Internet Engineering Task Force (IETF) J. Schaad
Request for Comments: 6211 Soaring Hawk Consulting
Category: Standards Track April 2011
ISSN: 2070-1721
Internet Engineering Task Force (IETF) J. Schaad
Request for Comments: 6211 Soaring Hawk Consulting
Category: Standards Track April 2011
ISSN: 2070-1721
Cryptographic Message Syntax (CMS) Algorithm Identifier Protection Attribute
加密消息语法(CMS)算法标识符保护属性
Abstract
摘要
The Cryptographic Message Syntax (CMS), unlike X.509/PKIX certificates, is vulnerable to algorithm substitution attacks. In an algorithm substitution attack, the attacker changes either the algorithm being used or the parameters of the algorithm in order to change the result of a signature verification process. In X.509 certificates, the signature algorithm is protected because it is duplicated in the TBSCertificate.signature field with the proviso that the validator is to compare both fields as part of the signature validation process. This document defines a new attribute that contains a copy of the relevant algorithm identifiers so that they are protected by the signature or authentication process.
与X.509/PKIX证书不同,加密消息语法(CMS)容易受到算法替换攻击。在算法替换攻击中,攻击者更改正在使用的算法或算法参数,以更改签名验证过程的结果。在X.509证书中,签名算法受到保护,因为它在TBSCertificate.signature字段中重复,但有一个条件,即验证器在签名验证过程中要比较这两个字段。本文档定义了一个新属性,该属性包含相关算法标识符的副本,以便它们受到签名或身份验证过程的保护。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6211.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6211.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Notation . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Attribute Structure . . . . . . . . . . . . . . . . . . . . . . 5
3. Verification Process . . . . . . . . . . . . . . . . . . . . . 7
3.1. Signed Data Verification Changes . . . . . . . . . . . . . 7
3.2. Authenticated Data Verification Changes . . . . . . . . . . 7
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 8
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. Normative References . . . . . . . . . . . . . . . . . . . 8
6.2. Informational References . . . . . . . . . . . . . . . . . 9
Appendix A. 2008 ASN.1 Module . . . . . . . . . . . . . . . . . 10
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Notation . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Attribute Structure . . . . . . . . . . . . . . . . . . . . . . 5
3. Verification Process . . . . . . . . . . . . . . . . . . . . . 7
3.1. Signed Data Verification Changes . . . . . . . . . . . . . 7
3.2. Authenticated Data Verification Changes . . . . . . . . . . 7
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 8
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
6.1. Normative References . . . . . . . . . . . . . . . . . . . 8
6.2. Informational References . . . . . . . . . . . . . . . . . 9
Appendix A. 2008 ASN.1 Module . . . . . . . . . . . . . . . . . 10
The Cryptographic Message Syntax [CMS], unlike X.509/PKIX certificates [RFC5280], is vulnerable to algorithm substitution attacks. In an algorithm substitution attack, the attacker changes either the algorithm being used or the parameters of the algorithm in order to change the result of a signature verification process. In X.509 certificates, the signature algorithm is protected because it is duplicated in the TBSCertificate.signature field with the proviso that the validator is to compare both fields as part of the signature validation process. This document defines a new attribute that contains a copy of the relevant algorithm identifiers so that they are protected by the signature or authentication process.
与X.509/PKIX证书[RFC5280]不同,加密消息语法[CMS]容易受到算法替换攻击。在算法替换攻击中,攻击者更改正在使用的算法或算法参数,以更改签名验证过程的结果。在X.509证书中,签名算法受到保护,因为它在TBSCertificate.signature字段中重复,但有一个条件,即验证器在签名验证过程中要比较这两个字段。本文档定义了一个新属性,该属性包含相关算法标识符的副本,以便它们受到签名或身份验证过程的保护。
In an algorithm substitution attack, the attacker looks for a different algorithm that produces the same result as the algorithm used by the signer. As an example, if the creator of the message used SHA-1 as the digest algorithm to hash the message content, then the attacker looks for a different hash algorithm that produces a result that is of the same length, but with which it is easier to find collisions. Examples of other algorithms that produce a hash value of the same length would be SHA-0 or RIPEMD-160. Similar attacks can be mounted against parameterized algorithm identifiers. When looking at some of the proposed randomized hashing functions, such as that in [RANDOM-HASH], the associated security proofs assume that the parameters are solely under the control of the originator and not subject to selection by the attacker.
