diff options
Diffstat (limited to 'doc/rfc/rfc8696.txt')
| -rw-r--r-- | doc/rfc/rfc8696.txt | 1438 |
1 files changed, 1438 insertions, 0 deletions
diff --git a/doc/rfc/rfc8696.txt b/doc/rfc/rfc8696.txt new file mode 100644 index 0000000..71a70e8 --- /dev/null +++ b/doc/rfc/rfc8696.txt @@ -0,0 +1,1438 @@ + + + + +Internet Engineering Task Force (IETF) R. Housley +Request for Comments: 8696 Vigil Security +Category: Standards Track December 2019 +ISSN: 2070-1721 + + + Using Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS) + +Abstract + + The invention of a large-scale quantum computer would pose a serious + challenge for the cryptographic algorithms that are widely deployed + today. The Cryptographic Message Syntax (CMS) supports key transport + and key agreement algorithms that could be broken by the invention of + such a quantum computer. By storing communications that are + protected with the CMS today, someone could decrypt them in the + future when a large-scale quantum computer becomes available. Once + quantum-secure key management algorithms are available, the CMS will + be extended to support the new algorithms if the existing syntax does + not accommodate them. This document describes a mechanism to protect + today's communication from the future invention of a large-scale + quantum computer by mixing the output of key transport and key + agreement algorithms with a pre-shared key. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc8696. + +Copyright Notice + + Copyright (c) 2019 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction + 1.1. Terminology + 1.2. ASN.1 + 1.3. Version Numbers + 2. Overview + 3. keyTransPSK + 4. keyAgreePSK + 5. Key Derivation + 6. ASN.1 Module + 7. Security Considerations + 8. Privacy Considerations + 9. IANA Considerations + 10. References + 10.1. Normative References + 10.2. Informative References + Appendix A. Key Transport with PSK Example + A.1. Originator Processing Example + A.2. ContentInfo and AuthEnvelopedData + A.3. Recipient Processing Example + Appendix B. Key Agreement with PSK Example + B.1. Originator Processing Example + B.2. ContentInfo and AuthEnvelopedData + B.3. Recipient Processing Example + Acknowledgements + Author's Address + +1. Introduction + + The invention of a large-scale quantum computer would pose a serious + challenge for the cryptographic algorithms that are widely deployed + today [S1994]. It is an open question whether or not it is feasible + to build a large-scale quantum computer and, if so, when that might + happen [NAS2019]. However, if such a quantum computer is invented, + many of the cryptographic algorithms and the security protocols that + use them would become vulnerable. + + The Cryptographic Message Syntax (CMS) [RFC5652][RFC5083] supports + key transport and key agreement algorithms that could be broken by + the invention of a large-scale quantum computer [C2PQ]. These + algorithms include RSA [RFC8017], Diffie-Hellman [RFC2631], and + Elliptic Curve Diffie-Hellman (ECDH) [RFC5753]. As a result, an + adversary that stores CMS-protected communications today could + decrypt those communications in the future when a large-scale quantum + computer becomes available. + + Once quantum-secure key management algorithms are available, the CMS + will be extended to support them if the existing syntax does not + already accommodate the new algorithms. + + In the near term, this document describes a mechanism to protect + today's communication from the future invention of a large-scale + quantum computer by mixing the output of existing key transport and + key agreement algorithms with a pre-shared key (PSK). Secure + communication can be achieved today by mixing a strong PSK with the + output of an existing key transport algorithm, like RSA [RFC8017], or + an existing key agreement algorithm, like Diffie-Hellman [RFC2631] or + Elliptic Curve Diffie-Hellman (ECDH) [RFC5753]. A security solution + that is believed to be quantum resistant can be achieved by using a + PSK with sufficient entropy along with a quantum-resistant key + derivation function (KDF), like an HMAC-based key derivation function + (HKDF) [RFC5869], and a quantum-resistant encryption algorithm, like + 256-bit AES [AES]. In this way, today's CMS-protected communication + can be resistant to an attacker with a large-scale quantum computer. + + In addition, there may be other reasons for including a strong PSK + besides protection against the future invention of a large-scale + quantum computer. For example, there is always the possibility of a + cryptoanalytic breakthrough on one or more classic public key + algorithms, and there are longstanding concerns about undisclosed + trapdoors in Diffie-Hellman parameters [FGHT2016]. Inclusion of a + strong PSK as part of the overall key management offers additional + protection against these concerns. + + Note that the CMS also supports key management techniques based on + symmetric key-encryption keys and passwords, but they are not + discussed in this document because they are already quantum + resistant. The symmetric key-encryption key technique is quantum + resistant when used with an adequate key size. The password + technique is quantum resistant when used with a quantum-resistant key + derivation function and a sufficiently large password. + +1.1. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + +1.2. ASN.1 + + CMS values are generated using ASN.1 [X680], which uses the Basic + Encoding Rules (BER) and the Distinguished Encoding Rules (DER) + [X690]. + +1.3. Version Numbers + + The major data structures include a version number as the first item + in the data structure. The version number is intended to avoid ASN.1 + decode errors. Some implementations do not check the version number + prior to attempting a decode; then, if a decode error occurs, the + version number is checked as part of the error-handling routine. + This is a reasonable approach; it places error processing outside of + the fast path. This approach is also forgiving when an incorrect + version number is used by the sender. + + Whenever the structure is updated, a higher version number will be + assigned. However, to ensure maximum interoperability, the higher + version number is only used when the new syntax feature is employed. + That is, the lowest version number that supports the generated syntax + is used. + +2. Overview + + The CMS enveloped-data content type [RFC5652] and the CMS + authenticated-enveloped-data content type [RFC5083] support both key + transport and key agreement public key algorithms to establish the + key used to encrypt the content. No restrictions are imposed on the + key transport or key agreement public key algorithms, which means + that any key transport or key agreement algorithm can be used, + including algorithms that are specified in the future. In both + cases, the sender randomly generates the