBrXg6GtukS8NxbukLeamqVW3
1yt21DYOjuLzcMNe/JNsD9vDVCvOOG3OCi8=
=zzaA
-----END PGP MESSAGE-----
--foo--
5. OpenPGP signed data
OpenPGP signed messages are denoted by the "multipart/signed" content
type, described in [2], with a "protocol" parameter which MUST have a
value of "application/pgp-signature" (MUST be quoted).
The "micalg" parameter for the "application/pgp-signature" protocol
MUST contain exactly one hash-symbol of the format "pgp-<hash-
identifier>", where <hash-identifier> identifies the Message
Integrity Check (MIC) algorithm used to generate the signature.
Hash-symbols are constructed from the text names registered in [1] or
according to the mechanism defined in that document by converting the
text name to lower case and prefixing it with the four characters
"pgp-".
Currently defined values are "pgp-md5", "pgp-sha1", "pgp-ripemd160",
"pgp-md2", "pgp-tiger192", and "pgp-haval-5-160".
The multipart/signed body MUST consist of exactly two parts. The
first part contains the signed data in MIME canonical format,
including a set of appropriate content headers describing the data.
The second body MUST contain the OpenPGP digital signature. It MUST
be labeled with a content type of "application/pgp-signature".
Elkins, et al. Standards Track [Page 4]
RFC 3156 MIME Security with OpenPGP August 2001
Note: Implementations can either generate "signatures of a
canonical text document" or "signatures of a binary document", as
defined in [1]. The restrictions on the signed material put forth
in section 3 and in this section will make sure that the various
MIC algorithm variants specified in [1] and [5] will all produce
the same result.
When the OpenPGP digital signature is generated:
(1) The data to be signed MUST first be converted to its content-
type specific canonical form. For text/plain, this means
conversion to an appropriate character set and conversion of
line endings to the canonical <CR><LF> sequence.
(2) An appropriate Content-Transfer-Encoding is then applied; see
section 3. In particular, line endings in the encoded data
MUST use the canonical <CR><LF> sequence where appropriate
(note that the canonical line ending may or may not be present
on the last line of encoded data and MUST NOT be included in
the signature if absent).
(3) MIME content headers are then added to the body, each ending
with the canonical <CR><LF> sequence.
(4) As described in section 3 of this document, any trailing
whitespace MUST then be removed from the signed material.
(5) As described in [2], the digital signature MUST be calculated
over both the data to be signed and its set of content headers.
(6) The signature MUST be generated detached from the signed data
so that the process does not alter the signed data in any way.
Note: The accepted OpenPGP convention is for signed data to end
with a <CR><LF> sequence. Note that the <CR><LF> sequence
immediately preceding a MIME boundary delimiter line is considered
to be part of the delimiter in [3], 5.1. Thus, it is not part of
the signed data preceding the delimiter line. An implementation
which elects to adhere to the OpenPGP convention has to make sure
it inserts a <CR><LF> pair on the last line of the data to be
signed and transmitted (signed message and transmitted message
MUST be identical).
Example message:
From: Michael Elkins <elkins@aero.org>
To: Michael Elkins <elkins@aero.org>
Mime-Version: 1.0
Elkins, et al. Standards Track [Page 5]
RFC 3156 MIME Security with OpenPGP August 2001
Content-Type: multipart/signed; boundary=bar; micalg=pgp-md5;
protocol="application/pgp-signature"
--bar
& Content-Type: text/plain; charset=iso-8859-1
& Content-Transfer-Encoding: quoted-printable
&
& =A1Hola!
&
& Did you know that talking to yourself is a sign of senility?
&
& It's generally a good idea to encode lines that begin with
& From=20because some mail transport agents will insert a greater-
& than (>) sign, thus invalidating the signature.
&
& Also, in some cases it might be desirable to encode any =20
& trailing whitespace that occurs on lines in order to ensure =20
& that the message signature is not invalidated when passing =20
& a gateway that modifies such whitespace (like BITNET). =20
&
& me
--bar
Content-Type: application/pgp-signature
-----BEGIN PGP MESSAGE-----
Version: 2.6.2
iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC//
jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq
uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn
HOxEa44b+EI=
=ndaj
-----END PGP MESSAGE-----
--bar--
The "&"s in the previous example indicate the portion of the data
over which the signature was calculated.
Upon receipt of a signed message, an application MUST:
(1) Convert line endings to the canonical <CR><LF> sequence before
the signature can be verified. This is necessary since the
local MTA may have converted to a local end of line convention.
Elkins, et al. Standards Track [Page 6]
RFC 3156 MIME Security with OpenPGP August 2001
(2) Pass both the signed data and its associated content headers
along with the OpenPGP signature to the signature verification
service.
6. Encrypted and Signed Data
Sometimes it is desirable to both digitally sign and then encrypt a
message to be sent. This protocol allows for two methods of
accomplishing this task.
6.1. RFC 1847 Encapsulation
In [2], it is stated that the data is first signed as a
multipart/signature body, and then encrypted to form the final
multipart/encrypted body. This is most useful for standard MIME-
compliant message forwarding.
Example:
Content-Type: multipart/encrypted;
protocol="application/pgp-encrypted"; boundary=foo
--foo
Content-Type: application/pgp-encrypted
Version: 1
--foo
Content-Type: application/octet-stream
-----BEGIN PGP MESSAGE-----
& Content-Type: multipart/signed; micalg=pgp-md5
& protocol="application/pgp-signature"; boundary=bar
&
& --bar
& Content-Type: text/plain; charset=us-ascii
&
& This message was first signed, and then encrypted.
&
& --bar
& Content-Type: application/pgp-signature
&
& -----BEGIN PGP MESSAGE-----
& Version: 2.6.2
&
& iQCVAwUBMJrRF2N9oWBghPDJAQE9UQQAtl7LuRVndBjrk4EqYBIb3h5QXIX/LC//
& jJV5bNvkZIGPIcEmI5iFd9boEgvpirHtIREEqLQRkYNoBActFBZmh9GC3C041WGq
& uMbrbxc+nIs1TIKlA08rVi9ig/2Yh7LFrK5Ein57U/W72vgSxLhe/zhdfolT9Brn
Elkins, et al. Standards Track [Page 7]
RFC 3156 MIME Security with OpenPGP August 2001
& HOxEa44b+EI=
& =ndaj
& -----END PGP MESSAGE-----
&
& --bar--
-----END PGP MESSAGE-----
--foo--
(The text preceded by '&' indicates that it is really encrypted, but
presented as text for clarity.)
6.2. Combined method
The OpenPGP packet format [1] describes a method for signing and
encrypting data in a single OpenPGP message. This method is allowed
in order to reduce processing overhead and increase compatibility
with non-MIME implementations of OpenPGP. The resulting data is
formatted as a "multipart/encrypted" object as described in Section
4.
Messages which are encrypted and signed in this combined fashion are
REQUIRED to follow the same canonicalization rules as
multipart/signed objects.
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -