1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
|
Internet Engineering Task Force (IETF) R. Housley
Request for Comments: 8696 Vigil Security
Category: Standards Track December 2019
ISSN: 2070-1721
Using Pre-Shared Key (PSK) in the Cryptographic Message Syntax (CMS)
Abstract
The invention of a large-scale quantum computer would pose a serious
challenge for the cryptographic algorithms that are widely deployed
today. The Cryptographic Message Syntax (CMS) supports key transport
and key agreement algorithms that could be broken by the invention of
such a quantum computer. By storing communications that are
protected with the CMS today, someone could decrypt them in the
future when a large-scale quantum computer becomes available. Once
quantum-secure key management algorithms are available, the CMS will
be extended to support the new algorithms if the existing syntax does
not accommodate them. This document describes a mechanism to protect
today's communication from the future invention of a large-scale
quantum computer by mixing the output of key transport and key
agreement algorithms with a pre-shared key.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8696.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
1.1. Terminology
1.2. ASN.1
1.3. Version Numbers
2. Overview
3. keyTransPSK
4. keyAgreePSK
5. Key Derivation
6. ASN.1 Module
7. Security Considerations
8. Privacy Considerations
9. IANA Considerations
10. References
10.1. Normative References
10.2. Informative References
Appendix A. Key Transport with PSK Example
A.1. Originator Processing Example
A.2. ContentInfo and AuthEnvelopedData
A.3. Recipient Processing Example
Appendix B. Key Agreement with PSK Example
B.1. Originator Processing Example
B.2. ContentInfo and AuthEnvelopedData
B.3. Recipient Processing Example
Acknowledgements
Author's Address
1. Introduction
The invention of a large-scale quantum computer would pose a serious
challenge for the cryptographic algorithms that are widely deployed
today [S1994]. It is an open question whether or not it is feasible
to build a large-scale quantum computer and, if so, when that might
happen [NAS2019]. However, if such a quantum computer is invented,
many of the cryptographic algorithms and the security protocols that
use them would become vulnerable.
The Cryptographic Message Syntax (CMS) [RFC5652][RFC5083] supports
key transport and key agreement algorithms that could be broken by
the invention of a large-scale quantum computer [C2PQ]. These
algorithms include RSA [RFC8017], Diffie-Hellman [RFC2631], and
Elliptic Curve Diffie-Hellman (ECDH) [RFC5753]. As a result, an
adversary that stores CMS-protected communications today could
decrypt those communications in the future when a large-scale quantum
computer becomes available.
Once quantum-secure key management algorithms are available, the CMS
will be extended to support them if the existing syntax does not
already accommodate the new algorithms.
In the near term, this document describes a mechanism to protect
today's communication from the future invention of a large-scale
quantum computer by mixing the output of existing key transport and
key agreement algorithms with a pre-shared key (PSK). Secure
communication can be achieved today by mixing a strong PSK with the
output of an existing key transport algorithm, like RSA [RFC8017], or
an existing key agreement algorithm, like Diffie-Hellman [RFC2631] or
Elliptic Curve Diffie-Hellman (ECDH) [RFC5753]. A security solution
that is believed to be quantum resistant can be achieved by using a
PSK with sufficient entropy along with a quantum-resistant key
derivation function (KDF), like an HMAC-based key derivation function
(HKDF) [RFC5869], and a quantum-resistant encryption algorithm, like
256-bit AES [AES]. In this way, today's CMS-protected communication
can be resistant to an attacker with a large-scale quantum computer.
In addition, there may be other reasons for including a strong PSK
besides protection against the future invention of a large-scale
quantum computer. For example, there is always the possibility of a
cryptoanalytic breakthrough on one or more classic public key
algorithms, and there are longstanding concerns about undisclosed
trapdoors in Diffie-Hellman parameters [FGHT2016]. Inclusion of a
strong PSK as part of the overall key management offers additional
protection against these concerns.
Note that the CMS also supports key management techniques based on
symmetric key-encryption keys and passwords, but they are not
discussed in this document because they are already quantum
resistant. The symmetric key-encryption key technique is quantum
resistant when used with an adequate key size. The password
technique is quantum resistant when used with a quantum-resistant key
derivation function and a sufficiently large password.
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
1.2. ASN.1
CMS values are generated using ASN.1 [X680], which uses the Basic
Encoding Rules (BER) and the Distinguished Encoding Rules (DER)
[X690].
1.3. Version Numbers
The major data structures include a version number as the first item
in the data structure. The version number is intended to avoid ASN.1
decode errors. Some implementations do not check the version number
prior to attempting a decode; then, if a decode error occurs, the
version number is checked as part of the error-handling routine.
This is a reasonable approach; it places error processing outside of
the fast path. This approach is also forgiving when an incorrect
version number is used by the sender.
Whenever the structure is updated, a higher version number will be
assigned. However, to ensure maximum interoperability, the higher
version number is only used when the new syntax feature is employed.
That is, the lowest version number that supports the generated syntax
is used.
2. Overview
The CMS enveloped-data content type [RFC5652] and the CMS
authenticated-enveloped-data content type [RFC5083] support both key
transport and key agreement public key algorithms to establish the
key used to encrypt the content. No restrictions are imposed on the
key transport or key agreement public key algorithms, which means
that any key transport or key agreement algorithm can be used,
including algorithms that are specified in the future. In both
cases, the sender randomly generates the content-encryption key, and
then all recipients obtain that key. All recipients use the sender-
generated symmetric content-encryption key for decryption.
This specification defines two quantum-resistant ways to establish a
symmetric key-encryption key, which is used to encrypt the sender-
generated content-encryption key. In both cases, the PSK is used as
one of the inputs to a key-derivation function to create a quantum-
resistant key-encryption key. The PSK MUST be distributed to the
sender and all of the recipients by some out-of-band means that does
not make it vulnerable to the future invention of a large-scale
quantum computer, and an identifier MUST be assigned to the PSK. It
is best if each PSK has a unique identifier; however, if a recipient
has more than one PSK with the same identifier, the recipient can try
each of them in turn. A PSK is expected to be used with many
messages, with a lifetime of weeks or months.
The content-encryption key or content-authenticated-encryption key is
quantum resistant, and the sender establishes it using these steps:
When using a key transport algorithm:
1. The content-encryption key or the content-authenticated-
encryption key, called "CEK", is generated at random.
2. The key-derivation key, called "KDK", is generated at random.
3. For each recipient, the KDK is encrypted in the recipient's
public key, then the KDF is used to mix the PSK and the KDK to
produce the key-encryption key, called "KEK".
4. The KEK is used to encrypt the CEK.
When using a key agreement algorithm:
1. The content-encryption key or the content-authenticated-
encryption key, called "CEK", is generated at random.
2. For each recipient, a pairwise key-encryption key, called "KEK1",
is established using the recipient's public key and the sender's
private key. Note that KEK1 will be used as a key-derivation
key.
3. For each recipient, the KDF is used to mix the PSK and the
pairwise KEK1, and the result is called "KEK2".
4. For each recipient, the pairwise KEK2 is used to encrypt the CEK.
As specified in Section 6.2.5 of [RFC5652], recipient information for
additional key management techniques is represented in the
OtherRecipientInfo type. Two key management techniques are specified
in this document, and they are each identified by a unique ASN.1
object identifier.