在算法替换攻击中,攻击者寻找与签名者使用的算法产生相同结果的不同算法。例如,如果消息的创建者使用SHA-1作为摘要算法对消息内容进行哈希,则攻击者会寻找另一种哈希算法,该算法生成的结果长度相同,但更容易找到冲突。产生相同长度散列值的其他算法的示例为SHA-0或RIPEMD-160。可以针对参数化算法标识符发起类似的攻击。当查看一些建议的随机散列函数时,如[RANDOM-HASH]中的函数,相关的安全性证明假设参数完全由发起人控制,不受攻击者的选择。
Some algorithms have been internally designed to be more resistant to this type of attack. Thus, an RSA PKCS #1 v.15 signature [RFC3447] cannot have the associated hash algorithm changed because it is encoded as part of the signature. The Digital Signature Algorithm (DSA) was originally defined so that it would only work with SHA-1 as a hash algorithm; thus, by knowing the public key from the certificate, a validator can be assured that the hash algorithm cannot be changed. There is a convention, undocumented as far as I can tell, that the same hash algorithm should be used for both the content digest and the signature digest. There are cases, such as third-party signers that are only given a content digest, where such a convention cannot be enforced.
一些算法在内部设计为更能抵抗这种类型的攻击。因此,RSA PKCS#1 v.15签名[RFC3447]不能更改相关的哈希算法,因为它是作为签名的一部分进行编码的。数字签名算法(DSA)最初的定义是,它只能作为哈希算法与SHA-1一起使用;因此,通过从证书中了解公钥,验证器可以确保哈希算法不能更改。据我所知,有一个惯例是没有文档记录的,内容摘要和签名摘要都应该使用相同的哈希算法。在某些情况下,例如仅向第三方签名者提供内容摘要,这样的约定无法实施。
As with all attacks, the attack is going to be desirable on items that are both long term and high value. One would expect that these attacks are more likely to be made on older documents, as the algorithms being used when the message was signed would be more likely to have degraded over time. Countersigning, the classic method of protecting a signature, does not provide any additional protection against an algorithm substitution attack because
与所有攻击一样,对长期和高价值的物品进行攻击是可取的。人们可能会认为,这些攻击更有可能发生在较旧的文档上,因为在消息签名时使用的算法更有可能随着时间的推移而降级。反签名是保护签名的经典方法,它不会对算法替换攻击提供任何额外的保护,因为
countersignatures sign just the signature, but the algorithm substitution attacks leave the signature value alone while changing the algorithms being used.
反签名只对签名进行签名,但算法替换攻击在更改所使用的算法时不使用签名值。
Using the SignerInfo structure from CMS, let's take a more detailed look at each of the fields in the structure and discuss what fields are and are not protected by the signature. I have included a copy of the ASN.1 here for convenience. A similar analysis of the AuthenticatedData structure is left to the reader, but it can be done in much the same way.
使用CMS中的SwitueNevices结构,让我们更详细地查看结构中的每个字段,并讨论哪些字段是不受签名保护的字段。为了方便起见,我在这里附上了ASN.1的副本。对AuthenticatedData结构的类似分析留给读者,但也可以用大致相同的方式进行。
SignerInfo ::= SEQUENCE {
version CMSVersion,
sid SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue,
unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
SignerInfo ::= SEQUENCE {
version CMSVersion,
sid SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue,
unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
version is not protected by the signature. As many implementations of CMS today ignore the value of this field, that is not a problem. If the value is increased, then no changes in the processing are expected. If the value is decreased, implementations that respect the structure would fail to decode, but an erroneous signature validation would not be completed successfully.
