1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
|
Internet Engineering Task Force (IETF) P. Gutmann
Request for Comments: 6476 University of Auckland
Category: Standards Track January 2012
ISSN: 2070-1721
Using Message Authentication Code (MAC) Encryption
in the Cryptographic Message Syntax (CMS)
Abstract
This document specifies the conventions for using Message
Authentication Code (MAC) encryption with the Cryptographic Message
Syntax (CMS) authenticated-enveloped-data content type. This mirrors
the use of a MAC combined with an encryption algorithm that's already
employed in IPsec, Secure Socket Layer / Transport Layer Security
(SSL/TLS) and Secure SHell (SSH), which is widely supported in
existing crypto libraries and hardware and has been extensively
analysed by the crypto community.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6476.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Gutmann Standards Track [Page 1]
^L
RFC 6476 MAC Encryption in CMS January 2012
Table of Contents
1. Introduction ....................................................2
1.1. Conventions Used in This Document ..........................2
2. Background ......................................................2
3. CMS Encrypt-and-Authenticate Overview ...........................3
3.1. Rationale ..................................................3
4. CMS Encrypt-and-Authenticate ....................................4
4.1. Encrypt-and-Authenticate Message Processing ................5
4.2. Rationale ..................................................6
4.3. Test Vectors ...............................................8
5. SMIMECapabilities Attribute ....................................12
6. Security Considerations ........................................12
7. IANA Considerations ............................................13
8. Acknowledgements ...............................................14
9. References .....................................................14
9.1. Normative References ......................................14
9.2. Informative References ....................................14
1. Introduction
This document specifies the conventions for using MAC-authenticated
encryption with the Cryptographic Message Syntax (CMS) authenticated-
enveloped-data content type. This mirrors the use of a MAC combined
with an encryption algorithm that's already employed in IPsec, SSL/
TLS and SSH, which is widely supported in existing crypto libraries
and hardware and has been extensively analysed by the crypto
community.
1.1. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Background
Integrity-protected encryption is a standard feature of session-
oriented security protocols like [IPsec], [SSH], and [TLS]. Until
recently, however, integrity-protected encryption wasn't available
for message-based security protocols like CMS, although [OpenPGP]
added a form of integrity protection by encrypting a SHA-1 hash of
the message alongside the message contents to provide authenticate-
and-encrypt protection. Usability studies have shown that users
expect encryption to provide integrity protection [Garfinkel],
creating cognitive dissonance problems when the security mechanisms
don't in fact provide this assurance.
Gutmann Standards Track [Page 2]
^L
RFC 6476 MAC Encryption in CMS January 2012
This document applies the same encrypt-and-authenticate mechanism
already employed in IPsec, SSH, and SSL/TLS to CMS (technically some
of these actually use authenticate-and-encrypt rather than encrypt-
and-authenticate, since what's authenticated is the plaintext and not
the ciphertext). This mechanism is widely supported in existing
crypto libraries and hardware and has been extensively analysed by
the crypto community [EncryptThenAuth].
3. CMS Encrypt-and-Authenticate Overview
Conventional CMS encryption uses a content-encryption key (CEK) to
encrypt a message payload, with the CEK typically being in turn
encrypted by a key-encryption key (KEK). Authenticated encryption
requires two keys: one for encryption and a second one for
authentication. Like other mechanisms that use authenticated
encryption, this document employs a pseudorandom function (PRF) to
convert a single block of keying material into the two keys required
for encryption and authentication. This converts the standard CMS
encryption operation:
KEK( CEK ) || CEK( data )
into:
KEK( master_secret ) || MAC( CEK( data ) )
where the MAC key MAC-K and encryption key CEK-K are derived from the
master_secret via:
MAC-K := PRF( master_secret, "authentication" );
CEK-K := PRF( master_secret, "encryption" );
3.1. Rationale
There are several possible means of deriving the two keys required
for the encrypt-and-authenticate process from the single key normally
provided by the key exchange or key transport mechanisms. Several of
these, however, have security or practical issues. For example, any
mechanism that uses the single exchanged key in its entirety for
encryption (using, perhaps, PRF( key ) as the MAC key) can be
converted back to unauthenticated data by removing the outer MAC
layer and rewriting the CMS envelope back to plain EnvelopedData or
EncryptedData. By applying the PRF intermediate step, any attempt at
a rollback attack will result in a decryption failure.