The first key management technique, called "keyTransPSK" (see
Section 3), uses a key transport algorithm to transfer the key-
derivation key from the sender to the recipient, and then the key-
derivation key is mixed with the PSK using a KDF. The output of the
KDF is the key-encryption key, which is used for the encryption of
the content-encryption key or content-authenticated-encryption key.
The second key management technique, called "keyAgreePSK" (see
Section 4), uses a key agreement algorithm to establish a pairwise
key-encryption key. This pairwise key-encryption key is then mixed
with the PSK using a KDF to produce a second pairwise key-encryption
key, which is then used to encrypt the content-encryption key or
content-authenticated-encryption key.
3. keyTransPSK
Per-recipient information using keyTransPSK is represented in the
KeyTransPSKRecipientInfo type, which is indicated by the id-ori-
keyTransPSK object identifier. Each instance of
KeyTransPSKRecipientInfo establishes the content-encryption key or
content-authenticated-encryption key for one or more recipients that
have access to the same PSK.
The id-ori-keyTransPSK object identifier is:
id-ori OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) 13 }
id-ori-keyTransPSK OBJECT IDENTIFIER ::= { id-ori 1 }
The KeyTransPSKRecipientInfo type is:
KeyTransPSKRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0
pskid PreSharedKeyIdentifier,
kdfAlgorithm KeyDerivationAlgorithmIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
ktris KeyTransRecipientInfos,
encryptedKey EncryptedKey }
PreSharedKeyIdentifier ::= OCTET STRING
KeyTransRecipientInfos ::= SEQUENCE OF KeyTransRecipientInfo
The fields of the KeyTransPSKRecipientInfo type have the following
meanings:
* version is the syntax version number. The version MUST be 0. The
CMSVersion type is described in Section 10.2.5 of [RFC5652].
* pskid is the identifier of the PSK used by the sender. The
identifier is an OCTET STRING, and it need not be human readable.
* kdfAlgorithm identifies the key-derivation algorithm and any
associated parameters used by the sender to mix the key-derivation
key and the PSK to generate the key-encryption key. The
KeyDerivationAlgorithmIdentifier is described in Section 10.1.6 of
[RFC5652].
* keyEncryptionAlgorithm identifies a key-encryption algorithm used
to encrypt the content-encryption key. The
KeyEncryptionAlgorithmIdentifier is described in Section 10.1.3 of
[RFC5652].
* ktris contains one KeyTransRecipientInfo type for each recipient;
it uses a key transport algorithm to establish the key-derivation
key. That is, the encryptedKey field of KeyTransRecipientInfo
contains the key-derivation key instead of the content-encryption
key. KeyTransRecipientInfo is described in Section 6.2.1 of
[RFC5652].
* encryptedKey is the result of encrypting the content-encryption
key or the content-authenticated-encryption key with the key-
encryption key. EncryptedKey is an OCTET STRING.
4. keyAgreePSK
Per-recipient information using keyAgreePSK is represented in the
KeyAgreePSKRecipientInfo type, which is indicated by the id-ori-
keyAgreePSK object identifier. Each instance of
KeyAgreePSKRecipientInfo establishes the content-encryption key or
content-authenticated-encryption key for one or more recipients that
have access to the same PSK.
The id-ori-keyAgreePSK object identifier is:
id-ori-keyAgreePSK OBJECT IDENTIFIER ::= { id-ori 2 }
The KeyAgreePSKRecipientInfo type is:
KeyAgreePSKRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0
pskid PreSharedKeyIdentifier,
originator [0] EXPLICIT OriginatorIdentifierOrKey,
ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
kdfAlgorithm KeyDerivationAlgorithmIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
recipientEncryptedKeys RecipientEncryptedKeys }
The fields of the KeyAgreePSKRecipientInfo type have the following
meanings:
* version is the syntax version number. The version MUST be 0. The
CMSVersion type is described in Section 10.2.5 of [RFC5652].
* pskid is the identifier of the PSK used by the sender. The
identifier is an OCTET STRING, and it need not be human readable.
* originator is a CHOICE with three alternatives specifying the
sender's key agreement public key. Implementations MUST support
all three alternatives for specifying the sender's public key.
The sender uses their own private key and the recipient's public
key to generate a pairwise key-encryption key. A KDF is used to
mix the PSK and the pairwise key-encryption key to produce a
second key-encryption key. The OriginatorIdentifierOrKey type is
described in Section 6.2.2 of [RFC5652].
* ukm is optional. With some key agreement algorithms, the sender
provides a User Keying Material (UKM) to ensure that a different
key is generated each time the same two parties generate a
pairwise key. Implementations MUST accept a
KeyAgreePSKRecipientInfo SEQUENCE that includes a ukm field.
Implementations that do not support key agreement algorithms that
make use of UKMs MUST gracefully handle the presence of UKMs. The
UserKeyingMaterial type is described in Section 10.2.6 of
[RFC5652].
* kdfAlgorithm identifies the key-derivation algorithm and any
associated parameters used by the sender to mix the pairwise key-
encryption key and the PSK to produce a second key-encryption key
of the same length as the first one. The
KeyDerivationAlgorithmIdentifier is described in Section 10.1.6 of
[RFC5652].
* keyEncryptionAlgorithm identifies a key-encryption algorithm used
to encrypt the content-encryption key or the content-
authenticated-encryption key. The
KeyEncryptionAlgorithmIdentifier type is described in
Section 10.1.3 of [RFC5652].
* recipientEncryptedKeys includes a recipient identifier and
encrypted key for one or more recipients. The
KeyAgreeRecipientIdentifier is a CHOICE with two alternatives
specifying the recipient's certificate, and thereby the
recipient's public key, that was used by the sender to generate a
pairwise key-encryption key. The encryptedKey is the result of
encrypting the content-encryption key or the content-
authenticated-encryption key with the second pairwise key-
encryption key. EncryptedKey is an OCTET STRING. The
RecipientEncryptedKeys type is defined in Section 6.2.2 of
[RFC5652].
5. Key Derivation
Many KDFs internally employ a one-way hash function. When this is
the case, the hash function that is used is indirectly indicated by
the KeyDerivationAlgorithmIdentifier. HKDF [RFC5869] is one example
of a KDF that makes use of a hash function.
Other KDFs internally employ an encryption algorithm. When this is
the case, the encryption that is used is indirectly indicated by the
KeyDerivationAlgorithmIdentifier. For example, AES-128-CMAC can be
used for randomness extraction in a KDF as described in [NIST2018].
A KDF has several input values. This section describes the
conventions for using the KDF to compute the key-encryption key for
KeyTransPSKRecipientInfo and KeyAgreePSKRecipientInfo. For
simplicity, the terminology used in the HKDF specification [RFC5869]
is used here.
The KDF inputs are:
* IKM is the input keying material; it is the symmetric secret input
to the KDF. For KeyTransPSKRecipientInfo, it is the key-
derivation key. For KeyAgreePSKRecipientInfo, it is the pairwise
key-encryption key produced by the key agreement algorithm.
* salt is an optional non-secret random value. Many KDFs do not
require a salt, and the KeyDerivationAlgorithmIdentifier
assignments for HKDF [RFC8619] do not offer a parameter for a
salt. If a particular KDF requires a salt, then the salt value is
provided as a parameter of the KeyDerivationAlgorithmIdentifier.
* L is the length of output keying material in octets; the value
depends on the key-encryption algorithm that will be used. The
algorithm is identified by the KeyEncryptionAlgorithmIdentifier.
In addition, the OBJECT IDENTIFIER portion of the
KeyEncryptionAlgorithmIdentifier is included in the next input
value, called "info".
