1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
|
<pre>Network Working Group D. Balenson
Request for Comments: 1423 TIS
Obsoletes: <a href="./rfc1115">1115</a> IAB IRTF PSRG, IETF PEM WG
February 1993
<span class="h1">Privacy Enhancement for Internet Electronic Mail:</span>
<span class="h1">Part III: Algorithms, Modes, and Identifiers</span>
Status of This Memo
This RFC specifies an IAB standards track protocol for the Internet
community, and requests discussion and suggestions for improvements.
Please refer to the current edition of the "IAB Official Protocol
Standards" for the standardization state and status of this protocol.
Distribution of this memo is unlimited.
Abstract
This document provides definitions, formats, references, and
citations for cryptographic algorithms, usage modes, and associated
identifiers and parameters used in support of Privacy Enhanced Mail
(PEM) in the Internet community. It is intended to become one member
of the set of related PEM RFCs. This document is organized into four
primary sections, dealing with message encryption algorithms, message
integrity check algorithms, symmetric key management algorithms, and
asymmetric key management algorithms (including both asymmetric
encryption and asymmetric signature algorithms).
Some parts of this material are cited by other documents and it is
anticipated that some of the material herein may be changed, added,
or replaced without affecting the citing documents. Therefore,
algorithm-specific material has been placed into this separate
document.
Use of other algorithms and/or modes will require case-by-case study
to determine applicability and constraints. The use of additional
algorithms may be documented first in Prototype or Experimental RFCs.
As experience is gained, these protocols may be considered for
incorporation into the standard. Additional algorithms and modes
approved for use in PEM in this context will be specified in
successors to this document.
Acknowledgments
This specification was initially developed by the Internet Research
Task Force's Privacy and Security Research Group (IRTF PSRG) and
subsequently refined based on discussion in the Internet Engineering
<span class="grey">Balenson [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
Task Force's Privacy Enhanced Mail Working Group (IETF PEM WG). John
Linn contributed significantly to the predecessor of this document
(<a href="./rfc1115">RFC 1115</a>). I would like to thank the members of the PSRG and PEM
WG, as well as all participants in discussions on the "pem-
dev@tis.com" mailing list, for their contributions to this document.
Table of Contents
<a href="#section-1">1</a>. Message Encryption Algorithms ....................... <a href="#page-2">2</a>
<a href="#section-1.1">1.1</a> DES in CBC Mode (DES-CBC) .......................... <a href="#page-2">2</a>
<a href="#section-2">2</a>. Message Integrity Check Algorithms .................. <a href="#page-4">4</a>
<a href="#section-2.1">2.1</a> RSA-MD2 Message Digest Algorithm ................... <a href="#page-4">4</a>
<a href="#section-2.2">2.2</a> RSA-MD5 Message Digest Algorithm ................... <a href="#page-5">5</a>
<a href="#section-3">3</a>. Symmetric Key Management Algorithms ................. <a href="#page-6">6</a>
<a href="#section-3.1">3.1</a> DES in ECB mode (DES-ECB) .......................... <a href="#page-6">6</a>
<a href="#section-3.2">3.2</a> DES in EDE mode (DES-EDE) .......................... <a href="#page-7">7</a>
<a href="#section-4">4</a>. Asymmetric Key Management Algorithms ................ <a href="#page-7">7</a>
<a href="#section-4.1">4.1</a> Asymmetric Keys .................................... <a href="#page-7">7</a>
<a href="#section-4.1.1">4.1.1</a> RSA Keys ......................................... <a href="#page-7">7</a>
<a href="#section-4.2">4.2</a> Asymmetric Encryption Algorithms .................. <a href="#page-9">9</a>
<a href="#section-4.2.1">4.2.1</a> RSAEncryption ................................... <a href="#page-9">9</a>
<a href="#section-4.3">4.3</a> Asymmetric Signature Algorithms ................... <a href="#page-10">10</a>
<a href="#section-4.3.1">4.3.1</a> md2WithRSAEncryption ............................ <a href="#page-11">11</a>
<a href="#section-5">5</a>. Descriptive Grammar ................................ <a href="#page-11">11</a>
References ............................................. <a href="#page-12">12</a>
Patent Statement ....................................... <a href="#page-13">13</a>
Security Considerations ................................ <a href="#page-14">14</a>
Author's Address ....................................... <a href="#page-14">14</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Message Encryption Algorithms</span>
This section identifies the alternative message encryption algorithms
and modes that shall be used to encrypt message text and, when
asymmetric key management is employed in an ENCRYPTED PEM message, for
encryption of message signatures. Character string identifiers are
assigned and any parameters required by the message encryption
algorithm are defined for incorporation in an encapsulated "DEK-
Info:" header field.
