Use of the CAST-128 Encryption Algorithm in CMS
RFC 2984

Document Type RFC - Proposed Standard (October 2000; No errata)
Author Carlisle Adams 
Last updated 2013-03-02
Stream IETF
Formats plain text html pdf htmlized bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2984 (Proposed Standard)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                           C. Adams
Request for Comments: 2984                          Entrust Technologies
Category: Standards Track                                   October 2000

            Use of the CAST-128 Encryption Algorithm in CMS

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2000).  All Rights Reserved.


   This document specifies how to incorporate CAST-128 (RFC2144) into
   the S/MIME Cryptographic Message Syntax (CMS) as an additional
   algorithm for symmetric encryption.  The relevant OIDs and processing
   steps are provided so that CAST-128 may be included in the CMS
   specification (RFC2630) for symmetric content and key encryption.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
   "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in uppercase,
   as shown) are to be interpreted as described in [RFC2119].

1. Motivation

   S/MIME (Secure/Multipurpose Internet Mail Extensions) [SMIME2,
   SMIME3] is a set of specifications for the secure transport of MIME
   objects.  In the current (S/MIME v3) specifications the mandatory-
   to-implement symmetric algorithm for content encryption and key
   encryption is triple-DES (3DES).  While this is perfectly acceptable
   in many cases because the security of 3DES is generally considered to
   be high, for some environments 3DES may be seen to be too slow.  In
   part to help alleviate such performance concerns, S/MIME has allowed
   any number of (optional) additional algorithms to be used for
   symmetric content and key encryption.

   The CAST-128 encryption algorithm [RFC2144, Adams] is a well-studied
   symmetric cipher that has a number of appealing features, including
   relatively high performance and a variable key size (from 40 bits to
   128 bits).  It is available royalty-free and license-free for

Adams                       Standards Track                     [Page 1]
RFC 2984                    CAST-128 in CMS                 October 2000

   commercial and non-commercial uses worldwide [IPR], and therefore is
   widely used in a number of applications around the Internet.  It thus
   seems to be a suitable optional encryption algorithm for S/MIME.

   This document describes how to use CAST-128 within the S/MIME CMS

2. Specification

   This section provides the OIDs and processing information necessary
   for CAST-128 to be used for content and key encryption in CMS.

2.1 OIDs for Content and Key Encryption

   CAST-128 is added to the set of optional symmetric encryption
   algorithms in CMS by providing two unique object identifiers (OIDs).
   One OID defines the content encryption algorithm and the other
   defines the key encryption algorithm.  Thus a CMS agent can apply
   CAST-128 either for content or key encryption by selecting the
   corresponding object identifier, supplying the required parameter,
   and starting the program code.

   For content encryption the use of CAST-128 in cipher block chaining
   (CBC) mode is RECOMMENDED.  The key length is variable (from 40 to
   128 bits in 1-octet increments).

   The CAST-128 content-encryption algorithm in CBC mode has the
   following object identifier:

     cast5CBC OBJECT IDENTIFIER ::= {iso(1) member-body(2)
         us(840) nt(113533) nsn(7) algorithms(66) 10}

   The parameter associated with this object identifier contains the
   initial vector IV and the key length:

     cast5CBCParameters ::= SEQUENCE {
         iv         OCTET STRING DEFAULT 0,
         -- Initialization vector
         keyLength  INTEGER
         -- Key length, in bits

   Comments regarding the use of the IV may be found in [RFC2144].

   The key-wrap/unwrap procedures used to encrypt/decrypt a CAST-128
   content-encryption key with a CAST-128 key-encryption key are
   specified in Section 2.2.  Generation and distribution of key-
   encryption keys are beyond the scope of this document.

Adams                       Standards Track                     [Page 2]
RFC 2984                    CAST-128 in CMS                 October 2000

   The CAST-128 key-encryption algorithm has the following object

     cast5CMSkeywrap OBJECT IDENTIFIER ::= { iso(1)
         member-body(2) us(840) nt(113533) nsn(7)
         algorithms(66) 15}

   The parameter associated with this object identifier contains only
   the key length (because the key wrapping procedure itself defines how
   and when to use an IV):

     cast5CMSkeywrapParameter ::= INTEGER
       -- key length, in bits

2.2 Key Wrapping and Unwrapping
Show full document text