* info is optional context and application specific information.
The DER encoding of CMSORIforPSKOtherInfo is used as the info
value, and the PSK is included in this structure. Note that
EXPLICIT tagging is used in the ASN.1 module that defines this
structure. For KeyTransPSKRecipientInfo, the ENUMERATED value of
5 is used. For KeyAgreePSKRecipientInfo, the ENUMERATED value of
10 is used. CMSORIforPSKOtherInfo is defined by the following
ASN.1 structure:
CMSORIforPSKOtherInfo ::= SEQUENCE {
psk OCTET STRING,
keyMgmtAlgType ENUMERATED {
keyTrans (5),
keyAgree (10) },
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
pskLength INTEGER (1..MAX),
kdkLength INTEGER (1..MAX) }
The fields of type CMSORIforPSKOtherInfo have the following meanings:
* psk is an OCTET STRING; it contains the PSK.
* keyMgmtAlgType is either set to 5 or 10. For
KeyTransPSKRecipientInfo, the ENUMERATED value of 5 is used. For
KeyAgreePSKRecipientInfo, the ENUMERATED value of 10 is used.
* keyEncryptionAlgorithm is the KeyEncryptionAlgorithmIdentifier,
which identifies the algorithm and provides algorithm parameters,
if any.
* pskLength is a positive integer; it contains the length of the PSK
in octets.
* kdkLength is a positive integer; it contains the length of the
key-derivation key in octets. For KeyTransPSKRecipientInfo, the
key-derivation key is generated by the sender. For
KeyAgreePSKRecipientInfo, the key-derivation key is the pairwise
key-encryption key produced by the key agreement algorithm.
The KDF output is:
* OKM is the output keying material, which is exactly L octets. The
OKM is the key-encryption key that is used to encrypt the content-
encryption key or the content-authenticated-encryption key.
An acceptable KDF MUST accept IKM, L, and info inputs; an acceptable
KDF MAY also accept salt and other inputs. All of these inputs MUST
influence the output of the KDF. If the KDF requires a salt or other
inputs, then those inputs MUST be provided as parameters of the
KeyDerivationAlgorithmIdentifier.
6. ASN.1 Module
This section contains the ASN.1 module for the two key management
techniques defined in this document. This module imports types from
other ASN.1 modules that are defined in [RFC5912] and [RFC6268].
<CODE BEGINS>
CMSORIforPSK-2019
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-cms-ori-psk-2019(69) }
DEFINITIONS EXPLICIT TAGS ::=
BEGIN
-- EXPORTS All
IMPORTS
AlgorithmIdentifier{}, KEY-DERIVATION
FROM AlgorithmInformation-2009 -- [RFC5912]
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58) }
OTHER-RECIPIENT, OtherRecipientInfo, CMSVersion,
KeyTransRecipientInfo, OriginatorIdentifierOrKey,
UserKeyingMaterial, RecipientEncryptedKeys, EncryptedKey,
KeyDerivationAlgorithmIdentifier, KeyEncryptionAlgorithmIdentifier
FROM CryptographicMessageSyntax-2010 -- [RFC6268]
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0)
id-mod-cms-2009(58) } ;
--
-- OtherRecipientInfo Types (ori-)
--
SupportedOtherRecipInfo OTHER-RECIPIENT ::= {
ori-keyTransPSK |
ori-keyAgreePSK,
... }
--
-- Key Transport with Pre-Shared Key
--
ori-keyTransPSK OTHER-RECIPIENT ::= {
KeyTransPSKRecipientInfo IDENTIFIED BY id-ori-keyTransPSK }
id-ori OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) 13 }
id-ori-keyTransPSK OBJECT IDENTIFIER ::= { id-ori 1 }
KeyTransPSKRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0
pskid PreSharedKeyIdentifier,
kdfAlgorithm KeyDerivationAlgorithmIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
ktris KeyTransRecipientInfos,
encryptedKey EncryptedKey }
PreSharedKeyIdentifier ::= OCTET STRING
KeyTransRecipientInfos ::= SEQUENCE OF KeyTransRecipientInfo
--
-- Key Agreement with Pre-Shared Key
--
ori-keyAgreePSK OTHER-RECIPIENT ::= {
KeyAgreePSKRecipientInfo IDENTIFIED BY id-ori-keyAgreePSK }
id-ori-keyAgreePSK OBJECT IDENTIFIER ::= { id-ori 2 }
KeyAgreePSKRecipientInfo ::= SEQUENCE {
version CMSVersion, -- always set to 0
pskid PreSharedKeyIdentifier,
originator [0] EXPLICIT OriginatorIdentifierOrKey,
ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
kdfAlgorithm KeyDerivationAlgorithmIdentifier,
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
recipientEncryptedKeys RecipientEncryptedKeys }
--
-- Structure to provide 'info' input to the KDF,
-- including the Pre-Shared Key
--
CMSORIforPSKOtherInfo ::= SEQUENCE {
psk OCTET STRING,
keyMgmtAlgType ENUMERATED {
keyTrans (5),
keyAgree (10) },
keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
pskLength INTEGER (1..MAX),
kdkLength INTEGER (1..MAX) }
END
<CODE ENDS>
7. Security Considerations
The security considerations related to the CMS enveloped-data content
type in [RFC5652] and the security considerations related to the CMS
authenticated-enveloped-data content type in [RFC5083] continue to
apply.
Implementations of the key derivation function must compute the
entire result, which, in this specification, is a key-encryption key,
before outputting any portion of the result. The resulting key-
encryption key must be protected. Compromise of the key-encryption
key may result in the disclosure of all content-encryption keys or
content-authenticated-encryption keys that were protected with that
keying material; this, in turn, may result in the disclosure of the
content. Note that there are two key-encryption keys when a PSK with
a key agreement algorithm is used, with similar consequences for the
compromise of either one of these keys.
Implementations must protect the PSK, key transport private key,
agreement private key, and key-derivation key. Compromise of the PSK
will make the encrypted content vulnerable to the future invention of
a large-scale quantum computer. Compromise of the PSK and either the
key transport private key or the agreement private key may result in
the disclosure of all contents protected with that combination of
keying material. Compromise of the PSK and the key-derivation key
may result in the disclosure of all contents protected with that
combination of keying material.
A large-scale quantum computer will essentially negate the security
provided by the key transport algorithm or the key agreement
algorithm, which means that the attacker with a large-scale quantum
computer can discover the key-derivation key. In addition, a large-
scale quantum computer effectively cuts the security provided by a
symmetric key algorithm in half. Therefore, the PSK needs at least
256 bits of entropy to provide 128 bits of security. To match that
same level of security, the key derivation function needs to be
quantum resistant and produce a key-encryption key that is at least
256 bits in length. Similarly, the content-encryption key or
content-authenticated-encryption key needs to be at least 256 bits in
length.
When using a PSK with a key transport or a key agreement algorithm, a
key-encryption key is produced to encrypt the content-encryption key
or content-authenticated-encryption key. If the key-encryption
algorithm is different than the algorithm used to protect the
content, then the effective security is determined by the weaker of
the two algorithms. If, for example, content is encrypted with
256-bit AES and the key is wrapped with 128-bit AES, then, at most,
128 bits of protection are provided. Implementers must ensure that
the key-encryption algorithm is as strong or stronger than the
content-encryption algorithm or content-authenticated-encryption
algorithm.
