Skip to main content

The With-MAC key-wrapping algorithm for Cryptographic Message Syntax
draft-herzog-withmac-keywrap-01

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Expired".
Authors Jonathan Herzog , Roger Khazan
Last updated 2012-03-02
RFC stream (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-herzog-withmac-keywrap-01
Network Working Group                                          J. Herzog
Internet-Draft                                                 R. Khazan
Intended status: Standards Track                  MIT Lincoln Laboratory
Expires: September 2, 2012                                 March 1, 2012

  The With-MAC key-wrapping algorithm for Cryptographic Message Syntax
                    draft-herzog-withmac-keywrap-01

Abstract

   This document describes a new key-wrapping algorithm to be used in
   the EnvelopedData, AuthenticatedData and AuthEnvelopedData structures
   of the Cryptographic Message Syntax.  Because these structures do not
   provide data-origin authentication, a recipient cannot
   cryptographically verify that the plaintext received was the
   plaintext encapsulated by the message's original sender.  The With-
   MAC key-wrapping algorithm allows an EncryptedKey value to hold both
   a wrapped symmetric key and a MAC value on the data to be
   authenticated.  When used in EnvelopedData, AuthenticatedData and
   AuthEnvelopedData structures, therefore, these structures can achieve
   data-origin authentication (in some circumstances) using only
   symmetric-key algorithms.  This is useful in cases where the
   structures must be generated by entities without certified digital-
   signature keys.

Disclaimer

   This work is sponsored by the United States Air Force under Air Force
   Contract FA8721-05-C-0002.  Opinions, interpretations, conclusions
   and recommendations are those of the authors and are not necessarily
   endorsed by the United States Government.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

Herzog & Khazan         Expires September 2, 2012               [Page 1]
Internet-Draft         With-MAC keywrap algorithm             March 2012

   This Internet-Draft will expire on September 2, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Herzog & Khazan         Expires September 2, 2012               [Page 2]
Internet-Draft         With-MAC keywrap algorithm             March 2012

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Requirements Terminology . . . . . . . . . . . . . . . . . . .  8
   3.  Structures of the With-MAC key-wrap algorithm  . . . . . . . .  8
   4.  Actions of the sender  . . . . . . . . . . . . . . . . . . . . 10
   5.  Actions of the receiver  . . . . . . . . . . . . . . . . . . . 13
   6.  Requirements and Recommendations . . . . . . . . . . . . . . . 14
   7.  Security considerations  . . . . . . . . . . . . . . . . . . . 15
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 16
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
     10.1.  Normative References  . . . . . . . . . . . . . . . . . . 16
     10.2.  Informative References  . . . . . . . . . . . . . . . . . 17
   Appendix A.  ASN.1 Module  . . . . . . . . . . . . . . . . . . . . 17
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 19

Herzog & Khazan         Expires September 2, 2012               [Page 3]
Internet-Draft         With-MAC keywrap algorithm             March 2012

1.  Introduction

   This document extends the Cryptographic Message Syntax (CMS)
   [RFC5652] so as to allow EncryptedKey values to contain both an
   encrypted key and a message authentication code (MAC) value.  CMS is
   a standard notation and representation for cryptographic messages.
   Specifically, CMS uses ASN.1 notation [X.680] [X.681] [X.682] [X.683]
   to define a number of structures for encrypted data, signed data,
   authenticated data, and so on.  Such structures carry both:

   o  The cryptographically-protected information, and

   o  Key-management information regarding the keys used.

   Of particular interest here are three 'top-level' structures:

   o  EnvelopedData, which holds encrypted (but not necessarily
      authenticated) information [RFC5652],

   o  AuthenticatedData, which holds authenticated (MACed) information
      [RFC5652], and

   o  AuthEnvelopedData, which holds information protected by
      authenticated encryption: a cryptographic scheme that combines
      encryption and authentication [RFC5083].

   All three of these structures are constructed in the same basic way.

   o  First, the message-creator generates a fresh symmetric key.  In
      context of EnvelopedData structures, AuthenticatedData structures
      and AuthEnvelopedData structures, this key is called the content-
      encryption key, the authentication key, and the content-
      authenticated-encryption key respectively.  We will use the term
      CPK as a generic term when speaking of all three of these
      structures in the aggregate.

   o  Next, the creator uses the CPK to cryptographically protect the
      content.

   o  Lastly, the CPK is then wrapped for each recipient.  That is,
      copies of the CPK are encrypted in a sequence of 'wrap keys' (one
      copy per wrap-key) such that every recipient knows or can compute
      at least one wrap-key.

