Use of the RSAES-OAEP Key Transport Algorithm in Cryptographic Message Syntax (CMS)
RFC 3560
| Document | Type | RFC - Proposed Standard (July 2003; No errata) | |
|---|---|---|---|
| Author | Russ Housley | ||
| Last updated | 2013-03-02 | ||
| Stream | Internent Engineering Task Force (IETF) | ||
| Formats | plain text html pdf htmlized (tools) htmlized bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 3560 (Proposed Standard) | |
| Action Holders |
(None)
|
||
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Steven Bellovin | ||
| Send notices to | <turners@ieca.com>, <blake@brutesquadlabs.com> | ||
Network Working Group R. Housley
Request for Comments: 3560 Vigil Security
Category: Standards Track July 2003
Use of the RSAES-OAEP Key Transport Algorithm in
the Cryptographic Message Syntax (CMS)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
This document describes the conventions for using the RSAES-OAEP key
transport algorithm with the Cryptographic Message Syntax (CMS). The
CMS specifies the enveloped-data content type, which consists of an
encrypted content and encrypted content-encryption keys for one or
more recipients. The RSAES-OAEP key transport algorithm can be used
to encrypt content-encryption keys for intended recipients.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Enveloped-data Conventions . . . . . . . . . . . . . . . . . . 3
2.1. EnvelopedData Fields . . . . . . . . . . . . . . . . . . 3
2.2. KeyTransRecipientInfo Fields . . . . . . . . . . . . . . 4
3. RSAES-OAEP Algorithm Identifiers and Parameters. . . . . . . . 4
4. Certificate Conventions. . . . . . . . . . . . . . . . . . . . 6
5. SMIMECapabilities Attribute Conventions. . . . . . . . . . . . 8
6. Security Considerations. . . . . . . . . . . . . . . . . . . . 9
7. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 11
8. Intellectual Property Rights Statement . . . . . . . . . . . . 11
9. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 11
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
10.1. Normative References. . . . . . . . . . . . . . . . . . 11
10.2. Informative References. . . . . . . . . . . . . . . . . 12
Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 14
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 18
Housley Standards Track [Page 1]
RFC 3560 RSAES-OAEP in CMS July 2003
1. Introduction
PKCS #1 Version 1.5 [PKCS#1v1.5] specifies a widely deployed variant
of the RSA key transport algorithm. PKCS #1 Version 1.5 key
transport is vulnerable to adaptive chosen ciphertext attacks,
especially when it is used to for key management in interactive
applications. This attack is often referred to as the "Million
Message Attack," and it explained in [RSALABS] and [CRYPTO98].
Exploitation of this vulnerability, which reveals the result of a
particular RSA decryption, requires access to an oracle which will
respond to hundreds of thousands of ciphertexts, which are
constructed adaptively in response to previously received replies
that provide information on the successes or failures of attempted
decryption operations.
The attack is significantly less feasible in store-and-forward
environments, such as S/MIME. RFC 3218 [MMA] discussed the
countermeasures to this attack that are available when PKCS #1
Version 1.5 key transport is used in conjunction with the
Cryptographic Message Syntax (CMS) [CMS].
When PKCS #1 Version 1.5 key transport is applied as an intermediate
encryption layer within an interactive request-response
communications environment, exploitation could be more feasible.
However, Secure Sockets Layer (SSL) [SSL] and Transport Layer
Security (TLS) [TLS] protocol implementations could include
countermeasures that detect and prevent the Million Message Attack
and other chosen-ciphertext attacks. These countermeasures are
performed within the protocol level.
In the interest of long-term security assurance, it is prudent to
adopt an improved cryptographic technique rather than embedding
countermeasures within protocols. To this end, an updated version of
PKCS #1 has been published. PKCS #1 Version 2.1 [PKCS#1v2.1]
supersedes RFC 2313. It preserves support for the PKCS #1 Version
1.5 encryption padding format, and it also defines a new one. To
resolve the adaptive chosen ciphertext vulnerability, the PKCS #1
Version 2.1 specifies and recommends use of Optimal Asymmetric
Encryption Padding (OAEP) for RSA key transport.
This document specifies the use of RSAES-OAEP key transport algorithm
in the CMS. The CMS can be used in either a store-and-forward or an
interactive request-response environment.
Show full document text