Use of the RSAES-OAEP Key Transport Algorithm in Cryptographic Message Syntax (CMS)
RFC 3560
| Field | Value |
|---|---|
| Type | RFC - Proposed Standard (July 2003; no errata) |
| Author | Russ Housley |
| Last updated | 2013-03-02 |
| Stream | Internet Engineering Task Force (IETF) |
| IESG state | RFC 3560 (Proposed Standard) |
| Responsible AD | Steven Bellovin |
Network Working Group                                         R. Housley
Request for Comments: 3560                                Vigil Security
Category: Standards Track                                      July 2003

Use of the RSAES-OAEP Key Transport Algorithm in the Cryptographic Message Syntax (CMS)

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

This document describes the conventions for using the RSAES-OAEP key transport algorithm with the Cryptographic Message Syntax (CMS). The CMS specifies the enveloped-data content type, which consists of an encrypted content and encrypted content-encryption keys for one or more recipients. The RSAES-OAEP key transport algorithm can be used to encrypt content-encryption keys for intended recipients.

Table of Contents

   1.  Introduction ................................................ 2
   2.  Enveloped-data Conventions .................................. 3
       2.1.  EnvelopedData Fields .................................. 3
       2.2.  KeyTransRecipientInfo Fields .......................... 4
   3.  RSAES-OAEP Algorithm Identifiers and Parameters ............. 4
   4.  Certificate Conventions ..................................... 6
   5.  SMIMECapabilities Attribute Conventions ..................... 8
   6.  Security Considerations ..................................... 9
   7.  IANA Considerations ........................................ 11
   8.  Intellectual Property Rights Statement ..................... 11
   9.  Acknowledgments ............................................ 11
   10. References ................................................. 11
       10.1.  Normative References ................................ 11
       10.2.  Informative References .............................. 12
   Appendix A.  ASN.1 Module ...................................... 14
   Author's Address ............................................... 17
   Full Copyright Statement ....................................... 18

Housley                     Standards Track                     [Page 1]
RFC 3560                   RSAES-OAEP in CMS                   July 2003

1. Introduction

PKCS #1 Version 1.5 [PKCS#1v1.5] specifies a widely deployed variant of the RSA key transport algorithm. PKCS #1 Version 1.5 key transport is vulnerable to adaptive chosen ciphertext attacks, especially when it is used for key management in interactive applications. This attack is often referred to as the "Million Message Attack," and it is explained in [RSALABS] and [CRYPTO98]. Exploitation of this vulnerability, which reveals the result of a particular RSA decryption, requires access to an oracle which will respond to hundreds of thousands of ciphertexts, which are constructed adaptively in response to previously received replies that provide information on the successes or failures of attempted decryption operations. The attack is significantly less feasible in store-and-forward environments, such as S/MIME. RFC 3218 [MMA] discusses the countermeasures to this attack that are available when PKCS #1 Version 1.5 key transport is used in conjunction with the Cryptographic Message Syntax (CMS) [CMS].

When PKCS #1 Version 1.5 key transport is applied as an intermediate encryption layer within an interactive request-response communications environment, exploitation could be more feasible. However, Secure Sockets Layer (SSL) [SSL] and Transport Layer Security (TLS) [TLS] protocol implementations could include countermeasures that detect and prevent the Million Message Attack and other chosen-ciphertext attacks. These countermeasures are performed within the protocol level. In the interest of long-term security assurance, it is prudent to adopt an improved cryptographic technique rather than embedding countermeasures within protocols.

To this end, an updated version of PKCS #1 has been published. PKCS #1 Version 2.1 [PKCS#1v2.1] supersedes RFC 2313. It preserves support for the PKCS #1 Version 1.5 encryption padding format, and it also defines a new one. To resolve the adaptive chosen ciphertext vulnerability, PKCS #1 Version 2.1 specifies and recommends use of Optimal Asymmetric Encryption Padding (OAEP) for RSA key transport. This document specifies the use of the RSAES-OAEP key transport algorithm in the CMS. The CMS can be used in either a store-and-forward or an interactive request-response environment.
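As an added illustration that is not part of the RFC, the following stdlib-only Python implements the EME-OAEP padding layer that RSAES-OAEP wraps around the content-encryption key, using RFC 3560's default parameters (SHA-1 for both the hash and MGF1, empty label), which are assumed here because that part of the RFC is outside this excerpt. The decoder evaluates every check and reports all failures as the same result, which is the property that denies a Million Message Attack the per-failure feedback it needs; the RSA modular exponentiation around the padding is omitted, and the modulus length `k` and the sample CEK are constructed values.

```python
import hashlib
import os
from typing import Optional

H_LEN = hashlib.sha1().digest_size  # 20 bytes: SHA-1 is the RFC 3560 default hash


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 (PKCS #1 v2.1, B.2.1) built on SHA-1, the RFC 3560 default mask function."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def eme_oaep_encode(msg: bytes, k: int, label: bytes = b"",
                    seed: Optional[bytes] = None) -> bytes:
    """Build the k-byte encoded message EM to which RSA encryption is then applied.
    k is the modulus length in bytes; seed is random unless fixed for a test."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = hashlib.sha1(label).digest()
    ps = b"\x00" * (k - len(msg) - 2 * H_LEN - 2)
    db = l_hash + ps + b"\x01" + msg              # lHash || PS || 0x01 || M
    seed = os.urandom(H_LEN) if seed is None else seed
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db


def eme_oaep_decode(em: bytes, k: int, label: bytes = b"") -> Optional[bytes]:
    """Recover M from EM. Every check is evaluated and any failure yields the same
    None, so a caller cannot learn which part of the padding was wrong."""
    if len(em) != k or k < 2 * H_LEN + 2:
        return None
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    rest = db[H_LEN:]                             # PS || 0x01 || M
    sep = len(rest) - len(rest.lstrip(b"\x00"))   # index of first non-zero byte
    ok = (y == 0) & (db[:H_LEN] == hashlib.sha1(label).digest()) \
        & (sep < len(rest)) & (rest[sep:sep + 1] == b"\x01")
    return rest[sep + 1:] if ok else None
```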