Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)
RFC 5084
| Section | Field | Value |
|---|---|---|
| Document | Type | RFC - Proposed Standard (November 2007; Errata) |
| Document | Author | Russ Housley |
| Document | Last updated | 2016-07-02 |
| Document | Stream | IETF |
| Document | Formats | plain text, html, pdf, htmlized, bibtex |
| Document | Reviews | (none) |
| Stream | WG state | (None) |
| Stream | Document shepherd | No shepherd assigned |
| IESG | IESG state | RFC 5084 (Proposed Standard) |
| IESG | Action Holders | (None) |
| IESG | Consensus Boilerplate | Unknown |
| IESG | Telechat date | (none) |
| IESG | Responsible AD | Tim Polk |
| IESG | Send notices to | (None) |
Network Working Group                                         R. Housley
Request for Comments: 5084                                Vigil Security
Category: Standards Track                                  November 2007

Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Abstract

This document specifies the conventions for using the AES-CCM and the AES-GCM authenticated encryption algorithms with the Cryptographic Message Syntax (CMS) authenticated-enveloped-data content type.

1. Introduction

This document specifies the conventions for using Advanced Encryption Standard-Counter with Cipher Block Chaining-Message Authentication Code (AES-CCM) and AES-Galois/Counter Mode (GCM) authenticated encryption algorithms as the content-authenticated-encryption algorithm with the Cryptographic Message Syntax [CMS] authenticated-enveloped-data content type [AuthEnv].

1.1. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [STDWORDS].

1.2. ASN.1

CMS values are generated using ASN.1 [X.208-88], which uses the Basic Encoding Rules (BER) [X.209-88] and the Distinguished Encoding Rules (DER) [X.509-88].

1.3. AES

Dr. Joan Daemen and Dr. Vincent Rijmen, both from Belgium, developed the Rijndael block cipher algorithm, and they submitted it for consideration as the Advanced Encryption Standard (AES). Rijndael was selected by the National Institute for Standards and Technology (NIST), and it is specified in a U.S. Federal Information Processing Standard (FIPS) Publication [AES].

NIST selected the Rijndael algorithm for AES because it offers a combination of security, performance, efficiency, ease of implementation, and flexibility. Specifically, the algorithm performs well in both hardware and software across a wide range of computing environments. Also, the very low memory requirements of the algorithm make it very well suited for restricted-space environments. The AES is widely used by organizations, institutions, and individuals outside of the U.S. Government.

The AES specifies three key sizes: 128, 192, and 256 bits.

1.4. AES-CCM

The Counter with CBC-MAC (CCM) mode of operation is specified in [CCM]. CCM is a generic authenticated encryption block cipher mode. CCM is defined for use with any 128-bit block cipher, but in this document, CCM is used with the AES block cipher.

AES-CCM has four inputs: an AES key, a nonce, a plaintext, and optional additional authenticated data (AAD). AES-CCM generates two outputs: a ciphertext and a message authentication code (also called an authentication tag).

The nonce is generated by the party performing the authenticated encryption operation. Within the scope of any authenticated-encryption key, the nonce value MUST be unique. That is, the set of nonce values used with any given key MUST NOT contain any duplicate values. Using the same nonce for two different messages encrypted with the same key destroys the security properties.

AAD is authenticated but not encrypted. Thus, the AAD is not included in the AES-CCM output. It can be used to authenticate plaintext packet headers. In the CMS authenticated-enveloped-data content type, authenticated attributes comprise the AAD.

1.5. AES-GCM

The Galois/Counter Mode (GCM) is specified in [GCM]. GCM is a generic authenticated encryption block cipher mode. GCM is defined for use with any 128-bit block cipher, but in this document, GCM is used with the AES block cipher.

AES-GCM has four inputs: an AES key, an initialization vector (IV), a plaintext content, and optional additional authenticated data (AAD). AES-GCM generates two outputs: a ciphertext and message authentication code (also called an authentication tag). To have a common set of terms for AES-CCM and AES-GCM, the AES-GCM IV is referred to as a nonce in the remainder of this document.

The nonce is generated by the party performing the authenticated encryption operation. Within the scope of any authenticated-
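The four-input, two-output interface described in Sections 1.4 and 1.5, the AAD that is authenticated but never encrypted, and the per-key nonce uniqueness rule, shown as an added Go example that is not code from the RFC or from any CMS implementation. It uses AES-GCM from Go's standard library (Go ships no CCM mode, but CCM has the same inputs and outputs); the key, nonce and AAD values are constructed placeholders, and the in-memory per-key nonce set is an assumption made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample key (AES-128). In CMS the content-encryption key arrives
// via RecipientInfo; this fixed value exists only so the example runs offline.
var SampleKey = []byte("0123456789abcdef")

// ErrNonceReuse is returned when a nonce is presented a second time under one key.
var ErrNonceReuse = errors.New("nonce already used with this key")

// AEADSession binds one AES-GCM key and records every nonce sealed under it, so
// the "nonce values MUST be unique per key" rule is enforced at the API boundary.
// Assumption: an in-memory set is enough for illustration; a deployment would use
// a monotonic counter or durable state that survives restarts.
type AEADSession struct {
	aead cipher.AEAD
	seen map[string]struct{}
}

func NewAEADSession(key []byte) (*AEADSession, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
	if err != nil {
		return nil, err
	}
	return &AEADSession{aead: aead, seen: make(map[string]struct{})}, nil
}

// FreshNonce returns a random nonce of the size this AEAD expects.
func (s *AEADSession) FreshNonce() ([]byte, error) {
	n := make([]byte, s.aead.NonceSize())
	_, err := rand.Read(n)
	return n, err
}

// Seal takes the per-message inputs (nonce, plaintext, AAD; the key is bound in
// the session) and returns the two outputs the RFC names separately: ciphertext
// and authentication tag. Go appends the tag to the ciphertext, so it is split off.
func (s *AEADSession) Seal(nonce, plaintext, aad []byte) (ciphertext, tag []byte, err error) {
	if len(nonce) != s.aead.NonceSize() {
		return nil, nil, fmt.Errorf("nonce must be %d bytes, got %d", s.aead.NonceSize(), len(nonce))
	}
	if _, dup := s.seen[string(nonce)]; dup {
		return nil, nil, ErrNonceReuse
	}
	s.seen[string(nonce)] = struct{}{}
	out := s.aead.Seal(nil, nonce, plaintext, aad)
	cut := len(out) - s.aead.Overhead()
	return out[:cut], out[cut:], nil
}

// Open rejoins ciphertext and tag and verifies both the ciphertext and the AAD.
// Any change to either (or to the nonce) fails authentication and no plaintext
// is released. The AAD is not part of the ciphertext: it is only authenticated.
func (s *AEADSession) Open(nonce, ciphertext, tag, aad []byte) ([]byte, error) {
	joined := append(append([]byte{}, ciphertext...), tag...)
	return s.aead.Open(nil, nonce, joined, aad)
}

// NonceReuseLeaksXOR shows why uniqueness is a MUST: two plaintexts sealed under
// the same key and nonce (bypassing the session guard) produce ciphertexts whose
// XOR equals the XOR of the plaintexts, because the counter-mode keystream repeats.
func NonceReuseLeaksXOR(key, nonce, p1, p2 []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	c1 := aead.Seal(nil, nonce, p1, nil)[:len(p1)]
	c2 := aead.Seal(nil, nonce, p2, nil)[:len(p2)]
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	for i := 0; i < n; i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	s, err := NewAEADSession(SampleKey)
	if err != nil {
		panic(err)
	}
	nonce, _ := s.FreshNonce()
	aad := []byte("authAttrs: content-type=id-data") // constructed stand-in for CMS authenticated attributes
	ct, tag, err := s.Seal(nonce, []byte("example content"), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext=%x tag=%x\n", ct, tag)
	if _, err := s.Open(nonce, ct, tag, []byte("tampered attributes")); err != nil {
		fmt.Println("AAD tamper detected:", err)
	}
	if _, _, err := s.Seal(nonce, []byte("second message"), aad); errors.Is(err, ErrNonceReuse) {
		fmt.Println("nonce reuse refused:", err)
	}
	pt, _ := s.Open(nonce, ct, tag, aad)
	fmt.Println("decrypted ok:", bytes.Equal(pt, []byte("example content")))
}
```

The session type keeps the RFC's separation of ciphertext and tag visible, which matters when the tag is carried in a distinct CMS field rather than appended. The AAD passed to Open must be byte-for-byte what the sender authenticated, which is why the authenticated attributes are DER-encoded deterministically in CMS.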