8
|
1 |
|
|
2 |
|
|
3 |
|
|
4 |
|
|
5 |
|
|
6 |
|
|
7 |
Network Working Group J. Linn
|
|
8 |
Request for Comments: 1421 IAB IRTF PSRG, IETF PEM WG
|
|
9 |
Obsoletes: 1113 February 1993
|
|
10 |
|
|
11 |
|
|
12 |
Privacy Enhancement for Internet Electronic Mail:
|
|
13 |
Part I: Message Encryption and Authentication Procedures
|
|
14 |
|
|
15 |
Status of this Memo
|
|
16 |
|
|
17 |
This RFC specifies an IAB standards track protocol for the Internet
|
|
18 |
community, and requests discussion and suggestions for improvements.
|
|
19 |
Please refer to the current edition of the "IAB Official Protocol
|
|
20 |
Standards" for the standardization state and status of this protocol.
|
|
21 |
Distribution of this memo is unlimited.
|
|
22 |
|
|
23 |
Acknowledgements
|
|
24 |
|
|
25 |
This document is the outgrowth of a series of meetings of the Privacy
|
|
26 |
and Security Research Group (PSRG) of the IRTF and the PEM Working
|
|
27 |
Group of the IETF. I would like to thank the members of the PSRG and
|
|
28 |
the IETF PEM WG, as well as all participants in discussions on the
|
|
29 |
"pem-dev@tis.com" mailing list, for their contributions to this
|
|
30 |
document.
|
|
31 |
|
|
32 |
1. Executive Summary
|
|
33 |
|
|
34 |
This document defines message encryption and authentication
|
|
35 |
procedures, in order to provide privacy-enhanced mail (PEM) services
|
|
36 |
for electronic mail transfer in the Internet. It is intended to
|
|
37 |
become one member of a related set of four RFCs. The procedures
|
|
38 |
defined in the current document are intended to be compatible with a
|
|
39 |
wide range of key management approaches, including both symmetric
|
|
40 |
(secret-key) and asymmetric (public-key) approaches for encryption of
|
|
41 |
data encrypting keys. Use of symmetric cryptography for message text
|
|
42 |
encryption and/or integrity check computation is anticipated. RFC
|
|
43 |
1422 specifies supporting key management mechanisms based on the use
|
|
44 |
of public-key certificates. RFC 1423 specifies algorithms, modes,
|
|
45 |
and associated identifiers relevant to the current RFC and to RFC
|
|
46 |
1422. RFC 1424 provides details of paper and electronic formats and
|
|
47 |
procedures for the key management infrastructure being established in
|
|
48 |
support of these services.
|
|
49 |
|
|
50 |
Privacy enhancement services (confidentiality, authentication,
|
|
51 |
message integrity assurance, and non-repudiation of origin) are
|
|
52 |
offered through the use of end-to-end cryptography between originator
|
|
53 |
and recipient processes at or above the User Agent level. No special
|
|
54 |
processing requirements are imposed on the Message Transfer System at
|
|
55 |
|
|
56 |
|
|
57 |
|
|
58 |
Linn [Page 1]
|
|
59 |
|
|
60 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
61 |
|
|
62 |
|
|
63 |
endpoints or at intermediate relay sites. This approach allows
|
|
64 |
privacy enhancement facilities to be incorporated selectively on a
|
|
65 |
site-by-site or user-by-user basis without impact on other Internet
|
|
66 |
entities. Interoperability among heterogeneous components and mail
|
|
67 |
transport facilities is supported.
|
|
68 |
|
|
69 |
The current specification's scope is confined to PEM processing
|
|
70 |
procedures for the RFC-822 textual mail environment, and defines the
|
|
71 |
Content-Domain indicator value "RFC822" to signify this usage.
|
|
72 |
Follow-on work in integration of PEM capabilities with other
|
|
73 |
messaging environments (e.g., MIME) is anticipated and will be
|
|
74 |
addressed in separate and/or successor documents, at which point
|
|
75 |
additional Content-Domain indicator values will be defined.
|
|
76 |
|
|
77 |
2. Terminology
|
|
78 |
|
|
79 |
For descriptive purposes, this RFC uses some terms defined in the OSI
|
|
80 |
X.400 Message Handling System Model per the CCITT Recommendations.
|
|
81 |
This section replicates a portion of (1984) X.400's Section 2.2.1,
|
|
82 |
"Description of the MHS Model: Overview" in order to make the
|
|
83 |
terminology clear to readers who may not be familiar with the OSI MHS
|
|
84 |
Model.
|
|
85 |
|
|
86 |
In the [MHS] model, a user is a person or a computer application. A
|
|
87 |
user is referred to as either an originator (when sending a message)
|
|
88 |
or a recipient (when receiving one). MH Service elements define the
|
|
89 |
set of message types and the capabilities that enable an originator
|
|
90 |
to transfer messages of those types to one or more recipients.
|
|
91 |
|
|
92 |
An originator prepares messages with the assistance of his or her
|
|
93 |
User Agent (UA). A UA is an application process that interacts with
|
|
94 |
the Message Transfer System (MTS) to submit messages. The MTS
|
|
95 |
delivers to one or more recipient UAs the messages submitted to it.
|
|
96 |
Functions performed solely by the UA and not standardized as part of
|
|
97 |
the MH Service elements are called local UA functions.
|
|
98 |
|
|
99 |
The MTS is composed of a number of Message Transfer Agents (MTAs).
|
|
100 |
Operating together, the MTAs relay messages and deliver them to the
|
|
101 |
intended recipient UAs, which then make the messages available to the
|
|
102 |
intended recipients.
|
|
103 |
|
|
104 |
The collection of UAs and MTAs is called the Message Handling System
|
|
105 |
(MHS). The MHS and all of its users are collectively referred to as
|
|
106 |
the Message Handling Environment.
|
|
107 |
|
|
108 |
|
|
109 |
|
|
110 |
|
|
111 |
|
|
112 |
|
|
113 |
|
|
114 |
Linn [Page 2]
|
|
115 |
|
|
116 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
117 |
|
|
118 |
|
|
119 |
3. Services, Constraints, and Implications
|
|
120 |
|
|
121 |
This RFC defines mechanisms to enhance privacy for electronic mail
|
|
122 |
transferred in the Internet. The facilities discussed in this RFC
|
|
123 |
provide privacy enhancement services on an end-to-end basis between
|
|
124 |
originator and recipient processes residing at the UA level or above.
|
|
125 |
No privacy enhancements are offered for message fields which are
|
|
126 |
added or transformed by intermediate relay points between PEM
|
|
127 |
processing components.
|
|
128 |
|
|
129 |
If an originator elects to perform PEM processing on an outbound
|
|
130 |
message, all PEM-provided security services are applied to the PEM
|
|
131 |
message's body in its entirety; selective application to portions of
|
|
132 |
a PEM message is not supported. Authentication, integrity, and (when
|
|
133 |
asymmetric key management is employed) non-repudiation of origin
|
|
134 |
services are applied to all PEM messages; confidentiality services
|
|
135 |
are optionally selectable.
|
|
136 |
|
|
137 |
In keeping with the Internet's heterogeneous constituencies and usage
|
|
138 |
modes, the measures defined here are applicable to a broad range of
|
|
139 |
Internet hosts and usage paradigms. In particular, it is worth
|
|
140 |
noting the following attributes:
|
|
141 |
|
|
142 |
1. The mechanisms defined in this RFC are not restricted to a
|
|
143 |
particular host or operating system, but rather allow
|
|
144 |
interoperability among a broad range of systems. All
|
|
145 |
privacy enhancements are implemented at the application
|
|
146 |
layer, and are not dependent on any privacy features at
|
|
147 |
lower protocol layers.
|
|
148 |
|
|
149 |
2. The defined mechanisms are compatible with non-enhanced
|
|
150 |
Internet components. Privacy enhancements are implemented
|
|
151 |
in an end-to-end fashion which does not impact mail
|
|
152 |
processing by intermediate relay hosts which do not
|
|
153 |
incorporate privacy enhancement facilities. It is
|
|
154 |
necessary, however, for a message's originator to be
|
|
155 |
cognizant of whether a message's intended recipient
|
|
156 |
implements privacy enhancements, in order that encoding and
|
|
157 |
possible encryption will not be performed on a message whose
|
|
158 |
destination is not equipped to perform corresponding inverse
|
|
159 |
transformations. (Section 4.6.1.1.3 of this RFC describes a
|
|
160 |
PEM message type ("MIC-CLEAR") which represents a signed,
|
|
161 |
unencrypted PEM message in a form readable without PEM
|
|
162 |
processing capabilities yet validatable by PEM-equipped
|
|
163 |
recipients.)
|
|
164 |
|
|
165 |
3. The defined mechanisms are compatible with a range of mail
|
|
166 |
transport facilities (MTAs). Within the Internet,
|
|
167 |
|
|
168 |
|
|
169 |
|
|
170 |
Linn [Page 3]
|
|
171 |
|
|
172 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
173 |
|
|
174 |
|
|
175 |
electronic mail transport is effected by a variety of SMTP
|
|
176 |
[2] implementations. Certain sites, accessible via SMTP,
|
|
177 |
forward mail into other mail processing environments (e.g.,
|
|
178 |
USENET, CSNET, BITNET). The privacy enhancements must be
|
|
179 |
able to operate across the SMTP realm; it is desirable that
|
|
180 |
they also be compatible with protection of electronic mail
|
|
181 |
sent between the SMTP environment and other connected
|
|
182 |
environments.
|
|
183 |
|
|
184 |
4. The defined mechanisms are compatible with a broad range of
|
|
185 |
electronic mail user agents (UAs). A large variety of
|
|
186 |
electronic mail user agent programs, with a corresponding
|
|
187 |
broad range of user interface paradigms, is used in the
|
|
188 |
Internet. In order that electronic mail privacy
|
|
189 |
enhancements be available to the broadest possible user
|
|
190 |
community, selected mechanisms should be usable with the
|
|
191 |
widest possible variety of existing UA programs. For
|
|
192 |
purposes of pilot implementation, it is desirable that
|
|
193 |
privacy enhancement processing be incorporable into a
|
|
194 |
separate program, applicable to a range of UAs, rather than
|
|
195 |
requiring internal modifications to each UA with which PEM
|
|
196 |
services are to be provided.
