tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 5753

 Errata 
Informational
Pages: 61
Top     in Index     Prev     Next
in Group Index     Prev in Group     Next in Group     Group: SMIME

Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)

Part 1 of 3, p. 1 to 10
None       Next RFC Part

Obsoletes:    3278


Top       ToC       Page 1 
Internet Engineering Task Force (IETF)                         S. Turner
Request for Comments: 5753                                          IECA
Obsoletes: 3278                                                 D. Brown
Category: Informational                                         Certicom
ISSN: 2070-1721                                             January 2010


          Use of Elliptic Curve Cryptography (ECC) Algorithms
                 in Cryptographic Message Syntax (CMS)

Abstract

   This document describes how to use Elliptic Curve Cryptography (ECC)
   public key algorithms in the Cryptographic Message Syntax (CMS).  The
   ECC algorithms support the creation of digital signatures and the
   exchange of keys to encrypt or authenticate content.  The definition
   of the algorithm processing is based on the NIST FIPS 186-3 for
   digital signature, NIST SP800-56A and SEC1 for key agreement, RFC
   3370 and RFC 3565 for key wrap and content encryption, NIST FIPS
   180-3 for message digest, SEC1 for key derivation, and RFC 2104 and
   RFC 4231 for message authentication code standards.  This document
   obsoletes RFC 3278.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc5753.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

Page 2 
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1. Introduction ....................................................3
      1.1. Requirements Terminology ...................................3
   2. SignedData Using ECC ............................................3
      2.1. SignedData Using ECDSA .....................................4
   3. EnvelopedData Using ECC Algorithms ..............................5
      3.1. EnvelopedData Using (ephemeral-static) ECDH ................5
      3.2. EnvelopedData Using 1-Pass ECMQV ...........................8
   4. AuthenticatedData and AuthEnvelopedData Using ECC ..............11
      4.1. AuthenticatedData Using 1-Pass ECMQV ......................11
      4.2. AuthEnvelopedData Using 1-Pass ECMQV ......................12
   5. Certificates Using ECC .........................................13
   6. SMIMECapabilities Attribute and ECC ............................13
   7. ASN.1 Syntax ...................................................21
      7.1. Algorithm Identifiers .....................................21
      7.2. Other Syntax ..............................................24
   8. Recommended Algorithms and Elliptic Curves .....................26
   9. Security Considerations ........................................28
   10. IANA Considerations ...........................................33
   11. References ....................................................33
      11.1. Normative References .....................................33
      11.2. Informative References ...................................35
   Appendix A.  ASN.1 Modules.........................................37
      A.1.  1988 ASN.1 Module.........................................37
      A.2.  2004 ASN.1 Module.........................................45
   Appendix B. Changes since RFC 3278.................................59
   Acknowledgements...................................................61

Top      ToC       Page 3 
1.  Introduction

   The Cryptographic Message Syntax (CMS) is cryptographic algorithm
   independent.  This specification defines a profile for the use of
   Elliptic Curve Cryptography (ECC) public key algorithms in the CMS.
   The ECC algorithms are incorporated into the following CMS content
   types:

   -  'SignedData' to support ECC-based digital signature methods
      (ECDSA) to sign content;

   -  'EnvelopedData' to support ECC-based public key agreement methods
      (ECDH and ECMQV) to generate pairwise key-encryption keys to
      encrypt content-encryption keys used for content encryption;

   -  'AuthenticatedData' to support ECC-based public key agreement
      methods (ECMQV) to generate pairwise key-encryption keys to
      encrypt message-authentication keys used for content
      authentication and integrity; and

   -  'AuthEnvelopedData' to support ECC-based public key agreement
      methods (ECMQV) to generate pairwise key-encryption keys to
      encrypt message-authentication and content-encryption keys used
      for content authentication, integrity, and encryption.

   Certification of EC public keys is also described to provide public
   key distribution in support of the specified techniques.

   The document will obsolete [CMS-ECC].  The technical changes
   performed since RFC 3278 are detailed in Appendix B.

1.1.  Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [MUST].