版本不受签名保护。今天,CMS的许多实现忽略了这个字段的价值,这不是问题。如果该值增加,则处理过程中不会发生任何更改。如果该值减小,则尊重该结构的实现将无法解码,但错误的签名验证将无法成功完成。
sid can be protected using either version of the signing certificate authenticated attribute. SigningCertificateV2 is defined in [RFC5035]. SigningCertificate is defined in [ESS-BASE]. In addition to allowing for the protection of the signer identifier, the specific certificate is protected by including a hash of the certificate to be used for validation.
可以使用签名证书认证属性的任一版本来保护sid。[RFC5035]中定义了签名证书EV2。签名证书在[ESS-BASE]中定义。除了允许保护签名者标识符之外,还通过包括用于验证的证书的散列来保护特定证书。
digestAlgorithm has been implicitly protected by the fact that CMS has only defined one digest algorithm for each hash value length. (The algorithm RIPEMD-160 was never standardized.) There is also an unwritten convention that the same digest algorithm should be used both here and for the signature algorithm. If newer digest algorithms are defined so that there are multiple algorithms for a given hash length (it is expected that the SHA-3 project will do so), or that parameters are defined for a specific algorithm, much of the implicit protection will be lost.
digestAlgorithm受到隐式保护,因为CMS只为每个哈希值长度定义了一个摘要算法。(RIPEMD-160算法从未标准化。)还有一个不成文的约定,即此处和签名算法都应使用相同的摘要算法。如果定义了较新的摘要算法,使得给定哈希长度有多个算法(预计SHA-3项目将这样做),或者为特定算法定义了参数,那么大部分隐式保护将丢失。
signedAttributes are directly protected by the signature when they are present. The Distinguished Encoding Rules (DER) encoding of this value is what is hashed for the signature computation.
签名属性在存在时直接受签名保护。此值的可分辨编码规则(DER)编码是为签名计算而散列的内容。
signatureAlgorithm has been protected by implication in the past. The use of an RSA public key implied that the RSA v1.5 signature algorithm was being used. The hash algorithm and this fact could be checked by the internal padding defined. This is no longer true with the addition of the RSA-PSS signature algorithms. The use of a DSA public key implied the SHA-1 hash algorithm as that was the only possible hash algorithm and the DSA was the public signature algorithm. This is still somewhat true as there is an implicit tie between the length of the DSA public key and the length of the hash algorithm to be used, but this is known by convention and there is no explicit enforcement for this.
签名算法在过去一直受到暗示的保护。使用RSA公钥意味着正在使用RSA v1.5签名算法。哈希算法和这个事实可以通过定义的内部填充进行检查。随着RSA-PSS签名算法的增加,情况不再如此。使用DSA公钥意味着SHA-1哈希算法,因为这是唯一可能的哈希算法,而DSA是公共签名算法。这在某种程度上仍然是正确的,因为DSA公钥的长度和要使用的哈希算法的长度之间存在隐式联系,但这是惯例所知的,并且没有明确的强制执行。
signature is not directly protected by any other value unless a counter signature is present. However, this represents the cryptographically computed value that protects the rest of the signature information.
除非存在反签名,否则签名不受任何其他值的直接保护。但是,这表示保护其余签名信息的加密计算值。
unsignedAttrs is not protected by the signature value. The SignedData structure was explicitly designed that unsignedAttrs are not protected by the signature value.
unsignedAttrs不受签名值的保护。SignedData结构被明确设计为不受签名值保护的UnsignedAttr。
As can be seen above, the digestAlgorithm and signatureAlgorithm fields have been indirectly rather than explicitly protected in the past. With new algorithms that have been or are being defined, this will no longer be the case. This document defines and describes a new attribute that will explicitly protect these fields along with the macAlgorithm field of the AuthenticatedData structure.