|
|
197 |
|
|
198 |
5. The defined mechanisms allow electronic mail privacy
|
|
199 |
enhancement processing to be performed on personal computers
|
|
200 |
(PCs) separate from the systems on which UA functions are
|
|
201 |
implemented. Given the expanding use of PCs and the limited
|
|
202 |
degree of trust which can be placed in UA implementations on
|
|
203 |
many multi-user systems, this attribute can allow many users
|
|
204 |
to process PEM with a higher assurance level than a strictly
|
|
205 |
UA-integrated approach would allow.
|
|
206 |
|
|
207 |
6. The defined mechanisms support privacy protection of
|
|
208 |
electronic mail addressed to mailing lists (distribution
|
|
209 |
lists, in ISO parlance).
|
|
210 |
|
|
211 |
7. The mechanisms defined within this RFC are compatible with a
|
|
212 |
variety of supporting key management approaches, including
|
|
213 |
(but not limited to) manual pre-distribution, centralized
|
|
214 |
key distribution based on symmetric cryptography, and the
|
|
215 |
use of public-key certificates per RFC 1422. Different
|
|
216 |
key management mechanisms may be used for different
|
|
217 |
recipients of a multicast message. For two PEM
|
|
218 |
implementations to interoperate, they must share a common
|
|
219 |
key management mechanism; support for the mechanism defined
|
|
220 |
in RFC 1422 is strongly encouraged.
|
|
221 |
|
|
222 |
|
|
223 |
|
|
224 |
|
|
225 |
|
|
226 |
Linn [Page 4]
|
|
227 |
|
|
228 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
229 |
|
|
230 |
|
|
231 |
In order to achieve applicability to the broadest possible range of
|
|
232 |
Internet hosts and mail systems, and to facilitate pilot
|
|
233 |
implementation and testing without the need for prior and pervasive
|
|
234 |
modifications throughout the Internet, the following design
|
|
235 |
principles were applied in selecting the set of features specified in
|
|
236 |
this RFC:
|
|
237 |
|
|
238 |
1. This RFC's measures are restricted to implementation at
|
|
239 |
endpoints and are amenable to integration with existing
|
|
240 |
Internet mail protocols at the user agent (UA) level or
|
|
241 |
above, rather than necessitating modifications to existing
|
|
242 |
mail protocols or integration into the message transport
|
|
243 |
system (e.g., SMTP servers).
|
|
244 |
|
|
245 |
2. The set of supported measures enhances rather than restricts
|
|
246 |
user capabilities. Trusted implementations, incorporating
|
|
247 |
integrity features protecting software from subversion by
|
|
248 |
local users, cannot be assumed in general. No mechanisms
|
|
249 |
are assumed to prevent users from sending, at their
|
|
250 |
discretion, messages to which no PEM processing has been
|
|
251 |
applied. In the absence of such features, it appears more
|
|
252 |
feasible to provide facilities which enhance user services
|
|
253 |
(e.g., by protecting and authenticating inter-user traffic)
|
|
254 |
than to enforce restrictions (e.g., inter-user access
|
|
255 |
control) on user actions.
|
|
256 |
|
|
257 |
3. The set of supported measures focuses on a set of functional
|
|
258 |
capabilities selected to provide significant and tangible
|
|
259 |
benefits to a broad user community. By concentrating on the
|
|
260 |
most critical set of services, we aim to maximize the added
|
|
261 |
privacy value that can be provided with a modest level of
|
|
262 |
implementation effort.
|
|
263 |
|
|
264 |
Based on these principles, the following facilities are provided:
|
|
265 |
|
|
266 |
1. disclosure protection,
|
|
267 |
|
|
268 |
2. originator authenticity,
|
|
269 |
|
|
270 |
3. message integrity measures, and
|
|
271 |
|
|
272 |
4. (if asymmetric key management is used) non-repudiation of
|
|
273 |
origin,
|
|
274 |
|
|
275 |
but the following privacy-relevant concerns are not addressed:
|
|
276 |
|
|
277 |
1. access control,
|
|
278 |
|
|
279 |
|
|
280 |
|
|
281 |
|
|
282 |
Linn [Page 5]
|
|
283 |
|
|
284 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
285 |
|
|
286 |
|
|
287 |
2. traffic flow confidentiality,
|
|
288 |
|
|
289 |
3. address list accuracy,
|
|
290 |
|
|
291 |
4. routing control,
|
|
292 |
|
|
293 |
5. issues relating to the casual serial reuse of PCs by
|
|
294 |
multiple users,
|
|
295 |
|
|
296 |
6. assurance of message receipt and non-deniability of receipt,
|
|
297 |
|
|
298 |
7. automatic association of acknowledgments with the messages
|
|
299 |
to which they refer, and
|
|
300 |
|
|
301 |
8. message duplicate detection, replay prevention, or other
|
|
302 |
stream-oriented services
|
|
303 |
|
|
304 |
4. Processing of Messages
|
|
305 |
|
|
306 |
4.1 Message Processing Overview
|
|
307 |
|
|
308 |
This subsection provides a high-level overview of the components and
|
|
309 |
processing steps involved in electronic mail privacy enhancement
|
|
310 |
processing. Subsequent subsections will define the procedures in
|
|
311 |
more detail.
|
|
312 |
|
|
313 |
4.1.1 Types of Keys
|
|
314 |
|
|
315 |
A two-level keying hierarchy is used to support PEM transmission:
|
|
316 |
|
|
317 |
1. Data Encrypting Keys (DEKs) are used for encryption of
|
|
318 |
message text and (with certain choices among a set of
|
|
319 |
alternative algorithms) for computation of message integrity
|
|
320 |
check (MIC) quantities. In the asymmetric key management
|
|
321 |
environment, DEKs are also used to encrypt the signed
|
|
322 |
representations of MICs in PEM messages to which
|
|
323 |
confidentiality has been applied. DEKs are generated
|
|
324 |
individually for each transmitted message; no
|
|
325 |
predistribution of DEKs is needed to support PEM
|
|
326 |
transmission.
|
|
327 |
|
|
328 |
2. Interchange Keys (IKs) are used to encrypt DEKs for
|
|
329 |
transmission within messages. Ordinarily, the same IK will
|
|
330 |
be used for all messages sent from a given originator to a
|
|
331 |
given recipient over a period of time. Each transmitted
|
|
332 |
message includes a representation of the DEK(s) used for
|
|
333 |
message encryption and/or MIC computation, encrypted under
|
|
334 |
an individual IK per named recipient. The representation is
|
|
335 |
|
|
336 |
|
|
337 |
|
|
338 |
Linn [Page 6]
|
|
339 |
|
|
340 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
341 |
|
|
342 |
|
|
343 |
associated with Originator-ID and Recipient-ID fields
|
|
344 |
(defined in different forms so as to distinguish symmetric
|
|
345 |
from asymmetric cases), which allow each individual
|
|
346 |
recipient to identify the IK used to encrypt DEKs and/or
|
|
347 |
MICs for that recipient's use. Given an appropriate IK, a
|
|
348 |
recipient can decrypt the corresponding transmitted DEK
|
|
349 |
representation, yielding the DEK required for message text
|
|
350 |
decryption and/or MIC validation. The definition of an IK
|
|
351 |
differs depending on whether symmetric or asymmetric
|
|
352 |
cryptography is used for DEK encryption:
|
|
353 |
|
|
354 |
2a. When symmetric cryptography is used for DEK
|
|
355 |
encryption, an IK is a single symmetric key shared
|
|
356 |
between an originator and a recipient. In this
|
|
357 |
case, the same IK is used to encrypt MICs as well
|
|
358 |
as DEKs for transmission. Version/expiration
|
|
359 |
information and IA identification associated with
|
|
360 |
the originator and with the recipient must be
|
|
361 |
concatenated in order to fully qualify a symmetric
|
|
362 |
IK.
|
|
363 |
|
|
364 |
2b. When asymmetric cryptography is used, the IK
|
|
365 |
component used for DEK encryption is the public
|
|
366 |
component [8] of the recipient. The IK component
|
|
367 |
used for MIC encryption is the private component of
|
|
368 |
the originator, and therefore only one encrypted
|
|
369 |
MIC representation need be included per message,
|
|
370 |
rather than one per recipient. Each of these IK
|
|
371 |
components can be fully qualified in a Recipient-ID
|
|
372 |
or Originator-ID field, respectively.
|
|
373 |
Alternatively, an originator's IK component may be
|
|
374 |
determined from a certificate carried in an
|
|
375 |
"Originator-Certificate:" field.
|
|
376 |
|
|
377 |
4.1.2 Processing Procedures
|
|
378 |
|
|
379 |
When PEM processing is to be performed on an outgoing message, a DEK
|
|
380 |
is generated [1] for use in message encryption and (if a chosen MIC
|
|
381 |
algorithm requires a key) a variant of the DEK is formed for use in
|
|
382 |
MIC computation. DEK generation can be omitted for the case of a
|
|
383 |
message where confidentiality is not to be applied, unless a chosen
|
|
384 |
MIC computation algorithm requires a DEK. Other parameters (e.g.,
|
|
385 |
Initialization Vectors (IVs)) as required by selected encryption
|
|
386 |
algorithms are also generated.
