Tech-invite   3GPPspecs   RFCs   SIP   Search in Tech-invite

in Index   Prev   Next
in Index   Prev   Next  Group: LAMPS

RFC 8551

Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification

Pages: 63
Proposed STD
Obsoletes:  5751
Part 2 of 5 – Pages 12 to 21
First   Prev   Next

Top   ToC   RFC8551 - Page 12   prevText
2.  CMS Options

   CMS allows for a wide variety of options in content, attributes, and
   algorithm support.  This section puts forth a number of support
   requirements and recommendations in order to achieve a base level of
   interoperability among all S/MIME implementations.  [RFC3370] and
   [RFC5754] provide additional details regarding the use of the
   cryptographic algorithms.  [ESS] provides additional details
   regarding the use of additional attributes.

2.1.  DigestAlgorithmIdentifier

   The algorithms here are used for digesting the body of the message
   and are not the same as the digest algorithms used as part of the
   signature algorithms.  The result of this is placed in the
   message-digest attribute of the signed attributes.  It is RECOMMENDED
   that the algorithm used for digesting the body of the message be of
   similar strength to, or greater strength than, the signature
   algorithm.

   Sending and receiving agents:

   -  MUST support SHA-256.

   -  MUST support SHA-512.

   [RFC5754] provides the details for using these algorithms with
   S/MIME.

2.2.  SignatureAlgorithmIdentifier

   There are different sets of requirements placed on receiving and
   sending agents.  By having the different requirements, the maximum
   amount of interoperability is achieved, as it allows for specialized
   protection of private key material but maximum signature validation.

   Receiving agents:

   -  MUST support ECDSA with curve P-256 and SHA-256.

   -  MUST support EdDSA with curve25519 using PureEdDSA mode [RFC8419].

   -  MUST- support RSA PKCS #1 v1.5 with SHA-256.

   -  SHOULD support the RSA Probabilistic Signature Scheme (RSASSA-PSS)
      with SHA-256.
Top   ToC   RFC8551 - Page 13
   Sending agents:

   -  MUST support at least one of the following algorithms: ECDSA with
      curve P-256 and SHA-256, or EdDSA with curve25519 using PureEdDSA
      mode.

   -  MUST- support RSA PKCS #1 v1.5 with SHA-256.

   -  SHOULD support RSASSA-PSS with SHA-256.

   See Section 4.1 for information on key size and algorithm references.

2.3.  KeyEncryptionAlgorithmIdentifier

   Receiving and sending agents:

   -  MUST support Elliptic Curve Diffie-Hellman (ECDH) ephemeral-static
      mode for P-256, as specified in [RFC5753].

   -  MUST support ECDH ephemeral-static mode for X25519 using HKDF-256
      ("HKDF" stands for "HMAC-based Key Derivation Function") for the
      KDF, as specified in [RFC8418].

   -  MUST- support RSA encryption, as specified in [RFC3370].

   -  SHOULD+ support RSA Encryption Scheme - Optimal Asymmetric
      Encryption Padding (RSAES-OAEP), as specified in [RFC3560].

   When ECDH ephemeral-static is used, a key wrap algorithm is also
   specified in the KeyEncryptionAlgorithmIdentifier [RFC5652].  The
   underlying encryption functions for the key wrap and content-
   encryption algorithms [RFC3370] [RFC3565] and the key sizes for the
   two algorithms MUST be the same (e.g., AES-128 key wrap algorithm
   with AES-128 content-encryption algorithm).  As both 128-bit and
   256-bit AES modes are mandatory to implement as content-encryption
   algorithms (Section 2.7), both the AES-128 and AES-256 key wrap
   algorithms MUST be supported when ECDH ephemeral-static is used.
   Recipients MAY enforce this but MUST use the weaker of the two as
   part of any cryptographic strength computations they might do.

   Appendix B provides information on algorithm support in older
   versions of S/MIME.

