Key transport algorithms are public key encryption algorithms specified for encrypting and decrypting keys. As implicit input, they take their keying material and the key to encrypt (transport). Their identifiers normally appear as Algorithm attributes to EncryptionMethod elements that are children of EncryptedKey, which is in turn a child of KeyInfo (see Figure 18-1). The type of key being transported that is, the algorithm in which the transported key will be used is given by the Algorithm attribute of the EncryptionMethod child of the EncryptedData or Encrypted/Key parent of this KeyInfo (see Figure 18-2).
Key transport algorithms may optionally be used to encrypt data. In that case, they appear directly as the Algorithm attribute of an EncryptionMethod child of an EncryptedData element. Because they use public key algorithms directly, these algorithms do not work efficiently in the transport of any amounts of data significantly larger than symmetric keys.
The key transport algorithms given in this section are used in conjunction with the Cryptographic Message Syntax (CMS) of S/MIME [RFC 2630].
18.7.1 RSA Version 1.5
RSA Version 1.5 Identifier: http://www.w3.org/2001/04/xmlenc#rsa-1_5
RSA version 1.5 is the RSAES-PKCS1-v1_5 algorithm described in [RFC 2437]. It takes no explicit parameters. An example of an RSA Version 1.5 EncryptionMethod element follows:
The CipherValue for such an encrypted key is the base-64 [RFC 2045] encoding of the byte string computed as per PKCS#1 [RFC 2437, Section 7.2.1: encryption operation]. As specified in the EME-PKCS1-v1_5 function [RFC 2437, Section 22.214.171.124], the value input to the key transport function is as follows:
Here the padding has the following special form:
where "|" is concatenation; "02" and "00" are the fixed octets x02 and x00; "PS" is a string of strong pseudo-random octets [RFC 1750] at least eight octets long, containing no zero octets, and long enough that the value of the quantity being encrypted is one byte shorter than the RSA modulus; and "key" is the key being transported. The key is 192 bits for triple DES and 128, 192, or 256 bits for AES. Support of this key transport algorithm for triple DES keys is mandatory under XML Encryption. Support of this algorithm for AES or other keys is optional. RSA-OAEP is recommended for the transport of AES keys.
The resulting base-64 [RFC 2045] string is the value of the child text node of the CipherValue element. For example:
<CipherValue>IWijxQjUrcXBYoCei4QxjWo9Kg8D3p9tlWoT4 t0/gyTE96639In0FZFY2/rvP+/bMJ01EarmKZ sR5VW3rwoPxw= </CipherValue>
RSA OAEP Identifier: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
The RSAES-OAEP-ENCRYPT algorithm is described in [RFC 2437]. (OAEP stands for Optimal Asymmetric Encryption Padding. The next-to-last character of the URI is the digit 1, and "mgf" stands for "mask-generating function.") As explicit parameters, the RSA-OAEP algorithm takes a message digest function and an optional octet string OAEPparams. The OAEP message digest function is indicated by the Algorithm attribute of a child DigestMethod element, and the octet string is the base-64 decoding of the text child of an optional OAEPparams element. (The SHA-1 digest function is always used inside the mask generator function when this identifier specifies the key transport algorithm.) An example of an RSA-OAEP element follows:
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgflp"> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <OAEPparams>Zm9v</OAEPparams> <EncryptionMethod>
The CipherData for an RSA-OAEP encrypted key is the base-64 [RFC 2045] encoding of the byte string computed as per PKCS#1 [RFC 2437, Section 7.1.1: encryption operation]. As described in the EME-OAEP-ENCODE function [RFC 2437, Section 126.96.36.199], the value input to the key transport function is calculated by using the message digest function and the string specified in the DigestMethod and OAEPparams element and by using the mask generator function MGF1 specified in [RFC 2437]. The desired output length for EME-OAEP-ENCODE is one byte shorter than the RSA modulus.
Standards-conformant XML Encryption applications must implement RSA-OAEP for the transport of 128- and 256-bit AES keys. They may optionally implement RSA-OAEP for the transport of 192-bit AES keys, triple DES keys, and other keys.