1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
|
Network Working Group L. Martin
Request for Comments: 5409 Voltage Security
Category: Informational M. Schertler
Axway
January 2009
Using the Boneh-Franklin and Boneh-Boyen Identity-Based Encryption
Algorithms with the Cryptographic Message Syntax (CMS)
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (http://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract
This document describes the conventions for using the Boneh-Franklin
(BF) and Boneh-Boyen (BB1) identity-based encryption algorithms in
the Cryptographic Message Syntax (CMS) to encrypt content-encryption
keys. Object identifiers and the convention for encoding a
recipient's identity are also defined.
Martin & Schertler Informational [Page 1]
^L
RFC 5409 Using IBE with CMS January 2009
Table of Contents
1. Introduction ....................................................2
1.1. Terminology ................................................3
1.2. IBE Overview ...............................................3
2. Using Identity-Based Encryption .................................3
3. Key Encryption Algorithm Identifiers ............................6
4. Processing by the Sender ........................................7
5. Processing by the Receiver ......................................7
6. ASN.1 Module ....................................................8
7. Security Considerations .........................................9
7.1. Attacks outside the Scope of This Document .................9
7.2. Attacks within the Scope of This Document .................10
7.3. Attacks to Which the Protocols Defined in This Document
Are Susceptible............................................11
8. References .....................................................12
8.1. Normative References ......................................12
8.2. Informative References ....................................12
1. Introduction
This document defines the way to use the Boneh-Franklin [IBCS] and
Boneh-Boyen [IBCS] identity-based encryption (IBE) public-key
algorithms in the Cryptographic Message Syntax (CMS) [CMS]. IBE is a
public-key technology for encrypting content-encryption keys (CEKs)
that can be implemented within the framework of the CMS: the
recipient's identity is incorporated into the EnvelopedData CMS
content type using the OtherRecipientInfo CHOICE in the RecipientInfo
field as defined in Section 6.2.5 of [CMS]. This document does not
describe the implementation of the BF and BB1 algorithms, which are
described in detail in [IBCS].
IBE algorithms are a type of public-key cryptographic algorithm in
which the public key is calculated directly from a user's identity
instead of being generated randomly. This requires a different set
of steps for encryption and decryption than would be used with other
public-key algorithms, and these steps are defined in Sections 4 and
5 of this document, respectively.
This document also defines the object identifiers and syntax of the
object that is used to define the identity of a message recipient.
CMS values and identity objects are defined using ASN.1 [ASN1].
Martin & Schertler Informational [Page 2]
^L
RFC 5409 Using IBE with CMS January 2009
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [KEYWORDS].
1.2. IBE Overview
In addition to the client components that are described in this
document, the following additional components are required for a
complete IBE messaging system.
o A Private-Key Generator (PKG). The PKG contains the
cryptographic material, known as a master secret, for
generating an individual's IBE private key. A PKG accepts an
IBE user's private key request and, after successfully
authenticating them in some way, returns their IBE private key.
o A Public Parameter Server (PPS). IBE system parameters include
publicly sharable cryptographic material, known as IBE public
parameters, and policy information for the PKG. A PPS provides
a well-known location for distribution of IBE public parameters
and policy information for the IBE PKG.
The interactions of senders and receivers of IBE-encrypted messages
are described in [IBE]. All communications between users of an IBE
system and the PPS or PKG MUST be protected using TLS [TLS] as
described in [IBE]. This provides confidentiality and integrity of
all information that is delivered to users as well as authentication
of the PPS and PKG.
2. Using Identity-Based Encryption
To use IBE, the ori field in RecipientInfo MUST be used. The fields
are set as follows: oriType is set to ibeORIType; oriValue is set to
ibeORIValue.
