S/MIME Working Group S. Moriai
Internet Draft Nippon Telegraph and Telephone Corporation
Expiration Date: April 2003 A. Kato
NTT Software Corporation
October 2002
Use of the Camellia Encryption Algorithm in CMS
<draft-ietf-smime-camellia-00.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Comments or suggestions for improvement may be made on the
"ietf-smime" mailing list, or directly to the author.
Abstract
This document specifies how to incorporate the Camellia encryption
algorithm into the S/MIME Cryptographic Message Syntax (CMS) as an
additional algorithm for symmetric encryption. The relevant OIDs
and processing steps are provided so that Camellia may be included
in the CMS specification (RFC 3369, RFC 3370) for content and key
encryption.
1. Introduction
This document specifies the conventions for using the Camellia
encryption algorithm [CamelliaSpec][CamelliaID] for encryption with
the Cryptographic Message Syntax (CMS) [CMS].
MORIAI [Page 1]
Internet-Draft Use of Camellia in CMS October 2002
Camellia is a block cipher with 128-bit block size and 128-, 192-,
and 256-bit keys, i.e. the same interface as the Advanced Encryption
Standard (AES). Camellia offers excellent efficiency on both
software and hardware platforms in addition to a high level of
security [CamelliaTech].
CMS values are generated using ASN.1 (X.208-88), using the Basic
Encoding Rules (BER) (X.209-88) and the Distinguished Encoding Rules
(DER) (X.509-88).
The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD
NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document (in
uppercase, as shown) are to be interpreted as described in
[RFC2119].
2. Object Identifiers for Content and Key Encryption
This section provides the OIDs and processing information necessary
for Camellia to be used for content and key encryption in CMS.
Camellia is added to the set of optional symmetric encryption
algorithms in CMS by providing two classes of unique object
identifiers (OIDs). One OID class defines the content encryption
algorithms and the other defines the key encryption algorithms.
Thus a CMS agent can apply Camellia either for content or key
encryption by selecting the corresponding object identifier,
supplying the required parameter, and starting the program code.
2.1 OIDs for Content Encryption
For content encryption the use of Camellia in cipher block chaining
(CBC) mode is RECOMMENDED. The Camellia content-encryption
algorithm, in CBC mode, for the three different key sizes are
identified by the following object identifiers:
id-camellia128-cbc OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) 392 200011 61 security(1)
algorithm(1) symmetric-encryption-algorithm(1)
camellia128-cbc(2) }
id-camellia192-cbc OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) 392 200011 61 security(1)
algorithm(1) symmetric-encryption-algorithm(1)
camellia192-cbc(3) }
id-camellia256-cbc OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) 392 200011 61 security(1)
algorithm(1) symmetric-encryption-algorithm(1)
camellia256-cbc(4) }
To determine the value of IV, the above algorithms take parameter
as:
MORIAI [Page 2]
Internet-Draft Use of Camellia in CMS October 2002
CamelliaCBCParameter ::= CamelliaIV -- Initialization Vector
CamelliaIV ::= OCTET STRING (SIZE(16))
When these object identifiers are used, plaintext is padded before
encrypt it. At least 1 padding octet is appended at the end of the
plaintext to make the length of the plaintext to the multiple of 16
octets. The value of these octets is as same as the number of
appended octets. (e.g., If 10 octets are needed to pad, the value
is 0x0a.)
2.2 OIDs for Key Encryption
The key-wrap/unwrap procedures used to encrypt/decrypt a Camellia
content-encryption key (CEK) with a Camellia key-encryption key
(KEK) are specified in Section 3. Generation and distribution of
key-encryption keys are beyond the scope of this document.
The Camellia key-encryption algorithm has the following object
identifier:
$@!!!!!!(Jid-camellia128-wrap OBJECT IDENTIFIER ::=
$@!!!!!!(J { iso(1) member-body(2) 392 200011 61 security(1)
$@!!!!!!(J algorithm(1) key-wrap-algorithm(3)
$@!!!!!!(J camellia128-wrap(2) }
$@!!!!!!(Jid-camellia192-wrap OBJECT IDENTIFIER ::=
$@!!!!!!(J { iso(1) member-body(2) 392 200011 61 security(1)
$@!!!!!!(J algorithm(1) key-wrap-algorithm(3)
$@!!!!!!(J camellia192-wrap(3) }
$@!!!!!!(Jid-camellia256-wrap OBJECT IDENTIFIER ::=
$@!!!!!!(J { iso(1) member-body(2) 392 200011 61 security(1)
$@!!!!!!(J algorithm(1) key-wrap-algorithm(3)
$@!!!!!!(J camellia256-wrap(4) }
In all cases the parameters field of AlgorithmIdentifier MUST be
NULL. The OID gives the KEK key size, but does not make any
statements as to the size of the wrapped Camellia CEK.