Only one alternative is currently defined in this category.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a> DES in CBC Mode (DES-CBC)</span>
Message text and, if required, message signatures are encrypted using
the Data Encryption Standard (DES) algorithm in the Cipher Block
Chaining (CBC) mode of operation. The DES algorithm is defined in
FIPS PUB 46-1 [<a href="#ref-1" title="Data Encryption Standard">1</a>], and is equivalent to the Data Encryption Algorithm
(DEA) provided in ANSI X3.92-1981 [<a href="#ref-2" title="American National Standards Institute">2</a>]. The CBC mode of operation of
<span class="grey">Balenson [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
DES is defined in FIPS PUB 81 [<a href="#ref-3" title="DES Modes of Operation">3</a>], and is equivalent to those
provided in ANSI X3.106 [<a href="#ref-4" title=" American National Standards Institute">4</a>] and in ISO IS 8372 [<a href="#ref-5">5</a>]. The character
string "DES-CBC" within an encapsulated PEM header field indicates
the use of this algorithm/mode combination.
The input to the DES CBC encryption process shall be padded to a
multiple of 8 octets, in the following manner. Let n be the length
in octets of the input. Pad the input by appending 8-(n mod 8)
octets to the end of the message, each having the value 8-(n mod 8),
the number of octets being added. In hexadecimal, the possible
paddings are: 01, 0202, 030303, 04040404, 0505050505, 060606060606,
07070707070707, and 0808080808080808. All input is padded with 1 to
8 octets to produce a multiple of 8 octets in length. The padding
can be removed unambiguously after decryption.
The DES CBC encryption process requires a 64-bit cryptographic key.
A new, pseudorandom key shall be generated for each ENCRYPTED PEM
message. Of the 64 bits, 56 are used directly by the DES CBC
process, and 8 are odd parity bits, with one parity bit occupying the
right-most bit of each octet. When symmetric key management is
employed, the setting and checking of odd parity bits is encouraged,
since these bits could detect an error in the decryption of a DES key
encrypted under a symmetric key management algorithm (e.g., DES ECB).
When asymmetric key management is employed, the setting of odd parity
bits is encouraged, but the checking of odd parity bits is
discouraged, in order to facilitate interoperability, and since an
error in the decryption of a DES key can be detected by other means
(e.g., an incorrect PKCS #1 encryption-block format). In all cases,
the encrypted form of a DES key shall carry all 64 bits of the key,
including the 8 parity bits, though those bits may have no meaning.
The DES CBC encryption process also requires a 64-bit Initialization
Vector (IV). A new, pseudorandom IV shall be generated for each
ENCRYPTED PEM message. Section 4.3.1 of [<a href="#ref-7" title=""Security Mechanisms in High- Level Network Protocols"">7</a>] provides rationale for
this requirement, even given the fact that individual DES keys are
generated for individual messages. The IV is transmitted with the
message within an encapsulated PEM header field.
When this algorithm/mode combination is used for message text
encryption, the "DEK-Info:" header field carries exactly two
arguments. The first argument identifies the DES CBC algorithm/mode
using the character string defined above. The second argument
contains the IV, represented as a contiguous string of 16 ASCII
hexadecimal digits.