2.  SignedData Using ECC

   This section describes how to use ECC algorithms with the CMS
   SignedData format to sign data.

Top      ToC       Page 4 
2.1.  SignedData Using ECDSA

   This section describes how to use the Elliptic Curve Digital
   Signature Algorithm (ECDSA) with SignedData.  ECDSA is specified in
   [FIPS186-3].  The method is the elliptic curve analog of the Digital
   Signature Algorithm (DSA) [FIPS186-3].  ECDSA is used with the Secure
   Hash Algorithm (SHA) [FIPS180-3].

   In an implementation that uses ECDSA with CMS SignedData, the
   following techniques and formats MUST be used.

2.1.1.  Fields of the SignedData

   When using ECDSA with SignedData, the fields of SignerInfo are as in
   [CMS], but with the following restrictions:

   -  digestAlgorithm MUST contain the algorithm identifier of the hash
      algorithm (see Section 7.1.1), which MUST be one of the following:
      id-sha1, id-sha224, id-sha256, id-sha384, or id-sha512.

   -  signatureAlgorithm contains the signature algorithm identifier
      (see Section 7.1.3): ecdsa-with-SHA1, ecdsa-with-SHA224, ecdsa-
      with-SHA256, ecdsa-with-SHA384, or ecdsa-with-SHA512.  The hash
      algorithm identified in the name of the signature algorithm MUST
      be the same as the digestAlgorithm (e.g., digestAlgorithm is id-
      sha256 therefore signatureAlgorithm is ecdsa-with-SHA256).

   -  signature MUST contain the DER encoding (as an octet string) of a
      value of the ASN.1 type ECDSA-Sig-Value (see Section 7.2).

   When using ECDSA, the SignedData certificates field MAY include the
   certificate(s) for the EC public key(s) used in the generation of the
   ECDSA signatures in SignedData.  ECC certificates are discussed in
   Section 5.

2.1.2.  Actions of the Sending Agent

   When using ECDSA with SignedData, the sending agent uses the message
   digest calculation process and signature generation process for
   SignedData that are specified in [CMS].  To sign data, the sending
   agent uses the signature method specified in [FIPS186-3].

   The sending agent encodes the resulting signature using the ECDSA-
   Sig-Value syntax (see Section 7.2) and places it in the SignerInfo
   signature field.

Top      ToC       Page 5 
2.1.3.  Actions of the Receiving Agent

   When using ECDSA with SignedData, the receiving agent uses the
   message digest calculation process and signature verification process
   for SignedData that are specified in [CMS].  To verify SignedData,
   the receiving agent uses the signature verification method specified
   in [FIPS186-3].

   In order to verify the signature, the receiving agent retrieves the
   integers r and s from the SignerInfo signature field of the received
   message.

3.  EnvelopedData Using ECC Algorithms

   This section describes how to use ECC algorithms with the CMS
   EnvelopedData format.

   This document does not specify the static-static ECDH, method C(0,2,
   ECC CDH) from [SP800-56A].  Static-static ECDH is analogous to
   static-static DH, which is specified in [CMS-ALG].  Ephemeral-static
   ECDH and 1-Pass ECMQV were specified because they provide better
   security due to the originator's ephemeral contribution to the key
   agreement scheme.

3.1.  EnvelopedData Using (ephemeral-static) ECDH

   This section describes how to use the ephemeral-static Elliptic Curve
   Diffie-Hellman (ECDH) key agreement algorithm with EnvelopedData.
   This algorithm has two variations:

   - 'Standard' ECDH, described as the 'Elliptic Curve Diffie-Hellman
     Scheme' with the 'Elliptic Curve Diffie-Hellman Primitive' in
     [SEC1], and

   - 'Co-factor' ECDH, described as the 'One-Pass Diffie-Hellman scheme'
     (method C(1, 1, ECC CDH)) in [SP800-56A].

   Both variations of ephemeral-static ECDH are elliptic curve analogs
   of the ephemeral-static Diffie-Hellman key agreement algorithm
   specified jointly in the documents [CMS-ALG] and [CMS-DH].

   If an implementation uses ECDH with CMS EnvelopedData, then the
   following techniques and formats MUST be used.