如上所述,digestAlgorithm和signatureAlgorithm字段在过去一直受到间接保护,而不是明确保护。随着已经或正在定义的新算法的出现,情况将不再如此。本文档定义并描述了一个新属性,该属性将显式保护这些字段以及AuthenticatedData结构的macAlgorithm字段。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
The following defines the algorithm protection attribute:
下面定义了算法保护属性:
The algorithm protection attribute has the ASN.1 type CMSAlgorithmProtection:
算法保护属性具有ASN.1类型CMSAlgorithmProtection:
aa-cmsAlgorithmProtection ATTRIBUTE ::= {
TYPE CMSAlgorithmProtection
IDENTIFIED BY { id-aa-CMSAlgorithmProtection }
}
aa-cmsAlgorithmProtection ATTRIBUTE ::= {
TYPE CMSAlgorithmProtection
IDENTIFIED BY { id-aa-CMSAlgorithmProtection }
}
The following object identifier identifies the algorithm protection attribute:
以下对象标识符标识算法保护属性:
id-aa-CMSAlgorithmProtection OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 52 }
id-aa-CMSAlgorithmProtection OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) 52 }
The algorithm protection attribute uses the following ASN.1 type:
算法保护属性使用以下ASN.1类型:
CMSAlgorithmProtection ::= SEQUENCE {
digestAlgorithm DigestAlgorithmIdentifier,
signatureAlgorithm [1] SignatureAlgorithmIdentifier OPTIONAL,
macAlgorithm [2] MessageAuthenticationCodeAlgorithm
OPTIONAL
}
(WITH COMPONENTS { signatureAlgorithm PRESENT,
macAlgorithm ABSENT } |
WITH COMPONENTS { signatureAlgorithm ABSENT,
macAlgorithm PRESENT })
CMSAlgorithmProtection ::= SEQUENCE {
digestAlgorithm DigestAlgorithmIdentifier,
signatureAlgorithm [1] SignatureAlgorithmIdentifier OPTIONAL,
macAlgorithm [2] MessageAuthenticationCodeAlgorithm
OPTIONAL
}
(WITH COMPONENTS { signatureAlgorithm PRESENT,
macAlgorithm ABSENT } |
WITH COMPONENTS { signatureAlgorithm ABSENT,
macAlgorithm PRESENT })
The fields are defined as follows:
这些字段定义如下:
digestAlgorithm contains a copy of the SignerInfo.digestAlgorithm field or the AuthenticatedData.digestAlgorithm field including any parameters associated with it.
digestAlgorithm包含SignerInfo.digestAlgorithm字段或AuthenticatedData.digestAlgorithm字段的副本,包括与之关联的任何参数。
signatureAlgorithm contains a copy of the signature algorithm identifier and any parameters associated with it (SignerInfo.signatureAlgorithm). This field is populated only if the attribute is placed in a SignerInfo.signedAttrs sequence.
signatureAlgorithm包含签名算法标识符及其相关参数(SignerInfo.signatureAlgorithm)的副本。仅当属性放置在SignerInfo.signedAttrs序列中时,才会填充此字段。
macAlgorithm contains a copy of the message authentication code algorithm identifier and any parameters associated with it (AuthenticatedData.macAlgorithm). This field is populated only if the attribute is placed in an AuthenticatedData.authAttrs sequence.
macAlgorithm包含消息身份验证代码算法标识符的副本以及与其关联的任何参数(AuthenticatedData.macAlgorithm)。仅当属性放置在AuthenticatedData.authAttrs序列中时,才会填充此字段。
Exactly one of signatureAlgorithm or macAlgorithm SHALL be present.
签名算法或macAlgorithm中只有一种应出现。
An algorithm protection attribute MUST have a single attribute value, even though the syntax is defined as a SET OF AttributeValue. There MUST NOT be zero or multiple instances of AttributeValue present.