Gutmann Standards Track [Page 3]
^L
RFC 6476 MAC Encryption in CMS January 2012
The option chosen here -- the use of a PRF to derive the necessary
sets of keying material from a master secret -- is well-established
through its use in IPsec, SSH, and SSL/TLS and is widely supported in
both crypto libraries and in encryption hardware.
The PRF used is Password-Based Key Derivation Function 2 (PBKDF2)
because its existing use in CMS makes it the most obvious candidate
for such a function. In the future, if a universal PRF -- for
example, [HKDF] -- is adopted, then this can be substituted for
PBKDF2 by specifying it in the prfAlgorithm field covered in
Section 4.
The resulting processing operations consist of a combination of the
operations used for the existing CMS content types EncryptedData and
AuthenticatedData, allowing them to be implemented relatively simply
using existing code.
4. CMS Encrypt-and-Authenticate
The encrypt-and-authenticate mechanism is implemented within the
existing CMS RecipientInfo framework by defining a new pseudo-
algorithm type, authEnc, which is used in place of a monolithic
encrypt and hash algorithm. The RecipientInfo is used as a key
container for the master secret used by the pseudo-algorithm from
which the encryption and authentication keys for existing single-
purpose encrypt-only and MAC-only algorithms are derived. Thus,
instead of using the RecipientInfo to communicate (for example) an
AES or HMAC-SHA1 key, it communicates a master secret from which the
required AES encryption and HMAC-SHA1 authentication keys are
derived.
The authEnc pseudo-algorithm comes in two forms: one conveying
128 bits of keying material and one conveying 256 bits:
id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
id-alg OBJECT IDENTIFIER ::= { id-smime 3 }
id-alg-authEnc-128 OBJECT IDENTIFIER ::= { id-alg 15 }
id-alg-authEnc-256 OBJECT IDENTIFIER ::= { id-alg 16 }
Gutmann Standards Track [Page 4]
^L
RFC 6476 MAC Encryption in CMS January 2012
The algorithm parameters are as follows:
AuthEncParams ::= SEQUENCE {
prfAlgorithm [0] AlgorithmIdentifier DEFAULT PBKDF2,
encAlgorithm AlgorithmIdentifier,
macAlgorithm AlgorithmIdentifier
}
prfAlgorithm is the PRF algorithm used to convert the master
secret into the encryption and MAC keys. The default PRF is
[PBKDF2], which in turn has a default PRF algorithm of HMAC-SHA1.
When this default setting is used, the PBKDF2-params 'salt'
parameter is an empty string, and the 'iterationCount' parameter
is one, turning the KDF into a pure PRF.
encAlgorithm is the encryption algorithm and associated parameters
to be used to encrypt the content.
macAlgorithm is the MAC algorithm and associated parameters to be
used to authenticate/integrity-protect the content.
When the prfAlgorithm AlgorithmIdentifier is used in conjunction with
PBKDF2 to specify a PRF other than the default PBKDF2-with-HMAC-SHA1
one, the PBKDF2-params require that two additional algorithm
parameters be specified. The 'salt' parameter MUST be an empty
(zero-length) string, and the 'iterationCount' parameter MUST be one,
since these values aren't used in the PRF process. In their encoded
form as used for the PBKDF2-params, these two parameters have the
value 08 00 02 01 01.