   The fields of EnvelopedData are as in [CMS]; as ECDH is a key
   agreement algorithm, the RecipientInfo kari choice is used.

Top      ToC       Page 6 
3.1.1.  Fields of KeyAgreeRecipientInfo

   When using ephemeral-static ECDH with EnvelopedData, the fields of
   KeyAgreeRecipientInfo are as follows:

   -  version MUST be 3.

   -  originator MUST be the alternative originatorKey.  The
      originatorKey algorithm field MUST contain the id-ecPublicKey
      object identifier (see Section 7.1.2).  The parameters associated
      with id-ecPublicKey MUST be absent, ECParameters, or NULL.  The
      parameters associated with id-ecPublicKey SHOULD be absent or
      ECParameters, and NULL is allowed to support legacy
      implementations.  The previous version of this document required
      NULL to be present.  If the parameters are ECParameters, then they
      MUST be namedCurve.  The originatorKey publicKey field MUST
      contain the DER encoding of the value of the ASN.1 type ECPoint
      (see Section 7.2), which represents the sending agent's ephemeral
      EC public key.  The ECPoint in uncompressed form MUST be
      supported.

   -  ukm MAY be present or absent.  However, message originators SHOULD
      include the ukm.  As specified in RFC 3852 [CMS], implementations
      MUST support ukm message recipient processing, so interoperability
      is not a concern if the ukm is present or absent.  The ukm is
      placed in the entityUInfo field of the ECC-CMS-SharedInfo
      structure.  When present, the ukm is used to ensure that a
      different key-encryption key is generated, even when the ephemeral
      private key is improperly used more than once, by using the ECC-
      CMS-SharedInfo as an input to the key derivation function (see
      Section 7.2).

   -  keyEncryptionAlgorithm MUST contain the object identifier of the
      key-encryption algorithm, which in this case is a key agreement
      algorithm (see Section 7.1.4).  The parameters field contains
      KeyWrapAlgorithm.  The KeyWrapAlgorithm is the algorithm
      identifier that indicates the symmetric encryption algorithm used
      to encrypt the content-encryption key (CEK) with the key-
      encryption key (KEK) and any associated parameters (see Section
      7.1.5).  Algorithm requirements are found in Section 8.

   -  recipientEncryptedKeys contains an identifier and an encrypted key
      for each recipient.  The RecipientEncryptedKey
      KeyAgreeRecipientIdentifier MUST contain either the
      issuerAndSerialNumber identifying the recipient's certificate or
      the RecipientKeyIdentifier containing the subject key identifier
      from the recipient's certificate.  In both cases, the recipient's
      certificate contains the recipient's static ECDH public key.

Top      ToC       Page 7 
      RecipientEncryptedKey EncryptedKey MUST contain the content-
      encryption key encrypted with the ephemeral-static, ECDH-generated
      pairwise key-encryption key using the algorithm specified by the
      KeyWrapAlgorithm.

3.1.2.  Actions of the Sending Agent

   When using ephemeral-static ECDH with EnvelopedData, the sending
   agent first obtains the recipient's EC public key and domain
   parameters (e.g., from the recipient's certificate).  The sending
   agent then performs one of the two ECDH variations mentioned above:

   - If the value of keyEncryptionAlgorithm indicates the use of
     'standard' Diffie-Hellman, then the sending agent performs the
     'Elliptic Curve Diffie-Hellman Scheme' with the 'Elliptic Curve
     Diffie-Hellman Primitive' in [SEC1].

   - If the value of keyEncryptionAlgorithm indicates the use of 'co-
     factor' Diffie-Hellman, then the sending agent performs the 'One-
     Pass Diffie-Hellman scheme' (method C(1, 1, ECC CDH)) in
     [SP800-56A].

   In both of these cases, the sending agent uses the KDF defined in
   Section 3.6.1 of [SEC1] with the hash algorithm identified by the
   value of keyEncryptionAlgorithm.  As a result, the sending agent
   obtains:

   -  an ephemeral public key, which is represented as a value of the
      type ECPoint (see Section 7.2), encapsulated in a bit string and
      placed in the KeyAgreeRecipientInfo originator originatorKey
      publicKey field, and

   -  a shared secret bit string "K", which is used as the pairwise key-
      encryption key for that recipient, as specified in [CMS].