2.4.  General Syntax

   There are several CMS content types.  Of these, only the Data,
   SignedData, EnvelopedData, AuthEnvelopedData, and CompressedData
   content types are currently used for S/MIME.
Top   ToC   RFC8551 - Page 14
2.4.1.  Data Content Type

   Sending agents MUST use the id-data content type identifier to
   identify the "inner" MIME message content.  For example, when
   applying a digital signature to MIME data, the CMS SignedData
   encapContentInfo eContentType MUST include the id-data object
   identifier (OID), and the media type MUST be stored in the SignedData
   encapContentInfo eContent OCTET STRING (unless the sending agent is
   using multipart/signed, in which case the eContent is absent, per
   Section 3.5.3 of this document).  As another example, when applying
   encryption to MIME data, the CMS EnvelopedData encryptedContentInfo
   contentType MUST include the id-data OID and the encrypted MIME
   content MUST be stored in the EnvelopedData encryptedContentInfo
   encryptedContent OCTET STRING.

2.4.2.  SignedData Content Type

   Sending agents MUST use the SignedData content type to apply a
   digital signature to a message or, in a degenerate case where there
   is no signature information, to convey certificates.  Applying a
   signature to a message provides authentication, message integrity,
   and non-repudiation of origin.

2.4.3.  EnvelopedData Content Type

   This content type is used to apply data confidentiality to a message.
   In order to distribute the symmetric key, a sender needs to have
   access to a public key for each intended message recipient to use
   this service.

2.4.4.  AuthEnvelopedData Content Type

   This content type is used to apply data confidentiality and message
   integrity to a message.  This content type does not provide
   authentication or non-repudiation.  In order to distribute the
   symmetric key, a sender needs to have access to a public key for each
   intended message recipient to use this service.

2.4.5.  CompressedData Content Type

   This content type is used to apply data compression to a message.
   This content type does not provide authentication, message integrity,
   non-repudiation, or data confidentiality; it is only used to reduce
   the message's size.

   See Section 3.7 for further guidance on the use of this type in
   conjunction with other CMS types.
Top   ToC   RFC8551 - Page 15
2.5.  Attributes and the SignerInfo Type

   The SignerInfo type allows the inclusion of unsigned and signed
   attributes along with a signature.  These attributes can be required
   for the processing of messages (e.g., message digest), information
   the signer supplied (e.g., SMIME capabilities) that should be
   processed, or attributes that are not relevant to the current
   situation (e.g., mlExpansionHistory [RFC2634] for mail viewers).

   Receiving agents MUST be able to handle zero or one instance of each
   of the signed attributes listed here.  Sending agents SHOULD generate
   one instance of each of the following signed attributes in each
   S/MIME message:

   -  Signing time (Section 2.5.1 in this document)

   -  SMIME capabilities (Section 2.5.2 in this document)

   -  Encryption key Preference (Section 2.5.3 in this document)

   -  Message digest (Section 11.2 in [RFC5652])

   -  Content type (Section 11.1 in [RFC5652])

   Further, receiving agents SHOULD be able to handle zero or one
   instance of the signingCertificate and signingCertificateV2 signed
   attributes, as defined in Section 5 of RFC 2634 [ESS] and Section 3
   of RFC 5035 [ESS], respectively.

   Sending agents SHOULD generate one instance of the signingCertificate
   or signingCertificateV2 signed attribute in each SignerInfo
   structure.

   Additional attributes and values for these attributes might be
   defined in the future.  Receiving agents SHOULD handle attributes or
   values that they do not recognize in a graceful manner.

   Interactive sending agents that include signed attributes that are
   not listed here SHOULD display those attributes to the user, so that
   the user is aware of all of the data being signed.

2.5.1.  Signing Time Attribute

   The signingTime attribute is used to convey the time that a message
   was signed.  The time of signing will most likely be created by a
   signer and therefore is only as trustworthy as that signer.
Top   ToC   RFC8551 - Page 16
   Sending agents MUST encode signing time through the year 2049 as
   UTCTime; signing times in 2050 or later MUST be encoded as
   GeneralizedTime.  When the UTCTime CHOICE is used, S/MIME agents MUST
   interpret the year field (YY) as follows:

      If YY is greater than or equal to 50, the year is interpreted as
      19YY; if YY is less than 50, the year is interpreted as 20YY.

