Difference between revisions of "RFC8755"
Line 17: | Line 17: | ||
United States National Security Agency's CNSA Suite algorithms in | United States National Security Agency's CNSA Suite algorithms in | ||
Secure/Multipurpose Internet Mail Extensions (S/MIME) as specified in | Secure/Multipurpose Internet Mail Extensions (S/MIME) as specified in | ||
− | + | RFC 8551. It applies to the capabilities, configuration, and | |
operation of all components of US National Security Systems that | operation of all components of US National Security Systems that | ||
employ S/MIME messaging. US National Security Systems are described | employ S/MIME messaging. US National Security Systems are described | ||
Line 35: | Line 35: | ||
implementation or deployment. Documents approved for publication by | implementation or deployment. Documents approved for publication by | ||
the RFC Editor are not candidates for any level of Internet Standard; | the RFC Editor are not candidates for any level of Internet Standard; | ||
− | see Section 2 of | + | see Section 2 of RFC 7841. |
Information about the current status of this document, any errata, | Information about the current status of this document, any errata, | ||
Line 46: | Line 46: | ||
document authors. All rights reserved. | document authors. All rights reserved. | ||
− | This document is subject to | + | This document is subject to BCP 78 and the IETF Trust's Legal |
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | ||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | ||
Line 79: | Line 79: | ||
National Security Agency's Commercial National Security Algorithm | National Security Agency's Commercial National Security Algorithm | ||
(CNSA) Suite algorithms [CNSA] in Secure/Multipurpose Internet Mail | (CNSA) Suite algorithms [CNSA] in Secure/Multipurpose Internet Mail | ||
− | Extensions (S/MIME) [[RFC8551]]. It applies to the capabilities, | + | Extensions (S/MIME) [[[RFC8551]]]. It applies to the capabilities, |
configuration, and operation of all components of US National | configuration, and operation of all components of US National | ||
Security Systems that employ S/MIME messaging. US National Security | Security Systems that employ S/MIME messaging. US National Security | ||
Line 88: | Line 88: | ||
deployments. | deployments. | ||
− | S/MIME makes use of the Cryptographic Message Syntax (CMS) [[RFC5652]] | + | S/MIME makes use of the Cryptographic Message Syntax (CMS) [[[RFC5652]]] |
− | [[RFC5083]]. In particular, the signed-data, enveloped-data, and | + | [[[RFC5083]]]. In particular, the signed-data, enveloped-data, and |
authenticated-enveloped-data content types are used. This document | authenticated-enveloped-data content types are used. This document | ||
only addresses CNSA Suite compliance for S/MIME. Other applications | only addresses CNSA Suite compliance for S/MIME. Other applications | ||
Line 108: | Line 108: | ||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | ||
"OPTIONAL" in this document are to be interpreted as described in | "OPTIONAL" in this document are to be interpreted as described in | ||
− | + | BCP 14 [[[RFC2119]]] [[[RFC8174]]] when, and only when, they appear in all | |
capitals, as shown here. | capitals, as shown here. | ||
Line 157: | Line 157: | ||
For CNSA Suite applications, public key certificates used to verify | For CNSA Suite applications, public key certificates used to verify | ||
S/MIME signatures MUST be compliant with the CNSA Suite Certificate | S/MIME signatures MUST be compliant with the CNSA Suite Certificate | ||
− | and Certificate Revocation List (CRL) profile specified in [[RFC8603]]. | + | and Certificate Revocation List (CRL) profile specified in [[[RFC8603]]]. |
Within the CMS signed-data content type, signature algorithm | Within the CMS signed-data content type, signature algorithm | ||
Line 185: | Line 185: | ||
RSA signature scheme for new applications is RSASSA-PSS. CNSA Suite- | RSA signature scheme for new applications is RSASSA-PSS. CNSA Suite- | ||
compliant X.509 certificates will be issued in accordance with | compliant X.509 certificates will be issued in accordance with | ||
− | [[RFC8603]], and while those certificates must be signed and validated | + | [[[RFC8603]]], and while those certificates must be signed and validated |
using RSASSA-PKCS1-v1_5, the subject's RSA key pair can be used to | using RSASSA-PKCS1-v1_5, the subject's RSA key pair can be used to | ||
generate and validate signatures appropriate for either signing | generate and validate signatures appropriate for either signing | ||
Line 200: | Line 200: | ||
== SHA-384 Message Digest Algorithm == | == SHA-384 Message Digest Algorithm == | ||
− | SHA-384 is the sole CNSA Suite message digest algorithm. [[RFC5754]] | + | SHA-384 is the sole CNSA Suite message digest algorithm. [[[RFC5754]]] |
specifies the conventions for using SHA-384 with the Cryptographic | specifies the conventions for using SHA-384 with the Cryptographic | ||
Message Syntax (CMS). CNSA Suite-compliant S/MIME implementations | Message Syntax (CMS). CNSA Suite-compliant S/MIME implementations | ||
− | MUST follow the conventions in [[RFC5754]]. | + | MUST follow the conventions in [[[RFC5754]]]. |
Within the CMS signed-data content type, message digest algorithm | Within the CMS signed-data content type, message digest algorithm | ||
Line 211: | Line 211: | ||
The SHA-384 message digest algorithm is defined in FIPS Pub 180 | The SHA-384 message digest algorithm is defined in FIPS Pub 180 | ||
[FIPS180]. The algorithm identifier for SHA-384 is defined in | [FIPS180]. The algorithm identifier for SHA-384 is defined in | ||
− | [[RFC5754]] as follows: | + | [[[RFC5754]]] as follows: |
id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | ||
Line 219: | Line 219: | ||
For SHA-384, the AlgorithmIdentifier parameters field is OPTIONAL, | For SHA-384, the AlgorithmIdentifier parameters field is OPTIONAL, | ||
and if present, the parameters field MUST contain a NULL. As | and if present, the parameters field MUST contain a NULL. As | ||
− | specified in [[RFC5754]], implementations MUST generate SHA-384 | + | specified in [[[RFC5754]]], implementations MUST generate SHA-384 |
AlgorithmIdentifiers with absent parameters. Implementations MUST | AlgorithmIdentifiers with absent parameters. Implementations MUST | ||
accept SHA-384 AlgorithmIdentifiers with absent parameters or with | accept SHA-384 AlgorithmIdentifiers with absent parameters or with | ||
Line 229: | Line 229: | ||
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the CNSA | The Elliptic Curve Digital Signature Algorithm (ECDSA) is the CNSA | ||
− | Suite digital signature algorithm based on ECC. [[RFC5753]] specifies | + | Suite digital signature algorithm based on ECC. [[[RFC5753]]] specifies |
the conventions for using ECDSA with the Cryptographic Message Syntax | the conventions for using ECDSA with the Cryptographic Message Syntax | ||
(CMS). CNSA Suite-compliant S/MIME implementations MUST follow the | (CMS). CNSA Suite-compliant S/MIME implementations MUST follow the | ||
− | conventions in [[RFC5753]]. | + | conventions in [[[RFC5753]]]. |
− | [[RFC5480]] defines the signature algorithm identifier used in CMS for | + | [[[RFC5480]]] defines the signature algorithm identifier used in CMS for |
ECDSA with SHA-384 as follows: | ECDSA with SHA-384 as follows: | ||
Line 246: | Line 246: | ||
When signing, the ECDSA algorithm generates two values, commonly | When signing, the ECDSA algorithm generates two values, commonly | ||
called r and s. These two values MUST be encoded using the ECDSA- | called r and s. These two values MUST be encoded using the ECDSA- | ||
− | Sig-Value type specified in [[RFC5480]]: | + | Sig-Value type specified in [[[RFC5480]]]: |
ECDSA-Sig-Value ::= SEQUENCE { | ECDSA-Sig-Value ::= SEQUENCE { | ||
Line 256: | Line 256: | ||
The RSA signature generation process and the encoding of the result | The RSA signature generation process and the encoding of the result | ||
is either RSASSA-PKCS1-v1_5 or RSA-PSS, as described in detail in | is either RSASSA-PKCS1-v1_5 or RSA-PSS, as described in detail in | ||
− | PKCS #1 version 2.2 [[RFC8017]]. | + | PKCS #1 version 2.2 [[[RFC8017]]]. |
==== RSA-PKCS1-v1_5 ==== | ==== RSA-PKCS1-v1_5 ==== | ||
− | [[RFC5754]] defines the signature algorithm identifier used in CMS for | + | [[[RFC5754]]] defines the signature algorithm identifier used in CMS for |
an RSA signature with SHA-384 as follows: | an RSA signature with SHA-384 as follows: | ||
Line 272: | Line 272: | ||
==== RSA-PSS ==== | ==== RSA-PSS ==== | ||
− | [[RFC4056]] defines the signature algorithm identifier used in CMS for | + | [[[RFC4056]]] defines the signature algorithm identifier used in CMS for |
an RSA-PSS signature as follows (presented here in expanded form): | an RSA-PSS signature as follows (presented here in expanded form): | ||
Line 279: | Line 279: | ||
The parameters field of an AlgorithmIdentifier that identifies | The parameters field of an AlgorithmIdentifier that identifies | ||
− | RSASSA-PSS is defined in [[RFC4055]] as follows: | + | RSASSA-PSS is defined in [[[RFC4055]]] as follows: |
RSASSA-PSS-params ::= SEQUENCE { | RSASSA-PSS-params ::= SEQUENCE { | ||
Line 292: | Line 292: | ||
params with the following values: | params with the following values: | ||
− | * The hash algorithm MUST be id-sha384 as defined in [[RFC8017]]; | + | * The hash algorithm MUST be id-sha384 as defined in [[[RFC8017]]]; |
* The mask generation function MUST use the algorithm identifier | * The mask generation function MUST use the algorithm identifier | ||
− | mfg1SHA384Identifier as defined in [[RFC4055]]; | + | mfg1SHA384Identifier as defined in [[[RFC4055]]]; |
* The salt length MUST be 48 octets (the same length as the SHA-384 | * The salt length MUST be 48 octets (the same length as the SHA-384 | ||
Line 312: | Line 312: | ||
message recipient possesses a static ECDH key pair whose public key | message recipient possesses a static ECDH key pair whose public key | ||
is provided in an X.509 certificate. The certificate used to obtain | is provided in an X.509 certificate. The certificate used to obtain | ||
− | the recipient's public key MUST be compliant with [[RFC8603]]. | + | the recipient's public key MUST be compliant with [[[RFC8603]]]. |
When a key agreement algorithm is used, the following steps are | When a key agreement algorithm is used, the following steps are | ||
Line 331: | Line 331: | ||
discussed in Section 6.1.2. | discussed in Section 6.1.2. | ||
− | Section 3.1 of [[RFC5753]] specifies the conventions for using ECDH | + | Section 3.1 of [[[RFC5753]]] specifies the conventions for using ECDH |
with the CMS. CNSA Suite-compliant S/MIME implementations MUST | with the CMS. CNSA Suite-compliant S/MIME implementations MUST | ||
follow these conventions. | follow these conventions. | ||
Line 344: | Line 344: | ||
dhSinglePass-stdDH-sha384kdf-scheme. The algorithm identifier for | dhSinglePass-stdDH-sha384kdf-scheme. The algorithm identifier for | ||
the dhSinglePass-stdDH-sha384kdf-scheme, repeated from Section 7.1.4 | the dhSinglePass-stdDH-sha384kdf-scheme, repeated from Section 7.1.4 | ||
− | of [[RFC5753]], is (presented here in expanded form): | + | of [[[RFC5753]]], is (presented here in expanded form): |
dhSinglePass-stdDH-sha384kdf-scheme OBJECT IDENTIFIER ::= | dhSinglePass-stdDH-sha384kdf-scheme OBJECT IDENTIFIER ::= | ||
Line 357: | Line 357: | ||
KDFs based on SHA-384 are used to derive a pairwise key-encryption | KDFs based on SHA-384 are used to derive a pairwise key-encryption | ||
key from the shared secret produced by ephemeral-static ECDH. | key from the shared secret produced by ephemeral-static ECDH. | ||
− | Sections 7.1.8 and 7.2 in [[RFC5753]] specify the CMS conventions for | + | Sections 7.1.8 and 7.2 in [[[RFC5753]]] specify the CMS conventions for |
using a KDF with the shared secret generated during ephemeral-static | using a KDF with the shared secret generated during ephemeral-static | ||
ECDH. CNSA Suite-compliant S/MIME implementations MUST follow these | ECDH. CNSA Suite-compliant S/MIME implementations MUST follow these | ||
conventions. | conventions. | ||
− | As specified in Section 7.1.8 of [[RFC5753]], the ANSI-X9.63-KDF | + | As specified in Section 7.1.8 of [[[RFC5753]]], the ANSI-X9.63-KDF |
described in Section 3.6.1 of [SEC1] and based on SHA-384 MUST be | described in Section 3.6.1 of [SEC1] and based on SHA-384 MUST be | ||
used. | used. | ||
− | As specified in Section 7.2 of [[RFC5753]], when using ECDH with the | + | As specified in Section 7.2 of [[[RFC5753]]], when using ECDH with the |
CMS enveloped-data or authenticated-enveloped-data content type, the | CMS enveloped-data or authenticated-enveloped-data content type, the | ||
derivation of key-encryption keys makes use of the ECC-CMS-SharedInfo | derivation of key-encryption keys makes use of the ECC-CMS-SharedInfo | ||
Line 392: | Line 392: | ||
* suppPubInfo contains the length of the generated key-encryption | * suppPubInfo contains the length of the generated key-encryption | ||
key in bits, represented as a 32-bit unsigned number, as described | key in bits, represented as a 32-bit unsigned number, as described | ||
− | in [[RFC2631]]. When a 256-bit AES key is used, the length MUST be | + | in [[[RFC2631]]]. When a 256-bit AES key is used, the length MUST be |
0x00000100. | 0x00000100. | ||
Line 398: | Line 398: | ||
derivation function, as specified in Section 3.6.1 of [SEC1]. Note | derivation function, as specified in Section 3.6.1 of [SEC1]. Note | ||
that ECC-CMS-SharedInfo differs from the OtherInfo specified in | that ECC-CMS-SharedInfo differs from the OtherInfo specified in | ||
− | [[RFC2631]]. Here, a counter value is not included in the keyInfo | + | [[[RFC2631]]]. Here, a counter value is not included in the keyInfo |
field because the KDF specified in [SEC1] ensures that sufficient | field because the KDF specified in [SEC1] ensures that sufficient | ||
keying data is provided. | keying data is provided. | ||
Line 445: | Line 445: | ||
The AES Key Wrap with Padding key-encryption algorithm, as specified | The AES Key Wrap with Padding key-encryption algorithm, as specified | ||
− | in [[RFC5649]] and [SP80038F], is used to encrypt the content- | + | in [[[RFC5649]]] and [SP80038F], is used to encrypt the content- |
encryption key with a pairwise key-encryption key that is generated | encryption key with a pairwise key-encryption key that is generated | ||
− | using ephemeral-static ECDH. Section 8 of [[RFC5753]] specifies the | + | using ephemeral-static ECDH. Section 8 of [[[RFC5753]]] specifies the |
CMS conventions for using AES Key Wrap with a pairwise key generated | CMS conventions for using AES Key Wrap with a pairwise key generated | ||
through ephemeral-static ECDH. CNSA Suite-compliant S/MIME | through ephemeral-static ECDH. CNSA Suite-compliant S/MIME | ||
Line 458: | Line 458: | ||
The KeyWrapAlgorithm MUST be id-aes256-wrap-pad. The required | The KeyWrapAlgorithm MUST be id-aes256-wrap-pad. The required | ||
− | algorithm identifier, specified in [[RFC5649]], is: | + | algorithm identifier, specified in [[[RFC5649]]], is: |
id-aes256-wrap-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | id-aes256-wrap-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) | ||
Line 468: | Line 468: | ||
RSA encryption (RSA) is the CNSA Suite key transport algorithm. The | RSA encryption (RSA) is the CNSA Suite key transport algorithm. The | ||
