| draft-ietf-lamps-rfc5751-bis-08.txt | draft-ietf-lamps-rfc5751-bis-09.txt | |||
|---|---|---|---|---|
| LAMPS J. Schaad | LAMPS J. Schaad | |||
| Internet-Draft August Cellars | Internet-Draft August Cellars | |||
| Obsoletes: 5751 (if approved) B. Ramsdell | Obsoletes: 5751 (if approved) B. Ramsdell | |||
| Intended status: Standards Track Brute Squad Labs, Inc. | Intended status: Standards Track Brute Squad Labs, Inc. | |||
| Expires: November 3, 2018 S. Turner | Expires: November 23, 2018 S. Turner | |||
| sn3rd | sn3rd | |||
| May 2, 2018 | May 22, 2018 | |||
| Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 | Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 | |||
| Message Specification | Message Specification | |||
| draft-ietf-lamps-rfc5751-bis-08 | draft-ietf-lamps-rfc5751-bis-09 | |||
| Abstract | Abstract | |||
| This document defines Secure/Multipurpose Internet Mail Extensions | This document defines Secure/Multipurpose Internet Mail Extensions | |||
| (S/MIME) version 4.0. S/MIME provides a consistent way to send and | (S/MIME) version 4.0. S/MIME provides a consistent way to send and | |||
| receive secure MIME data. Digital signatures provide authentication, | receive secure MIME data. Digital signatures provide authentication, | |||
| message integrity, and non-repudiation with proof of origin. | message integrity, and non-repudiation with proof of origin. | |||
| Encryption provides data confidentiality. Compression can be used to | Encryption provides data confidentiality. Compression can be used to | |||
| reduce data size. This document obsoletes RFC 5751. | reduce data size. This document obsoletes RFC 5751. | |||
| skipping to change at page 1, line 47 ¶ | skipping to change at page 1, line 47 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 3, 2018. | This Internet-Draft will expire on November 23, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 44 ¶ | skipping to change at page 3, line 44 ¶ | |||
| 4.1. Key Pair Generation . . . . . . . . . . . . . . . . . . . 37 | 4.1. Key Pair Generation . . . . . . . . . . . . . . . . . . . 37 | |||
| 4.2. Signature Generation . . . . . . . . . . . . . . . . . . 37 | 4.2. Signature Generation . . . . . . . . . . . . . . . . . . 37 | |||
| 4.3. Signature Verification . . . . . . . . . . . . . . . . . 37 | 4.3. Signature Verification . . . . . . . . . . . . . . . . . 37 | |||
| 4.4. Encryption . . . . . . . . . . . . . . . . . . . . . . . 38 | 4.4. Encryption . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 4.5. Decryption . . . . . . . . . . . . . . . . . . . . . . . 38 | 4.5. Decryption . . . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 | |||
| 5.1. Media Type for application/pkcs7-mime . . . . . . . . . . 38 | 5.1. Media Type for application/pkcs7-mime . . . . . . . . . . 38 | |||
| 5.2. Media Type for application/pkcs7-signature . . . . . . . 39 | 5.2. Media Type for application/pkcs7-signature . . . . . . . 39 | |||
| 5.3. Register authEnveloped-data smime-type . . . . . . . . . 40 | 5.3. Register authEnveloped-data smime-type . . . . . . . . . 40 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 40 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 40 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 45 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 44 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 45 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 48 | 7.2. Informative References . . . . . . . . . . . . . . . . . 49 | |||
| Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 52 | Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 52 | |||
| Appendix B. Historic Mail Considerations . . . . . . . . . . . . 54 | Appendix B. Historic Mail Considerations . . . . . . . . . . . . 54 | |||
| B.1. DigestAlgorithmIdentifier . . . . . . . . . . . . . . . . 54 | B.1. DigestAlgorithmIdentifier . . . . . . . . . . . . . . . . 55 | |||
| B.2. Signature Algorithms . . . . . . . . . . . . . . . . . . 54 | B.2. Signature Algorithms . . . . . . . . . . . . . . . . . . 55 | |||
| B.3. ContentEncryptionAlgorithmIdentifier . . . . . . . . . . 56 | B.3. ContentEncryptionAlgorithmIdentifier . . . . . . . . . . 57 | |||
| B.4. KeyEncryptionAlgorithmIdentifier . . . . . . . . . . . . 56 | B.4. KeyEncryptionAlgorithmIdentifier . . . . . . . . . . . . 57 | |||
| Appendix C. Moving S/MIME v2 Message Specification to Historic | Appendix C. Moving S/MIME v2 Message Specification to Historic | |||
