Using Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS)
RFC 8696

Document Type: RFC - Proposed Standard (December 2019; No errata)
Author: Russ Housley
Last updated: 2019-12-18
Replaces: draft-housley-cms-mix-with-psk
Stream: IETF
Document shepherd: Tim Hollebeek
Responsible AD: Roman Danyliw


Internet Engineering Task Force (IETF)                        R. Housley
Request for Comments: 8696                                Vigil Security
Category: Standards Track                                  December 2019
ISSN: 2070-1721

  Using Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS)

Abstract

   The invention of a large-scale quantum computer would pose a serious
   challenge for the cryptographic algorithms that are widely deployed
   today.  The Cryptographic Message Syntax (CMS) supports key transport
   and key agreement algorithms that could be broken by the invention of
   such a quantum computer.  By storing communications that are
   protected with the CMS today, someone could decrypt them in the
   future when a large-scale quantum computer becomes available.  Once
   quantum-secure key management algorithms are available, the CMS will
   be extended to support the new algorithms if the existing syntax does
   not accommodate them.  This document describes a mechanism to protect
   today's communication from the future invention of a large-scale
   quantum computer by mixing the output of key transport and key
   agreement algorithms with a pre-shared key.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8696.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Terminology
     1.2.  ASN.1
     1.3.  Version Numbers
   2.  Overview
   3.  keyTransPSK
   4.  keyAgreePSK
   5.  Key Derivation
   6.  ASN.1 Module
   7.  Security Considerations
   8.  Privacy Considerations
   9.  IANA Considerations
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Appendix A.  Key Transport with PSK Example
     A.1.  Originator Processing Example
     A.2.  ContentInfo and AuthEnvelopedData
     A.3.  Recipient Processing Example
   Appendix B.  Key Agreement with PSK Example
     B.1.  Originator Processing Example
     B.2.  ContentInfo and AuthEnvelopedData
     B.3.  Recipient Processing Example
   Acknowledgements
   Author's Address

1.  Introduction

   The invention of a large-scale quantum computer would pose a serious
   challenge for the cryptographic algorithms that are widely deployed
   today [S1994].  It is an open question whether or not it is feasible
   to build a large-scale quantum computer and, if so, when that might
   happen [NAS2019].  However, if such a quantum computer is invented,
   many of the cryptographic algorithms and the security protocols that
   use them would become vulnerable.

   The Cryptographic Message Syntax (CMS) [RFC5652][RFC5083] supports
   key transport and key agreement algorithms that could be broken by
   the invention of a large-scale quantum computer [C2PQ].  These
   algorithms include RSA [RFC8017], Diffie-Hellman [RFC2631], and
   Elliptic Curve Diffie-Hellman (ECDH) [RFC5753].  As a result, an
   adversary that stores CMS-protected communications today could
   decrypt those communications in the future when a large-scale quantum
   computer becomes available.

   Once quantum-secure key management algorithms are available, the CMS
   will be extended to support them if the existing syntax does not
   already accommodate the new algorithms.

   In the near term, this document describes a mechanism to protect
   today's communication from the future invention of a large-scale
   quantum computer by mixing the output of existing key transport and
   key agreement algorithms with a pre-shared key (PSK).  Secure
   communication can be achieved today by mixing a strong PSK with the
   output of an existing key transport algorithm, like RSA [RFC8017], or
   an existing key agreement algorithm, like Diffie-Hellman [RFC2631] or
   Elliptic Curve Diffie-Hellman (ECDH) [RFC5753].  A security solution
   that is believed to be quantum resistant can be achieved by using a
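The introduction describes the mechanism only at a high level: the output of a key transport or key agreement algorithm (the key-derivation key, KDK) is mixed with a pre-shared key before it is used to protect content. The following is an added illustration of that principle, not code from RFC 8696 or from the author; the RFC's exact derivation lives in its Section 5, which is not reproduced on this page. The particular arrangement here (HKDF with SHA-256, PSK || KDK as the input keying material, no salt, a caller-supplied context string as the HKDF info), the helper names `derive_kek` and `store_now_decrypt_later`, and the sample PSK and KDK values are all assumptions chosen to show the point of the text: an adversary who records CMS-protected traffic today and later recovers the KDK with a large-scale quantum computer still lacks the PSK and so cannot derive the key-encryption key (KEK). Standard library only; the HKDF code is checked against RFC 5869 Test Case 1.

```python
"""Mixing a pre-shared key (PSK) into a CMS-style key-encryption key.

Added illustration, not code from RFC 8696.  The RFC's Section 5 derivation
is not reproduced on the page; the HKDF arrangement below (PSK || KDK as
input keying material, no salt, a caller-supplied context string as the
HKDF info) is an ASSUMPTION made to demonstrate the principle described in
the introduction.  Standard library only.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, Section 2.2): PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC 5869: absent salt means HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, Section 2.3): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_kek(psk: bytes, kdk: bytes, context: bytes, kek_len: int = 32) -> bytes:
    """Mix the PSK with the key-derivation key (KDK) that key transport (e.g. RSA)
    or key agreement (e.g. ECDH) produced, yielding the key-encryption key (KEK)
    that wraps the content-encryption key.
    ASSUMPTION: IKM = PSK || KDK, no salt, the context string as HKDF info."""
    if len(psk) < 16:
        raise ValueError("PSK too short to add meaningful protection")
    return hkdf(psk + kdk, b"", context, kek_len)


def store_now_decrypt_later(psk: bytes, kdk: bytes, context: bytes) -> dict:
    """Model the threat from the introduction.  Originator and recipient both
    hold PSK and KDK and derive the same KEK.  A future adversary who breaks
    the public-key algorithm learns the KDK but not the PSK; we model that
    adversary deriving from the KDK alone and from a guessed PSK."""
    kek_originator = derive_kek(psk, kdk, context)
    kek_recipient = derive_kek(psk, kdk, context)
    kek_without_psk = hkdf(kdk, b"", context, 32)             # KDK alone, PSK unknown
    kek_wrong_psk = derive_kek(os.urandom(32), kdk, context)  # a guessed PSK
    return {
        "parties_agree": hmac.compare_digest(kek_originator, kek_recipient),
        "kdk_alone_suffices": hmac.compare_digest(kek_originator, kek_without_psk),
        "guessed_psk_suffices": hmac.compare_digest(kek_originator, kek_wrong_psk),
    }


def rfc5869_test_case_1_ok() -> bool:
    """Self-check of the HKDF code against RFC 5869, Appendix A, Test Case 1."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


if __name__ == "__main__":
    # Constructed sample values: a 32-byte PSK distributed out of band and a
    # 32-byte KDK standing in for an ECDH shared secret or RSA-transported key.
    psk = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    kdk = os.urandom(32)
    print("HKDF self-check:", rfc5869_test_case_1_ok())
    print(store_now_decrypt_later(psk, kdk, b"CMS-PSK-example-context"))
```

The `store_now_decrypt_later` result is the whole argument in three booleans: the two legitimate parties agree on the KEK, while the KDK on its own and the KDK with a guessed PSK both produce unrelated keys. The PSK therefore has to be as strong as the protection expected from it; a short or guessable PSK collapses the construction to the public-key algorithm alone, which is why `derive_kek` refuses PSKs under 16 bytes (a threshold chosen for this example, not a requirement from the page).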