Use of the RSAES-OAEP Key Transport Algorithm in Cryptographic Message Syntax (CMS)
RFC 3560

Document Type RFC - Proposed Standard (July 2003; No errata)
Last updated 2013-03-02
Stream IETF
IESG state RFC 3560 (Proposed Standard)
Responsible AD Steven Bellovin
Network Working Group                                         R. Housley
Request for Comments: 3560                                Vigil Security
Category: Standards Track                                      July 2003

            Use of the RSAES-OAEP Key Transport Algorithm in
                 the Cryptographic Message Syntax (CMS)

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This document describes the conventions for using the RSAES-OAEP key
   transport algorithm with the Cryptographic Message Syntax (CMS).  The
   CMS specifies the enveloped-data content type, which consists of an
   encrypted content and encrypted content-encryption keys for one or
   more recipients.  The RSAES-OAEP key transport algorithm can be used
   to encrypt content-encryption keys for intended recipients.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Enveloped-data Conventions . . . . . . . . . . . . . . . . . .  3
       2.1.  EnvelopedData Fields . . . . . . . . . . . . . . . . . .  3
       2.2.  KeyTransRecipientInfo Fields . . . . . . . . . . . . . .  4
   3.  RSAES-OAEP Algorithm Identifiers and Parameters. . . . . . . .  4
   4.  Certificate Conventions. . . . . . . . . . . . . . . . . . . .  6
   5.  SMIMECapabilities Attribute Conventions. . . . . . . . . . . .  8
   6.  Security Considerations. . . . . . . . . . . . . . . . . . . .  9
   7.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 11
   8.  Intellectual Property Rights Statement . . . . . . . . . . . . 11
   9.  Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 11
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
       10.1.  Normative References. . . . . . . . . . . . . . . . . . 11
       10.2.  Informative References. . . . . . . . . . . . . . . . . 12
   Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 14
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 18

Housley                     Standards Track                     [Page 1]
RFC 3560                   RSAES-OAEP in CMS                   July 2003

1.  Introduction

   PKCS #1 Version 1.5 [PKCS#1v1.5] specifies a widely deployed variant
   of the RSA key transport algorithm.  PKCS #1 Version 1.5 key
   transport is vulnerable to adaptive chosen ciphertext attacks,
   especially when it is used for key management in interactive
   applications.  This attack is often referred to as the "Million
   Message Attack," and it is explained in [RSALABS] and [CRYPTO98].
   Exploitation of this vulnerability, which reveals the result of a
   particular RSA decryption, requires access to an oracle which will
   respond to hundreds of thousands of ciphertexts, which are
   constructed adaptively in response to previously received replies
   that provide information on the successes or failures of attempted
   decryption operations.

   The attack is significantly less feasible in store-and-forward
   environments, such as S/MIME.  RFC 3218 [MMA] discussed the
   countermeasures to this attack that are available when PKCS #1
   Version 1.5 key transport is used in conjunction with the
   Cryptographic Message Syntax (CMS) [CMS].

   When PKCS #1 Version 1.5 key transport is applied as an intermediate
   encryption layer within an interactive request-response
   communications environment, exploitation could be more feasible.
   However, Secure Sockets Layer (SSL) [SSL] and Transport Layer
   Security (TLS) [TLS] protocol implementations could include
   countermeasures that detect and prevent the Million Message Attack
   and other chosen-ciphertext attacks.  These countermeasures are
   performed within the protocol level.

   In the interest of long-term security assurance, it is prudent to
   adopt an improved cryptographic technique rather than embedding
   countermeasures within protocols.  To this end, an updated version of
   PKCS #1 has been published.  PKCS #1 Version 2.1 [PKCS#1v2.1]
   supersedes RFC 2313.  It preserves support for the PKCS #1 Version
   1.5 encryption padding format, and it also defines a new one.  To
   resolve the adaptive chosen ciphertext vulnerability, the PKCS #1
   Version 2.1 specifies and recommends use of Optimal Asymmetric
   Encryption Padding (OAEP) for RSA key transport.
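   As an added illustration, not part of the RFC text, the following
   pure-Python code carries out the EME-OAEP encoding and decoding
   steps of PKCS #1 v2.1 with the parameter set RFC 3560 adopts as the
   default for CMS (SHA-1, MGF1 with SHA-1, empty label).  The modulus
   length k, the content-encryption key and the fixed seed are
   constructed values, and the RSA modular exponentiation itself is
   omitted, since the padding transform is what separates RSAES-OAEP
   from PKCS #1 Version 1.5 key transport.

```python
import hashlib
import hmac
import os

HLEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1 (RFC 3560 default hash)


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (PKCS #1 v2.1, Appendix B.2.1) built on SHA-1, the RFC 3560 default."""
    out = b""
    for counter in range((mask_len + HLEN - 1) // HLEN):
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, k: int, label: bytes = b"", seed=None) -> bytes:
    """EME-OAEP encoding (PKCS #1 v2.1, 7.1.1): build the k-byte block fed to the
    RSA primitive. k = modulus length in bytes; the empty label is pSpecifiedEmpty.
    A fixed seed is only for reproducible tests; real code must use os.urandom."""
    if len(message) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    l_hash = hashlib.sha1(label).digest()
    ps = b"\x00" * (k - len(message) - 2 * HLEN - 2)
    db = l_hash + ps + b"\x01" + message
    seed = os.urandom(HLEN) if seed is None else seed
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """EME-OAEP decoding (PKCS #1 v2.1, 7.1.2). All checks are folded into one flag
    and reported through one generic error, so a recipient that answers
    decryption requests does not reveal which check failed."""
    if len(em) != k or k < 2 * HLEN + 2:
        raise ValueError("decryption error")
    l_hash = hashlib.sha1(label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    sep = -1  # index of the 0x01 separator; -2 marks a malformed padding string
    for i in range(HLEN, len(db)):
        if sep == -1 and db[i] == 0x01:
            sep = i
        elif sep == -1 and db[i] != 0x00:
            sep = -2
    ok = y == 0 and hmac.compare_digest(db[:HLEN], l_hash) and sep >= HLEN
    if not ok:
        raise ValueError("decryption error")
    return db[sep + 1:]
```

   With k = 128 (a 1024-bit modulus) the longest message that fits is
   k - 2*HLEN - 2 = 86 bytes, comfortably more than any symmetric
   content-encryption key; any alteration of the encoded block, wherever
   it lands, surfaces as the same "decryption error".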