These fields have the following meanings:
ibeORIType defines the object identifier (OID) that indicates that
the subsequent ibeORIValue is the information necessary to decrypt
the message using IBE. This field MUST be set to the following:
ibeORIType OBJECT IDENTIFIER ::= {
joint-iso-itu(2) country(16) us(840)
organization(1) identicrypt(114334)
ibcs(1) cms(4) ori-oid(1) version(1)
}
Martin & Schertler Informational [Page 3]
^L
RFC 5409 Using IBE with CMS January 2009
ibeORIValue defines the identity that was used in the IBE algorithm
to encrypt the CEK. This is an IBERecipientInfo type, which is
defined as follows:
IBERecipientInfo ::= SEQUENCE {
cmsVersion INTEGER { v3(3) },
keyFetchMethod OBJECT IDENTIFIER,
recipientIdentity IBEIdentityInfo,
serverInfo SEQUENCE SIZE (1..MAX) OF
OIDValuePairs OPTIONAL,
encryptedKey EncryptedKey
}
The fields of IBERecipientInfo MUST be set as follows.
The cmsVersion MUST be set to 3.
The keyFetchMethod is the OID that defines the method of retrieving
the private key that the recipient MUST use. This SHOULD be set to
uriPPSOID [IBE], which is defined to be the following:
uriPPSOID OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840)
organization(1) identicrypt(114334)
pps-schemas(3) ic-schemas(1) pps-uri(1) version(1)
}
The recipientIdentity is the data that the sender used to calculate
the IBE public key that the sender used to encrypt the content-
encryption key. This recipientIdentity is used to calculate IBE
public and private keys as described in [IBCS]. This MUST be a DER-
encoded [DER] IBEIdentityInfo type [IBE], which is defined as
follows:
IBEIdentityInfo ::= SEQUENCE {
district IA5String,
serial INTEGER,
identityType OBJECT IDENTIFIER,
identityData OCTET STRING
}
The identityType defines the format that is used to encode the
information that defines the identity of the recipient. This MUST be
set to cmsIdentityOID to indicate that identityData contains an
EmailIdentityData type. The value of cmsIdentityOID is the
following:
Martin & Schertler Informational [Page 4]
^L
RFC 5409 Using IBE with CMS January 2009
cmsIdentityOID OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840)
organization(1) identicrypt(114334)
keyschemas(2) icschemas(1) email(1) version(1)
}
The identityData MUST be an EmailIdentityData type, which is defined
as follows:
EmailIdentityData ::= SEQUENCE {
rfc822Name IA5String,
time GeneralizedTime
}
The rfc822Name field is the email address of the recipient in the
format defined in Section 4.2.1.6 of [PKIX] for the rfc822Name
subjectAltName variant. Rules for encoding Internet mail addresses
that include internationalized domain names are specified in Section
7.5 of [PKIX].
The value of the time field is the UTC time after which the sender
wants to let the recipient decrypt the message, so it may be called
the "not-before" time. This is usually set to the time when the
message is encrypted, but MAY be set to a future time. The value of
"time" MUST be expressed in Greenwich Mean Time (Zulu), MUST include
seconds (i.e., times are always YYYYMMDDHHMMSSZ), even where the
number of seconds is equal to zero, and MUST be expressed to the
nearest second.
The sender of an IBE-encrypted message may want to express this time
rounded to a time interval to create a key lifetime. A key lifetime
reduces the number of IBE private keys that a recipient needs to
retrieve, but still forces the IBE user to periodically re-
authenticate. Based on the time interval chosen a recipient would
only have to retrieve a new IBE key once during the interval. To do
this, follow the steps below. Let "time-interval" be the number of
seconds in this larger time interval.
1. Find the GeneralizedTime for the not-before value.
2. Convert this GeneralizedTime into the number of seconds since
January 1, 1970. Call this "total-time".
3. Calculate reduced-time =
(floor (total-time / time-interval)) * time-interval.
4. Convert reduced-time to a GeneralizedTime to get the not-before
"time" value.
An example of this algorithm for computing a one-week time interval
is as follows.