As a guideline for authors specifying the use of PRFs other than
PBKDF2, any additional parameters such as salts, tags, and
identification strings SHOULD be set to empty strings, and any
iteration count SHOULD be set to one.
4.1. Encrypt-and-Authenticate Message Processing
The randomly generated master secret to be communicated via the
RecipientInfo(s) is converted to separate encryption and
authentication keys and applied to the encrypt-and-authenticate
process as follows. The notation "PRF( key, salt, iterations )" is
used to denote an application of the PRF to the given keying value
and salt, for the given number of iterations:
Gutmann Standards Track [Page 5]
^L
RFC 6476 MAC Encryption in CMS January 2012
1. The MAC algorithm key is derived from the master secret via:
MAC-K ::= PRF( master_secret, "authentication", 1 );
2. The encryption algorithm key is derived from the master
secret via:
Enc-K ::= PRF( master_secret, "encryption", 1 );
3. The data is processed as described in [AuthEnv], and specifically
since the mechanisms used are a union of EncryptedData
and AuthenticatedData, as per [CMS]. The one exception to
this is that the
EncryptedContentInfo.ContentEncryptionAlgorithmIdentifier data is
MACed before the encrypted content is MACed. The EncryptedData
processing is applied to the data first, and then the
AuthenticatedData processing is applied to the result, so that
the nesting is as follows:
MAC( contentEncrAlgoID || encrypt( content ) );
4. If authenticated attributes are present, then they are encoded as
described in [AuthEnv] and MACed after the encrypted content, so
that the processing is as follows:
MAC( contentEncrAlgoID || encrypt( content ) || authAttr );
4.2. Rationale
When choosing between encrypt-and-authenticate and authenticate-and-
encrypt, the more secure option is encrypt-and-authenticate. There
has been extensive analysis of this in the literature; the best
coverage is probably [EncryptThenAuth].
The EncryptedContentInfo.ContentEncryptionAlgorithmIdentifier is the
SEQUENCE containing the id-alg-authEnc-128/id-alg-authEnc-256 OBJECT
IDENTIFIER and its associated AuthEncParams. This data is MACed
exactly as encoded, without any attempt to re-code it into a
canonical form like DER.
The EncryptedContentInfo.ContentEncryptionAlgorithmIdentifier must be
protected alongside the encrypted content; otherwise, an attacker
could manipulate the encrypted data indirectly by manipulating the
encryption algorithm parameters, which wouldn't be detected through
MACing the encrypted content alone. For example, by changing the
encryption IV, it's possible to modify the results of the decryption
after the encrypted data has been verified via a MAC check.
Gutmann Standards Track [Page 6]
^L
RFC 6476 MAC Encryption in CMS January 2012
The authEnc pseudo-algorithm has two "key sizes" rather than the one-
size-fits-all that the PRF impedance-matching would provide. This is
done to address real-world experience in the use of AES keys, where
users demanded AES-256 alongside AES-128 because of some perception
that the former was "twice as good" as the latter. Providing an
option for keys that go to 11 avoids potential user acceptance
problems when someone notices that the authEnc pseudo-key has "only"
128 bits when they expect their AES keys to be 256 bits long.
Using a fixed-length key rather than making it a user-selectable
parameter is done for the same reason as AES's quantised key lengths:
there's no benefit to allowing, say, 137-bit keys over basic 128- and
256-bit lengths; it adds unnecessary complexity; if the lengths are
user-defined, then there'll always be someone who wants keys that go
up to 12. Providing a choice of two commonly used lengths gives
users the option of choosing a "better" key size should they feel the
need, while not overloading the system with unneeded flexibility.