RSA key transport algorithm is the RSA encryption scheme defined in | RSA key transport algorithm is the RSA encryption scheme defined in | ||
− | [[RFC8017]], where the message to be encrypted is the content- | + | [[[RFC8017]]], where the message to be encrypted is the content- |
encryption key. | encryption key. | ||
Line 474: | Line 474: | ||
public key is represented by an X.509 certificate. The certificate | public key is represented by an X.509 certificate. The certificate | ||
used to obtain the recipient's public key MUST be compliant with | used to obtain the recipient's public key MUST be compliant with | ||
− | [[RFC8603]]. These certificates are suitable for use with either | + | [[[RFC8603]]]. These certificates are suitable for use with either |
RSAES-OAEP or RSAES-PKCS1-v1_5. | RSAES-OAEP or RSAES-PKCS1-v1_5. | ||
==== RSAES-PKCS1-v1_5 ==== | ==== RSAES-PKCS1-v1_5 ==== | ||
− | Section 4.2 of [[RFC3370]] specifies the conventions for using RSAES- | + | Section 4.2 of [[[RFC3370]]] specifies the conventions for using RSAES- |
PKCS1-v1_5 with the CMS. S/MIME implementations employing this form | PKCS1-v1_5 with the CMS. S/MIME implementations employing this form | ||
of key transport MUST follow these conventions. | of key transport MUST follow these conventions. | ||
Line 498: | Line 498: | ||
==== RSAES-OAEP ==== | ==== RSAES-OAEP ==== | ||
− | [[RFC3560]] specifies the conventions for using RSAES-OAEP with the | + | [[[RFC3560]]] specifies the conventions for using RSAES-OAEP with the |
CMS. CNSA Suite-compliant S/MIME implementations employing this form | CMS. CNSA Suite-compliant S/MIME implementations employing this form | ||
of key transport MUST follow these conventions. | of key transport MUST follow these conventions. | ||
Line 513: | Line 513: | ||
The parameters field of an AlgorithmIdentifier that identifies RSAES- | The parameters field of an AlgorithmIdentifier that identifies RSAES- | ||
− | OAEP is defined in [[RFC4055]] as follows: | + | OAEP is defined in [[[RFC4055]]] as follows: |
RSAES-OAEP-params ::= SEQUENCE { | RSAES-OAEP-params ::= SEQUENCE { | ||
Line 532: | Line 532: | ||
follows: | follows: | ||
− | * The hashFunc algorithm must be id-sha384 as defined in [[RFC8017]]; | + | * The hashFunc algorithm must be id-sha384 as defined in [[[RFC8017]]]; |
* The mask generation function must use the algorithm identifier | * The mask generation function must use the algorithm identifier | ||
− | mfg1SHA384Identifier as defined in [[RFC4055]]; | + | mfg1SHA384Identifier as defined in [[[RFC4055]]]; |
* The pSourceFunc field must be absent. | * The pSourceFunc field must be absent. | ||
Line 543: | Line 543: | ||
can support. If the SMIMECapabilities signed attribute is included | can support. If the SMIMECapabilities signed attribute is included | ||
to announce support for the RSAES-OAEP algorithm, it MUST be | to announce support for the RSAES-OAEP algorithm, it MUST be | ||
− | constructed as defined in Section 5 of [[RFC3560]], with the sequence | + | constructed as defined in Section 5 of [[[RFC3560]]], with the sequence |
representing the rSAES-OAEP-SHA384-Identifier. | representing the rSAES-OAEP-SHA384-Identifier. | ||
Line 555: | Line 555: | ||
CNSA Suite-compliant S/MIME implementations using the authenticated- | CNSA Suite-compliant S/MIME implementations using the authenticated- | ||
− | enveloped-data content type [[RFC5083]] MUST use AES [FIPS197] in | + | enveloped-data content type [[[RFC5083]]] MUST use AES [FIPS197] in |
Galois Counter Mode (GCM) [SP80038D] as the content-authenticated | Galois Counter Mode (GCM) [SP80038D] as the content-authenticated | ||
encryption algorithm and MUST follow the conventions for using AES- | encryption algorithm and MUST follow the conventions for using AES- | ||
− | GCM with the CMS defined in [[RFC5084]]. | + | GCM with the CMS defined in [[[RFC5084]]]. |
Within the CMS authenticated-enveloped-data content type, content- | Within the CMS authenticated-enveloped-data content type, content- | ||
Line 597: | Line 597: | ||
(CBC) mode [SP80038A] as the content-encryption algorithm and MUST | (CBC) mode [SP80038A] as the content-encryption algorithm and MUST | ||
follow the conventions for using AES with the CMS defined in | follow the conventions for using AES with the CMS defined in | ||
− | [[RFC3565]]. | + | [[[RFC3565]]]. |
Within the CMS enveloped-data content type, content-encryption | Within the CMS enveloped-data content type, content-encryption | ||
Line 618: | Line 618: | ||
The 16-octet initialization vector is generated at random by the | The 16-octet initialization vector is generated at random by the | ||
− | originator. See [[RFC4086]] for guidance on generation of random | + | originator. See [[[RFC4086]]] for guidance on generation of random |
values. | values. | ||
Line 627: | Line 627: | ||
identifiers have been specified in previous documents. | identifiers have been specified in previous documents. | ||
− | See [[RFC4086]] for guidance on generation of random values. | + | See [[[RFC4086]]] for guidance on generation of random values. |
− | The security considerations in [[RFC5652]] discuss the CMS as a method | + | The security considerations in [[[RFC5652]]] discuss the CMS as a method |
for digitally signing data and encrypting data. | for digitally signing data and encrypting data. | ||
− | The security considerations in [[RFC3370]] discuss cryptographic | + | The security considerations in [[[RFC3370]]] discuss cryptographic |
algorithm implementation concerns in the context of the CMS. | algorithm implementation concerns in the context of the CMS. | ||
− | The security considerations in [[RFC5753]] discuss the use of elliptic | + | The security considerations in [[[RFC5753]]] discuss the use of elliptic |
curve cryptography (ECC) in the CMS. | curve cryptography (ECC) in the CMS. | ||
− | The security considerations in [[RFC3565]] discuss the use of AES in | + | The security considerations in [[[RFC3565]]] discuss the use of AES in |
the CMS. | the CMS. | ||
− | The security considerations in [[RFC8551]] apply to this profile, | + | The security considerations in [[[RFC8551]]] apply to this profile, |
particularly the recommendation to use authenticated encryption modes | particularly the recommendation to use authenticated encryption modes | ||
(i.e., use authenticated-enveloped-data with AES-GCM rather than | (i.e., use authenticated-enveloped-data with AES-GCM rather than | ||
Line 677: | Line 677: | ||
final>. | final>. | ||
− | [[RFC2119]] Bradner, S., "Key words for use in RFCs to Indicate | + | [[[RFC2119]]] Bradner, S., "Key words for use in RFCs to Indicate |
− | Requirement Levels", | + | Requirement Levels", BCP 14, RFC 2119, |
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | ||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | ||
− | [[RFC2631]] Rescorla, E., "Diffie-Hellman Key Agreement Method", | + | [[[RFC2631]]] Rescorla, E., "Diffie-Hellman Key Agreement Method", |
− | + | RFC 2631, DOI 10.17487/RFC2631, June 1999, | |
<https://www.rfc-editor.org/info/rfc2631>. | <https://www.rfc-editor.org/info/rfc2631>. | ||
− | [[RFC3370]] Housley, R., "Cryptographic Message Syntax (CMS) | + | [[[RFC3370]]] Housley, R., "Cryptographic Message Syntax (CMS) |
− | Algorithms", | + | Algorithms", RFC 3370, DOI 10.17487/RFC3370, August 2002, |
<https://www.rfc-editor.org/info/rfc3370>. | <https://www.rfc-editor.org/info/rfc3370>. | ||
− | [[RFC3560]] Housley, R., "Use of the RSAES-OAEP Key Transport | + | [[[RFC3560]]] Housley, R., "Use of the RSAES-OAEP Key Transport |
Algorithm in Cryptographic Message Syntax (CMS)", | Algorithm in Cryptographic Message Syntax (CMS)", | ||
− | + | RFC 3560, DOI 10.17487/RFC3560, July 2003, | |