| Status . . . . . . . . . . . . . . . . . . . . . . . 57 | Status . . . . . . . . . . . . . . . . . . . . . . . 57 | |||
| Appendix D. Acknowledgments . . . . . . . . . . . . . . . . . . 57 | Appendix D. Acknowledgments . . . . . . . . . . . . . . . . . . 58 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58 | |||
| 1. Introduction | 1. Introduction | |||
| S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a | S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a | |||
| consistent way to send and receive secure MIME data. Based on the | consistent way to send and receive secure MIME data. Based on the | |||
| popular Internet MIME standard, S/MIME provides the following | popular Internet MIME standard, S/MIME provides the following | |||
| cryptographic security services for electronic messaging | cryptographic security services for electronic messaging | |||
| applications: authentication, message integrity and non-repudiation | applications: authentication, message integrity and non-repudiation | |||
| of origin (using digital signatures), and data confidentiality (using | of origin (using digital signatures), and data confidentiality (using | |||
| encryption). As a supplementary service, S/MIME provides message | encryption). As a supplementary service, S/MIME provides message | |||
| skipping to change at page 44, line 28 ¶ | skipping to change at page 44, line 28 ¶ | |||
| the message does not provide this information. | the message does not provide this information. | |||
| When compression is used with encryption, it has the potential to add | When compression is used with encryption, it has the potential to add | |||
| an additional layer of security. However, care needs to be taken | an additional layer of security. However, care needs to be taken | |||
| when designing a protocol that relies on this not to create a | when designing a protocol that relies on this not to create a | |||
| compression oracle. Compression oracle attacks require an adaptive | compression oracle. Compression oracle attacks require an adaptive | |||
| input to the process and attack the unknown content of a message | input to the process and attack the unknown content of a message | |||
| based on the length of the compressed output, this means that no | based on the length of the compressed output, this means that no | |||
| attack on the encryption key is necessarily required. | attack on the encryption key is necessarily required. | |||
| A recent paper on S/MIME and OpenPGP Email security [Efail] has | ||||
| pointed out a number of problems with the current S/MIME | ||||
| specifications and how people have implemented mail clients. Due to | ||||
| the nature of how CBC mode operates, the modes allow for malleability | ||||
| of plaintexts. This malleability allows for attackers to make | ||||
| changes in the cipher text and, if parts of the plain text are known, | ||||
| create arbitrary plaintexts blocks. These changes can be made | ||||
| without the weak integrity check in CBC mode being triggered. This | ||||
| type of attack can be prevented by the use of an AEAD algorithm with | ||||
| a more robust integrity check on the decryption process. It is | ||||
| therefore recommended that mail systems migrate to using AES-GCM as | ||||
| quickly as possible and that the decrypted content not be acted on | ||||
| prior to finishing the integrity check. | ||||
| The other attack that is highlighted in [Efail] is an error in how | ||||
| mail clients deal with HTML and multipart/mixed messages. Clients | ||||
| MUST require that a text/html content type is a complete HTML | ||||
| document (per [RFC1866]). Clients SHOULD treat each of the different | ||||
| pieces of the multipart/mixed construct as being of different | ||||
| origins. Clients MUST treat each encrypted or signed piece of a MIME | ||||
| message as being of different origins both from unprotected content | ||||
| and from each other. | ||||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [ASN.1] "Information Technology - Abstract Syntax Notation | [ASN.1] "Information Technology - Abstract Syntax Notation | |||
| (ASN.1)". | (ASN.1)". | |||
| ASN.1 syntax consists of the following references [X.680], | ASN.1 syntax consists of the following references [X.680], | |||
| [X.681], [X.682], and [X.683]. | [X.681], [X.682], and [X.683]. | |||
| skipping to change at page 45, line 24 ¶ | skipping to change at page 45, line 49 ¶ | |||
| cms-ecdh-new-curves-10 (work in progress), August 2017. | cms-ecdh-new-curves-10 (work in progress), August 2017. | |||