The selection of the key-derivation function imposes an upper bound
on the strength of the resulting key-encryption key. The strength of
the selected key-derivation function should be at least as strong as
the key-encryption algorithm that is selected. NIST SP 800-56C
Revision 1 [NIST2018] offers advice on the security strength of
several popular key-derivation functions.
Implementers should not mix quantum-resistant key management
algorithms with their non-quantum-resistant counterparts. For
example, the same content should not be protected with
KeyTransRecipientInfo and KeyTransPSKRecipientInfo. Likewise, the
same content should not be protected with KeyAgreeRecipientInfo and
KeyAgreePSKRecipientInfo. Doing so would make the content vulnerable
to the future invention of a large-scale quantum computer.
Implementers should not send the same content in different messages,
one using a quantum-resistant key management algorithm and the other
using a non-quantum-resistant key management algorithm, even if the
content-encryption key is generated independently. Doing so may
allow an eavesdropper to correlate the messages, making the content
vulnerable to the future invention of a large-scale quantum computer.
This specification does not require that PSK be known only by the
sender and recipients. The PSK may be known to a group. Since
confidentiality depends on the key transport or key agreement
algorithm, knowledge of the PSK by other parties does not inherently
enable eavesdropping. However, group members can record the traffic
of other members and then decrypt it if they ever gain access to a
large-scale quantum computer. Also, when many parties know the PSK,
there are many opportunities for theft of the PSK by an attacker.
Once an attacker has the PSK, they can decrypt stored traffic if they
ever gain access to a large-scale quantum computer in the same manner
as a legitimate group member.
Sound cryptographic key hygiene is to use a key for one and only one
purpose. Use of the recipient's public key for both the traditional
CMS and the PSK-mixing variation specified in this document would be
a violation of this principle; however, there is no known way for an
attacker to take advantage of this situation. That said, an
application should enforce separation whenever possible. For
example, a purpose identifier for use in the X.509 extended key usage
certificate extension [RFC5280] could be identified in the future to
indicate that a public key should only be used in conjunction with or
without a PSK.
Implementations must randomly generate key-derivation keys as well as
content-encryption keys or content-authenticated-encryption keys.
Also, the generation of public/private key pairs for the key
transport and key agreement algorithms rely on random numbers. The
use of inadequate pseudorandom number generators (PRNGs) to generate
cryptographic keys can result in little or no security. An attacker
may find it much easier to reproduce the PRNG environment that
produced the keys, searching the resulting small set of
possibilities, rather than brute-force searching the whole key space.
The generation of quality random numbers is difficult. [RFC4086]
offers important guidance in this area.
Implementers should be aware that cryptographic algorithms become
weaker with time. As new cryptanalysis techniques are developed and
computing performance improves, the work factor to break a particular
cryptographic algorithm will be reduced. Therefore, cryptographic
algorithm implementations should be modular, allowing new algorithms
to be readily inserted. That is, implementers should be prepared for
the set of supported algorithms to change over time.
The security properties provided by the mechanisms specified in this
document can be validated using formal methods. A ProVerif proof in
[H2019] shows that an attacker with a large-scale quantum computer
that is capable of breaking the Diffie-Hellman key agreement
algorithm cannot disrupt the delivery of the content-encryption key
to the recipient and that the attacker cannot learn the content-
encryption key from the protocol exchange.
8. Privacy Considerations
An observer can see which parties are using each PSK simply by
watching the PSK key identifiers. However, the addition of these key
identifiers does not really weaken the privacy situation. When key
transport is used, the RecipientIdentifier is always present, and it
clearly identifies each recipient to an observer. When key agreement
is used, either the IssuerAndSerialNumber or the
RecipientKeyIdentifier is always present, and these clearly identify
each recipient.
9. IANA Considerations
One object identifier for the ASN.1 module in Section 6 was assigned
in the "SMI Security for S/MIME Module Identifier
(1.2.840.113549.1.9.16.0)" registry [IANA]:
id-mod-cms-ori-psk-2019 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) mod(0) 69 }
One new entry has been added in the "SMI Security for S/MIME Mail
Security (1.2.840.113549.1.9.16)" registry [IANA]:
id-ori OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) 13 }
A new registry titled "SMI Security for S/MIME Other Recipient Info
Identifiers (1.2.840.113549.1.9.16.13)" has been created.
Updates to the new registry are to be made according to the
Specification Required policy as defined in [RFC8126]. The expert is
expected to ensure that any new values identify additional
RecipientInfo structures for use with the CMS. Object identifiers
for other purposes should not be assigned in this arc.
Two assignments were made in the new "SMI Security for S/MIME Other
Recipient Info Identifiers (1.2.840.113549.1.9.16.13)" registry
[IANA] with references to this document:
id-ori-keyTransPSK OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) id-ori(13) 1 }
id-ori-keyAgreePSK OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) id-ori(13) 2 }
10. References
10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC5083] Housley, R., "Cryptographic Message Syntax (CMS)
Authenticated-Enveloped-Data Content Type", RFC 5083,
DOI 10.17487/RFC5083, November 2007,
<https://www.rfc-editor.org/info/rfc5083>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/info/rfc5652>.
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
DOI 10.17487/RFC5912, June 2010,
<https://www.rfc-editor.org/info/rfc5912>.
[RFC6268] Schaad, J. and S. Turner, "Additional New ASN.1 Modules
for the Cryptographic Message Syntax (CMS) and the Public
Key Infrastructure Using X.509 (PKIX)", RFC 6268,
DOI 10.17487/RFC6268, July 2011,
<https://www.rfc-editor.org/info/rfc6268>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[X680] ITU-T, "Information technology -- Abstract Syntax Notation
One (ASN.1): Specification of basic notation",
ITU-T Recommendation X.680, August 2015.
[X690] ITU-T, "Information technology -- ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules
(DER)", ITU-T Recommendation X.690, August 2015.
10.2. Informative References
[AES] National Institute of Standards and Technology, "Advanced
Encryption Standard (AES)", DOI 10.6028/NIST.FIPS.197,
NIST PUB 197, November 2001,
<https://doi.org/10.6028/NIST.FIPS.197>.
[C2PQ] Hoffman, P., "The Transition from Classical to Post-
Quantum Cryptography", Work in Progress, Internet-Draft,
draft-hoffman-c2pq-06, 25 November 2019,
<https://tools.ietf.org/html/draft-hoffman-c2pq-06>.
[FGHT2016] Fried, J., Gaudry, P., Heninger, N., and E. Thome, "A
kilobit hidden SNFS discrete logarithm computation",
Cryptology ePrint Archive Report 2016/961, October 2016,
<https://eprint.iacr.org/2016/961.pdf>.
[H2019] Hammell, J., "Subject: [lamps] WG Last Call for draft-
ietf-lamps-cms-mix-with-psk"", message to the IETF mailing
list, May 2019, <https://mailarchive.ietf.org/arch/msg/
spasm/_6d_4jp3sOprAnbU2fp_yp_-6-k>.
[IANA] IANA, "Structure of Management Information (SMI) Numbers
(MIB Module Registrations)",
<https://www.iana.org/assignments/smi-numbers>.
[NAS2019] National Academies of Sciences, Engineering, and Medicine,
"Quantum Computing: Progress and Prospects",
DOI 10.17226/25196, 2019,
<https://doi.org/10.17226/25196>.
[NIST2018] Barker, E., Chen, L., and R. Davis, "Recommendation for
Key-Derivation Methods in Key-Establishment Schemes", NIST
Special Publication 800-56C Revision 1, April 2018,
<https://nvlpubs.nist.gov/nistpubs/SpecialPublications/
NIST.SP.800-56Cr1.pdf>.
