draft-ietf-smime-cms-aes-ccm-and-gcm-00.txt   vs.   draft-ietf-smime-cms-aes-ccm-and-gcm-01.txt
(rfcdiff side-by-side output; text common to both versions appears once,
changed passages appear as "-00:" followed by "-01:")

INTERNET DRAFT                                               R. Housley
S/MIME Working Group                                      Vigil Security
Expires July 2007                                          January 2007

          Using AES-CCM and AES-GCM Authenticated Encryption
               in the Cryptographic Message Syntax (CMS)

   -00:
   <draft-ietf-smime-cms-aes-ccm-and-gcm-00.txt>
   -01:
   <draft-ietf-smime-cms-aes-ccm-and-gcm-01.txt>

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   -00:
   material or to cite them other than a "work in progress."
   -01:
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Abstract

   This document specifies the conventions for using the AES-CCM and the
   [skipping to change at page 2, line 47]
   suited for restricted-space environments.  The AES is widely used by
   organizations, institutions, and individuals outside of the U.S.
   Government.

   The AES specifies three key sizes: 128, 192, and 256 bits.

1.4.  AES-CCM

   The Counter with CBC-MAC (CCM) mode of operation is specified in
   [CCM].  CCM is a generic authenticated encryption block cipher mode.
   -00:
   CCM is only defined for use with any 128-bit block cipher, but in
   this document, CCM is only used with the AES block cipher.
   -01:
   CCM is defined for use with any 128-bit block cipher, but in this
   document, CCM is used with the AES block cipher.

   AES-CCM has four inputs: an AES key, a nonce, a plaintext, and
   optional additional authenticated data (AAD).  AES-CCM generates two
   -00:
   outputs: a ciphertext and an authentication tag.
   -01:
   outputs: a ciphertext and a message authentication code (also called
   an authentication tag).

   -00:
   Within the scope of any authenticated-encryption key, the nonce value
   MUST be unique.  That is, the set of nonce values used with any given
   key MUST NOT contain any duplicate values.  Using the same nonce for
   two different messages encrypted with the same key destroys the
   security properties.
   -01:
   The nonce is generated by the party performing the authenticated
   encryption operation.  Within the scope of any authenticated-
   encryption key, the nonce value MUST be unique.  That is, the set of
   nonce values used with any given key MUST NOT contain any duplicate
   values.  Using the same nonce for two different messages encrypted
   with the same key destroys the security properties.

   AAD is authenticated but not encrypted.  Thus, the AAD is not
   included in the AES-CCM output.  It can be used to authenticate
   -00:
   plaintext packet headers.  In CMS, authenticated attributes comprise
   the AAD.
   -01:
   plaintext packet headers.  In the CMS authenticated-enveloped-data
   content type, authenticated attributes comprise the AAD.

1.5.  AES-GCM

   The Galois/Counter Mode (GCM) is specified in [GCM].  GCM is a
   -00:
   generic authenticated encryption block cipher mode.  GCM is only
   defined for use with any 128-bit block cipher, but in this document,
   GCM is only used with the AES block cipher.
   -01:
   generic authenticated encryption block cipher mode.  GCM is defined
   for use with any 128-bit block cipher, but in this document, GCM is
   used with the AES block cipher.

   AES-GCM has four inputs: an AES key, an initialization vector (IV), a
   plaintext content, and optional additional authenticated data (AAD).
   -00:
   AES-GCM generates two outputs: a ciphertext and an authentication
   tag.  To have a common set of terms for AES-CCM and AES-GCM, the AES-
   GCM IV is referred to as a nonce in the remainder of this document.
   -01:
   AES-GCM generates two outputs: a ciphertext and message
   authentication code (also called an authentication tag).  To have a
   common set of terms for AES-CCM and AES-GCM, the AES-GCM IV is
   referred to as a nonce in the remainder of this document.

   -00:
   Within the scope of any authenticated-encryption key, the nonce value
   MUST be unique.  That is, the set of nonce values used with any given
   key MUST NOT contain any duplicate values.  Using the same nonce for
   two different messages encrypted with the same key destroys the
   security properties.
   -01:
   The nonce is generated by the party performing the authenticated
   encryption operation.  Within the scope of any authenticated-
   encryption key, the nonce value MUST be unique.  That is, the set of
   nonce values used with any given key MUST NOT contain any duplicate
   values.  Using the same nonce for two different messages encrypted
   with the same key destroys the security properties.

   AAD is authenticated but not encrypted.  Thus, the AAD is not
   included in the AES-GCM output.  It can be used to authenticate
   -00:
   plaintext packet headers.  In CMS, authenticated attributes comprise
   the AAD.
   -01:
   plaintext packet headers.  In the CMS authenticated-enveloped-data
   content type, authenticated attributes comprise the AAD.

2.  Automatic Key Management

   The reuse of an AES-CCM or AES-GCM nonce/key combination destroys the
   security guarantees.  As a result, it can be extremely difficult to
   use AES-CCM or AES-GCM securely when using statically configured
   keys.  For safety's sake, implementations MUST use an automated key
   management system.

   The CMS authenticated-enveloped-data content type supports four
   [skipping to change at page 5, line 17]
   encryptedContent field and to provide the message authentication code
   for the AuthEnvelopedData mac field.  Note that the message
   authentication code provides integrity protection for both the
   AuthEnvelopedData authAttrs and the AuthEnvelopedData
   EncryptedContentInfo encryptedContent.

3.1.  AES-CCM

   -00:
   The AES-CCM authenticated encryption algorithm is described in [CCM].
   A brief summary of the properties of AES-CCM is provided in Section
   1.4.  There are three algorithm identifiers for AES-CCM, one for each
   AES key size:
   -01:
   The AES-CCM authenticated encryption algorithm is described in [CCM].
   A brief summary of the properties of AES-CCM is provided in Section
   1.4.

   Neither the plaintext content nor the optional AAD inputs need to be
   padded prior to invoking AES-CCM.

   There are three algorithm identifiers for AES-CCM, one for each AES
   key size:

      aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
              organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }

   -00:
      id-aes128-CCM OBJECT IDENTIFIER ::= { aes 5 }
      id-aes192-CCM OBJECT IDENTIFIER ::= { aes 25 }
      id-aes256-CCM OBJECT IDENTIFIER ::= { aes 45 }
   -01:
      id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }
      id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }
      id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }

   With all three AES-CCM algorithm identifiers, the AlgorithmIdentifier
   parameters field MUST be present, and the parameters field must
   contain a CCMParameter:

      CCMParameters ::= SEQUENCE {
        aes-nonce         OCTET STRING (SIZE(7..13)),
        aes-ICVlen        AES-CCM-ICVlen DEFAULT 12 }

      AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)

   -00:
   The aes-nonce parameter field contains 15-L octets, where L is the
   size of the length field.  With CMS, the normal situation is for the
   content-authenticated-encryption key to be used for a single content,
   therefore L=8 is RECOMMENDED.  See [CCM] for a discussion of the
   trade-off between the maximum content size and the size of the Nonce.
   Within the scope of any content-authenticated-encryption key, the
   nonce value MUST be unique.  That is, the set of nonce values used
   with any given key MUST NOT contain any duplicate values.
   -01:
   The aes-nonce parameter field contains 15-L octets, where L is the
   size of the length field.  With the CMS, the normal situation is for
   the content-authenticated-encryption key to be used for a single
   content, therefore L=8 is RECOMMENDED.  See [CCM] for a discussion of
   the trade-off between the maximum content size and the size of the
   Nonce.  Within the scope of any content-authenticated-encryption key,
   the nonce value MUST be unique.  That is, the set of nonce values
   used with any given key MUST NOT contain any duplicate values.

   The aes-ICVlen parameter field tells the size of the message
   authentication code.  It MUST match the size in octets of the value
   in the AuthEnvelopedData mac field.  A length of 12 octets is
   RECOMMENDED.

3.2.  AES-GCM

   -00:
   The AES-GCM authenticated encryption algorithm is described in [GCM].
   A brief summary of the properties of AES-CCM is provided in Section
   1.5.  There are three algorithm identifiers for AES-GCM, one for each
   AES key size:
   -01:
   The AES-GCM authenticated encryption algorithm is described in [GCM].
   A brief summary of the properties of AES-CCM is provided in Section
   1.5.

   Neither the plaintext content nor the optional AAD inputs need to be
   padded prior to invoking AES-GCM.

   There are three algorithm identifiers for AES-GCM, one for each AES
   key size:

      aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
              organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }

      id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 }
      id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 }
      id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 }

   [skipping to change at page 6, line 33 (-00) / page 6, line 43 (-01)]
   contain a GCMParameter:

      GCMParameters ::= SEQUENCE {
        aes-nonce        OCTET STRING, -- recommended size is 12 octets
        aes-ICVlen       AES-GCM-ICVlen DEFAULT 12 }

      AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)

   -00:
   The aes-nonce is the AES-GCM initialization vector.  The algorithm
   specification permits the nonce to have any number of bits between 1
   and 2^64.  However, the use of OCTET STRING requires the nonce to be
   a multiple of 8 bits.  Within the scope of any content-authenticated-
   encryption key, the nonce value MUST be unique, but need not have
   equal lengths.  A nonce value of 12 octets can be processed more
   efficiently, so that length is RECOMMENDED.
   -01:
   The aes-nonce is the AES-GCM initialization vector.  The algorithm
   specification permits the nonce to have any number of bits between 1
   and 2^64.  However, the use of OCTET STRING within GCMParameters
   requires the nonce to be a multiple of 8 bits.  Within the scope of
   any content-authenticated-encryption key, the nonce value MUST be
   unique, but need not have equal lengths.  A nonce value of 12 octets
   can be processed more efficiently, so that length is RECOMMENDED.

   The aes-ICVlen parameter field tells the size of the message
   authentication code.  It MUST match the size in octets of the value
   in the AuthEnvelopedData mac field.  A length of 12 octets is
   RECOMMENDED.
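   The CCMParameters and GCMParameters structures of Sections 3.1 and 3.2
   carry constraints that an implementation has to enforce on both sides of
   the wire: a CCM nonce of 7..13 octets with L = 15 minus the nonce length,
   the enumerated aes-ICVlen values, the DEFAULT 12 (which DER requires to
   be omitted when it applies), and the rule that aes-ICVlen MUST equal the
   octet length of the AuthEnvelopedData mac field.  The following Python is
   an added example and is not code from the draft or from any CMS
   implementation; it encodes and decodes only the two parameter SEQUENCEs
   (not the AES-CCM or AES-GCM operation itself), and its function names and
   sample nonce values are this example's own.

```python
# Added example: DER encoding/decoding of CCMParameters and GCMParameters
# (draft Sections 3.1 and 3.2) with the draft's constraints enforced.
# Pure Python, no third-party modules.  Names and sample values are the
# example's own, not the draft's.

CCM_ICV_LENGTHS = {4, 6, 8, 10, 12, 14, 16}   # AES-CCM-ICVlen
GCM_ICV_LENGTHS = {12, 13, 14, 15, 16}        # AES-GCM-ICVlen
DEFAULT_ICVLEN = 12                           # "aes-ICVlen ... DEFAULT 12"
TAG_INTEGER, TAG_OCTET_STRING, TAG_SEQUENCE = 0x02, 0x04, 0x30


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value):
    # Non-negative values only; a leading 0x00 is kept when the top bit is set.
    return _der_tlv(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _encode_parameters(nonce, icvlen, nonce_ok, icv_lengths):
    nonce = bytes(nonce)
    if not nonce_ok(nonce):
        raise ValueError("aes-nonce length not permitted")
    if icvlen not in icv_lengths:
        raise ValueError("aes-ICVlen value not permitted")
    body = _der_tlv(TAG_OCTET_STRING, nonce)
    if icvlen != DEFAULT_ICVLEN:           # DER: a component equal to its DEFAULT is omitted
        body += _der_integer(icvlen)
    return _der_tlv(TAG_SEQUENCE, body)


def _decode_parameters(der, nonce_ok, icv_lengths):
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, nonce, pos = _read_tlv(seq, 0)
    if tag != TAG_OCTET_STRING:
        raise ValueError("aes-nonce must be an OCTET STRING")
    icvlen = DEFAULT_ICVLEN                # absent component means DEFAULT 12
    if pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != TAG_INTEGER:
            raise ValueError("aes-ICVlen must be an INTEGER")
        icvlen = int.from_bytes(body, "big")
        if icvlen == DEFAULT_ICVLEN:
            raise ValueError("DER forbids encoding the DEFAULT value explicitly")
        if pos != len(seq):
            raise ValueError("trailing octets inside SEQUENCE")
    if not nonce_ok(nonce):
        raise ValueError("aes-nonce length not permitted")
    if icvlen not in icv_lengths:
        raise ValueError("aes-ICVlen value not permitted")
    return nonce, icvlen


# Section 3.1: aes-nonce OCTET STRING (SIZE(7..13)), AES-CCM-ICVlen
def encode_ccm_parameters(nonce, icvlen=DEFAULT_ICVLEN):
    return _encode_parameters(nonce, icvlen, lambda n: 7 <= len(n) <= 13, CCM_ICV_LENGTHS)


def decode_ccm_parameters(der):
    return _decode_parameters(der, lambda n: 7 <= len(n) <= 13, CCM_ICV_LENGTHS)


# Section 3.2: aes-nonce OCTET STRING (whole octets, so at least one), AES-GCM-ICVlen
def encode_gcm_parameters(nonce, icvlen=DEFAULT_ICVLEN):
    return _encode_parameters(nonce, icvlen, lambda n: len(n) >= 1, GCM_ICV_LENGTHS)


def decode_gcm_parameters(der):
    return _decode_parameters(der, lambda n: len(n) >= 1, GCM_ICV_LENGTHS)


def ccm_length_field_size(nonce):
    """Section 3.1: the nonce has 15-L octets, so L = 15 - len(nonce)."""
    return 15 - len(nonce)


def ccm_max_content_octets(nonce):
    """Largest content an L-octet CCM length field can describe: 2^(8L) - 1."""
    return 2 ** (8 * ccm_length_field_size(nonce)) - 1


def mac_length_matches(icvlen, mac):
    """aes-ICVlen MUST equal the octet length of the AuthEnvelopedData mac field."""
    return icvlen == len(mac)


def rejects(func, *args):
    """True if func(*args) raises ValueError; shows a constraint check firing."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    nonce = bytes(range(7))                # constructed 7-octet nonce, i.e. L = 8
    der = encode_ccm_parameters(nonce)     # aes-ICVlen omitted: DEFAULT 12 applies
    print("CCMParameters", der.hex(), decode_ccm_parameters(der))
    print("L =", ccm_length_field_size(nonce), "max content =", ccm_max_content_octets(nonce))
    der = encode_gcm_parameters(bytes(range(12)), 16)
    print("GCMParameters", der.hex(), decode_gcm_parameters(der))
```

   With the recommended 7-octet CCM nonce (L=8) the length field can
   describe 2^64-1 octets, which is why L=8 costs nothing in the single-
   content-per-key case the draft describes; a 13-octet nonce leaves L=2
   and caps the content at 65535 octets.  The decoder rejects an explicitly
   encoded aes-ICVlen of 12, since DER omits a component equal to its
   DEFAULT, and the mac-length check is the receiver-side counterpart of the
   MUST in the text.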
4.  Security Considerations

   AES-CCM and AES-GCM make use of the AES block cipher in counter mode
   to provide encryption.  When used properly, counter mode provides
   [skipping to change at page 7, line 50 (-00) / page 8, line 12 (-01)]

   [AES]      NIST, FIPS PUB 197, "Advanced Encryption Standard (AES)",
              November 2001.

   [CCM]      Whiting, D., Housley, R., and N. Ferguson, "Counter with
              CBC-MAC (CCM)", RFC 3610, September 2003.

   [CMS]      Housley, R., "Cryptographic Message Syntax (CMS)",
              RFC 3852, July 2004.

   -00:
   [GCM]      McGrew, D. and J. Viega, "The Galois/Counter Mode of
              Operation (GCM)", Submission to NIST.  January 2004.
              http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/
              gcm/gcm-spec.pdf.
   -01:
   [GCM]      McGrew, D. and J. Viega, "The Galois/Counter Mode of
              Operation (GCM)", Submission to NIST, May 2005.
              http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/
              gcm/gcm-revised-spec.pdf.

   [STDWORDS] S. Bradner, "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

5.2.  Informative References

   [BDJR]     Bellare, M, Desai, A., Jokipii, E., and P. Rogaway,
              "A Concrete Security Treatment of Symmetric Encryption:
              Analysis of the DES Modes of Operation", Proceedings
              38th Annual Symposium on Foundations of Computer
   [skipping to change at page 8, line 34 (-00) / page 9, line 4 (-01)]

Appendix: ASN.1 Module

   CMS-AES-CCM-and-AES-GCM
     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
       pkcs-9(9) smime(16) modules(0) cms-aes-ccm-and-gcm(32) }

   DEFINITIONS IMPLICIT TAGS ::= BEGIN

   -- EXPORTS All

   -- Object Identifiers

   aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
           organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }

   -00:
   id-aes128-CCM OBJECT IDENTIFIER ::= { aes 5 }
   id-aes192-CCM OBJECT IDENTIFIER ::= { aes 25 }
   id-aes256-CCM OBJECT IDENTIFIER ::= { aes 45 }
   -01:
   id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }
   id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }
   id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }

   id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 }
   id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 }
   id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 }

   -- Parameters for AigorithmIdentifier

   CCMParameters ::= SEQUENCE {
     aes-nonce         OCTET STRING (SIZE(7..13)),
     aes-ICVlen        AES-CCM-ICVlen DEFAULT 12 }

   AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)

   GCMParameters ::= SEQUENCE {
     aes-nonce        OCTET STRING, -- recommended size is 12 octets
   [skipping to change at page 10, line 7]

   Russell Housley
   Vigil Security, LLC
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA

   EMail: housley(at)vigilsec.com

Copyright and IPR Statements

   -00:
   Copyright (C) The Internet Society (2007).
   -01:
   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   [skipping to change at page 10, line 32]
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein are provided on an
   -00:
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, (THE IETF TRUST)
   AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
   THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
   IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
   PURPOSE.
   -01:
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

End of changes.  28 change blocks.  62 lines changed or deleted, 72 lines changed or added.

This html diff was produced by rfcdiff 1.33.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/