   Receiving agents MUST be able to process signingTime attributes that
   are encoded in either UTCTime or GeneralizedTime.

2.5.2.  SMIMECapabilities Attribute

   The SMIMECapabilities attribute includes signature algorithms (such
   as "sha256WithRSAEncryption"), symmetric algorithms (such as "AES-128
   CBC"), authenticated symmetric algorithms (such as "AES-128 GCM"),
   and key encipherment algorithms (such as "rsaEncryption").  The
   presence of an SMIMECapability attribute containing an algorithm
   implies that the sender can deal with the algorithm as well as
   understand the ASN.1 structures associated with that algorithm.
   There are also several identifiers that indicate support for other
   optional features such as binary encoding and compression.  The
   SMIMECapabilities attribute was designed to be flexible and
   extensible so that, in the future, a means of identifying other
   capabilities and preferences such as certificates can be added in a
   way that will not cause current clients to break.

   If present, the SMIMECapabilities attribute MUST be a
   SignedAttribute.  CMS defines SignedAttributes as a SET OF Attribute.
   The SignedAttributes in a signerInfo MUST include a single instance
   of the SMIMECapabilities attribute.  CMS defines the ASN.1 syntax for
   Attribute to include attrValues SET OF AttributeValue.  An
   SMIMECapabilities attribute MUST only include a single instance of
   AttributeValue.  If a signature is detected as violating these
   requirements, the signature SHOULD be treated as failing.

   The semantics of the SMIMECapabilities attribute specify a partial
   list as to what the client announcing the SMIMECapabilities can
   support.  A client does not have to list every capability it
   supports, and it need not list all its capabilities so that the
   capabilities list doesn't get too long.  In an SMIMECapabilities
   attribute, the OIDs are listed in order of their preference but
   SHOULD be separated logically along the lines of their categories
   (signature algorithms, symmetric algorithms, key encipherment
   algorithms, etc.).
Top   ToC   RFC8551 - Page 17
   The structure of the SMIMECapabilities attribute is to facilitate
   simple table lookups and binary comparisons in order to determine
   matches.  For instance, the encoding for the SMIMECapability for
   sha256WithRSAEncryption includes rather than omits the NULL
   parameter.  Because of the requirement for identical encoding,
   individuals documenting algorithms to be used in the
   SMIMECapabilities attribute SHOULD explicitly document the correct
   byte sequence for the common cases.

   For any capability, the associated parameters for the OID MUST
   specify all of the parameters necessary to differentiate between two
   instances of the same algorithm.

   The same OID that is used to identify an algorithm SHOULD also be
   used in the SMIMECapability for that algorithm.  There are cases
   where a single OID can correspond to multiple algorithms.  In these
   cases, a single algorithm MUST be assigned to the SMIMECapability
   using that OID.  Additional OIDs from the smimeCapabilities OID tree
   are then allocated for the other algorithms usages.  For instance, in
   an earlier specification, rsaEncryption was ambiguous because it
   could refer to either a signature algorithm or a key encipherment
   algorithm.  In the event that an OID is ambiguous, it needs to be
   arbitrated by the maintainer of the registered SMIMECapabilities list
   as to which type of algorithm will use the OID, and a new OID MUST be
   allocated under the smimeCapabilities OID to satisfy the other use of
   the OID.

   The registered SMIMECapabilities list specifies the parameters for
   OIDs that need them, most notably key lengths in the case of
   variable-length symmetric ciphers.  In the event that there are no
   differentiating parameters for a particular OID, the parameters MUST
   be omitted and MUST NOT be encoded as NULL.  Additional values for
   the SMIMECapabilities attribute might be defined in the future.
   Receiving agents MUST handle an SMIMECapabilities object that has
   values that it does not recognize in a graceful manner.