[RFC2631] Rescorla, E., "Diffie-Hellman Key Agreement Method",
RFC 2631, DOI 10.17487/RFC2631, June 1999,
<https://www.rfc-editor.org/info/rfc2631>.
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086,
DOI 10.17487/RFC4086, June 2005,
<https://www.rfc-editor.org/info/rfc4086>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.
[RFC5753] Turner, S. and D. Brown, "Use of Elliptic Curve
Cryptography (ECC) Algorithms in Cryptographic Message
Syntax (CMS)", RFC 5753, DOI 10.17487/RFC5753, January
2010, <https://www.rfc-editor.org/info/rfc5753>.
[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC 5869,
DOI 10.17487/RFC5869, May 2010,
<https://www.rfc-editor.org/info/rfc5869>.
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
"PKCS #1: RSA Cryptography Specifications Version 2.2",
RFC 8017, DOI 10.17487/RFC8017, November 2016,
<https://www.rfc-editor.org/info/rfc8017>.
[RFC8619] Housley, R., "Algorithm Identifiers for the HMAC-based
Extract-and-Expand Key Derivation Function (HKDF)",
RFC 8619, DOI 10.17487/RFC8619, June 2019,
<https://www.rfc-editor.org/info/rfc8619>.
[S1994] Shor, P., "Algorithms for Quantum Computation: Discrete
Logarithms and Factoring", Proceedings of the 35th Annual
Symposium on Foundations of Computer Science, pp.
124-134", November 1994.
Appendix A. Key Transport with PSK Example
This example shows the establishment of an AES-256 content-encryption
key using:
* a pre-shared key of 256 bits;
* key transport using RSA PKCS#1 v1.5 with a 3072-bit key;
* key derivation using HKDF with SHA-384; and
* key wrap using AES-256-KEYWRAP.
In real-world use, the originator would encrypt the key-derivation
key in their own RSA public key as well as the recipient's public
key. This is omitted in an attempt to simplify the example.
A.1. Originator Processing Example
The pre-shared key known to Alice and Bob, in hexadecimal, is:
c244cdd11a0d1f39d9b61282770244fb0f6befb91ab7f96cb05213365cf95b15
The identifier assigned to the pre-shared key is:
ptf-kmc:13614122112
Alice obtains Bob's public key:
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA3ocW14cxncPJ47fnEjBZ
AyfC2lqapL3ET4jvV6C7gGeVrRQxWPDwl+cFYBBR2ej3j3/0ecDmu+XuVi2+s5JH
Keeza+itfuhsz3yifgeEpeK8T+SusHhn20/NBLhYKbh3kiAcCgQ56dpDrDvDcLqq
vS3jg/VO+OPnZbofoHOOevt8Q/roahJe1PlIyQ4udWB8zZezJ4mLLfbOA9YVaYXx
2AHHZJevo3nmRnlgJXo6mE00E/6qkhjDHKSMdl2WG6mO9TCDZc9qY3cAJDU6Ir0v
SH7qUl8/vN13y4UOFkn8hM4kmZ6bJqbZt5NbjHtY4uQ0VMW3RyESzhrO02mrp39a
uLNnH3EXdXaV1tk75H3qC7zJaeGWMJyQfOE3YfEGRKn8fxubji716D8UecAxAzFy
FL6m1JiOyV5acAiOpxN14qRYZdHnXOM9DqGIGpoeY1UuD4Mo05osOqOUpBJHA9fS
whSZG7VNf+vgNWTLNYSYLI04KiMdulnvU6ds+QPz+KKtAgMBAAE=
-----END PUBLIC KEY-----
Bob's RSA public key has the following key identifier:
9eeb67c9b95a74d44d2f16396680e801b5cba49c
Alice randomly generates a content-encryption key:
c8adc30f4a3e20ac420caa76a68f5787c02ab42afea20d19672fd963a5338e83
Alice randomly generates a key-derivation key:
df85af9e3cebffde6e9b9d24263db31114d0a8e33a0d50e05eb64578ccde81eb
Alice encrypts the key-derivation key in Bob's public key:
52693f12140c91dea2b44c0b7936f6be46de8a7bfab072bcb6ecfd56b06a9f65
1bd4669d336aef7b449e5cd9b151893b7c7a3b8e364394840b0a5434cbf10e1b
5670aefd074faf380665d204fb95153543346f36c2125dba6f4d23d2bc61434b
5e36ff72b3eafe57c6cf7f74924c309f174b0b8753554b58ed33a8848d707a98
c0c2b1ddcfd09e31fe213ca0a48dd157bd7d842e85cc76f77710d58efeaa0525
c651bcd1410fb47534ecabaf5ab7daabed809d4b97220caf6d4929c5fb684f7b
b8692e6e70332ff9b3f7c11d6cac51d4a35593173d48f80ca843b89789d625e7
997ad7d674d25a2a7d165a5f39b3cb6358e937bdb02ac8a524ac93113cedd9ad
c68263025c0bb0997d716e58d4d7b69739bf591f3e71c7678dc0df96f3df9e8a
a5738f4f9ce21489f300e040891b20b2ab6d9051b3c2e68efa2fa9799a706878
d5f462018c021d6669ed649f9acdf78476810198bfb8bd41ffedc585eafa957e
ea1d3625e4bed376e7ae49718aee2f575c401a26a29941d8da5b7ee9aca36471
Alice produces a 256-bit key-encryption key with HKDF using SHA-384;
the secret value is the key-derivation key; and the 'info' is the
DER-encoded CMSORIforPSKOtherInfo structure with the following
values:
0 56: SEQUENCE {
2 32: OCTET STRING
: C2 44 CD D1 1A 0D 1F 39 D9 B6 12 82 77 02 44 FB
: 0F 6B EF B9 1A B7 F9 6C B0 52 13 36 5C F9 5B 15
36 1: ENUMERATED 5
39 11: SEQUENCE {
41 9: OBJECT IDENTIFIER aes256-wrap (2 16 840 1 101 3 4 1 45)
: }
52 1: INTEGER 32
55 1: INTEGER 32
: }
The DER encoding of CMSORIforPSKOtherInfo produces 58 octets:
30380420c244cdd11a0d1f39d9b61282770244fb0f6befb91ab7f96cb0521336
5cf95b150a0105300b060960864801650304012d020120020120
The HKDF output is 256 bits:
f319e9cebb35f1c6a7a9709b8760b9d0d3e30e16c5b2b69347e9f00ca540a232
Alice uses AES-KEY-WRAP to encrypt the 256-bit content-encryption key
with the key-encryption key:
ea0947250fa66cd525595e52a69aaade88efcf1b0f108abe291060391b1cdf59
07f36b4067e45342
Alice encrypts the content using AES-256-GCM with the content-
encryption key. The 12-octet nonce used is:
cafebabefacedbaddecaf888
The content plaintext is:
48656c6c6f2c20776f726c6421
The resulting ciphertext is:
9af2d16f21547fcefed9b3ef2d
The resulting 12-octet authentication tag is:
a0e5925cc184e0172463c44c
A.2. ContentInfo and AuthEnvelopedData
Alice encodes the AuthEnvelopedData and the ContentInfo and sends the
result to Bob. The resulting structure is:
0 650: SEQUENCE {
4 11: OBJECT IDENTIFIER
: authEnvelopedData (1 2 840 113549 1 9 16 1 23)
17 633: [0] {
21 629: SEQUENCE {
25 1: INTEGER 0
28 551: SET {
32 547: [4] {
36 11: OBJECT IDENTIFIER
: keyTransPSK (1 2 840 113549 1 9 16 13 1)
49 530: SEQUENCE {
53 1: INTEGER 0
56 19: OCTET STRING 'ptf-kmc:13614122112'
77 13: SEQUENCE {
79 11: OBJECT IDENTIFIER
: hkdf-with-sha384 (1 2 840 113549 1 9 16 3 29)
: }
92 11: SEQUENCE {
94 9: OBJECT IDENTIFIER
: aes256-wrap (2 16 840 1 101 3 4 1 45)
: }
105 432: SEQUENCE {
109 428: SEQUENCE {
113 1: INTEGER 2
116 20: [0]
: 9E EB 67 C9 B9 5A 74 D4 4D 2F 16 39 66 80 E8 01
: B5 CB A4 9C
138 13: SEQUENCE {
140 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1)
151 0: NULL
: }
153 384: OCTET STRING
: 52 69 3F 12 14 0C 91 DE A2 B4 4C 0B 79 36 F6 BE
: 46 DE 8A 7B FA B0 72 BC B6 EC FD 56 B0 6A 9F 65
: 1B D4 66 9D 33 6A EF 7B 44 9E 5C D9 B1 51 89 3B
: 7C 7A 3B 8E 36 43 94 84 0B 0A 54 34 CB F1 0E 1B
: 56 70 AE FD 07 4F AF 38 06 65 D2 04 FB 95 15 35
: 43 34 6F 36 C2 12 5D BA 6F 4D 23 D2 BC 61 43 4B
: 5E 36 FF 72 B3 EA FE 57 C6 CF 7F 74 92 4C 30 9F
: 17 4B 0B 87 53 55 4B 58 ED 33 A8 84 8D 70 7A 98
: C0 C2 B1 DD CF D0 9E 31 FE 21 3C A0 A4 8D D1 57
: BD 7D 84 2E 85 CC 76 F7 77 10 D5 8E FE AA 05 25
: C6 51 BC D1 41 0F B4 75 34 EC AB AF 5A B7 DA AB
: ED 80 9D 4B 97 22 0C AF 6D 49 29 C5 FB 68 4F 7B
: B8 69 2E 6E 70 33 2F F9 B3 F7 C1 1D 6C AC 51 D4
: A3 55 93 17 3D 48 F8 0C A8 43 B8 97 89 D6 25 E7
: 99 7A D7 D6 74 D2 5A 2A 7D 16 5A 5F 39 B3 CB 63
: 58 E9 37 BD B0 2A C8 A5 24 AC 93 11 3C ED D9 AD
: C6 82 63 02 5C 0B B0 99 7D 71 6E 58 D4 D7 B6 97
: 39 BF 59 1F 3E 71 C7 67 8D C0 DF 96 F3 DF 9E 8A
: A5 73 8F 4F 9C E2 14 89 F3 00 E0 40 89 1B 20 B2
: AB 6D 90 51 B3 C2 E6 8E FA 2F A9 79 9A 70 68 78
: D5 F4 62 01 8C 02 1D 66 69 ED 64 9F 9A CD F7 84
: 76 81 01 98 BF B8 BD 41 FF ED C5 85 EA FA 95 7E
: EA 1D 36 25 E4 BE D3 76 E7 AE 49 71 8A EE 2F 57
: 5C 40 1A 26 A2 99 41 D8 DA 5B 7E E9 AC A3 64 71
: }
: }
541 40: OCTET STRING
: EA 09 47 25 0F A6 6C D5 25 59 5E 52 A6 9A AA DE
: 88 EF CF 1B 0F 10 8A BE 29 10 60 39 1B 1C DF 59
: 07 F3 6B 40 67 E4 53 42
: }
: }
: }
583 55: SEQUENCE {
585 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
596 27: SEQUENCE {
598 9: OBJECT IDENTIFIER
: aes256-GCM (2 16 840 1 101 3 4 1 46)
609 14: SEQUENCE {
611 12: OCTET STRING
: CA FE BA BE FA CE DB AD DE CA F8 88
: }
: }
625 13: [0]
: 9A F2 D1 6F 21 54 7F CE FE D9 B3 EF 2D
: }
640 12: OCTET STRING A0 E5 92 5C C1 84 E0 17 24 63 C4 4C
: }
: }
: }
A.3. Recipient Processing Example
Bob's private key is:
-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEA3ocW14cxncPJ47fnEjBZAyfC2lqapL3ET4jvV6C7gGeVrRQx
WPDwl+cFYBBR2ej3j3/0ecDmu+XuVi2+s5JHKeeza+itfuhsz3yifgeEpeK8T+Su
sHhn20/NBLhYKbh3kiAcCgQ56dpDrDvDcLqqvS3jg/VO+OPnZbofoHOOevt8Q/ro
ahJe1PlIyQ4udWB8zZezJ4mLLfbOA9YVaYXx2AHHZJevo3nmRnlgJXo6mE00E/6q
khjDHKSMdl2WG6mO9TCDZc9qY3cAJDU6Ir0vSH7qUl8/vN13y4UOFkn8hM4kmZ6b
JqbZt5NbjHtY4uQ0VMW3RyESzhrO02mrp39auLNnH3EXdXaV1tk75H3qC7zJaeGW
MJyQfOE3YfEGRKn8fxubji716D8UecAxAzFyFL6m1JiOyV5acAiOpxN14qRYZdHn
XOM9DqGIGpoeY1UuD4Mo05osOqOUpBJHA9fSwhSZG7VNf+vgNWTLNYSYLI04KiMd
ulnvU6ds+QPz+KKtAgMBAAECggGATFfkSkUjjJCjLvDk4aScpSx6+Rakf2hrdS3x
jwqhyUfAXgTTeUQQBs1HVtHCgxQd+qlXYn3/qu8TeZVwG4NPztyi/Z5yB1wOGJEV
3k8N/ytul6pJFFn6p48VM01bUdTrkMJbXERe6g/rr6dBQeeItCaOK7N5SIJH3Oqh
9xYuB5tH4rquCdYLmt17Tx8CaVqU9qPY3vOdQEOwIjjMV8uQUR8rHSO9KkSj8AGs
Lq9kcuPpvgJc2oqMRcNePS2WVh8xPFktRLLRazgLP8STHAtjT6SlJ2UzkUqfDHGK
q/BoXxBDu6L1VDwdnIS5HXtL54ElcXWsoOyKF8/ilmhRUIUWRZFmlS1ok8IC5IgX
UdL9rJVZFTRLyAwmcCEvRM1asbBrhyEyshSOuN5nHJi2WVJ+wSHijeKl1qeLlpMk
HrdIYBq4Nz7/zXmiQphpAy+yQeanhP8O4O6C8e7RwKdpxe44su4Z8fEgA5yQx0u7
8yR1EhGKydX5bhBLR5Cm1VM7rT2BAoHBAP/+e5gZLNf/ECtEBZjeiJ0VshszOoUq
haUQPA+9Bx9pytsoKm5oQhB7QDaxAvrn8/FUW2aAkaXsaj9F+/q30AYSQtExai9J
fdKKook3oimN8/yNRsKmhfjGOj8hd4+GjX0qoMSBCEVdT+bAjjry8wgQrqReuZnu
oXU85dmb3jvv0uIczIKvTIeyjXE5afjQIJLmZFXsBm09BG87Ia5EFUKly96BOMJh
/QWEzuYYXDqOFfzQtkAefXNFW21Kz4Hw2QKBwQDeiGh4lxCGTjECvG7fauMGlu+q
DSdYyMHif6t6mx57eS16EjvOrlXKItYhIyzW8Kw0rf/CSB2j8ig1GkMLTOgrGIJ1
0322o50FOr5oOmZPueeR4pOyAP0fgQ8DD1L3JBpY68/8MhYbsizVrR+Ar4jM0f96
W2bF5Xj3h+fQTDMkx6VrCCQ6miRmBUzH+ZPs5n/lYOzAYrqiKOanaiHy4mjRvlsy
mjZ6z5CG8sISqcLQ/k3Qli5pOY/v0rdBjgwAW/UCgcEAqGVYGjKdXCzuDvf9EpV4