When symmetric key management is employed with this algorithm/mode
combination, a symmetrically encrypted DES key will be represented in
the third argument of a "Key-Info:" header field as a contiguous
<span class="grey">Balenson [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
string of 16 ASCII hexadecimal digits (corresponding to a 64-bit
key).
To avoid any potential ambiguity regarding the ordering of the octets
of a DES key that is input as a data value to another encryption
process (e.g., RSAEncryption), the following holds true. The first
(or left-most displayed, if one thinks in terms of a key's "print"
representation) (For purposes of discussion in this document, data
values are normalized in terms of their "print" representation. For a
octet stream, the "first" octet would appear as the one on the "left",
and the "last" octet would appear on the "right".) octet of the key
(i.e., bits 1-8 per FIPS PUB 46-1), when considered as a data value,
has numerical weight 2**56. The last (or right-most displayed) octet
(i.e., bits 57-64 per FIPS PUB 46-1) has numerical weight 2**0.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Message Integrity Check Algorithms</span>
This section identifies the alternative algorithms that shall be used
to compute Message Integrity Check (MIC) values for PEM messages.
Character string identifiers and ASN.1 object identifiers are
assigned for incorporation in encapsulated "MIC-Info:" and "Key-
Info:" header fields to indicate the choice of MIC algorithm
employed.
A compliant PEM implementation shall be able to process all of the
alternative MIC algorithms defined here on incoming messages. It is
a sender option as to which alternative is employed on an outbound
message.
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a> RSA-MD2 Message Digest Algorithm</span>
The RSA-MD2 message digest is computed using the algorithm defined in
<a href="./rfc1319">RFC 1319</a> [<a href="#ref-9" title=""The MD2 Message-Digest Algorithm"">9</a>]. ( An error has been identified in <a href="./rfc1319">RFC 1319</a>. The
statement in the text of <a href="#section-3.2">Section 3.2</a> which reads "Set C[j] to S[c xor
L]" should read "Set C[j] to S[c xor L] xor C[j]". Note that the C
source code in the appendix of <a href="./rfc1319">RFC 1319</a> is correct.) The character
string "RSA-MD2" within an encapsulated PEM header field indicates the
use of this algorithm. Also, as defined in <a href="./rfc1319">RFC 1319</a>, the ASN.1 object
identifier
md2 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) US(840) rsadsi(113549)
digestAlgorithm(2) 2
}
identifies this algorithm. When this object identifier is used with
the ASN.1 type AlgorithmIdentifier, the parameters component of that
type is the ASN.1 type NULL.
<span class="grey">Balenson [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
The RSA-MD2 message digest algorithm accepts as input a message of
any length and produces as output a 16-octet quantity. When
symmetric key management is employed, an RSA-MD2 MIC is encrypted by
splitting the MIC into two 8-octet halves, independently encrypting
each half, and concatenating the results.
When symmetric key management is employed with this MIC algorithm,
the symmetrically encrypted MD2 message digest is represented in a
the fourth argument of a "Key-Info:" header field as a contiguous
string of 32 ASCII hexadecimal digits (corresponding to a 128-bit MD2
message digest).
To avoid any potential ambiguity regarding the ordering of the octets
of an MD2 message digest that is input as a data value to another
encryption process (e.g., RSAEncryption), the following holds true.
The first (or left-most displayed, if one thinks in terms of a
digest's "print" representation) octet of the digest (i.e., digest[0]
as specified in <a href="./rfc1319">RFC 1319</a>), when considered as an RSA data value, has
numerical weight 2**120. The last (or right-most displayed) octet
(i.e., digest[15] as specified in <a href="./rfc1319">RFC 1319</a>) has numerical weight
2**0.
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a> RSA-MD5 Message Digest Algorithm</span>
The RSA-MD5 message digest is computed using the algorithm defined in
<a href="./rfc1321">RFC 1321</a> [<a href="#ref-10" title=""The MD5 Message-Digest Algorithm"">10</a>]. The character string "RSA-MD5" within an encapsulated
PEM header field indicates the use of this algorithm. Also, as
defined in <a href="./rfc1321">RFC 1321</a>, the object identifier
md5 OBJECT IDENTIFIER ::= {
iso(1) member-body(2) US(840) rsadsi(113549)
digestAlgorithm(2) 5
}
identifies this algorithm. When this object identifier is used with
the ASN.1 type AlgorithmIdentifier, the parameters component of that
type is the ASN.1 type NULL.
The RSA-MD5 message digest algorithm accepts as input a message of
any length and produces as output a 16-octet quantity. When
symmetric key management is employed, an RSA-MD5 MIC is encrypted by
splitting the MIC into two 8-octet halves, independently encrypting
each half, and concatenating the results.
When symmetric key management is employed with this MIC algorithm,
the symmetrically encrypted MD5 message digest is represented in the
fourth argument of a "Key-Info:" header field as a contiguous string
of 32 ASCII hexadecimal digits (corresponding to a 128-bit MD5
<span class="grey">Balenson [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
message digest).
To avoid any potential ambiguity regarding the ordering of the octets
of a MD5 message digest that is input as an RSA data value to the RSA
encryption process, the following holds true. The first (or left-
most displayed, if one thinks in terms of a digest's "print"
representation) octet of the digest (i.e., the low-order octet of A
as specified in <a href="./rfc1321">RFC 1321</a>), when considered as an RSA data value, has
numerical weight 2**120. The last (or right-most displayed) octet
(i.e., the high-order octet of D as specified in <a href="./rfc1321">RFC 1321</a>) has
numerical weight 2**0.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Symmetric Key Management Algorithms</span>
This section identifies the alternative algorithms and modes that
shall be used when symmetric key management is employed, to encrypt
data encryption keys (DEKs) and message integrity check (MIC) values.
Character string identifiers are assigned for incorporation in
encapsulated "Key-Info:" header fields to indicate the choice of
algorithm employed.
All alternatives presently defined in this category correspond to
different usage modes of the DES algorithm, rather than to other
algorithms.
When symmetric key management is employed, the symmetrically
encrypted DEK and MIC, carried in the third and fourth arguments of a
"Key-Info:" header field, respectively, are each represented as a
string of contiguous ASCII hexadecimal digits. The manner in which
to use the following symmetric encryption algorithms and the length
of the symmetrically encrypted DEK and MIC may vary depending on the
length of the underlying DEK and MIC. <a href="#section-1">Section 1</a>, Message Encryption
Algorithms, and <a href="#section-2">Section 2</a>, Message Integrity Check Algorithms,
provide information on the proper manner in which a DEK and MIC,
respectively, are symmetrically encrypted when the size of the DEK or
MIC is not equal to the symmetric encryption algorithm's input block
size. These sections also provide information on the proper format
and length of the symmetrically encrypted DEK and MIC, respectively.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a> DES in ECB Mode (DES-ECB)</span>
The DES algorithm in Electronic Codebook (ECB) mode [<a href="#ref-1" title="Data Encryption Standard">1</a>][3] is used
for DEK and MIC encryption when symmetric key management is employed.
The character string "DES-ECB" within an encapsulated PEM header
field indicates use of this algorithm/mode combination.
A compliant PEM implementation supporting symmetric key management
shall support this algorithm/mode combination.
<span class="grey">Balenson [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a> DES in EDE Mode (DES-EDE)</span>
The DES algorithm in Encrypt-Decrypt-Encrypt (EDE) multiple
encryption mode, as defined by ANSI X9.17 [<a href="#ref-6" title="American National Standard">6</a>] for encryption and
decryption with pairs of 64-bit keys, may be used for DEK and MIC
encryption when symmetric key management is employed. The character
string "DES-EDE" within an encapsulated a PEM header field indicates
use of this algorithm/mode combination.