   A recipient, upon receiving the message, decrypts one of the wraps to
   retrieve the CPK and then uses the CPK to decrypt or verify the
   content.

Herzog & Khazan         Expires September 2, 2012               [Page 4]
Internet-Draft         With-MAC keywrap algorithm             March 2012

   CMS supports several different types of wrap-keys, including:

   o  Key transport: the wrap key is the public encryption key of some
      recipient.

   o  Key agreement: the wrap key is a key-encryption key (KEK) created
      using a key-agreement scheme (such as Diffie-Hellman [RFC3370])
      and a key-derivation function (KDF).

   o  Key-encryption key: the wrap key is a previously-distributed
      symmetric key-encrypting key known to the recipient.

   o  Password: the wrap key is a key-encryption key derived from a
      password.

   Each of these methods is represented by a different 'key wrap'
   structure, called the KeyTransRecipientInfo, KeyAgreeRecipientInfo,
   KEKRecipientInfo and PasswordRecipientInfo structures, respectively.
   Each such structure is an instance of the RecipientInfo type, which
   can be embedded in each of EnvelopedData, AuthenticatedData and
   AuthEnvelopedData, respectively.  Thus, each key-wrap method can be
   used in each top-level structure mentioned above.

   Furthermore, a single top-level structure can hold multiple key-wrap
   structures, as might be the case when a single message has multiple
   distinct receivers.  In this case, every wrap-structure in the
   message will encrypt the same CPK.  This means, unfortunately, that
   the top-level CMS structures described above do not provide data-
   origin authentication.  Consider, for example, the following sequence
   of events:

   o  Alice sends an AuthEnvelopedData message to both Bob and Mallory.
      This message uses a fresh, new content-authenticated-encryption
      key to protect the plaintext with authenticated-encryption
      algorithm.  This algorithm will produce both ciphertext and MAC
      value, thus providing both confidentiality and integrity
      guarantees.  Furthermore, Alice will wrap this content-
      authenticated-encryption key to both Bob and Mallory.  The final
      AuthEnvelopedData message contains the ciphertext, the MAC value,
      and both wrap-structures (one for Bob and one for Mallory).

   o  Mallory intercepts the message and prevents Bob from receiving it.

   o  Mallory unwraps the content-authenticated-encryption key from the
      wrap intended for her.  Mallory then creates new plaintext of her
      choice, and encrypts it using the same authenticated-encryption
      algorithm and the same content-authenticated-encryption key used
      by Alice.

Herzog & Khazan         Expires September 2, 2012               [Page 5]
Internet-Draft         With-MAC keywrap algorithm             March 2012

   o  Mallory then replaces the ciphertext and MAC value of Alice's
      message with the values just generated.  She may additionally
      remove her key-wrap structure from Alice's message.

   o  Mallory sends the modified message to Bob.

   o  Bob receives the message, unwraps the content-authenticated-
      encryption key, and decrypts/authenticates the message.

   At this point, Bob has received and validated a message that appears
   to have been sent by Alice, but whose content was chosen by Mallory.
   Furthermore, Mallory may not even be an apparent receiver of the
   modified message.

   This same 'attack' can be successfully launched against EnvelopedData
   and AuthenticatedData structures.  We rush to note, however, that
   none of these structures were actually designed to provide 'data-
   origin authentication'.  By data-origin authentication, we mean the
   guarantee that a recipient will not accept a message that was not
   sent, exactly as received, by the ostensible sender.  This would
   require that the messages identify the ostensible sender, but these
   structures might not do so:

   o  These structures do contain an OriginiatorInfo field, which would
      identify the sender.  This value is sometimes optional, however.

   o  The key-wrap structures, listed above, may partially identify the
      sender.  The use of password-based key-wrap, for example, implies
      that the (ostensible) sender is among the entities that know the
      password.  Likewise, the use of key-encrypting-key key-wrap
      implies that the (ostensible) sender is among the entities that
      know the key.  This is only partial identification, however, and
      the key-transport key-wrap method will not identify the ostensible
      sender.  (The key-agreement method will identify the sender, if
      the sender uses a certified public value [RFC6278].)