|
|
387 |
|
|
388 |
One or more Originator-ID and/or "Originator-Certificate:" fields are
|
|
389 |
included in a PEM message's encapsulated header to provide recipients
|
|
390 |
with an identification component for the IK(s) used for message
|
|
391 |
|
|
392 |
|
|
393 |
|
|
394 |
Linn [Page 7]
|
|
395 |
|
|
396 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
397 |
|
|
398 |
|
|
399 |
processing. All of a message's Originator-ID and/or "Originator-
|
|
400 |
Certificate:" fields are assumed to correspond to the same principal;
|
|
401 |
the facility for inclusion of multiple such fields accomodates the
|
|
402 |
prospect that different keys, algorithms, and/or certification paths
|
|
403 |
may be required for processing by different recipients. When a
|
|
404 |
message includes recipients for which asymmetric key management is
|
|
405 |
employed as well as recipients for which symmetric key management is
|
|
406 |
employed, a separate Originator-ID or "Originator-Certificate:" field
|
|
407 |
precedes each set of recipients.
|
|
408 |
|
|
409 |
In the symmetric case, per-recipient IK components are applied for
|
|
410 |
each individually named recipient in preparation of ENCRYPTED, MIC-
|
|
411 |
ONLY, and MIC-CLEAR messages. A corresponding "Recipient-ID-
|
|
412 |
Symmetric:" field, interpreted in the context of the most recent
|
|
413 |
preceding "Originator-ID-Symmetric:" field, serves to identify each
|
|
414 |
IK. In the asymmetric case, per-recipient IK components are applied
|
|
415 |
only for ENCRYPTED messages, are independent of originator-oriented
|
|
416 |
header elements, and are identified by "Recipient-ID-Asymmetric:"
|
|
417 |
fields. Each Recipient-ID field is followed by a "Key-Info:" field,
|
|
418 |
which transfers the message's DEK encrypted under the IK appropriate
|
|
419 |
for the specified recipient.
|
|
420 |
|
|
421 |
When symmetric key management is used for a given recipient, the
|
|
422 |
"Key-Info:" field following the corresponding "Recipient-ID-
|
|
423 |
Symmetric:" field also transfers the message's computed MIC,
|
|
424 |
encrypted under the recipient's IK. When asymmetric key management is
|
|
425 |
used, a "MIC-Info:" field associated with an "Originator-ID-
|
|
426 |
Asymmetric:" or "Originator-Certificate:" field carries the message's
|
|
427 |
MIC, asymmetrically signed using the private component of the
|
|
428 |
originator. If the PEM message is of type ENCRYPTED (as defined in
|
|
429 |
Section 4.6.1.1.1 of this RFC), the asymmetrically signed MIC is
|
|
430 |
symmetrically encrypted using the same DEK, algorithm, encryption
|
|
431 |
mode and other cryptographic parameters as used to encrypt the
|
|
432 |
message text, prior to inclusion in the "MIC-Info:" field.
|
|
433 |
|
|
434 |
4.1.2.1 Processing Steps
|
|
435 |
|
|
436 |
A four-phase transformation procedure is employed in order to
|
|
437 |
represent encrypted message text in a universally transmissible form
|
|
438 |
and to enable messages encrypted on one type of host computer to be
|
|
439 |
decrypted on a different type of host computer. A plaintext message
|
|
440 |
is accepted in local form, using the host's native character set and
|
|
441 |
line representation. The local form is converted to a canonical
|
|
442 |
message text representation, defined as equivalent to the inter-SMTP
|
|
443 |
representation of message text. This canonical representation forms
|
|
444 |
the input to the MIC computation step (applicable to ENCRYPTED, MIC-
|
|
445 |
ONLY, and MIC-CLEAR messages) and the encryption process (applicable
|
|
446 |
to ENCRYPTED messages only).
|
|
447 |
|
|
448 |
|
|
449 |
|
|
450 |
Linn [Page 8]
|
|
451 |
|
|
452 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
453 |
|
|
454 |
|
|
455 |
For ENCRYPTED PEM messages, the canonical representation is padded as
|
|
456 |
required by the encryption algorithm, and this padded canonical
|
|
457 |
representation is encrypted. The encrypted text (for an ENCRYPTED
|
|
458 |
message) or the unpadded canonical form (for a MIC-ONLY message) is
|
|
459 |
then encoded into a printable form. The printable form is composed
|
|
460 |
of a restricted character set which is chosen to be universally
|
|
461 |
representable across sites, and which will not be disrupted by
|
|
462 |
processing within and between MTS entities. MIC-CLEAR PEM messages
|
|
463 |
omit the printable encoding step.
|
|
464 |
|
|
465 |
The output of the previous processing steps is combined with a set of
|
|
466 |
header fields carrying cryptographic control information. The
|
|
467 |
resulting PEM message is passed to the electronic mail system to be
|
|
468 |
included within the text portion of a transmitted message. There is
|
|
469 |
no requirement that a PEM message comprise the entirety of an MTS
|
|
470 |
message's text portion; this allows PEM-protected information to be
|
|
471 |
accompanied by (unprotected) annotations. It is also permissible for
|
|
472 |
multiple PEM messages (and associated unprotected text, outside the
|
|
473 |
PEM message boundaries) to be represented within the encapsulated
|
|
474 |
text of a higher-level PEM message. PEM message signatures are
|
|
475 |
forwardable when asymmetric key management is employed; an authorized
|
|
476 |
recipient of a PEM message with confidentiality applied can reduce
|
|
477 |
that message to a signed but unencrypted form for forwarding purposes
|
|
478 |
or can re-encrypt that message for subsequent transmission.
|
|
479 |
|
|
480 |
When a PEM message is received, the cryptographic control fields
|
|
481 |
within its encapsulated header provide the information required for
|
|
482 |
each authorized recipient to perform MIC validation and decryption of
|
|
483 |
the received message text. For ENCRYPTED and MIC-ONLY messages, the
|
|
484 |
printable encoding is converted to a bitstring. Encrypted portions
|
|
485 |
of the transmitted message are decrypted. The MIC is validated.
|
|
486 |
Then, the recipient PEM process converts the canonical representation
|
|
487 |
to its appropriate local form.
|
|
488 |
|
|
489 |
4.1.2.2 Error Cases
|
|
490 |
|
|
491 |
A variety of error cases may occur and be detected in the course of
|
|
492 |
processing a received PEM message. The specific actions to be taken
|
|
493 |
in response to such conditions are local matters, varying as
|
|
494 |
functions of user preferences and the type of user interface provided
|
|
495 |
by a particular PEM implementation, but certain general
|
|
496 |
recommendations are appropriate. Syntactically invalid PEM messages
|
|
497 |
should be flagged as such, preferably with collection of diagnostic
|
|
498 |
information to support debugging of incompatibilities or other
|
|
499 |
failures. RFC 1422 defines specific error processing requirements
|
|
500 |
relevant to the certificate-based key management mechanisms defined
|
|
501 |
therein.
|
|
502 |
|
|
503 |
|
|
504 |
|
|
505 |
|
|
506 |
Linn [Page 9]
|
|
507 |
|
|
508 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
509 |
|
|
510 |
|
|
511 |
Syntactically valid PEM messages which yield MIC failures raise
|
|
512 |
special concern, as they may result from attempted attacks or forged
|
|
513 |
messages. As such, it is unsuitable to display their contents to
|
|
514 |
recipient users without first indicating the fact that the contents'
|
|
515 |
authenticity and integrity cannot be guaranteed and then receiving
|
|
516 |
positive user confirmation of such a warning. MIC-CLEAR messages
|
|
517 |
(discussed in Section 4.6.1.1.3 of this RFC) raise special concerns,
|
|
518 |
as MIC failures on such messages may occur for a broader range of
|
|
519 |
benign causes than are applicable to other PEM message types.
|
|
520 |
|
|
521 |
4.2 Encryption Algorithms, Modes, and Parameters
|
|
522 |
|
|
523 |
For use in conjunction with this RFC, RFC 1423 defines the
|
|
524 |
appropriate algorithms, modes, and associated identifiers to be used
|
|
525 |
for encryption of message text with DEKs.
|
|
526 |
|
|
527 |
The mechanisms defined in this RFC incorporate facilities for
|
|
528 |
transmission of cryptographic parameters (e.g., pseudorandom
|
|
529 |
Initializing Vectors (IVs)) with PEM messages to which the
|
|
530 |
confidentiality service is applied, when required by symmetric
|
|
531 |
message encryption algorithms and modes specified in RFC 1423.
|
|
532 |
|
|
533 |
Certain operations require encryption of DEKs, MICs, and digital
|
|
534 |
signatures under an IK for purposes of transmission. A header
|
|
535 |
facility indicates the mode in which the IK is used for encryption.
|
|
536 |
RFC 1423 specifies encryption algorithm and mode identifiers and
|
|
537 |
minimum essential support requirements for key encryption processing.
|
|
538 |
|
|
539 |
RFC 1422 specifies asymmetric, certificate-based key management
|
|
540 |
procedures based on CCITT Recommendation X.509 to support the message
|
|
541 |
processing procedures defined in this document. Support for the key
|
|
542 |
management approach defined in RFC 1422 is strongly recommended. The
|
|
543 |
message processing procedures can also be used with symmetric key
|
|
544 |
management, given prior distribution of suitable symmetric IKs, but
|
|
545 |
no current RFCs specify key distribution procedures for such IKs.
|
|
546 |
|
|
547 |
4.3 Privacy Enhancement Message Transformations
|
|
548 |
|
|
549 |
4.3.1 Constraints
|
|
550 |
|
|
551 |
An electronic mail encryption mechanism must be compatible with the
|
|
552 |
transparency constraints of its underlying electronic mail
|
|
553 |
facilities. These constraints are generally established based on
|
|
554 |
expected user requirements and on the characteristics of anticipated
|
|
555 |
endpoint and transport facilities. An encryption mechanism must also
|
|
556 |
be compatible with the local conventions of the computer systems
|
|
557 |
which it interconnects. Our approach uses a canonicalization step to
|
|
558 |
abstract out local conventions and a subsequent encoding step to
|
|
559 |
|
|
560 |
|
|
561 |
|
|
562 |
Linn [Page 10]
|
|
563 |
|
|
564 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
565 |
|
|
566 |
|
|
567 |
conform to the characteristics of the underlying mail transport
|
|
568 |
medium (SMTP). The encoding conforms to SMTP constraints. Section
|
|
569 |
4.5 of RFC 821 [2] details SMTP's transparency constraints.