A compliant PEM implementation supporting symmetric key management
may optionally support this algorithm/mode combination.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Asymmetric Key Management Algorithms</span>
This section identifies the alternative asymmetric keys and the
alternative asymmetric key management algorithms with which those
keys shall be used, namely the asymmetric encryption algorithms with
which DEKs and MICs are encrypted, and the asymmetric signature
algorithms with which certificates and certificate revocation lists
(CRLs) are signed.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a> Asymmetric Keys</span>
This section describes the asymmetric keys that shall be used with
the asymmetric encryption algorithms and the signature algorithms
described later. ASN.1 object identifiers are identified for
incorporation in a public-key certificate to identify the
algorithm(s) with which the accompanying public key is to be
employed.
<span class="h4"><a class="selflink" id="section-4.1.1" href="#section-4.1.1">4.1.1</a> RSA Keys</span>
An RSA asymmetric key pair is comprised of matching public and
private keys.
An RSA public key consists of an encryption exponent e and an
arithmetic modulus n, which are both public quantities typically
carried in a public-key certificate. For the value of e, Annex C to
X.509 suggests the use of Fermat's Number F4 (65537 decimal, or
1+2**16) as a value "common to the whole environment in order to
reduce transmission capacity and complexity of transformation", i.e.,
the value can be transmitted as 3 octets and at most seventeen (17)
multiplications are required to effect exponentiation. As an
alternative, the number three (3) can be employed as the value for e,
requiring even less octets for transmission and yielding even faster
exponentiation. For purposes of PEM, the value of e shall be either
F4 or the number three (3). The use of the number three (3) for the
value of e is encouraged, to permit rapid certificate validation.
<span class="grey">Balenson [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
An RSA private key consists of a decryption exponent d, which should
be kept secret, and the arithmetic modulus n. Other values may be
stored with a private key to facilitate efficient private key
operations (see PKCS #1 [<a href="#ref-11" title="June 3">11</a>]).
For purposes of PEM, the modulus n may vary in size from 508 to 1024
bits.
Two ASN.1 object identifiers have been defined to identify RSA public
keys. In Annex H of X.509 [<a href="#ref-8" title=""The Directory - Authentication Framework"">8</a>], the object identifier
rsa OBJECT IDENTIFIER ::= {
joint-iso-ccitt(2) ds(5) algorithm(8)
encryptionAlgorithm(1) 1
}
is defined to identify an RSA public key. A single parameter,
KeySize, the length of the public key modulus in bits, is defined for
use in conjunction with this object identifier. When this object
identifier is used with the ASN.1 type AlgorithmIdentifier, the
parameters component of that type is the number of bits in the
modulus, ASN.1 encoded as an INTEGER.
Alternatively, in PKCS #1 [<a href="#ref-11" title="June 3">11</a>], the ASN.1 object identifier
rsaEncryption OBJECT IDENTIFIER ::= {
iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1)
pkcs-1(1) 1
}
is defined to identify both an RSA public key and the RSAEncryption
process. There are no parameters defined in conjunction with this
object identifier, hence, when it is used with the ASN.1 type
AlgorithmIdentifier, the parameters component of that type is the
ASN.1 type NULL.
A compliant PEM implementation may optionally generate an RSA
public-key certificate that identifies the enclosed RSA public key
(within the SubjectPublicKeyInformation component) with either the
"rsa" or the "rsaEncryption" object identifier. Use of the "rsa"
object identifier is encouraged, since it is, in some sense, more
generic in its identification of a key, without indicating how the
key will be used. However, to facilitate interoperability, a
compliant PEM implementation shall accept RSA public-key certificates
that identify the enclosed RSA public key with either the "rsa" or
the "rsaEncryption" object identifier. In all cases, an RSA public
key identified in an RSA public-key certificate with either the "rsa"
or "rsaEncryption" object identifier, shall be used according to the
<span class="grey">Balenson [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
procedures defined below for asymmetric encryption algorithms and
asymmetric signature algorithms.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a> Asymmetric Encryption Algorithms</span>
This section identifies the alternative algorithms that shall be used
when asymmetric key management is employed, to encrypt DEKs and MICs.
