Network Working Group J. Schaad
Request for Comments: 3565 Soaring Hawk Consulting
Category: Standards Track July 2003
Use of the Advanced Encryption Standard (AES) Encryption
Algorithm in Cryptographic Message Syntax (CMS)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document specifies the conventions for using the Advanced
Encryption Standard (AES) algorithm for encryption with the
Cryptographic Message Syntax (CMS).
Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119
This document specifies the conventions for using the Advanced Encryption
Standard (AES) content encryption algorithm with the Cryptographic
Message Syntax [CMS] enveloped-data and encrypted-data content types.
CMS values are generated using ASN.1 [X.208-88], using the Basic
Encoding Rules (BER) [X.209-88] and the Distinguished Encoding Rules
1.1. AES
The Advanced Encryption Standard (AES) [AES] was developed to replace
DES [DES]. The AES Federal Information Processing Standard (FIPS)
Publication specifies a cryptographic algorithm for use by U.S.
Government organizations. However, the AES will also be widely used
by organizations, institutions, and individuals outside of the U.S.
Two researchers who developed and submitted the Rijndael algorithm
for consideration are both cryptographers from Belgium: Dr. Joan
Daemen of Proton World International and Dr. Vincent Rijmen, a
postdoctoral researcher in the Electrical Engineering Department of
Katholieke Universiteit Leuven.
The National Institute of Standards and Technology (NIST) selected
the Rijndael algorithm for AES because it offers a combination of
security, performance, efficiency, ease of implementation, and
flexibility. Specifically, Rijndael appears to be consistently a
very good performer in both hardware and software across a wide range
of computing environments regardless of its use in feedback or
non-feedback modes. Its key setup time is excellent, and its key
agility is good. The very low memory requirements of the Rijndael
algorithm make it very well suited for restricted-space environments,
in which it also demonstrates excellent performance. The Rijndael
algorithm operations are among the easiest to defend against power
and timing attacks. Additionally, it appears that some defense can
be provided against such attacks without significantly impacting the
algorithm's performance. Finally, the algorithm's internal round
structure appears to have good potential to benefit from
The AES specifies three key sizes: 128, 192 and 256 bits.
2. Enveloped-data Conventions
The CMS enveloped-data content type consists of encrypted content and
wrapped content-encryption keys for one or more recipients. The AES
algorithm is used to encrypt the content.
Compliant software MUST meet the requirements for constructing an
enveloped-data content type stated in [CMS] Section 6,
"Enveloped-data Content Type".
The AES content-encryption key MUST be randomly generated for each
instance of an enveloped-data content type. The content-encryption
key (CEK) is used to encrypt the content.
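The per-instance CEK and its per-recipient wrapping, as an added example
that is not part of the RFC text. The function names are hypothetical, the
recipient keys are constructed, and RSA-OAEP with SHA-256 is this example's
assumption for the RSA key transport step.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewCEK returns a fresh random AES content-encryption key.
// Only the three AES key sizes (128, 192, 256 bits) are accepted.
func NewCEK(keyBits int) ([]byte, error) {
	if keyBits != 128 && keyBits != 192 && keyBits != 256 {
		return nil, fmt.Errorf("invalid AES key size: %d bits", keyBits)
	}
	cek := make([]byte, keyBits/8)
	_, err := rand.Read(cek) // CSPRNG; call once per enveloped-data instance
	return cek, err
}

// WrapForRecipients encrypts the same CEK separately under each recipient's
// RSA public key. OAEP with SHA-256 is an assumption of this example.
func WrapForRecipients(cek []byte, recipients []*rsa.PublicKey) ([][]byte, error) {
	wrapped := make([][]byte, 0, len(recipients))
	for _, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
		if err != nil {
			return nil, err
		}
		wrapped = append(wrapped, w)
	}
	return wrapped, nil
}

// Unwrap recovers the CEK from one recipient's wrapped copy.
func Unwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed test recipients
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	cek, _ := NewCEK(256)
	wrapped, _ := WrapForRecipients(cek, []*rsa.PublicKey{&alice.PublicKey, &bob.PublicKey})
	got, _ := Unwrap(bob, wrapped[1])
	fmt.Println("bob recovered CEK:", string(got) == string(cek))
}
```

Each recipient receives a different wrapped value for the same CEK, and a
second message must call NewCEK again rather than reuse the first key.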
AES can be used with the enveloped-data content type using any of the
following key management techniques defined in [CMS] Section 6.
1) Key Transport: The AES CEK is uniquely wrapped for each recipient
using the recipient's public RSA key and other values. Section 2.2