算法保护属性必须具有单个属性值,即使语法定义为一组AttributeValue。AttributeValue的实例不能为零或多个。
The algorithm protection attribute MUST be a signed attribute or an authenticated attribute; it MUST NOT be an unsigned attribute, an unauthenticated attribute, or an unprotected attribute.
算法保护属性必须是已签名属性或已验证属性;它不能是未签名的属性、未经身份验证的属性或未受保护的属性。
The SignedAttributes and AuthAttributes syntax are each defined as a SET of Attributes. The SignedAttributes in a signerInfo MUST include only one instance of the algorithm protection attribute. Similarly, the AuthAttributes in an AuthenticatedData MUST include only one instance of the algorithm protection attribute.
SignedAttribute和AuthAttributes语法都定义为一组属性。signerInfo中的SignedAttribute只能包含算法保护属性的一个实例。类似地,AuthenticatedData中的AuthAttributes必须仅包含算法保护属性的一个实例。
While the exact verification steps depend on the structure that is being validated, there are some common rules to be followed when comparing the two algorithm structures:
虽然准确的验证步骤取决于正在验证的结构,但在比较两种算法结构时,需要遵循一些常见规则:
o A field with a default value MUST compare as identical, independently of whether the value is defaulted or is explicitly provided. This implies that a binary compare of the encoded bytes is insufficient.
o 具有默认值的字段必须进行相同的比较,这与该值是默认值还是显式提供值无关。这意味着编码字节的二进制比较是不够的。
o For some algorithms, such as SHA-1, the parameter value of NULL can be included in the ASN.1 encoding by some implementations and be omitted by other implementations. It is left to the implementer of this attribute to decide the comparison for equality is satisfied in this case. As a general rule, the same implementation is expected to produce both encoded values thus making it unlikely that this corner case should exist. This is an issue because some implementations will omit a NULL element, while others will encode a NULL element for some digest algorithms such as SHA-1 (see the comments in Section 2.1 of [RFC3370]). The issue is even worse because the NULL is absent in some cases (e.g., [RFC3370]), but is required in other cases (e.g., [RFC4056]).
o 对于一些算法,例如SHA-1,NULL的参数值可以由一些实现包含在ASN.1编码中,而由其他实现忽略。在这种情况下,由该属性的实现者决定是否满足相等性比较。作为一般规则,相同的实现预期会产生两个编码值,因此不太可能存在这种情况。这是一个问题,因为一些实现将省略NULL元素,而其他实现将为一些摘要算法(如SHA-1)编码NULL元素(参见[RFC3370]第2.1节中的注释)。问题甚至更糟,因为在某些情况下(例如,[RFC3370])不存在空值,但在其他情况下(例如,[RFC4056])需要空值。
If a CMS validator supports this attribute, the following additional verification steps MUST be performed:
如果CMS验证器支持此属性,则必须执行以下附加验证步骤:
1. The SignerInfo.digestAlgorithm field MUST be compared to the digestAlgorithm field in the attribute. If the fields are not the same (modulo encoding), then signature validation MUST fail.
1. 必须将SignerInfo.digestAlgorithm字段与属性中的digestAlgorithm字段进行比较。如果字段不相同(模编码),则签名验证必须失败。
2. The SignerInfo.signatureAlgorithm field MUST be compared to the signatureAlgorithm field in the attribute. If the fields are not the same (modulo encoding), then the signature validation MUST fail.
2. 必须将SignerInfo.signatureAlgorithm字段与属性中的signatureAlgorithm字段进行比较。如果字段不相同(模编码),则签名验证必须失败。
If a CMS validator supports this attribute, the following additional verification steps MUST be performed:
如果CMS验证器支持此属性,则必须执行以下附加验证步骤:
1. The AuthenticatedData.digestAlgorithm field MUST be compared to the digestAlgorithm field in the attribute. If the fields are not same (modulo encoding), then authentication MUST fail.