Implementations MAY use different KEK and CEK sizes. Implements
MUST support the CEK and the KEK having the same length. If
different lengths are supported, the KEK MUST be of equal or greater
length than the CEK.
We don't need additional parameter information associated with this
object identifier contains, because the key wrapping procedure
itself defines how and when to use an IV.
3. Key Wrap Algorithm
Camellia key wrapping and unwrapping is done in conformance with the
MORIAI [Page 3]
Internet-Draft Use of Camellia in CMS October 2002
AES key wrap algorithm [AES-WRAP][RFC3394], because Camellia and AES
have the same block and key sizes, i.e. the block size of 128 bits
and key sizes of 128, 192, and 256 bits.
3.1 Camellia Key Wrap
Key wrapping with Camellia is identical to [RFC3394], Section 2.2.1,
with "AES" replaced by "Camellia".
3.2 Camellia Key Unwrap
Key unwrapping with Camellia is identical to [RFC3394], Section
2.2.2, with "AES" replaced by "Camellia".
4. Security Considerations
This document specifies the use of Camellia for encrypting the
content of a CMS message and for encrypting the symmetric key used
to encrypt the content of a CMS message. Since Camellia supports
the key length of 128, 192 and 256 bits, it provides enough security
against exhaustive key attacks. Against other attacks Camellia is
believed to be secure, and it has withstood extensive cryptanalytic
efforts in several open, worldwide cryptographic evaluation
projects.
For other security considerations, please refer to the security
considerations of the CMS specifications [CMS][CMSALG] and the AES
key wrap algorithm [AES-WRAP][RFC3394].
5. Intellectual Property Statement
Mitsubishi Electric Corporation (Mitsubishi Electric) and Nippon
Telegraph and Telephone Corporation (NTT) have pending applications
or filed patents which are essential to Camellia. License policy
for these essential patents will be available on the IETF page of
Intellectual Property Rights Notices.
References
[AES-WRAP] National Institute of Standards and Technology. AES Key
Wrap Specification. 17 November 2001.
http://csrc.nist.gov/encryption/kms/key-wrap.pdf
[CamelliaID] J. Nakajima and S. Moriai, "A Description of the
Camellia Encryption Algorithm", Internet-Draft, July 2001.
draft-nakajima-camellia-02.txt
[CamelliaSpec] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
J. Nakajima, and T. Tokita ``Specification of Camellia - a
128-bit Block Cipher''. http://info.isl.ntt.co.jp/camellia/
MORIAI [Page 4]
Internet-Draft Use of Camellia in CMS October 2002
[CamelliaTech] K. Aoki, T. Ichikawa, M. Kanda, M. Matsui, S. Moriai,
J. Nakajima, and T. Tokita ``Camellia: A 128-Bit Block Cipher
Suitable for Multiple Platforms - Design and Analysis -'', In
Selected Areas in Cryptography, 7th Annual International
Workshop, SAC 2000, August 2000, Proceedings, Lecture Notes in
Computer Science 2012, pp.39--56, Springer-Verlag, 2001.
[CMS] R. Housley, "Cryptographic Message Syntax", RFC 3369, August
2002.
[CMSALG] R. Housley, "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3370, August 2002.
[RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3394] J. Schaad and R. Housley, "Advanced Encryption Standard
(AES) Key Wrap Algorithm", RFC 3394, September 2002.
Authors' Address
Shiho Moriai
Nippon Telegraph and Telephone Corporation
Phone: +81-468-59-2007
FAX: +81-468-59-3858
Email: shiho@isl.ntt.co.jp
Akihiro Kato
NTT Software Corporation
Phone: +81-45-212-7404
FAX: +81-45-212-7410
Email: akato@po.ntts.co.jp
MORIAI [Page 5]