|
|
570 |
|
|
571 |
To prepare a message for SMTP transmission, the following
|
|
572 |
requirements must be met:
|
|
573 |
|
|
574 |
1. All characters must be members of the 7-bit ASCII character
|
|
575 |
set.
|
|
576 |
|
|
577 |
2. Text lines, delimited by the character pair <CR><LF>, must
|
|
578 |
be no more than 1000 characters long.
|
|
579 |
|
|
580 |
3. Since the string <CR><LF>.<CR><LF> indicates the end of a
|
|
581 |
message, it must not occur in text prior to the end of a
|
|
582 |
message.
|
|
583 |
|
|
584 |
Although SMTP specifies a standard representation for line delimiters
|
|
585 |
(ASCII <CR><LF>), numerous systems in the Internet use a different
|
|
586 |
native representation to delimit lines. For example, the <CR><LF>
|
|
587 |
sequences delimiting lines in mail inbound to UNIX systems are
|
|
588 |
transformed to single <LF>s as mail is written into local mailbox
|
|
589 |
files. Lines in mail incoming to record-oriented systems (such as
|
|
590 |
VAX VMS) may be converted to appropriate records by the destination
|
|
591 |
SMTP server [3]. As a result, if the encryption process generated
|
|
592 |
<CR>s or <LF>s, those characters might not be accessible to a
|
|
593 |
recipient UA program at a destination which uses different line
|
|
594 |
delimiting conventions. It is also possible that conversion between
|
|
595 |
tabs and spaces may be performed in the course of mapping between
|
|
596 |
inter-SMTP and local format; this is a matter of local option. If
|
|
597 |
such transformations changed the form of transmitted ciphertext,
|
|
598 |
decryption would fail to regenerate the transmitted plaintext, and a
|
|
599 |
transmitted MIC would fail to compare with that computed at the
|
|
600 |
destination.
|
|
601 |
|
|
602 |
The conversion performed by an SMTP server at a system with EBCDIC as
|
|
603 |
a native character set has even more severe impact, since the
|
|
604 |
conversion from EBCDIC into ASCII is an information-losing
|
|
605 |
transformation. In principle, the transformation function mapping
|
|
606 |
between inter-SMTP canonical ASCII message representation and local
|
|
607 |
format could be moved from the SMTP server up to the UA, given a
|
|
608 |
means to direct that the SMTP server should no longer perform that
|
|
609 |
transformation. This approach has a major disadvantage: internal
|
|
610 |
file (e.g., mailbox) formats would be incompatible with the native
|
|
611 |
forms used on the systems where they reside. Further, it would
|
|
612 |
require modification to SMTP servers, as mail would be passed to SMTP
|
|
613 |
in a different representation than it is passed at present.
|
|
614 |
|
|
615 |
|
|
616 |
|
|
617 |
|
|
618 |
Linn [Page 11]
|
|
619 |
|
|
620 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
621 |
|
|
622 |
|
|
623 |
4.3.2 Approach
|
|
624 |
|
|
625 |
Our approach to supporting PEM across an environment in which
|
|
626 |
intermediate conversions may occur defines an encoding for mail which
|
|
627 |
is uniformly representable across the set of PEM UAs regardless of
|
|
628 |
their systems' native character sets. This encoded form is used (for
|
|
629 |
specified PEM message types) to represent mail text in transit from
|
|
630 |
originator to recipient, but the encoding is not applied to enclosing
|
|
631 |
MTS headers or to encapsulated headers inserted to carry control
|
|
632 |
information between PEM UAs. The encoding's characteristics are such
|
|
633 |
that the transformations anticipated between originator and recipient
|
|
634 |
UAs will not prevent an encoded message from being decoded properly
|
|
635 |
at its destination.
|
|
636 |
|
|
637 |
Four transformation steps, described in the following four
|
|
638 |
subsections, apply to outbound PEM message processing:
|
|
639 |
|
|
640 |
4.3.2.1 Step 1: Local Form
|
|
641 |
|
|
642 |
This step is applicable to PEM message types ENCRYPTED, MIC-ONLY, and
|
|
643 |
MIC-CLEAR. The message text is created in the system's native
|
|
644 |
character set, with lines delimited in accordance with local
|
|
645 |
convention.
|
|
646 |
|
|
647 |
4.3.2.2 Step 2: Canonical Form
|
|
648 |
|
|
649 |
This step is applicable to PEM message types ENCRYPTED, MIC-ONLY, and
|
|
650 |
MIC-CLEAR. The message text is converted to a universal canonical
|
|
651 |
form, similar to the inter-SMTP representation [4] as defined in RFC
|
|
652 |
821 [2] and RFC 822 [5]. The procedures performed in order to
|
|
653 |
accomplish this conversion are dependent on the characteristics of
|
|
654 |
the local form and so are not specified in this RFC.
|
|
655 |
|
|
656 |
PEM canonicalization assures that the message text is represented
|
|
657 |
with the ASCII character set and "<CR><LF>" line delimiters, but does
|
|
658 |
not perform the dot-stuffing transformation discussed in RFC 821,
|
|
659 |
Section 4.5.2. Since a message is converted to a standard character
|
|
660 |
set and representation before encryption, a transferred PEM message
|
|
661 |
can be decrypted and its MIC can be validated at any type of
|
|
662 |
destination host computer. Decryption and MIC validation is
|
|
663 |
performed before any conversions which may be necessary to transform
|
|
664 |
the message into a destination-specific local form.
|
|
665 |
|
|
666 |
4.3.2.3 Step 3: Authentication and Encryption
|
|
667 |
|
|
668 |
Authentication processing is applicable to PEM message types
|
|
669 |
ENCRYPTED, MIC-ONLY, and MIC-CLEAR. The canonical form is input to
|
|
670 |
the selected MIC computation algorithm in order to compute an
|
|
671 |
|
|
672 |
|
|
673 |
|
|
674 |
Linn [Page 12]
|
|
675 |
|
|
676 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
677 |
|
|
678 |
|
|
679 |
integrity check quantity for the message. No padding is added to the
|
|
680 |
canonical form before submission to the MIC computation algorithm,
|
|
681 |
although certain MIC algorithms will apply their own padding in the
|
|
682 |
course of computing a MIC.
|
|
683 |
|
|
684 |
Encryption processing is applicable only to PEM message type
|
|
685 |
ENCRYPTED. RFC 1423 defines the padding technique used to support
|
|
686 |
encryption of the canonically-encoded message text.
|
|
687 |
|
|
688 |
4.3.2.4 Step 4: Printable Encoding
|
|
689 |
|
|
690 |
This printable encoding step is applicable to PEM message types
|
|
691 |
ENCRYPTED and MIC-ONLY. The same processing is also employed in
|
|
692 |
representation of certain specifically identified PEM encapsulated
|
|
693 |
header field quantities as cited in Section 4.6. Proceeding from
|
|
694 |
left to right, the bit string resulting from step 3 is encoded into
|
|
695 |
characters which are universally representable at all sites, though
|
|
696 |
not necessarily with the same bit patterns (e.g., although the
|
|
697 |
character "E" is represented in an ASCII-based system as hexadecimal
|
|
698 |
45 and as hexadecimal C5 in an EBCDIC-based system, the local
|
|
699 |
significance of the two representations is equivalent).
|
|
700 |
|
|
701 |
A 64-character subset of International Alphabet IA5 is used, enabling
|
|
702 |
6 bits to be represented per printable character. (The proposed
|
|
703 |
subset of characters is represented identically in IA5 and ASCII.)
|
|
704 |
The character "=" signifies a special processing function used for
|
|
705 |
padding within the printable encoding procedure.
|
|
706 |
|
|
707 |
To represent the encapsulated text of a PEM message, the encoding
|
|
708 |
function's output is delimited into text lines (using local
|
|
709 |
conventions), with each line except the last containing exactly 64
|
|
710 |
printable characters and the final line containing 64 or fewer
|
|
711 |
printable characters. (This line length is easily printable and is
|
|
712 |
guaranteed to satisfy SMTP's 1000-character transmitted line length
|
|
713 |
limit.) This folding requirement does not apply when the encoding
|
|
714 |
procedure is used to represent PEM header field quantities; Section
|
|
715 |
4.6 discusses folding of PEM encapsulated header fields.
|
|
716 |
|
|
717 |
The encoding process represents 24-bit groups of input bits as output
|
|
718 |
strings of 4 encoded characters. Proceeding from left to right across
|
|
719 |
a 24-bit input group extracted from the output of step 3, each 6-bit
|
|
720 |
group is used as an index into an array of 64 printable characters.
|
|
721 |
The character referenced by the index is placed in the output string.
|
|
722 |
These characters, identified in Table 1, are selected so as to be
|
|
723 |
universally representable, and the set excludes characters with
|
|
724 |
particular significance to SMTP (e.g., ".", "<CR>", "<LF>").
|
|
725 |
|
|
726 |
|
|
727 |
|
|
728 |
|
|
729 |
|
|
730 |
Linn [Page 13]
|
|
731 |
|
|
732 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
733 |
|
|
734 |
|
|
735 |
Special processing is performed if fewer than 24 bits are available
|
|
736 |
in an input group at the end of a message. A full encoding quantum
|
|
737 |
is always completed at the end of a message. When fewer than 24
|
|
738 |
input bits are available in an input group, zero bits are added (on
|
|
739 |
the right) to form an integral number of 6-bit groups. Output
|
|
740 |
character positions which are not required to represent actual input
|
|
741 |
data are set to the character "=". Since all canonically encoded
|
|
742 |
output is an integral number of octets, only the following cases can
|
|
743 |
arise: (1) the final quantum of encoding input is an integral
|
|
744 |
multiple of 24 bits; here, the final unit of encoded output will be
|
|
745 |
an integral multiple of 4 characters with no "=" padding, (2) the
|
|
746 |
final quantum of encoding input is exactly 8 bits; here, the final
|
|
747 |
unit of encoded output will be two characters followed by two "="
|
|
748 |
padding characters, or (3) the final quantum of encoding input is
|
|
749 |
exactly 16 bits; here, the final unit of encoded output will be three
|
|
750 |
characters followed by one "=" padding character.
