[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00 01 02 RFC 6032

Network Working Group                                   S. Turner, IECA
Internet Draft                               R. Housley, Vigil Security
Intended Status: Standard Track                      September 08, 2009
Expires: March 08, 2010



                    Encrypted Key Package Content Type
            draft-turner-encryptedkeypackagecontenttype-00.txt


Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on March 08, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.







Turner & Housley        Expires March 08, 2010                 [Page 1]

Internet-Draft    Encrypted Key Package Content Type     September 2009


Abstract

   This document defines the encrypted key package content type, which
   can be used to encrypt a content that includes a key package, such as
   a symmetric key package or an asymmetric key package.  It is
   transport independent.  The Cryptographic Message Syntax (CMS) can be
   used to digitally sign, digest, authenticate, or further encrypt this
   content type.  It is designed to be used with the CMS Content
   Constraints extension, which does not constrain the EncryptedData,
   EnvelopedData, and AuthEnvelopedData.

1. Introduction

   The Cryptographic Message Syntax (CMS) specification [RFC3852]
   defines means to digitally sign, digest, authenticate or encrypt
   arbitrary message content.  Many specifications define content types
   intended for use with CMS. [RFCTBD1] and [RFCTBD2] define symmetric
   key package and asymmetric key package content types that can be
   signed or encrypted using CMS.  CMS allows composition of complex
   messages with an arbitrary number of layers.  CMS has been augmented
   by several specifications ([RFC3274],[RFC4073] and [RFC5083]) that
   define additional mechanisms to enable creation of messages of
   arbitrary depth and breadth using a variety of authentication,
   encryption and compression techniques.

   The CMS Content Constraints (CCC) certificate extension [CCC] defines
   an authorization mechanism that allows recipients to determine
   whether the originator of an authenticated CMS content type is
   authorized to produce messages of that type.  CCC is used to
   authorize the innermost content type within a CMS-protected message.
   CCC cannot be used to constrain the following structures that are
   used to provide layers of protection: SignedData, EnvelopedData,
   EncryptedData, DigestData, CompressedData, AuthenticatedData,
   ContentCollection, ContentWithAttributes or AuthEnvelopedData.

   Using the existing CMS mechanisms, producers of authenticated
   plaintext key packages can be authorized by including a CCC extension
   containing the appropriate content type in the producer's
   certificate.  However, these mechanisms cannot be used to authorize
   the producers of encrypted key material.  In some key management
   systems, encrypted key packages are exchanged between entities that
   cannot decrypt the key package.  The encrypted key package itself may
   be authenticated and passed to another entity.  In these cases,
   checking the authorization of the producer of the encrypted key
   package may be desired at the intermediate points.




Turner & Housley        Expires March 08, 2010                 [Page 2]

Internet-Draft    Encrypted Key Package Content Type     September 2009


   This document defines the encrypted key package content type, which
   can be used to encrypt a content that includes a key package, such as
   a symmetric key package [RFCTBD1] or an asymmetric key package
   [RFCTBD2].  It is transport independent.  The Cryptographic Message
   Syntax (CMS) [RFC3852] can be used to digitally sign, digest,
   authenticate, or further encrypt this content type.

   The encrypted key package content type is designed for use with
   [CCC].  To authorize an originator's public key to originate an
   encrypted key package, the object identifier associated with the
   encrypted key package content type is included in the originator's
   public key certificate CCC certificate extension. For CCC to
   function, originators encapsulate the encrypted key package in a
   SignedData, EnvelopedData, or AuthEnvelopedData, and then during
   certificate path validation the recipient determines whether the
   originator is authorized to originate the encrypted key package.