   Section 2.7.1 explains a strategy for caching capabilities.

2.5.3.  Encryption Key Preference Attribute

   The encryption key preference attribute allows the signer to
   unambiguously describe which of the signer's certificates has the
   signer's preferred encryption key.  This attribute is designed to
   enhance behavior for interoperating with those clients that use
   separate keys for encryption and signing.  This attribute is used to
   convey to anyone viewing the attribute which of the listed
   certificates is appropriate for encrypting a session key for future
   encrypted messages.
Top   ToC   RFC8551 - Page 18
   If present, the SMIMEEncryptionKeyPreference attribute MUST be a
   SignedAttribute.  CMS defines SignedAttributes as a SET OF Attribute.
   The SignedAttributes in a signerInfo MUST include a single instance
   of the SMIMEEncryptionKeyPreference attribute.  CMS defines the ASN.1
   syntax for Attribute to include attrValues SET OF AttributeValue.  An
   SMIMEEncryptionKeyPreference attribute MUST only include a single
   instance of AttributeValue.  If a signature is detected as violating
   these requirements, the signature SHOULD be treated as failing.

   The sending agent SHOULD include the referenced certificate in the
   set of certificates included in the signed message if this attribute
   is used.  The certificate MAY be omitted if it has been previously
   made available to the receiving agent.  Sending agents SHOULD use
   this attribute if the commonly used or preferred encryption
   certificate is not the same as the certificate used to sign the
   message.

   Receiving agents SHOULD store the preference data if the signature on
   the message is valid and the signing time is greater than the
   currently stored value.  (As with the SMIMECapabilities, the clock
   skew SHOULD be checked and the data not used if the skew is too
   great.)  Receiving agents SHOULD respect the sender's encryption key
   preference attribute if possible.  This, however, represents only a
   preference, and the receiving agent can use any certificate in
   replying to the sender that is valid.

   Section 2.7.1 explains a strategy for caching preference data.

2.5.3.1.  Selection of Recipient Key Management Certificate

   In order to determine the key management certificate to be used when
   sending a future CMS EnvelopedData message for a particular
   recipient, the following steps SHOULD be followed:

   -  If an SMIMEEncryptionKeyPreference attribute is found in a
      SignedData object received from the desired recipient, this
      identifies the X.509 certificate that SHOULD be used as the X.509
      key management certificate for the recipient.

   -  If an SMIMEEncryptionKeyPreference attribute is not found in a
      SignedData object received from the desired recipient, the set of
      X.509 certificates SHOULD be searched for an X.509 certificate
      with the same subject name as the signer of an X.509 certificate
      that can be used for key management.
Top   ToC   RFC8551 - Page 19
   -  Or, use some other method of determining the user's key management
      key.  If an X.509 key management certificate is not found, then
      encryption cannot be done with the signer of the message.  If
      multiple X.509 key management certificates are found, the S/MIME
      agent can make an arbitrary choice between them.

2.6.  SignerIdentifier SignerInfo Type

   S/MIME v4.0 implementations MUST support both issuerAndSerialNumber
   and subjectKeyIdentifier.  Messages that use the subjectKeyIdentifier
   choice cannot be read by S/MIME v2 clients.

   It is important to understand that some certificates use a value for
   subjectKeyIdentifier that is not suitable for uniquely identifying a
   certificate.  Implementations MUST be prepared for multiple
   certificates for potentially different entities to have the same
   value for subjectKeyIdentifier and MUST be prepared to try each
   matching certificate during signature verification before indicating
   an error condition.

2.7.  ContentEncryptionAlgorithmIdentifier

   Sending and receiving agents:

   -  MUST support encryption and decryption with AES-128 GCM and
      AES-256 GCM [RFC5084].

   -  MUST- support encryption and decryption with AES-128 CBC
      [RFC3565].

   -  SHOULD+ support encryption and decryption with ChaCha20-Poly1305
      [RFC7905].