content-encryption key, and + then all recipients obtain that key. All recipients use the sender- + generated symmetric content-encryption key for decryption. + + This specification defines two quantum-resistant ways to establish a + symmetric key-encryption key, which is used to encrypt the sender- + generated content-encryption key. In both cases, the PSK is used as + one of the inputs to a key-derivation function to create a quantum- + resistant key-encryption key. The PSK MUST be distributed to the + sender and all of the recipients by some out-of-band means that does + not make it vulnerable to the future invention of a large-scale + quantum computer, and an identifier MUST be assigned to the PSK. It + is best if each PSK has a unique identifier; however, if a recipient + has more than one PSK with the same identifier, the recipient can try + each of them in turn. A PSK is expected to be used with many + messages, with a lifetime of weeks or months. + + The content-encryption key or content-authenticated-encryption key is + quantum resistant, and the sender establishes it using these steps: + + When using a key transport algorithm: + + 1. The content-encryption key or the content-authenticated- + encryption key, called "CEK", is generated at random. + + 2. The key-derivation key, called "KDK", is generated at random. + + 3. For each recipient, the KDK is encrypted in the recipient's + public key, then the KDF is used to mix the PSK and the KDK to + produce the key-encryption key, called "KEK". + + 4. The KEK is used to encrypt the CEK. + + When using a key agreement algorithm: + + 1. The content-encryption key or the content-authenticated- + encryption key, called "CEK", is generated at random. + + 2. For each recipient, a pairwise key-encryption key, called "KEK1", + is established using the recipient's public key and the sender's + private key. Note that KEK1 will be used as a key-derivation + key. + + 3. For each recipient, the KDF is used to mix the PSK and the + pairwise KEK1, and the result is called "KEK2". + + 4. For each recipient, the pairwise KEK2 is used to encrypt the CEK. + + As specified in Section 6.2.5 of [RFC5652], recipient information for + additional key management techniques is represented in the + OtherRecipientInfo type. Two key management techniques are specified + in this document, and they are each identified by a unique ASN.1 + object identifier. + + The first key management technique, called "keyTransPSK" (see + Section 3), uses a key transport algorithm to transfer the key- + derivation key from the sender to the recipient, and then the key- + derivation key is mixed with the PSK using a KDF. The output of the + KDF is the key-encryption key, which is used for the encryption of + the content-encryption key or content-authenticated-encryption key. + + The second key management technique, called "keyAgreePSK" (see + Section 4), uses a key agreement algorithm to establish a pairwise + key-encryption key. This pairwise key-encryption key is then mixed + with the PSK using a KDF to produce a second pairwise key-encryption + key, which is then used to encrypt the content-encryption key or + content-authenticated-encryption key. + +3. keyTransPSK + + Per-recipient information using keyTransPSK is represented in the + KeyTransPSKRecipientInfo type, which is indicated by the id-ori- + keyTransPSK object identifier. Each instance of + KeyTransPSKRecipientInfo establishes the content-encryption key or + content-authenticated-encryption key for one or more recipients that + have access to the same PSK. + + The id-ori-keyTransPSK object identifier is: + + id-ori OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) 13 } + + id-ori-keyTransPSK OBJECT IDENTIFIER ::= { id-ori 1 } + + The KeyTransPSKRecipientInfo type is: + + KeyTransPSKRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 0 + pskid PreSharedKeyIdentifier, + kdfAlgorithm KeyDerivationAlgorithmIdentifier, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + ktris KeyTransRecipientInfos, + encryptedKey EncryptedKey } + + PreSharedKeyIdentifier ::= OCTET STRING + + KeyTransRecipientInfos ::= SEQUENCE OF KeyTransRecipientInfo + + The fields of the KeyTransPSKRecipientInfo type have the following + meanings: + + * version is the syntax version number. The version MUST be 0. The + CMSVersion type is described in Section 10.2.5 of [RFC5652]. + + * pskid is the identifier of the PSK used by the sender. The + identifier is an OCTET STRING, and it need not be human readable. + + * kdfAlgorithm identifies the key-derivation algorithm and any + associated parameters used by the sender to mix the key-derivation + key and the PSK to generate the key-encryption key. The + KeyDerivationAlgorithmIdentifier is described in Section 10.1.6 of + [RFC5652]. + + * keyEncryptionAlgorithm identifies a key-encryption algorithm used + to encrypt the content-encryption key. The + KeyEncryptionAlgorithmIdentifier is described in Section 10.1.3 of + [RFC5652]. + + * ktris contains one KeyTransRecipientInfo type for each recipient; + it uses a key transport algorithm to establish the key-derivation + key. That is, the encryptedKey field of KeyTransRecipientInfo + contains the key-derivation key instead of the content-encryption + key. KeyTransRecipientInfo is described in Section 6.2.1 of + [RFC5652]. + + * encryptedKey is the result of encrypting the content-encryption + key or the content-authenticated-encryption key with the key- + encryption key. EncryptedKey is an OCTET STRING. + +4. keyAgreePSK + + Per-recipient information using keyAgreePSK is represented in the + KeyAgreePSKRecipientInfo type, which is indicated by the id-ori- + keyAgreePSK object identifier. Each instance of + KeyAgreePSKRecipientInfo establishes the content-encryption key or + content-authenticated-encryption key for one or more recipients that + have access to the same PSK. + + The id-ori-keyAgreePSK object identifier is: + + id-ori-keyAgreePSK OBJECT IDENTIFIER ::= { id-ori 2 } + The KeyAgreePSKRecipientInfo type is: + + KeyAgreePSKRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 0 + pskid PreSharedKeyIdentifier, + originator [0] EXPLICIT OriginatorIdentifierOrKey, + ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL, + kdfAlgorithm KeyDerivationAlgorithmIdentifier, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + recipientEncryptedKeys RecipientEncryptedKeys } + + The fields of the KeyAgreePSKRecipientInfo type have the following + meanings: + + * version is the syntax version number. The version MUST be 0. The + CMSVersion type is described in Section 10.2.5 of [RFC5652]. + + * pskid is the identifier of the PSK used by the sender. The + identifier is an OCTET STRING, and it need not be human readable. + + * originator is a CHOICE with three alternatives specifying the + sender's key agreement public key. Implementations MUST support + all three alternatives