|
|
751 |
|
|
752 |
|
|
753 |
Value Encoding Value Encoding Value Encoding Value Encoding
|
|
754 |
0 A 17 R 34 i 51 z
|
|
755 |
1 B 18 S 35 j 52 0
|
|
756 |
2 C 19 T 36 k 53 1
|
|
757 |
3 D 20 U 37 l 54 2
|
|
758 |
4 E 21 V 38 m 55 3
|
|
759 |
5 F 22 W 39 n 56 4
|
|
760 |
6 G 23 X 40 o 57 5
|
|
761 |
7 H 24 Y 41 p 58 6
|
|
762 |
8 I 25 Z 42 q 59 7
|
|
763 |
9 J 26 a 43 r 60 8
|
|
764 |
10 K 27 b 44 s 61 9
|
|
765 |
11 L 28 c 45 t 62 +
|
|
766 |
12 M 29 d 46 u 63 /
|
|
767 |
13 N 30 e 47 v
|
|
768 |
14 O 31 f 48 w (pad) =
|
|
769 |
15 P 32 g 49 x
|
|
770 |
16 Q 33 h 50 y
|
|
771 |
|
|
772 |
Printable Encoding Characters
|
|
773 |
Table 1
|
|
774 |
|
|
775 |
|
|
776 |
4.3.2.5 Summary of Transformations
|
|
777 |
|
|
778 |
In summary, the outbound message is subjected to the following
|
|
779 |
composition of transformations (or, for some PEM message types, a
|
|
780 |
subset thereof):
|
|
781 |
|
|
782 |
Transmit_Form = Encode(Encrypt(Canonicalize(Local_Form)))
|
|
783 |
|
|
784 |
|
|
785 |
|
|
786 |
Linn [Page 14]
|
|
787 |
|
|
788 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
789 |
|
|
790 |
|
|
791 |
The inverse transformations are performed, in reverse order, to
|
|
792 |
process inbound PEM messages:
|
|
793 |
|
|
794 |
Local_Form = DeCanonicalize(Decipher(Decode(Transmit_Form)))
|
|
795 |
|
|
796 |
Note that the local form and the functions to transform messages to
|
|
797 |
and from canonical form may vary between the originator and recipient
|
|
798 |
systems without loss of information.
|
|
799 |
|
|
800 |
4.4 Encapsulation Mechanism
|
|
801 |
|
|
802 |
The encapsulation techniques defined in RFC-934 [6] are adopted for
|
|
803 |
encapsulation of PEM messages within separate enclosing MTS messages
|
|
804 |
carrying associated MTS headers. This approach offers a number of
|
|
805 |
advantages relative to a flat approach in which certain fields within
|
|
806 |
a single header are encrypted and/or carry cryptographic control
|
|
807 |
information. As far as the MTS is concerned, the entirety of a PEM
|
|
808 |
message will reside in an MTS message's text portion, not the MTS
|
|
809 |
message's header portion. Encapsulation provides generality and
|
|
810 |
segregates fields with user-to-user significance from those
|
|
811 |
transformed in transit. All fields inserted in the course of
|
|
812 |
encryption/authentication processing are placed in the encapsulated
|
|
813 |
header. This facilitates compatibility with mail handling programs
|
|
814 |
which accept only text, not header fields, from input files or from
|
|
815 |
other programs.
|
|
816 |
|
|
817 |
The encapsulation techniques defined in RFC-934 are consistent with
|
|
818 |
existing Internet mail forwarding and bursting mechanisms. These
|
|
819 |
techniques are designed so that they may be used in a nested manner.
|
|
820 |
The encapsulation techniques may be used to encapsulate one or more
|
|
821 |
PEM messages for forwarding to a third party, possibly in conjunction
|
|
822 |
with interspersed (non-PEM) text which serves to annotate the PEM
|
|
823 |
messages.
|
|
824 |
|
|
825 |
Two encapsulation boundaries (EB's) are defined for delimiting
|
|
826 |
encapsulated PEM messages and for distinguishing encapsulated PEM
|
|
827 |
messages from interspersed (non-PEM) text. The pre-EB is the string
|
|
828 |
"-----BEGIN PRIVACY-ENHANCED MESSAGE-----", indicating that an
|
|
829 |
encapsulated PEM message follows. The post-EB is either (1) another
|
|
830 |
pre-EB indicating that another encapsulated PEM message follows, or
|
|
831 |
(2) the string "-----END PRIVACY-ENHANCED MESSAGE-----" indicating
|
|
832 |
that any text that immediately follows is non-PEM text. A special
|
|
833 |
point must be noted for the case of MIC-CLEAR messages, the text
|
|
834 |
portions of which may contain lines which begin with the "-"
|
|
835 |
character and which are therefore subject to special processing per
|
|
836 |
RFC-934 forwarding procedures. When the string "- " must be
|
|
837 |
prepended to such a line in the course of a forwarding operation in
|
|
838 |
order to distinguish that line from an encapsulation boundary, MIC
|
|
839 |
|
|
840 |
|
|
841 |
|
|
842 |
Linn [Page 15]
|
|
843 |
|
|
844 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
845 |
|
|
846 |
|
|
847 |
computation is to be performed prior to prepending the "- " string.
|
|
848 |
Figure 1 depicts the encapsulation of a single PEM message.
|
|
849 |
|
|
850 |
This RFC places no a priori limits on the depth to which such
|
|
851 |
encapsulation may be nested nor on the number of PEM messages which
|
|
852 |
may be grouped in this fashion at a single nesting level for
|
|
853 |
forwarding. A implementation compliant with this RFC must not
|
|
854 |
preclude a user from submitting or receiving PEM messages which
|
|
855 |
exploit this encapsulation capability. However, no specific
|
|
856 |
requirements are levied upon implementations with regard to how this
|
|
857 |
capability is made available to the user. Thus, for example, a
|
|
858 |
compliant PEM implementation is not required to automatically detect
|
|
859 |
and process encapsulated PEM messages.
|
|
860 |
|
|
861 |
In using this encapsulation facility, it is important to note that it
|
|
862 |
is inappropriate to forward directly to a third party a message that
|
|
863 |
is ENCRYPTED because recipients of such a message would not have
|
|
864 |
access to the DEK required to decrypt the message. Instead, the user
|
|
865 |
forwarding the message must transform the ENCRYPTED message into a
|
|
866 |
MIC-ONLY or MIC-CLEAR form prior to forwarding. Thus, in order to
|
|
867 |
comply with this RFC, a PEM implementation must provide a facility to
|
|
868 |
enable a user to perform this transformation, while preserving the
|
|
869 |
MIC associated with the original message.
|
|
870 |
|
|
871 |
If a user wishes PEM-provided confidentiality protection for
|
|
872 |
transmitted information, such information must occur in the
|
|
873 |
encapsulated text of an ENCRYPTED PEM message, not in the enclosing
|
|
874 |
MTS header or PEM encapsulated header. If a user wishes to avoid
|
|
875 |
|
|
876 |
|
|
877 |
|
|
878 |
|
|
879 |
|
|
880 |
|
|
881 |
|
|
882 |
|
|
883 |
|
|
884 |
|
|
885 |
|
|
886 |
|
|
887 |
|
|
888 |
|
|
889 |
|
|
890 |
|
|
891 |
|
|
892 |
|
|
893 |
|
|
894 |
|
|
895 |
|
|
896 |
|
|
897 |
|
|
898 |
Linn [Page 16]
|
|
899 |
|
|
900 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
901 |
|
|
902 |
|
|
903 |
Encapsulated Message
|
|
904 |
|
|
905 |
Pre-Encapsulation Boundary (Pre-EB)
|
|
906 |
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
|
|
907 |
|
|
908 |
Encapsulated Header Portion
|
|
909 |
(Contains encryption control fields inserted in plaintext.
|
|
910 |
Examples include "DEK-Info:" and "Key-Info:".
|
|
911 |
Note that, although these control fields have line-oriented
|
|
912 |
representations similar to RFC 822 header fields, the set
|
|
913 |
of fields valid in this context is disjoint from those used
|
|
914 |
in RFC 822 processing.)
|
|
915 |
|
|
916 |
Blank Line
|
|
917 |
(Separates Encapsulated Header from subsequent
|
|
918 |
Encapsulated Text Portion)
|
|
919 |
|
|
920 |
Encapsulated Text Portion
|
|
921 |
(Contains message data encoded as specified in Section 4.3.)
|
|
922 |
|
|
923 |
Post-Encapsulation Boundary (Post-EB)
|
|
924 |
-----END PRIVACY-ENHANCED MESSAGE-----
|
|
925 |
|
|
926 |
|
|
927 |
Encapsulated Message Format
|
|
928 |
Figure 1
|
|
929 |
|
|
930 |
|
|
931 |
disclosing the actual subject of a message to unintended parties, it
|
|
932 |
is suggested that the enclosing MTS header contain a "Subject:" field
|
|
933 |
indicating that "Encrypted Mail Follows".
