Suite B in Secure/Multipurpose Internet Mail Extensions (S/MIME)
RFC 5008
Document Type RFC - Historic (September 2007; Errata)
Obsoleted by RFC 6318
Was draft-housley-smime-suite-b (individual in sec area)
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Reviews
SECDIR Last Call Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 5008 (Historic)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Tim Polk
Send notices to (None)
Email authors IPR 4 References Referenced by Nits 
Network Working Group                                         R. Housley
Request for Comments: 5008                                Vigil Security
Category: Informational                                       J. Solinas
                                                                     NSA
                                                           September 2007

    Suite B in Secure/Multipurpose Internet Mail Extensions (S/MIME)

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Abstract

   This document specifies the conventions for using the United States
   National Security Agency's Suite B algorithms in Secure/Multipurpose
   Internet Mail Extensions (S/MIME) as specified in RFC 3851.

1.  Introduction

   This document specifies the conventions for using the United States
   National Security Agency's Suite B algorithms [SuiteB] in
   Secure/Multipurpose Internet Mail Extensions (S/MIME) [MSG].  S/MIME
   makes use of the Cryptographic Message Syntax (CMS) [CMS].  In
   particular, the signed-data and the enveloped-data content types are
   used.

   Since many of the Suite B algorithms enjoy uses in other environments
   as well, the majority of the conventions needed for the Suite B
   algorithms are already specified in other documents.  This document
   references the source of these conventions, and the relevant details
   are repeated to aid developers that choose to support Suite B.  In a
   few cases, additional algorithm identifiers are needed, and they are
   provided in this document.

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [STDWORDS].

Housley & Solinas            Informational                      [Page 1]
RFC 5008                   Suite B in S/MIME              September 2007

1.2.  ASN.1

   CMS values are generated using ASN.1 [X.208-88], the Basic Encoding
   Rules (BER) [X.209-88], and the Distinguished Encoding Rules (DER)
   [X.509-88].

1.3.  Suite B Security Levels

   Suite B offers two security levels: Level 1 and Level 2.  Security
   Level 2 offers greater cryptographic strength by using longer keys.

   For S/MIME signed messages, Suite B follows the direction set by RFC
   3278 [CMSECC], but some additional algorithm identifiers are
   assigned.  Suite B uses these algorithms:

                            Security Level 1   Security Level 2
                            ----------------   ----------------
      Message Digest:       SHA-256            SHA-384
      Signature:            ECDSA with P-256   ECDSA with P-384

   For S/MIME-encrypted messages, Suite B follows the direction set by
   RFC 3278 [CMSECC] and follows the conventions set by RFC 3565
   [CMSAES].  Again, additional algorithm identifiers are assigned.
   Suite B uses these algorithms:

                            Security Level 1   Security Level 2
                            ----------------   ----------------
      Key Agreement:        ECDH with P-256    ECDH with P-384
      Key Derivation:       SHA-256            SHA-384
      Key Wrap:             AES-128 Key Wrap   AES-256 Key Wrap
      Content Encryption:   AES-128 CBC        AES-256 CBC

2.  SHA-256 and SHA-256 Message Digest Algorithms

   This section specifies the conventions employed by implementations
   that support SHA-256 or SHA-384 [SHA2].  In Suite B, Security Level
   1, the SHA-256 message digest algorithm MUST be used.  In Suite B,
   Security Level 2, SHA-384 MUST be used.

   Within the CMS signed-data content type, message digest algorithm
   identifiers are located in the SignedData digestAlgorithms field and
   the SignerInfo digestAlgorithm field.  Also, message digest values
   are located in the Message Digest authenticated attribute.  In
   addition, message digest values are input into signature algorithms.

   The SHA-256 and SHA-384 message digest algorithms are defined in FIPS
   Pub 180-2 [SHA2, EH].  The algorithm identifier for SHA-256 is:

Housley & Solinas            Informational                      [Page 2]
RFC 5008                   Suite B in S/MIME              September 2007

      id-sha256  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
          country(16) us(840) organization(1) gov(101) csor(3)
          nistalgorithm(4) hashalgs(2) 1 }

   The algorithm identifier for SHA-384 is:

      id-sha384  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
          country(16) us(840) organization(1) gov(101) csor(3)
          nistalgorithm(4) hashalgs(2) 2 }

   There are two possible encodings for the AlgorithmIdentifier
   parameters field.  The two alternatives arise from the fact that when
   the 1988 syntax for AlgorithmIdentifier was translated into the 1997
   syntax, the OPTIONAL associated with the AlgorithmIdentifier
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools