[Docs] [txt|pdf] [Tracker] [WG] [Email] [Nits]

Versions: 00 01 02 03 04 05 RFC 3657

S/MIME Working Group                                           S. Moriai
Internet Draft                Nippon Telegraph and Telephone Corporation
Expiration Date: April 2003                                      A. Kato
                                                NTT Software Corporation
                                                            October 2002


            Use of the Camellia Encryption Algorithm in CMS

                   <draft-ietf-smime-camellia-00.txt>

Status of this Memo

    This document is an Internet-Draft and is in full conformance with
    all provisions of Section 10 of RFC2026.

    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF), its areas, and its working groups.  Note that
    other groups may also distribute working documents as Internet-
    Drafts.

    Internet-Drafts are draft documents valid for a maximum of six
    months and may be updated, replaced, or obsoleted by other documents
    at any time.  It is inappropriate to use Internet-Drafts as
    reference material or to cite them other than as "work in progress."

    The list of current Internet-Drafts can be accessed at
    http://www.ietf.org/ietf/1id-abstracts.txt

    The list of Internet-Draft Shadow Directories can be accessed at
    http://www.ietf.org/shadow.html.

    Comments or suggestions for improvement may be made on the
    "ietf-smime" mailing list, or directly to the author.

Abstract

    This document specifies how to incorporate the Camellia encryption
    algorithm into the S/MIME Cryptographic Message Syntax (CMS) as an
    additional algorithm for symmetric encryption.  The relevant OIDs
    and processing steps are provided so that Camellia may be included
    in the CMS specification (RFC 3369, RFC 3370) for content and key
    encryption.


1. Introduction

    This document specifies the conventions for using the Camellia
    encryption algorithm [CamelliaSpec][CamelliaID] for encryption with
    the Cryptographic Message Syntax (CMS) [CMS].

MORIAI                                                          [Page 1]

Internet-Draft            Use of Camellia in CMS            October 2002


    Camellia is a block cipher with 128-bit block size and 128-, 192-,
    and 256-bit keys, i.e. the same interface as the Advanced Encryption
    Standard (AES).  Camellia offers excellent efficiency on both
    software and hardware platforms in addition to a high level of
    security [CamelliaTech].

    CMS values are generated using ASN.1 (X.208-88), using the Basic
    Encoding Rules (BER) (X.209-88) and the Distinguished Encoding Rules
    (DER) (X.509-88).

    The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD
    NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in
    uppercase, as shown) are to be interpreted as described in
    [RFC2119].


2. Object Identifiers for Content and Key Encryption

    This section provides the OIDs and processing information necessary
    for Camellia to be used for content and key encryption in CMS.

    Camellia is added to the set of optional symmetric encryption
    algorithms in CMS by providing two classes of unique object
    identifiers (OIDs).  One OID class defines the content encryption
    algorithms and the other defines the key encryption algorithms.
    Thus a CMS agent can apply Camellia either for content or key
    encryption by selecting the corresponding object identifier,
    supplying the required parameter, and starting the program code.

2.1 OIDs for Content Encryption

    For content encryption the use of Camellia in cipher block chaining
    (CBC) mode is RECOMMENDED.  The Camellia content-encryption
    algorithm, in CBC mode, for the three different key sizes are
    identified by the following object identifiers:

       id-camellia128-cbc OBJECT IDENTIFIER ::=
           { iso(1) member-body(2) 392 200011 61 security(1)
             algorithm(1) symmetric-encryption-algorithm(1)
             camellia128-cbc(2) }

       id-camellia192-cbc OBJECT IDENTIFIER ::=
           { iso(1) member-body(2) 392 200011 61 security(1)
             algorithm(1) symmetric-encryption-algorithm(1)
             camellia192-cbc(3) }

       id-camellia256-cbc OBJECT IDENTIFIER ::=
           { iso(1) member-body(2) 392 200011 61 security(1)
             algorithm(1) symmetric-encryption-algorithm(1)
             camellia256-cbc(4) }

    To determine the value of IV, the above algorithms take parameter
    as:

MORIAI                                                          [Page 2]

Internet-Draft            Use of Camellia in CMS            October 2002


       CamelliaCBCParameter ::= CamelliaIV  --  Initialization Vector

       CamelliaIV ::= OCTET STRING (SIZE(16))

    When these object identifiers are used, plaintext is padded before
    encrypt it.  At least 1 padding octet is appended at the end of the
    plaintext to make the length of the plaintext to the multiple of 16
    octets.  The value of these octets is as same as the number of
    appended octets.  (e.g., If 10 octets are needed to pad, the value
    is 0x0a.)


2.2 OIDs for Key Encryption

    The key-wrap/unwrap procedures used to encrypt/decrypt a Camellia
    content-encryption key (CEK) with a Camellia key-encryption key
    (KEK) are specified in Section 3.  Generation and distribution of
    key-encryption keys are beyond the scope of this document.

