rfc1423.txt

<VC++网络游戏建摸与实现>源代码

Network Working Group                                        D. Balenson
Request for Comments: 1423                                           TIS
Obsoletes: 1115                               IAB IRTF PSRG, IETF PEM WG
                                                           February 1993


           Privacy Enhancement for Internet Electronic Mail:
              Part III: Algorithms, Modes, and Identifiers

Status of This Memo

   This RFC specifies an IAB standards track protocol for the Internet
   community, and requests discussion and suggestions for improvements.
   Please refer to the current edition of the "IAB Official Protocol
   Standards" for the standardization state and status of this protocol.
   Distribution of this memo is unlimited.

Abstract

   This document provides definitions, formats, references, and
   citations for cryptographic algorithms, usage modes, and associated
   identifiers and parameters used in support of Privacy Enhanced Mail
   (PEM) in the Internet community.  It is intended to become one member
   of the set of related PEM RFCs.  This document is organized into four
   primary sections, dealing with message encryption algorithms, message
   integrity check algorithms, symmetric key management algorithms, and
   asymmetric key management algorithms (including both asymmetric
   encryption and asymmetric signature algorithms).

   Some parts of this material are cited by other documents and it is
   anticipated that some of the material herein may be changed, added,
   or replaced without affecting the citing documents.  Therefore,
   algorithm-specific material has been placed into this separate
   document.

   Use of other algorithms and/or modes will require case-by-case study
   to determine applicability and constraints.  The use of additional
   algorithms may be documented first in Prototype or Experimental RFCs.
   As experience is gained, these protocols may be considered for
   incorporation into the standard.  Additional algorithms and modes
   approved for use in PEM in this context will be specified in
   successors to this document.

Acknowledgments

   This specification was initially developed by the Internet Research
   Task Force's Privacy and Security Research Group (IRTF PSRG) and
   subsequently refined based on discussion in the Internet Engineering



Balenson                                                        [Page 1]

RFC 1423         PEM: Algorithms, Modes and Identifiers    February 1993


   Task Force's Privacy Enhanced Mail Working Group (IETF PEM WG).  John
   Linn contributed significantly to the predecessor of this document
   (RFC 1115).  I would like to thank the members of the PSRG and PEM
   WG, as well as all participants in discussions on the "pem-
   dev@tis.com" mailing list, for their contributions to this document.

Table of Contents

      1.  Message Encryption Algorithms ....................... 2
      1.1  DES in CBC Mode (DES-CBC) .......................... 2
      2.  Message Integrity Check Algorithms .................. 4
      2.1  RSA-MD2 Message Digest Algorithm ................... 4
      2.2  RSA-MD5 Message Digest Algorithm ................... 5
      3.  Symmetric Key Management Algorithms ................. 6
      3.1  DES in ECB mode (DES-ECB) .......................... 6
      3.2  DES in EDE mode (DES-EDE) .......................... 7
      4.  Asymmetric Key Management Algorithms ................ 7
      4.1  Asymmetric Keys .................................... 7
      4.1.1  RSA Keys ......................................... 7
      4.2  Asymmetric Encryption Algorithms ..................  9
      4.2.1  RSAEncryption ...................................  9
      4.3  Asymmetric Signature Algorithms ................... 10
      4.3.1  md2WithRSAEncryption ............................ 11
      5.  Descriptive Grammar ................................ 11
      References ............................................. 12
      Patent Statement ....................................... 13
      Security Considerations ................................ 14
      Author's Address ....................................... 14

1.  Message Encryption Algorithms

   This section identifies the alternative message encryption algorithms
   and modes that shall be used to encrypt message text and, when
   asymmetric key management is employed in an ENCRYPTED PEM message, for
   encryption of message signatures.  Character string identifiers are
   assigned and any parameters required by the message encryption
   algorithm are defined for incorporation in an encapsulated "DEK-
   Info:" header field.

   Only one alternative is currently defined in this category.

1.1  DES in CBC Mode (DES-CBC)

   Message text and, if required, message signatures are encrypted using
   the Data Encryption Standard (DES) algorithm in the Cipher Block
   Chaining (CBC) mode of operation.  The DES algorithm is defined in
   FIPS PUB 46-1 [1], and is equivalent to the Data Encryption Algorithm
   (DEA) provided in ANSI X3.92-1981 [2].  The CBC mode of operation of



Balenson                                                        [Page 2]

RFC 1423         PEM: Algorithms, Modes and Identifiers    February 1993


   DES is defined in FIPS PUB 81 [3], and is equivalent to those
   provided in ANSI X3.106 [4] and in ISO IS 8372 [5].  The character
   string "DES-CBC" within an encapsulated PEM header field indicates
   the use of this algorithm/mode combination.

   The input to the DES CBC encryption process shall be padded to a
   multiple of 8 octets, in the following manner.  Let n be the length
   in octets of the input.  Pad the input by appending 8-(n mod 8)
   octets to the end of the message, each having the value 8-(n mod 8),
   the number of octets being added.  In hexadecimal, the possible
   paddings are:  01, 0202, 030303, 04040404, 0505050505, 060606060606,
   07070707070707, and 0808080808080808.  All input is padded with 1 to
   8 octets to produce a multiple of 8 octets in length.  The padding
   can be removed unambiguously after decryption.

