📄 rfc3370.txt
字号:
Network Working Group R. Housley
Request for Comments: 3370 RSA Laboratories
Obsoletes: 2630, 3211 August 2002
Category: Standards Track
Cryptographic Message Syntax (CMS) Algorithms
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This document describes the conventions for using several
cryptographic algorithms with the Cryptographic Message Syntax (CMS).
The CMS is used to digitally sign, digest, authenticate, or encrypt
arbitrary message contents.
Table of Contents
1 Introduction ............................................... 2
1.1 Changes Since RFC 2630 ..................................... 2
1.2 Terminology ................................................ 2
2 Message Digest Algorithms .................................. 3
2.1 SHA-1 ...................................................... 3
2.2 MD5 ........................................................ 3
3 Signature Algorithms ....................................... 4
3.1 DSA ........................................................ 4
3.2 RSA ........................................................ 5
4 Key Management Algorithms .................................. 6
4.1 Key Agreement Algorithms ................................... 6
4.1.1 X9.42 Ephemeral-Static Diffie-Hellman ...................... 7
4.1.2 X9.42 Static-Static Diffie-Hellman ......................... 8
4.2 Key Transport Algorithms ................................... 9
4.2.1 RSA (PKCS #1 v1.5) ......................................... 10
4.3 Symmetric Key-Encryption Key Algorithms .................... 10
4.3.1 Triple-DES Key Wrap ........................................ 11
4.3.2 RC2 Key Wrap ............................................... 12
4.4 Key Derivation Algorithms .................................. 12
Housley Standards Track [Page 1]
RFC 3370 CMS Algorithms August 2002
4.4.1 PBKDF2 ..................................................... 13
5 Content Encryption Algorithms .............................. 13
5.1 Triple-DES CBC ............................................. 14
5.2 RC2 CBC .................................................... 14
6 Message Authentication Code (MAC) Algorithms ............... 15
6.1 HMAC with SHA-1 ............................................ 15
7 ASN.1 Module ............................................... 16
8 References ................................................. 18
9 Security Considerations .................................... 20
10 Acknowledgments ............................................ 22
11 Author's Address ........................................... 23
12 Full Copyright Statement ................................... 24
1 Introduction
The Cryptographic Message Syntax (CMS) [CMS] is used to digitally
sign, digest, authenticate, or encrypt arbitrary message contents.
This companion specification describes the use of common
cryptographic algorithms with the CMS. Implementations of the CMS
may support these algorithms; implementations of the CMS may also
support other algorithms as well. However, if an implementation
chooses to support one of the algorithms discussed in this document,
then the implementation MUST do so as described in this document.
The CMS values are generated using ASN.1 [X.208-88], using BER-
encoding [X.209-88]. Algorithm identifiers (which include ASN.1
object identifiers) identify cryptographic algorithms, and some
algorithms require additional parameters. When needed, parameters
are specified with an ASN.1 structure. The algorithm identifier for
each algorithm is specified, and when needed, the parameter structure
is specified. The fields in the CMS employed by each algorithm are
identified.
1.1 Changes Since RFC 2630
This document obsoletes section 12 of RFC 2630 [OLDCMS]. RFC 3369
[CMS] obsoletes the rest of RFC 2630. Separation of the protocol and
algorithm specifications allows each one to be updated without
impacting the other. However, the conventions for using additional
algorithms with the CMS are likely to be specified in separate
documents.
1.2 Terminology
In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD,
SHOULD NOT, RECOMMENDED, and MAY are to be interpreted as described
in [STDWORDS].
Housley Standards Track [Page 2]
RFC 3370 CMS Algorithms August 2002
2 Message Digest Algorithms
This section specifies the conventions employed by CMS
implementations that support SHA-1 or MD5.
Digest algorithm identifiers are located in the SignedData
digestAlgorithms field, the SignerInfo digestAlgorithm field, the
DigestedData digestAlgorithm field, and the AuthenticatedData
digestAlgorithm field.
Digest values are located in the DigestedData digest field and the
Message Digest authenticated attribute. In addition, digest values
are input to signature algorithms.
2.1 SHA-1
The SHA-1 message digest algorithm is defined in FIPS Pub 180-1
[SHA1]. The algorithm identifier for SHA-1 is:
sha-1 OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
oiw(14) secsig(3) algorithm(2) 26 }
There are two possible encodings for the SHA-1 AlgorithmIdentifier
parameters field. The two alternatives arise from the fact that when
the 1988 syntax for AlgorithmIdentifier was translated into the 1997
syntax, the OPTIONAL associated with the AlgorithmIdentifier
parameters got lost. Later the OPTIONAL was recovered via a defect
report, but by then many people thought that algorithm parameters
were mandatory. Because of this history some implementations encode
parameters as a NULL element and others omit them entirely. The
correct encoding is to omit the parameters field; however,
implementations MUST also handle a SHA-1 AlgorithmIdentifier
parameters field which contains a NULL.
The AlgorithmIdentifier parameters field is OPTIONAL. If present,
the parameters field MUST contain a NULL. Implementations MUST
accept SHA-1 AlgorithmIdentifiers with absent parameters.
Implementations MUST accept SHA-1 AlgorithmIdentifiers with NULL
parameters. Implementations SHOULD generate SHA-1
AlgorithmIdentifiers with absent parameters.