Martin & Schertler Informational [Page 5]
^L
RFC 5409 Using IBE with CMS January 2009
1. Suppose that the GeneralizedTime is 20020401000000Z.
2. Then the total-time is 1017612000.
3. A time-interval of 1 week is 604800 seconds.
So the reduced-time = (floor (1017612000 / 604800)) * 604800 =
1017273600.
4. This gives the GeneralizedTime form of the reduced-time of
20020328000000Z.
When issuing IBE private keys, a PKG SHOULD NOT issue them too far
into the future. This restriction is to prevent an adversary who
obtains an IBE user's authentication credentials from requesting
private keys far into the future and therefore negating the periodic
IBE user re-authentication that key lifetime provides. For example,
if a one-week period is chosen for the key lifetime, then IBE private
keys should not be issued more than one week in advance. Otherwise,
once an adversary gains access to the PKG via the stolen IBE user
credentials, they can request all future keys and negate the IBE user
authentication restraints in place.
The serverInfo is an optional sequence of OID-value pairs that are
defined to be the following:
OIDValuePairs ::= SEQUENCE {
fieldID OBJECT IDENTIFIER,
fieldData OCTET STRING
}
These can be used to convey any other information that might be used
by a PKG. Examples of such information could include the user
interface that the recipient will experience. Differences in the
user interface could include localization information or commercial
branding information. A client MUST ignore any part of serverInfo
that it is unable to process.
The encryptedKey is the result of encrypting the CEK with an IBE
algorithm using recipientIdentity as the IBE public key.
3. Key Encryption Algorithm Identifiers
The BF and BB1 algorithms as defined in [IBCS] have the following
object identifiers. These object identifiers are also defined in the
ASN.1 module in [IBCS].
bf OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840)
organization(1) identicrypt(114334)
ibcs(1) ibcs1(1) ibe-algorithms(2) bf(1)
}
Martin & Schertler Informational [Page 6]
^L
RFC 5409 Using IBE with CMS January 2009
This is the object identifier that MUST be inserted in the
keyEncryptionAlgorithm field in the CMS when the BF algorithm is used
to encrypt the CEK.
bb1 OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840)
organization(1) identicrypt(114334)
ibcs(1) ibcs1(1) ibe-algorithms(2) bb1(2)
}
This is the object identifier that MUST be inserted in the
keyEncryptionAlgorithm field in the CMS when the BB1
algorithm is used to encrypt the CEK.
4. Processing by the Sender
The sender of a message that uses IBE to encrypt content-
encryption keys performs the following steps:
1. Selects a set of IBE public parameters to use in the
subsequent steps in accordance with his local security
policy. He then determines the URI where the public
parameters can be obtained using the process described in
[IBE]. This information MUST be encoded in the
IBEIdentityInfo as described in Section 2.
2. Sets the fields of an OtherRecipientInfo object to
their appropriate values as described in Section 2.
3. Calculates an IBE public key as defined in [IBCS]
using this IBEIdentityInfo as the identity information.
4. This IBE public key is then used to encrypt the
content-encryption key (CEK), using the algorithms that are
defined in [IBCS].
5. Sets encryptedKey to the IBE-encrypted CEK.
6. Within the CMS, keyEncryptionAlgorithm MUST then be
set to the appropriate OID for the IBE algorithm that was
used (see Section 3).
5. Processing by the Receiver
Upon receiving a message that has a CEK encrypted with IBE,
the recipient performs the following steps to decrypt the
CEK:
Martin & Schertler Informational [Page 7]
^L
RFC 5409 Using IBE with CMS January 2009
1. Determines that the CEK is IBE-encrypted by noting that
the oriType of the OtherRecipientInfo type is set to
ibeORIType.
2. Determines that the recipientIdentity was used as the
identity in IBE encryption of the CEK.
3. Determines the location of the IBE public parameters
and the IBE Private Key Generator as described in
[IBE].
4. Obtains the IBE public parameters from the location
determined in Step 3 using the process defined in
[IBE].