1. 必须将AuthenticatedData.digestAlgorithm字段与属性中的digestAlgorithm字段进行比较。如果字段不相同(模编码),则身份验证必须失败。
2. The AuthenticatedData.macAlgorithm field MUST be compared to the macAlgorithm field in the attribute. If the fields are not the same (modulo encoding), then the authentication MUST fail.
2. 必须将AuthenticatedData.macAlgorithm字段与属性中的macAlgorithm字段进行比较。如果字段不相同(模编码),则身份验证必须失败。
All identifiers are assigned out of the S/MIME OID arc.
所有标识符都在S/MIME OID弧外分配。
This document is designed to address the security issue of algorithm substitutions of the algorithms used by the validator. At this time, there is no known method to exploit this type of attack. If the attack could be successful, then either a weaker algorithm could be substituted for a stronger algorithm or the parameters could be modified by an attacker to change the behavior of the hashing algorithm used. (One example would be changing the initial parameter value for [RFC6210].)
本文档旨在解决验证程序使用的算法替换算法的安全问题。目前,还没有已知的方法可以利用这种类型的攻击。如果攻击成功,则攻击者可以用较弱的算法替换较强的算法,或者修改参数以改变所用哈希算法的行为。(一个示例是更改[RFC6210]的初始参数值。)
The attribute defined in this document is to be placed in a location that is protected by the signature or message authentication code. This attribute does not provide any additional security if placed in an unsigned or unauthenticated location.
本文档中定义的属性将放置在受签名或消息身份验证代码保护的位置。如果将此属性放置在未签名或未经验证的位置,则不会提供任何额外的安全性。
[ASN.1-2008] ITU-T, "ITU-T Recommendations X.680, X.681, X.682, and X.683", 2008.
[ASN.1-2008]ITU-T,“ITU-T建议X.680、X.681、X.682和X.683”,2008年。
[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 5652, September 2009.
[CMS]Housley,R.,“加密消息语法(CMS)”,RFC 56522009年9月。
[ESS-BASE] Hoffman, P., "Enhanced Security Services for S/MIME", RFC 2634, June 1999.
[ESS-BASE]Hoffman,P.,“S/MIME的增强安全服务”,RFC 2634,1999年6月。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[RFC5035] Schaad, J., "Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility", RFC 5035, August 2007.
[RFC5035]Schaad,J.,“增强安全服务(ESS)更新:添加CertID算法敏捷性”,RFC 5035,2007年8月。
[RFC5912] Hoffman, P. and J. Schaad, "New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)", RFC 5912, June 2010.
[RFC5912]Hoffman,P.和J.Schaad,“使用X.509(PKIX)的公钥基础设施的新ASN.1模块”,RFC 5912,2010年6月。
[RANDOM-HASH] Halevi, S. and H. Krawczyk, "Strengthening Digital Signatures via Random Hashing", January 2007, <http://webee.technion.ac.il/~hugo/rhash/rhash.pdf>.
[随机散列]Halevi,S.和H.Krawczyk,“通过随机散列增强数字签名”,2007年1月<http://webee.technion.ac.il/~hugo/rhash/rhash.pdf>。
[RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) Algorithms", RFC 3370, August 2002.
[RFC3370]Housley,R.,“加密消息语法(CMS)算法”,RFC3370,2002年8月。
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, February 2003.
[RFC3447]Jonsson,J.和B.Kaliski,“公钥密码标准(PKCS)#1:RSA密码规范版本2.1”,RFC 3447,2003年2月。
[RFC4056] Schaad, J., "Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS)", RFC 4056, June 2005.
[RFC4056]Schaad,J.,“在加密消息语法(CMS)中使用RSASSA-PSS签名算法”,RFC 4056,2005年6月。
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008.
[RFC5280]Cooper,D.,Santesson,S.,Farrell,S.,Boeyen,S.,Housley,R.,和W.Polk,“Internet X.509公钥基础设施证书和证书撤销列表(CRL)配置文件”,RFC 52802008年5月。
[RFC6210] Schaad, J., "Experiment: Hash Functions with Parameters in the Cryptographic Message Syntax (CMS) and S/MIME", RFC 6210, April 2011.