<https://www.rfc-editor.org/info/rfc3560>. | <https://www.rfc-editor.org/info/rfc3560>. | ||
− | [[RFC3565]] Schaad, J., "Use of the Advanced Encryption Standard (AES) | + | [[[RFC3565]]] Schaad, J., "Use of the Advanced Encryption Standard (AES) |
Encryption Algorithm in Cryptographic Message Syntax | Encryption Algorithm in Cryptographic Message Syntax | ||
− | (CMS)", | + | (CMS)", RFC 3565, DOI 10.17487/RFC3565, July 2003, |
<https://www.rfc-editor.org/info/rfc3565>. | <https://www.rfc-editor.org/info/rfc3565>. | ||
− | [[RFC4055]] Schaad, J., Kaliski, B., and R. Housley, "Additional | + | [[[RFC4055]]] Schaad, J., Kaliski, B., and R. Housley, "Additional |
Algorithms and Identifiers for RSA Cryptography for use in | Algorithms and Identifiers for RSA Cryptography for use in | ||
the Internet X.509 Public Key Infrastructure Certificate | the Internet X.509 Public Key Infrastructure Certificate | ||
− | and Certificate Revocation List (CRL) Profile", | + | and Certificate Revocation List (CRL) Profile", RFC 4055, |
DOI 10.17487/RFC4055, June 2005, | DOI 10.17487/RFC4055, June 2005, | ||
<https://www.rfc-editor.org/info/rfc4055>. | <https://www.rfc-editor.org/info/rfc4055>. | ||
− | [[RFC4056]] Schaad, J., "Use of the RSASSA-PSS Signature Algorithm in | + | [[[RFC4056]]] Schaad, J., "Use of the RSASSA-PSS Signature Algorithm in |
− | Cryptographic Message Syntax (CMS)", | + | Cryptographic Message Syntax (CMS)", RFC 4056, |
DOI 10.17487/RFC4056, June 2005, | DOI 10.17487/RFC4056, June 2005, | ||
<https://www.rfc-editor.org/info/rfc4056>. | <https://www.rfc-editor.org/info/rfc4056>. | ||
− | [[RFC5083]] Housley, R., "Cryptographic Message Syntax (CMS) | + | [[[RFC5083]]] Housley, R., "Cryptographic Message Syntax (CMS) |
− | Authenticated-Enveloped-Data Content Type", | + | Authenticated-Enveloped-Data Content Type", RFC 5083, |
DOI 10.17487/RFC5083, November 2007, | DOI 10.17487/RFC5083, November 2007, | ||
<https://www.rfc-editor.org/info/rfc5083>. | <https://www.rfc-editor.org/info/rfc5083>. | ||
− | [[RFC5084]] Housley, R., "Using AES-CCM and AES-GCM Authenticated | + | [[[RFC5084]]] Housley, R., "Using AES-CCM and AES-GCM Authenticated |
Encryption in the Cryptographic Message Syntax (CMS)", | Encryption in the Cryptographic Message Syntax (CMS)", | ||
− | + | RFC 5084, DOI 10.17487/RFC5084, November 2007, | |
<https://www.rfc-editor.org/info/rfc5084>. | <https://www.rfc-editor.org/info/rfc5084>. | ||
− | [[RFC5480]] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, | + | [[[RFC5480]]] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, |
"Elliptic Curve Cryptography Subject Public Key | "Elliptic Curve Cryptography Subject Public Key | ||
− | Information", | + | Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, |
<https://www.rfc-editor.org/info/rfc5480>. | <https://www.rfc-editor.org/info/rfc5480>. | ||
− | [[RFC5649]] Housley, R. and M. Dworkin, "Advanced Encryption Standard | + | [[[RFC5649]]] Housley, R. and M. Dworkin, "Advanced Encryption Standard |
− | (AES) Key Wrap with Padding Algorithm", | + | (AES) Key Wrap with Padding Algorithm", RFC 5649, |
DOI 10.17487/RFC5649, September 2009, | DOI 10.17487/RFC5649, September 2009, | ||
<https://www.rfc-editor.org/info/rfc5649>. | <https://www.rfc-editor.org/info/rfc5649>. | ||
− | [[RFC5652]] Housley, R., "Cryptographic Message Syntax (CMS)", | + | [[[RFC5652]]] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, |
− | + | RFC 5652, DOI 10.17487/RFC5652, September 2009, | |
<https://www.rfc-editor.org/info/rfc5652>. | <https://www.rfc-editor.org/info/rfc5652>. | ||
− | [[RFC5753]] Turner, S. and D. Brown, "Use of Elliptic Curve | + | [[[RFC5753]]] Turner, S. and D. Brown, "Use of Elliptic Curve |
Cryptography (ECC) Algorithms in Cryptographic Message | Cryptography (ECC) Algorithms in Cryptographic Message | ||
− | Syntax (CMS)", | + | Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January |
2010, <https://www.rfc-editor.org/info/rfc5753>. | 2010, <https://www.rfc-editor.org/info/rfc5753>. | ||
− | [[RFC5754]] Turner, S., "Using SHA2 Algorithms with Cryptographic | + | [[[RFC5754]]] Turner, S., "Using SHA2 Algorithms with Cryptographic |
− | Message Syntax", | + | Message Syntax", RFC 5754, DOI 10.17487/RFC5754, January |
2010, <https://www.rfc-editor.org/info/rfc5754>. | 2010, <https://www.rfc-editor.org/info/rfc5754>. | ||
− | [[RFC8017]] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | + | [[[RFC8017]]] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, |
"PKCS #1: RSA Cryptography Specifications Version 2.2", | "PKCS #1: RSA Cryptography Specifications Version 2.2", | ||
− | + | RFC 8017, DOI 10.17487/RFC8017, November 2016, | |
<https://www.rfc-editor.org/info/rfc8017>. | <https://www.rfc-editor.org/info/rfc8017>. | ||
− | [[RFC8174]] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | + | [[[RFC8174]]] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC |
− | 2119 Key Words", | + | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, |
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | ||
− | [[RFC8551]] Schaad, J., Ramsdell, B., and S. Turner, "Secure/ | + | [[[RFC8551]]] Schaad, J., Ramsdell, B., and S. Turner, "Secure/ |
Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 | Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 | ||
− | Message Specification", | + | Message Specification", RFC 8551, DOI 10.17487/RFC8551, |
April 2019, <https://www.rfc-editor.org/info/rfc8551>. | April 2019, <https://www.rfc-editor.org/info/rfc8551>. | ||
− | [[RFC8603]] Jenkins, M. and L. Zieglar, "Commercial National Security | + | [[[RFC8603]]] Jenkins, M. and L. Zieglar, "Commercial National Security |
Algorithm (CNSA) Suite Certificate and Certificate | Algorithm (CNSA) Suite Certificate and Certificate | ||
− | Revocation List (CRL) Profile", | + | Revocation List (CRL) Profile", RFC 8603, |
DOI 10.17487/RFC8603, May 2019, | DOI 10.17487/RFC8603, May 2019, | ||
<https://www.rfc-editor.org/info/rfc8603>. | <https://www.rfc-editor.org/info/rfc8603>. | ||
Line 801: | Line 801: | ||
10.2. Informative References | 10.2. Informative References | ||
− | [[RFC4086]] Eastlake 3rd, D., Schiller, J., and S. Crocker, | + | [[[RFC4086]]] Eastlake 3rd, D., Schiller, J., and S. Crocker, |
− | "Randomness Requirements for Security", | + | "Randomness Requirements for Security", BCP 106, RFC 4086, |
DOI 10.17487/RFC4086, June 2005, | DOI 10.17487/RFC4086, June 2005, | ||
<https://www.rfc-editor.org/info/rfc4086>. | <https://www.rfc-editor.org/info/rfc4086>. |
Revision as of 09:54, 25 October 2020
Independent Submission M. Jenkins Request for Comments: 8755 NSA Category: Informational March 2020 ISSN: 2070-1721
Using Commercial National Security Algorithm Suite Algorithms in Secure/Multipurpose Internet Mail Extensions
Abstract
The United States Government has published the National Security Agency (NSA) Commercial National Security Algorithm (CNSA) Suite, which defines cryptographic algorithm policy for national security applications. This document specifies the conventions for using the United States National Security Agency's CNSA Suite algorithms in Secure/Multipurpose Internet Mail Extensions (S/MIME) as specified in RFC 8551. It applies to the capabilities, configuration, and operation of all components of US National Security Systems that employ S/MIME messaging. US National Security Systems are described in NIST Special Publication 800-59. It is also appropriate for all other US Government systems that process high-value information. It is made publicly available for use by developers and operators of these and any other system deployments.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not candidates for any level of Internet Standard; see Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8755.