The use of the PRF AlgorithmIdentifier presents some problems,
because it's usually not specified in a manner that allows it to be
easily used as a straight KDF. For example, PBKDF2 has the following
parameters:
PBKDF2-params ::= SEQUENCE {
salt OCTET STRING,
iterationCount INTEGER (1..MAX),
prf AlgorithmIdentifier {{PBKDF2-PRFs}}
DEFAULT algid-hmacWithSHA1
}
of which only the prf AlgorithmIdentifier is used here. In order to
avoid having to define new AlgorithmIdentifiers for each possible
PRF, this specification sets any parameters not required for KDF
functionality to no-op values. In the case of PBKDF2, this means
that the salt has length zero and the iteration count is set to one,
with only the prf AlgorithmIdentifier playing a part in the
processing. Although it's not possible to know what form other
PRFs-as-KDFs will take, a general note for their application within
this specification is that any non-PRF parameters should similarly be
set to no-op values.
Specifying a MAC key size gets a bit tricky; most MAC algorithms have
some de facto standard key size, and for HMAC algorithms, this is
usually the same as the hash output size. For example, for HMAC-MD5,
it's 128 bits; for HMAC-SHA1, it's 160 bits; and for HMAC-SHA256,
it's 256 bits. Other MAC algorithms also have de facto standard key
sizes. For example, for AES-based MACs, it's the AES key size --
128 bits for AES-128 and 256 bits for AES-256. This situation makes
Gutmann Standards Track [Page 7]
^L
RFC 6476 MAC Encryption in CMS January 2012
it difficult to specify the key size in a normative fashion, since
it's dependent on the algorithm type that's being used. If there is
any ambiguity over which key size should be used, then it's
RECOMMENDED that either the size be specified explicitly in the
macAlgorithm AlgorithmIdentifier or that an RFC or similar standards
document be created that makes the key sizes explicit.
As with other uses of PRFs for crypto impedance-matching in
protocols, like IPsec, SSL/TLS, and SSH, the amount of input to the
PRF generally doesn't match the amount of output. The general
philosophical implications of this are covered in various analyses of
the properties and uses of PRFs. If you're worried about this, then
you can try and approximately match the authEnc "key size" to the key
size of the encryption algorithm being used, although even there, a
perfect match for algorithms like Blowfish (448 bits) or RC5
(832 bits) is going to be difficult.
The term "master secret" comes from its use in SSL/TLS, which uses a
similar PRF-based mechanism to convert its master_secret value into
encryption and MAC keys (as do SSH and IPsec). The master_secret
value isn't a key in the conventional sense, but merely a secret
value that's then used to derive two (or, in the cases of SSL/TLS,
SSH, and IPsec, several) keys and related cryptovariables.
Apart from the extra step added to key management, all of the
processing is already specified as part of the definition of the
standard CMS content-types Encrypted/EnvelopedData and
AuthenticatedData. This significantly simplifies both the
specification and the implementation task, as no new content-
processing mechanisms are introduced.
4.3. Test Vectors
The following test vectors may be used to verify an implementation of
MAC-authenticated encryption. This represents a text string
encrypted and authenticated using the ever-popular password
"password" via CMS PasswordRecipientInfo. The encryption algorithm
used for the first value is triple DES, whose short block size
(compared to AES) makes it easier to corrupt arbitrary bytes for
testing purposes within the self-healing Cipher Block Chaining (CBC)
mode, which will result in correct decryption but a failed MAC check.
The encryption algorithm used for the second value is AES.
For the triple DES-encrypted data, corrupting a byte at positions
192-208 can be used to check that payload-data corruption is
detected, and corrupting a byte at positions 168-174 can be used to
Gutmann Standards Track [Page 8]
^L
RFC 6476 MAC Encryption in CMS January 2012
check that metadata corruption is detected. The corruption in these
byte ranges doesn't affect normal processing and so wouldn't normally
be detected.
The test data has the following characteristics:
version is set to 0.
originatorInfo isn't needed and is omitted.
recipientInfo uses passwordRecipientInfo to allow easy testing
with a fixed text string.
authEncryptedContentInfo uses the authEnc128 pseudo-algorithm
with a key of 128 bits used to derive triple DES/AES and
HMAC-SHA1 keys.
authAttrs aren't used and are omitted.
mac is the 20-byte HMAC-SHA1 MAC value.
unauthAttrs aren't used and are omitted.