   In [CCC] terminology, the encrypted key package is a leaf node.
   Additional authorization checks may be required once the key package
   is decrypted.  For example, the key package shown below consists of a
   SignedData layer that encapsulates an encrypted key package that
   encapsulates a SignedData layer containing a symmetric key package.
   A recipient capable of decrypting the key package would perform the
   following steps prior to accepting the encapsulated symmetric key
   material:

    o Verify the signature on the SignedData layer per [RFC3852]

    o Build and validate a certification path to the signer and confirm
      the signer is authorized to produce the encrypted key package per
      [RFC5280] and [CCC]

    o Decrypt the encrypted key package

    o Verify the signature on the SignedData layer per [RFC3852]

    o Build and validate a certification path to the signer and confirm
      the signer is authorized to produce the symmetric key package per
     [RFC5280] and [CCC]

    o Use the symmetric key material








Turner & Housley        Expires March 08, 2010                 [Page 3]

Internet-Draft    Encrypted Key Package Content Type     September 2009


            +--------------------------------------+
            | ContentInfo                          |
            |                                      |
            | +----------------------------------+ |
            | | SignedData                       | |
            | |                                  | |
            | | +------------------------------+ | |
            | | | EncryptedKeyPackage          | | |
            | | |   (encrypted)                | | |
            | | |                              | | |
            | | | +-------------------------+  | | |
            | | | | SignedData              |  | | |
            | | | |                         |  | | |
            | | | | +---------------------+ |  | | |
            | | | | | SymmetricKeyPackage | |  | | |
            | | | | +---------------------+ |  | | |
            | | | +-------------------------+  | | |
            | | +------------------------------+ | |
            | +----------------------------------+ |
            +--------------------------------------+

   In the example, authorization of the SymmetricKeyPackage originator
   need not require an intermediate SignedData layer.  For example, if
   the AuthEnvelopedData option within an EncryptedKeyPackage were used,
   the second authorization check would be performed beginning with the
   authEnveloped field.

   This document also defines an unprotected attribute for use with one
   of the key management options supported by the encrypted key package
   content type.

1.1. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2. ASN.1 Syntax Notation

   The key package is defined using the ASN.1 [X.680].

2. Encrypted Key Package

   The encrypted key package content type is used to encrypt a content
   that includes a key package.  This content type is usually used to
   provide encryption of a key package or a signed key package.  This
   content type makes use of the CMS EncryptedData content type


Turner & Housley        Expires March 08, 2010                 [Page 4]

Internet-Draft    Encrypted Key Package Content Type     September 2009


   [RFC3852], the CMS EnvelopedData content type [RFC3852], or the CMS
   AuthEnvelopedData content type [RFC5083] depending on the fields that
   are needed for key management.  The difference between the encrypted
   key package content type and these three protecting content types is
   the object identifier and one tag; otherwise, the encrypted key
   package content type is the same as the selected protecting content
   type, which is either EncryptedData, EnvelopedData, or
   AuthEnvelopedData.

   The encrypted key package content type has the following syntax:

     encrypted-key-package PKCS7-CONTENT-TYPE ::=
       { EncryptedKeyPackage IDENTIFIED BY id-ct-KP-encryptedKeyPkg }

     PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER

     id-ct-KP-encryptedKeyPkg OBJECT IDENTIFIER ::=
       { joint-iso-itu-t(2) country(16) us(840) organization(1)
         gov(101) dod(2) infosec(1) formats(2)
         key-package-content-types(78) 2 }

     EncryptedKeyPackage ::= CHOICE {
       encrypted        EncryptedData,
       enveloped        [0] EnvelopedData,
       authEnveloped    [1] AuthEnvelopedData }

   The EncryptedData structure is used for simple symmetric encryption,
   where the sender and the receiver already share the necessary
   encryption key.  The EncryptedData structure carries an encryption
   algorithm identifier, and an unprotected attribute can be used to
   carry an encryption key identifier if one is needed (see Section 3).
   See [RFC3852] for further discussion of the EncryptedData fields.

   The EnvelopedData structure is used for encryption, where transferred
   key management information enables decryption by the receiver.
   Encryption details depend on the key management algorithm used. In
   addition to the key management information, the EnvelopedData
   structure carries an encryption algorithm identifier.  See [RFC3852]
   for further discussion of the EnvelopedData fields.

   The AuthEnvelopedData structure is used for authenticated encryption,
   and it includes key management information in a manner similar to
   EnvelopedData.  Encryption details depend on the key management
   algorithm used. In addition to the key management information, the
   AuthEnvelopedData structure carries a message authentication code
   that covers the content as well as authenticated attributes.  See
   [RFC5083] for further discussion of the AuthEnvelopedData fields.


Turner & Housley        Expires March 08, 2010                 [Page 5]

Internet-Draft    Encrypted Key Package Content Type     September 2009


   Implementations of this document MUST support the EnvelopedData
   choice, SHOULD support the EncryptedData choice, and MAY support the
   AuthEnvelopedData.

   Implementations that encrypt data to encapsulate with this content
   type MUST support an EncryptedKeyPackage that encapsulates either a
   SignedData [RFC3852] that further encapsulates a SymmetricKeyPackage
   [RFCTBD1] or a SignedData that further encapsulates an
   AsymmetricKeyPackage [RFCTBD2].  Likewise, implementations that
   process this content type to decrypt the encapsulated data MUST
   support an EncryptedKeyPackage that encapsulates either a SignedData
   that further encapsulates a SymmetricKeyPackage or a SignedData that
   further encapsulates an AsymmetricKeyPackage.  An EncryptedKeyPackage
   content type MUST contain at least one SymmetricKeyPackage or
   AsymmetricKeyPackage. Implementations MAY support additional
   encapsulating layers.

   Note that interoperability between an originator and a recipient that
   do not support the same inner-most content (e.g., originator supports
   AsymmetricKeyPackage while recipient supports SymmetricKeyPackage) is
   not a concern as originators should be aware of the recipient's
   capabilities; however, the mechanism for the exchange of the
   recipient's capabilities is beyond the scope of this document.

3. Content Decryption Key Identifier

   The content-decryption-key-identifier attribute can be used to
   identify the symmetric keying material that is needed for decryption
   of the EncryptedData content if there is any ambiguity.  The
   ATTRIBUTE definition is taken from [RFCTBD3].

   The content-decryption-key-identifier attribute has the following
   syntax:

     content-decrypt-key-identifier ATTRIBUTE ::= {
       WITH SYNTAX ContentDecryptKeyID
       ID id-aa-KP-contentDecryptKeyID }

     id-aa-KP-contentDecryptKeyID OBJECT IDENTIFIER ::= {
       joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
       dod(2) infosec(1) attributes(5) 66 }

     ContentDecryptKeyID ::= OCTET STRING

   The content decryption key identifier contains an octet string, and
   this syntax does not impose any particular structure on the
   identifier value.


Turner & Housley        Expires March 08, 2010                 [Page 6]

Internet-Draft    Encrypted Key Package Content Type     September 2009


   Due to multiple layers of encryption, the content-decryption-key-
   identifier attribute can appear in more than one location in the
   overall key package.  When there are multiple occurrences of the
   content-decryption-key-identifier attribute, each occurrence is
   evaluated independently.  Each one is used to identify the needed
   keying material for that layer of encryption.

4. Security Considerations

   The security considerations from [RFC3852], [RFC4073], [RFC5083],
   [RFCTBD1], [RFCTBD2], and [CCC] apply.

   The encrypted key package content type might not provide proof of
   origin if the content encryption algorithm does not support
   authenticated key exchange.  To provide proof of origin for this
   content, another security protocol needs to be used.  This is the
   reason that support for encapsulating the EncryptedKeyPackage with a
   SignedData content type from [RFC3852] is required.

5. IANA Considerations

   None.  Please remove this section prior to publication as an RFC.

6. References

6.1. Normative References

   [RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3852]   Housley, R., "Cryptographic Message Syntax (CMS)", RFC
               3852, July 2004.

   [RFC5083]   Housley, R., "Cryptographic Message Syntax (CMS)
               Authenticated-Enveloped-Data Content Type", RFC 5083,
               November 2007.

   [RFC5280]   Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
               Housley, R., and W. Polk, "Internet X.509 Public Key
               Infrastructure Certificate and Certificate Revocation
               List (CRL) Profile", RFC 5280, May 2008.