mpTWB6yIV2ckaPOn/tZi5BgsmEPwvZYZt0vMbu28Px7sSpkqUuBKbzJ4pcy8uC3I
SuYiTAhMiHS4rxIBX3BYXSuDD2RD4vG1+XM0h6jVRHXHh0nOXdVfgnmigPGz3jVJ
B8oph/jD8O2YCk4YCTDOXPEi8Rjusxzro+whvRR+kG0gsGGcKSVNCPj1fNISEte4
gJId7O1mUAAzeDjn/VaS/PXQovEMolssPPKn9NocbKbpAoHBAJnFHJunl22W/lrr
ppmPnIzjI30YVcYOA5vlqLKyGaAsnfYqP1WUNgfVhq2jRsrHx9cnHQI9Hu442PvI
x+c5H30YFJ4ipE3eRRRmAUi4ghY5WgD+1hw8fqyUW7E7l5LbSbGEUVXtrkU5G64T
UR91LEyMF8OPATdiV/KD4PWYkgaqRm3tVEuCVACDTQkqNsOOi3YPQcm270w6gxfQ
SOEy/kdhCFexJFA8uZvmh6Cp2crczxyBilR/yCxqKOONqlFdOQKBwFbJk5eHPjJz
AYueKMQESPGYCrwIqxgZGCxaqeVArHvKsEDx5whI6JWoFYVkFA8F0MyhukoEb/2x
2qB5T88Dg3EbqjTiLg3qxrWJ2OxtUo8pBP2I2wbl2NOwzcbrlYhzEZ8bJyxZu5i1
sYILC8PJ4Qzw6jS4Qpm4y1WHz8e/ElW6VyfmljZYA7f9WMntdfeQVqCVzNTvKn6f
hg6GSpJTzp4LV3ougi9nQuWXZF2wInsXkLYpsiMbL6Fz34RwohJtYA==
-----END RSA PRIVATE KEY-----
Bob decrypts the key-derivation key with his RSA private key:
df85af9e3cebffde6e9b9d24263db31114d0a8e33a0d50e05eb64578ccde81eb
Bob produces a 256-bit key-encryption key with HKDF using SHA-384;
the secret value is the key-derivation key; and the 'info' is the
DER-encoded CMSORIforPSKOtherInfo structure with the same values as
shown in Appendix A.1. The HKDF output is 256 bits:
f319e9cebb35f1c6a7a9709b8760b9d0d3e30e16c5b2b69347e9f00ca540a232
Bob uses AES-KEY-WRAP to decrypt the content-encryption key with the
key-encryption key; the content-encryption key is:
c8adc30f4a3e20ac420caa76a68f5787c02ab42afea20d19672fd963a5338e83
Bob decrypts the content using AES-256-GCM with the content-
encryption key and checks the received authentication tag. The
12-octet nonce used is:
cafebabefacedbaddecaf888
The 12-octet authentication tag is:
a0e5925cc184e0172463c44c
The received ciphertext content is:
9af2d16f21547fcefed9b3ef2d
The resulting plaintext content is:
48656c6c6f2c20776f726c6421
Appendix B. Key Agreement with PSK Example
This example shows the establishment of an AES-256 content-encryption
key using:
* a pre-shared key of 256 bits;
* key agreement using ECDH on curve P-384 and X9.63 KDF with SHA-
384;
* key derivation using HKDF with SHA-384; and
* key wrap using AES-256-KEYWRAP.
In real-world use, the originator would treat themselves as an
additional recipient by performing key agreement with their own
static public key and the ephemeral private key generated for this
message. This is omitted in an attempt to simplify the example.
B.1. Originator Processing Example
The pre-shared key known to Alice and Bob, in hexadecimal, is:
4aa53cbf500850dd583a5d9821605c6fa228fb5917f87c1c078660214e2d83e4
The identifier assigned to the pre-shared key is:
ptf-kmc:216840110121
Alice randomly generates a content-encryption key:
937b1219a64d57ad81c05cc86075e86017848c824d4e85800c731c5b7b091033
Alice obtains Bob's static ECDH public key:
-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEScGPBO9nmUwGrgbGEoFY9HR/bCo0WyeY
/dePQVrwZmwN2yMJmO2d1kWCvLTz8U7atinxyIRe9CV54yau1KWU/wbkhPDnzuSM
YkcpxMGo32z3JetEloW5aFOja13vv/W5
-----END PUBLIC KEY-----
It has a key identifier of:
e8218b98b8b7d86b5e9ebdc8aeb8c4ecdc05c529
Alice generates an ephemeral ECDH key pair on the same curve:
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDCMiWLG44ik+L8cYVvJrQdLcFA+PwlgRF+Wt1Ab25qUh8OB7OePWjxp
/b8P6IOuI6GgBwYFK4EEACKhZANiAAQ5G0EmJk/2ks8sXY1kzbuG3Uu3ttWwQRXA
LFDJICjvYfr+yTpOQVkchm88FAh9MEkw4NKctokKNgpsqXyrT3DtOg76oIYENpPb
GE5lJdjPx9sBsZQdABwlsU0Zb7P/7i8=
-----END EC PRIVATE KEY-----
Alice computes a shared secret called "Z" using Bob's static ECDH
public key and her ephemeral ECDH private key; Z is:
3f015ed0ff4b99523a95157bbe77e9cc0ee52fcffeb7e41eac79d1c11b6cc556
19cf8807e6d800c2de40240fe0e26adc
Alice computes the pairwise key-encryption key, called "KEK1", from Z
using the X9.63 KDF with the ECC-CMS-SharedInfo structure with the
following values:
0 21: SEQUENCE {
2 11: SEQUENCE {
4 9: OBJECT IDENTIFIER aes256-wrap (2 16 840 1 101 3 4 1 45)
: }
15 6: [2] {
17 4: OCTET STRING 00 00 00 20
: }
: }
The DER encoding of ECC-CMS-SharedInfo produces 23 octets:
3015300b060960864801650304012da206040400000020
The X9.63 KDF output is the 256-bit KEK1:
27dc25ddb0b425f7a968ceada80a8f73c6ccaab115baafcce4a22a45d6b8f3da
Alice produces the 256-bit KEK2 with HKDF using SHA-384; the secret
value is KEK1; and the 'info' is the DER-encoded
CMSORIforPSKOtherInfo structure with the following values:
0 56: SEQUENCE {
2 32: OCTET STRING
: 4A A5 3C BF 50 08 50 DD 58 3A 5D 98 21 60 5C 6F
: A2 28 FB 59 17 F8 7C 1C 07 86 60 21 4E 2D 83 E4
36 1: ENUMERATED 10
39 11: SEQUENCE {
41 9: OBJECT IDENTIFIER aes256-wrap (2 16 840 1 101 3 4 1 45)
: }
52 1: INTEGER 32
55 1: INTEGER 32
: }
The DER encoding of CMSORIforPSKOtherInfo produces 58 octets:
303804204aa53cbf500850dd583a5d9821605c6fa228fb5917f87c1c07866021
4e2d83e40a010a300b060960864801650304012d020120020120