   We also note that it is not strictly necessary for these top-level
   CMS structures to provide data-origin authentication.  CMS already
   provides an entirely separate structure for this purpose: the
   SignedData structure, which applies digital signatures to the
   encapsulated 'plaintext.'  Furthermore, these top-level structures
   can be encapsulated in each other.  Alice, above, can entirely
   prevent the described attack by encapsulating the AuthEnvelopedData
   structure in a SignedData structure.  Then the AuthEnvelopedData
   structure would be signed by Alice, and Mallory could not change that
   structure's plaintext without invalidating Alice's signature.

   Unfortunately, this is not a universal solution.  In particular, the

Herzog & Khazan         Expires September 2, 2012               [Page 6]
Internet-Draft         With-MAC keywrap algorithm             March 2012

   sender may not have a certified public signature key, or the ability
   to send their signature-verification key to the recipients in an
   authenticated manner.  In this case, the SignedData structure will
   not be able to provide data-origin authentication guarantees to the
   recipients(s).  Also, 'small' hardware implementations may not be
   able to include the number-theoretic algorithms that underlie public-
   key signature schemes, and would therefore be unable to create or
   process SignedData structures.

   Given this, it is desirable to identify alternate methods to achieve
   data-origin authentication in CMS.  In this document, we describe a
   method by which EnvelopedData, AuthenticatedData, and
   AuthEnvelopedData structures can provide data-origin authentication
   using only symmetric cryptographic algorithms.  Specifically, we
   define the With-MAC key-wrap 'algorithm.'  In actuality, this
   'algorithm' is a pseudo-algorithm which allows key-wrap structures to
   contain both:

   o  A content-protecting symmetric key (encrypted, as before), and

   o  A MAC value protecting the contents of the enclosing
      EnvelopedData, AuthenticatedData, or AuthEnvelopedData structure.

   If the standard CMS encryption operation in an EnvelopedData
   structure is

   KEK1( CPK ) || KEK2( CPK ) || ... || CPK( data )

   then the encryption operation of this document is

   KEK1'( CPK ), MAC1'( CPK( data ) ) ||
     KEK2'( CPK ), MAC2'( CPK( data) ) ||... || CPK( data )

   where KEK1' and MAC1' are both derived from KEK1.  Specifically, the
   encryption of the CPK is created using a 'wrap-encryption' key, and
   the MAC is generated using a 'wrap-MAC' key.  Both of these keys are
   derived from the wrap-key using a key-derivation function.
   Therefore, the MAC value authenticates the origin of the data to the
   same extent that the key-wrap mechanism cryptographically
   authenticates the sender of the message.

   In this way, the With-MAC algorithm provides the following
   guarantees:

   o  When the key-wrap mechanism is based on a shared key-encrypting
      key (KEKRecipientInfo) it guarantees to the receiver that the data
      was sent by someone who knows the relevant key-transportation key.

Herzog & Khazan         Expires September 2, 2012               [Page 7]
Internet-Draft         With-MAC keywrap algorithm             March 2012

   o  When the key-wrap mechanism is based on passwords
      (PasswordRecipientInfo) it guarantees to the receiver that the
      data was sent by someone who knows the relevant password.

   o  When the key-wrap mechanism is based on key-agreement mechanisms
      (KeyAgreeRecipientInfo) and the sender uses a long-term, certified
      value, it guarantees to the receiver that the data was sent by
      someone who knows the sender's private key-agreement key.

   The With-MAC algorithm can not be used when the key-wrap method is
   based on key-transport.  It can be used when the key-wrap method is
   based on key-agreement and the sender uses an ephemeral value, but it
   provides no data-authentication properties.

   Because the With-MAC algorithm uses only symmetric-key algorithms, it
   may also be more appropriate than the SignedData structure for
   resource-constrained (e. g., power, space) hardware implementations.
   Lastly, we note that MAC values tend to be smaller than digital
   signatures.  Under some circumstances, such as when there are
   relatively few key-wraps, the With-MAC algorithm may result in
   shorter messages than a SignedData structure.