0 227: SEQUENCE {
3 11: OBJECT IDENTIFIER id-ct-authEnvelopedData
(1 2 840 113549 1 9 16 1 23)
16 211: [0] {
19 208: SEQUENCE {
22 1: INTEGER 0
25 97: SET {
27 95: [3] {
29 1: INTEGER 0
32 27: [0] {
34 9: OBJECT IDENTIFIER pkcs5PBKDF2
(1 2 840 113549 1 5 12)
45 14: SEQUENCE {
47 8: OCTET STRING B7 EB 23 A7 6B D2 05 16
57 2: INTEGER 5000
: }
: }
61 35: SEQUENCE {
63 11: OBJECT IDENTIFIER pwriKEK
(1 2 840 113549 1 9 16 3 9)
Gutmann Standards Track [Page 9]
^L
RFC 6476 MAC Encryption in CMS January 2012
76 20: SEQUENCE {
78 8: OBJECT IDENTIFIER des-EDE3-CBC
(1 2 840 113549 3 7)
88 8: OCTET STRING 66 91 02 45 6B 73 BB 99
: }
: }
98 24: OCTET STRING
: 30 A3 7A B5 D8 F2 87 50 EC 41 04 AE 89 99 26 F0
: 2E AE 4F E3 F3 52 2B A3
: }
: }
124 82: SEQUENCE {
126 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
137 51: SEQUENCE {
139 11: OBJECT IDENTIFIER authEnc128
(1 2 840 113549 1 9 16 3 15)
152 36: SEQUENCE {
154 20: SEQUENCE {
156 8: OBJECT IDENTIFIER des-EDE3-CBC
(1 2 840 113549 3 7)
166 8: OCTET STRING D2 D0 81 71 4D 3D 9F 11
: }
176 12: SEQUENCE {
178 8: OBJECT IDENTIFIER hmacSHA (1 3 6 1 5 5 8 1 2)
188 0: NULL
: }
: }
: }
190 16: [0] 3A C6 06 61 41 5D 00 7D 11 35 CD 69 E1 56 CA 10
: }
208 20: OCTET STRING
: 33 65 E8 F0 F3 07 06 86 1D A8 47 2C 6D 3A 1D 94
: 21 40 64 7E
: }
: }
: }
-----BEGIN PKCS7-----
MIHjBgsqhkiG9w0BCRABF6CB0zCB0AIBADFho18CAQCgGwYJKoZIhvcNAQUMMA4E
CLfrI6dr0gUWAgITiDAjBgsqhkiG9w0BCRADCTAUBggqhkiG9w0DBwQIZpECRWtz
u5kEGDCjerXY8odQ7EEEromZJvAurk/j81IrozBSBgkqhkiG9w0BBwEwMwYLKoZI
hvcNAQkQAw8wJDAUBggqhkiG9w0DBwQI0tCBcU09nxEwDAYIKwYBBQUIAQIFAIAQ
OsYGYUFdAH0RNc1p4VbKEAQUM2Xo8PMHBoYdqEcsbTodlCFAZH4=
-----END PKCS7-----
Gutmann Standards Track [Page 10]
^L
RFC 6476 MAC Encryption in CMS January 2012
0 253: SEQUENCE {
3 11: OBJECT IDENTIFIER id-ct-authEnvelopedData
(1 2 840 113549 1 9 16 1 23)
16 237: [0] {
19 234: SEQUENCE {
22 1: INTEGER 0
25 114: SET {
27 112: [3] {
29 1: INTEGER 0
32 27: [0] {
34 9: OBJECT IDENTIFIER pkcs5PBKDF2
(1 2 840 113549 1 5 12)
45 14: SEQUENCE {
47 8: OCTET STRING E7 B7 87 DF 82 1D 12 CC
57 2: INTEGER 5000
: }
: }
61 44: SEQUENCE {
63 11: OBJECT IDENTIFIER pwriKEK
(1 2 840 113549 1 9 16 3 9)
76 29: SEQUENCE {
78 9: OBJECT IDENTIFIER aes128-CBC
(2 16 840 1 101 3 4 1 2)
89 16: OCTET STRING
: 11 D9 5C 52 0A 3A BF 22 B2 30 70 EF F4 7D 6E F6
: }
: }
107 32: OCTET STRING
: 18 39 22 27 C3 C2 2C 2A A6 9F 2A B0 77 24 75 AA
: D8 58 9C CD BB 4C AE D3 0D C2 CB 1D 83 94 6C 37
: }
: }
141 91: SEQUENCE {
143 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
154 60: SEQUENCE {