5. Obtains the IBE private key needed to decrypt the
encrypted CEK using the process defined in [IBE].
6. Decrypts the CEK using the IBE private key obtained in
Step 4 using the algorithms described in [IBCS].
6. ASN.1 Module
The following ASN.1 module summarizes the ASN.1 definitions
defined by this document.
IBECMS-module {
joint-iso-itu-t(2) country(16) us(840)
organization(1) identicrypt(114334)
ibcs(1) cms(4) module(5) version(1)
}
DEFINITIONS IMPLICIT TAGS ::= BEGIN
IMPORTS IBEIdentityInfo, uriPPSOID FROM
IBEARCH-module { joint-iso-itu-t(2) country(16)
us(840) organization(1) identicrypt(114334) ibcs(1)
ibearch(5) module(5) version(1)
};
IBEOtherRecipientInfo ::= SEQUENCE {
oriType OBJECT IDENTIFIER,
oriValue IBERecipientInfo
}
Martin & Schertler Informational [Page 8]
^L
RFC 5409 Using IBE with CMS January 2009
ibeORIType OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840)
organization(1) identicrypt(114334)
ibcs(1) cms(4) ori-oid(1) version(1)
}
IBERecipientInfo ::= SEQUENCE {
cmsVersion INTEGER { v3(3) },
keyFetchMethod OBJECT IDENTIFIER,
recipientIdentity IBEIdentityInfo,
serverInfo SEQUENCE SIZE (1..MAX) OF
OIDValuePairs OPTIONAL,
encryptedKey EncryptedKey
}
OIDValuePairs ::= SEQUENCE {
fieldID OBJECT IDENTIFIER,
fieldData OCTET STRING
}
EncryptedKey ::= OCTET STRING
EmailIdentityData ::= SEQUENCE {
rfc822Name IA5String,
time GeneralizedTime
}
cmsIdentityOID OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840)
organization(1) identicrypt(114334)
keyschemas(2) icschemas(1) email(1) version(1)
}
END
7. Security Considerations
This document is based on [CMS], [IBCS], and [IBE], and the relevant
security considerations of those documents apply.
7.1. Attacks outside the Scope of This Document
Attacks on the cryptographic algorithms that are used to implement
IBE are outside the scope of this document. Such attacks are
detailed in [IBCS], which defines parameters that give 80-bit,
Martin & Schertler Informational [Page 9]
^L
RFC 5409 Using IBE with CMS January 2009
112-bit, 128-bit, and 256-bit encryption strength. We assume that
capable administrators of an IBE system will select parameters that
provide a sufficient resistance to cryptanalytic attacks by
adversaries.
Attacks that give an adversary the ability to access or change the
information on a PPS or PKG, especially the cryptographic material
(referred to in this document as the master secret), will defeat the
security of an IBE system. In particular, if the cryptographic
material is compromised, the adversary will have the ability to
recreate any user's private key and therefore decrypt all messages
protected with the corresponding public key. To address this
concern, it is highly RECOMMENDED that best practices for physical
and operational security for PPS and PKG servers be followed and that
these servers be configured (sometimes known as hardened) in
accordance with best current practices [NIST]. An IBE system SHOULD
be operated in an environment where illicit access to the PKG or the
ability to modify the information distributed by the PPS is
infeasible for attackers to obtain.
Attacks that require administrative access or IBE-user-equivalent
access to machines used by either the client or the server components
defined in this document are also outside the scope of this document.
We also assume that all administrators of a system implementing the
protocols that are defined in this document are trustworthy and will
not abuse their authority to bypass the security provided by an IBE
system. This is of particular importance with an IBE system, for an
administrator of a PKG could potentially abuse his authority and
configure the PKG to grant him any IBE private key that the PKG is
capable of calculating. To minimize the possibility of
administrators doing this, a system implementing IBE SHOULD implement
n-out-of-m control for critical administrative functions and SHOULD
maintain auditable logs of all security-critical events that occur in
an operating IBE system.