   [RFCTBD1]   Housley, R. and S. Turner, "Symmetric Key package Content
               Type", draft-ietf-keyprov-symmetrickeyformat-05.txt,
               work-in-progress.




Turner & Housley        Expires March 08, 2010                 [Page 7]

Internet-Draft    Encrypted Key Package Content Type     September 2009


   [RFCTBD2]   Turner, S., "Asymmetric Key Packages", draft-turner-
               asymmetrickeyformat-01.txt, work-in-progress.

   [RFCTBD3]   Schaad, J., and P. Hoffman, "New ASN.1 Modules for PKIX",
               draft-ietf-pkix-new-asn1-07.txt, work-in-progress.

   [X.680]     ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002.
               Information Technology - Abstract Syntax Notation One.

6.2. Informative References

   [RFC3274]   Gutmann, P., "Compressed Data Content Type for
               Cryptographic Message Syntax (CMS)", RFC 3274, June 2002.

   [RFC4073]   Housley, R., "Protecting Multiple Contents with the
               Cryptographic Message Syntax (CMS)", RFC 4073, May 2005.

   [CCC]       Wallace, C., and R. Housley, "Cryptographic Message
               Syntax (CMS) Content Constraints X.509 Certificate
               Extension", draft-housley-cms-content-constraints-extn-
               01.txt, work-in-progress.

Appendix A. ASN.1 Module

   This appendix provides the normative ASN.1 definitions for the
   structures described in this specification using ASN.1 as defined in
   X.680.

   EncryptedKeyPackage { id-TBSL }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL --

   IMPORTS

   -- IMPORTS from CMS [RFC3852]

   EncryptedData, EnvelopedData
     FROM CryptographicMessageSyntax
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
         smime(16) modules(0) cms-2004(24) }

   -- IMPORTS from CMS AuthEnvelopedData [RFC5083]



Turner & Housley        Expires March 08, 2010                 [Page 8]

Internet-Draft    Encrypted Key Package Content Type     September 2009


   AuthEnvelopedData
     FROM CMS-AuthEnvelopedData-2007
        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
          pkcs-9(9) smime(16) modules(0) cms-authEnvelopedData(31) }

   -- IMPORTS from PKIX ASN.1 [RFCTBD3]

     ATTRIBUTE
       FROM PKIX-CommonTypes-2009
         { iso(1) identified-organization(3) dod(6) internet(1)
           security(5) mechanisms(5) pkix(7) id-mod(0)
           id-mod-pkixCommon-02(57) }

   ;

   PKCS7-CONTENT-TYPE ::= TYPE-IDENTIFIER

   KeyPackageContentTypes PKCS7-CONTENT-TYPE ::= {
     encrypted-key-package,
     ... -- Expect additional content types --
   }

   encrypted-key-package PKCS7-CONTENT-TYPE ::=
       { EncryptedKeyPackage IDENTIFIED BY id-ct-KP-encryptedKeyPkg }

   id-ct-KP-encryptedKeyPkg OBJECT IDENTIFIER ::=
     { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
       dod(2) infosec(1) formats(2) key-package-content-types(78) 2 }

   EncryptedKeyPackage ::= CHOICE {
       encrypted        EncryptedData,
       enveloped        [0] EnvelopedData,
       authEnveloped    [1] AuthEnvelopedData }

   content-decrypt-key-identifier ATTRIBUTE ::= {
       WITH SYNTAX ContentDecryptKeyID
       ID id-aa-KP-contentDecryptKeyID }

   id-aa-KP-contentDecryptKeyID OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     dod(2) infosec(1) attributes(5) 66 }

   ContentDecryptKeyID ::= OCTET STRING

   END




Turner & Housley        Expires March 08, 2010                 [Page 9]

Internet-Draft    Encrypted Key Package Content Type     September 2009


Authors' Addresses

   Sean Turner
   IECA, Inc.
   3057 Nutley Street, Suite 106
   Fairfax, VA 22031
   USA

   EMail: turners@ieca.com

   Russ Housley
   Vigil Security, LLC
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA

   EMail: housley@vigilsec.com
































Turner & Housley        Expires March 08, 2010                [Page 10]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/