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
1. Introduction
1.1. Terminology
2. The Commercial National Security Algorithm Suite 3. Requirements and Assumptions 4. SHA-384 Message Digest Algorithm 5. Digital Signature
5.1. ECDSA Signature 5.2. RSA Signature
6. Key Establishment
6.1. Elliptic Curve Key Agreement 6.2. RSA Key Transport
7. Content Encryption
7.1. AES-GCM Content Encryption 7.2. AES-CBC Content Encryption
8. Security Considerations 9. IANA Considerations 10. References
10.1. Normative References 10.2. Informative References
Author's Address
Contents
Introduction
This document specifies the conventions for using the United States National Security Agency's Commercial National Security Algorithm (CNSA) Suite algorithms [CNSA] in Secure/Multipurpose Internet Mail Extensions (S/MIME) [[[RFC8551]]]. It applies to the capabilities, configuration, and operation of all components of US National Security Systems that employ S/MIME messaging. US National Security Systems are described in NIST Special Publication 800-59 [SP80059]. It is also appropriate for all other US Government systems that process high-value information. It is made publicly available for use by developers and operators of these and any other system deployments.
S/MIME makes use of the Cryptographic Message Syntax (CMS) [[[RFC5652]]] [[[RFC5083]]]. In particular, the signed-data, enveloped-data, and authenticated-enveloped-data content types are used. This document only addresses CNSA Suite compliance for S/MIME. Other applications of CMS are outside the scope of this document.
This document does not define any new cryptographic algorithm suites; instead, it defines a CNSA-compliant profile of S/MIME. Since many of the CNSA Suite algorithms enjoy uses in other environments as well, the majority of the conventions needed for these algorithms are already specified in other documents. This document references the source of these conventions, with some relevant details repeated to aid developers that choose to support the CNSA Suite. Where details have been repeated, the cited documents are authoritative.
Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [[[RFC2119]]] [[[RFC8174]]] when, and only when, they appear in all capitals, as shown here.
The Commercial National Security Algorithm Suite
The National Security Agency (NSA) profiles commercial cryptographic algorithms and protocols as part of its mission to support secure, interoperable communications for US Government National Security Systems. To this end, it publishes guidance both to assist with the US Government transition to new algorithms and to provide vendors -- and the Internet community in general -- with information concerning their proper use and configuration.
Recently, cryptographic transition plans have become overshadowed by the prospect of the development of a cryptographically relevant quantum computer. The NSA has established the Commercial National Security Algorithm (CNSA) Suite to provide vendors and IT users near- term flexibility in meeting their cybersecurity interoperability requirements. The purpose behind this flexibility is to avoid having vendors and customers make two major transitions in a relatively short timeframe, as we anticipate a need to shift to quantum- resistant cryptography in the near future.
The NSA is authoring a set of RFCs, including this one, to provide updated guidance concerning the use of certain commonly available commercial algorithms in IETF protocols. These RFCs can be used in conjunction with other RFCs and cryptographic guidance (e.g., NIST Special Publications) to properly protect Internet traffic and data- at-rest for US Government National Security Systems.
Requirements and Assumptions
CMS values are generated using ASN.1 [X208], the Basic Encoding Rules (BER) [X209], and the Distinguished Encoding Rules (DER) [X509].
The elliptic curve used in the CNSA Suite is specified in [FIPS186] and appears in the literature under two different names. For the sake of clarity, we list both names below:
+----------+-----------+-----------+---------------+ | Curve | NIST Name | SECG Name | OID [FIPS186] | +==========+===========+===========+===============+ | nistp384 | P-384 | secp384r1 | 1.3.132.0.34 | +----------+-----------+-----------+---------------+
Table 1
For CNSA Suite applications, public key certificates used to verify S/MIME signatures MUST be compliant with the CNSA Suite Certificate and Certificate Revocation List (CRL) profile specified in [[[RFC8603]]].
Within the CMS signed-data content type, signature algorithm identifiers are located in the signatureAlgorithm field of SignerInfo structures contained within the SignedData. In addition, signature algorithm identifiers are located in the SignerInfo signatureAlgorithm field of countersignature attributes. Specific requirements for digital signatures are given in Section 5; compliant implementations MUST consider signatures not meeting these requirements as invalid.
Implementations based on Elliptic Curve Cryptography (ECC) also require specification of schemes for key derivation and key wrap. Requirements for these schemes are in Sections 6.1.1 and 6.1.2, respectively.
RSA key pairs (public, private) are identified by the modulus size expressed in bits; RSA-3072 and RSA-4096 are computed using moduli of 3072 bits and 4096 bits, respectively.
RSA signature key pairs used in CNSA Suite-compliant implementations are either RSA-3072 or RSA-4096. The RSA exponent e MUST satisfy 2^(16) < e < 2^(256) and be odd per [FIPS186].
It is recognized that, while the vast majority of RSA signatures are currently made using the RSASSA-PKCS1-v1_5 algorithm, the preferred RSA signature scheme for new applications is RSASSA-PSS. CNSA Suite- compliant X.509 certificates will be issued in accordance with [[[RFC8603]]], and while those certificates must be signed and validated using RSASSA-PKCS1-v1_5, the subject's RSA key pair can be used to generate and validate signatures appropriate for either signing scheme. Where use of RSASSA-PSS is indicated in this document, the parameters in Section 5.2.2 apply.
This document assumes that the required trust anchors have been securely provisioned to the client.
All implementations use SHA-384 for hashing and either AES-CBC or AES-GCM for encryption, the requirements for which are given in Section 4 and Section 7, respectively.