| [I-D.ietf-curdle-cms-eddsa-signatures] | [I-D.ietf-curdle-cms-eddsa-signatures] | |||
| Housley, R., "Use of EdDSA Signatures in the Cryptographic | Housley, R., "Use of EdDSA Signatures in the Cryptographic | |||
| Message Syntax (CMS)", draft-ietf-curdle-cms-eddsa- | Message Syntax (CMS)", draft-ietf-curdle-cms-eddsa- | |||
| signatures-08 (work in progress), October 2017. | signatures-08 (work in progress), October 2017. | |||
| [I-D.ietf-lamps-rfc5750-bis] | [I-D.ietf-lamps-rfc5750-bis] | |||
| Schaad, J., Ramsdell, B., and S. Turner, "Secure/ | Schaad, J., Ramsdell, B., and S. Turner, "Secure/ | |||
| Multipurpose Internet Mail Extensions (S/ MIME) Version | Multipurpose Internet Mail Extensions (S/ MIME) Version | |||
| 4.0 Certificate Handling", draft-ietf-lamps-rfc5750-bis-05 | 4.0 Certificate Handling", draft-ietf-lamps-rfc5750-bis-06 | |||
| (work in progress), April 2018. | (work in progress), May 2018. | |||
| [MIME-SPEC] | [MIME-SPEC] | |||
| "MIME Message Specifications". | "MIME Message Specifications". | |||
| This is the set of documents that define how to use MIME. | This is the set of documents that define how to use MIME. | |||
| This set of documents is [RFC2045], [RFC2046], [RFC2047], | This set of documents is [RFC2045], [RFC2046], [RFC2047], | |||
| [RFC2049], [RFC6838], and [RFC4289]. | [RFC2049], [RFC6838], and [RFC4289]. | |||
| [RFC1847] Galvin, J., Murphy, S., Crocker, S., and N. Freed, | [RFC1847] Galvin, J., Murphy, S., Crocker, S., and N. Freed, | |||
| "Security Multiparts for MIME: Multipart/Signed and | "Security Multiparts for MIME: Multipart/Signed and | |||
| skipping to change at page 48, line 32 ¶ | skipping to change at page 49, line 12 ¶ | |||
| (ASN.1): Parameterization of ASN.1 specifications", | (ASN.1): Parameterization of ASN.1 specifications", | |||
| ITU-T X.683, ISO/IEC 8824-4:2008, November 2008. | ITU-T X.683, ISO/IEC 8824-4:2008, November 2008. | |||
| [X.690] "Information Technology - ASN.1 encoding rules: | [X.690] "Information Technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), Canonical | Specification of Basic Encoding Rules (BER), Canonical | |||
| Encoding Rules (CER) and Distinguished Encoding Rules | Encoding Rules (CER) and Distinguished Encoding Rules | |||
| (DER).", ITU-T X.690, ISO/IEC 8825-1:2002, July 2002. | (DER).", ITU-T X.690, ISO/IEC 8825-1:2002, July 2002. | |||
| 7.2. Informative References | 7.2. Informative References | |||
| [Efail] Poddebniak, D., Muller, J., Dresen, C., Ising, F., | ||||
| Schinzel, S., Friedberger, S., Somorovsky, J., and J. | ||||
| Schwenk, "Efail: Breaking S/MIME and OpenPGP Email | ||||
| Encryption using Exfiltration Channels", Work in | ||||
| Progress , May 2018. | ||||
| [FIPS186-2] | [FIPS186-2] | |||
| National Institute of Standards and Technology (NIST), | National Institute of Standards and Technology (NIST), | |||
| "Digital Signature Standard (DSS) [With Change Notice 1]", | "Digital Signature Standard (DSS) [With Change Notice 1]", | |||
| Federal Information Processing Standards | Federal Information Processing Standards | |||
| Publication 186-2, January 2000. | Publication 186-2, January 2000. | |||
| [RFC1866] Berners-Lee, T. and D. Connolly, "Hypertext Markup | ||||
| Language - 2.0", RFC 1866, DOI 10.17487/RFC1866, November | ||||
| 1995, <https://www.rfc-editor.org/info/rfc1866>. | ||||
| [RFC2268] Rivest, R., "A Description of the RC2(r) Encryption | [RFC2268] Rivest, R., "A Description of the RC2(r) Encryption | |||
| Algorithm", RFC 2268, DOI 10.17487/RFC2268, March 1998, | Algorithm", RFC 2268, DOI 10.17487/RFC2268, March 1998, | |||
| <https://www.rfc-editor.org/info/rfc2268>. | <https://www.rfc-editor.org/info/rfc2268>. | |||
| [RFC2311] Dusse, S., Hoffman, P., Ramsdell, B., Lundblade, L., and | [RFC2311] Dusse, S., Hoffman, P., Ramsdell, B., Lundblade, L., and | |||
| L. Repka, "S/MIME Version 2 Message Specification", | L. Repka, "S/MIME Version 2 Message Specification", | |||
| RFC 2311, DOI 10.17487/RFC2311, March 1998, | RFC 2311, DOI 10.17487/RFC2311, March 1998, | |||
| <https://www.rfc-editor.org/info/rfc2311>. | <https://www.rfc-editor.org/info/rfc2311>. | |||
| [RFC2312] Dusse, S., Hoffman, P., Ramsdell, B., and J. Weinstein, | [RFC2312] Dusse, S., Hoffman, P., Ramsdell, B., and J. Weinstein, | |||
| End of changes. 11 change blocks. | ||||
| 15 lines changed or deleted | 48 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||