18.7 Key Transport Algorithms


Key transport algorithms are public key encryption algorithms specified for encrypting and decrypting keys. As implicit input, they take their keying material and the key to encrypt (transport). Their identifiers normally appear as Algorithm attributes to EncryptionMethod elements that are children of EncryptedKey, which is in turn a child of KeyInfo (see Figure 18-1). The type of key being transported that is, the algorithm in which the transported key will be used is given by the Algorithm attribute of the EncryptionMethod child of the EncryptedData or Encrypted/Key parent of this KeyInfo (see Figure 18-2).

Key transport algorithms may optionally be used to encrypt data. In that case, they appear directly as the Algorithm attribute of an EncryptionMethod child of an EncryptedData element. Because they use public key algorithms directly, these algorithms do not work efficiently in the transport of any amounts of data significantly larger than symmetric keys.

The key transport algorithms given in this section are used in conjunction with the Cryptographic Message Syntax (CMS) of S/MIME [RFC 2630].

18.7.1 RSA Version 1.5

 RSA Version 1.5 Identifier:     http://www.w3.org/2001/04/xmlenc#rsa-1_5 

RSA version 1.5 is the RSAES-PKCS1-v1_5 algorithm described in [RFC 2437]. It takes no explicit parameters. An example of an RSA Version 1.5 EncryptionMethod element follows:

 <EncryptionMethod   Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> 

The CipherValue for such an encrypted key is the base-64 [RFC 2045] encoding of the byte string computed as per PKCS#1 [RFC 2437, Section 7.2.1: encryption operation]. As specified in the EME-PKCS1-v1_5 function [RFC 2437, Section 9.1.2.1], the value input to the key transport function is as follows:

graphics/18equ09.gif


Here the padding has the following special form:

graphics/18equ10.gif


where "|" is concatenation; "02" and "00" are the fixed octets x02 and x00; "PS" is a string of strong pseudo-random octets [RFC 1750] at least eight octets long, containing no zero octets, and long enough that the value of the quantity being encrypted is one byte shorter than the RSA modulus; and "key" is the key being transported. The key is 192 bits for triple DES and 128, 192, or 256 bits for AES. Support of this key transport algorithm for triple DES keys is mandatory under XML Encryption. Support of this algorithm for AES or other keys is optional. RSA-OAEP is recommended for the transport of AES keys.

The resulting base-64 [RFC 2045] string is the value of the child text node of the CipherValue element. For example:

 <CipherValue>IWijxQjUrcXBYoCei4QxjWo9Kg8D3p9tlWoT4              t0/gyTE96639In0FZFY2/rvP+/bMJ01EarmKZ              sR5VW3rwoPxw= </CipherValue> 

18.7.2 RSA-OAEP

 RSA OAEP Identifier:     http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p 

The RSAES-OAEP-ENCRYPT algorithm is described in [RFC 2437]. (OAEP stands for Optimal Asymmetric Encryption Padding. The next-to-last character of the URI is the digit 1, and "mgf" stands for "mask-generating function.") As explicit parameters, the RSA-OAEP algorithm takes a message digest function and an optional octet string OAEPparams. The OAEP message digest function is indicated by the Algorithm attribute of a child DigestMethod element, and the octet string is the base-64 decoding of the text child of an optional OAEPparams element. (The SHA-1 digest function is always used inside the mask generator function when this identifier specifies the key transport algorithm.) An example of an RSA-OAEP element follows:

 <EncryptionMethod  Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgflp">   <DigestMethod    Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>   <OAEPparams>Zm9v</OAEPparams> <EncryptionMethod> 

The CipherData for an RSA-OAEP encrypted key is the base-64 [RFC 2045] encoding of the byte string computed as per PKCS#1 [RFC 2437, Section 7.1.1: encryption operation]. As described in the EME-OAEP-ENCODE function [RFC 2437, Section 9.1.1.1], the value input to the key transport function is calculated by using the message digest function and the string specified in the DigestMethod and OAEPparams element and by using the mask generator function MGF1 specified in [RFC 2437]. The desired output length for EME-OAEP-ENCODE is one byte shorter than the RSA modulus.

Standards-conformant XML Encryption applications must implement RSA-OAEP for the transport of 128- and 256-bit AES keys. They may optionally implement RSA-OAEP for the transport of 192-bit AES keys, triple DES keys, and other keys.



Secure XML(c) The New Syntax for Signatures and Encryption
Secure XML: The New Syntax for Signatures and Encryption
ISBN: 0201756056
EAN: 2147483647
Year: 2005
Pages: 186

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net