2.7.1.  Deciding Which Encryption Method to Use

   When a sending agent creates an encrypted message, it has to decide
   which type of encryption to use.  The decision process involves using
   information garnered from the capabilities lists included in messages
   received from the recipient, as well as out-of-band information such
   as private agreements, user preferences, legal restrictions, and
   so on.

   Section 2.5.2 defines a method by which a sending agent can
   optionally announce, among other things, its decrypting capabilities
   in its order of preference.  The following method for processing and
   remembering the encryption capabilities attribute in incoming signed
   messages SHOULD be used.
Top   ToC   RFC8551 - Page 20
   -  If the receiving agent has not yet created a list of capabilities
      for the sender's public key, then, after verifying the signature
      on the incoming message and checking the timestamp, the receiving
      agent SHOULD create a new list containing at least the signing
      time and the symmetric capabilities.

   -  If such a list already exists, the receiving agent SHOULD verify
      that the signing time in the incoming message is greater than the
      signing time stored in the list and that the signature is valid.
      If so, the receiving agent SHOULD update both the signing time and
      capabilities in the list.  Values of the signing time that lie far
      in the future (that is, a greater discrepancy than any reasonable
      clock skew), or a capabilities list in messages whose signature
      could not be verified, MUST NOT be accepted.

   The list of capabilities SHOULD be stored for future use in creating
   messages.

   Before sending a message, the sending agent MUST decide whether it is
   willing to use weak encryption for the particular data in the
   message.  If the sending agent decides that weak encryption is
   unacceptable for this data, then the sending agent MUST NOT use a
   weak algorithm.  The decision to use or not use weak encryption
   overrides any other decision in this section about which encryption
   algorithm to use.

   Sections 2.7.1.1 and 2.7.1.2 describe the decisions a sending agent
   SHOULD use when choosing which type of encryption will be applied to
   a message.  These rules are ordered, so the sending agent SHOULD make
   its decision in the order given.

2.7.1.1.  Rule 1: Known Capabilities

   If the sending agent has received a set of capabilities from the
   recipient for the message the agent is about to encrypt, then the
   sending agent SHOULD use that information by selecting the first
   capability in the list (that is, the capability most preferred by the
   intended recipient) that the sending agent knows how to encrypt.  The
   sending agent SHOULD use one of the capabilities in the list if the
   agent reasonably expects the recipient to be able to decrypt the
   message.

2.7.1.2.  Rule 2: Unknown Capabilities, Unknown Version of S/MIME

   If the following two conditions are met, the sending agent SHOULD use
   AES-256 GCM, as AES-256 GCM is a stronger algorithm and is required
   by S/MIME v4.0:
Top   ToC   RFC8551 - Page 21
   -  The sending agent has no knowledge of the encryption capabilities
      of the recipient.

   -  The sending agent has no knowledge of the version of S/MIME used
      or supported by the recipient.

   If the sending agent chooses not to use AES-256 GCM in this step,
   given the presumption is that a client implementing AES-GCM would do
   both AES-256 and AES-128, it SHOULD use AES-128 CBC.

2.7.2.  Choosing Weak Encryption

   Algorithms such as RC2 are considered to be weak encryption
   algorithms.  Algorithms such as TripleDES are not state of the art
   and are considered to be weaker algorithms than AES.  A sending agent
   that is controlled by a human SHOULD allow a human sender to
   determine the risks of sending data using a weaker encryption
   algorithm before sending the data, and possibly allow the human to
   use a stronger encryption algorithm such as AES GCM or AES CBC even
   if there is a possibility that the recipient will not be able to
   process that algorithm.

2.7.3.  Multiple Recipients

   If a sending agent is composing an encrypted message to a group of
   recipients where the encryption capabilities of some of the
   recipients do not overlap, the sending agent is forced to send more
   than one message.  Please note that if the sending agent chooses to
   send a message encrypted with a strong algorithm and then send the
   same message encrypted with a weak algorithm, someone watching the
   communications channel could learn the contents of the strongly
   encrypted message simply by decrypting the weakly encrypted message.



(page 21 continued on part 3)

Next Section