2.  Requirements Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Structures of the With-MAC key-wrap algorithm

   In the KeyTransRecipientInfo, KeyAgreeRecipientInfo,
   PasswordRecipientInfo and KEKRecipientInfo, the CPK-wrapping
   algorithm is identified through an AlgorithmIdentifier structure
   [RFC5280]:

   AlgorithmIdentifier  ::=  SEQUENCE  {
        algorithm     OBJECT IDENTIFIER,
        parameters    ANY DEFINED BY algorithm OPTIONAL  }

   The With-MAC key-wrap algorithm has the algorithm identifier:

   id-alg-WithMACWrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
       us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) X }

Herzog & Khazan         Expires September 2, 2012               [Page 8]
Internet-Draft         With-MAC keywrap algorithm             March 2012

   When the algorithm field of an AlgorithmIdentifier structure is id-
   alg-WithMACWrap, the parameters field MUST be a WithMACParameters
   value:

   WithMACParameters  ::=  SEQUENCE  {
        wrapAlgorithm   KeyEncryptionAlgorithmIdentifier,
        kdfAlgorithm    KeyDerivationAlgorithmIdentifier,
        macAlgorithm    MessageAuthenticationCodeAlgorithm }

   The fields are used as follows:

   o  The wrapAlgorithm value identifies the algorithm which will be
      used to wrap the CPK.

   o  The kdfAlgorithm value identifies the key-derivation function
      which will be used to derive the wrap-encryption key and the wrap-
      MAC key from the wrap-key.

   o  The macAlgorithm value identifies the MAC algorithm used to
      provide data-origin authentication.

   The With-MAC algorithm CAN NOT be used in a KeyTransRecipientInfo
   structure, but CAN be used in a KeyAgreeRecipientInfo,
   KEKRecipientInfo or PasswordRecipientInfo structure.  When the With-
   MAC key-wrap algorithm is provided as the key-wrap algorithm in one
   of these three structures, the encryptedKey field of that structure
   MUST hold the DER encoding of a EncryptedKeyWithMACValue value:

   EncryptedKeyWithMACValue  ::=  SEQUENCE  {
        encryptedKey             EncryptedKey,
        macValue                 MessageAuthenticationCode }

   These fields are used as follows:

   o  The encryptedKey field holds the wrapped CPK, and

   o  The macValue holds a MAC value computed over the 'ciphertext' of
      the enclosing EnvelopedData, AuthenticatedData, or
      AuthEnvelopedData.  That is, this document follows the 'encrypt
      then MAC' paradigm, in which the plaintext is encrypted and the
      ciphertext MACed.

   These fields are discussed in more detail in the next sections.

Herzog & Khazan         Expires September 2, 2012               [Page 9]
Internet-Draft         With-MAC keywrap algorithm             March 2012

4.  Actions of the sender

   The specific actions of the sender depend on whether it is being used
   as the key-wrap algorithm of a KeyAgreeRecipientInfo,
   PasswordRecipientInfo or KEKRecipientInfo structure, and whether that
   structure is in an EnvelopedData, AuthenticatedData or
   AuthEnvelopedData structure.  In all cases, the sender chooses a key-
   encryption algorithm, a key-derivation algorithm, and a MAC
   algorithm.  It then encodes these choices and their associated
   parameters in a WithMACParameters structure.  If the kdfAlgorithm
   parameters includes a 'key length' field of any type (e.g.  PBKDF2
   [RFC3370]) then this MUST be set to zero.  The sender then creates an
   AlgorithmIdentifier structure composed of the id-alg-WithMACWrap
   value in the algorithm field and that WithMACParameters structure in
   the parameters field.

   The sender then places this AlgorithmIdentifier in the
   keyEncryptionAlgorithm of the key-wrap structure being constructed
   (KeyAgreeRecipientInfo, KEKRecipientInfo, or PasswordRecipientInfo).
   Then, the sender performs the following actions once per EncryptedKey
   value in the key-wrap structure.  This will be exactly once, in the
   case of KEKRecipientInfo and PasswordRecipientInfo, and once per
   RecipientEncryptedKey in the case of KeyAgreeRecipientInfo.

   o  First, the sender generates the CPK and uses it to protect the
      payload of the EnvelopedData, AuthenticatedData or
      AuthEnvelopedData structure as described in [RFC5652].

   o  Then, the sender generates the wrap-key according to the standard
      CMS process for this key-wrap type:

      *  In the case of PasswordRecipientInfo, the wrap key is generated
         by applying a key-derivation function (identified in the
         keyDerivationAlgorithm field of the PasswordRecipientInfo
         structure) to the password.

