Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)
RFC 5084

Document Type RFC - Proposed Standard (November 2007; No errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html
Stream WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 5084 (Proposed Standard)
Telechat date
Responsible AD Tim Polk
Send notices to smime-chairs@ietf.org, housley@vigilsec.com
Network Working Group                                         R. Housley
Request for Comments: 5084                                Vigil Security
Category: Standards Track                                  November 2007

           Using AES-CCM and AES-GCM Authenticated Encryption
               in the Cryptographic Message Syntax (CMS)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document specifies the conventions for using the AES-CCM and the
   AES-GCM authenticated encryption algorithms with the Cryptographic
   Message Syntax (CMS) authenticated-enveloped-data content type.

1.  Introduction

   This document specifies the conventions for using Advanced Encryption
   Standard-Counter with Cipher Block Chaining-Message Authentication
   Code (AES-CCM) and AES-Galois/Counter Mode (GCM) authenticated
   encryption algorithms as the content-authenticated-encryption
   algorithm with the Cryptographic Message Syntax [CMS] authenticated-
   enveloped-data content type [AuthEnv].

1.1.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [STDWORDS].

1.2.  ASN.1

   CMS values are generated using ASN.1 [X.208-88], which uses the Basic
   Encoding Rules (BER) [X.209-88] and the Distinguished Encoding Rules
   (DER) [X.509-88].

1.3.  AES

   Dr. Joan Daemen and Dr. Vincent Rijmen, both from Belgium, developed
   the Rijndael block cipher algorithm, and they submitted it for
   consideration as the Advanced Encryption Standard (AES).  Rijndael

Housley                     Standards Track                     [Page 1]
RFC 5084          Using AES-CCM and AES-GCM in the CMS     November 2007

   was selected by the National Institute for Standards and Technology
   (NIST), and it is specified in a U.S. Federal Information Processing
   Standard (FIPS) Publication [AES].  NIST selected the Rijndael
   algorithm for AES because it offers a combination of security,
   performance, efficiency, ease of implementation, and flexibility.
   Specifically, the algorithm performs well in both hardware and
   software across a wide range of computing environments.  Also, the
   very low memory requirements of the algorithm make it very well
   suited for restricted-space environments.  The AES is widely used by
   organizations, institutions, and individuals outside of the U.S.
   Government.

   The AES specifies three key sizes: 128, 192, and 256 bits.

1.4.  AES-CCM

   The Counter with CBC-MAC (CCM) mode of operation is specified in
   [CCM].  CCM is a generic authenticated encryption block cipher mode.
   CCM is defined for use with any 128-bit block cipher, but in this
   document, CCM is used with the AES block cipher.

   AES-CCM has four inputs: an AES key, a nonce, a plaintext, and
   optional additional authenticated data (AAD).  AES-CCM generates two
   outputs: a ciphertext and a message authentication code (also called
   an authentication tag).

   The nonce is generated by the party performing the authenticated
   encryption operation.  Within the scope of any authenticated-
   encryption key, the nonce value MUST be unique.  That is, the set of
   nonce values used with any given key MUST NOT contain any duplicate
   values.  Using the same nonce for two different messages encrypted
   with the same key destroys the security properties.

   AAD is authenticated but not encrypted.  Thus, the AAD is not
   included in the AES-CCM output.  It can be used to authenticate
   plaintext packet headers.  In the CMS authenticated-enveloped-data
   content type, authenticated attributes comprise the AAD.

1.5.  AES-GCM

   The Galois/Counter Mode (GCM) is specified in [GCM].  GCM is a
   generic authenticated encryption block cipher mode.  GCM is defined
   for use with any 128-bit block cipher, but in this document, GCM is
   used with the AES block cipher.

   AES-GCM has four inputs: an AES key, an initialization vector (IV), a
   plaintext content, and optional additional authenticated data (AAD).
   AES-GCM generates two outputs: a ciphertext and message

Housley                     Standards Track                     [Page 2]
RFC 5084          Using AES-CCM and AES-GCM in the CMS     November 2007
Show full document text