Similarly, we assume that users of an IBE system will behave
responsibly, not sharing their authentication credentials with
others. Thus, attacks that require such assumptions are outside the
scope of this document.
7.2. Attacks within the Scope of This Document
Attacks within the scope of this document are those that allow an
adversary to:
o passively monitor information transmitted between users of an
IBE system and the PPS and PKG
Martin & Schertler Informational [Page 10]
^L
RFC 5409 Using IBE with CMS January 2009
o masquerade as a PPS or PKG
o perform a denial-of-service (DoS) attack on a PPS or PKG
o easily guess an IBE user's authentication credential
7.3. Attacks to Which the Protocols Defined in This Document
Are Susceptible
All communications between users of an IBE system and the PPS or PKG
are protected using TLS [TLS]. The IBE system defined in this
document provides no additional security for the communications
between IBE users and the PPS or PKG. Therefore, the described IBE
system is completely dependent on the TLS security mechanisms for
authentication of the PKG or PPS server and for confidentiality and
integrity of the communications. Should there be a compromise of the
TLS security mechanisms, the integrity of all communications between
an IBE user and the PPS or PKG will be suspect.
The protocols defined in this document do not explicitly defend
against an attacker masquerading as a legitimate IBE PPS or PKG. The
protocols rely on the server authentication mechanism of TLS [TLS].
In addition to the TLS server authentication mechanism, IBE client
software can provide protection against this possibility by providing
user interface capabilities that allows users to visually determine
that a connection to PPS and PKG servers is legitimate. This
additional capability can help ensure that users cannot easily be
tricked into providing valid authorization credentials to an
attacker.
The protocols defined in this document are also vulnerable to attacks
against an IBE PPS or PKG. Denial-of-service attacks against either
component can result in users unable to encrypt or decrypt using IBE,
and users of an IBE system SHOULD take the appropriate
countermeasures [DOS, BGPDOS] that their use of IBE requires.
The IBE user authentication method used by an IBE PKG SHOULD be of
sufficient strength to prevent attackers from easily guessing the IBE
user's authentication credentials through trial and error.
Martin & Schertler Informational [Page 11]
^L
RFC 5409 Using IBE with CMS January 2009
8. References
8.1. Normative References
[ASN1] ITU-T Recommendation X.680: Information Technology -
"Abstract Syntax Notation One (ASN.1): Specification of
Basic Notation", July 2002.
[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC
3852, July 2004.
[DER] ITU-T Recommendation X.690: OSI Networking and System
Aspects: Abstract Syntax Notation One (ASN.1), July 2002.
[DOS] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, May 2000.
[IBCS] Boyen, X. and L. Martin, "Identity-Based Cryptography
Standard (IBCS) #1: Supersingular Curve Implementations of
the BF and BB1 Cryptosystems", RFC 5091, December 2007.
[IBE] Appenzeller, G., Martin, L., and M. Schertler, "Identity-
Based Encryption Architecture and Supporting Data
Structures", RFC 5408, January 2009.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[PKIX] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
8.2. Informative References
[BGPDOS] Turk, D., "Configuring BGP to Block Denial-of-Service
Attacks", RFC 3882, September 2004.
[NIST] M. Souppaya, J. Wack and K. Kent, "Security Configuration
Checklist Program for IT Products - Guidance for Checklist
Users and Developers", NIST Special Publication SP 800-70,
May 2005.
Martin & Schertler Informational [Page 12]
^L
RFC 5409 Using IBE with CMS January 2009
Authors' Addresses
Luther Martin
Voltage Security
1070 Arastradero Rd, Suite 100
Palo Alto, CA 94304
USA
Phone: +1 650 543 1280
EMail: martin@voltage.com
Mark Schertler
Axway
1600 Seaport Blvd, Suite 400
Redwood City, CA 94063
USA
Phone: +1 650 216 2039
EMail: mschertler@us.axway.com
Martin & Schertler Informational [Page 13]
^L
|