   In a single message, if there are multiple layers for a recipient,
   then the ephemeral public key can be reused by the originator for
   that recipient in each of the different layers.

3.1.3.  Actions of the Receiving Agent

   When using ephemeral-static ECDH with EnvelopedData, the receiving
   agent determines the bit string "SharedInfo", which is the DER
   encoding of ECC-CMS-SharedInfo (see Section 7.2), and the integer
   "keydatalen" from the key size, in bits, of the KeyWrapAlgorithm.
   The receiving agent retrieves the ephemeral EC public key from the
   bit string KeyAgreeRecipientInfo originator, with a value of the type
   ECPoint (see Section 7.2) encapsulated as a bit string, and if

Top      ToC       Page 8 
   present, originally supplied additional user key material from the
   ukm field.  The receiving agent then performs one of the two ECDH
   variations mentioned above:

   - If the value of keyEncryptionAlgorithm indicates the use of
     'standard' Diffie-Hellman, then the receiving agent performs the
     'Elliptic Curve Diffie-Hellman Scheme' with the 'Elliptic Curve
     Diffie-Hellman Primitive' in [SEC1].

   - If the value of keyEncryptionAlgorithm indicates the use of 'co-
     factor' Diffie-Hellman, then the receiving agent performs the 'One-
     Pass Diffie-Hellman scheme' (method C(1, 1, ECC CDH)) in
     [SP800-56A].

   In both of these cases, the receiving agent uses the KDF defined in
   Section 3.6.1 of [SEC1] with the hash algorithm identified by the
   value of keyEncryptionAlgorithm.  As a result, the receiving agent
   obtains a shared secret bit string "K", which is used as the pairwise
   key-encryption key to unwrap the CEK.

3.2.  EnvelopedData Using 1-Pass ECMQV

   This section describes how to use the 1-Pass Elliptic Curve Menezes-
   Qu-Vanstone (ECMQV) key agreement algorithm with EnvelopedData,
   method C(1, 2, ECC MQV) from [SP800-56A].  Like the KEA algorithm
   [CMS-KEA], 1-Pass ECMQV uses three key pairs: an ephemeral key pair,
   a static key pair of the sending agent, and a static key pair of the
   receiving agent.  Using an algorithm with the sender static key pair
   allows for knowledge of the message creator; this means that
   authentication can, in some circumstances, be obtained for
   AuthEnvelopedData and AuthenticatedData.  This means that 1-Pass
   ECMQV can be a common algorithm for EnvelopedData, AuthenticatedData,
   and AuthEnvelopedData, while ECDH can only be used in EnvelopedData.

   If an implementation uses 1-Pass ECMQV with CMS EnvelopedData, then
   the following techniques and formats MUST be used.

   The fields of EnvelopedData are as in [CMS]; as 1-Pass ECMQV is a key
   agreement algorithm, the RecipientInfo kari choice is used.  When
   using 1-Pass ECMQV, the EnvelopedData originatorInfo field MAY
   include the certificate(s) for the EC public key(s) used in the
   formation of the pairwise key.  ECC certificates are discussed in
   Section 5.

Top      ToC       Page 9 
3.2.1.  Fields of KeyAgreeRecipientInfo

   When using 1-Pass ECMQV with EnvelopedData, the fields of
   KeyAgreeRecipientInfo are as follows:

   -  version MUST be 3.

   -  originator identifies the static EC public key of the sender.  It
      SHOULD be one of the alternatives, issuerAndSerialNumber or
      subjectKeyIdentifier, and point to one of the sending agent's
      certificates.

