
The thing to note about the enveloped-data content type is key management. Five different key management techniques are defined to get the content encryption key to the recipient. Key transport recipient info, key agreement recipient info, key encryption key recipient info, password recipient info, and other recipient info are described later in the chapter.

The enveloped-data content type is identified by the id-envelopedData object identifier, and it has the following syntax:

    ct-EnvelopedData CONTENT-TYPE ::=
        { EnvelopedData IDENTIFIED BY id-envelopedData }

    id-envelopedData OBJECT IDENTIFIER ::=
        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 3 }

    EnvelopedData ::= SEQUENCE {
        version CMSVersion,
        originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
        recipientInfos RecipientInfos,
        encryptedContentInfo EncryptedContentInfo,
        unprotectedAttrs [1] IMPLICIT Attributes

Turner c06.tex V3 - 03/26/2008 5:34pm Page 99

Chapter 6 Protecting Email Message Contents 99

    OriginatorInfo ::= SEQUENCE {
        certs [0] IMPLICIT CertificateSet OPTIONAL,
        crls [1] IMPLICIT RevocationInfoChoices OPTIONAL }

    RecipientInfos ::= SET SIZE (1..MAX) OF RecipientInfo

    EncryptedContent ::= OCTET STRING

    RecipientInfo ::= CHOICE {
        ktri KeyTransRecipientInfo,
        kari [1] KeyAgreeRecipientInfo,
        kekri [2] KEKRecipientInfo,
        pwri [3] PasswordRecipientInfo,
        ori [4] OtherRecipientInfo }

Key Transport Recipient Info

The KeyTransportRecipientInfo is used, as its name implies, to support key transport algorithms, namely RSA. If you remember our discussion of RSA from Chapter 4, Alice creates a symmetric key and encrypts it with Bob’s public key, and then Bob uses his own private key to decrypt the value and recover the symmetric key. That’s why there’s no need to include the originator’s certificate. The recipient figures out which KeyTransportRecipientInfo is theirs with the rid field. The encryptedKey contains the encrypted content encryption key. A separate KeyTransportRecipientInfo is needed for each recipient. The KeyTransportRecipientInfo uses the following syntax:

    KeyTransRecipientInfo ::= SEQUENCE {
        version CMSVersion,  -- always set to 0 or 2
        rid RecipientIdentifier,
        keyEncryptionAlgorithm AlgorithmIdentifier {{KeyTransportAlgorithmList}},
        encryptedKey EncryptedKey }

    RecipientIdentifier ::= CHOICE {
        issuerAndSerialNumber IssuerAndSerialNumber,
        subjectKeyIdentifier [0] SubjectKeyIdentifier }

NOTE There is a link to the recipient’s certificate; it must contain the key usage extension with the keyEncipherment bit set.

100 Part III Secure Email

Key Agreement Recipient Info

The KeyAgreeRecipientInfo is used to support key agreement algorithms; for example, DH, ECDH, and ECMQV. If you remember our discussion of DH from Chapter 4, Alice fetches Bob’s certificate to obtain his public key and then Alice generates a public/private key pair in the same group as Bob’s key pair. Alice combines her private key with Bob’s public key to obtain a pairwise symmetric key. Bob needs Alice’s public key to combine with his private key to obtain the same pairwise symmetric key. That’s why you need to include either Alice’s certificate or just her public key. The ukm field is used by some key management schemes that make use of additional private keying material. Unlike the KeyTransportRecipientInfo, one KeyAgreeRecipientInfo can be used by all recipients, assuming that the same algorithm and originator public key are used. Inside, there is a sequence of RecipientEncryptedKey values, one for each intended recipient. Recipients figure out which KeyAgreeRecipientInfo is theirs by examining the rid field. The KeyAgreeRecipientInfo uses the following syntax:

    KeyAgreeRecipientInfo ::= SEQUENCE {
        version CMSVersion,  -- always set to 3
        originator [0] EXPLICIT OriginatorIdentifierOrKey,
        ukm [1] EXPLICIT UserKeyingMaterial OPTIONAL,
        keyEncryptionAlgorithm AlgorithmIdentifier {{KeyEncryptionAlgorithmList}},
        recipientEncryptedKeys RecipientEncryptedKeys }

    OriginatorIdentifierOrKey ::= CHOICE {
        issuerAndSerialNumber IssuerAndSerialNumber,
        subjectKeyIdentifier [0] SubjectKeyIdentifier,
        originatorKey [1] OriginatorPublicKey }

    OriginatorPublicKey ::= SEQUENCE {
        algorithm AlgorithmIdentifier {{AlgorithmList}},
        publicKey BIT STRING }

    RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey

    RecipientEncryptedKey ::= SEQUENCE {
        rid KeyAgreeRecipientIdentifier,
        encryptedKey EncryptedKey }

    KeyAgreeRecipientIdentifier ::= CHOICE {
        issuerAndSerialNumber IssuerAndSerialNumber,


    RecipientKeyIdentifier ::= SEQUENCE {
        subjectKeyIdentifier SubjectKeyIdentifier,
        date GeneralizedTime OPTIONAL,
        other OtherKeyAttribute OPTIONAL }

    SubjectKeyIdentifier ::= OCTET STRING

NOTE There is a link back to the recipient’s certificate; it must contain the key usage extension with the keyAgreement bit set.

Key Encryption Key Recipient Info

The KEKRecipientInfo is used when the originator and recipient support previously distributed key-encryption keys. The originator indicates which key was used with the kekid field, and the encryptedKey is the content-encryption key encrypted with the previously distributed key-encryption key. The KEKRecipientInfo uses the following syntax:

    KEKRecipientInfo ::= SEQUENCE {
        version CMSVersion,  -- always set to 4
        kekid KEKIdentifier,
        keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
        encryptedKey EncryptedKey }

    KEKIdentifier ::= SEQUENCE {
        keyIdentifier OCTET STRING,
        date GeneralizedTime OPTIONAL,
        other OtherKeyAttribute OPTIONAL }

Password Recipient Info

The PasswordRecipientInfo is used when the originator and recipient support a previously distributed shared password or secret as the key-encryption key. The originator indicates how the key is derived and the key encryption algorithm that is used. The encryptedKey is the encrypted content-encryption key. The PasswordRecipientInfo uses the following syntax:

    PasswordRecipientInfo ::= SEQUENCE {
        version CMSVersion,  -- Always set to 0
        keyDerivationAlgorithm [0] KeyDerivationAlgorithmIdentifier OPTIONAL,
        keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,

Other Recipient Info

The OtherRecipientInfo permits the definition of additional key management techniques. It identifies them with an object identifier, which also indicates the syntax of the key management fields. The OtherRecipientInfo uses the following syntax:

    OTHER-RECIPIENT ::= TYPE-IDENTIFIER

    OtherRecipientInfo ::= SEQUENCE {
        oriType OTHER-RECIPIENT.&id({SupportedOtherRecipInfo}),
        oriValue OTHER-RECIPIENT.&Type({SupportedOtherRecipInfo}{@oriType}) }

    SupportedOtherRecipInfo OTHER-RECIPIENT ::= { ... }
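The RecipientInfo CHOICE and the version comments in the syntax above can be checked mechanically. The following Python is an added example, not code from the book: it walks a DER-encoded RecipientInfos SET, names each alternative from its outer tag, and checks the version against the value the syntax comments require. It assumes the CMS module's default IMPLICIT tagging; read_tlv, classify_recipient_infos, tlv and the SAMPLE bytes are constructed for illustration.

```python
# Added example, not from the book. Assumes DER and the CMS module's default
# IMPLICIT tagging, so kari/kekri/pwri/ori replace the SEQUENCE tag (0xA1..0xA4).
RECIPIENT_INFO = {  # outer tag -> (CHOICE alternative, allowed versions)
    0x30: ("ktri", {0, 2}), 0xA1: ("kari", {3}), 0xA2: ("kekri", {4}),
    0xA3: ("pwri", {0}), 0xA4: ("ori", None),  # ori carries no version field
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def classify_recipient_infos(set_der):
    """Walk a RecipientInfos SET; return [(alternative, version, version_ok)]."""
    tag, body, _ = read_tlv(set_der, 0)
    if tag != 0x31 or not body:
        raise ValueError("expected a non-empty SET (SIZE 1..MAX)")
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag not in RECIPIENT_INFO:
            raise ValueError(f"unknown RecipientInfo tag 0x{tag:02x}")
        name, allowed = RECIPIENT_INFO[tag]
        version = None
        if allowed is not None:
            vtag, vval, _ = read_tlv(value, 0)
            if vtag != 0x02:
                raise ValueError("first field is not an INTEGER version")
            version = int.from_bytes(vval, "big")
        out.append((name, version, allowed is None or version in allowed))
    return out

def tlv(tag, value):  # short-form encoder, enough for the constructed sample
    return bytes([tag, len(value)]) + value

# Constructed sample: only the version is real, the other fields are a stub.
STUB = tlv(0x04, b"\x00")
SAMPLE = tlv(0x31, b"".join(tlv(t, tlv(0x02, bytes([v])) + STUB)
                            for t, v in [(0x30, 2), (0xA1, 0), (0xA2, 4), (0xA3, 0)]))
```

In the constructed sample the kari entry carries version 0 instead of 3, so it is reported with version_ok set to False.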

Encrypted Data

The encrypted-data content type provides content confidentiality. Unlike enveloped-data, it provides no key management information for originator or recipients. The keys must be managed via other means. It is often used when keying material is available from other sources. The encrypted-data content type is identified by the id-encryptedData object identifier, and it has the following syntax:

    ct-EncryptedData CONTENT-TYPE ::=
        { EncryptedData IDENTIFIED BY id-encryptedData }

    id-encryptedData OBJECT IDENTIFIER ::=
        { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }

    EncryptedData ::= SEQUENCE {
        version CMSVersion,
        encryptedContentInfo EncryptedContentInfo,
        unprotectedAttrs [1] IMPLICIT Attributes
            {{UnprotectedAttributes}} OPTIONAL }

Digest Data

The digested-data content type provides content integrity. Used by itself, this content type has dubious value because both the hash value and the contents are available; this is why it’s normally used as an input to enveloped-data. The digested-data content type is identified by the id-digestedData object identifier, and it has the following syntax:

    ct-DigestedData CONTENT-TYPE ::=
        { DigestedData IDENTIFIED BY id-digestedData }

    id-digestedData OBJECT IDENTIFIER ::=


    DigestedData ::= SEQUENCE {
        version CMSVersion,
        digestAlgorithm DigestAlgorithmIdentifier,
        encapContentInfo EncapsulatedContentInfo,
        digest Digest }

    Digest ::= OCTET STRING