for specifying the sender's public key. + The sender uses their own private key and the recipient's public + key to generate a pairwise key-encryption key. A KDF is used to + mix the PSK and the pairwise key-encryption key to produce a + second key-encryption key. The OriginatorIdentifierOrKey type is + described in Section 6.2.2 of [RFC5652]. + + * ukm is optional. With some key agreement algorithms, the sender + provides a User Keying Material (UKM) to ensure that a different + key is generated each time the same two parties generate a + pairwise key. Implementations MUST accept a + KeyAgreePSKRecipientInfo SEQUENCE that includes a ukm field. + Implementations that do not support key agreement algorithms that + make use of UKMs MUST gracefully handle the presence of UKMs. The + UserKeyingMaterial type is described in Section 10.2.6 of + [RFC5652]. + + * kdfAlgorithm identifies the key-derivation algorithm and any + associated parameters used by the sender to mix the pairwise key- + encryption key and the PSK to produce a second key-encryption key + of the same length as the first one. The + KeyDerivationAlgorithmIdentifier is described in Section 10.1.6 of + [RFC5652]. + + * keyEncryptionAlgorithm identifies a key-encryption algorithm used + to encrypt the content-encryption key or the content- + authenticated-encryption key. The + KeyEncryptionAlgorithmIdentifier type is described in + Section 10.1.3 of [RFC5652]. + + * recipientEncryptedKeys includes a recipient identifier and + encrypted key for one or more recipients. The + KeyAgreeRecipientIdentifier is a CHOICE with two alternatives + specifying the recipient's certificate, and thereby the + recipient's public key, that was used by the sender to generate a + pairwise key-encryption key. The encryptedKey is the result of + encrypting the content-encryption key or the content- + authenticated-encryption key with the second pairwise key- + encryption key. EncryptedKey is an OCTET STRING. The + RecipientEncryptedKeys type is defined in Section 6.2.2 of + [RFC5652]. + +5. Key Derivation + + Many KDFs internally employ a one-way hash function. When this is + the case, the hash function that is used is indirectly indicated by + the KeyDerivationAlgorithmIdentifier. HKDF [RFC5869] is one example + of a KDF that makes use of a hash function. + + Other KDFs internally employ an encryption algorithm. When this is + the case, the encryption that is used is indirectly indicated by the + KeyDerivationAlgorithmIdentifier. For example, AES-128-CMAC can be + used for randomness extraction in a KDF as described in [NIST2018]. + + A KDF has several input values. This section describes the + conventions for using the KDF to compute the key-encryption key for + KeyTransPSKRecipientInfo and KeyAgreePSKRecipientInfo. For + simplicity, the terminology used in the HKDF specification [RFC5869] + is used here. + + The KDF inputs are: + + * IKM is the input keying material; it is the symmetric secret input + to the KDF. For KeyTransPSKRecipientInfo, it is the key- + derivation key. For KeyAgreePSKRecipientInfo, it is the pairwise + key-encryption key produced by the key agreement algorithm. + + * salt is an optional non-secret random value. Many KDFs do not + require a salt, and the KeyDerivationAlgorithmIdentifier + assignments for HKDF [RFC8619] do not offer a parameter for a + salt. If a particular KDF requires a salt, then the salt value is + provided as a parameter of the KeyDerivationAlgorithmIdentifier. + + * L is the length of output keying material in octets; the value + depends on the key-encryption algorithm that will be used. The + algorithm is identified by the KeyEncryptionAlgorithmIdentifier. + In addition, the OBJECT IDENTIFIER portion of the + KeyEncryptionAlgorithmIdentifier is included in the next input + value, called "info". + + * info is optional context and application specific information. + The DER encoding of CMSORIforPSKOtherInfo is used as the info + value, and the PSK is included in this structure. Note that + EXPLICIT tagging is used in the ASN.1 module that defines this + structure. For KeyTransPSKRecipientInfo, the ENUMERATED value of + 5 is used. For KeyAgreePSKRecipientInfo, the ENUMERATED value of + 10 is used. CMSORIforPSKOtherInfo is defined by the following + ASN.1 structure: + + CMSORIforPSKOtherInfo ::= SEQUENCE { + psk OCTET STRING, + keyMgmtAlgType ENUMERATED { + keyTrans (5), + keyAgree (10) }, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + pskLength INTEGER (1..MAX), + kdkLength INTEGER (1..MAX) } + + The fields of type CMSORIforPSKOtherInfo have the following meanings: + + * psk is an OCTET STRING; it contains the PSK. + + * keyMgmtAlgType is either set to 5 or 10. For + KeyTransPSKRecipientInfo, the ENUMERATED value of 5 is used. For + KeyAgreePSKRecipientInfo, the ENUMERATED value of 10 is used. + + * keyEncryptionAlgorithm is the KeyEncryptionAlgorithmIdentifier, + which identifies the algorithm and provides algorithm parameters, + if any. + + * pskLength is a positive integer; it contains the length of the PSK + in octets. + + * kdkLength is a positive integer; it contains the length of the + key-derivation key in octets. For KeyTransPSKRecipientInfo, the + key-derivation key is generated by the sender. For + KeyAgreePSKRecipientInfo, the key-derivation key is the pairwise + key-encryption key produced by the key agreement algorithm. + + The KDF output is: + + * OKM is the output keying material, which is exactly L octets. The + OKM is the key-encryption key that is used to encrypt the content- + encryption key or the content-authenticated-encryption key. + + An acceptable KDF MUST accept IKM, L, and info inputs; an acceptable + KDF MAY also accept salt and other inputs. All of these inputs MUST + influence the output of the KDF. If the KDF requires a salt or other + inputs, then those inputs MUST be provided as parameters of the + KeyDerivationAlgorithmIdentifier. + +6. ASN.1 Module + + This section contains the ASN.1 module for the two key management + techniques defined in this document. This module imports types from + other ASN.1 modules that are defined in [RFC5912] and [RFC6268]. + + <CODE BEGINS> + CMSORIforPSK-2019 + { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) + smime(16) modules(0) id-mod-cms-ori-psk-2019(69) } + + DEFINITIONS EXPLICIT TAGS ::= + BEGIN + + -- EXPORTS All + + IMPORTS + + AlgorithmIdentifier{}, KEY-DERIVATION + FROM AlgorithmInformation-2009 -- [RFC5912] + { iso(1) identified-organization(3) dod(6) internet(1) + security(5) mechanisms(5) pkix(7) id-mod(0) + id-mod-algorithmInformation-02(58) } + + OTHER-RECIPIENT, OtherRecipientInfo, CMSVersion, + KeyTransRecipientInfo, OriginatorIdentifierOrKey, + UserKeyingMaterial, RecipientEncryptedKeys, EncryptedKey, + KeyDerivationAlgorithmIdentifier, KeyEncryptionAlgorithmIdentifier + FROM CryptographicMessageSyntax-2010 -- [RFC6268] + { iso(1) member-body(2) us(840) rsadsi(113549) + pkcs(1) pkcs-9(9) smime(16) modules(0) + id-mod-cms-2009(58) } ; + -- + -- OtherRecipientInfo Types (ori-) + -- + + SupportedOtherRecipInfo OTHER-RECIPIENT ::= { + ori-keyTransPSK | + ori-keyAgreePSK, + ... } + + -- + -- Key Transport with Pre-Shared Key + -- + + ori-keyTransPSK OTHER-RECIPIENT ::= { + KeyTransPSKRecipientInfo IDENTIFIED BY id-ori-keyTransPSK } + + id-ori OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) 13 } + + id-ori-keyTransPSK OBJECT IDENTIFIER ::= { id-ori 1 } + + KeyTransPSKRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 0 + pskid PreSharedKeyIdentifier, + kdfAlgorithm KeyDerivationAlgorithmIdentifier, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + ktris KeyTransRecipientInfos, + encryptedKey EncryptedKey } + + PreSharedKeyIdentifier ::= OCTET STRING + + KeyTransRecipientInfos ::= SEQUENCE OF KeyTransRecipientInfo + + -- + -- Key Agreement with Pre-Shared Key + -- + + ori-keyAgreePSK OTHER-RECIPIENT ::= { + KeyAgreePSKRecipientInfo IDENTIFIED BY id-ori-keyAgreePSK } + + id-ori-keyAgreePSK OBJECT IDENTIFIER ::= { id-ori 2 } + KeyAgreePSKRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 0 + pskid PreSharedKeyIdentifier, + originator [0] EXPLICIT OriginatorIdentifierOrKey, + ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL, + kdfAlgorithm KeyDerivationAlgorithmIdentifier, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + recipientEncryptedKeys RecipientEncryptedKeys } + + -- + -- Structure to provide 'info' input to the KDF, + -- including the Pre-Shared Key + -- + + CMSORIforPSKOtherInfo ::= SEQUENCE { + psk OCTET STRING, + keyMgmtAlgType ENUMERATED { + keyTrans (5), + keyAgree (10) }, + keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier, + pskLength INTEGER (1..MAX), + kdkLength INTEGER (1..MAX) } + + END + <CODE ENDS> + +7. Security Considerations + + The security considerations related to the CMS enveloped-data content + type in [RFC5652] and the security considerations related to the CMS + authenticated-enveloped-data content type in [RFC5083] continue to + apply. + + Implementations of the key derivation function must compute the + entire result, which, in this specification, is a key-encryption key, + before outputting any portion of the result. The resulting key- + encryption key must be protected. Compromise of the key-encryption + key may result in the disclosure of all content-encryption keys or + content-authenticated-encryption keys that were protected with that + keying material; this, in turn, may result in the disclosure of the + content. Note that there are two key-encryption keys when a PSK with + a key agreement algorithm is used, with similar consequences for the + compromise of either one of these keys. + + Implementations must protect the PSK, key transport private key, + agreement private key, and key-derivation key. Compromise of the PSK + will make the encrypted content vulnerable to the future invention of + a large-scale quantum computer. Compromise of the PSK and either the + key transport private key or the agreement private key may result in + the disclosure of all contents protected with that combination of + keying material. Compromise of the PSK and the key-derivation key + may result in the disclosure of all contents protected with that + combination of keying material. + + A large-scale quantum computer will essentially negate the security + provided by the key transport algorithm or the key agreement + algorithm, which means that the attacker with a large-scale quantum + computer can discover the key-derivation key. In addition, a large- + scale quantum computer effectively cuts the security provided by a + symmetric key algorithm in half. Therefore, the PSK needs at least + 256 bits of entropy to provide 128 bits of security. To match that + same level of security, the key derivation function needs to be + quantum resistant and produce a key-encryption key that is at least + 256 bits in length. Similarly, the content-encryption key or + content-authenticated-encryption key needs to be at least 256 bits in + length. + + When using a PSK with a key transport or a key agreement algorithm, a + key-encryption key is produced to encrypt the content-encryption key + or content-authenticated-encryption key. If the key-encryption + algorithm is different than the algorithm used to protect the + content, then the effective security is determined by the weaker of + the two algorithms. If, for example, content is encrypted with + 256-bit AES and the key is wrapped with 128-bit AES, then, at most, + 128 bits of protection are provided. Implementers must ensure that + the key-encryption algorithm is as strong or stronger than the + content-encryption algorithm or content-authenticated-encryption + algorithm. + + The selection of the key-derivation function imposes an upper bound + on the strength of the resulting key-encryption key. The strength of + the selected key-derivation function should be at least as strong as + the key-encryption algorithm that is selected. NIST SP 800-56C + Revision 1 [NIST2018] offers advice on the security strength of + several popular key-derivation functions. + + Implementers should not mix quantum-resistant key management + algorithms with their non-quantum-resistant counterparts. For + example, the same content should not be protected with + KeyTransRecipientInfo and KeyTransPSKRecipientInfo. Likewise, the + same content should not be protected with KeyAgreeRecipientInfo and + KeyAgreePSKRecipientInfo. Doing so would make the content vulnerable + to the future invention of a large-scale quantum computer. + + Implementers should not send the same content in different messages, + one using a quantum-resistant key management algorithm and the other + using a non-quantum-resistant key management algorithm, even if the + content-encryption key is generated independently. Doing so may + allow an eavesdropper to correlate the messages, making the content + vulnerable to the future invention of a large-scale quantum computer. + + This specification does not require that PSK be known only by the + sender and recipients. The PSK may be known to a group. Since + confidentiality depends on the key transport or key agreement + algorithm, knowledge of the PSK by other parties does not inherently + enable eavesdropping. However, group members can record the traffic + of other members and then decrypt it if they ever gain access to a + large-scale quantum computer. Also, when many parties know the PSK, + there are many opportunities for theft of the PSK by an attacker. + Once an attacker has the PSK, they can decrypt stored traffic if they + ever gain access to a large-scale quantum computer in the same manner + as a legitimate group member. + + Sound cryptographic key hygiene is to use a key for one and only one + purpose. Use of the recipient's public key for both the traditional + CMS and the PSK-mixing variation specified in this document would be + a violation of this principle; however, there is no known way for an + attacker to take advantage of this situation. That said, an + application should enforce separation whenever possible. For + example, a purpose identifier for use in the X.509 extended key usage + certificate extension [RFC5280] could be identified in the future to + indicate that a public key should only be used in conjunction with or + without a PSK. + + Implementations must randomly generate key-derivation keys as well as + content-encryption keys or content-authenticated-encryption keys. + Also, the generation of public/private key pairs for the key + transport and key agreement algorithms rely on random numbers. The + use of inadequate pseudorandom number generators (PRNGs) to generate + cryptographic keys can result in little or no security. An attacker + may find it much easier to reproduce the PRNG environment that + produced the keys, searching the resulting small set of + possibilities, rather than brute-force searching the whole key space. + The generation of quality random numbers is difficult. [RFC4086] + offers important guidance in this area. + + Implementers should be aware that cryptographic algorithms become + weaker with time. As new cryptanalysis techniques are developed and + computing performance improves, the work factor to break a particular + cryptographic algorithm will be reduced. Therefore, cryptographic + algorithm implementations should be modular, allowing new algorithms + to be readily inserted. That is, implementers should be prepared for + the set of supported algorithms to change over time. + + The security properties provided by the mechanisms specified in this + document can be validated using formal methods. A ProVerif proof in + [H2019] shows that an attacker with a large-scale quantum computer + that is capable of breaking the Diffie-Hellman key agreement + algorithm cannot disrupt the delivery of the content-encryption key + to the recipient and that the attacker cannot learn the content- + encryption key from the protocol exchange. + +8. Privacy Considerations + + An observer can see which parties are using each PSK simply by + watching the PSK key identifiers. However, the addition of these key + identifiers does not really weaken the privacy situation. When key + transport is used, the RecipientIdentifier is always present, and it + clearly identifies each recipient to an observer. When key agreement + is used, either the IssuerAndSerialNumber or the + RecipientKeyIdentifier is always present, and these clearly identify + each recipient. + +9. IANA Considerations + + One object identifier for the ASN.1 module in Section 6 was assigned + in the "SMI Security for S/MIME Module Identifier + (1.2.840.113549.1.9.16.0)" registry [IANA]: + + id-mod-cms-ori-psk-2019 OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-9(9) smime(16) mod(0) 69 } + + One new entry has been added in the "SMI Security for S/MIME Mail + Security (1.2.840.113549.1.9.16)" registry [IANA]: + + id-ori OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) + rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) 13 } + + A new registry titled "SMI Security for S/MIME Other Recipient Info + Identifiers (1.2.840.113549.1.9.16.13)" has been created. + + Updates to the new registry are to be made according to the + Specification Required policy as defined in [RFC8126]. The expert is + expected to ensure that any new values identify additional + RecipientInfo structures for use with the CMS. Object identifiers + for other purposes should not be assigned in this arc. + + Two assignments were made in the new "SMI Security for S/MIME Other + Recipient Info Identifiers (1.2.840.113549.1.9.16.13)" registry + [IANA] with references to this document: + + id-ori-keyTransPSK OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-9(9) smime(16) id-ori(13) 1 } + + id-ori-keyAgreePSK OBJECT IDENTIFIER ::= { + iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) + pkcs-9(9) smime(16) id-ori(13) 2 } + +10. References + +10.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <https://www.rfc-editor.org/info/rfc2119>. + + [RFC5083] Housley, R., "Cryptographic Message Syntax (CMS) + Authenticated-Enveloped-Data Content Type", RFC 5083, + DOI 10.17487/RFC5083, November 2007, + <https://www.rfc-editor.org/info/rfc5083>. + + [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, + RFC 5652, DOI 10.17487/RFC5652, September 2009, + <https://www.rfc-editor.org/info/rfc5652>. + + [RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the + Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, + DOI 10.17487/RFC5912, June 2010, + <https://www.rfc-editor.org/info/rfc5912>. + + [RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules + for the Cryptographic Message Syntax (CMS) and the Public + Key Infrastructure Using X.509 (PKIX)", RFC 6268, + DOI 10.17487/RFC6268, July 2011, + <https://www.rfc-editor.org/info/rfc6268>. + + [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for + Writing an IANA Considerations Section in RFCs", BCP 26, + RFC 8126, DOI 10.17487/RFC8126, June 2017, + <https://www.rfc-editor.org/info/rfc8126>. + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, <https://www.rfc-editor.org/info/rfc8174>. + + [X680] ITU-T, "Information technology -- Abstract Syntax Notation + One (ASN.1): Specification of basic notation", + ITU-T Recommendation X.680, August 2015. + + [X690] ITU-T, "Information technology -- ASN.1 encoding rules: + Specification of Basic Encoding Rules (BER), Canonical + Encoding Rules (CER) and Distinguished Encoding Rules + (DER)", ITU-T Recommendation X.690, August 2015. + +10.2. Informative References + + [AES] National Institute of Standards and Technology, "Advanced + Encryption Standard (AES)", DOI 10.6028/NIST.FIPS.197, + NIST PUB 197, November 2001, + <https://doi.org/10.6028/NIST.FIPS.197>. + + [C2PQ] Hoffman, P., "The Transition from Classical to Post- + Quantum Cryptography", Work in Progress, Internet-Draft, + draft-hoffman-c2pq-06, 25 November 2019, + <https://tools.ietf.org/html/draft-hoffman-c2pq-06>. + + [FGHT2016] Fried, J., Gaudry, P., Heninger, N., and E. Thome, "A + kilobit hidden SNFS discrete logarithm computation", + Cryptology ePrint Archive Report 2016/961, October 2016, + <https://eprint.iacr.org/2016/961.pdf>. + + [H2019] Hammell, J., "Subject: [lamps] WG Last Call for draft- + ietf-lamps-cms-mix-with-psk"", message to the IETF mailing + list, May 2019, <https://mailarchive.ietf.org/arch/msg/ + spasm/_6d_4jp3sOprAnbU2fp_yp_-6-k>. + + [IANA] IANA, "Structure of Management Information (SMI) Numbers + (MIB Module Registrations)", + <https://www.iana.org/assignments/smi-numbers>. + + [NAS2019] National Academies of Sciences, Engineering, and Medicine, + "Quantum Computing: Progress