156 11: OBJECT IDENTIFIER authEnc128
(1 2 840 113549 1 9 16 3 15)
169 45: SEQUENCE {
171 29: SEQUENCE {
173 9: OBJECT IDENTIFIER aes128-CBC
(2 16 840 1 101 3 4 1 2)
184 16: OCTET STRING
: B7 25 02 76 84 3C 58 1B A5 30 E2 40 27 EE C3 06
: }
Gutmann Standards Track [Page 11]
^L
RFC 6476 MAC Encryption in CMS January 2012
202 12: SEQUENCE {
204 8: OBJECT IDENTIFIER hmacSHA (1 3 6 1 5 5 8 1 2)
214 0: NULL
: }
: }
: }
216 16: [0] 98 36 0F 0C 79 62 36 B5 2D 2D 9E 1C 62 85 1E 10
: }
234 20: OCTET STRING
: 88 A4 C1 B2 BA 78 1B CA F9 14 B0 E5 FC D1 8D F8
: 02 E2 B2 9E
: }
: }
: }
-----BEGIN PKCS7-----
MIH9BgsqhkiG9w0BCRABF6CB7TCB6gIBADFyo3ACAQCgGwYJKoZIhvcNAQUMMA4E
COe3h9+CHRLMAgITiDAsBgsqhkiG9w0BCRADCTAdBglghkgBZQMEAQIEEBHZXFIK
Or8isjBw7/R9bvYEIBg5IifDwiwqpp8qsHckdarYWJzNu0yu0w3Cyx2DlGw3MFsG
CSqGSIb3DQEHATA8BgsqhkiG9w0BCRADDzAtMB0GCWCGSAFlAwQBAgQQtyUCdoQ8
WBulMOJAJ+7DBjAMBggrBgEFBQgBAgUAgBCYNg8MeWI2tS0tnhxihR4QBBSIpMGy
ungbyvkUsOX80Y34AuKyng==
-----END PKCS7-----
5. SMIMECapabilities Attribute
An S/MIME client SHOULD announce the set of cryptographic functions
that it supports by using the SMIMECapabilities attribute [SMIME].
If the client wishes to indicate support for MAC-authenticated
encryption, the capabilities attribute MUST contain the authEnc128
and/or authEnc256 OID specified above with algorithm parameters
ABSENT. The other algorithms used in the authEnc algorithm, such as
the MAC and encryption algorithm, are selected based on the presence
of these algorithms in the SMIMECapabilities attribute or by mutual
agreement.
6. Security Considerations
Unlike other CMS authenticated-data mechanisms, such as SignedData
and AuthenticatedData, AuthEnv's primary transformation isn't
authentication but encryption; so AuthEnvData may decrypt
successfully (in other words, the primary data transformation present
in the mechanism will succeed), but the secondary function of
authentication using the MAC value that follows the encrypted data
could still fail. This can lead to a situation in which an
implementation might output decrypted data before it reaches and
verifies the MAC value. In other words, decryption is performed
inline and the result is available immediately, while the
Gutmann Standards Track [Page 12]
^L
RFC 6476 MAC Encryption in CMS January 2012
authentication result isn't available until all of the content has
been processed. If the implementation prematurely provides data to
the user and later comes back to inform them that the earlier data
was, in retrospect, tainted, this may cause users to act prematurely
on the tainted data.