|
|
934 |
|
|
935 |
If an integrity-protected representation of information which occurs
|
|
936 |
within an enclosing header (not necessarily in the same format as
|
|
937 |
that in which it occurs within that header) is desired, that data can
|
|
938 |
be included within the encapsulated text portion in addition to its
|
|
939 |
inclusion in the enclosing MTS header. For example, an originator
|
|
940 |
wishing to provide recipients with a protected indication of a
|
|
941 |
message's position in a series of messages could include within the
|
|
942 |
encapsulated text a copy of a timestamp or message counter value
|
|
943 |
possessing end-to-end significance and extracted from an enclosing
|
|
944 |
MTS header field. (Note: mailbox specifiers as entered by end users
|
|
945 |
incorporate local conventions and are subject to modification at
|
|
946 |
intermediaries, so inclusion of such specifiers within encapsulated
|
|
947 |
text should not be regarded as a suitable alternative to the
|
|
948 |
authentication semantics defined in RFC 1422 and based on X.500
|
|
949 |
Distinguished Names.) The set of header information (if any) included
|
|
950 |
within the encapsulated text of messages is a local matter, and this
|
|
951 |
|
|
952 |
|
|
953 |
|
|
954 |
Linn [Page 17]
|
|
955 |
|
|
956 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
957 |
|
|
958 |
|
|
959 |
RFC does not specify formatting conventions to distinguish replicated
|
|
960 |
header fields from other encapsulated text.
|
|
961 |
|
|
962 |
4.5 Mail for Mailing Lists
|
|
963 |
|
|
964 |
When mail is addressed to mailing lists, two different methods of
|
|
965 |
processing can be applicable: the IK-per-list method and the IK-per-
|
|
966 |
recipient method. Hybrid approaches are also possible, as in the
|
|
967 |
case of IK-per-list protection of a message on its path from an
|
|
968 |
originator to a PEM-equipped mailing list exploder, followed by IK-
|
|
969 |
per-recipient protection from the exploder to individual list
|
|
970 |
recipients.
|
|
971 |
|
|
972 |
If a message's originator is equipped to expand a destination mailing
|
|
973 |
list into its individual constituents and elects to do so (IK-per-
|
|
974 |
recipient), the message's DEK (and, in the symmetric key management
|
|
975 |
case, MIC) will be encrypted under each per-recipient IK and all such
|
|
976 |
encrypted representations will be incorporated into the transmitted
|
|
977 |
message. Note that per-recipient encryption is required only for the
|
|
978 |
relatively small DEK and MIC quantities carried in the "Key-Info:"
|
|
979 |
field, not for the message text which is, in general, much larger.
|
|
980 |
Although more IKs are involved in processing under the IK-per-
|
|
981 |
recipient method, the pairwise IKs can be individually revoked and
|
|
982 |
possession of one IK does not enable a successful masquerade of
|
|
983 |
another user on the list.
|
|
984 |
|
|
985 |
If a message's originator addresses a message to a list name or
|
|
986 |
alias, use of an IK associated with that name or alias as a entity
|
|
987 |
(IK-per-list), rather than resolution of the name or alias to its
|
|
988 |
constituent destinations, is implied. Such an IK must, therefore, be
|
|
989 |
available to all list members. Unfortunately, it implies an
|
|
990 |
undesirable level of exposure for the shared IK, and makes its
|
|
991 |
revocation difficult. Moreover, use of the IK-per-list method allows
|
|
992 |
any holder of the list's IK to masquerade as another originator to
|
|
993 |
the list for authentication purposes.
|
|
994 |
|
|
995 |
Pure IK-per-list key management in the asymmetric case (with a common
|
|
996 |
private key shared among multiple list members) is particularly
|
|
997 |
disadvantageous in the asymmetric environment, as it fails to
|
|
998 |
preserve the forwardable authentication and non-repudiation
|
|
999 |
characteristics which are provided for other messages in this
|
|
1000 |
environment. Use of a hybrid approach with a PEM-capable exploder is
|
|
1001 |
therefore particularly recommended for protection of mailing list
|
|
1002 |
traffic when asymmetric key management is used; such an exploder
|
|
1003 |
would reduce (per discussion in Section 4.4 of this RFC) incoming
|
|
1004 |
ENCRYPTED messages to MIC-ONLY or MIC-CLEAR form before forwarding
|
|
1005 |
them (perhaps re-encrypted under individual, per-recipient keys) to
|
|
1006 |
list members.
|
|
1007 |
|
|
1008 |
|
|
1009 |
|
|
1010 |
Linn [Page 18]
|
|
1011 |
|
|
1012 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1013 |
|
|
1014 |
|
|
1015 |
4.6 Summary of Encapsulated Header Fields
|
|
1016 |
|
|
1017 |
This section defines the syntax and semantics of the encapsulated
|
|
1018 |
header fields to be added to messages in the course of privacy
|
|
1019 |
enhancement processing.
|
|
1020 |
|
|
1021 |
The fields are presented in three groups. Normally, the groups will
|
|
1022 |
appear in encapsulated headers in the order in which they are shown,
|
|
1023 |
though not all fields in each group will appear in all messages. The
|
|
1024 |
following figures show the appearance of small example encapsulated
|
|
1025 |
messages. Figure 2 assumes the use of symmetric cryptography for key
|
|
1026 |
management. Figure 3 illustrates an example encapsulated ENCRYPTED
|
|
1027 |
message in which asymmetric key management is used.
|
|
1028 |
|
|
1029 |
|
|
1030 |
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
|
|
1031 |
Proc-Type: 4,ENCRYPTED
|
|
1032 |
Content-Domain: RFC822
|
|
1033 |
DEK-Info: DES-CBC,F8143EDE5960C597
|
|
1034 |
Originator-ID-Symmetric: linn@zendia.enet.dec.com,,
|
|
1035 |
Recipient-ID-Symmetric: linn@zendia.enet.dec.com,ptf-kmc,3
|
|
1036 |
Key-Info: DES-ECB,RSA-MD2,9FD3AAD2F2691B9A,
|
|
1037 |
B70665BB9BF7CBCDA60195DB94F727D3
|
|
1038 |
Recipient-ID-Symmetric: pem-dev@tis.com,ptf-kmc,4
|
|
1039 |
Key-Info: DES-ECB,RSA-MD2,161A3F75DC82EF26,
|
|
1040 |
E2EF532C65CBCFF79F83A2658132DB47
|
|
1041 |
|
|
1042 |
LLrHB0eJzyhP+/fSStdW8okeEnv47jxe7SJ/iN72ohNcUk2jHEUSoH1nvNSIWL9M
|
|
1043 |
8tEjmF/zxB+bATMtPjCUWbz8Lr9wloXIkjHUlBLpvXR0UrUzYbkNpk0agV2IzUpk
|
|
1044 |
J6UiRRGcDSvzrsoK+oNvqu6z7Xs5Xfz5rDqUcMlK1Z6720dcBWGGsDLpTpSCnpot
|
|
1045 |
dXd/H5LMDWnonNvPCwQUHt==
|
|
1046 |
-----END PRIVACY-ENHANCED MESSAGE-----
|
|
1047 |
|
|
1048 |
Example Encapsulated Message (Symmetric Case)
|
|
1049 |
Figure 2
|
|
1050 |
|
|
1051 |
|
|
1052 |
Figure 4 illustrates an example encapsulated MIC-ONLY message in
|
|
1053 |
which asymmetric key management is used; since no per-recipient keys
|
|
1054 |
are involved in preparation of asymmetric-case MIC-ONLY messages,
|
|
1055 |
this example should be processable for test purposes by arbitrary PEM
|
|
1056 |
implementations.
|
|
1057 |
|
|
1058 |
Fully-qualified domain names (FQDNs) for hosts, appearing in the
|
|
1059 |
mailbox names found in entity identifier subfields of "Originator-
|
|
1060 |
ID-Symmetric:" and "Recipient-ID-Symmetric:" fields, are processed in
|
|
1061 |
a case-insensitive fashion. Unless specified to the contrary, other
|
|
1062 |
field arguments (including the user name components of mailbox names)
|
|
1063 |
|
|
1064 |
|
|
1065 |
|
|
1066 |
Linn [Page 19]
|
|
1067 |
|
|
1068 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1069 |
|
|
1070 |
|
|
1071 |
are to be processed in a case-sensitive fashion.