      *  In the case of KEKRecipientInfo, the wrap key is the key
         identified by the kekid field of that structure.

      *  And in the case of KeyAgreeRecipientInfo, the wrap key is
         generated by applying the relevant key-agreement algorithm to
         the public value or the sender (identified in the originator
         field of the KeyAgreeRecipientInfo structure), the public value
         of the receiver (identified in the rid field of the
         RecipientEncryptedKey structure being built) and the fresh per-
         message randomness (in the ukm field if the
         KeyAgreeRecipientInfo structure) if present.

Herzog & Khazan         Expires September 2, 2012              [Page 10]
Internet-Draft         With-MAC keywrap algorithm             March 2012

   o  The sender then derives the wrap-encryption key from the wrap-key
      by applying the KDF identified in the kdfAlgorithm field of the
      WithMACParameters structure.  Typically, key-derivation functions
      are used to transform a password into a key, and some take an
      additional 'context' or 'info' input [HKDF] [RFC5869]:

      *  If the KDF takes a 'context' or 'info' parameter, then the
         'password' input to the KDF is the wrap key and the
         'context'/'info' parameter will be the value of the
         wrapAlgorithm field of the WithMACParameters structure.  That
         is, the type and length bytes are omitted.

      *  If the KDF does not take a 'context' or 'info' parameter, then
         the 'password' input to the KDF is the concatenation of the
         wrap-key and the value of the wrapAlgorithm field of the
         WithMACParameters structure.  That is, the type and length
         bytes are omitted.

      In both cases, the length of the key to be generated is that
      required by the algorithm identified in the wrapAlgorithm field of
      the WithMACParameters structure.

   o  The sender then uses the wrap-encryption key to wrap the CPK,
      which depends on the top-level structure being built:

      *  In the case of EnvelopedData, the CPK is the content-encryption
         key.

      *  In the case of AuthenticatedData, the CPK is the authentication
         key.

      *  In the case of AuthEnvelopedData, the CPK is the content-
         authenticated-encryption key.

      In all cases, the CPK is wrapped according to the algorithm and
      parameters identified in the wrapAlgorithm field of the
      WithMACParameters structure created above.  This process results
      in an EncryptedKey value, which we will call the 'inner
      EncryptedKey'.

   o  The sender then derives the wrap-MAC key from the wrap-key by
      applying the KDF identified in the kdfAlgorithm field of the
      WithMACParameters structure:

      *  If this KDF takes a 'context' or 'info' parameter, then the
         'password' input to the KDF is the wrap key and the
         'context'/'info' parameter will be the value of the
         macAlgorithm field of the WithMACParameters structure.  That

Herzog & Khazan         Expires September 2, 2012              [Page 11]
Internet-Draft         With-MAC keywrap algorithm             March 2012

         is, the type and length bytes are omitted.

      *  If the KDF does not take a 'context' or 'info' parameter, then
         the 'password' input to the KDF is the concatenation of the
         wrap-key and the value of the macAlgorithm field of the
         WithMACParameters structure.  That is, the type and length
         bytes are omitted.

      In both cases, the length of the key to be generated is that
      required by the algorithm identified in the macAlgorithm field of
      the WithMACParameters structure.

   o  The sender then computes a MAC value by applying the MAC algorithm
      identified in the macAlgorithm field of the WithMACParameters
      structure to the wrap-MAC key and the data to be protected:

      *  In the case of an EnvelopedData structure, the data to be
         protected is the value of the structure's encryptedContentInfo
         field.  The type and length bytes are omitted.

      *  In the case of an AuthenticatedData structure, the data to be
         protected is the the DER encoding of the following structure:

   AuthenticatedDataAuthenticatedContents  ::=  SEQUENCE  {
        encapContentInfo        EncapsulatedContentInfo,
        authAttrs               AuthAttributes OPTIONAL }

         In this structure, the encapContentInfo field holds the same
         value as the same field in the AuthenticatedData structure.
         Likewise, the authAttrs field holds the same value as the same
         field in the AuthenticatedData structure if present, and
         omitted if absent.