   -  ukm MUST be present.  The ukm field is an octet string that MUST
      contain the DER encoding of the type MQVuserKeyingMaterial (see
      Section 7.2).  The MQVuserKeyingMaterial ephemeralPublicKey
      algorithm field MUST contain the id-ecPublicKey object identifier
      (see Section 7.1.2).  The parameters associated with id-
      ecPublicKey MUST be absent, ECParameters, or NULL.  The parameters
      associated with id-ecPublicKey SHOULD be absent or ECParameters,
      as NULL is allowed to support legacy implementations.  The
      previous version of this document required NULL to be present.  If
      the parameters are ECParameters, then they MUST be namedCurve.
      The MQVuserKeyingMaterial ephemeralPublicKey publicKey field MUST
      contain the DER encoding of the ASN.1 type ECPoint (see Section
      7.2) representing the sending agent's ephemeral EC public key.
      The MQVuserKeyingMaterial addedukm field, if present, contains
      additional user keying material from the sending agent.

   -  keyEncryptionAlgorithm MUST contain the object identifier of the
      key-encryption algorithm, which in this case is a key agreement
      algorithm (see Section 7.1.4).  The parameters field contains
      KeyWrapAlgorithm.  The KeyWrapAlgorithm indicates the symmetric
      encryption algorithm used to encrypt the CEK with the KEK
      generated using the 1-Pass ECMQV algorithm and any associated
      parameters (see Section 7.1.5).  Algorithm requirements are found
      in Section 8.

   -  recipientEncryptedKeys contains an identifier and an encrypted key
      for each recipient.  The RecipientEncryptedKey
      KeyAgreeRecipientIdentifier MUST contain either the
      issuerAndSerialNumber identifying the recipient's certificate or
      the RecipientKeyIdentifier containing the subject key identifier
      from the recipient's certificate.  In both cases, the recipient's
      certificate contains the recipient's static ECMQV public key.
      RecipientEncryptedKey EncryptedKey MUST contain the content-
      encryption key encrypted with the 1-Pass ECMQV-generated pairwise
      key-encryption key using the algorithm specified by the
      KeyWrapAlgorithm.

Top      ToC       Page 10 
3.2.2.  Actions of the Sending Agent

   When using 1-Pass ECMQV with EnvelopedData, the sending agent first
   obtains the recipient's EC public key and domain parameters (e.g.,
   from the recipient's certificate), and checks that the domain
   parameters are the same as the sender's domain parameters.  The
   sending agent then determines an integer "keydatalen", which is the
   KeyWrapAlgorithm symmetric key size in bits, and also a bit string
   "SharedInfo", which is the DER encoding of ECC-CMS-SharedInfo (see
   Section 7.2).  The sending agent then performs the key deployment and
   key agreement operations of the Elliptic Curve MQV Scheme specified
   in [SP800-56A], but uses the KDF defined in Section 3.6.1 of [SEC1].
   As a result, the sending agent obtains:

   - an ephemeral public key, which is represented as a value of type
     ECPoint (see Section 7.2), encapsulated in a bit string, placed in
     an MQVuserKeyingMaterial ephemeralPublicKey publicKey field (see
     Section 7.2), and

   - a shared secret bit string "K", which is used as the pairwise key-
     encryption key for that recipient, as specified in [CMS].

   In a single message, if there are multiple layers for a recipient,
   then the ephemeral public key can be reused by the originator for
   that recipient in each of the different layers.

3.2.3.  Actions of the Receiving Agent

   When using 1-Pass ECMQV with EnvelopedData, the receiving agent
   determines the bit string "SharedInfo", which is the DER encoding of
   ECC-CMS-SharedInfo (see Section 7.2), and the integer "keydatalen"
   from the key size, in bits, of the KeyWrapAlgorithm.  The receiving
   agent then retrieves the static and ephemeral EC public keys of the
   originator, from the originator and ukm fields as described in
   Section 3.2.1, and its static EC public key identified in the rid
   field and checks that the originator's domain parameters are the same
   as the recipient's domain parameters.  The receiving agent then
   performs the key agreement operation of the Elliptic Curve MQV Scheme
   [SP800-56A], but uses the KDF defined in Section 3.6.1 of [SEC1].  As
   a result, the receiving agent obtains a shared secret bit string "K",
   which is used as the pairwise key-encryption key to unwrap the CEK.


Next RFC Part