   The DES CBC encryption process requires a 64-bit cryptographic key.
   A new, pseudorandom key shall be generated for each ENCRYPTED PEM
   message.  Of the 64 bits, 56 are used directly by the DES CBC
   process, and 8 are odd parity bits, with one parity bit occupying the
   right-most bit of each octet.  When symmetric key management is
   employed, the setting and checking of odd parity bits is encouraged,
   since these bits could detect an error in the decryption of a DES key
   encrypted under a symmetric key management algorithm (e.g., DES ECB).
   When asymmetric key management is employed, the setting of odd parity
   bits is encouraged, but the checking of odd parity bits is
   discouraged, in order to facilitate interoperability, and since an
   error in the decryption of a DES key can be detected by other means
   (e.g., an incorrect PKCS #1 encryption-block format).  In all cases,
   the encrypted form of a DES key shall carry all 64 bits of the key,
   including the 8 parity bits, though those bits may have no meaning.

   The DES CBC encryption process also requires a 64-bit Initialization
   Vector (IV).  A new, pseudorandom IV shall be generated for each
   ENCRYPTED PEM message.  Section 4.3.1 of [7] provides rationale for
   this requirement, even given the fact that individual DES keys are
   generated for individual messages.  The IV is transmitted with the
   message within an encapsulated PEM header field.

   When this algorithm/mode combination is used for message text
   encryption, the "DEK-Info:" header field carries exactly two
   arguments.  The first argument identifies the DES CBC algorithm/mode
   using the character string defined above.  The second argument
   contains the IV, represented as a contiguous string of 16 ASCII
   hexadecimal digits.

   When symmetric key management is employed with this algorithm/mode
   combination, a symmetrically encrypted DES key will be represented in
   the third argument of a "Key-Info:" header field as a contiguous



Balenson                                                        [Page 3]

RFC 1423         PEM: Algorithms, Modes and Identifiers    February 1993


   string of 16 ASCII hexadecimal digits (corresponding to a 64-bit
   key).

   To avoid any potential ambiguity regarding the ordering of the octets
   of a DES key that is input as a data value to another encryption
   process (e.g., RSAEncryption), the following holds true.  The first
   (or left-most displayed, if one thinks in terms of a key's "print"
   representation) (For purposes of discussion in this document, data
   values are normalized in terms of their "print" representation.  For a
   octet stream, the "first" octet would appear as the one on the "left",
   and the "last" octet would appear on the "right".) octet of the key
   (i.e., bits 1-8 per FIPS PUB 46-1), when considered as a data value,
   has numerical weight 2**56.  The last (or right-most displayed) octet
   (i.e., bits 57-64 per FIPS PUB 46-1) has numerical weight 2**0.

2.  Message Integrity Check Algorithms

   This section identifies the alternative algorithms that shall be used
   to compute Message Integrity Check (MIC) values for PEM messages.
   Character string identifiers and ASN.1 object identifiers are
   assigned for incorporation in encapsulated "MIC-Info:" and "Key-
   Info:" header fields to indicate the choice of MIC algorithm
   employed.

   A compliant PEM implementation shall be able to process all of the
   alternative MIC algorithms defined here on incoming messages.  It is
   a sender option as to which alternative is employed on an outbound
   message.

2.1  RSA-MD2 Message Digest Algorithm

   The RSA-MD2 message digest is computed using the algorithm defined in
   RFC 1319 [9].  ( An error has been identified in RFC 1319.  The
   statement in the text of Section 3.2 which reads "Set C[j] to S[c xor
   L]" should read "Set C[j] to S[c xor L] xor C[j]".  Note that the C
   source code in the appendix of RFC 1319 is correct.)  The character
   string "RSA-MD2" within an encapsulated PEM header field indicates the
   use of this algorithm.  Also, as defined in RFC 1319, the ASN.1 object
   identifier

     md2 OBJECT IDENTIFIER ::= {
         iso(1) member-body(2) US(840) rsadsi(113549)
         digestAlgorithm(2) 2
     }

   identifies this algorithm.  When this object identifier is used with
   the ASN.1 type AlgorithmIdentifier, the parameters component of that
   type is the ASN.1 type NULL.



Balenson                                                        [Page 4]

RFC 1423         PEM: Algorithms, Modes and Identifiers    February 1993


   The RSA-MD2 message digest algorithm accepts as input a message of
   any length and produces as output a 16-octet quantity.  When
   symmetric key management is employed, an RSA-MD2 MIC is encrypted by
   splitting the MIC into two 8-octet halves, independently encrypting
   each half, and concatenating the results.

   When symmetric key management is employed with this MIC algorithm,
   the symmetrically encrypted MD2 message digest is represented in a
   the fourth argument of a "Key-Info:" header field as a contiguous
   string of 32 ASCII hexadecimal digits (corresponding to a 128-bit MD2
   message digest).

   To avoid any potential ambiguity regarding the ordering of the octets
   of an MD2 message digest that is input as a data value to another
   encryption process (e.g., RSAEncryption), the following holds true.
   The first (or left-most displayed, if one thinks in terms of a
   digest's "print" representation) octet of the digest (i.e., digest[0]
   as specified in RFC 1319), when considered as an RSA data value, has
   numerical weight 2**120.  The last (or right-most displayed) octet
   (i.e., digest[15] as specified in RFC 1319) has numerical weight
   2**0.

2.2  RSA-MD5 Message Digest Algorithm

   The RSA-MD5 message digest is computed using the algorithm defined in
   RFC 1321 [10].  The character string "RSA-MD5" within an encapsulated
   PEM header field indicates the use of this algorithm.  Also, as
   defined in RFC 1321, the object identifier

     md5 OBJECT IDENTIFIER ::= {
         iso(1) member-body(2) US(840) rsadsi(113549)
         digestAlgorithm(2) 5
     }