      *  In the case of an AuthEnvelopedData structure, the data to be
         protected is the DER encoding of the following structure:

   AuthEnvelopedDataAuthenticatedContents  ::=  SEQUENCE  {
        authEncryptedContentInfo        EncapsulatedContentInfo,
        authAttrs                       AuthAttributes OPTIONAL }

         In this structure, the authEncryptedContentInfo field holds the
         same value as the same field in the AuthEnvelopedData
         structure.  Likewise, the authAttrs field holds the same value
         as the same field in the AuthEnvelopedData structure if

Herzog & Khazan         Expires September 2, 2012              [Page 12]
Internet-Draft         With-MAC keywrap algorithm             March 2012

         present, and omitted if absent.

      The MAC algorithm will output a MessageAuthenticationCode value.

   o  The sender then embeds the inner EncryptedKey value and this
      MessageAuthenticationCode value in an EncryptedKeyWithMACValue
      structure.

   o  The sender then DER-encodes this EncryptedKeyWithMACValue
      structure, and embeds these octets (the 'outer EncryptedKey
      value') in the encryptedKey field being constructed.

5.  Actions of the receiver

   When the receiver processes an EnvelopedData, AuthenticatedData or
   AuthEnvelopedData structure, and

   o  has selected has selected a RecipientInfo structure to process for
      the CPK, and

   o  recognizes the id-alg-WithMACWrap value in the algorithm field of
      the AlgorithmIdentifier value in the keyEncryptionAlgorithm field
      of that RecipientInfo structure,

   it will perform the following steps:

   o  It first parses the parameters field of that AlgorithmIdentifier
      as a WithMACParameters structure, above.  If the
      AlgorithmIdentifier in the kdfAlgorithm field contains a key-
      length parameter in the Parameters field, this MUST be set to
      zero.

   o  The receiver then generates or retrieves the wrap-key according to
      the standard CMS process for this key-wrap type.  It then derives
      a wrap-encryption key and wrap-MAC key from the wrap-key as
      described in Section 4, using the algorithm identified in the
      kdfAlgorithm field of the WithMACParameters structure.

   o  It then parses the encryptedKey field of that RecipientInfo
      structure (or the relevant RecipientEncryptedKey structure, in the
      case of a KeyAgreeRecipientInfo) as the DER encoding of a
      EncryptedKeyWithMACValue.  In this way, it recovers the 'inner'
      EncryptedKey value and a MessageAuthenticationCode value.

   o  It then decrypts the inner EncryptedKey value with the wrap-
      encryption key, according to the algorithm identified in the
      wrapAlgorithm field of the WithMACParameters structure, In doing

Herzog & Khazan         Expires September 2, 2012              [Page 13]
Internet-Draft         With-MAC keywrap algorithm             March 2012

      so, it recovers the wrapped key--be it content-encryption key,
      authentication key, or content-authenticated-encryption key.

   o  At this point, the receiver MUST both:

      *  Use the wrapped key to process the encryptedContentInfo,
         encapContentInfo, or authEncryptedContentInfo as specified in
         [RFC5652], [RFC5652] and [RFC5083] respectively, and

      *  Use the wrap-MAC key and the MAC algorithm specified in the
         macAlgorithm field of the WithMACParameters structure to verify
         the integrity of the protected data (defined in Section 4).

      The receiver SHOULD reject the entire top-level structure
      (EnvelopedData, AuthenticatedData, or AuthEnvelopedData) if the
      MAC value fails to verify.

6.  Requirements and Recommendations

   This document does not define the actions of sender or receiver when
   the top-level structure is EncryptedData or DigestedData.  Therefore,
   this algorithm MUST NOT be used in EncryptedData or DigestedData
   structures.  Similarly, this document does not define the actions of
   sender or receiver when the key-wrap mechanism is key-transport.
   Therefore, the With-MAC algorithm MUST NOT be used when the key-wrap
   structure is KeyTransRecipientInfo.  This algorithm MAY but SHOULD
   NOT be used when the key-wrap method is based on key-agreement and
   the sender uses an ephemeral value, as the algorithm provides no
   data-origin guarantees in this case.  (See Section 7.)  However,
   receivers that support the use of this algorithm when the sender uses
   a static key-agreement key MUST also gracefully accept this use of
   this algorithm when the sender uses an ephemeral value.  Such
   receivers MUST also reject the entire top-level structure when the
   MAC fails to verify, as in Section 5, even when the sender uses an
   ephemeral value.