Character string identifiers are assigned for incorporation in "MIC-
Info:" and "Key-Info:" header fields to indicate the choice of
algorithm employed.
Only one alternative is presently defined in this category.
<span class="h4"><a class="selflink" id="section-4.2.1" href="#section-4.2.1">4.2.1</a> RSAEncryption</span>
The RSAEncryption public-key encryption algorithm, defined in PKCS #1
[<a href="#ref-11" title="June 3">11</a>], is used for DEK and MIC encryption when asymmetric key
management is employed. The character string "RSA" within a "MIC-
Info:" or "Key-Info:" header field indicates the use of this
algorithm.
All PEM implementations supporting asymmetric key management shall
support this algorithm.
As described in PKCS #1, all quantities input as data values to the
RSAEncryption process shall be properly justified and padded to the
length of the modulus prior to the encryption process. In general,
an RSAEncryption input value is formed by concatenating a leading
NULL octet, a block type BT, a padding string PS, a NULL octet, and
the data quantity D, that is,
RSA input value = 0x00 || BT || PS || 0x00 || D.
To prepare a DEK for RSAEncryption, the PKCS #1 "block type 02"
encryption-block formatting scheme is employed. The block type BT is
a single octet containing the value 0x02 and the padding string PS is
one or more octets (enough octets to make the length of the complete
RSA input value equal to the length of the modulus) each containing a
pseudorandomly generated, non-zero value. For multiple recipient
messages, a different, pseudorandom padding string should be used for
each recipient. The data quantity D is the DEK itself, which is
right-justified within the RSA input such that the last (or rightmost
displayed, if one thinks in terms of the "print" representation)
octet of the DEK is aligned with the right-most, or least-
significant, octet of the RSA input. Proceeding to the left, each of
the remaining octets of the DEK, up through the first (or left-most
displayed) octet, are each aligned in the next more significant octet
of the RSA input.
<span class="grey">Balenson [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
To prepare a MIC for RSAEncryption, the PKCS #1 "block type 01"
encryption-block formatting scheme is employed. The block type BT is
a single octet containing the value 0x01 and the padding string PS is
one or more octets (enough octets to make the length of the complete
RSA input value equal to the length of the modulus) each containing
the value 0xFF. The data quantity D is comprised of the MIC and the
MIC algorithm identifier which are ASN.1 encoded as the following
sequence.
SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
digest OCTET STRING
}
The ASN.1 type AlgorithmIdentifier is defined in X.509 as follows.
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
}
An RSA input block is encrypted using the RSA algorithm with the
first (or left-most) octet taken as the most significant octet, and
the last (or right-most) octet taken as the least significant octet.
The resulting RSA output block is interpreted in a similar manner.
When RSAEncryption is used to encrypt a DEK, the second argument in a
"MIC-Info:" header field, an asymmetrically encrypted DEK, is
represented using the printable encoding technique defined in <a href="./rfc1421#section-4.3.2.4">Section</a>
<a href="./rfc1421#section-4.3.2.4">4.3.2.4 of RFC 1421</a> [<a href="#ref-12" title=""Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures"">12</a>].
When RSAEncryption is used to sign a MIC, the third argument in a
"MIC-Info:" header field, an asymmetrically signed MIC, is
represented using the printable encoding technique defined in <a href="./rfc1421#section-4.3.2.4">Section</a>
<a href="./rfc1421#section-4.3.2.4">4.3.2.4 of RFC 1421</a>.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a> Asymmetric Signature Algorithms</span>
This section identifies the alternative algorithms which shall be
used to asymmetrically sign certificates and certificate revocation
lists (CRLs) in accordance with the SIGNED macro defined in Annex G
of X.509. ASN.1 object identifiers are identified for incorporation
in certificates and CRLs to indicate the choice of algorithm
employed.
Only one alternative is presently defined in this category.
<span class="grey">Balenson [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
<span class="h4"><a class="selflink" id="section-4.3.1" href="#section-4.3.1">4.3.1</a> md2WithRSAEncryption</span>
The md2WithRSAEncryption signature algorithm is used to sign
certificates and CRLs. The algorithm is defined in PKCS #1 [<a href="#ref-11" title="June 3">11</a>]. It
combines the RSA-MD2 message digest algorithm described here in
<a href="#section-2.2">Section 2.2</a> with the RSAEncryption asymmetric encryption algorithm
described here in <a href="#section-4.2.1">Section 4.2.1</a>. As defined in PKCS #1, the ASN.1
object identifier
md2WithRSAEncryption OBJECT IDENTIFIER ::= {
iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1)
pkcs-1(1) 2
}
identifies this algorithm. When this object identifier is used with
the ASN.1 type AlgorithmIdentifier, the parameters component of that
type is the ASN.1 type NULL.
There is some ambiguity in X.509 regarding the definition of the
SIGNED macro and, in particular, the representation of a signature in
a certificate or a CRL. The interpretation selected for PEM requires
that the data to be signed (in our case, an MD2 message digest) is
first ASN.1 encoded as an OCTET STRING and the result is encrypted
(in our case, using RSAEncryption) to form the signed quantity, which
is then ASN.1 encoded as a BIT STRING.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Descriptive Grammar</span>
; Addendum to PEM BNF representation, using <a href="./rfc822">RFC 822</a> notation
; Provides specification for official PEM cryptographic algorithms,
; modes, identifiers and formats.
; Imports <hexchar> and <encbin> from RFC [1421]
<dekalgid> ::= "DES-CBC"
<ikalgid> ::= "DES-EDE" / "DES-ECB" / "RSA"
<sigalgid> ::= "RSA"
<micalgid> ::= "RSA-MD2" / "RSA-MD5"
<dekparameters> ::= <DESCBCparameters>
<DESCBCparameters> ::= <IV>
<IV> ::= <hexchar16>
<symencdek> ::= <DESECBencDESCBC> / <DESEDEencDESCBC>
<DESECBencDESCBC> ::= <hexchar16>
<DESEDEencDESCBC> ::= <hexchar16>
<symencmic> ::= <DESECBencRSAMD2> / <DESECBencRSAMD5>
<span class="grey">Balenson [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
<DESECBencRSAMD2> ::= 2*2<hexchar16>
<DESECBencRSAMD5> ::= 2*2<hexchar16>
<asymsignmic> ::= <RSAsignmic>
<RSAsignmic> ::= <encbin>
<asymencdek> ::= <RSAencdek>
<RSAencdek> ::= <encbin>
<hexchar16> ::= 16*16<hexchar>
References
[<a id="ref-1">1</a>] Federal Information Processing Standards Publication (FIPS PUB)
46-1, Data Encryption Standard, Reaffirmed 1988 January 22
(supersedes FIPS PUB 46, 1977 January 15).
[<a id="ref-2">2</a>] ANSI X3.92-1981, American National Standard Data Encryption
Algorithm, American National Standards Institute, Approved 30
December 1980.
[<a id="ref-3">3</a>] Federal Information Processing Standards Publication (FIPS PUB)
81, DES Modes of Operation, 1980 December 2.
[<a id="ref-4">4</a>] ANSI X3.106-1983, American National Standard for Information
Systems - Data Encryption Algorithm - Modes of Operation,
American National Standards Institute, Approved 16 May 1983.
[<a id="ref-5">5</a>] ISO 8372, Information Processing Systems: Data Encipherment:
Modes of Operation of a 64-bit Block Cipher.
[<a id="ref-6">6</a>] ANSI X9.17-1985, American National Standard, Financial
Institution Key Management (Wholesale), American Bankers
Association, April 4, 1985, <a href="#section-7.2">Section 7.2</a>.
[<a id="ref-7">7</a>] Voydock, V. L. and Kent, S. T., "Security Mechanisms in High-
Level Network Protocols", ACM Computing Surveys, Vol. 15, No. 2,
June 1983, pp. 135-171.
[<a id="ref-8">8</a>] CCITT Recommendation X.509, "The Directory - Authentication
Framework", November 1988, (Developed in collaboration, and
technically aligned, with ISO 9594-8).
[<a id="ref-9">9</a>] Kaliski, B., "The MD2 Message-Digest Algorithm", <a href="./rfc1319">RFC 1319</a>, RSA
Laboratories, April 1992.
[<a id="ref-10">10</a>] Rivest, R., "The MD5 Message-Digest Algorithm", <a href="./rfc1321">RFC 1321</a>, MIT
Laboratory for Computer Science and RSA Data Security, Inc.,
<span class="grey">Balenson [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
April 1992.
[<a id="ref-11">11</a>] PKCS #1: RSA Encryption Standard, Version 1.4, RSA Data Security,
Inc., June 3, 1991.
[<a id="ref-12">12</a>] Linn, J., "Privacy Enhancement for Internet Electronic Mail: Part
I: Message Encryption and Authentication Procedures", <a href="./rfc1421">RFC 1421</a>,
DEC, February 1993.
[<a id="ref-13">13</a>] Kent, S., "Privacy Enhancement for Internet Electronic Mail: Part
II: Certificate-Based Key Management", <a href="./rfc1422">RFC 1422</a>, BBN, February
1993.
[<a id="ref-14">14</a>] Kaliski, B., "Privacy Enhancement for Internet Electronic Mail:
Part IV: Key Certification and Related Services", <a href="./rfc1424">RFC 1424</a>, RSA
Laboratories, February 1993.
Patent Statement
This version of Privacy Enhanced Mail (PEM) relies on the use of
patented public key encryption technology for authentication and
encryption. The Internet Standards Process as defined in <a href="./rfc1310">RFC 1310</a>
requires a written statement from the Patent holder that a license
will be made available to applicants under reasonable terms and
conditions prior to approving a specification as a Proposed, Draft or
Internet Standard.
The Massachusetts Institute of Technology and the Board of Trustees
of the Leland Stanford Junior University have granted Public Key
Partners (PKP) exclusive sub-licensing rights to the following
patents issued in the United States, and all of their corresponding
foreign patents:
Cryptographic Apparatus and Method
("Diffie-Hellman")............................... No. 4,200,770
Public Key Cryptographic Apparatus
and Method ("Hellman-Merkle").................... No. 4,218,582
Cryptographic Communications System and
Method ("RSA")................................... No. 4,405,829
Exponential Cryptographic Apparatus
and Method ("Hellman-Pohlig").................... No. 4,424,414
These patents are stated by PKP to cover all known methods of
practicing the art of Public Key encryption, including the variations
collectively known as El Gamal.
<span class="grey">Balenson [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc1423">RFC 1423</a> PEM: Algorithms, Modes and Identifiers February 1993</span>
Public Key Partners has provided written assurance to the Internet
Society that parties will be able to obtain, under reasonable,
nondiscriminatory terms, the right to use the technology covered by
these patents. This assurance is documented in <a href="./rfc1170">RFC 1170</a> titled
"Public Key Standards and Licenses". A copy of the written assurance
dated April 20, 1990, may be obtained from the Internet Assigned
Number Authority (IANA).
The Internet Society, Internet Architecture Board, Internet
Engineering Steering Group and the Corporation for National Research
Initiatives take no position on the validity or scope of the patents
and patent applications, nor on the appropriateness of the terms of
the assurance. The Internet Society and other groups mentioned above
have not made any determination as to any other intellectual property
rights which may apply to the practice of this standard. Any further
consideration of these matters is the user's own responsibility.
Security Considerations
This entire document is about security.
Author's Address
David Balenson
Trusted Information Systems
3060 Washington Road
Glenwood, Maryland 21738
Phone: 301-854-6889
EMail: balenson@tis.com
Balenson [Page 14]
</pre>
|