    The Camellia key-encryption algorithm has the following object
    identifier:

   id-camellia128-wrap OBJECT IDENTIFIER ::=
           { iso(1) member-body(2) 392 200011 61 security(1)
             algorithm(1) key-wrap-algorithm(3)
             camellia128-wrap(2) }

   id-camellia192-wrap OBJECT IDENTIFIER ::=
           { iso(1) member-body(2) 392 200011 61 security(1)
             algorithm(1) key-wrap-algorithm(3)
             camellia192-wrap(3) }

   id-camellia256-wrap OBJECT IDENTIFIER ::=
           { iso(1) member-body(2) 392 200011 61 security(1)
             algorithm(1) key-wrap-algorithm(3)
             camellia256-wrap(4) }

    In all cases the parameters field of AlgorithmIdentifier MUST be
    NULL.  The OID gives the KEK key size, but does not make any
    statements as to the size of the wrapped Camellia CEK.
    Implementations MAY use different KEK and CEK sizes.  Implements
    MUST support the CEK and the KEK having the same length.  If
    different lengths are supported, the KEK MUST be of equal or greater
    length than the CEK.

    We don't need additional parameter information associated with this
    object identifier contains, because the key wrapping procedure
    itself defines how and when to use an IV.


3. Key Wrap Algorithm

    Camellia key wrapping and unwrapping is done in conformance with the

MORIAI                                                          [Page 3]

Internet-Draft            Use of Camellia in CMS            October 2002

    AES key wrap algorithm [AES-WRAP][RFC3394], because Camellia and AES
    have the same block and key sizes, i.e. the block size of 128 bits
    and key sizes of 128, 192, and 256 bits.


3.1 Camellia Key Wrap

    Key wrapping with Camellia is identical to [RFC3394], Section 2.2.1,
    with "AES" replaced by "Camellia".

3.2 Camellia Key Unwrap

    Key unwrapping with Camellia is identical to [RFC3394], Section
    2.2.2, with "AES" replaced by "Camellia".


4. Security Considerations

    This document specifies the use of Camellia for encrypting the
    content of a CMS message and for encrypting the symmetric key used
    to encrypt the content of a CMS message.  Since Camellia supports
    the key length of 128, 192 and 256 bits, it provides enough security
    against exhaustive key attacks.  Against other attacks Camellia is
    believed to be secure, and it has withstood extensive cryptanalytic
    efforts in several open, worldwide cryptographic evaluation
    projects.

    For other security considerations, please refer to the security
    considerations of the CMS specifications [CMS][CMSALG] and the AES
    key wrap algorithm [AES-WRAP][RFC3394].


5. Intellectual Property Statement

    Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon
    Telegraph and Telephone Corporation (NTT) have pending applications
    or filed patents which are essential to Camellia.  License policy
    for these essential patents will be available on the IETF page of
    Intellectual Property Rights Notices.


References

    [AES-WRAP] National Institute of Standards and Technology. AES Key
        Wrap Specification. 17 November 2001.
        http://csrc.nist.gov/encryption/kms/key-wrap.pdf

    [CamelliaID] J. Nakajima and S. Moriai, "A Description of the
        Camellia Encryption Algorithm", Internet-Draft, July 2001.
        draft-nakajima-camellia-02.txt

    [CamelliaSpec] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
        J. Nakajima, and T. Tokita ``Specification of Camellia - a
        128-bit Block Cipher''.  http://info.isl.ntt.co.jp/camellia/

MORIAI                                                          [Page 4]

Internet-Draft            Use of Camellia in CMS            October 2002


    [CamelliaTech] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
        J. Nakajima, and T. Tokita ``Camellia: A 128-Bit Block Cipher
        Suitable for Multiple Platforms - Design and Analysis -'', In
        Selected Areas in Cryptography, 7th Annual International
        Workshop, SAC 2000, August 2000, Proceedings, Lecture Notes in
        Computer Science 2012, pp.39--56, Springer-Verlag, 2001.

    [CMS] R. Housley, "Cryptographic Message Syntax", RFC 3369, August
        2002.

    [CMSALG] R. Housley, "Cryptographic Message Syntax (CMS)
        Algorithms", RFC 3370, August 2002.

    [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
        Requirement Levels", BCP 14, RFC 2119, March 1997.

    [RFC3394] J. Schaad and R. Housley, "Advanced Encryption Standard
        (AES) Key Wrap Algorithm", RFC 3394, September 2002.


Authors' Address

    Shiho Moriai
    Nippon Telegraph and Telephone Corporation
    Phone: +81-468-59-2007
    FAX:   +81-468-59-3858
    Email: shiho@isl.ntt.co.jp

    Akihiro Kato
    NTT Software Corporation
    Phone: +81-45-212-7404
    FAX:   +81-45-212-7410
    Email: akato@po.ntts.co.jp





















MORIAI                                                          [Page 5]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/