   It is RECOMMENDED that implementations of this specification support
   EnvelopedData, AuthenticatedData and AuthEnvelopedData.

   Implementations that support this specification MUST support the
   following key-wrap algorithms: id-aes128-wrap, id-aes192-wrap, id-
   aes256-wrap [RFC3394].

   Implementations that support this specification MUST support the
   following key-derivation function algorithm: id-PBKDF2 [RFC3370].
   Furthermore, implementations that support this specification MUST
   support the use of the MAC algorithms of the next paragraph for use

Herzog & Khazan         Expires September 2, 2012              [Page 14]
Internet-Draft         With-MAC keywrap algorithm             March 2012

   as the prf or this KDF [SP800-132].

   Implementations that support this specification MUST support the
   following MAC algorithms: id-hmacWithSHA224, id-hmacWithSHA256, id-
   hmacWithSHA384, id-hmacWithSHA512, all with parameters present but
   set to type NULL [RFC4231].

7.  Security considerations

   The goal of this document is to add data-origin authentication to
   EnvelopedData, AuthenticatedData, and AuthEnvelopedData structures
   without weakening the existing security properties of those
   structures.  To that end, it is essential that the key-derivation
   function used to derive the wrap-encryption and wrap-MAC key from the
   wrap key be sufficiently strong.  Such algorithms are designed to
   take two inputs: some secret, weak randomness and some public, strong
   randomness, and are designed to output strong, secret randomness.  In
   this application, the strong, public randomness is a salt value
   included in the AlgorithmIdentifier structure in the kdfAlgorithm
   field.  However, this salt will be used twice: either to derive two
   keys from two related 'passwords' (the wrap-key concatenated with
   either the wrapAlgorithm value or the macAlgorithm value) or the same
   password (the wrap-key) in two different contexts (the wrapAlgorithm
   value or the macAlgorithm value).  The security of this algorithm
   requires that the KDF ensure two resulting key (the wrap-encryption
   and wrap-MAC keys) are cryptographically independent.  See [HKDF] for
   details.  It is not yet known whether the PBKDF2 function satisfies
   this property, but there is no evidence to the contrary either.
   However, the HKDF scheme [RFC5869] provably achieves this property,
   and should be added to Section 6 as a required and default algorithm
   when it receives an object identifier.

   In keeping with [RFC6476], this specification uses the 'encrypt then
   MAC' approach to combining encryption and integrity, rather than the
   'MAC then encrypt' approach.  For a discussion of this issue, see
   [EncryptThenAuth].

   This algorithm provides no data-origin guarantees when there is no
   binding between the wrap-key and the data-origin.  Therefore, this
   document does not define the usage of this algorithm when the key-
   wrap mechanism is key-transport.  Similarly, this algorithm will
   provide no data-origin guarantees when the key-wrap mechanisms is
   key-agreement and the data-origin uses an ephemeral key-agreement key
   value.  Although such usage is valid under this specification, there
   is no advantage to using this algorithm rather than the algorithm
   identified in the wrapAlgorithm field of the WithMACParameters
   structure.

Herzog & Khazan         Expires September 2, 2012              [Page 15]
Internet-Draft         With-MAC keywrap algorithm             March 2012

8.  IANA Considerations

   This document makes use of object identifiers.  These object
   identifiers have been registered in an arc delegated to the IETF
   S/MIME Working Group.  This arc and its registration procedures will
   be transferred to IANA soon.  No further action by IANA is necessary
   for this document or any anticipated updates.

9.  Acknowledgements

   The authors would like thank Jim Schaad for informing them of the
   attack described in Section 1.  We would also like to thank Russ
   Housely and Sean Turner for their valuable comments.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC3370]  Housley, R., "Cryptographic Message Syntax (CMS)
              Algorithms", RFC 3370, August 2002.

   [RFC3394]  Schaad, J. and R. Housley, "Advanced Encryption Standard
              (AES) Key Wrap Algorithm", RFC 3394, September 2002.

   [RFC4231]  Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-
              224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512",
              RFC 4231, December 2005.

   [RFC5083]  Housley, R., "Cryptographic Message Syntax (CMS)
              Authenticated-Enveloped-Data Content Type", RFC 5083,
              November 2007.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)",
              RFC 5652, September 2009.