This situation could occur in a streaming implementation where data
has to be made available as soon as possible (so that the initial
plaintext is emitted before the final ciphertext and MAC value are
read), or one where the quantity of data involved rules out buffering
the recovered plaintext until the MAC value can be read and verified.
In addition, an implementation that tries to be overly helpful may
treat missing non-payload trailing data as non-fatal, allowing an
attacker to truncate the data somewhere before the MAC value and
thereby defeat the data authentication. This is complicated even
further by the fact that an implementation may not be able to
determine, when it encounters truncated data, whether the remainder
(including the MAC value) will arrive presently (a non-failure) or
whether it's been truncated by an attacker and should therefore be
treated as a MAC failure. (Note that this same issue affects other
types of data authentication like signed and MACed data as well,
since an over-optimistic implementation may return data to the user
before checking for a verification failure is possible.)
The exact solution to these issues is somewhat implementation-
specific, with some suggested mitigations being as follows:
implementations should buffer the entire message if possible and
verify the MAC before performing any decryption. If this isn't
possible due to streaming or message-size constraints, then
implementations should consider breaking long messages into a
sequence of smaller ones, each of which can be processed atomically
as above. If even this isn't possible, then implementations should
make obvious to the caller or user that an authentication failure has
occurred and that the previously returned or output data shouldn't be
used. Finally, any data-formatting problem, such as obviously
truncated data or missing trailing data, should be treated as a MAC
verification failure even if the rest of the data was processed
correctly.
7. IANA Considerations
This document contains two algorithm identifiers defined by the
S/MIME Working Group Registrar in an arc delegated by RSA to the
S/MIME Working Group: iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0).
Gutmann Standards Track [Page 13]
^L
RFC 6476 MAC Encryption in CMS January 2012
8. Acknowledgements
The author would like to thank Jim Schaad and the members of the
S/MIME mailing list for their feedback on this document, and David
Ireland for help with the test vectors.
9. References
9.1. Normative References
[AuthEnv] Housley, R., "Cryptographic Message Syntax (CMS)
Authenticated-Enveloped-Data Content Type", RFC 5083,
November 2007.
[CMS] Housley, R., "Cryptographic Message Syntax (CMS)",
STD 70, RFC 5652, September 2009.
[PBKDF2] Kaliski, B., "PKCS #5: Password-Based Cryptography
Specification Version 2", RFC 2898, September 2000.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[SMIME] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
Mail Extensions (S/MIME) Version 3.2 Message
Specification", RFC 5751, January 2010.
9.2. Informative References
[EncryptThenAuth]
Krawczyk, H., "The Order of Encryption and Authentication
for Protecting Communications (or: How Secure Is SSL?)",
Springer-Verlag LNCS 2139, August 2001.
[Garfinkel] Garfinkel, S., "Design Principles and Patterns for
Computer Systems That Are Simultaneously Secure and
Usable", May 2005.
[HKDF] Krawczyk, H. and P. Eronen, "HMAC-based
Extract-and-Expand Key Derivation Function (HKDF)",
RFC 5869, May 2010.
[IPsec] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[OpenPGP] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
Thayer, "OpenPGP Message Format", RFC 4880,
November 2007.
Gutmann Standards Track [Page 14]
^L
RFC 6476 MAC Encryption in CMS January 2012
[SSH] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Transport Layer Protocol", RFC 4253, January 2006.
[TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
Author's Address
Peter Gutmann
University of Auckland
Department of Computer Science
New Zealand
EMail: pgut001@cs.auckland.ac.nz
Gutmann Standards Track [Page 15]
^L
|