|
|
1072 |
|
|
1073 |
In most cases, numeric quantities are represented in header fields as
|
|
1074 |
contiguous strings of hexadecimal digits, where each digit is
|
|
1075 |
represented by a character from the ranges "0"-"9" or upper case
|
|
1076 |
"A"-"F". Since public-key certificates and quantities encrypted
|
|
1077 |
|
|
1078 |
|
|
1079 |
|
|
1080 |
|
|
1081 |
|
|
1082 |
|
|
1083 |
|
|
1084 |
|
|
1085 |
|
|
1086 |
|
|
1087 |
|
|
1088 |
|
|
1089 |
|
|
1090 |
|
|
1091 |
|
|
1092 |
|
|
1093 |
|
|
1094 |
|
|
1095 |
|
|
1096 |
|
|
1097 |
|
|
1098 |
|
|
1099 |
|
|
1100 |
|
|
1101 |
|
|
1102 |
|
|
1103 |
|
|
1104 |
|
|
1105 |
|
|
1106 |
|
|
1107 |
|
|
1108 |
|
|
1109 |
|
|
1110 |
|
|
1111 |
|
|
1112 |
|
|
1113 |
|
|
1114 |
|
|
1115 |
|
|
1116 |
|
|
1117 |
|
|
1118 |
|
|
1119 |
|
|
1120 |
|
|
1121 |
|
|
1122 |
Linn [Page 20]
|
|
1123 |
|
|
1124 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1125 |
|
|
1126 |
|
|
1127 |
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
|
|
1128 |
Proc-Type: 4,ENCRYPTED
|
|
1129 |
Content-Domain: RFC822
|
|
1130 |
DEK-Info: DES-CBC,BFF968AA74691AC1
|
|
1131 |
Originator-Certificate:
|
|
1132 |
MIIBlTCCAScCAWUwDQYJKoZIhvcNAQECBQAwUTELMAkGA1UEBhMCVVMxIDAeBgNV
|
|
1133 |
BAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMQ8wDQYDVQQLEwZCZXRhIDExDzAN
|
|
1134 |
BgNVBAsTBk5PVEFSWTAeFw05MTA5MDQxODM4MTdaFw05MzA5MDMxODM4MTZaMEUx
|
|
1135 |
CzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEU
|
|
1136 |
MBIGA1UEAxMLVGVzdCBVc2VyIDEwWTAKBgRVCAEBAgICAANLADBIAkEAwHZHl7i+
|
|
1137 |
yJcqDtjJCowzTdBJrdAiLAnSC+CnnjOJELyuQiBgkGrgIh3j8/x0fM+YrsyF1u3F
|
|
1138 |
LZPVtzlndhYFJQIDAQABMA0GCSqGSIb3DQEBAgUAA1kACKr0PqphJYw1j+YPtcIq
|
|
1139 |
iWlFPuN5jJ79Khfg7ASFxskYkEMjRNZV/HZDZQEhtVaU7Jxfzs2wfX5byMp2X3U/
|
|
1140 |
5XUXGx7qusDgHQGs7Jk9W8CW1fuSWUgN4w==
|
|
1141 |
Key-Info: RSA,
|
|
1142 |
I3rRIGXUGWAF8js5wCzRTkdhO34PTHdRZY9Tuvm03M+NM7fx6qc5udixps2Lng0+
|
|
1143 |
wGrtiUm/ovtKdinz6ZQ/aQ==
|
|
1144 |
Issuer-Certificate:
|
|
1145 |
MIIB3DCCAUgCAQowDQYJKoZIhvcNAQECBQAwTzELMAkGA1UEBhMCVVMxIDAeBgNV
|
|
1146 |
BAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMQ8wDQYDVQQLEwZCZXRhIDExDTAL
|
|
1147 |
BgNVBAsTBFRMQ0EwHhcNOTEwOTAxMDgwMDAwWhcNOTIwOTAxMDc1OTU5WjBRMQsw
|
|
1148 |
CQYDVQQGEwJVUzEgMB4GA1UEChMXUlNBIERhdGEgU2VjdXJpdHksIEluYy4xDzAN
|
|
1149 |
BgNVBAsTBkJldGEgMTEPMA0GA1UECxMGTk9UQVJZMHAwCgYEVQgBAQICArwDYgAw
|
|
1150 |
XwJYCsnp6lQCxYykNlODwutF/jMJ3kL+3PjYyHOwk+/9rLg6X65B/LD4bJHtO5XW
|
|
1151 |
cqAz/7R7XhjYCm0PcqbdzoACZtIlETrKrcJiDYoP+DkZ8k1gCk7hQHpbIwIDAQAB
|
|
1152 |
MA0GCSqGSIb3DQEBAgUAA38AAICPv4f9Gx/tY4+p+4DB7MV+tKZnvBoy8zgoMGOx
|
|
1153 |
dD2jMZ/3HsyWKWgSF0eH/AJB3qr9zosG47pyMnTf3aSy2nBO7CMxpUWRBcXUpE+x
|
|
1154 |
EREZd9++32ofGBIXaialnOgVUn0OzSYgugiQ077nJLDUj0hQehCizEs5wUJ35a5h
|
|
1155 |
MIC-Info: RSA-MD5,RSA,
|
|
1156 |
UdFJR8u/TIGhfH65ieewe2lOW4tooa3vZCvVNGBZirf/7nrgzWDABz8w9NsXSexv
|
|
1157 |
AjRFbHoNPzBuxwmOAFeA0HJszL4yBvhG
|
|
1158 |
Recipient-ID-Asymmetric:
|
|
1159 |
MFExCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5j
|
|
1160 |
LjEPMA0GA1UECxMGQmV0YSAxMQ8wDQYDVQQLEwZOT1RBUlk=,
|
|
1161 |
66
|
|
1162 |
Key-Info: RSA,
|
|
1163 |
O6BS1ww9CTyHPtS3bMLD+L0hejdvX6Qv1HK2ds2sQPEaXhX8EhvVphHYTjwekdWv
|
|
1164 |
7x0Z3Jx2vTAhOYHMcqqCjA==
|
|
1165 |
|
|
1166 |
qeWlj/YJ2Uf5ng9yznPbtD0mYloSwIuV9FRYx+gzY+8iXd/NQrXHfi6/MhPfPF3d
|
|
1167 |
jIqCJAxvld2xgqQimUzoS1a4r7kQQ5c/Iua4LqKeq3ciFzEv/MbZhA==
|
|
1168 |
-----END PRIVACY-ENHANCED MESSAGE-----
|
|
1169 |
|
|
1170 |
Example Encapsulated ENCRYPTED Message (Asymmetric Case)
|
|
1171 |
Figure 3
|
|
1172 |
|
|
1173 |
|
|
1174 |
|
|
1175 |
|
|
1176 |
|
|
1177 |
|
|
1178 |
Linn [Page 21]
|
|
1179 |
|
|
1180 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1181 |
|
|
1182 |
|
|
1183 |
using asymmetric algorithms are large in size, use of a more space-
|
|
1184 |
efficient encoding technique is appropriate for such quantities, and
|
|
1185 |
the encoding mechanism defined in Section 4.3.2.4 of this RFC,
|
|
1186 |
representing 6 bits per printed character, is adopted for this
|
|
1187 |
purpose.
|
|
1188 |
|
|
1189 |
Encapsulated headers of PEM messages are folded using whitespace per
|
|
1190 |
RFC 822 header folding conventions; no PEM-specific conventions are
|
|
1191 |
defined for encapsulated header folding. The example shown in Figure
|
|
1192 |
4 shows (in its "MIC-Info:" field) an asymmetrically encrypted
|
|
1193 |
quantity in its printably encoded representation, illustrating the
|
|
1194 |
use of RFC 822 folding.
|
|
1195 |
|
|
1196 |
In contrast to the encapsulated header representations defined in RFC
|
|
1197 |
1113 and its precursors, the field identifiers adopted in this RFC do
|
|
1198 |
not begin with the prefix "X-" (for example, the field previously
|
|
1199 |
denoted "X-Key-Info:" is now denoted "Key-Info:") and such prefixes
|
|
1200 |
are not to be emitted by implementations conformant to this RFC. To
|
|
1201 |
simplify transition and interoperability with earlier
|
|
1202 |
implementations, it is suggested that implementations based on this
|
|
1203 |
RFC accept incoming encapsulated header fields carrying the "X-"
|
|
1204 |
prefix and act on such fields as if the "X-" were not present.
|
|
1205 |
|
|
1206 |
|
|
1207 |
|
|
1208 |
|
|
1209 |
|
|
1210 |
|
|
1211 |
|
|
1212 |
|
|
1213 |
|
|
1214 |
|
|
1215 |
|
|
1216 |
|
|
1217 |
|
|
1218 |
|
|
1219 |
|
|
1220 |
|
|
1221 |
|
|
1222 |
|
|
1223 |
|
|
1224 |
|
|
1225 |
|
|
1226 |
|
|
1227 |
|
|
1228 |
|
|
1229 |
|
|
1230 |
|
|
1231 |
|
|
1232 |
|
|
1233 |
|
|
1234 |
Linn [Page 22]
|
|
1235 |
|
|
1236 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1237 |
|
|
1238 |
|
|
1239 |
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
|
|
1240 |
Proc-Type: 4,MIC-ONLY
|
|
1241 |
Content-Domain: RFC822
|
|
1242 |
Originator-Certificate:
|
|
1243 |
MIIBlTCCAScCAWUwDQYJKoZIhvcNAQECBQAwUTELMAkGA1UEBhMCVVMxIDAeBgNV
|
|
1244 |
BAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMQ8wDQYDVQQLEwZCZXRhIDExDzAN
|
|
1245 |
BgNVBAsTBk5PVEFSWTAeFw05MTA5MDQxODM4MTdaFw05MzA5MDMxODM4MTZaMEUx
|
|
1246 |
CzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEU
|
|
1247 |
MBIGA1UEAxMLVGVzdCBVc2VyIDEwWTAKBgRVCAEBAgICAANLADBIAkEAwHZHl7i+
|
|
1248 |
yJcqDtjJCowzTdBJrdAiLAnSC+CnnjOJELyuQiBgkGrgIh3j8/x0fM+YrsyF1u3F
|
|
1249 |
LZPVtzlndhYFJQIDAQABMA0GCSqGSIb3DQEBAgUAA1kACKr0PqphJYw1j+YPtcIq
|
|
1250 |
iWlFPuN5jJ79Khfg7ASFxskYkEMjRNZV/HZDZQEhtVaU7Jxfzs2wfX5byMp2X3U/
|
|
1251 |
5XUXGx7qusDgHQGs7Jk9W8CW1fuSWUgN4w==
|
|
1252 |
Issuer-Certificate:
|
|
1253 |
MIIB3DCCAUgCAQowDQYJKoZIhvcNAQECBQAwTzELMAkGA1UEBhMCVVMxIDAeBgNV
|
|
1254 |
BAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMQ8wDQYDVQQLEwZCZXRhIDExDTAL
|
|
1255 |
BgNVBAsTBFRMQ0EwHhcNOTEwOTAxMDgwMDAwWhcNOTIwOTAxMDc1OTU5WjBRMQsw
|
|
1256 |
CQYDVQQGEwJVUzEgMB4GA1UEChMXUlNBIERhdGEgU2VjdXJpdHksIEluYy4xDzAN
|
|
1257 |
BgNVBAsTBkJldGEgMTEPMA0GA1UECxMGTk9UQVJZMHAwCgYEVQgBAQICArwDYgAw
|
|
1258 |
XwJYCsnp6lQCxYykNlODwutF/jMJ3kL+3PjYyHOwk+/9rLg6X65B/LD4bJHtO5XW
|
|
1259 |
cqAz/7R7XhjYCm0PcqbdzoACZtIlETrKrcJiDYoP+DkZ8k1gCk7hQHpbIwIDAQAB
|
|
1260 |
MA0GCSqGSIb3DQEBAgUAA38AAICPv4f9Gx/tY4+p+4DB7MV+tKZnvBoy8zgoMGOx
|
|
1261 |
dD2jMZ/3HsyWKWgSF0eH/AJB3qr9zosG47pyMnTf3aSy2nBO7CMxpUWRBcXUpE+x
|
|
1262 |
EREZd9++32ofGBIXaialnOgVUn0OzSYgugiQ077nJLDUj0hQehCizEs5wUJ35a5h
|
|
1263 |
MIC-Info: RSA-MD5,RSA,
|
|
1264 |
jV2OfH+nnXHU8bnL8kPAad/mSQlTDZlbVuxvZAOVRZ5q5+Ejl5bQvqNeqOUNQjr6
|
|
1265 |
EtE7K2QDeVMCyXsdJlA8fA==
|
|
1266 |
|
|
1267 |
LSBBIG1lc3NhZ2UgZm9yIHVzZSBpbiB0ZXN0aW5nLg0KLSBGb2xsb3dpbmcgaXMg
|
|
1268 |
YSBibGFuayBsaW5lOg0KDQpUaGlzIGlzIHRoZSBlbmQuDQo=
|
|
1269 |
-----END PRIVACY-ENHANCED MESSAGE-----
|
|
1270 |
|
|
1271 |
Example Encapsulated MIC-ONLY Message (Asymmetric Case)
|
|
1272 |
Figure 4
|
|
1273 |
|
|
1274 |
|
|
1275 |
4.6.1 Per-Message Encapsulated Header Fields
|
|
1276 |
|
|
1277 |
This group of encapsulated header fields contains fields which occur
|
|
1278 |
no more than once in a PEM message, generally preceding all other
|
|
1279 |
encapsulated header fields.