2.2 MD5
The MD5 digest algorithm is defined in RFC 1321 [MD5]. The algorithm
identifier for MD5 is:
md5 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) digestAlgorithm(2) 5 }
Housley Standards Track [Page 3]
RFC 3370 CMS Algorithms August 2002
The AlgorithmIdentifier parameters field MUST be present, and the
parameters field MUST contain NULL. Implementations MAY accept the
MD5 AlgorithmIdentifiers with absent parameters as well as NULL
parameters.
3 Signature Algorithms
This section specifies the conventions employed by CMS
implementations that support DSA or RSA (PKCS #1 v1.5).
Signature algorithm identifiers are located in the SignerInfo
signatureAlgorithm field of SignedData. Also, signature algorithm
identifiers are located in the SignerInfo signatureAlgorithm field of
countersignature attributes.
Signature values are located in the SignerInfo signature field of
SignedData. Also, signature values are located in the SignerInfo
signature field of countersignature attributes.
3.1 DSA
The DSA signature algorithm is defined in FIPS Pub 186 [DSS]. DSA
MUST be used with the SHA-1 message digest algorithm.
The algorithm identifier for DSA subject public keys in certificates
is:
id-dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) x9-57 (10040) x9cm(4) 1 }
DSA signature validation requires three parameters, commonly called
p, q, and g. When the id-dsa algorithm identifier is used, the
AlgorithmIdentifier parameters field is optional. If present, the
AlgorithmIdentifier parameters field MUST contain the three DSA
parameter values encoded using the Dss-Parms type. If absent, the
subject DSA public key uses the same DSA parameters as the
certificate issuer.
Dss-Parms ::= SEQUENCE {
p INTEGER,
q INTEGER,
g INTEGER }
When the id-dsa algorithm identifier is used, the DSA public key,
commonly called Y, MUST be encoded as an INTEGER. The output of this
encoding is carried in the certificate subject public key.
Dss-Pub-Key ::= INTEGER -- Y
Housley Standards Track [Page 4]
RFC 3370 CMS Algorithms August 2002
The algorithm identifier for DSA with SHA-1 signature values is:
id-dsa-with-sha1 OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) x9-57 (10040) x9cm(4) 3 }
When the id-dsa-with-sha1 algorithm identifier is used, the
AlgorithmIdentifier parameters field MUST be absent.
When signing, the DSA algorithm generates two values, commonly called
r and s. To transfer these two values as one signature, they MUST be
encoded using the Dss-Sig-Value type:
Dss-Sig-Value ::= SEQUENCE {
r INTEGER,
s INTEGER }
3.2 RSA
The RSA (PKCS #1 v1.5) signature algorithm is defined in RFC 2437
[NEWPKCS#1]. RFC 2437 specifies the use of the RSA signature
algorithm with the SHA-1 and MD5 message digest algorithms.
The algorithm identifier for RSA subject public keys in certificates
is:
rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }
When the rsaEncryption algorithm identifier is used, the
AlgorithmIdentifier parameters field MUST contain NULL.
When the rsaEncryption algorithm identifier is used, the RSA public
key, which is composed of a modulus and a public exponent, MUST be
encoded using the RSAPublicKey type. The output of this encoding is
carried in the certificate subject public key.
RSAPublicKey ::= SEQUENCE {
modulus INTEGER, -- n
publicExponent INTEGER } -- e
CMS implementations that include the RSA (PKCS #1 v1.5) signature
algorithm MUST also implement the SHA-1 message digest algorithm.
Such implementations SHOULD also support the MD5 message digest
algorithm.
Housley Standards Track [Page 5]
RFC 3370 CMS Algorithms August 2002
The rsaEncryption algorithm identifier is used to identify RSA (PKCS
#1 v1.5) signature values regardless of the message digest algorithm
employed. CMS implementations that include the RSA (PKCS #1 v1.5)
signature algorithm MUST support the rsaEncryption signature value
algorithm identifier, and CMS implementations MAY support RSA (PKCS
#1 v1.5) signature value algorithm identifiers that specify both the
RSA (PKCS #1 v1.5) signature algorithm and the message digest
algorithm.
The algorithm identifier for RSA (PKCS #1 v1.5) with SHA-1 signature
values is:
sha1WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5 }
The algorithm identifier for RSA (PKCS #1 v1.5) with MD5 signature
values is:
md5WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 4 }
When the rsaEncryption, sha1WithRSAEncryption, or
md5WithRSAEncryption signature value algorithm identifiers are used,
the AlgorithmIdentifier parameters field MUST be NULL.
When signing, the RSA algorithm generates a single value, and that
value is used directly as the signature value.
4 Key Management Algorithms
CMS accommodates the following general key management techniques: key
agreement, key transport, previously distributed symmetric key-
encryption keys, and passwords.
4.1 Key Agreement Algorithms
This section specifies the conventions employed by CMS
implementations that support key agreement using X9.42 Ephemeral-
Static Diffie-Hellman (X9.42 E-S D-H) and X9.42 Static-Static
Diffie-Hellman (X9.42 S-S D-H).
When a key agreement algorithm is used, a key-encryption algorithm is
also needed. Therefore, when key agreement is supported, a key-
encryption algorithm MUST be provided for each content-encryption
algorithm. The key wrap algorithms for Triple-DES and RC2 are
described in RFC 3217 [WRAP].
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -