From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc1113.txt | 1907 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1907 insertions(+) create mode 100644 doc/rfc/rfc1113.txt (limited to 'doc/rfc/rfc1113.txt') diff --git a/doc/rfc/rfc1113.txt b/doc/rfc/rfc1113.txt new file mode 100644 index 0000000..b4301cc --- /dev/null +++ b/doc/rfc/rfc1113.txt @@ -0,0 +1,1907 @@ + + + + + + +Network Working Group J. Linn +Request for Comments: 1113 DEC +Obsoletes RFCs: 989, 1040 IAB Privacy Task Force + August 1989 + + + Privacy Enhancement for Internet Electronic Mail: + Part I -- Message Encipherment and Authentication Procedures + +STATUS OF THIS MEMO + + This RFC suggests a draft standard elective protocol for the Internet + community, and requests discussion and suggestions for improvements. + Distribution of this memo is unlimited. + +ACKNOWLEDGMENT + + This RFC is the outgrowth of a series of IAB Privacy Task Force + meetings and of internal working papers distributed for those + meetings. I would like to thank the following Privacy Task Force + members and meeting guests for their comments and contributions at + the meetings which led to the preparation of this RFC: David + Balenson, Curt Barker, Jim Bidzos, Matt Bishop, Danny Cohen, Tom + Daniel, Charles Fox, Morrie Gasser, Russ Housley, Steve Kent + (chairman), John Laws, Steve Lipner, Dan Nessett, Mike Padlipsky, Rob + Shirey, Miles Smid, Steve Walker, and Steve Wilbur. + +Table of Contents + + 1. Executive Summary 2 + 2. Terminology 3 + 3. Services, Constraints, and Implications 3 + 4. Processing of Messages 7 + 4.1 Message Processing Overview 7 + 4.1.1 Types of Keys 7 + 4.1.2 Processing Procedures 8 + 4.2 Encryption Algorithms and Modes 9 + 4.3 Privacy Enhancement Message Transformations 10 + 4.3.1 Constraints 10 + 4.3.2 Approach 11 + 4.3.2.1 Step 1: Local Form 12 + 4.3.2.2 Step 2: Canonical Form 12 + 4.3.2.3 Step 3: Authentication and Encipherment 12 + 4.3.2.4 Step 4: Printable Encoding 13 + 4.3.2.5 Summary of Transformations 15 + 4.4 Encapsulation Mechanism 15 + 4.5 Mail for Mailing Lists 17 + 4.6 Summary of Encapsulated Header Fields 18 + + + +Linn [Page 1] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + 4.6.1 Per-Message Encapsulated Header Fields 20 + 4.6.1.1 X-Proc-Type Field 20 + 4.6.1.2 X-DEK-Info Field 21 + 4.6.2 Encapsulated Header Fields Normally Per-Message 21 + 4.6.2.1 X-Sender-ID Field 22 + 4.6.2.2 X-Certificate Field 22 + 4.6.2.3 X-MIC-Info Field 23 + 4.6.3 Encapsulated Header Fields with Variable Occurrences 23 + 4.6.3.1 X-Issuer-Certificate Field 23 + 4.6.4 Per-Recipient Encapsulated Header Fields 24 + 4.6.4.1 X-Recipient-ID Field 24 + 4.6.4.2 X-Key-Info Field 24 + 4.6.4.2.1 Symmetric Key Management 24 + 4.6.4.2.2 Asymmetric Key Management 25 + 5. Key Management 26 + 5.1 Data Encrypting Keys (DEKs) 26 + 5.2 Interchange Keys (IKs) 26 + 5.2.1 Subfield Definitions 28 + 5.2.1.1 Entity Identifier Subfield 28 + 5.2.1.2 Issuing Authority Subfield 29 + 5.2.1.3 Version/Expiration Subfield 29 + 5.2.2 IK Cryptoperiod Issues 29 + 6. User Naming 29 + 6.1 Current Approach 29 + 6.2 Issues for Consideration 30 + 7. Example User Interface and Implementation 30 + 8. Areas For Further Study 31 + 9. References 32 + NOTES 32 + +1. Executive Summary + + This RFC defines message encipherment and authentication procedures, + in order to provide privacy enhancement services for electronic mail + transfer in the Internet. It is one member of a related set of four + RFCs. The procedures defined in the current RFC are intended to be + compatible with a wide range of key management approaches, including + both symmetric (secret-key) and asymmetric (public-key) approaches + for encryption of data encrypting keys. Use of symmetric + cryptography for message text encryption and/or integrity check + computation is anticipated. RFC-1114 specifies supporting key + management mechanisms based on the use of public-key certificates. + RFC-1115 specifies algorithm and related information relevant to the + current RFC and to RFC-1114. A subsequent RFC will provide details + of paper and electronic formats and procedures for the key management + infrastructure being established in support of these services. + + Privacy enhancement services (confidentiality, authentication, and + + + +Linn [Page 2] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + message integrity assurance) are offered through the use of end-to- + end cryptography between originator and recipient User Agent + processes, with no special processing requirements imposed on the + Message Transfer System at endpoints or at intermediate relay sites. + This approach allows privacy enhancement facilities to be + incorporated on a site-by-site or user-by-user basis without impact + on other Internet entities. Interoperability among heterogeneous + components and mail transport facilities is supported. + +2. Terminology + + For descriptive purposes, this RFC uses some terms defined in the OSI + X.400 Message Handling System Model per the 1984 CCITT + Recommendations. This section replicates a portion of X.400's + Section 2.2.1, "Description of the MHS Model: Overview" in order to + make the terminology clear to readers who may not be familiar with + the OSI MHS Model. + + In the MHS model, a user is a person or a computer application. A + user is referred to as either an originator (when sending a message) + or a recipient (when receiving one). MH Service elements define the + set of message types and the capabilities that enable an originator + to transfer messages of those types to one or more recipients. + + An originator prepares messages with the assistance of his or her + User Agent (UA). A UA is an application process that interacts with + the Message Transfer System (MTS) to submit messages. The MTS + delivers to one or more recipient UAs the messages submitted to it. + Functions performed solely by the UA and not standardized as part of + the MH Service elements are called local UA functions. + + The MTS is composed of a number of Message Transfer Agents (MTAs). + Operating together, the MTAs relay messages and deliver them to the + intended recipient UAs, which then make the messages available to the + intended recipients. + + The collection of UAs and MTAs is called the Message Handling System + (MHS). The MHS and all of its users are collectively referred to as + the Message Handling Environment. + +3. Services, Constraints, and Implications + + This RFC defines mechanisms to enhance privacy for electronic mail + transferred in the Internet. The facilities discussed in this RFC + provide privacy enhancement services on an end-to-end basis between + sender and recipient UAs. No privacy enhancements are offered for + message fields which are added or transformed by intermediate relay + points. + + + +Linn [Page 3] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + Authentication and integrity facilities are always applied to the + entirety of a message's text. No facility for confidentiality + without authentication is provided. Encryption facilities may be + applied selectively to portions of a message's contents; this allows + less sensitive portions of messages (e.g., descriptive fields) to be + processed by a recipient's delegate in the absence of the recipient's + personal cryptographic keys. In the limiting case, where the + entirety of message text is excluded from encryption, this feature + can be used to yield the effective combination of authentication and + integrity services without confidentiality. + + In keeping with the Internet's heterogeneous constituencies and usage + modes, the measures defined here are applicable to a broad range of + Internet hosts and usage paradigms. In particular, it is worth + noting the following attributes: + + 1. The mechanisms defined in this RFC are not restricted to a + particular host or operating system, but rather allow + interoperability among a broad range of systems. All + privacy enhancements are implemented at the application + layer, and are not dependent on any privacy features at + lower protocol layers. + + 2. The defined mechanisms are compatible with non-enhanced + Internet components. Privacy enhancements are implemented + in an end-to-end fashion which does not impact mail + processing by intermediate relay hosts which do not + incorporate privacy enhancement facilities. It is + necessary, however, for a message's sender to be cognizant + of whether a message's intended recipient implements privacy + enhancements, in order that encoding and possible + encipherment will not be performed on a message whose + destination is not equipped to perform corresponding inverse + transformations. + + 3. The defined mechanisms are compatible with a range of mail + transport facilities (MTAs). Within the Internet, + electronic mail transport is effected by a variety of SMTP + implementations. Certain sites, accessible via SMTP, + forward mail into other mail processing environments (e.g., + USENET, CSNET, BITNET). The privacy enhancements must be + able to operate across the SMTP realm; it is desirable that + they also be compatible with protection of electronic mail + sent between the SMTP environment and other connected + environments. + + 4. The defined mechanisms are compatible with a broad range of + electronic mail user agents (UAs). A large variety of + + + +Linn [Page 4] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + electronic mail user agent programs, with a corresponding + broad range of user interface paradigms, is used in the + Internet. In order that electronic mail privacy + enhancements be available to the broadest possible user + community, selected mechanisms should be usable with the + widest possible variety of existing UA programs. For + purposes of pilot implementation, it is desirable that + privacy enhancement processing be incorporable into a + separate program, applicable to a range of UAs, rather than + requiring internal modifications to each UA with which + privacy-enhanced services are to be provided. + + 5. The defined mechanisms allow electronic mail privacy + enhancement processing to be performed on personal computers + (PCs) separate from the systems on which UA functions are + implemented. Given the expanding use of PCs and the limited + degree of trust which can be placed in UA implementations on + many multi-user systems, this attribute can allow many users + to process privacy-enhanced mail with a higher assurance + level than a strictly UA-based approach would allow. + + 6. The defined mechanisms support privacy protection of + electronic mail addressed to mailing lists (distribution + lists, in ISO parlance). + + 7. The mechanisms defined within this RFC are compatible with a + variety of supporting key management approaches, including + (but not limited to) manual pre-distribution, centralized + key distribution based on symmetric cryptography, and the + use of public-key certificates. Different key management + mechanisms may be used for different recipients of a + multicast message. While support for a particular key + management mechanism is not a minimum essential requirement + for compatibility with this RFC, adoption of the public-key + certificate approach defined in companion RFC-1114 is + strongly recommended. + + In order to achieve applicability to the broadest possible range of + Internet hosts and mail systems, and to facilitate pilot + implementation and testing without the need for prior modifications + throughout the Internet, three basic restrictions are imposed on the + set of measures to be considered in this RFC: + + 1. Measures will be restricted to implementation at endpoints + and will be amenable to integration at the user agent (UA) + level or above, rather than necessitating integration into + the message transport system (e.g., SMTP servers). + + + + +Linn [Page 5] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + 2. The set of supported measures enhances rather than restricts + user capabilities. Trusted implementations, incorporating + integrity features protecting software from subversion by + local users, cannot be assumed in general. In the absence + of such features, it appears more feasible to provide + facilities which enhance user services (e.g., by protecting + and authenticating inter-user traffic) than to enforce + restrictions (e.g., inter-user access control) on user + actions. + + 3. The set of supported measures focuses on a set of functional + capabilities selected to provide significant and tangible + benefits to a broad user community. By concentrating on the + most critical set of services, we aim to maximize the added + privacy value that can be provided with a modest level of + implementation effort. + + As a result of these restrictions, the following facilities can be + provided: + + 1. disclosure protection, + + 2. sender authenticity, + + 3. message integrity measures, and + + 4. (if asymmetric key management is used) non-repudiation of + origin, + + but the following privacy-relevant concerns are not addressed: + + 1. access control, + + 2. traffic flow confidentiality, + + 3. address list accuracy, + + 4. routing control, + + 5. issues relating to the casual serial reuse of PCs by + multiple users, + + 6. assurance of message receipt and non-deniability of receipt, + + 7. automatic association of acknowledgments with the messages + to which they refer, and + + 8. message duplicate detection, replay prevention, or other + + + +Linn [Page 6] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + stream-oriented services. + + A message's sender will determine whether privacy enhancements are to + be performed on a particular message. Therefore, a sender must be + able to determine whether particular recipients are equipped to + process privacy-enhanced mail. In a general architecture, these + mechanisms will be based on server queries; thus, the query function + could be integrated into a UA to avoid imposing burdens or + inconvenience on electronic mail users. + +4. Processing of Messages + +4.1 Message Processing Overview + + This subsection provides a high-level overview of the components and + processing steps involved in electronic mail privacy enhancement + processing. Subsequent subsections will define the procedures in + more detail. + +4.1.1 Types of Keys + + A two-level keying hierarchy is used to support privacy-enhanced + message transmission: + + 1. Data Encrypting Keys (DEKs) are used for encryption of + message text and (with certain choices among a set of + alternative algorithms) for computation of message integrity + check (MIC) quantities. DEKs are generated individually for + each transmitted message; no predistribution of DEKs is + needed to support privacy-enhanced message transmission. + + 2. Interchange Keys (IKs) are used to encrypt DEKs for + transmission within messages. Ordinarily, the same IK will + be used for all messages sent from a given originator to a + given recipient over a period of time. Each transmitted + message includes a representation of the DEK(s) used for + message encryption and/or MIC computation, encrypted under + an individual IK per named recipient. The representation is + associated with "X-Sender-ID:" and "X-Recipient-ID:" fields, + which allow each individual recipient to identify the IK + used to encrypt DEKs and/or MICs for that recipient's use. + Given an appropriate IK, a recipient can decrypt the + corresponding transmitted DEK representation, yielding the + DEK required for message text decryption and/or MIC + verification. The definition of an IK differs depending on + whether symmetric or asymmetric cryptography is used for DEK + encryption: + + + + +Linn [Page 7] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + 2a. When symmetric cryptography is used for DEK + encryption, an IK is a single symmetric key shared + between an originator and a recipient. In this + case, the same IK is used to encrypt MICs as well + as DEKs for transmission. Version/expiration + information and IA identification associated with + the originator and with the recipient must be + concatenated in order to fully qualify a symmetric + IK. + + 2b. When asymmetric cryptography is used, the IK + component used for DEK encryption is the public + component of the recipient. The IK component used + for MIC encryption is the private component of the + originator, and therefore only one encrypted MIC + representation need be included per message, rather than + one per recipient. Each of these IK + components can be fully qualified in an + "X-Recipient-ID:" or "X-Sender-ID:" field, + respectively. + +4.1.2 Processing Procedures + + When privacy enhancement processing is to be performed on an outgoing + message, a DEK is generated [1] for use in message encryption and (if + a chosen MIC algorithm requires a key) a variant of the DEK is formed + for use in MIC computation. DEK generation can be omitted for the + case of a message in which all contents are excluded from encryption, + unless a chosen MIC computation algorithm requires a DEK. + + An "X-Sender-ID:" field is included in the header to provide one + identification component for the IK(s) used for message processing. + IK components are selected for each individually named recipient; a + corresponding "X-Recipient-ID:" field, interpreted in the context of + a prior "X-Sender-ID:" field, serves to identify each IK. Each "X- + Recipient-ID:" field is followed by an "X-Key-Info:" field, which + transfers a DEK encrypted under the IK appropriate for the specified + recipient. When symmetric key management is used for a given + recipient, the "X-Key-Info:" field also transfers the message's + computed MIC, encrypted under the recipient's IK. When asymmetric + key management is used, a prior "X-MIC-Info:" field carries the + message's MIC encrypted under the private component of the sender. + + A four-phase transformation procedure is employed in order to + represent encrypted message text in a universally transmissible form + and to enable messages encrypted on one type of host computer to be + decrypted on a different type of host computer. A plaintext message + is accepted in local form, using the host's native character set and + + + +Linn [Page 8] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + line representation. The local form is converted to a canonical + message text representation, defined as equivalent to the inter-SMTP + representation of message text. This canonical representation forms + the input to the MIC computation and encryption processes. + + For encryption purposes, the canonical representation is padded as + required by the encryption algorithm. The padded canonical + representation is encrypted (except for any regions which are + explicitly excluded from encryption). The encrypted text (along with + the canonical representation of regions which were excluded from + encryption) is encoded into a printable form. The printable form is + composed of a restricted character set which is chosen to be + universally representable across sites, and which will not be + disrupted by processing within and between MTS entities. + + The output of the encoding procedure is combined with a set of header + fields carrying cryptographic control information. The result is + passed to the electronic mail system to be encapsulated as the text + portion of a transmitted message. + + When a privacy-enhanced message is received, the cryptographic + control fields within its text portion provide the information + required for the authorized recipient to perform MIC verification and + decryption of the received message text. First, the printable + encoding is converted to a bitstring. Encrypted portions of the + transmitted message are decrypted. The MIC is verified. The + canonical representation is converted to the recipient's local form, + which need not be the same as the sender's local form. + +4.2 Encryption Algorithms and Modes + + For purposes of this RFC, the Block Cipher Algorithm DEA-1, defined + in ANSI X3.92-1981 [2] shall be used for encryption of message text. + The DEA-1 is equivalent to the Data Encryption Standard (DES), as + defined in FIPS PUB 46 [3]. When used for encryption of text, the + DEA-1 shall be used in the Cipher Block Chaining (CBC) mode, as + defined in ISO IS 8372 [4]. The identifier string "DES-CBC", defined + in RFC-1115, signifies this algorithm/mode combination. The CBC mode + definition in IS 8372 is equivalent to that provided in FIPS PUB 81 + [5] and in ANSI X3.106-1983 [16]. Use of other algorithms and/or + modes for message text processing will require case-by-case study to + determine applicability and constraints. Additional algorithms and + modes approved for use in this context will be specified in + successors to RFC-1115. + + It is an originator's responsibility to generate a new pseudorandom + initializing vector (IV) for each privacy-enhanced electronic mail + message unless the entirety of the message is excluded from + + + +Linn [Page 9] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + encryption. Section 4.3.1 of [17] provides rationale for this + requirement, even in a context where individual DEKs are generated + for individual messages. The IV will be transmitted with the + message. + + Certain operations require that one key be encrypted under an + interchange key (IK) for purposes of transmission. A header facility + indicates the mode in which the IK is used for encryption. RFC-1115 + specifies encryption algorithm/mode identifiers, including DES-ECB, + DES-EDE, and RSA. All implementations using symmetric key management + should support DES-ECB IK use, and all implementations using + asymmetric key management should support RSA IK use. + + RFC-1114, released concurrently with this RFC, specifies asymmetric, + certificate-based key management procedures to support the message + processing procedures defined in this document. The message + processing procedures can also be used with symmetric key management, + given prior distribution of suitable symmetric IKs through out-of- + band means. Support for the asymmetric approach defined in RFC-1114 + is strongly recommended. + +4.3 Privacy Enhancement Message Transformations + +4.3.1 Constraints + + An electronic mail encryption mechanism must be compatible with the + transparency constraints of its underlying electronic mail + facilities. These constraints are generally established based on + expected user requirements and on the characteristics of anticipated + endpoint and transport facilities. An encryption mechanism must also + be compatible with the local conventions of the computer systems + which it interconnects. In our approach, a canonicalization step is + performed to abstract out local conventions and a subsequent encoding + step is performed to conform to the characteristics of the underlying + mail transport medium (SMTP). The encoding conforms to SMTP + constraints, established to support interpersonal messaging. SMTP's + rules are also used independently in the canonicalization process. + RFC-821's [7] Section 4.5 details SMTP's transparency constraints. + + To prepare a message for SMTP transmission, the following + requirements must be met: + + 1. All characters must be members of the 7-bit ASCII character + set. + + 2. Text lines, delimited by the character pair , must + be no more than 1000 characters long. + + + + +Linn [Page 10] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + 3. Since the string . indicates the end of a + message, it must not occur in text prior to the end of a + message. + + Although SMTP specifies a standard representation for line delimiters + (ASCII ), numerous systems use a different native + representation to delimit lines. For example, the sequences + delimiting lines in mail inbound to UNIX systems are transformed to + single s as mail is written into local mailbox files. Lines in + mail incoming to record-oriented systems (such as VAX VMS) may be + converted to appropriate records by the destination SMTP [8] server. + As a result, if the encryption process generated s or s, + those characters might not be accessible to a recipient UA program at + a destination which uses different line delimiting conventions. It + is also possible that conversion between tabs and spaces may be + performed in the course of mapping between inter-SMTP and local + format; this is a matter of local option. If such transformations + changed the form of transmitted ciphertext, decryption would fail to + regenerate the transmitted plaintext, and a transmitted MIC would + fail to compare with that computed at the destination. + + The conversion performed by an SMTP server at a system with EBCDIC as + a native character set has even more severe impact, since the + conversion from EBCDIC into ASCII is an information-losing + transformation. In principle, the transformation function mapping + between inter-SMTP canonical ASCII message representation and local + format could be moved from the SMTP server up to the UA, given a + means to direct that the SMTP server should no longer perform that + transformation. This approach has a major disadvantage: internal + file (e.g., mailbox) formats would be incompatible with the native + forms used on the systems where they reside. Further, it would + require modification to SMTP servers, as mail would be passed to SMTP + in a different representation than it is passed at present. + +4.3.2 Approach + + Our approach to supporting privacy-enhanced mail across an + environment in which intermediate conversions may occur encodes mail + in a fashion which is uniformly representable across the set of + privacy-enhanced UAs regardless of their systems' native character + sets. This encoded form is used to represent mail text from sender + to recipient, but the encoding is not applied to enclosing mail + transport headers or to encapsulated headers inserted to carry + control information between privacy-enhanced UAs. The encoding's + characteristics are such that the transformations anticipated between + sender and recipient UAs will not prevent an encoded message from + being decoded properly at its destination. + + + + +Linn [Page 11] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + A sender may exclude one or more portions of a message from + encryption processing, but authentication processing is always + applied to the entirety of message text. Explicit action is required + to exclude a portion of a message from encryption processing; by + default, encryption is applied to the entirety of message text. The + user-level delimiter which specifies such exclusion is a local + matter, and hence may vary between sender and recipient, but all + systems should provide a means for unambiguous identification of + areas excluded from encryption processing. + + An outbound privacy-enhanced message undergoes four transformation + steps, described in the following four subsections. + +4.3.2.1 Step 1: Local Form + + The message text is created in the system's native character set, + with lines delimited in accordance with local convention. + +4.3.2.2 Step 2: Canonical Form + + The entire message text, including both those portions subject to + encipherment processing and those portions excluded from such + processing, is converted to a universal canonical form, analogous to + the inter-SMTP representation [9] as defined in RFC-821 and RFC-822 + [10] (ASCII character set, line delimiters). The processing + required to perform this conversion is minimal on systems whose + native character set is ASCII. (Note: Since the output of the + canonical encoding process will never be submitted directly to SMTP, + but only to subsequent steps of the privacy enhancement encoding + process, the dot-stuffing transformation discussed in RFC-821, + section 4.5.2, is not required.) Since a message is converted to a + standard character set and representation before encryption, it can + be decrypted and its MIC can be verified at any type of destination + host computer. The decryption and MIC verification is performed + before any conversions which may be necessary to transform the + message into a destination-specific local form. + +4.3.2.3 Step 3: Authentication and Encipherment + + The canonical form is input to the selected MIC computation algorithm + in order to compute an integrity check quantity for the message. No + padding is added to the canonical form before submission to the MIC + computation algorithm, although certain MIC algorithms will apply + their own padding in the course of computing a MIC. + + Padding is applied to the canonical form as needed to perform + encryption in the DEA-1 CBC mode, as follows: The number of octets to + be encrypted is determined by subtracting the number of octets + + + +Linn [Page 12] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + excluded from encryption from the total length of the canonically + encoded text. Octets with the hexadecimal value FF (all ones) are + appended to the canonical form as needed so that the text octets to + be encrypted, along with the added padding octets, fill an integral + number of 8-octet encryption quanta. No padding is applied if the + number of octets to be encrypted is already an integral multiple of + 8. The use of hexadecimal FF (a value outside the 7-bit ASCII set) + as a padding value allows padding octets to be distinguished from + valid data without inclusion of an explicit padding count indicator. + + The regions of the message which have not been excluded from + encryption are encrypted. To support selective encipherment + processing, an implementation must retain internal indications of the + positions of excluded areas excluded from encryption with relation to + non-excluded areas, so that those areas can be properly delimited in + the encoding procedure defined in step 4. If a region excluded from + encryption intervenes between encrypted regions, cryptographic state + (e.g., IVs and accumulation of octets into encryption quanta) is + preserved and continued after the excluded region. + +4.3.2.4 Step 4: Printable Encoding + + Proceeding from left to right, the bit string resulting from step 3 + is encoded into characters which are universally representable at all + sites, though not necessarily with the same bit patterns (e.g., + although the character "E" is represented in an ASCII-based system as + hexadecimal 45 and as hexadecimal C5 in an EBCDIC-based system, the + local significance of the two representations is equivalent). This + encoding step is performed for all privacy-enhanced messages, even if + an entire message is excluded from encryption. + + A 64-character subset of International Alphabet IA5 is used, enabling + 6 bits to be represented per printable character. (The proposed + subset of characters is represented identically in IA5 and ASCII.) + Two additional characters, "=" and "*", are used to signify special + processing functions. The character "=" is used for padding within + the printable encoding procedure. The character "*" is used to + delimit the beginning and end of a region which has been excluded + from encipherment processing. The encoding function's output is + delimited into text lines (using local conventions), with each line + except the last containing exactly 64 printable characters and the + final line containing 64 or fewer printable characters. (This line + length is easily printable and is guaranteed to satisfy SMTP's 1000- + character transmitted line length limit.) + + The encoding process represents 24-bit groups of input bits as output + strings of 4 encoded characters. Proceeding from left to right across + a 24-bit input group extracted from the output of step 3, each 6-bit + + + +Linn [Page 13] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + group is used as an index into an array of 64 printable characters. + The character referenced by the index is placed in the output string. + These characters, identified in Table 0, are selected so as to be + universally representable, and the set excludes characters with + particular significance to SMTP (e.g., ".", "", ""). + + Special processing is performed if fewer than 24 bits are available + in an input group, either at the end of a message or (when the + selective encryption facility is invoked) at the end of an encrypted + region or an excluded region. A full encoding quantum is always + completed at the end of a message and before the delimiter "*" is + output to initiate or terminate the representation of a block + excluded from encryption. When fewer than 24 input bits are + available in an input group, zero bits are added (on the right) to + form an integral number of 6-bit groups. Output character positions + which are not required to represent actual input data are set to the + character "=". Since all canonically encoded output is an integral + number of octets, only the following cases can arise: (1) the final + quantum of encoding input is an integral multiple of 24 bits; here, + the final unit of encoded output will be an integral multiple of 4 + characters with no "=" padding, (2) the final quantum of encoding + input is exactly 8 bits; here, the final unit of encoded output will + be two characters followed by two "=" padding characters, or (3) the + final quantum of encoding input is exactly 16 bits; here, the final + unit of encoded output will be three characters followed by one "=" + padding character. + + + + + + + + + + + + + + + + + + + + + + + + + +Linn [Page 14] + +RFC 1113 Mail Privacy: Procedures August 1989 + + +4.3.2.5 Summary of Transformations + + In summary, the outbound message is subjected to the following + composition of transformations: + + Transmit_Form = Encode(Encipher(Canonicalize(Local_Form))) + + The inverse transformations are performed, in reverse order, to + process inbound privacy-enhanced mail: + + + Local_Form = DeCanonicalize(Decipher(Decode(Transmit_Form))) + + Value Encoding Value Encoding Value Encoding Value Encoding + 0 A 17 R 34 i 51 z + 1 B 18 S 35 j 52 0 + 2 C 19 T 36 k 53 1 + 3 D 20 U 37 l 54 2 + 4 E 21 V 38 m 55 3 + 5 F 22 W 39 n 56 4 + 6 G 23 X 40 o 57 5 + 7 H 24 Y 41 p 58 6 + 8 I 25 Z 42 q 59 7 + 9 J 26 a 43 r 60 8 + 10 K 27 b 44 s 61 9 + 11 L 28 c 45 t 62 + + 12 M 29 d 46 u 63 / + 13 N 30 e 47 v + 14 O 31 f 48 w (pad) = + 15 P 32 g 49 x + 16 Q 33 h 50 y (1) * + + (1) The character "*" is used to enclose portions of an + encoded message to which encryption processing has not + been applied. + + + Printable Encoding Characters + Table 1 + + + Note that the local form and the functions to transform messages to + and from canonical form may vary between the sender and recipient + systems without loss of information. + +4.4 Encapsulation Mechanism + + Encapsulation of privacy-enhanced messages within an enclosing layer + + + +Linn [Page 15] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + of headers interpreted by the electronic mail transport system offers + a number of advantages in comparison to a flat approach in which + certain fields within a single header are encrypted and/or carry + cryptographic control information. Encapsulation provides generality + and segregates fields with user-to-user significance from those + transformed in transit. All fields inserted in the course of + encryption/authentication processing are placed in the encapsulated + header. This facilitates compatibility with mail handling programs + which accept only text, not header fields, from input files or from + other programs. Further, privacy enhancement processing can be + applied recursively. As far as the MTS is concerned, information + incorporated into cryptographic authentication or encryption + processing will reside in a message's text portion, not its header + portion. + + The encapsulation mechanism to be used for privacy-enhanced mail is + derived from that described in RFC-934 [11] which is, in turn, based + on precedents in the processing of message digests in the Internet + community. To prepare a user message for encrypted or authenticated + transmission, it will be transformed into the representation shown in + Figure 1. + + As a general design principle, sensitive data is protected by + incorporating the data within the encapsulated text rather than by + applying measures selectively to fields in the enclosing header. + Examples of potentially sensitive header information may include + fields such as "Subject:", with contents which are significant on an + end-to-end, inter-user basis. The (possibly empty) set of headers to + which protection is to be applied is a user option. It is strongly + recommended, however, that all implementations should replicate + copies of "X-Sender-ID:" and "X-Recipient-ID:" fields within the + encapsulated text. + + If a user wishes disclosure protection for header fields, they must + occur only in the encapsulated text and not in the enclosing or + encapsulated header. If disclosure protection is desired for a + message's subject indication, it is recommended that the enclosing + header contain a "Subject:" field indicating that "Encrypted Mail + Follows". + + If an authenticated version of header information is desired, that + data can be replicated within the encapsulated text portion in + addition to its inclusion in the enclosing header. For example, a + sender wishing to provide recipients with a protected indication of a + message's position in a series of messages could include a copy of a + timestamp or message counter field within the encapsulated text. + + A specific point regarding the integration of privacy-enhanced mail + + + +Linn [Page 16] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + facilities with the message encapsulation mechanism is worthy of + note. The subset of IA5 selected for transmission encoding + intentionally excludes the character "-", so encapsulated text can be + distinguished unambiguously from a message's closing encapsulation + boundary (Post-EB) without recourse to character stuffing. + + Enclosing Header Portion + (Contains header fields per RFC-822) + + Blank Line + (Separates Enclosing Header from Encapsulated Message) + + Encapsulated Message + + Pre-Encapsulation Boundary (Pre-EB) + -----PRIVACY-ENHANCED MESSAGE BOUNDARY----- + + Encapsulated Header Portion + (Contains encryption control fields inserted in plaintext. + Examples include "X-DEK-Info:", "X-Sender-ID:", and + "X-Key-Info:". + Note that, although these control fields have line-oriented + representations similar to RFC-822 header fields, the set + of fields valid in this context is disjoint from those used + in RFC-822 processing.) + + Blank Line + (Separates Encapsulated Header from subsequent encoded + Encapsulated Text Portion) + + Encapsulated Text Portion + (Contains message data encoded as specified in Section 4.3; + may incorporate protected copies of enclosing and + encapsulated header fields such as "Subject:", etc.) + + Post-Encapsulation Boundary (Post-EB) + -----PRIVACY-ENHANCED MESSAGE BOUNDARY----- + + + Message Encapsulation + Figure 1 + + +4.5 Mail for Mailing Lists + + When mail is addressed to mailing lists, two different methods of + processing can be applicable: the IK-per-list method and the IK-per- + recipient method. The choice depends on the information available to + + + +Linn [Page 17] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + the sender and on the sender's preference. + + If a message's sender addresses a message to a list name or alias, + use of an IK associated with that name or alias as a entity (IK-per- + list), rather than resolution of the name or alias to its constituent + destinations, is implied. Such an IK must, therefore, be available + to all list members. For the case of asymmetric key management, the + list's private component must be available to all list members. This + alternative will be the normal case for messages sent via remote + exploder sites, as a sender to such lists may not be cognizant of the + set of individual recipients. Unfortunately, it implies an + undesirable level of exposure for the shared IK, and makes its + revocation difficult. Moreover, use of the IK-per-list method allows + any holder of the list's IK to masquerade as another sender to the + list for authentication purposes. + + If, in contrast, a message's sender is equipped to expand the + destination mailing list into its individual constituents and elects + to do so (IK-per-recipient), the message's DEK (and, in the symmetric + key management case, MIC) will be encrypted under each per-recipient + IK and all such encrypted representations will be incorporated into + the transmitted message. Note that per-recipient encryption is + required only for the relatively small DEK and MIC quantities carried + in the "X-Key-Info:" field, not for the message text which is, in + general, much larger. Although more IKs are involved in processing + under the IK-per-recipient method, the pairwise IKs can be + individually revoked and possession of one IK does not enable a + successful masquerade of another user on the list. + +4.6 Summary of Encapsulated Header Fields + + This section summarizes the syntax and semantics of the encapsulated + header fields to be added to messages in the course of privacy + enhancement processing. The fields are presented in three groups. + Normally, the groups will appear in encapsulated headers in the order + in which they are shown, though not all fields in each group will + appear in all messages. In certain indicated cases, it is recommended + that the fields be replicated within the encapsulated text portion as + well as being included within the encapsulated header. Figures 2 and + 3 show the appearance of small example encapsulated messages. Figure + 2 assumes the use of symmetric cryptography for key management. + Figure 3 illustrates an example encapsulated message in which + asymmetric key management is used. + + Unless otherwise specified, all field arguments are processed in a + case-sensitive fashion. In most cases, numeric quantities are + represented in header fields as contiguous strings of hexadecimal + digits, where each digit is represented by a character from the + + + +Linn [Page 18] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + ranges "0"-"9" or upper case "A"-"F". Since public-key certificates + and quantities encrypted using asymmetric algorithms are large in + size, use of a more space-efficient encoding technique is appropriate + for such quantities, and the encoding mechanism defined in Section + 4.3.2.4 of this RFC, representing 6 bits per printed character, is + adopted. The example shown in Figure 3 shows asymmetrically + encrypted quantities (e.g., "X-MIC-Info:", "X-Key-Info:") with 64- + character printed representations, corresponding to 384 bits. The + fields carrying asymmetrically encrypted quantities also illustrate + the use of folding as defined in RFC-822, section 3.1.1. + + -----PRIVACY-ENHANCED MESSAGE BOUNDARY----- + X-Proc-Type: 3,ENCRYPTED + X-DEK-Info: DES-CBC,F8143EDE5960C597 + X-Sender-ID: linn@ccy.bbn.com:: + X-Recipient-ID: linn@ccy.bbn.com:ptf-kmc:3 + X-Key-Info: DES-ECB,RSA-MD2,9FD3AAD2F2691B9A,B70665BB9BF7CBCD, + A60195DB94F727D3 + X-Recipient-ID: privacy-tf@venera.isi.edu:ptf-kmc:4 + X-Key-Info: DES-ECB,RSA-MD2,161A3F75DC82EF26,E2EF532C65CBCFF7, + 9F83A2658132DB47 + + LLrHB0eJzyhP+/fSStdW8okeEnv47jxe7SJ/iN72ohNcUk2jHEUSoH1nvNSIWL9M + 8tEjmF/zxB+bATMtPjCUWbz8Lr9wloXIkjHUlBLpvXR0UrUzYbkNpk0agV2IzUpk + J6UiRRGcDSvzrsoK+oNvqu6z7Xs5Xfz5rDqUcMlK1Z6720dcBWGGsDLpTpSCnpot + dXd/H5LMDWnonNvPCwQUHt== + -----PRIVACY-ENHANCED MESSAGE BOUNDARY----- + + + Example Encapsulated Message (Symmetric Case) + Figure 2 + + + -----PRIVACY-ENHANCED MESSAGE BOUNDARY----- + X-Proc-Type: 3,ENCRYPTED + X-DEK-Info: DES-CBC,F8143EDE5960C597 + X-Sender-ID: linn@ccy.bbn.com:: + X-Certificate: + jHUlBLpvXR0UrUzYbkNpk0agV2IzUpk8tEjmF/zxB+bATMtPjCUWbz8Lr9wloXIk + YbkNpk0agV2IzUpk8tEjmF/zxB+bATMtPjCUWbz8Lr9wloXIkjHUlBLpvXR0UrUz + agV2IzUpk8tEjmFjHUlBLpvXR0UrUz/zxB+bATMtPjCUWbz8Lr9wloXIkYbkNpk0 + X-Issuer-Certificate: + TMtPjCUWbz8Lr9wloXIkYbkNpk0agV2IzUpk8tEjmFjHUlBLpvXR0UrUz/zxB+bA + IkjHUlBLpvXR0UrUzYbkNpk0agV2IzUpk8tEjmF/zxB+bATMtPjCUWbz8Lr9wloX + vXR0UrUzYbkNpk0agV2IzUpk8tEjmF/zxB+bATMtPjCUWbz8Lr9wloXIkjHUlBLp + X-MIC-Info: RSA-MD2,RSA, + 5rDqUcMlK1Z6720dcBWGGsDLpTpSCnpotJ6UiRRGcDSvzrsoK+oNvqu6z7Xs5Xfz + X-Recipient-ID: linn@ccy.bbn.com:RSADSI:3 + + + +Linn [Page 19] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + X-Key-Info: RSA, + lBLpvXR0UrUzYbkNpk0agV2IzUpk8tEjmF/zxB+bATMtPjCUWbz8Lr9wloXIkjHU + X-Recipient-ID: privacy-tf@venera.isi.edu:RSADSI:4 + X-Key-Info: RSA, + NcUk2jHEUSoH1nvNSIWL9MLLrHB0eJzyhP+/fSStdW8okeEnv47jxe7SJ/iN72oh + + LLrHB0eJzyhP+/fSStdW8okeEnv47jxe7SJ/iN72ohNcUk2jHEUSoH1nvNSIWL9M + 8tEjmF/zxB+bATMtPjCUWbz8Lr9wloXIkjHUlBLpvXR0UrUzYbkNpk0agV2IzUpk + J6UiRRGcDSvzrsoK+oNvqu6z7Xs5Xfz5rDqUcMlK1Z6720dcBWGGsDLpTpSCnpot + dXd/H5LMDWnonNvPCwQUHt== + -----PRIVACY-ENHANCED MESSAGE BOUNDARY----- + + Example Encapsulated Message (Asymmetric Case) + Figure 3 + + + Although the encapsulated header fields resemble RFC-822 header + fields, they are a disjoint set and will not in general be processed + by the same parser which operates on enclosing header fields. The + complexity of lexical analysis needed and appropriate for + encapsulated header field processing is significantly less than that + appropriate to RFC-822 header processing. For example, many + characters with special significance to RFC-822 at the syntactic + level have no such significance within encapsulated header fields. + + When the length of an encapsulated header field is longer than the + size conveniently printable on a line, whitespace may be used to fold + the field in the manner of RFC-822, section 3.1.1. Any such inserted + whitespace is not to be interpreted as a part of a subfield. As a + particular example, due to the length of public-key certificates and + of quantities encrypted using asymmetric algorithms, such quantities + may often need to be folded across multiple printed lines. In order + to facilitate such folding in a uniform manner, the bits representing + such a quantity are to be divided into an ordered set (with leftmost + bits first) of zero or more 384-bit groups (corresponding to 64- + character printed representations), followed by a final group of bits + which may be any length up to 384 bits. + +4.6.1 Per-Message Encapsulated Header Fields + + This group of encapsulated header fields contains fields which occur + no more than once in a privacy-enhanced message, generally preceding + all other encapsulated header fields. + +4.6.1.1 X-Proc-Type Field + + The "X-Proc-Type:" encapsulated header field, required for all + privacy-enhanced messages, identifies the type of processing + + + +Linn [Page 20] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + performed on the transmitted message. Only one "X-Proc-Type:" field + occurs in a message; the "X-Proc-Type:" field must be the first + encapsulated header field in the message. + + The "X-Proc-Type:" field has two subfields, separated by a comma. + The first subfield is a decimal number which is used to distinguish + among incompatible encapsulated header field interpretations which + may arise as changes are made to this standard. Messages processed + according to this RFC will carry the subfield value "3" to + distinguish them from messages processed in accordance with prior + RFCs 989 and 1040. + + The second subfield may assume one of two string values: "ENCRYPTED" + or "MIC-ONLY". Unless all of a message's encapsulated text is + excluded from encryption, the "X-Proc-Type:" field's second subfield + must specify "ENCRYPTED". Specification of "MIC-ONLY", when applied + in conjunction with certain combinations of key management and MIC + algorithm options, permits certain fields which are superfluous in + the absence of encryption to be omitted from the encapsulated header. + In particular, "X-Recipient-ID:" and "X-Key-Info:" fields can be + omitted for recipients for whom asymmetric cryptography is used, + assuming concurrent use of a keyless MIC computation algorithm. The + "X-DEK-Info:" field can be omitted for all "MIC-ONLY" messages. + +4.6.1.2 X-DEK-Info Field + + The "X-DEK-Info:" encapsulated header field identifies the message + text encryption algorithm and mode, and also carries the Initializing + Vector used for message encryption. No more than one "X-DEK-Info:" + field occurs in a message; the field is required except for messages + specified as "MIC-ONLY" in the "X-Proc-Type:" field. + + The "X-DEK-Info:" field carries two arguments, separated by a comma. + For purposes of this RFC, the first argument must be the string + "DES-CBC", signifying (as defined in RFC-1115) use of the DES + algorithm in the CBC mode. The second argument represents a 64-bit + Initializing Vector (IV) as a contiguous string of 16 hexadecimal + digits. Subsequent revisions of RFC-1115 will specify any additional + values which may appear as the first argument of this field. + +4.6.2 Encapsulated Header Fields Normally Per-Message + + This group of encapsulated header fields contains fields which + ordinarily occur no more than once per message. Depending on the key + management option(s) employed, some of these fields may be absent + from some messages. The "X-Sender-ID" field may occur more than once + in a message if different sender-oriented IK components (perhaps + corresponding to different versions) must be used for different + + + +Linn [Page 21] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + recipients. In this case later occurrences override prior + occurrences. If a mixture of symmetric and asymmetric key + distribution is used within a single message, the recipients for each + type of key distribution technology should be grouped together to + simplify parsing. + +4.6.2.1 X-Sender-ID Field + + The "X-Sender-ID:" encapsulated header field, required for all + privacy-enhanced messages, identifies a message's sender and provides + the sender's IK identification component. It should be replicated + within the encapsulated text. The IK identification component + carried in an "X-Sender-ID:" field is used in conjunction with all + subsequent "X-Recipient-ID:" fields until another "X-Sender-ID:" + field occurs; the ordinary case will be that only a single "X- + Sender-ID:" field will occur, prior to any "X-Recipient-ID:" fields. + + The "X-Sender-ID:" field contains (in order) an Entity Identifier + subfield, an (optional) Issuing Authority subfield, and an (optional) + Version/Expiration subfield. The optional subfields are omitted if + their use is rendered redundant by information carried in subsequent + "X-Recipient-ID:" fields; this will ordinarily be the case where + symmetric cryptography is used for key management. The subfields are + delimited by the colon character (":"), optionally followed by + whitespace. + + Section 5.2, Interchange Keys, discusses the semantics of these + subfields and specifies the alphabet from which they are chosen. + Note that multiple "X-Sender-ID:" fields may occur within a single + encapsulated header. All "X-Recipient-ID:" fields are interpreted in + the context of the most recent preceding "X-Sender-ID:" field; it is + illegal for an "X-Recipient-ID:" field to occur in a header before an + "X-Sender-ID:" has been provided. + +4.6.2.2 X-Certificate Field + + The "X-Certificate:" encapsulated header field is used only when + asymmetric key management is employed for one or more of a message's + recipients. To facilitate processing by recipients (at least in + advance of general directory server availability), inclusion of this + field in all messages is strongly recommended. The field transfers a + sender's certificate as a numeric quantity, represented with the + encoding mechanism defined in Section 4.3.2.4 of this RFC. The + semantics of a certificate are discussed in RFC-1114. The + certificate carried in an "X-Certificate:" field is used in + conjunction with "X-Sender-ID:" and "X-Recipient-ID:" fields for + which asymmetric key management is employed. + + + + +Linn [Page 22] + +RFC 1113 Mail Privacy: Procedures August 1989 + + +4.6.2.3 X-MIC-Info Field + + The "X-MIC-Info:" encapsulated header field, used only when + asymmetric key management is employed for at least one recipient of a + message, carries three arguments, separated by commas. The first + argument identifies the algorithm under which the accompanying MIC is + computed; RFC-1115 specifies the acceptable set of MIC algorithm + identifiers. The second argument identifies the algorithm under + which the accompanying MIC is encrypted; for purposes of this RFC, + the string "RSA" as described in RFC-1115 must occur, identifying + use of the RSA algorithm. The third argument is a MIC, + asymmetrically encrypted using the originator's private component. + As discussed earlier in this section, the asymmetrically encrypted + MIC is represented using the technique described in Section 4.3.2.4 + of this RFC. + + The "X-MIC-Info:" field will occur immediately following the + message's "X-Sender-ID:" field and any "X-Certificate:" or "X- + Issuer-Certificate:" fields. Analogous to the "X-Sender-ID:" field, + an "X-MIC-Info:" field applies to all subsequent recipients for whom + asymmetric key management is used. + +4.6.3 Encapsulated Header Fields with Variable Occurrences + + This group of encapsulated header fields contains fields which will + normally occur variable numbers of times within a message, with + numbers of occurrences ranging from zero to non-zero values which are + independent of the number of recipients. + +4.6.3.1 X-Issuer-Certificate Field + + The "X-Issuer-Certificate:" encapsulated header field is meaningful + only when asymmetric key management is used for at least one of a + message's recipients. A typical "X-Issuer-Certificate:" field would + contain the certificate containing the public component used to sign + the certificate carried in the message's "X-Certificate:" field, for + recipients' use in chaining through that certificate's certification + path. Other "X-Issuer-Certificate:" fields, typically representing + higher points in a certification path, also may be included by a + sender. The order in which "X-Issuer-Certificate:" fields are + included need not correspond to the order of the certification path; + the order of that path may in general differ from the viewpoint of + different recipients. More information on certification paths can be + found in RFC-1114. + + The certificate is represented in the same manner as defined for the + "X-Certificate:" field, and any "X-Issuer-Certificate:" fields will + ordinarily follow the "X-Certificate:" field directly. Use of the + + + +Linn [Page 23] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + "X-Issuer-Certificate:" field is optional even when asymmetric key + management is employed, although its incorporation is strongly + recommended in the absence of alternate directory server facilities + from which recipients can access issuers' certificates. + +4.6.4 Per-Recipient Encapsulated Header Fields + + This group of encapsulated header fields normally appears once for + each of a message's named recipients. As a special case, these + fields may be omitted in the case of a "MIC-ONLY" message to + recipients for whom asymmetric key management is employed, given that + the chosen MIC algorithm is keyless. + +4.6.4.1 X-Recipient-ID Field + + The "X-Recipient-ID:" encapsulated header field identifies a + recipient and provides the recipient's IK identification component. + One "X-Recipient-ID:" field is included for each of a message's named + recipients. It should be replicated within the encapsulated text. + The field contains (in order) an Entity Identifier subfield, an + Issuing Authority subfield, and a Version/Expiration subfield. The + subfields are delimited by the colon character (":"), optionally + followed by whitespace. + + Section 5.2, Interchange Keys, discusses the semantics of the + subfields and specifies the alphabet from which they are chosen. All + "X-Recipient-ID:" fields are interpreted in the context of the most + recent preceding "X-Sender-ID:" field; it is illegal for an "X- + Recipient-ID:" field to occur in a header before an "X-Sender-ID:" + has been provided. + +4.6.4.2 X-Key-Info Field + + One "X-Key-Info:" field is included for each of a message's named + recipients. Each "X-Key-Info:" field is interpreted in the context + of the most recent preceding "X-Recipient-ID:" field; normally, an + "X-Key-Info:" field will immediately follow its associated "X- + Recipient-ID:" field. The field's argument(s) differ depending on + whether symmetric or asymmetric key management is used for a + particular recipient. + +4.6.4.2.1 Symmetric Key Management + + When symmetric key management is employed for a given recipient, the + "X-Key-Info:" encapsulated header field transfers four items, + separated by commas: an IK Use Indicator, a MIC Algorithm Indicator, + a DEK and a MIC. The IK Use Indicator identifies the algorithm and + mode in which the identified IK was used for DEK encryption for a + + + +Linn [Page 24] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + particular recipient. For recipients for whom symmetric key + management is used, it may assume the reserved string values "DES- + ECB" or "DES-EDE", as defined in RFC-1115. + + The MIC Algorithm Indicator identifies the MIC computation algorithm + used for a particular recipient; values for this subfield are defined + in RFC-1115. The DEK and MIC are encrypted under the IK identified + by a preceding "X-Recipient-ID:" field and prior "X-Sender-ID:" + field; they are represented as two strings of contiguous hexadecimal + digits, separated by a comma. + + When DEA-1 is used for message text encryption, the DEK + representation will be 16 hexadecimal digits (corresponding to a 64- + bit key); this subfield can be extended to 32 hexadecimal digits + (corresponding to a 128-bit key) if required to support other + algorithms. + + Symmetric encryption of MICs is always performed in the same + encryption mode used to encrypt the message's DEK. Encrypted MICs, + like encrypted DEKs, are represented as contiguous strings of + hexadecimal digits. The size of a MIC is dependent on the choice of + MIC algorithm as specified in the MIC Algorithm Indicator subfield. + +4.6.4.2.2 Asymmetric Key Management + + When asymmetric key management is employed for a given recipient, the + "X-Key-Info:" field transfers two quantities, separated by commas. + The first argument is an IK Use Indicator identifying the algorithm + (and mode, if applicable) in which the DEK is encrypted; for purposes + of this RFC, the IK Use Indicator subfield will always assume the + reserved string value "RSA" (as defined in RFC-1115) for recipients + for whom asymmetric key management is employed, signifying use of the + RSA algorithm. The second argument is a DEK, encrypted (using + asymmetric encryption) under the recipient's public component. + + Throughout this RFC we have adopted the terms "private component" and + "public component" to refer to the quantities which are, + respectively, kept secret and made publically available in asymmetric + cryptosystems. This convention is adopted to avoid possible + confusion arising from use of the term "secret key" to refer to + either the former quantity or to a key in a symmetric cryptosystem. + + As discussed earlier in this section, the asymmetrically encrypted + DEK is represented using the technique described in Section 4.3.2.4 + of this RFC. + + + + + + +Linn [Page 25] + +RFC 1113 Mail Privacy: Procedures August 1989 + + +5. Key Management + + Several cryptographic constructs are involved in supporting the + privacy-enhanced message processing procedure. A set of fundamental + elements is assumed. Data Encrypting Keys (DEKs) are used to encrypt + message text and (for some MIC computation algorithms) in the message + integrity check (MIC) computation process. Interchange Keys (IKs) + are used to encrypt DEKs and MICs for transmission with messages. In + a certificate-based asymmetric key management architecture, + certificates are used as a means to provide entities' public + components and other information in a fashion which is securely bound + by a central authority. The remainder of this section provides more + information about these constructs. + +5.1 Data Encrypting Keys (DEKs) + + Data Encrypting Keys (DEKs) are used for encryption of message text + and (with some MIC computation algorithms) for computation of message + integrity check quantities (MICs). It is strongly recommended that + DEKs be generated and used on a one-time, per-message, basis. A + transmitted message will incorporate a representation of the DEK + encrypted under an appropriate interchange key (IK) for each of the + named recipients. + + DEK generation can be performed either centrally by key distribution + centers (KDCs) or by endpoint systems. Dedicated KDC systems may be + able to implement stronger algorithms for random DEK generation than + can be supported in endpoint systems. On the other hand, + decentralization allows endpoints to be relatively self-sufficient, + reducing the level of trust which must be placed in components other + than a message's originator and recipient. Moreover, decentralized + DEK generation at endpoints reduces the frequency with which senders + must make real-time queries of (potentially unique) servers in order + to send mail, enhancing communications availability. + + When symmetric cryptography is used, one advantage of centralized + KDC-based generation is that DEKs can be returned to endpoints + already encrypted under the IKs of message recipients rather than + providing the IKs to the senders. This reduces IK exposure and + simplifies endpoint key management requirements. This approach has + less value if asymmetric cryptography is used for key management, + since per-recipient public IK components are assumed to be generally + available and per-sender private IK components need not necessarily + be shared with a KDC. + +5.2 Interchange Keys (IKs) + + Interchange Key (IK) components are used to encrypt DEKs and MICs. + + + +Linn [Page 26] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + In general, IK granularity is at the pairwise per-user level except + for mail sent to address lists comprising multiple users. In order + for two principals to engage in a useful exchange of privacy-enhanced + electronic mail using conventional cryptography, they must first + possess common IK components (when symmetric key management is used) + or complementary IK components (when asymmetric key management is + used). When symmetric cryptography is used, the IK consists of a + single component, used to encrypt both DEKs and MICs. When + asymmetric cryptography is used, a recipient's public component is + used as an IK to encrypt DEKs (a transformation invertible only by a + recipient possessing the corresponding private component), and the + originator's private component is used to encrypt MICs (a + transformation invertible by all recipients, since the originator's + certificate provides the necessary public component of the + originator). + + While this RFC does not prescribe the means by which interchange keys + are provided to appropriate parties, it is useful to note that such + means may be centralized (e.g., via key management servers) or + decentralized (e.g., via pairwise agreement and direct distribution + among users). In any case, any given IK component is associated with + a responsible Issuing Authority (IA). When certificate-based + asymmetric key management, as discussed in RFC-1114, is employed, the + IA function is performed by a Certification Authority (CA). + + When an IA generates and distributes an IK component, associated + control information is provided to direct how it is to be used. In + order to select the appropriate IK(s) to use in message encryption, a + sender must retain a correspondence between IK components and the + recipients with which they are associated. Expiration date + information must also be retained, in order that cached entries may + be invalidated and replaced as appropriate. + + Since a message may be sent with multiple IK components identified, + corresponding to multiple intended recipients, each recipient's UA + must be able to determine that recipient's intended IK component. + Moreover, if no corresponding IK component is available in the + recipient's database when a message arrives, the recipient must be + able to identify the required IK component and identify that IK + component's associated IA. Note that different IKs may be used for + different messages between a pair of communicants. Consider, for + example, one message sent from A to B and another message sent (using + the IK-per-list method) from A to a mailing list of which B is a + member. The first message would use IK components associated + individually with A and B, but the second would use an IK component + shared among list members. + + When a privacy-enhanced message is transmitted, an indication of the + + + +Linn [Page 27] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + IK components used for DEK and MIC encryption must be included. To + this end, the "X-Sender-ID:" and "X-Recipient-ID:" encapsulated + header fields provide the following data: + + 1. Identification of the relevant Issuing Authority (IA subfield) + + 2. Identification of an entity with which a particular IK + component is associated (Entity Identifier or EI subfield) + + 3. Version/Expiration subfield + + The colon character (":") is used to delimit the subfields within an + "X-Sender-ID:" or "X-Recipient-ID:". The IA, EI, and + version/expiration subfields are generated from a restricted + character set, as prescribed by the following BNF (using notation as + defined in RFC-822, sections 2 and 3.3): + + IKsubfld := 1*ia-char + + ia-char := DIGIT / ALPHA / "'" / "+" / "(" / ")" / + "," / "." / "/" / "=" / "?" / "-" / "@" / + "%" / "!" / '"' / "_" / "<" / ">" + An example "X-Recipient-ID:" field is as follows: + + X-Recipient-ID: linn@ccy.bbn.com:ptf-kmc:2 + + This example field indicates that IA "ptf-kmc" has issued an IK + component for use on messages sent to "linn@ccy.bbn.com", and that + the IA has provided the number 2 as a version indicator for that IK + component. + +5.2.1 Subfield Definitions + + The following subsections define the subfields of "X-Sender-ID:" and + "X-Recipient-ID:" fields. + +5.2.1.1 Entity Identifier Subfield + + An entity identifier is constructed as an IKsubfld. More + restrictively, an entity identifier subfield assumes the following + form: + + @ + + In order to support universal interoperability, it is necessary to + assume a universal form for the naming information. For the case of + installations which transform local host names before transmission + into the broader Internet, it is strongly recommended that the host + + + +Linn [Page 28] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + name as presented to the Internet be employed. + +5.2.1.2 Issuing Authority Subfield + + An IA identifier subfield is constructed as an IKsubfld. IA + identifiers must be assigned in a manner which assures uniqueness. + This can be done on a centralized or hierarchic basis. + +5.2.1.3 Version/Expiration Subfield + + A version/expiration subfield is constructed as an IKsubfld. The + version/expiration subfield format may vary among different IAs, but + must satisfy certain functional constraints. An IA's + version/expiration subfields must be sufficient to distinguish among + the set of IK components issued by that IA for a given identified + entity. Use of a monotonically increasing number is sufficient to + distinguish among the IK components provided for an entity by an IA; + use of a timestamp additionally allows an expiration time or date to + be prescribed for an IK component. + +5.2.2 IK Cryptoperiod Issues + + An IK component's cryptoperiod is dictated in part by a tradeoff + between key management overhead and revocation responsiveness. It + would be undesirable to delete an IK component permanently before + receipt of a message encrypted using that IK component, as this would + render the message permanently undecipherable. Access to an expired + IK component would be needed, for example, to process mail received + by a user (or system) which had been inactive for an extended period + of time. In order to enable very old IK components to be deleted, a + message's recipient desiring encrypted local long term storage should + transform the DEK used for message text encryption via re-encryption + under a locally maintained IK, rather than relying on IA maintenance + of old IK components for indefinite periods. + +6. User Naming + +6.1 Current Approach + + Unique naming of electronic mail users, as is needed in order to + select corresponding keys correctly, is an important topic and one + which has received significant study. Our current architecture + associates IK components with user names represented in a universal + form ("user@domain-qualified-host"), relying on the following + properties: + + 1. The universal form must be specifiable by an IA as it + distributes IK components and known to a UA as it processes + + + +Linn [Page 29] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + received IK components and IK component identifiers. If a + UA or IA uses addresses in a local form which is different + from the universal form, it must be able to perform an + unambiguous mapping from the universal form into the local + representation. + + 2. The universal form, when processed by a sender UA, must have + a recognizable correspondence with the form of a recipient + address as specified by a user (perhaps following local + transformation from an alias into a universal form). + + It is difficult to ensure these properties throughout the Internet. + For example, an MTS which transforms address representations between + the local form used within an organization and the universal form as + used for Internet mail transmission may cause property 2 to be + violated. + +6.2 Issues for Consideration + + The use of flat (non-hierarchic) electronic mail user identifiers, + which are unrelated to the hosts on which the users reside, may offer + value. As directory servers become more widespread, it may become + appropriate for would-be senders to search for desired recipients + based on such attributes. Personal characteristics, like social + security numbers, might be considered. Individually-selected + identifiers could be registered with a central authority, but a means + to resolve name conflicts would be necessary. + + A point of particular note is the desire to accommodate multiple + names for a single individual, in order to represent and allow + delegation of various roles in which that individual may act. A + naming mechanism that binds user roles to keys is needed. Bindings + cannot be immutable since roles sometimes change (e.g., the + comptroller of a corporation is fired). + + It may be appropriate to examine the prospect of extending the + DARPA/DoD domain system and its associated name servers to resolve + user names to unique user IDs. An additional issue arises with + regard to mailing list support: name servers do not currently perform + (potentially recursive) expansion of lists into users. ISO and CSNet + are working on user-level directory service mechanisms, which may + also bear consideration. + +7. Example User Interface and Implementation + + In order to place the mechanisms and approaches discussed in this RFC + into context, this section presents an overview of a prototype + implementation. This implementation is a standalone program which is + + + +Linn [Page 30] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + invoked by a user, and lies above the existing UA sublayer. In the + UNIX system, and possibly in other environments as well, such a + program can be invoked as a "filter" within an electronic mail UA or + a text editor, simplifying the sequence of operations which must be + performed by the user. This form of integration offers the advantage + that the program can be used in conjunction with a range of UA + programs, rather than being compatible only with a particular UA. + + When a user wishes to apply privacy enhancements to an outgoing + message, the user prepares the message's text and invokes the + standalone program (interacting with the program in order to provide + address information and other data required to perform privacy + enhancement processing), which in turn generates output suitable for + transmission via the UA. When a user receives a privacy-enhanced + message, the UA delivers the message in encrypted form, suitable for + decryption and associated processing by the standalone program. + + In this prototype implementation (based on symmetric key management), + a cache of IK components is maintained in a local file, with entries + managed manually based on information provided by originators and + recipients. This cache is, effectively, a simple database. IK + components are selected for transmitted messages based on the + sender's identity and on recipient names, and corresponding "X- + Sender-ID:" and "X-Recipient-ID:" fields are placed into the + message's encapsulated header. When a message is received, these + fields are used as a basis for a lookup in the database, yielding the + appropriate IK component entries. DEKs and IVs are generated + dynamically within the program. + + Options and destination addresses are selected by command line + arguments to the standalone program. The function of specifying + destination addresses to the privacy enhancement program is logically + distinct from the function of specifying the corresponding addresses + to the UA for use by the MTS. This separation results from the fact + that, in many cases, the local form of an address as specified to a + UA differs from the Internet global form as used in "X-Sender-ID:" + and "X-Recipient-ID:" fields. + +8. Areas For Further Study + + The procedures defined in this RFC are sufficient to support + implementation of privacy-enhanced electronic mail transmission among + cooperating parties in the Internet. Further effort will be needed, + however, to enhance robustness, generality, and interoperability. In + particular, further work is needed in the following areas: + + 1. User naming techniques, and their relationship to the domain + system, name servers, directory services, and key management + + + +Linn [Page 31] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + functions. + + 2. Detailed standardization of Issuing Authority and directory + service functions and interactions. + + 3. Privacy-enhanced interoperability with X.400 mail. + + We anticipate generation of subsequent RFCs which will address these + topics. + +9. References + + This section identifies background references which may be useful to + those contemplating use of the mechanisms defined in this RFC. + + ISO 7498/Part 2 - Security Architecture, prepared by ISO/TC97/SC + 21/WG 1 Ad hoc group on Security, extends the OSI Basic Reference + Model to cover security aspects which are general architectural + elements of communications protocols, and provides an annex with + tutorial and background information. + + US Federal Information Processing Standards Publication (FIPS + PUB) 46, Data Encryption Standard, 15 January 1977, defines the + encipherment algorithm used for message text encryption and + Message Authentication Code (MAC) computation. + + FIPS PUB 81, DES Modes of Operation, 2 December 1980, defines + specific modes in which the Data Encryption Standard algorithm + may to be used to perform encryption. + + FIPS PUB 113, Computer Data Authentication, May 1985, defines a + specific procedure for use of the Data Encryption Standard + algorithm to compute a MAC. + +NOTES: + + [1] Key generation for MIC computation and message text encryption + may either be performed by the sending host or by a centralized + server. This RFC does not constrain this design alternative. + Section 5.1 identifies possible advantages of a centralized + server approach if symmetric key management is employed. + + [2] American National Standard Data Encryption Algorithm (ANSI + X3.92-1981), American National Standards Institute, Approved 30 + December 1980. + + [3] Federal Information Processing Standards Publication 46, Data + Encryption Standard, 15 January 1977. + + + +Linn [Page 32] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + [4] Information Processing Systems: Data Encipherment: Modes of + Operation of a 64-bit Block Cipher. + + [5] Federal Information Processing Standards Publication 81, DES + Modes of Operation, 2 December 1980. + + [6] ANSI X9.17-1985, American National Standard, Financial + Institution Key Management (Wholesale), American Bankers + Association, April 4, 1985, Section 7.2. + + [7] Postel, J., "Simple Mail Transfer Protocol" RFC-821, + USC/Information Sciences Institute, August 1982. + + [8] This transformation should occur only at an SMTP endpoint, not at + an intervening relay, but may take place at a gateway system + linking the SMTP realm with other environments. + + [9] Use of the SMTP canonicalization procedure at this stage was + selected since it is widely used and implemented in the Internet + community, not because SMTP interoperability with this + intermediate result is required; no privacy-enhanced message will + be passed to SMTP for transmission directly from this step in the + four-phase transformation procedure. + + [10] Crocker, D., "Standard for the Format of ARPA Internet Text + Messages", RFC-822, August 1982. + + [11] Rose, M. and E. Stefferud, "Proposed Standard for Message + Encapsulation", RFC-934, January 1985. + + [12] CCITT Recommendation X.411 (1988), "Message Handling Systems: + Message Transfer System: Abstract Service Definition and + Procedures". + + [13] CCITT Recommendation X.509 (1988), "The Directory - + Authentication Framework". + + [14] Kille, S., "Mapping between X.400 and RFC-822", RFC-987, June + 1986. + + [15] Federal Information Processing Standards Publication 113, + Computer Data Authentication, May 1985. + + [16] American National Standard for Information Systems - Data + Encryption Algorithm - Modes of Operation (ANSI X3.106-1983), + American National Standards Institute - Approved 16 May 1983. + + [17] Voydock, V. and S. Kent, "Security Mechanisms in High-Level + + + +Linn [Page 33] + +RFC 1113 Mail Privacy: Procedures August 1989 + + + Network Protocols", ACM Computing Surveys, Vol. 15, No. 2, Pages + 135-171, June 1983. + +Author's Address + + John Linn + Secure Systems + Digital Equipment Corporation + 85 Swanson Road, BXB1-2/D04 + Boxborough, MA 01719-1326 + + Phone: 508-264-5491 + + EMail: Linn@ultra.enet.dec.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Linn [Page 34] + \ No newline at end of file -- cgit v1.2.3