The HKDF output is the 256-bit KEK2:
7de693ee30ae22b5f8f6cd026c2164103f4e1430f1ab135dc1fb98954f9830bb
Alice uses AES-KEY-WRAP to encrypt the content-encryption key with
the KEK2; the wrapped key is:
229fe0b45e40003e7d8244ec1b7e7ffb2c8dca16c36f5737222553a71263a92b
de08866a602d63f4
Alice encrypts the content using AES-256-GCM with the content-
encryption key. The 12-octet nonce used is:
dbaddecaf888cafebabeface
The plaintext is:
48656c6c6f2c20776f726c6421
The resulting ciphertext is:
fc6d6f823e3ed2d209d0c6ffcf
The resulting 12-octet authentication tag is:
550260c42e5b29719426c1ff
B.2. ContentInfo and AuthEnvelopedData
Alice encodes the AuthEnvelopedData and the ContentInfo and sends the
result to Bob. The resulting structure is:
0 327: SEQUENCE {
4 11: OBJECT IDENTIFIER
: authEnvelopedData (1 2 840 113549 1 9 16 1 23)
17 310: [0] {
21 306: SEQUENCE {
25 1: INTEGER 0
28 229: SET {
31 226: [4] {
34 11: OBJECT IDENTIFIER
: keyAgreePSK (1 2 840 113549 1 9 16 13 2)
47 210: SEQUENCE {
50 1: INTEGER 0
53 20: OCTET STRING 'ptf-kmc:216840110121'
75 85: [0] {
77 83: [1] {
79 19: SEQUENCE {
81 6: OBJECT IDENTIFIER
: ecdhX963KDF-SHA256 (1 3 132 1 11 1)
89 9: OBJECT IDENTIFIER
: aes256-wrap (2 16 840 1 101 3 4 1 45)
: }
100 60: BIT STRING, encapsulates {
103 57: OCTET STRING
: 1B 41 26 26 4F F6 92 CF 2C 5D 8D 64 CD BB 86 DD
: 4B B7 B6 D5 B0 41 15 C0 2C 50 C9 20 28 EF 61 FA
: FE C9 3A 4E 41 59 1C 86 6F 3C 14 08 7D 30 49 30
: E0 D2 9C B6 89 0A 36 0A 6C
: }
: }
: }
162 13: SEQUENCE {
164 11: OBJECT IDENTIFIER
: hkdf-with-sha384 (1 2 840 113549 1 9 16 3 29)
: }
177 11: SEQUENCE {
179 9: OBJECT IDENTIFIER
: aes256-wrap (2 16 840 1 101 3 4 1 45)
: }
190 68: SEQUENCE {
192 66: SEQUENCE {
194 22: [0] {
196 20: OCTET STRING
: E8 21 8B 98 B8 B7 D8 6B 5E 9E BD C8 AE B8 C4 EC
: DC 05 C5 29
: }
218 40: OCTET STRING
: 22 9F E0 B4 5E 40 00 3E 7D 82 44 EC 1B 7E 7F FB
: 2C 8D CA 16 C3 6F 57 37 22 25 53 A7 12 63 A9 2B
: DE 08 86 6A 60 2D 63 F4
: }
: }
: }
: }
: }
260 55: SEQUENCE {
262 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
273 27: SEQUENCE {
275 9: OBJECT IDENTIFIER
: aes256-GCM (2 16 840 1 101 3 4 1 46)
286 14: SEQUENCE {
288 12: OCTET STRING
: DB AD DE CA F8 88 CA FE BA BE FA CE
: }
: }
302 13: [0]
: FC 6D 6F 82 3E 3E D2 D2 09 D0 C6 FF CF
: }
317 12: OCTET STRING 55 02 60 C4 2E 5B 29 71 94 26 C1 FF
: }
: }
: }
B.3. Recipient Processing Example
Bob obtains Alice's ephemeral ECDH public key from the message:
-----BEGIN PUBLIC KEY-----
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEORtBJiZP9pLPLF2NZM27ht1Lt7bVsEEV
wCxQySAo72H6/sk6TkFZHIZvPBQIfTBJMODSnLaJCjYKbKl8q09w7ToO+qCGBDaT
2xhOZSXYz8fbAbGUHQAcJbFNGW+z/+4v
-----END PUBLIC KEY-----
Bob's static ECDH private key is:
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDAnJ4hB+tTUN9X03/W0RsrYy+qcptlRSYkhaDIsQYPXfTU0ugjJEmRk
NTPj4y1IRjegBwYFK4EEACKhZANiAARJwY8E72eZTAauBsYSgVj0dH9sKjRbJ5j9
149BWvBmbA3bIwmY7Z3WRYK8tPPxTtq2KfHIhF70JXnjJq7UpZT/BuSE8OfO5Ixi
RynEwajfbPcl60SWhbloU6NrXe+/9bk=
-----END EC PRIVATE KEY-----
Bob computes a shared secret called "Z" using Alice's ephemeral ECDH
public key and his static ECDH private key; Z is:
3f015ed0ff4b99523a95157bbe77e9cc0ee52fcffeb7e41eac79d1c11b6cc556
19cf8807e6d800c2de40240fe0e26adc
Bob computes the pairwise key-encryption key, KEK1, from Z using the
X9.63 KDF with the ECC-CMS-SharedInfo structure with the values shown
in Appendix B.1. The X9.63 KDF output is the 256-bit KEK1:
27dc25ddb0b425f7a968ceada80a8f73c6ccaab115baafcce4a22a45d6b8f3da
Bob produces the 256-bit KEK2 with HKDF using SHA-384; the secret
value is KEK1; and the 'info' is the DER-encoded
CMSORIforPSKOtherInfo structure with the values shown in
Appendix B.1. The HKDF output is the 256-bit KEK2:
7de693ee30ae22b5f8f6cd026c2164103f4e1430f1ab135dc1fb98954f9830bb
Bob uses AES-KEY-WRAP to decrypt the content-encryption key with the
KEK2; the content-encryption key is:
937b1219a64d57ad81c05cc86075e86017848c824d4e85800c731c5b7b091033
Bob decrypts the content using AES-256-GCM with the content-
encryption key and checks the received authentication tag. The
12-octet nonce used is:
dbaddecaf888cafebabeface
The 12-octet authentication tag is:
550260c42e5b29719426c1ff
The received ciphertext content is:
fc6d6f823e3ed2d209d0c6ffcf
The resulting plaintext content is:
48656c6c6f2c20776f726c6421
Acknowledgements
Many thanks to Roman Danyliw, Ben Kaduk, Burt Kaliski, Panos
Kampanakis, Jim Schaad, Robert Sparks, Sean Turner, and Daniel Van
Geest for their review and insightful comments. They have greatly
improved the design, clarity, and implementation guidance.
Author's Address
Russ Housley
Vigil Security, LLC
516 Dranesville Road
Herndon, VA 20170
United States of America
Email: housley@vigilsec.com
|