Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)
RFC 5084
| Document | Type | RFC - Proposed Standard (November 2007; Errata) | |
|---|---|---|---|
| Author | Russ Housley | ||
| Last updated | 2016-07-02 | ||
| Stream | IETF | ||
| Formats | plain text html pdf htmlized bibtex | ||
| Reviews | |||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 5084 (Proposed Standard) | |
| Action Holders |
(None)
|
||
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Tim Polk | ||
| Send notices to | (None) | ||
Network Working Group R. Housley
Request for Comments: 5084 Vigil Security
Category: Standards Track November 2007
Using AES-CCM and AES-GCM Authenticated Encryption
in the Cryptographic Message Syntax (CMS)
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Abstract
This document specifies the conventions for using the AES-CCM and the
AES-GCM authenticated encryption algorithms with the Cryptographic
Message Syntax (CMS) authenticated-enveloped-data content type.
1. Introduction
This document specifies the conventions for using Advanced Encryption
Standard-Counter with Cipher Block Chaining-Message Authentication
Code (AES-CCM) and AES-Galois/Counter Mode (GCM) authenticated
encryption algorithms as the content-authenticated-encryption
algorithm with the Cryptographic Message Syntax [CMS] authenticated-
enveloped-data content type [AuthEnv].
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [STDWORDS].
1.2. ASN.1
CMS values are generated using ASN.1 [X.208-88], which uses the Basic
Encoding Rules (BER) [X.209-88] and the Distinguished Encoding Rules
(DER) [X.509-88].
1.3. AES
Dr. Joan Daemen and Dr. Vincent Rijmen, both from Belgium, developed
the Rijndael block cipher algorithm, and they submitted it for
consideration as the Advanced Encryption Standard (AES). Rijndael
Housley Standards Track [Page 1]
RFC 5084 Using AES-CCM and AES-GCM in the CMS November 2007
was selected by the National Institute for Standards and Technology
(NIST), and it is specified in a U.S. Federal Information Processing
Standard (FIPS) Publication [AES]. NIST selected the Rijndael
algorithm for AES because it offers a combination of security,
performance, efficiency, ease of implementation, and flexibility.
Specifically, the algorithm performs well in both hardware and
software across a wide range of computing environments. Also, the
very low memory requirements of the algorithm make it very well
suited for restricted-space environments. The AES is widely used by
organizations, institutions, and individuals outside of the U.S.
Government.
The AES specifies three key sizes: 128, 192, and 256 bits.
1.4. AES-CCM
The Counter with CBC-MAC (CCM) mode of operation is specified in
[CCM]. CCM is a generic authenticated encryption block cipher mode.
CCM is defined for use with any 128-bit block cipher, but in this
document, CCM is used with the AES block cipher.
AES-CCM has four inputs: an AES key, a nonce, a plaintext, and
optional additional authenticated data (AAD). AES-CCM generates two
outputs: a ciphertext and a message authentication code (also called
an authentication tag).
The nonce is generated by the party performing the authenticated
encryption operation. Within the scope of any authenticated-
encryption key, the nonce value MUST be unique. That is, the set of
nonce values used with any given key MUST NOT contain any duplicate
values. Using the same nonce for two different messages encrypted
with the same key destroys the security properties.
AAD is authenticated but not encrypted. Thus, the AAD is not
included in the AES-CCM output. It can be used to authenticate
plaintext packet headers. In the CMS authenticated-enveloped-data
content type, authenticated attributes comprise the AAD.
1.5. AES-GCM
The Galois/Counter Mode (GCM) is specified in [GCM]. GCM is a
generic authenticated encryption block cipher mode. GCM is defined
for use with any 128-bit block cipher, but in this document, GCM is
used with the AES block cipher.
AES-GCM has four inputs: an AES key, an initialization vector (IV), a
plaintext content, and optional additional authenticated data (AAD).
AES-GCM generates two outputs: a ciphertext and message
Housley Standards Track [Page 2]
RFC 5084 Using AES-CCM and AES-GCM in the CMS November 2007
authentication code (also called an authentication tag). To have a
common set of terms for AES-CCM and AES-GCM, the AES-GCM IV is
referred to as a nonce in the remainder of this document.
The nonce is generated by the party performing the authenticated
encryption operation. Within the scope of any authenticated-
Show full document text