SHA-384 Message Digest Algorithm
SHA-384 is the sole CNSA Suite message digest algorithm. [[[RFC5754]]] specifies the conventions for using SHA-384 with the Cryptographic Message Syntax (CMS). CNSA Suite-compliant S/MIME implementations MUST follow the conventions in [[[RFC5754]]].
Within the CMS signed-data content type, message digest algorithm identifiers are located in the SignedData digestAlgorithms field and the SignerInfo digestAlgorithm field.
The SHA-384 message digest algorithm is defined in FIPS Pub 180 [FIPS180]. The algorithm identifier for SHA-384 is defined in [[[RFC5754]]] as follows:
id-sha384 OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistalgorithm(4) hashalgs(2) 2 }
For SHA-384, the AlgorithmIdentifier parameters field is OPTIONAL, and if present, the parameters field MUST contain a NULL. As specified in [[[RFC5754]]], implementations MUST generate SHA-384 AlgorithmIdentifiers with absent parameters. Implementations MUST accept SHA-384 AlgorithmIdentifiers with absent parameters or with NULL parameters.
Digital Signature
ECDSA Signature
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the CNSA Suite digital signature algorithm based on ECC. [[[RFC5753]]] specifies the conventions for using ECDSA with the Cryptographic Message Syntax (CMS). CNSA Suite-compliant S/MIME implementations MUST follow the conventions in [[[RFC5753]]].
[[[RFC5480]]] defines the signature algorithm identifier used in CMS for ECDSA with SHA-384 as follows:
ecdsa-with-SHA384 OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-sha2(3) 3 }
When the ecdsa-with-SHA384 algorithm identifier is used, the AlgorithmIdentifier parameters field MUST be absent.
When signing, the ECDSA algorithm generates two values, commonly called r and s. These two values MUST be encoded using the ECDSA- Sig-Value type specified in [[[RFC5480]]]:
ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }
RSA Signature
The RSA signature generation process and the encoding of the result is either RSASSA-PKCS1-v1_5 or RSA-PSS, as described in detail in PKCS #1 version 2.2 [[[RFC8017]]].
RSA-PKCS1-v1_5
[[[RFC5754]]] defines the signature algorithm identifier used in CMS for an RSA signature with SHA-384 as follows:
sha384WithRSAEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 12 }
When the sha384WithRSAEncryption algorithm identifier is used, the parameters MUST be NULL. Implementations MUST accept the parameters being absent as well as present.
RSA-PSS
[[[RFC4056]]] defines the signature algorithm identifier used in CMS for an RSA-PSS signature as follows (presented here in expanded form):
RSASSA-PSS OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 10 }
The parameters field of an AlgorithmIdentifier that identifies RSASSA-PSS is defined in [[[RFC4055]]] as follows:
RSASSA-PSS-params ::= SEQUENCE { hashAlgorithm [0] HashAlgorithm DEFAULT sha1Identifier, maskGenAlgorithm [1] MaskGenAlgorithm DEFAULT mgf1SHA1Identifier, saltLength [2] INTEGER DEFAULT 20, trailerField [3] INTEGER DEFAULT 1 }
The AlgorithmIdentifier parameters field MUST contain RSASSA-PSS- params with the following values:
- The hash algorithm MUST be id-sha384 as defined in [[[RFC8017]]];
- The mask generation function MUST use the algorithm identifier
mfg1SHA384Identifier as defined in [[[RFC4055]]];
- The salt length MUST be 48 octets (the same length as the SHA-384
output); and
- The trailerField MUST have value 1.
Key Establishment
Elliptic Curve Key Agreement
Elliptic Curve Diffie-Hellman (ECDH) is the CNSA Suite key agreement algorithm. Since S/MIME is used in store-and-forward communications, ephemeral-static ECDH is always employed. This means that the message originator possesses an ephemeral ECDH key pair and that the message recipient possesses a static ECDH key pair whose public key is provided in an X.509 certificate. The certificate used to obtain the recipient's public key MUST be compliant with [[[RFC8603]]].
When a key agreement algorithm is used, the following steps are performed:
1. A content-encryption key (CEK) for a particular content-
encryption algorithm is generated at random.
2. The recipient's public key and sender's private key are used with
a key agreement scheme to generate a shared secret (Z).
3. The shared secret is used with a key derivation function (KDF) to
produce a key-encryption key (KEK).
4. The KEK is used with a key wrap algorithm to encrypt the CEK.
Key derivation is discussed in Section 6.1.1. Key wrapping is discussed in Section 6.1.2.
Section 3.1 of [[[RFC5753]]] specifies the conventions for using ECDH with the CMS. CNSA Suite-compliant S/MIME implementations MUST follow these conventions.
Within the CMS enveloped-data and authenticated-enveloped-data content types, key agreement algorithm identifiers are located in the EnvelopedData RecipientInfos KeyAgreeRecipientInfo keyEncryptionAlgorithm field.
The keyEncryptionAlgorithm field comprises two fields, an algorithm field and a parameter field. The algorithm field MUST identify dhSinglePass-stdDH-sha384kdf-scheme. The algorithm identifier for the dhSinglePass-stdDH-sha384kdf-scheme, repeated from Section 7.1.4 of [[[RFC5753]]], is (presented here in expanded form):
dhSinglePass-stdDH-sha384kdf-scheme OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) certicom(132) schemes(1) 11 2 }
The keyEncryptionAlgorithm parameter field MUST be constructed as described in Section 6.1.2.
Key Derivation Functions
KDFs based on SHA-384 are used to derive a pairwise key-encryption key from the shared secret produced by ephemeral-static ECDH. Sections 7.1.8 and 7.2 in [[[RFC5753]]] specify the CMS conventions for using a KDF with the shared secret generated during ephemeral-static ECDH. CNSA Suite-compliant S/MIME implementations MUST follow these conventions.
As specified in Section 7.1.8 of [[[RFC5753]]], the ANSI-X9.63-KDF described in Section 3.6.1 of [SEC1] and based on SHA-384 MUST be used.
As specified in Section 7.2 of [[[RFC5753]]], when using ECDH with the CMS enveloped-data or authenticated-enveloped-data content type, the derivation of key-encryption keys makes use of the ECC-CMS-SharedInfo type:
ECC-CMS-SharedInfo ::= SEQUENCE { keyInfo AlgorithmIdentifier, entityUInfo [0] EXPLICIT OCTET STRING OPTIONAL, suppPubInfo [2] EXPLICIT OCTET STRING }
In the CNSA Suite for S/MIME, the fields of ECC-CMS-SharedInfo are used as follows:
- keyInfo contains the object identifier of the key-encryption
algorithm used to wrap the content-encryption key. If AES-256 Key Wrap is used, then the keyInfo will contain id-aes256-wrap-pad, and the parameters will be absent.
- entityUInfo optionally contains a random value provided by the
message originator. If user keying material (ukm) is included in the KeyAgreeRecipientInfo, then the entityUInfo MUST be present, and it MUST contain the ukm value. If the ukm is not present, then the entityUInfo MUST be absent.
- suppPubInfo contains the length of the generated key-encryption
key in bits, represented as a 32-bit unsigned number, as described in [[[RFC2631]]]. When a 256-bit AES key is used, the length MUST be 0x00000100.
ECC-CMS-SharedInfo is DER encoded and is used as input to the key derivation function, as specified in Section 3.6.1 of [SEC1]. Note that ECC-CMS-SharedInfo differs from the OtherInfo specified in [[[RFC2631]]]. Here, a counter value is not included in the keyInfo field because the KDF specified in [SEC1] ensures that sufficient keying data is provided.
