--- 1/draft-ietf-lamps-rfc5751-bis-08.txt 2018-05-22 20:13:08.476262121 -0700 +++ 2/draft-ietf-lamps-rfc5751-bis-09.txt 2018-05-22 20:13:08.588264845 -0700 @@ -1,22 +1,22 @@ LAMPS J. Schaad Internet-Draft August Cellars Obsoletes: 5751 (if approved) B. Ramsdell Intended status: Standards Track Brute Squad Labs, Inc. -Expires: November 3, 2018 S. Turner +Expires: November 23, 2018 S. Turner sn3rd - May 2, 2018 + May 22, 2018 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification - draft-ietf-lamps-rfc5751-bis-08 + draft-ietf-lamps-rfc5751-bis-09 Abstract This document defines Secure/Multipurpose Internet Mail Extensions (S/MIME) version 4.0. S/MIME provides a consistent way to send and receive secure MIME data. Digital signatures provide authentication, message integrity, and non-repudiation with proof of origin. Encryption provides data confidentiality. Compression can be used to reduce data size. This document obsoletes RFC 5751. @@ -36,21 +36,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on November 3, 2018. + This Internet-Draft will expire on November 23, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -126,33 +126,33 @@ 4.1. Key Pair Generation . . . . . . . . . . . . . . . . . . . 37 4.2. Signature Generation . . . . . . . . . . . . . . . . . . 37 4.3. Signature Verification . . . . . . . . . . . . . . . . . 37 4.4. Encryption . . . . . . . . . . . . . . . . . . . . . . . 38 4.5. Decryption . . . . . . . . . . . . . . . . . . . . . . . 38 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 5.1. Media Type for application/pkcs7-mime . . . . . . . . . . 38 5.2. Media Type for application/pkcs7-signature . . . . . . . 39 5.3. Register authEnveloped-data smime-type . . . . . . . . . 40 6. Security Considerations . . . . . . . . . . . . . . . . . . . 40 - 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 - 7.1. Normative References . . . . . . . . . . . . . . . . . . 44 - 7.2. Informative References . . . . . . . . . . . . . . . . . 48 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 45 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 45 + 7.2. Informative References . . . . . . . . . . . . . . . . . 49 Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . 52 Appendix B. Historic Mail Considerations . . . . . . . . . . . . 54 - B.1. DigestAlgorithmIdentifier . . . . . . . . . . . . . . . . 54 - B.2. Signature Algorithms . . . . . . . . . . . . . . . . . . 54 - B.3. ContentEncryptionAlgorithmIdentifier . . . . . . . . . . 56 - B.4. KeyEncryptionAlgorithmIdentifier . . . . . . . . . . . . 56 + B.1. DigestAlgorithmIdentifier . . . . . . . . . . . . . . . . 55 + B.2. Signature Algorithms . . . . . . . . . . . . . . . . . . 55 + B.3. ContentEncryptionAlgorithmIdentifier . . . . . . . . . . 57 + B.4. KeyEncryptionAlgorithmIdentifier . . . . . . . . . . . . 57 Appendix C. Moving S/MIME v2 Message Specification to Historic Status . . . . . . . . . . . . . . . . . . . . . . . 57 - Appendix D. Acknowledgments . . . . . . . . . . . . . . . . . . 57 - Authors' Addresses . . . . . . . . . . . . . . . 
. . . . . . . . 57 + Appendix D. Acknowledgments . . . . . . . . . . . . . . . . . . 58 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58 1. Introduction S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a consistent way to send and receive secure MIME data. Based on the popular Internet MIME standard, S/MIME provides the following cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures), and data confidentiality (using encryption). As a supplementary service, S/MIME provides message 
@@ -2015,20 +2015,43 @@ the message does not provide this information. When compression is used with encryption, it has the potential to add an additional layer of security. However, care needs to be taken when designing a protocol that relies on this not to create a compression oracle. Compression oracle attacks require an adaptive input to the process and attack the unknown content of a message based on the length of the compressed output, this means that no attack on the encryption key is necessarily required. + A recent paper on S/MIME and OpenPGP Email security [Efail] has + pointed out a number of problems with the current S/MIME + specifications and how people have implemented mail clients. Due to + the nature of how CBC mode operates, the modes allow for malleability + of plaintexts. This malleability allows for attackers to make + changes in the cipher text and, if parts of the plain text are known, + create arbitrary plaintexts blocks. These changes can be made + without the weak integrity check in CBC mode being triggered. This + type of attack can be prevented by the use of an AEAD algorithm with + a more robust integrity check on the decryption process. It is + therefore recommended that mail systems migrate to using AES-GCM as + quickly as possible and that the decrypted content not be acted on + prior to finishing the integrity check. + + The other attack that is highlighted in [Efail] is an error in how + mail clients deal with HTML and multipart/mixed messages. Clients + MUST require that a text/html content type is a complete HTML + document (per [RFC1866]). Clients SHOULD treat each of the different + pieces of the multipart/mixed construct as being of different + origins. Clients MUST treat each encrypted or signed piece of a MIME + message as being of different origins both from unprotected content + and from each other. + 7. References 7.1. Normative References [ASN.1] "Information Technology - Abstract Syntax Notation (ASN.1)". 
ASN.1 syntax consists of the following references [X.680], [X.681], [X.682], and [X.683]. @@ -2059,22 +2082,22 @@ cms-ecdh-new-curves-10 (work in progress), August 2017. [I-D.ietf-curdle-cms-eddsa-signatures] Housley, R., "Use of EdDSA Signatures in the Cryptographic Message Syntax (CMS)", draft-ietf-curdle-cms-eddsa- signatures-08 (work in progress), October 2017. [I-D.ietf-lamps-rfc5750-bis] Schaad, J., Ramsdell, B., and S. Turner, "Secure/ Multipurpose Internet Mail Extensions (S/ MIME) Version - 4.0 Certificate Handling", draft-ietf-lamps-rfc5750-bis-05 - (work in progress), April 2018. + 4.0 Certificate Handling", draft-ietf-lamps-rfc5750-bis-06 + (work in progress), May 2018. [MIME-SPEC] "MIME Message Specifications". This is the set of documents that define how to use MIME. This set of documents is [RFC2045], [RFC2046], [RFC2047], [RFC2049], [RFC6838], and [RFC4289]. [RFC1847] Galvin, J., Murphy, S., Crocker, S., and N. Freed, "Security Multiparts for MIME: Multipart/Signed and 
@@ -2213,26 +2235,36 @@ (ASN.1): Parameterization of ASN.1 specifications", ITU-T X.683, ISO/IEC 8824-4:2008, November 2008. [X.690] "Information Technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER).", ITU-T X.690, ISO/IEC 8825-1:2002, July 2002. 7.2. Informative References + [Efail] Poddebniak, D., Muller, J., Dresen, C., Ising, F., + Schinzel, S., Friedberger, S., Somorovsky, J., and J. + Schwenk, "Efail: Breaking S/MIME and OpenPGP Email + Encryption using Exfiltration Channels", Work in + Progress , May 2018. + [FIPS186-2] National Institute of Standards and Technology (NIST), "Digital Signature Standard (DSS) [With Change Notice 1]", Federal Information Processing Standards Publication 186-2, January 2000. + [RFC1866] Berners-Lee, T. and D. Connolly, "Hypertext Markup + Language - 2.0", RFC 1866, DOI 10.17487/RFC1866, November + 1995, . + [RFC2268] Rivest, R., "A Description of the RC2(r) Encryption Algorithm", RFC 2268, DOI 10.17487/RFC2268, March 1998, . [RFC2311] Dusse, S., Hoffman, P., Ramsdell, B., Lundblade, L., and L. Repka, "S/MIME Version 2 Message Specification", RFC 2311, DOI 10.17487/RFC2311, March 1998, . [RFC2312] Dusse, S., Hoffman, P., Ramsdell, B., and J. Weinstein,
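Review bot: in the new Security Considerations text (hunk @@ -2015,20 +2015,43 @@), the sentence "without the weak integrity check in CBC mode being triggered" is inaccurate: CBC mode has no integrity check at all, and the malleability the paragraph describes goes undetected precisely because nothing in CBC detects a modified block; suggest "CBC mode provides no integrity protection, so these changes are not detected on decryption", which is also the reason the following sentence can recommend an AEAD algorithm. The migration advice is phrased as "It is therefore recommended" while the next paragraph uses MUST/SHOULD; if a normative requirement is intended, use RFC 2119 language here too, and consider pointing the reader at the authEnveloped-data smime-type registered in Section 5.3 as the container that carries AES-GCM. The paragraph also never says what the attacker gains from a crafted plaintext block; given the cited paper's title ("... using Exfiltration Channels"), one clause noting that the crafted content is used to leak the decrypted message would motivate why content must not be acted on before the integrity check completes. Minor wording: "the modes allow" should be "the mode allows", "plaintexts blocks" should be "plaintext blocks", and "cipher text"/"plain text" should be written consistently as "ciphertext"/"plaintext" as in the rest of the paragraph. In the last paragraph, "different origins" is not defined anywhere in the draft; a sentence stating what a client must not let one part do with another (reference or share content across the part boundary) would make that MUST testable.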
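Review bot: in the Informative References hunk (@@ -2213,26 +2235,36 @@), [RFC1866] is added under 7.2 Informative References, but the new Security Considerations text cites it inside a MUST ("Clients MUST require that a text/html content type is a complete HTML document (per [RFC1866])"), which makes it a normative dependency that belongs in 7.1; also confirm that the 1995 HTML 2.0 specification named in the entry is the intended definition of "complete HTML document". In the [Efail] entry there is a stray space before the comma in "Work in Progress , May 2018".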