   [SP800-132]
              Turan, M., Barker, E., Burr, W., and L. Chen,
              "Recommendation for Password-Based Key Derivation Part 1:

Herzog & Khazan         Expires September 2, 2012              [Page 16]
Internet-Draft         With-MAC keywrap algorithm             March 2012

              Storage Applications (DRAFT)", NIST Special
              Publication 800-132, June 2010.

   [X.680]    ITU-T, "Information Technology - Abstract Syntax Notation
              One", Recommendation X.680, ISO/IEC 8824-1:2002, 2002.

   [X.681]    ITU-T, "Information Technology - Abstract Syntax Notation
              One: Information Object Specification",
              Recommendation X.681, ISO/IEC 8824-2:2002, 2002.

   [X.682]    ITU-T, "Information Technology - Abstract Syntax Notation
              One: Constraint Specification", Recommendation X.682, ISO/
              IEC 8824-3:2002, 2002.

   [X.683]    ITU-T, "Information Technology - Abstract Syntax Notation
              One: Parameterization of ASN.1 Specifications",
              Recommendation X.683, ISO/IEC 8824-4:2002, 2002.

10.2.  Informative References

   [EncryptThenAuth]
              Krawczyk, H., "The Order of Encryption and Authentication
              for Protecting Communications (or: How Secure Is SSL?)",
              Proceedings of CRYPTO 2001, August 2001.

   [HKDF]     Krawczyk, H., "Cryptographic Extraction and Key
              Derivation: The HKDF Scheme", Proceedings of CRYPTO 2010,
              August 2010.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869, May 2010.

   [RFC6278]  Herzog, J. and R. Khazan, "Use of static-static Elliptic-
              Curve Diffie-Hellman key agreement in Cryptographic
              Message Syntax", RFC 6278, November 2010.

   [RFC6476]  Gutmann, p., "Using Message Authentication Code (MAC)
              Encryption in the Cryptographic Message Syntax (CMS)",
              RFC 6476, January 2012.

Appendix A.  ASN.1 Module

   This appendix provides the normative ASN.1 definitions for the
   structures described in this specification using ASN.1 as defined in
   [X.680] through [X.683].

Herzog & Khazan         Expires September 2, 2012              [Page 17]
Internet-Draft         With-MAC keywrap algorithm             March 2012

 WithMACKeyEncryption
   { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
     smime(16) modules(0) XX }

 DEFINITIONS IMPLICIT TAGS ::=

 BEGIN

 -- EXPORTS ALL

 IMPORTS

    KeyEncryptionAlgorithmIdentifier,
    KeyDerivationAlgorithmIdentifier,
    MessageAuthenticationCodeAlgorithm,
    EncryptedKey,
    MessageAuthenticationCode,
    AuthAttributes,
    EncapsulatedContentInfo,
    EncryptedContentInfo
      FROM CryptographicMessageSyntax2004
        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
          smime(16) modules(0) cms-2004(24)}
    ;

 id-alg-WithMACWrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
     us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) X }

 WithMACParameters  ::=  SEQUENCE  {
      wrapAlgorithm               KeyEncryptionAlgorithmIdentifier,
      kdfAlgorithm                KeyDerivationAlgorithmIdentifier,
      macAlgorithm                MessageAuthenticationCodeAlgorithm }

 EncryptedKeyWithMACValue  ::=  SEQUENCE  {
      encryptedKey             EncryptedKey,
      macValue                 MessageAuthenticationCode }

 AuthenticatedDataAuthenticatedContents  ::=  SEQUENCE  {
      encapContentInfo        EncapsulatedContentInfo,
      authAttrs               AuthAttributes OPTIONAL }

 AuthEnvelopedDataAuthenticatedContents  ::=  SEQUENCE  {
      authEncryptedContentInfo        EncryptedContentInfo,
      authAttrs                       AuthAttributes OPTIONAL }

 END

Herzog & Khazan         Expires September 2, 2012              [Page 18]
Internet-Draft         With-MAC keywrap algorithm             March 2012

Authors' Addresses

   Jonathan C. Herzog
   MIT Lincoln Laboratory
   244 Wood St.
   Lexington, MA  02144
   USA

   Email: jherzog@ll.mit.edu

   Roger Khazan
   MIT Lincoln Laboratory
   244 Wood St.
   Lexington, MA  02144
   USA

   Email: rkh@ll.mit.edu

Herzog & Khazan         Expires September 2, 2012              [Page 19]