The KDF specified in Section 3.6.1 of [SEC1] describes how to generate an essentially arbitrary amount of keying material from a shared secret, Z, produced by ephemeral-static ECDH. To generate an L-bit key-encryption key (KEK), blocks of key material (KM) are computed by incrementing Counter appropriately until enough material has been generated:
KM(Counter) = Hash ( Z || Counter || ECC-CMS-SharedInfo )
The KM blocks are concatenated left to right as they are generated, and the first (leftmost) L bits are used as the KEK:
KEK = the leftmost L bits of [KM ( counter=1 ) || KM ( counter=2 ) ...]
In the CNSA Suite for S/MIME, the elements of the KDF are defined as follows:
- Hash is a one-way hash function. The SHA-384 hash MUST be used.
- Z is the shared secret value generated during ephemeral-static
ECDH. Z MUST be exactly 384 bits, i.e., leading zero bits MUST be preserved.
- Counter is a 32-bit unsigned number represented in network byte
order. Its initial value MUST be 0x00000001 for any key derivation operation.
- ECC-CMS-SharedInfo is composed as described above. It MUST be DER
encoded.
In the CNSA Suite for S/MIME, exactly one iteration is needed; the Counter is not incremented. The key-encryption key (KEK) MUST be the first (leftmost) 256 bits of the SHA-384 output value:
KEK = the leftmost 256 bits of SHA-384 ( Z || 0x00000001 || ECC-CMS-SharedInfo )
Note that the only source of secret entropy in this computation is Z.
AES Key Wrap
The AES Key Wrap with Padding key-encryption algorithm, as specified in [[[RFC5649]]] and [SP80038F], is used to encrypt the content- encryption key with a pairwise key-encryption key that is generated using ephemeral-static ECDH. Section 8 of [[[RFC5753]]] specifies the CMS conventions for using AES Key Wrap with a pairwise key generated through ephemeral-static ECDH. CNSA Suite-compliant S/MIME implementations MUST follow these conventions.
Within the CMS enveloped-data content type, key wrap algorithm identifiers are located in the KeyWrapAlgorithm parameters within the EnvelopedData RecipientInfos KeyAgreeRecipientInfo keyEncryptionAlgorithm field.
The KeyWrapAlgorithm MUST be id-aes256-wrap-pad. The required algorithm identifier, specified in [[[RFC5649]]], is:
id-aes256-wrap-pad OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) aes(1) 48 }
RSA Key Transport
RSA encryption (RSA) is the CNSA Suite key transport algorithm. The RSA key transport algorithm is the RSA encryption scheme defined in [[[RFC8017]]], where the message to be encrypted is the content- encryption key.
The recipient of an S/MIME message possesses an RSA key pair whose public key is represented by an X.509 certificate. The certificate used to obtain the recipient's public key MUST be compliant with [[[RFC8603]]]. These certificates are suitable for use with either RSAES-OAEP or RSAES-PKCS1-v1_5.
RSAES-PKCS1-v1_5
Section 4.2 of [[[RFC3370]]] specifies the conventions for using RSAES- PKCS1-v1_5 with the CMS. S/MIME implementations employing this form of key transport MUST follow these conventions.
Within the CMS enveloped-data and authenticated-enveloped-data content types, key transport algorithm identifiers are located in the EnvelopedData RecipientInfos KeyTransRecipientInfo keyEncryptionAlgorithm field.
The algorithm identifier for RSA (PKCS #1 v1.5) is:
rsaEncryption OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 1 }
The AlgorithmIdentifier parameters field MUST be present, and the parameters field MUST contain NULL.
RSAES-OAEP
[[[RFC3560]]] specifies the conventions for using RSAES-OAEP with the CMS. CNSA Suite-compliant S/MIME implementations employing this form of key transport MUST follow these conventions.
Within the CMS enveloped-data and authenticated-enveloped-data content types, key transport algorithm identifiers are located in the EnvelopedData RecipientInfos KeyTransRecipientInfo keyEncryptionAlgorithm field.
The algorithm identifier for RSA (OAEP) is:
id-RSAES-OAEP OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 7 }
The parameters field of an AlgorithmIdentifier that identifies RSAES- OAEP is defined in [[[RFC4055]]] as follows:
RSAES-OAEP-params ::= SEQUENCE { hashFunc [0] AlgorithmIdentifier DEFAULT sha1Identifier, maskGenFunc [1] AlgorithmIdentifier DEFAULT mgf1SHA1Identifier, pSourceFunc [2] AlgorithmIdentifier DEFAULT pSpecifiedEmptyIdentifier }
pSpecifiedEmptyIdentifier AlgorithmIdentifier ::= { id-pSpecified, nullOctetString }
nullOctetString OCTET STRING (SIZE (0)) ::= { H }
The AlgorithmIdentifier parameters field MUST be present, and the parameters field MUST contain RSAES-OAEP-params with values as follows:
- The hashFunc algorithm must be id-sha384 as defined in [[[RFC8017]]];
- The mask generation function must use the algorithm identifier
mfg1SHA384Identifier as defined in [[[RFC4055]]];
- The pSourceFunc field must be absent.
The SMIMECapabilities signed attribute is used to specify a partial list of algorithms that the software announcing the SMIMECapabilities can support. If the SMIMECapabilities signed attribute is included to announce support for the RSAES-OAEP algorithm, it MUST be constructed as defined in Section 5 of [[[RFC3560]]], with the sequence representing the rSAES-OAEP-SHA384-Identifier.
Content Encryption
AES-GCM is the preferred mode for CNSA Suite applications, as described in the Security Considerations (Section 8). AES-CBC is acceptable where AES-GCM is not yet available.
AES-GCM Content Encryption
CNSA Suite-compliant S/MIME implementations using the authenticated- enveloped-data content type [[[RFC5083]]] MUST use AES [FIPS197] in Galois Counter Mode (GCM) [SP80038D] as the content-authenticated encryption algorithm and MUST follow the conventions for using AES- GCM with the CMS defined in [[[RFC5084]]].
Within the CMS authenticated-enveloped-data content type, content- authenticated encryption algorithm identifiers are located in the AuthEnvelopedData EncryptedContentInfo contentEncryptionAlgorithm field. The content-authenticated encryption algorithm is used to encipher the content located in the AuthEnvelopedData EncryptedContentInfo encryptedContent field.
The AES-GCM content-authenticated encryption algorithm is described in [FIPS197] and [SP80038D]. The algorithm identifier for AES-256 in GCM mode is:
id-aes256-GCM OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) aes(1) 46 }
The AlgorithmIdentifier parameters field MUST be present, and the parameters field must contain GCMParameters:
GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING, aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }
The authentication tag length (aes-ICVlen) SHALL be 16 (indicating a tag length of 128 bits).
The initialization vector (aes-nonce) MUST be generated in accordance with Section 8.2 of [SP80038D]. AES-GCM loses security catastrophically if a nonce is reused with a given key on more than one distinct set of input data. Therefore, a fresh content- authenticated encryption key MUST be generated for each message.
AES-CBC Content Encryption
CNSA Suite-compliant S/MIME implementations using the enveloped-data content type MUST use AES-256 [FIPS197] in Cipher Block Chaining (CBC) mode [SP80038A] as the content-encryption algorithm and MUST follow the conventions for using AES with the CMS defined in [[[RFC3565]]].
Within the CMS enveloped-data content type, content-encryption algorithm identifiers are located in the EnvelopedData EncryptedContentInfo contentEncryptionAlgorithm field. The content- encryption algorithm is used to encipher the content located in the EnvelopedData EncryptedContentInfo encryptedContent field.
The AES-CBC content-encryption algorithm is described in [FIPS197] and [SP80038A]. The algorithm identifier for AES-256 in CBC mode is:
id-aes256-CBC OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) aes(1) 42 }
The AlgorithmIdentifier parameters field MUST be present, and the parameters field must contain AES-IV:
AES-IV ::= OCTET STRING (SIZE(16))
The 16-octet initialization vector is generated at random by the originator. See [[[RFC4086]]] for guidance on generation of random values.