[RFC6210]Schaad,J.,“实验:具有加密消息语法(CMS)和S/MIME参数的哈希函数”,RFC 6210,2011年4月。
The ASN.1 module defined uses the 2008 ASN.1 definitions found in [ASN.1-2008]. This module contains the ASN.1 module that contains the required definitions for the types and values defined in this document. The module uses the ATTRIBUTE class defined in [RFC5912].
定义的ASN.1模块使用[ASN.1-2008]中的2008 ASN.1定义。此模块包含ASN.1模块,该模块包含本文档中定义的类型和值所需的定义。模块使用[RFC5912]中定义的属性类。
CMSAlgorithmProtectionAttribute
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0)
id-mod-cms-algorithmProtect(52) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
CMSAlgorithmProtectionAttribute
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0)
id-mod-cms-algorithmProtect(52) }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS
-- Cryptographic Message Syntax (CMS) [CMS]
--加密消息语法(CMS)[CMS]
DigestAlgorithmIdentifier, MessageAuthenticationCodeAlgorithm,
SignatureAlgorithmIdentifier
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }
DigestAlgorithmIdentifier, MessageAuthenticationCodeAlgorithm,
SignatureAlgorithmIdentifier
FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }
-- Common PKIX structures [RFC5912]
--通用PKIX结构[RFC5912]
ATTRIBUTE
FROM PKIX-CommonTypes-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57)};
ATTRIBUTE
FROM PKIX-CommonTypes-2009
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkixCommon-02(57)};
--
-- The CMS Algorithm Protection attribute is a Signed Attribute or
-- an Authenticated Attribute.
--
-- Add this attribute to SignedAttributesSet in [CMS]
-- Add this attribute to AuthAttributeSet in [CMS]
--
--
-- The CMS Algorithm Protection attribute is a Signed Attribute or
-- an Authenticated Attribute.
--
-- Add this attribute to SignedAttributesSet in [CMS]
-- Add this attribute to AuthAttributeSet in [CMS]
--
aa-cmsAlgorithmProtection ATTRIBUTE ::= {
TYPE CMSAlgorithmProtection
IDENTIFIED BY { id-aa-cmsAlgorithmProtect }
}
aa-cmsAlgorithmProtection ATTRIBUTE ::= {
TYPE CMSAlgorithmProtection
IDENTIFIED BY { id-aa-cmsAlgorithmProtect }
}
id-aa-cmsAlgorithmProtect OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs9(9) 52 }
id-aa-cmsAlgorithmProtect OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs9(9) 52 }
CMSAlgorithmProtection ::= SEQUENCE {
digestAlgorithm DigestAlgorithmIdentifier,
signatureAlgorithm [1] SignatureAlgorithmIdentifier OPTIONAL,
macAlgorithm [2] MessageAuthenticationCodeAlgorithm
OPTIONAL
}
(WITH COMPONENTS { signatureAlgorithm PRESENT,
macAlgorithm ABSENT } |
WITH COMPONENTS { signatureAlgorithm ABSENT,
macAlgorithm PRESENT })
CMSAlgorithmProtection ::= SEQUENCE {
digestAlgorithm DigestAlgorithmIdentifier,
signatureAlgorithm [1] SignatureAlgorithmIdentifier OPTIONAL,
macAlgorithm [2] MessageAuthenticationCodeAlgorithm
OPTIONAL
}
(WITH COMPONENTS { signatureAlgorithm PRESENT,
macAlgorithm ABSENT } |
WITH COMPONENTS { signatureAlgorithm ABSENT,
macAlgorithm PRESENT })
END
终止
Author's Address
作者地址
Jim Schaad Soaring Hawk Consulting
吉姆·沙德·霍克咨询公司
EMail: ietf@augustcellars.com
EMail: ietf@augustcellars.com