11. References
11.1. Normative References
[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 5652, September 2009.
[CMS-AES] Schaad, J., "Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS)", RFC 3565, July 2003.
[CMS-AESCG] Housley, R., "Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)", RFC 5084, December 2007.
[CMS-ALG] Housley, R., "Cryptographic Message Syntax (CMS) Algorithms", RFC 3370, August 2002.
[CMS-AUTHENV] Housley, R., "Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type", RFC 5083, November 2007.
[CMS-DH] Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, June 1999.
[CMS-SHA2] Turner, S., "Using SHA2 Algorithms with Cryptographic Message Syntax", RFC 5754, January 2010.
[FIPS180-3] National Institute of Standards and Technology (NIST), FIPS Publication 180-3: Secure Hash Standard, October 2008.
[FIPS186-3] National Institute of Standards and Technology (NIST), FIPS Publication 186-3: Digital Signature Standard, June 2009.
[HMAC-SHA2] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", RFC 4231, December 2005.
[MUST] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[MSG] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification", RFC 5751, January 2010.
[PKI] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.
[PKI-ALG] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, "Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, March 2009.
[RANDOM] Eastlake, D., 3rd, Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.
[RSAOAEP] Schaad, J., Kaliski, B., and R. Housley, "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 4055, June 2005.
[SEC1] Standards for Efficient Cryptography Group, "SEC 1: Elliptic Curve Cryptography", version 2.0, May 2009, available from www.secg.org.
[SP800-56A] National Institute of Standards and Technology (NIST), Special Publication 800-56A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.
[X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002. Information Technology - Abstract Syntax Notation One.
11.2. Informative References
[BON] D. Boneh, "The Security of Multicast MAC", Presentation at Selected Areas of Cryptography 2000, Center for Applied Cryptographic Research, University of Waterloo, 2000. Paper version available from http://crypto.stanford.edu/~dabo/papers/mmac.ps
[CERTCAP] Santesson, S., "X.509 Certificate Extension for Secure/Multipurpose Internet Mail Extensions (S/MIME) Capabilities", RFC 4262, December 2005.
[CMS-ASN] Hoffman, P. and J. Schaad, "New ASN.1 Modules for CMS and S/MIME", Work in Progress, August 2009.
[CMS-ECC] Blake-Wilson, S., Brown, D., and P. Lambert, "Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)", RFC 3278, April 2002.
[CMS-KEA] Pawling, J., "Use of the KEA and SKIPJACK Algorithms in CMS", RFC 2876, July 2000.
[K] B. Kaliski, "MQV Vulnerability", Posting to ANSI X9F1 and IEEE P1363 newsgroups, 1998.
[PKI-ASN] Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX", Work in Progress, August 2009.
[SP800-57] National Institute of Standards and Technology (NIST), Special Publication 800-57: Recommendation for Key Management - Part 1 (Revised), March 2007.
[X.681] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002. Information Technology - Abstract Syntax Notation One: Information Object Specification.
[X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002. Information Technology - Abstract Syntax Notation One: Constraint Specification.
[X.683] ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002. Information Technology - Abstract Syntax Notation One: Parameterization of ASN.1 Specifications, 2002.
[X9.62] X9.62-2005, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Standard (ECDSA)", November, 2005.
Appendix A. ASN.1 Modules
Appendix A.1 provides the normative ASN.1 definitions for the structures described in this specification using ASN.1 as defined in [X.680] for compilers that support the 1988 ASN.1. Appendix A.2 provides informative ASN.1 definitions for the structures described in this specification using ASN.1 as defined in [X.680], [X.681], [X.682], and [X.683] for compilers that support the 2002 ASN.1. This appendix contains the same information as Appendix A.1 in a more recent (and precise) ASN.1 notation; however, Appendix A.1 takes precedence in case of conflict.

A.1. 1988 ASN.1 Module
CMSECCAlgs-2009-88
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
    smime(16) modules(0) id-mod-cms-ecc-alg-2009-88(45) }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- EXPORTS ALL

IMPORTS

-- From [PKI]

AlgorithmIdentifier
  FROM PKIX1Explicit88
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) mod(0) pkix1-explicit(18) }

-- From [RSAOAEP]

id-sha224, id-sha256, id-sha384, id-sha512
  FROM PKIX1-PSS-OAEP-Algorithms
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkix1-rsa-pkalgs(33) }

-- From [PKI-ALG]

id-sha1, ecdsa-with-SHA1, ecdsa-with-SHA224, ecdsa-with-SHA256,
ecdsa-with-SHA384, ecdsa-with-SHA512, id-ecPublicKey,
ECDSA-Sig-Value, ECPoint, ECParameters
  FROM PKIX1Algorithms2008
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0) 45 }

-- From [CMS]

OriginatorPublicKey, UserKeyingMaterial
  FROM CryptographicMessageSyntax2004
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) cms-2004(24) }

-- From [CMS-ALG]

hMAC-SHA1, des-ede3-cbc, id-alg-CMS3DESwrap, CBCParameter
  FROM CryptographicMessageSyntaxAlgorithms
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) cmsalg-2001(16) }

-- From [CMS-AES]

id-aes128-CBC, id-aes192-CBC, id-aes256-CBC, AES-IV,
id-aes128-wrap, id-aes192-wrap, id-aes256-wrap
  FROM CMSAesRsaesOaep
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) id-mod-cms-aes(19) }

-- From [CMS-AESCG]

id-aes128-CCM, id-aes192-CCM, id-aes256-CCM, CCMParameters,
id-aes128-GCM, id-aes192-GCM, id-aes256-GCM, GCMParameters
  FROM CMS-AES-CCM-and-AES-GCM
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) id-mod-cms-aes(32) }

;

--
-- Message Digest Algorithms: Imported from [PKI-ALG] and [RSAOAEP]
--

-- id-sha1    Parameters are preferred absent
-- id-sha224  Parameters are preferred absent
-- id-sha256  Parameters are preferred absent
-- id-sha384  Parameters are preferred absent
-- id-sha512  Parameters are preferred absent

--
-- Signature Algorithms: Imported from [PKI-ALG]
--

-- ecdsa-with-SHA1    Parameters are NULL
-- ecdsa-with-SHA224  Parameters are absent
-- ecdsa-with-SHA256  Parameters are absent
-- ecdsa-with-SHA384  Parameters are absent
-- ecdsa-with-SHA512  Parameters are absent

-- ECDSA Signature Value
-- Contents of SignatureValue OCTET STRING

-- ECDSA-Sig-Value ::= SEQUENCE {
--   r  INTEGER,
--   s  INTEGER
-- }

--
-- Key Agreement Algorithms
--

x9-63-scheme OBJECT IDENTIFIER ::= {
  iso(1) identified-organization(3) tc68(133) country(16) x9(840)
  x9-63(63) schemes(0) }

secg-scheme OBJECT IDENTIFIER ::= {
  iso(1) identified-organization(3) certicom(132) schemes(1) }

--
-- Diffie-Hellman Single Pass, Standard, with KDFs
--

-- Parameters are always present and indicate the key wrap algorithm
-- with KeyWrapAlgorithm.

dhSinglePass-stdDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
  x9-63-scheme 2 }

dhSinglePass-stdDH-sha224kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 11 0 }

dhSinglePass-stdDH-sha256kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 11 1 }

dhSinglePass-stdDH-sha384kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 11 2 }

dhSinglePass-stdDH-sha512kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 11 3 }

--
-- Diffie-Hellman Single Pass, Cofactor, with KDFs
--

dhSinglePass-cofactorDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
  x9-63-scheme 3 }

dhSinglePass-cofactorDH-sha224kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 14 0 }

dhSinglePass-cofactorDH-sha256kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 14 1 }

dhSinglePass-cofactorDH-sha384kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 14 2 }

dhSinglePass-cofactorDH-sha512kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 14 3 }

--
-- MQV Single Pass, Cofactor, with KDFs
--

mqvSinglePass-sha1kdf-scheme OBJECT IDENTIFIER ::= {
  x9-63-scheme 16 }

mqvSinglePass-sha224kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 15 0 }

mqvSinglePass-sha256kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 15 1 }

mqvSinglePass-sha384kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 15 2 }

mqvSinglePass-sha512kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 15 3 }

--
-- Key Wrap Algorithms: Imported from [CMS-ALG] and [CMS-AES]
--

KeyWrapAlgorithm ::= AlgorithmIdentifier

-- id-alg-CMS3DESwrap  Parameters are NULL
-- id-aes128-wrap      Parameters are absent
-- id-aes192-wrap      Parameters are absent
-- id-aes256-wrap      Parameters are absent

--
-- Content Encryption Algorithms: Imported from [CMS-ALG]
-- and [CMS-AES]
--

-- des-ede3-cbc   Parameters are CBCParameter
-- id-aes128-CBC  Parameters are AES-IV
-- id-aes192-CBC  Parameters are AES-IV
-- id-aes256-CBC  Parameters are AES-IV
-- id-aes128-CCM  Parameters are CCMParameters
-- id-aes192-CCM  Parameters are CCMParameters
-- id-aes256-CCM  Parameters are CCMParameters
-- id-aes128-GCM  Parameters are GCMParameters
-- id-aes192-GCM  Parameters are GCMParameters
-- id-aes256-GCM  Parameters are GCMParameters

--
-- Message Authentication Code Algorithms
--

-- hMAC-SHA1  Parameters are preferred absent

-- HMAC with SHA-224, SHA-256, SHA-384, and SHA-512 Parameters are
-- absent

id-hmacWithSHA224 OBJECT IDENTIFIER ::= {
  iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 }

id-hmacWithSHA256 OBJECT IDENTIFIER ::= {
  iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 9 }

id-hmacWithSHA384 OBJECT IDENTIFIER ::= {
  iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 10 }

id-hmacWithSHA512 OBJECT IDENTIFIER ::= {
  iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 }

--
-- Originator Public Key Algorithms: Imported from [PKI-ALG]
--

-- id-ecPublicKey  Parameters are absent, NULL, or ECParameters

-- Format for both ephemeral and static public keys: Imported from
-- [PKI-ALG]

-- ECPoint ::= OCTET STRING

-- ECParameters ::= CHOICE {
--   namedCurve      OBJECT IDENTIFIER
--   -- commented out in [PKI-ALG] implicitCurve   NULL
--   -- commented out in [PKI-ALG] specifiedCurve  SpecifiedECDomain
--   -- commented out in [PKI-ALG] ...
-- }
-- implicitCurve and specifiedCurve MUST NOT be used in PKIX.
-- Details for SpecifiedECDomain can be found in [X9.62].
-- Any future additions to this CHOICE should be coordinated
-- with ANSI X9.

-- Format of KeyAgreeRecipientInfo ukm field when used with
-- ECMQV

MQVuserKeyingMaterial ::= SEQUENCE {
  ephemeralPublicKey  OriginatorPublicKey,
  addedukm            [0] EXPLICIT UserKeyingMaterial OPTIONAL }

-- 'SharedInfo' for input to KDF when using ECDH and ECMQV with
-- EnvelopedData, AuthenticatedData, or AuthEnvelopedData

ECC-CMS-SharedInfo ::= SEQUENCE {
  keyInfo      AlgorithmIdentifier,
  entityUInfo  [0] EXPLICIT OCTET STRING OPTIONAL,
  suppPubInfo  [2] EXPLICIT OCTET STRING }

--
-- S/MIME Capabilities
-- An identifier followed by type.
--

--
-- S/MIME Capabilities: Message Digest Algorithms
--

-- Found in [CMS-SHA2].

--
-- S/MIME Capabilities: Signature Algorithms
--

-- ecdsa-with-SHA1    Type NULL
-- ecdsa-with-SHA224  Type absent
-- ecdsa-with-SHA256  Type absent
-- ecdsa-with-SHA384  Type absent
-- ecdsa-with-SHA512  Type absent

--
-- S/MIME Capabilities: ECDH, Single Pass, Standard
--

-- dhSinglePass-stdDH-sha1kdf    Type is the KeyWrapAlgorithm
-- dhSinglePass-stdDH-sha224kdf  Type is the KeyWrapAlgorithm
-- dhSinglePass-stdDH-sha256kdf  Type is the KeyWrapAlgorithm
-- dhSinglePass-stdDH-sha384kdf  Type is the KeyWrapAlgorithm
-- dhSinglePass-stdDH-sha512kdf  Type is the KeyWrapAlgorithm

--
-- S/MIME Capabilities: ECDH, Single Pass, Cofactor
--

-- dhSinglePass-cofactorDH-sha1kdf    Type is the KeyWrapAlgorithm
-- dhSinglePass-cofactorDH-sha224kdf  Type is the KeyWrapAlgorithm
-- dhSinglePass-cofactorDH-sha256kdf  Type is the KeyWrapAlgorithm
-- dhSinglePass-cofactorDH-sha384kdf  Type is the KeyWrapAlgorithm
-- dhSinglePass-cofactorDH-sha512kdf  Type is the KeyWrapAlgorithm

--
-- S/MIME Capabilities: ECMQV, Single Pass, Standard
--

-- mqvSinglePass-sha1kdf    Type is the KeyWrapAlgorithm
-- mqvSinglePass-sha224kdf  Type is the KeyWrapAlgorithm
-- mqvSinglePass-sha256kdf  Type is the KeyWrapAlgorithm
-- mqvSinglePass-sha384kdf  Type is the KeyWrapAlgorithm
-- mqvSinglePass-sha512kdf  Type is the KeyWrapAlgorithm

--
-- S/MIME Capabilities: Message Authentication Code Algorithms
--

-- hMACSHA1           Type is preferred absent
-- id-hmacWithSHA224  Type is absent
-- id-hmacWithSHA256  Type is absent
-- id-hmacWithSHA384  Type is absent
-- id-hmacWithSHA512  Type is absent

END
A.2. 2004 ASN.1 Module
CMSECCAlgs-2009-02
  { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
    smime(16) modules(0) id-mod-cms-ecc-alg-2009-02(46) }

DEFINITIONS IMPLICIT TAGS ::=

BEGIN

-- EXPORTS ALL

IMPORTS

-- From [PKI-ASN]

mda-sha1, sa-ecdsaWithSHA1, sa-ecdsaWithSHA224, sa-ecdsaWithSHA256,
sa-ecdsaWithSHA384, sa-ecdsaWithSHA512, id-ecPublicKey,
ECDSA-Sig-Value, ECPoint, ECParameters
  FROM PKIXAlgs-2009
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkix1-algorithms2008-02(56) }

-- From [PKI-ASN]

mda-sha224, mda-sha256, mda-sha384, mda-sha512
  FROM PKIX1-PSS-OAEP-Algorithms-2009
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-pkix1-rsa-pkalgs-02(54) }

-- FROM [CMS-ASN]

KEY-WRAP, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM, ALGORITHM,
PUBLIC-KEY, MAC-ALGORITHM, CONTENT-ENCRYPTION, KEY-AGREE,
SMIME-CAPS, AlgorithmIdentifier{}
  FROM AlgorithmInformation-2009
    { iso(1) identified-organization(3) dod(6) internet(1)
      security(5) mechanisms(5) pkix(7) id-mod(0)
      id-mod-algorithmInformation-02(58) }

-- From [CMS-ASN]

OriginatorPublicKey, UserKeyingMaterial
  FROM CryptographicMessageSyntax-2009
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) id-mod-cms-2004-02(41) }

-- From [CMS-ASN]

maca-hMAC-SHA1, cea-3DES-cbc, kwa-3DESWrap, CBCParameter
  FROM CryptographicMessageSyntaxAlgorithms-2009
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) id-mod-cmsalg-2001-02(37) }

-- From [CMS-ASN]

cea-aes128-cbc, cea-aes192-cbc, cea-aes256-cbc,
kwa-aes128-wrap, kwa-aes192-wrap, kwa-aes256-wrap
  FROM CMSAesRsaesOaep-2009
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) id-mod-cms-aes-02(38) }

-- From [CMS-ASN]

cea-aes128-CCM, cea-aes192-CCM, cea-aes256-CCM,
cea-aes128-GCM, cea-aes192-GCM, cea-aes256-GCM
  FROM CMS-AES-CCM-and-AES-GCM-2009
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
      smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) }

;

-- Constrains the SignedData digestAlgorithms field
-- Constrains the SignedData SignerInfo digestAlgorithm field
-- Constrains the AuthenticatedData digestAlgorithm field

-- Message Digest Algorithms: Imported from [PKI-ASN]

-- MessageDigestAlgs DIGEST-ALGORITHM ::= {
--   mda-sha1   |
--   mda-sha224 |
--   mda-sha256 |
--   mda-sha384 |
--   mda-sha512,
--   ...
-- }

-- Constrains the SignedData SignerInfo signatureAlgorithm field

-- Signature Algorithms: Imported from [PKI-ASN]

-- SignatureAlgs SIGNATURE-ALGORITHM ::= {
--   sa-ecdsaWithSHA1   |
--   sa-ecdsaWithSHA224 |
--   sa-ecdsaWithSHA256 |
--   sa-ecdsaWithSHA384 |
--   sa-ecdsaWithSHA512,
--   ...
-- }

-- ECDSA Signature Value: Imported from [PKI-ALG]
-- Contents of SignatureValue OCTET STRING

-- ECDSA-Sig-Value ::= SEQUENCE {
--   r  INTEGER,
--   s  INTEGER
-- }

--
-- Key Agreement Algorithms
--

-- Constrains the EnvelopedData RecipientInfo KeyAgreeRecipientInfo
-- keyEncryption Algorithm field
-- Constrains the AuthenticatedData RecipientInfo
-- KeyAgreeRecipientInfo keyEncryption Algorithm field
-- Constrains the AuthEnvelopedData RecipientInfo
-- KeyAgreeRecipientInfo keyEncryption Algorithm field
-- DH variants are not used with AuthenticatedData or
-- AuthEnvelopedData

KeyAgreementAlgs KEY-AGREE ::= {
  kaa-dhSinglePass-stdDH-sha1kdf-scheme        |
  kaa-dhSinglePass-stdDH-sha224kdf-scheme      |
  kaa-dhSinglePass-stdDH-sha256kdf-scheme      |
  kaa-dhSinglePass-stdDH-sha384kdf-scheme      |
  kaa-dhSinglePass-stdDH-sha512kdf-scheme      |
  kaa-dhSinglePass-cofactorDH-sha1kdf-scheme   |
  kaa-dhSinglePass-cofactorDH-sha224kdf-scheme |
  kaa-dhSinglePass-cofactorDH-sha256kdf-scheme |
  kaa-dhSinglePass-cofactorDH-sha384kdf-scheme |
  kaa-dhSinglePass-cofactorDH-sha512kdf-scheme |
  kaa-mqvSinglePass-sha1kdf-scheme             |
  kaa-mqvSinglePass-sha224kdf-scheme           |
  kaa-mqvSinglePass-sha256kdf-scheme           |
  kaa-mqvSinglePass-sha384kdf-scheme           |
  kaa-mqvSinglePass-sha512kdf-scheme,
  ...
}

x9-63-scheme OBJECT IDENTIFIER ::= {
  iso(1) identified-organization(3) tc68(133) country(16) x9(840)
  x9-63(63) schemes(0) }

secg-scheme OBJECT IDENTIFIER ::= {
  iso(1) identified-organization(3) certicom(132) schemes(1) }

--
-- Diffie-Hellman Single Pass, Standard, with KDFs
--

-- Parameters are always present and indicate the Key Wrap Algorithm

kaa-dhSinglePass-stdDH-sha1kdf-scheme KEY-AGREE ::= {
  IDENTIFIER dhSinglePass-stdDH-sha1kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-dhSinglePass-stdDH-sha1kdf-scheme
}

dhSinglePass-stdDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
  x9-63-scheme 2 }

kaa-dhSinglePass-stdDH-sha224kdf-scheme KEY-AGREE ::= {
  IDENTIFIER dhSinglePass-stdDH-sha224kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-dhSinglePass-stdDH-sha224kdf-scheme
}

dhSinglePass-stdDH-sha224kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 11 0 }

kaa-dhSinglePass-stdDH-sha256kdf-scheme KEY-AGREE ::= {
  IDENTIFIER dhSinglePass-stdDH-sha256kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-dhSinglePass-stdDH-sha256kdf-scheme
}

dhSinglePass-stdDH-sha256kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 11 1 }

kaa-dhSinglePass-stdDH-sha384kdf-scheme KEY-AGREE ::= {
  IDENTIFIER dhSinglePass-stdDH-sha384kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-dhSinglePass-stdDH-sha384kdf-scheme
}

dhSinglePass-stdDH-sha384kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 11 2 }

kaa-dhSinglePass-stdDH-sha512kdf-scheme KEY-AGREE ::= {
  IDENTIFIER dhSinglePass-stdDH-sha512kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-dhSinglePass-stdDH-sha512kdf-scheme
}

dhSinglePass-stdDH-sha512kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 11 3 }

--
-- Diffie-Hellman Single Pass, Cofactor, with KDFs
--

kaa-dhSinglePass-cofactorDH-sha1kdf-scheme KEY-AGREE ::= {
  IDENTIFIER dhSinglePass-cofactorDH-sha1kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-dhSinglePass-cofactorDH-sha1kdf-scheme
}

dhSinglePass-cofactorDH-sha1kdf-scheme OBJECT IDENTIFIER ::= {
  x9-63-scheme 3 }

kaa-dhSinglePass-cofactorDH-sha224kdf-scheme KEY-AGREE ::= {
  IDENTIFIER dhSinglePass-cofactorDH-sha224kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-dhSinglePass-cofactorDH-sha224kdf-scheme
}

dhSinglePass-cofactorDH-sha224kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 14 0 }

kaa-dhSinglePass-cofactorDH-sha256kdf-scheme KEY-AGREE ::= {
  IDENTIFIER dhSinglePass-cofactorDH-sha256kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-dhSinglePass-cofactorDH-sha256kdf-scheme
}

dhSinglePass-cofactorDH-sha256kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 14 1 }

kaa-dhSinglePass-cofactorDH-sha384kdf-scheme KEY-AGREE ::= {
  IDENTIFIER dhSinglePass-cofactorDH-sha384kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-dhSinglePass-cofactorDH-sha384kdf-scheme
}

dhSinglePass-cofactorDH-sha384kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 14 2 }

kaa-dhSinglePass-cofactorDH-sha512kdf-scheme KEY-AGREE ::= {
  IDENTIFIER dhSinglePass-cofactorDH-sha512kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-dhSinglePass-cofactorDH-sha512kdf-scheme
}

dhSinglePass-cofactorDH-sha512kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 14 3 }

--
-- MQV Single Pass, Cofactor, with KDFs
--

kaa-mqvSinglePass-sha1kdf-scheme KEY-AGREE ::= {
  IDENTIFIER mqvSinglePass-sha1kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-mqvSinglePass-sha1kdf-scheme
}

mqvSinglePass-sha1kdf-scheme OBJECT IDENTIFIER ::= {
  x9-63-scheme 16 }

kaa-mqvSinglePass-sha224kdf-scheme KEY-AGREE ::= {
  IDENTIFIER mqvSinglePass-sha224kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-mqvSinglePass-sha224kdf-scheme
}

mqvSinglePass-sha224kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 15 0 }

kaa-mqvSinglePass-sha256kdf-scheme KEY-AGREE ::= {
  IDENTIFIER mqvSinglePass-sha256kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-mqvSinglePass-sha256kdf-scheme
}

mqvSinglePass-sha256kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 15 1 }

kaa-mqvSinglePass-sha384kdf-scheme KEY-AGREE ::= {
  IDENTIFIER mqvSinglePass-sha384kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-mqvSinglePass-sha384kdf-scheme
}

mqvSinglePass-sha384kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 15 2 }

kaa-mqvSinglePass-sha512kdf-scheme KEY-AGREE ::= {
  IDENTIFIER mqvSinglePass-sha512kdf-scheme
  PARAMS TYPE KeyWrapAlgorithm ARE required
  UKM -- TYPE unencoded data -- ARE preferredPresent
  SMIME-CAPS cap-kaa-mqvSinglePass-sha512kdf-scheme
}

mqvSinglePass-sha512kdf-scheme OBJECT IDENTIFIER ::= {
  secg-scheme 15 3 }

--
-- Key Wrap Algorithms: Imported from [CMS-ASN]
--

KeyWrapAlgorithm ::= AlgorithmIdentifier { KEY-WRAP, { KeyWrapAlgs } }

KeyWrapAlgs KEY-WRAP ::= {
  kwa-3DESWrap |
  kwa-aes128-wrap |
  kwa-aes192-wrap |
  kwa-aes256-wrap,
  ...
}

--
-- Content Encryption Algorithms: Imported from [CMS-ASN]
--

-- Constrains the EnvelopedData EncryptedContentInfo encryptedContent
-- field and the AuthEnvelopedData EncryptedContentInfo
-- contentEncryptionAlgorithm field

-- ContentEncryptionAlgs CONTENT-ENCRYPTION ::= {
--   cea-3DES-cbc   |
--   cea-aes128-cbc |
--   cea-aes192-cbc |
--   cea-aes256-cbc |
--   cea-aes128-ccm |
--   cea-aes192-ccm |
--   cea-aes256-ccm |
--   cea-aes128-gcm |
--   cea-aes192-gcm |
--   cea-aes256-gcm,
--   ...
-- }

-- des-ede3-cbc and aes*-cbc are used with EnvelopedData and
-- EncryptedData
-- aes*-ccm are used with AuthEnvelopedData
-- aes*-gcm are used with AuthEnvelopedData
-- (where * is 128, 192, and 256)

--
-- Message Authentication Code Algorithms
--

-- Constrains the AuthenticatedData
-- MessageAuthenticationCodeAlgorithm field
--

MessageAuthAlgs MAC-ALGORITHM ::= {
  -- maca-hMAC-SHA1 |
  maca-hMAC-SHA224 |
  maca-hMAC-SHA256 |
  maca-hMAC-SHA384 |
  maca-hMAC-SHA512,
  ...
}

maca-hMAC-SHA224 MAC-ALGORITHM ::= {
  IDENTIFIER id-hmacWithSHA224
  PARAMS ARE absent
  IS-KEYED-MAC TRUE
  SMIME-CAPS cap-hMAC-SHA224
}

id-hmacWithSHA224 OBJECT IDENTIFIER ::= {
  iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 8 }

maca-hMAC-SHA256 MAC-ALGORITHM ::= {
  IDENTIFIER id-hmacWithSHA256
  PARAMS ARE absent
  IS-KEYED-MAC TRUE
  SMIME-CAPS cap-hMAC-SHA256
}

id-hmacWithSHA256 OBJECT IDENTIFIER ::= {
  iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 9 }

maca-hMAC-SHA384 MAC-ALGORITHM ::= {
  IDENTIFIER id-hmacWithSHA384
  PARAMS ARE absent
  IS-KEYED-MAC TRUE
  SMIME-CAPS cap-hMAC-SHA384
}

id-hmacWithSHA384 OBJECT IDENTIFIER ::= {
  iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 10 }

maca-hMAC-SHA512 MAC-ALGORITHM ::= {
  IDENTIFIER id-hmacWithSHA512
  PARAMS ARE absent
  IS-KEYED-MAC TRUE
  SMIME-CAPS cap-hMAC-SHA512
}

id-hmacWithSHA512 OBJECT IDENTIFIER ::= {
  iso(1) member-body(2) us(840) rsadsi(113549) digestAlgorithm(2) 11 }

--
-- Originator Public Key Algorithms
--

-- Constraints on KeyAgreeRecipientInfo OriginatorIdentifierOrKey
-- OriginatorPublicKey algorithm field

OriginatorPKAlgorithms PUBLIC-KEY ::= {
  opka-ec,
  ...
}

opka-ec PUBLIC-KEY ::= {
  IDENTIFIER id-ecPublicKey
  KEY ECPoint
  PARAMS TYPE CHOICE { n NULL, p ECParameters } ARE preferredAbsent
}

-- Format for both ephemeral and static public keys: Imported from
-- [PKI-ALG]

-- ECPoint ::= OCTET STRING

-- ECParameters ::= CHOICE {
--   namedCurve      CURVE.&id({NamedCurve})
--   -- commented out in [PKI-ALG] implicitCurve   NULL
--   -- commented out in [PKI-ALG] specifiedCurve  SpecifiedECDomain
--   -- commented out in [PKI-ALG] ...
-- }
-- implicitCurve and specifiedCurve MUST NOT be used in PKIX.
-- Details for SpecifiedECDomain can be found in [X9.62].
-- Any future additions to this CHOICE should be coordinated
-- with ANSI X.9.

-- Format of KeyAgreeRecipientInfo ukm field when used with
-- ECMQV

MQVuserKeyingMaterial ::= SEQUENCE {
  ephemeralPublicKey  OriginatorPublicKey,
  addedukm            [0] EXPLICIT UserKeyingMaterial OPTIONAL }

-- 'SharedInfo' for input to KDF when using ECDH and ECMQV with
-- EnvelopedData, AuthenticatedData, or AuthEnvelopedData

ECC-CMS-SharedInfo ::= SEQUENCE {
  keyInfo      KeyWrapAlgorithm,
  entityUInfo  [0] EXPLICIT OCTET STRING OPTIONAL,
  suppPubInfo  [2] EXPLICIT OCTET STRING }

--
-- S/MIME CAPS for algorithms in this document
--

SMimeCAPS SMIME-CAPS ::= {
  -- mda-sha1.&smimeCaps |
  -- mda-sha224.&smimeCaps |
  -- mda-sha256.&smimeCaps |
  -- mda-sha384.&smimeCaps |
  -- mda-sha512.&smimeCaps |
  -- sa-ecdsaWithSHA1.&smimeCaps |
  -- sa-ecdsaWithSHA224.&smimeCaps |
  -- sa-ecdsaWithSHA256.&smimeCaps |
  -- sa-ecdsaWithSHA384.&smimeCaps |
  -- sa-ecdsaWithSHA512.&smimeCaps |
  kaa-dhSinglePass-stdDH-sha1kdf-scheme.&smimeCaps |
  kaa-dhSinglePass-stdDH-sha224kdf-scheme.&smimeCaps |
  kaa-dhSinglePass-stdDH-sha256kdf-scheme.&smimeCaps |
  kaa-dhSinglePass-stdDH-sha384kdf-scheme.&smimeCaps |
  kaa-dhSinglePass-stdDH-sha512kdf-scheme.&smimeCaps |
  kaa-dhSinglePass-cofactorDH-sha1kdf-scheme.&smimeCaps |
  kaa-dhSinglePass-cofactorDH-sha224kdf-scheme.&smimeCaps |
  kaa-dhSinglePass-cofactorDH-sha256kdf-scheme.&smimeCaps |
  kaa-dhSinglePass-cofactorDH-sha384kdf-scheme.&smimeCaps |
  kaa-dhSinglePass-cofactorDH-sha512kdf-scheme.&smimeCaps |
  kaa-mqvSinglePass-sha1kdf-scheme.&smimeCaps |
  kaa-mqvSinglePass-sha224kdf-scheme.&smimeCaps |
  kaa-mqvSinglePass-sha256kdf-scheme.&smimeCaps |
  kaa-mqvSinglePass-sha384kdf-scheme.&smimeCaps |
  kaa-mqvSinglePass-sha512kdf-scheme.&smimeCaps |
  -- kwa-3des.&smimeCaps |
  -- kwa-aes128.&smimeCaps |
  -- kwa-aes192.&smimeCaps |
  -- kwa-aes256.&smimeCaps |
  -- cea-3DES-cbc.&smimeCaps |
  -- cea-aes128-cbc.&smimeCaps |
  -- cea-aes192-cbc.&smimeCaps |
  -- cea-aes256-cbc.&smimeCaps |
  -- cea-aes128-ccm.&smimeCaps |
  -- cea-aes192-ccm.&smimeCaps |
  -- cea-aes256-ccm.&smimeCaps |
  -- cea-aes128-gcm.&smimeCaps |
  -- cea-aes192-gcm.&smimeCaps |
  -- cea-aes256-gcm.&smimeCaps |
  -- maca-hMAC-SHA1.&smimeCaps |
  maca-hMAC-SHA224.&smimeCaps |
  maca-hMAC-SHA256.&smimeCaps |
  maca-hMAC-SHA384.&smimeCaps |
  maca-hMAC-SHA512.&smimeCaps,
  ...
}

cap-kaa-dhSinglePass-stdDH-sha1kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY dhSinglePass-stdDH-sha1kdf-scheme }

cap-kaa-dhSinglePass-stdDH-sha224kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY dhSinglePass-stdDH-sha224kdf-scheme }

cap-kaa-dhSinglePass-stdDH-sha256kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY dhSinglePass-stdDH-sha256kdf-scheme }

cap-kaa-dhSinglePass-stdDH-sha384kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY dhSinglePass-stdDH-sha384kdf-scheme }

cap-kaa-dhSinglePass-stdDH-sha512kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY dhSinglePass-stdDH-sha512kdf-scheme }

cap-kaa-dhSinglePass-cofactorDH-sha1kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY dhSinglePass-cofactorDH-sha1kdf-scheme }

cap-kaa-dhSinglePass-cofactorDH-sha224kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY dhSinglePass-cofactorDH-sha224kdf-scheme }

cap-kaa-dhSinglePass-cofactorDH-sha256kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY dhSinglePass-cofactorDH-sha256kdf-scheme }

cap-kaa-dhSinglePass-cofactorDH-sha384kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY dhSinglePass-cofactorDH-sha384kdf-scheme }

cap-kaa-dhSinglePass-cofactorDH-sha512kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY dhSinglePass-cofactorDH-sha512kdf-scheme }

cap-kaa-mqvSinglePass-sha1kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY mqvSinglePass-sha1kdf-scheme }

cap-kaa-mqvSinglePass-sha224kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY mqvSinglePass-sha224kdf-scheme }

cap-kaa-mqvSinglePass-sha256kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY mqvSinglePass-sha256kdf-scheme }

cap-kaa-mqvSinglePass-sha384kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY mqvSinglePass-sha384kdf-scheme }

cap-kaa-mqvSinglePass-sha512kdf-scheme SMIME-CAPS ::= {
  TYPE KeyWrapAlgorithm
  IDENTIFIED BY mqvSinglePass-sha512kdf-scheme }

cap-hMAC-SHA224 SMIME-CAPS ::= {
  IDENTIFIED BY id-hmacWithSHA224 }

cap-hMAC-SHA256 SMIME-CAPS ::= {
  IDENTIFIED BY id-hmacWithSHA256 }

cap-hMAC-SHA384 SMIME-CAPS ::= {
  IDENTIFIED BY id-hmacWithSHA384 }

cap-hMAC-SHA512 SMIME-CAPS ::= {
  IDENTIFIED BY id-hmacWithSHA512 }

END
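Both modules above define ECC-CMS-SharedInfo as the KDF input, and Appendix B notes that keyInfo carries the key wrap AlgorithmIdentifier with whatever parameters that algorithm uses (absent for the AES wraps, NULL for id-alg-CMS3DESwrap) and that suppPubInfo holds the KEK length in bits. The following Python is an added illustration, not code from this specification: it DER-encodes ECC-CMS-SharedInfo by hand and runs the ANSI X9.63 KDF that Appendix B says is retained from ANSI/SEC1 (Hash(Z || Counter || SharedInfo), 32-bit counter starting at 1). The shared secret Z and the ukm value are constructed sample bytes; the dotted OID values for id-aes256-wrap and id-alg-CMS3DESwrap come from the referenced CMS algorithm RFCs.

```python
"""Encode ECC-CMS-SharedInfo (DER) and derive a KEK with the X9.63 KDF.

Added illustration; not code from RFC 5753 or its ASN.1 modules.  Z and the
entityUInfo values used below are constructed samples, not test vectors.
"""
import hashlib
from typing import Optional

# OIDs from the referenced CMS algorithm specifications ([CMS-AES], [CMS-ALG]).
ID_AES256_WRAP = "2.16.840.1.101.3.4.1.45"        # parameters absent
ID_ALG_CMS3DESWRAP = "1.2.840.113549.1.9.16.3.6"  # parameters NULL


def _der_len(n: int) -> bytes:
    """DER length octets, definite form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    """Tag || length || content for a single-octet tag."""
    return bytes([tag]) + _der_len(len(content)) + content


def _base128(n: int) -> bytes:
    """Variable-length base-128 encoding of one OID arc."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER from a dotted-decimal string."""
    arcs = [int(a) for a in dotted.split(".")]
    content = _base128(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        content += _base128(arc)
    return _tlv(0x06, content)


def encode_algorithm_identifier(oid: str, params: Optional[bytes]) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }.

    params=None leaves the field absent (AES key wraps); pass b"\\x05\\x00"
    for an explicit NULL (id-alg-CMS3DESwrap).
    """
    return _tlv(0x30, encode_oid(oid) + (params or b""))


def encode_ecc_cms_shared_info(key_info: bytes, kek_bits: int,
                               entity_uinfo: Optional[bytes] = None) -> bytes:
    """ECC-CMS-SharedInfo ::= SEQUENCE {
         keyInfo      AlgorithmIdentifier,
         entityUInfo  [0] EXPLICIT OCTET STRING OPTIONAL,   -- the ukm
         suppPubInfo  [2] EXPLICIT OCTET STRING }           -- KEK bits, 4 octets
    """
    body = key_info
    if entity_uinfo is not None:
        body += _tlv(0xA0, _tlv(0x04, entity_uinfo))      # [0] EXPLICIT
    body += _tlv(0xA2, _tlv(0x04, kek_bits.to_bytes(4, "big")))  # [2] EXPLICIT
    return _tlv(0x30, body)


def x963_kdf(z: bytes, kek_bits: int, shared_info: bytes,
             hash_name: str = "sha256") -> bytes:
    """ANSI X9.63 KDF: concatenate Hash(Z || Counter || SharedInfo) for
    Counter = 1, 2, ... (32-bit big-endian) and truncate to kek_bits."""
    out = b""
    counter = 1
    while len(out) < kek_bits // 8:
        h = hashlib.new(hash_name)
        h.update(z + counter.to_bytes(4, "big") + shared_info)
        out += h.digest()
        counter += 1
    return out[: kek_bits // 8]


def derive_aes256_kek(z: bytes, ukm: Optional[bytes] = None) -> bytes:
    """KEK for id-aes256-wrap with the SHA-256 KDF; mirrors the suppPubInfo
    example (AES-256, i.e. 256 bits) mentioned in Appendix B."""
    key_info = encode_algorithm_identifier(ID_AES256_WRAP, None)
    shared_info = encode_ecc_cms_shared_info(key_info, 256, ukm)
    return x963_kdf(z, 256, shared_info, "sha256")


if __name__ == "__main__":
    Z = b"\x00" * 31 + b"\x01"   # constructed sample shared secret
    ki = encode_algorithm_identifier(ID_AES256_WRAP, None)
    print("SharedInfo:", encode_ecc_cms_shared_info(ki, 256).hex())
    print("KEK:       ", derive_aes256_kek(Z).hex())
```

Because the ukm is part of SharedInfo, a recipient that uses a different ukm than the originator derives a different KEK and the key unwrap fails, which is the check the test below exercises.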
Appendix B. Changes since RFC 3278
The following summarizes the changes:

- Abstract: The basis of the document was changed to refer to NIST FIPS 186-3 and SP800-56A. However, to maintain backwards compatibility the Key Derivation Function from ANSI/SEC1 is retained.
- Section 1: A bullet was added to address AuthEnvelopedData.
- Section 2.1: A sentence was added to indicate FIPS180-3 is used with ECDSA. Replaced reference to ANSI X9.62 with FIPS186-3.
- Section 2.1.1: The permitted digest algorithms were expanded from SHA-1 to SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
- Sections 2.1.2 and 2.1.3: The bullet addressing integer "e" was deleted.
- Section 3: Added explanation of why static-static ECDH is not included.
- Section 3.1: The reference for DH was changed from RFC 3852 to RFC 3370. Provided text to indicate fields of EnvelopedData are as in CMS.
- Section 3.1.1: The text was updated to include description of all KeyAgreeRecipientInfo fields. Parameters for id-ecPublicKey field changed from NULL to absent or ECParameter. Additional information about ukm was added.
- Section 3.2: The sentence describing the advantages of 1-Pass ECMQV was rewritten.
- Section 3.2.1: The text was updated to include description of all fields. Parameters for id-ecPublicKey field changed from NULL to absent or ECParameters.
- Sections 3.2.2 and 4.1.2: The re-use of ephemeral keys paragraph was reworded.
- Section 4.1: The sentences describing the advantages of 1-Pass ECMQV were moved to Section 4.
- Section 4.1.2: The note about the attack was moved to Section 4.
- Section 4.2: This section was added to address AuthEnvelopedData with ECMQV.
- Section 5: This section was moved to Section 8. The 1st paragraph was modified to recommend both SignedData and EnvelopedData. The requirements were updated for hash algorithms and recommendations for matching curves and hash algorithms. Also, the requirements were expanded to indicate which ECDH and ECMQV variants, key wrap algorithms, and content encryption algorithms are required for each of the content types used in this document. The permitted digest algorithms used in KDFs were expanded from SHA-1 to SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
- Section 6 (formerly 7): This section was updated to allow for SMIMECapabilities to be present in certificates. The S/MIME capabilities for ECDSA with SHA-224, SHA-256, SHA-384, and SHA-512 were added to the list of S/MIME Capabilities. Also, updated to include S/MIME capabilities for ECDH and ECMQV using the SHA-224, SHA-256, SHA-384, and SHA-512 algorithms as the KDF.
- Section 7.1 (formerly 8.1): Added sub-sections for digest, signature, originator public key, key agreement, content encryption, key wrap, and message authentication code algorithms. Pointed to algorithms and parameters in appropriate documents for: SHA-224, SHA-256, SHA-384, and SHA-512 as well as SHA-224, SHA-256, SHA-384, and SHA-512 with ECDSA. Also, added algorithm identifiers for ECDH std, ECDH cofactor, and ECMQV with SHA-224, SHA-256, SHA-384, and SHA-512 algorithms as the KDF. Changed id-ecPublicKey parameters to be absent, NULL, or ECParameters, and if present the originator's ECParameters must match the recipient's ECParameters.
- Section 7.2 (formerly 8.2): Updated to include AuthEnvelopedData. Also, added text to address support requirement for compressed, uncompressed, and hybrid keys; changed pointers from ANSI X9.61 to PKIX (where ECDSA-Sig-Value is imported); changed pointers from SECG to NIST specs; and updated example of suppPubInfo to be AES-256. keyInfo's parameters changed from NULL to any associated parameters (AES wraps have absent parameters).
- Section 9: Replaced text, which was a summary paragraph, with an updated security considerations section. Paragraph referring to definitions of SHA-224, SHA-256, SHA-384, and SHA-512 is deleted.
- Updated references.
- Added ASN.1 modules.
- Updated acknowledgements section.
Acknowledgements
The methods described in this document are based on work done by the ANSI X9F1 working group. The authors wish to extend their thanks to ANSI X9F1 for their assistance. The authors also wish to thank Peter de Rooij for his patient assistance. The technical comments of Francois Rousseau were valuable contributions.

Many thanks go out to the other authors of RFC 3278: Simon Blake-Wilson and Paul Lambert. Without RFC 3278, this version wouldn't exist.

The authors also wish to thank Alfred Hoenes, Jonathan Herzog, Paul Hoffman, Russ Housley, and Jim Schaad for their valuable input.

Authors' Addresses

Sean Turner
IECA, Inc.
3057 Nutley Street, Suite 106
Fairfax, VA 22031
USA
EMail: turners@ieca.com

Daniel R. L. Brown
Certicom Corp
5520 Explorer Drive #400
Mississauga, ON L4W 5L1
Canada
EMail: dbrown@certicom.com