Security Considerations
This document specifies the conventions for using the NSA's CNSA Suite algorithms in S/MIME. All of the algorithms and algorithm identifiers have been specified in previous documents.
See [[[RFC4086]]] for guidance on generation of random values.
The security considerations in [[[RFC5652]]] discuss the CMS as a method for digitally signing data and encrypting data.
The security considerations in [[[RFC3370]]] discuss cryptographic algorithm implementation concerns in the context of the CMS.
The security considerations in [[[RFC5753]]] discuss the use of elliptic curve cryptography (ECC) in the CMS.
The security considerations in [[[RFC3565]]] discuss the use of AES in the CMS.
The security considerations in [[[RFC8551]]] apply to this profile, particularly the recommendation to use authenticated encryption modes (i.e., use authenticated-enveloped-data with AES-GCM rather than enveloped-data with AES-CBC).
IANA Considerations
This document has no IANA actions.
10. References
10.1. Normative References
[CNSA] Committee for National Security Systems, "Use of Public
Standards for Secure Information Sharing", CNSS Policy 15, October 2016, <https://www.cnss.gov/CNSS/Issuances/Policies.cfm>.
[FIPS180] National Institute of Standards and Technology, "Secure
Hash Standard (SHS)", Federal Information Processing Standard 180-4, August 2015, <https://csrc.nist.gov/publications/detail/fips/180/4/ final>.
[FIPS186] National Institute of Standards and Technology, "Digital
Signature Standard (DSS)", DOI 10.6028/NIST.FIPS.186-4, FIPS PUB 186-4, July 2013, <https://csrc.nist.gov/publications/detail/fips/186/4/ final>.
[FIPS197] National Institute of Standards and Technology, "Advanced
Encryption Standard (AES)", DOI 10.6028/NIST.FIPS.197, FIPS PUB 197, November 2001, <https://csrc.nist.gov/publications/detail/fips/197/ final>.
[[[RFC2119]]] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.
[[[RFC2631]]] Rescorla, E., "Diffie-Hellman Key Agreement Method",
RFC 2631, DOI 10.17487/RFC2631, June 1999, <https://www.rfc-editor.org/info/rfc2631>.
[[[RFC3370]]] Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3370, DOI 10.17487/RFC3370, August 2002, <https://www.rfc-editor.org/info/rfc3370>.
[[[RFC3560]]] Housley, R., "Use of the RSAES-OAEP Key Transport
Algorithm in Cryptographic Message Syntax (CMS)", RFC 3560, DOI 10.17487/RFC3560, July 2003, <https://www.rfc-editor.org/info/rfc3560>.
[[[RFC3565]]] Schaad, J., "Use of the Advanced Encryption Standard (AES)
Encryption Algorithm in Cryptographic Message Syntax (CMS)", RFC 3565, DOI 10.17487/RFC3565, July 2003, <https://www.rfc-editor.org/info/rfc3565>.
[[[RFC4055]]] Schaad, J., Kaliski, B., and R. Housley, "Additional
Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 4055, DOI 10.17487/RFC4055, June 2005, <https://www.rfc-editor.org/info/rfc4055>.
[[[RFC4056]]] Schaad, J., "Use of the RSASSA-PSS Signature Algorithm in
Cryptographic Message Syntax (CMS)", RFC 4056, DOI 10.17487/RFC4056, June 2005, <https://www.rfc-editor.org/info/rfc4056>.
[[[RFC5083]]] Housley, R., "Cryptographic Message Syntax (CMS)
Authenticated-Enveloped-Data Content Type", RFC 5083, DOI 10.17487/RFC5083, November 2007, <https://www.rfc-editor.org/info/rfc5083>.
[[[RFC5084]]] Housley, R., "Using AES-CCM and AES-GCM Authenticated
Encryption in the Cryptographic Message Syntax (CMS)", RFC 5084, DOI 10.17487/RFC5084, November 2007, <https://www.rfc-editor.org/info/rfc5084>.
[[[RFC5480]]] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
"Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, <https://www.rfc-editor.org/info/rfc5480>.
[[[RFC5649]]] Housley, R. and M. Dworkin, "Advanced Encryption Standard
(AES) Key Wrap with Padding Algorithm", RFC 5649, DOI 10.17487/RFC5649, September 2009, <https://www.rfc-editor.org/info/rfc5649>.
[[[RFC5652]]] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009, <https://www.rfc-editor.org/info/rfc5652>.
[[[RFC5753]]] Turner, S. and D. Brown, "Use of Elliptic Curve
Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January 2010, <https://www.rfc-editor.org/info/rfc5753>.
[[[RFC5754]]] Turner, S., "Using SHA2 Algorithms with Cryptographic
Message Syntax", RFC 5754, DOI 10.17487/RFC5754, January 2010, <https://www.rfc-editor.org/info/rfc5754>.
[[[RFC8017]]] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
"PKCS #1: RSA Cryptography Specifications Version 2.2", RFC 8017, DOI 10.17487/RFC8017, November 2016, <https://www.rfc-editor.org/info/rfc8017>.
[[[RFC8174]]] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[[[RFC8551]]] Schaad, J., Ramsdell, B., and S. Turner, "Secure/
Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification", RFC 8551, DOI 10.17487/RFC8551, April 2019, <https://www.rfc-editor.org/info/rfc8551>.
[[[RFC8603]]] Jenkins, M. and L. Zieglar, "Commercial National Security
Algorithm (CNSA) Suite Certificate and Certificate Revocation List (CRL) Profile", RFC 8603, DOI 10.17487/RFC8603, May 2019, <https://www.rfc-editor.org/info/rfc8603>.
[SEC1] Standards for Efficient Cryptography Group, "SEC1:
Elliptic Curve Cryptography", May 2009, <https://www.secg.org/sec1-v2.pdf>.
[SP80038A] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: Methods and Techniques", DOI 10.6028/NIST.SP.800-38A, Special Publication 800-38A, December 2001, <https://csrc.nist.gov/publications/detail/ sp/800-38a/final>.
[SP80038D] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: Galois/Counter Mode (GCM) and GMAC", DOI 10.6028/NIST.SP.800-38D, Special Publication 800-38D, November 2007, <https://csrc.nist.gov/publications/detail/ sp/800-38d/final>.
[SP80038F] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation: Methods for Key Wrapping", DOI 10.6028/NIST.SP.800-38F, Special Publication 800-38F, December 2012, <https://csrc.nist.gov/publications/detail/ sp/800-38f/final>.
[X208] CCITT, "Specification of Abstract Syntax Notation One
(ASN.1)", CCITT Recommendation X.208, 1988, <https://www.itu.int/rec/T-REC-X.208-198811-W/en>.
[X209] CCITT, "Specification of Basic Encoding Rules for Abstract
Syntax Notation One (ASN.1)", CCITT Recommendation X.209, 1988, <https://www.itu.int/rec/T-REC-X.209-198811-W/en>.
[X509] CCITT, "The Directory - Authentication Framework", CCITT
Recommendation X.509, 1988, <https://www.itu.int/rec/T-REC-X.509-198811-S>.
10.2. Informative References
[[[RFC4086]]] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086, DOI 10.17487/RFC4086, June 2005, <https://www.rfc-editor.org/info/rfc4086>.
[SP80059] Barker, W., "Guideline for Identifying an Information
System as a National Security System", DOI 10.6028/NIST.SP.800-59, Special Publication 800-59, August 2003, <https://csrc.nist.gov/publications/detail/ sp/800-59/final>.
Author's Address
Michael Jenkins National Security Agency
Email: [email protected]