and Prospects", + DOI 10.17226/25196, 2019, + <https://doi.org/10.17226/25196>. + + [NIST2018] Barker, E., Chen, L., and R. Davis, "Recommendation for + Key-Derivation Methods in Key-Establishment Schemes", NIST + Special Publication 800-56C Revision 1, April 2018, + <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/ + NIST.SP.800-56Cr1.pdf>. + + [RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method", + RFC 2631, DOI 10.17487/RFC2631, June 1999, + <https://www.rfc-editor.org/info/rfc2631>. + + [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, + "Randomness Requirements for Security", BCP 106, RFC 4086, + DOI 10.17487/RFC4086, June 2005, + <https://www.rfc-editor.org/info/rfc4086>. + + [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., + Housley, R., and W. Polk, "Internet X.509 Public Key + Infrastructure Certificate and Certificate Revocation List + (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, + <https://www.rfc-editor.org/info/rfc5280>. + + [RFC5753] Turner, S. and D. Brown, "Use of Elliptic Curve + Cryptography (ECC) Algorithms in Cryptographic Message + Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January + 2010, <https://www.rfc-editor.org/info/rfc5753>. + + [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand + Key Derivation Function (HKDF)", RFC 5869, + DOI 10.17487/RFC5869, May 2010, + <https://www.rfc-editor.org/info/rfc5869>. + + [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, + "PKCS #1: RSA Cryptography Specifications Version 2.2", + RFC 8017, DOI 10.17487/RFC8017, November 2016, + <https://www.rfc-editor.org/info/rfc8017>. + + [RFC8619] Housley, R., "Algorithm Identifiers for the HMAC-based + Extract-and-Expand Key Derivation Function (HKDF)", + RFC 8619, DOI 10.17487/RFC8619, June 2019, + <https://www.rfc-editor.org/info/rfc8619>. + + [S1994] Shor, P., "Algorithms for Quantum Computation: Discrete + Logarithms and Factoring", Proceedings of the 35th Annual + Symposium on Foundations of Computer Science, pp. + 124-134", November 1994. + +Appendix A. Key Transport with PSK Example + + This example shows the establishment of an AES-256 content-encryption + key using: + + * a pre-shared key of 256 bits; + + * key transport using RSA PKCS#1 v1.5 with a 3072-bit key; + + * key derivation using HKDF with SHA-384; and + + * key wrap using AES-256-KEYWRAP. + + In real-world use, the originator would encrypt the key-derivation + key in their own RSA public key as well as the recipient's public + key. This is omitted in an attempt to simplify the example. + +A.1. Originator Processing Example + + The pre-shared key known to Alice and Bob, in hexadecimal, is: + + c244cdd11a0d1f39d9b61282770244fb0f6befb91ab7f96cb05213365cf95b15 + + The identifier assigned to the pre-shared key is: + + ptf-kmc:13614122112 + + Alice obtains Bob's public key: + + -----BEGIN PUBLIC KEY----- + MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA3ocW14cxncPJ47fnEjBZ + AyfC2lqapL3ET4jvV6C7gGeVrRQxWPDwl+cFYBBR2ej3j3/0ecDmu+XuVi2+s5JH + Keeza+itfuhsz3yifgeEpeK8T+SusHhn20/NBLhYKbh3kiAcCgQ56dpDrDvDcLqq + vS3jg/VO+OPnZbofoHOOevt8Q/roahJe1PlIyQ4udWB8zZezJ4mLLfbOA9YVaYXx + 2AHHZJevo3nmRnlgJXo6mE00E/6qkhjDHKSMdl2WG6mO9TCDZc9qY3cAJDU6Ir0v + SH7qUl8/vN13y4UOFkn8hM4kmZ6bJqbZt5NbjHtY4uQ0VMW3RyESzhrO02mrp39a + uLNnH3EXdXaV1tk75H3qC7zJaeGWMJyQfOE3YfEGRKn8fxubji716D8UecAxAzFy + FL6m1JiOyV5acAiOpxN14qRYZdHnXOM9DqGIGpoeY1UuD4Mo05osOqOUpBJHA9fS + whSZG7VNf+vgNWTLNYSYLI04KiMdulnvU6ds+QPz+KKtAgMBAAE= + -----END PUBLIC KEY----- + + Bob's RSA public key has the following key identifier: + + 9eeb67c9b95a74d44d2f16396680e801b5cba49c + + Alice randomly generates a content-encryption key: + + c8adc30f4a3e20ac420caa76a68f5787c02ab42afea20d19672fd963a5338e83 + + Alice randomly generates a key-derivation key: + + df85af9e3cebffde6e9b9d24263db31114d0a8e33a0d50e05eb64578ccde81eb + + Alice encrypts the key-derivation key in Bob's public key: + + 52693f12140c91dea2b44c0b7936f6be46de8a7bfab072bcb6ecfd56b06a9f65 + 1bd4669d336aef7b449e5cd9b151893b7c7a3b8e364394840b0a5434cbf10e1b + 5670aefd074faf380665d204fb95153543346f36c2125dba6f4d23d2bc61434b + 5e36ff72b3eafe57c6cf7f74924c309f174b0b8753554b58ed33a8848d707a98 + c0c2b1ddcfd09e31fe213ca0a48dd157bd7d842e85cc76f77710d58efeaa0525 + c651bcd1410fb47534ecabaf5ab7daabed809d4b97220caf6d4929c5fb684f7b + b8692e6e70332ff9b3f7c11d6cac51d4a35593173d48f80ca843b89789d625e7 + 997ad7d674d25a2a7d165a5f39b3cb6358e937bdb02ac8a524ac93113cedd9ad + c68263025c0bb0997d716e58d4d7b69739bf591f3e71c7678dc0df96f3df9e8a + a5738f4f9ce21489f300e040891b20b2ab6d9051b3c2e68efa2fa9799a706878 + d5f462018c021d6669ed649f9acdf78476810198bfb8bd41ffedc585eafa957e + ea1d3625e4bed376e7ae49718aee2f575c401a26a29941d8da5b7ee9aca36471 + + Alice produces a 256-bit key-encryption key with HKDF using SHA-384; + the secret value is the key-derivation key; and the 'info' is the + DER-encoded CMSORIforPSKOtherInfo structure with the following + values: + + 0 56: SEQUENCE { + 2 32: OCTET STRING + : C2 44 CD D1 1A 0D 1F 39 D9 B6 12 82 77 02 44 FB + : 0F 6B EF B9 1A B7 F9 6C B0 52 13 36 5C F9 5B 15 + 36 1: ENUMERATED 5 + 39 11: SEQUENCE { + 41 9: OBJECT IDENTIFIER aes256-wrap (2 16 840 1 101 3 4 1 45) + : } + 52 1: INTEGER 32 + 55 1: INTEGER 32 + : } + + The DER encoding of CMSORIforPSKOtherInfo produces 58 octets: + + 30380420c244cdd11a0d1f39d9b61282770244fb0f6befb91ab7f96cb0521336 + 5cf95b150a0105300b060960864801650304012d020120020120 + + The HKDF output is 256 bits: + + f319e9cebb35f1c6a7a9709b8760b9d0d3e30e16c5b2b69347e9f00ca540a232 + + Alice uses AES-KEY-WRAP to encrypt the 256-bit content-encryption key + with the key-encryption key: + + ea0947250fa66cd525595e52a69aaade88efcf1b0f108abe291060391b1cdf59 + 07f36b4067e45342 + + Alice encrypts the content using AES-256-GCM with the content- + encryption key. The 12-octet nonce used is: + + cafebabefacedbaddecaf888 + + The content plaintext is: + + 48656c6c6f2c20776f726c6421 + + The resulting ciphertext is: + + 9af2d16f21547fcefed9b3ef2d + + The resulting 12-octet authentication tag is: + + a0e5925cc184e0172463c44c + +A.2. ContentInfo and AuthEnvelopedData + + Alice encodes the AuthEnvelopedData and the ContentInfo and sends the + result to Bob. The resulting structure is: + + 0 650: SEQUENCE { + 4 11: OBJECT IDENTIFIER + : authEnvelopedData (1 2 840 113549 1 9 16 1 23) + 17 633: [0] { + 21 629: SEQUENCE { + 25 1: INTEGER 0 + 28 551: SET { + 32 547: [4] { + 36 11: OBJECT IDENTIFIER + : keyTransPSK (1 2 840 113549 1 9 16 13 1) + 49 530: SEQUENCE { + 53 1: INTEGER 0 + 56 19: OCTET STRING 'ptf-kmc:13614122112' + 77 13: SEQUENCE { + 79 11: OBJECT IDENTIFIER + : hkdf-with-sha384 (1 2 840 113549 1 9 16 3 29) + : } + 92 11: SEQUENCE { + 94 9: OBJECT IDENTIFIER + : aes256-wrap (2 16 840 1 101 3 4 1 45) + : } + 105 432: SEQUENCE { + 109 428: SEQUENCE { + 113 1: INTEGER 2 + 116 20: [0] + : 9E EB 67 C9 B9 5A 74 D4 4D 2F 16 39 66 80 E8 01 + : B5 CB A4 9C + 138 13: SEQUENCE { + 140 9: OBJECT IDENTIFIER + : rsaEncryption (1 2 840 113549 1 1 1) + 151 0: NULL + : } + 153 384: OCTET STRING + : 52 69 3F 12 14 0C 91 DE A2 B4 4C 0B 79 36 F6 BE + : 46 DE 8A 7B FA B0 72 BC B6 EC FD 56 B0 6A 9F 65 + : 1B D4 66 9D 33 6A EF 7B 44 9E 5C D9 B1 51 89 3B + : 7C 7A 3B 8E 36 43 94 84 0B 0A 54 34 CB F1 0E 1B + : 56 70 AE FD 07 4F AF 38 06 65 D2 04 FB 95 15 35 + : 43 34 6F 36 C2 12 5D BA 6F 4D 23 D2 BC 61 43 4B + : 5E 36 FF 72 B3 EA FE 57 C6 CF 7F 74 92 4C 30 9F + : 17 4B 0B 87 53 55 4B 58 ED 33 A8 84 8D 70 7A 98 + : C0 C2 B1 DD CF D0 9E 31 FE 21 3C A0 A4 8D D1 57 + : BD 7D 84 2E 85 CC 76 F7 77 10 D5 8E FE AA 05 25 + : C6 51 BC D1 41 0F B4 75 34 EC AB AF 5A B7 DA AB + : ED 80 9D 4B 97 22 0C AF 6D 49 29 C5 FB 68 4F 7B + : B8 69 2E 6E 70 33 2F F9 B3 F7 C1 1D 6C AC 51 D4 + : A3 55 93 17 3D 48 F8 0C A8 43 B8 97 89 D6 25 E7 + : 99 7A D7 D6 74 D2 5A 2A 7D 16 5A 5F 39 B3 CB 63 + : 58 E9 37 BD B0 2A C8 A5 24 AC 93 11 3C ED D9 AD + : C6 82 63 02 5C 0B B0 99 7D 71 6E 58 D4 D7 B6 97 + : 39 BF 59 1F 3E 71 C7 67 8D C0 DF 96 F3 DF 9E 8A + : A5 73 8F 4F 9C E2 14 89 F3 00 E0 40 89 1B 20 B2 + : AB 6D 90 51 B3 C2 E6 8E FA 2F A9 79 9A 70 68 78 + : D5 F4 62 01 8C 02 1D 66 69 ED 64 9F 9A CD F7 84 + : 76 81 01 98 BF B8 BD 41 FF ED C5 85 EA FA 95 7E + : EA 1D 36 25 E4 BE D3 76 E7 AE 49 71 8A EE 2F 57 + : 5C 40 1A 26 A2 99 41 D8 DA 5B 7E E9 AC A3 64 71 + : } + : } + 541 40: OCTET STRING + : EA 09 47 25 0F A6 6C D5 25 59 5E 52 A6 9A AA DE + : 88 EF CF 1B 0F 10 8A BE 29 10 60 39 1B 1C DF 59 + : 07 F3 6B 40 67 E4 53 42 + : } + : } + : } + 583 55: SEQUENCE { + 585 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) + 596 27: SEQUENCE { + 598 9: OBJECT IDENTIFIER + : aes256-GCM (2 16 840 1 101 3 4 1 46) + 609 14: SEQUENCE { + 611 12: OCTET STRING + : CA FE BA BE FA CE DB AD DE CA F8 88 + : } + : } + 625 13: [0] + : 9A F2 D1 6F 21 54 7F CE FE D9 B3 EF 2D + : } + 640 12: OCTET STRING A0 E5 92 5C C1 84 E0 17 24 63 C4 4C + : } + : } + : } + +A.3. Recipient Processing Example + + Bob's private key is: + + -----BEGIN RSA PRIVATE KEY----- + MIIG5AIBAAKCAYEA3ocW14cxncPJ47fnEjBZAyfC2lqapL3ET4jvV6C7gGeVrRQx + WPDwl+cFYBBR2ej3j3/0ecDmu+XuVi2+s5JHKeeza+itfuhsz3yifgeEpeK8T+Su + sHhn20/NBLhYKbh3kiAcCgQ56dpDrDvDcLqqvS3jg/VO+OPnZbofoHOOevt8Q/ro + ahJe1PlIyQ4udWB8zZezJ4mLLfbOA9YVaYXx2AHHZJevo3nmRnlgJXo6mE00E/6q + khjDHKSMdl2WG6mO9TCDZc9qY3cAJDU6Ir0vSH7qUl8/vN13y4UOFkn8hM4kmZ6b + JqbZt5NbjHtY4uQ0VMW3RyESzhrO02mrp39auLNnH3EXdXaV1tk75H3qC7zJaeGW + MJyQfOE3YfEGRKn8fxubji716D8UecAxAzFyFL6m1JiOyV5acAiOpxN14qRYZdHn + XOM9DqGIGpoeY1UuD4Mo05osOqOUpBJHA9fSwhSZG7VNf+vgNWTLNYSYLI04KiMd + ulnvU6ds+QPz+KKtAgMBAAECggGATFfkSkUjjJCjLvDk4aScpSx6+Rakf2hrdS3x + jwqhyUfAXgTTeUQQBs1HVtHCgxQd+qlXYn3/qu8TeZVwG4NPztyi/Z5yB1wOGJEV + 3k8N/ytul6pJFFn6p48VM01bUdTrkMJbXERe6g/rr6dBQeeItCaOK7N5SIJH3Oqh + 9xYuB5tH4rquCdYLmt17Tx8CaVqU9qPY3vOdQEOwIjjMV8uQUR8rHSO9KkSj8AGs + Lq9kcuPpvgJc2oqMRcNePS2WVh8xPFktRLLRazgLP8STHAtjT6SlJ2UzkUqfDHGK + q/BoXxBDu6L1VDwdnIS5HXtL54ElcXWsoOyKF8/ilmhRUIUWRZFmlS1ok8IC5IgX + UdL9rJVZFTRLyAwmcCEvRM1asbBrhyEyshSOuN5nHJi2WVJ+wSHijeKl1qeLlpMk + HrdIYBq4Nz7/zXmiQphpAy+yQeanhP8O4O6C8e7RwKdpxe44su4Z8fEgA5yQx0u7 + 8yR1EhGKydX5bhBLR5Cm1VM7rT2BAoHBAP/+e5gZLNf/ECtEBZjeiJ0VshszOoUq + haUQPA+9Bx9pytsoKm5oQhB7QDaxAvrn8/FUW2aAkaXsaj9F+/q30AYSQtExai9J + fdKKook3oimN8/yNRsKmhfjGOj8hd4+GjX0qoMSBCEVdT+bAjjry8wgQrqReuZnu + oXU85dmb3jvv0uIczIKvTIeyjXE5afjQIJLmZFXsBm09BG87Ia5EFUKly96BOMJh + /QWEzuYYXDqOFfzQtkAefXNFW21Kz4Hw2QKBwQDeiGh4lxCGTjECvG7fauMGlu+q + DSdYyMHif6t6mx57eS16EjvOrlXKItYhIyzW8Kw0rf/CSB2j8ig1GkMLTOgrGIJ1 + 0322o50FOr5oOmZPueeR4pOyAP0fgQ8DD1L3JBpY68/8MhYbsizVrR+Ar4jM0f96 + W2bF5Xj3h+fQTDMkx6VrCCQ6miRmBUzH+ZPs5n/lYOzAYrqiKOanaiHy4mjRvlsy + mjZ6z5CG8sISqcLQ/k3Qli5pOY/v0rdBjgwAW/UCgcEAqGVYGjKdXCzuDvf9EpV4 + mpTWB6yIV2ckaPOn/tZi5BgsmEPwvZYZt0vMbu28Px7sSpkqUuBKbzJ4pcy8uC3I + SuYiTAhMiHS4rxIBX3BYXSuDD2RD4vG1+XM0h6jVRHXHh0nOXdVfgnmigPGz3jVJ + B8oph/jD8O2YCk4YCTDOXPEi8Rjusxzro+whvRR+kG0gsGGcKSVNCPj1fNISEte4 + gJId7O1mUAAzeDjn/VaS/PXQovEMolssPPKn9NocbKbpAoHBAJnFHJunl22W/lrr + ppmPnIzjI30YVcYOA5vlqLKyGaAsnfYqP1WUNgfVhq2jRsrHx9cnHQI9Hu442PvI + x+c5H30YFJ4ipE3eRRRmAUi4ghY5WgD+1hw8fqyUW7E7l5LbSbGEUVXtrkU5G64T + UR91LEyMF8OPATdiV/KD4PWYkgaqRm3tVEuCVACDTQkqNsOOi3YPQcm270w6gxfQ + SOEy/kdhCFexJFA8uZvmh6Cp2crczxyBilR/yCxqKOONqlFdOQKBwFbJk5eHPjJz + AYueKMQESPGYCrwIqxgZGCxaqeVArHvKsEDx5whI6JWoFYVkFA8F0MyhukoEb/2x + 2qB5T88Dg3EbqjTiLg3qxrWJ2OxtUo8pBP2I2wbl2NOwzcbrlYhzEZ8bJyxZu5i1 + sYILC8PJ4Qzw6jS4Qpm4y1WHz8e/ElW6VyfmljZYA7f9WMntdfeQVqCVzNTvKn6f + hg6GSpJTzp4LV3ougi9nQuWXZF2wInsXkLYpsiMbL6Fz34RwohJtYA== + -----END RSA PRIVATE KEY----- + + Bob decrypts the key-derivation key with his RSA private key: + + df85af9e3cebffde6e9b9d24263db31114d0a8e33a0d50e05eb64578ccde81eb + + Bob produces a 256-bit key-encryption key with HKDF using SHA-384; + the secret value is the key-derivation key; and the 'info' is the + DER-encoded CMSORIforPSKOtherInfo structure with the same values as + shown in Appendix A.1. The HKDF output is 256 bits: + + f319e9cebb35f1c6a7a9709b8760b9d0d3e30e16c5b2b69347e9f00ca540a232 + + Bob uses AES-KEY-WRAP to decrypt the content-encryption key with the + key-encryption key; the content-encryption key is: + + c8adc30f4a3e20ac420caa76a68f5787c02ab42afea20d19672fd963a5338e83 + + Bob decrypts the content using AES-256-GCM with the content- + encryption key and checks the received authentication tag. The + 12-octet nonce used is: + + cafebabefacedbaddecaf888 + + The 12-octet authentication tag is: + + a0e5925cc184e0172463c44c + + The received ciphertext content is: + + 9af2d16f21547fcefed9b3ef2d + + The resulting plaintext content is: + + 48656c6c6f2c20776f726c6421 + +Appendix B. Key Agreement with PSK Example + + This example shows the establishment of an AES-256 content-encryption + key using: + + * a pre-shared key of 256 bits; + + * key agreement using ECDH on curve P-384 and X9.63 KDF with SHA- + 384; + + * key derivation using HKDF with SHA-384; and + + * key wrap using AES-256-KEYWRAP. + + In real-world use, the originator would treat themselves as an + additional recipient by performing key agreement with their own + static public key and the ephemeral private key generated for this + message. This is omitted in an attempt to simplify the example. + +B.1. Originator Processing Example + + The pre-shared key known to Alice and Bob, in hexadecimal, is: + + 4aa53cbf500850dd583a5d9821605c6fa228fb5917f87c1c078660214e2d83e4 + + The identifier assigned to the pre-shared key is: + + ptf-kmc:216840110121 + + Alice randomly generates a content-encryption key: + + 937b1219a64d57ad81c05cc86075e86017848c824d4e85800c731c5b7b091033 + + Alice obtains Bob's static ECDH public key: + + -----BEGIN PUBLIC KEY----- + MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEScGPBO9nmUwGrgbGEoFY9HR/bCo0WyeY + /dePQVrwZmwN2yMJmO2d1kWCvLTz8U7atinxyIRe9CV54yau1KWU/wbkhPDnzuSM + YkcpxMGo32z3JetEloW5aFOja13vv/W5 + -----END PUBLIC KEY----- + + It has a key identifier of: + + e8218b98b8b7d86b5e9ebdc8aeb8c4ecdc05c529 + + Alice generates an ephemeral ECDH key pair on the same curve: + + -----BEGIN EC PRIVATE KEY----- + MIGkAgEBBDCMiWLG44ik+L8cYVvJrQdLcFA+PwlgRF+Wt1Ab25qUh8OB7OePWjxp + /b8P6IOuI6GgBwYFK4EEACKhZANiAAQ5G0EmJk/2ks8sXY1kzbuG3Uu3ttWwQRXA + LFDJICjvYfr+yTpOQVkchm88FAh9MEkw4NKctokKNgpsqXyrT3DtOg76oIYENpPb + GE5lJdjPx9sBsZQdABwlsU0Zb7P/7i8= + -----END EC PRIVATE KEY----- + + Alice computes a shared secret called "Z" using Bob's static ECDH + public key and her ephemeral ECDH private key; Z is: + + 3f015ed0ff4b99523a95157bbe77e9cc0ee52fcffeb7e41eac79d1c11b6cc556 + 19cf8807e6d800c2de40240fe0e26adc + + Alice computes the pairwise key-encryption key, called "KEK1", from Z + using the X9.63 KDF with the ECC-CMS-SharedInfo structure with the + following values: + + 0 21: SEQUENCE { + 2 11: SEQUENCE { + 4 9: OBJECT IDENTIFIER aes256-wrap (2 16 840 1 101 3 4 1 45) + : } + 15 6: [2] { + 17 4: OCTET STRING 00 00 00 20 + : } + : } + + The DER encoding of ECC-CMS-SharedInfo produces 23 octets: + + 3015300b060960864801650304012da206040400000020 + + The X9.63 KDF output is the 256-bit KEK1: + + 27dc25ddb0b425f7a968ceada80a8f73c6ccaab115baafcce4a22a45d6b8f3da + + Alice produces the 256-bit KEK2 with HKDF using SHA-384; the secret + value is KEK1; and the 'info' is the DER-encoded + CMSORIforPSKOtherInfo structure with the following values: + + 0 56: SEQUENCE { + 2 32: OCTET STRING + : 4A A5 3C BF 50 08 50 DD 58 3A 5D 98 21 60 5C 6F + : A2 28 FB 59 17 F8 7C 1C 07 86 60 21 4E 2D 83 E4 + 36 1: ENUMERATED 10 + 39 11: SEQUENCE { + 41 9: OBJECT IDENTIFIER aes256-wrap (2 16 840 1 101 3 4 1 45) + : } + 52 1: INTEGER 32 + 55 1: INTEGER 32 + : } + + The DER encoding of CMSORIforPSKOtherInfo produces 58 octets: + + 303804204aa53cbf500850dd583a5d9821605c6fa228fb5917f87c1c07866021 + 4e2d83e40a010a300b060960864801650304012d020120020120 + + The HKDF output is the 256-bit KEK2: + + 7de693ee30ae22b5f8f6cd026c2164103f4e1430f1ab135dc1fb98954f9830bb + + Alice uses AES-KEY-WRAP to encrypt the content-encryption key with + the KEK2; the wrapped key is: + + 229fe0b45e40003e7d8244ec1b7e7ffb2c8dca16c36f5737222553a71263a92b + de08866a602d63f4 + + Alice encrypts the content using AES-256-GCM with the content- + encryption key. The 12-octet nonce used is: + + dbaddecaf888cafebabeface + + The plaintext is: + + 48656c6c6f2c20776f726c6421 + + The resulting ciphertext is: + + fc6d6f823e3ed2d209d0c6ffcf + + The resulting 12-octet authentication tag is: + + 550260c42e5b29719426c1ff + +B.2. ContentInfo and AuthEnvelopedData + + Alice encodes the AuthEnvelopedData and the ContentInfo and sends the + result to Bob. The resulting structure is: + + 0 327: SEQUENCE { + 4 11: OBJECT IDENTIFIER + : authEnvelopedData (1 2 840 113549 1 9 16 1 23) + 17 310: [0] { + 21 306: SEQUENCE { + 25 1: INTEGER 0 + 28 229: SET { + 31 226: [4] { + 34 11: OBJECT IDENTIFIER + : keyAgreePSK (1 2 840 113549 1 9 16 13 2) + 47 210: SEQUENCE { + 50 1: INTEGER 0 + 53 20: OCTET STRING 'ptf-kmc:216840110121' + 75 85: [0] { + 77 83: [1] { + 79 19: SEQUENCE { + 81 6: OBJECT IDENTIFIER + : ecdhX963KDF-SHA256 (1 3 132 1 11 1) + 89 9: OBJECT IDENTIFIER + : aes256-wrap (2 16 840 1 101 3 4 1 45) + : } + 100 60: BIT STRING, encapsulates { + 103 57: OCTET STRING + : 1B 41 26 26 4F F6 92 CF 2C 5D 8D 64 CD BB 86 DD + : 4B B7 B6 D5 B0 41 15 C0 2C 50 C9 20 28 EF 61 FA + : FE C9 3A 4E 41 59 1C 86 6F 3C 14 08 7D 30 49 30 + : E0 D2 9C B6 89 0A 36 0A 6C + : } + : } + : } + 162 13: SEQUENCE { + 164 11: OBJECT IDENTIFIER + : hkdf-with-sha384 (1 2 840 113549 1 9 16 3 29) + : } + 177 11: SEQUENCE { + 179 9: OBJECT IDENTIFIER + : aes256-wrap (2 16 840 1 101 3 4 1 45) + : } + 190 68: SEQUENCE { + 192 66: SEQUENCE { + 194 22: [0] { + 196 20: OCTET STRING + : E8 21 8B 98 B8 B7 D8 6B 5E 9E BD C8 AE B8 C4 EC + : DC 05 C5 29 + : } + 218 40: OCTET STRING + : 22 9F E0 B4 5E 40 00 3E 7D 82 44 EC 1B 7E 7F FB + : 2C 8D CA 16 C3 6F 57 37 22 25 53 A7 12 63 A9 2B + : DE 08 86 6A 60 2D 63 F4 + : } + : } + : } + : } + : } + 260 55: SEQUENCE { + 262 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) + 273 27: SEQUENCE { + 275 9: OBJECT IDENTIFIER + : aes256-GCM (2 16 840 1 101 3 4 1 46) + 286 14: SEQUENCE { + 288 12: OCTET STRING + : DB AD DE CA F8 88 CA FE BA BE FA CE + : } + : } + 302 13: [0] + : FC 6D 6F 82 3E 3E D2 D2 09 D0 C6 FF CF + : } + 317 12: OCTET STRING 55 02 60 C4 2E 5B 29 71 94 26 C1 FF + : } + : } + : } + +B.3. Recipient Processing Example + + Bob obtains Alice's ephemeral ECDH public key from the message: + + -----BEGIN PUBLIC KEY----- + MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEORtBJiZP9pLPLF2NZM27ht1Lt7bVsEEV + wCxQySAo72H6/sk6TkFZHIZvPBQIfTBJMODSnLaJCjYKbKl8q09w7ToO+qCGBDaT + 2xhOZSXYz8fbAbGUHQAcJbFNGW+z/+4v + -----END PUBLIC KEY----- + + Bob's static ECDH private key is: + + -----BEGIN EC PRIVATE KEY----- + MIGkAgEBBDAnJ4hB+tTUN9X03/W0RsrYy+qcptlRSYkhaDIsQYPXfTU0ugjJEmRk + NTPj4y1IRjegBwYFK4EEACKhZANiAARJwY8E72eZTAauBsYSgVj0dH9sKjRbJ5j9 + 149BWvBmbA3bIwmY7Z3WRYK8tPPxTtq2KfHIhF70JXnjJq7UpZT/BuSE8OfO5Ixi + RynEwajfbPcl60SWhbloU6NrXe+/9bk= + -----END EC PRIVATE KEY----- + + Bob computes a shared secret called "Z" using Alice's ephemeral ECDH + public key and his static ECDH private key; Z is: + + 3f015ed0ff4b99523a95157bbe77e9cc0ee52fcffeb7e41eac79d1c11b6cc556 + 19cf8807e6d800c2de40240fe0e26adc + + Bob computes the pairwise key-encryption key, KEK1, from Z using the + X9.63 KDF with the ECC-CMS-SharedInfo structure with the values shown + in Appendix B.1. The X9.63 KDF output is the 256-bit KEK1: + + 27dc25ddb0b425f7a968ceada80a8f73c6ccaab115baafcce4a22a45d6b8f3da + + Bob produces the 256-bit KEK2 with HKDF using SHA-384; the secret + value is KEK1; and the 'info' is the DER-encoded + CMSORIforPSKOtherInfo structure with the values shown in + Appendix B.1. The HKDF output is the 256-bit KEK2: + + 7de693ee30ae22b5f8f6cd026c2164103f4e1430f1ab135dc1fb98954f9830bb + + Bob uses AES-KEY-WRAP to decrypt the content-encryption key with the + KEK2; the content-encryption key is: + + 937b1219a64d57ad81c05cc86075e86017848c824d4e85800c731c5b7b091033 + + Bob decrypts the content using AES-256-GCM with the content- + encryption key and checks the received authentication tag. The + 12-octet nonce used is: + + dbaddecaf888cafebabeface + + The 12-octet authentication tag is: + + 550260c42e5b29719426c1ff + + The received ciphertext content is: + + fc6d6f823e3ed2d209d0c6ffcf + + The resulting plaintext content is: + + 48656c6c6f2c20776f726c6421 + +Acknowledgements + + Many thanks to Roman Danyliw, Ben Kaduk, Burt Kaliski, Panos + Kampanakis, Jim Schaad, Robert Sparks, Sean Turner, and Daniel Van + Geest for their review and insightful comments. They have greatly + improved the design, clarity, and implementation guidance. + +Author's Address + + Russ Housley + Vigil Security, LLC + 516 Dranesville Road + Herndon, VA 20170 + United States of America + + Email: housley@vigilsec.com |