|
|
1280 |
|
|
1281 |
4.6.1.1 Proc-Type Field
|
|
1282 |
|
|
1283 |
The "Proc-Type:" encapsulated header field, required for all PEM
|
|
1284 |
messages, identifies the type of processing performed on the
|
|
1285 |
transmitted message. Only one "Proc-Type:" field occurs in a
|
|
1286 |
message; the "Proc-Type:" field must be the first encapsulated header
|
|
1287 |
|
|
1288 |
|
|
1289 |
|
|
1290 |
Linn [Page 23]
|
|
1291 |
|
|
1292 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1293 |
|
|
1294 |
|
|
1295 |
field in the message.
|
|
1296 |
|
|
1297 |
The "Proc-Type:" field has two subfields, separated by a comma. The
|
|
1298 |
first subfield is a decimal number which is used to distinguish among
|
|
1299 |
incompatible encapsulated header field interpretations which may
|
|
1300 |
arise as changes are made to this standard. Messages processed
|
|
1301 |
according to this RFC will carry the subfield value "4" to
|
|
1302 |
distinguish them from messages processed in accordance with prior PEM
|
|
1303 |
RFCs. The second subfield assumes one of a set of string values,
|
|
1304 |
defined in the following subsections.
|
|
1305 |
|
|
1306 |
4.6.1.1.1 ENCRYPTED
|
|
1307 |
|
|
1308 |
The "ENCRYPTED" specifier signifies that confidentiality,
|
|
1309 |
authentication, integrity, and (given use of asymmetric key
|
|
1310 |
management) non-repudiation of origin security services have been
|
|
1311 |
applied to a PEM message's encapsulated text. ENCRYPTED messages
|
|
1312 |
require a "DEK-Info:" field and individual Recipient-ID and "Key-
|
|
1313 |
Info:" fields for all message recipients.
|
|
1314 |
|
|
1315 |
4.6.1.1.2 MIC-ONLY
|
|
1316 |
|
|
1317 |
The "MIC-ONLY" specifier signifies that all of the security services
|
|
1318 |
specified for ENCRYPTED messages, with the exception of
|
|
1319 |
confidentiality, have been applied to a PEM message's encapsulated
|
|
1320 |
text. MIC-ONLY messages are encoded (per Section 4.3.2.4 of this RFC)
|
|
1321 |
to protect their encapsulated text against modifications at message
|
|
1322 |
transfer or relay points.
|
|
1323 |
|
|
1324 |
Specification of MIC-ONLY, when applied in conjunction with certain
|
|
1325 |
combinations of key management and MIC algorithm options, permits
|
|
1326 |
certain fields which are superfluous in the absence of encryption to
|
|
1327 |
be omitted from the encapsulated header. In particular, when a
|
|
1328 |
keyless MIC computation is employed for recipients for whom
|
|
1329 |
asymmetric cryptography is used, "Recipient-ID-Asymmetric:" and
|
|
1330 |
"Key-Info:" fields can be omitted. The "DEK-Info:" field can be
|
|
1331 |
omitted for all "MIC-ONLY" messages.
|
|
1332 |
|
|
1333 |
4.6.1.1.3 MIC-CLEAR
|
|
1334 |
|
|
1335 |
The "MIC-CLEAR" specifier represents a PEM message with the same
|
|
1336 |
security service selection as for a MIC-ONLY message. The set of
|
|
1337 |
encapsulated header fields required in a MIC-CLEAR message is the
|
|
1338 |
same as that required for a MIC-ONLY message.
|
|
1339 |
|
|
1340 |
MIC-CLEAR message processing omits the encoding step defined in
|
|
1341 |
Section 4.3.2.4 of this RFC to protect a message's encapsulated text
|
|
1342 |
against modifications within the MTS. As a result, a MIC-CLEAR
|
|
1343 |
|
|
1344 |
|
|
1345 |
|
|
1346 |
Linn [Page 24]
|
|
1347 |
|
|
1348 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1349 |
|
|
1350 |
|
|
1351 |
message's text can be read by recipients lacking access to PEM
|
|
1352 |
software, even though such recipients cannot validate the message's
|
|
1353 |
signature. The canonical encoding discussed in Section 4.3.2.2 is
|
|
1354 |
performed, so interoperation among sites with different native
|
|
1355 |
character sets and line representations is not precluded so long as
|
|
1356 |
those native formats are unambiguously translatable to and from the
|
|
1357 |
canonical form. (Such interoperability is feasible only for those
|
|
1358 |
characters which are included in the canonical representation set.)
|
|
1359 |
|
|
1360 |
Omission of the printable encoding step implies that MIC-CLEAR
|
|
1361 |
message MICs will be validatable only in environments where the MTS
|
|
1362 |
does not modify messages in transit, or where the modifications
|
|
1363 |
performed can be determined and inverted before MIC validation
|
|
1364 |
processing. Failed MIC validation on a MIC-CLEAR message does not,
|
|
1365 |
therefore, necessarily signify a security-relevant event; as a
|
|
1366 |
result, it is recommended that PEM implementations reflect to their
|
|
1367 |
users (in a suitable local fashion) the type of PEM message being
|
|
1368 |
processed when reporting a MIC validation failure.
|
|
1369 |
|
|
1370 |
A case of particular relevance arises for inbound SMTP processing on
|
|
1371 |
systems which delimit text lines with local native representations
|
|
1372 |
other than the SMTP-conventional <CR><LF>. When mail is delivered to
|
|
1373 |
a UA on such a system and presented for PEM processing, the <CR><LF>
|
|
1374 |
has already been translated to local form. In order to validate a
|
|
1375 |
MIC-CLEAR message's MIC in this situation, the PEM module must
|
|
1376 |
recanonicalize the incoming message in order to determine the inter-
|
|
1377 |
SMTP representation of the canonically encoded message (as defined in
|
|
1378 |
Section 4.3.2.2 of this RFC), and must compute the reference MIC
|
|
1379 |
based on that representation.
|
|
1380 |
|
|
1381 |
4.6.1.1.4 CRL
|
|
1382 |
|
|
1383 |
The "CRL" specifier indicates a special PEM message type, used to
|
|
1384 |
transfer one or more Certificate Revocation Lists. The format of PEM
|
|
1385 |
CRLs is defined in RFC 1422. No user data or encapsulated text
|
|
1386 |
accompanies an encapsulated header specifying the CRL message type; a
|
|
1387 |
correctly-formed CRL message's PEM header is immediately followed by
|
|
1388 |
its terminating message boundary line, with no blank line
|
|
1389 |
intervening.
|
|
1390 |
|
|
1391 |
Only three types of fields are valid in the encapsulated header
|
|
1392 |
comprising a CRL message. The "CRL:" field carries a printable
|
|
1393 |
representation of a CRL, encoded using the procedures defined in
|
|
1394 |
Section 4.3.2.4 of this RFC. "CRL:" fields may (as an option) be
|
|
1395 |
followed by no more than one "Originator-Certificate:" field and any
|
|
1396 |
number of "Issuer-Certificate:" fields. The "Originator-Certificate:"
|
|
1397 |
and "Issuer-Certificate:" fields refer to the most recently previous
|
|
1398 |
"CRL:" field, and provide certificates useful in validating the
|
|
1399 |
|
|
1400 |
|
|
1401 |
|
|
1402 |
Linn [Page 25]
|
|
1403 |
|
|
1404 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1405 |
|
|
1406 |
|
|
1407 |
signature included in the CRL. "Originator-Certificate:" and
|
|
1408 |
"Issuer-Certificate:" fields' contents are the same for CRL messages
|
|
1409 |
as they are for other PEM message types.
|
|
1410 |
|
|
1411 |
4.6.1.2 Content-Domain Field
|
|
1412 |
|
|
1413 |
The "Content-Domain:" encapsulated header field describes the type of
|
|
1414 |
content which is represented within a PEM message's encapsulated
|
|
1415 |
text. It carries one string argument, whose value is defined as
|
|
1416 |
"RFC822" to indicate processing of RFC-822 mail as defined in this
|
|
1417 |
specification. It is anticipated that additional "Content-Domain:"
|
|
1418 |
values will be defined subsequently, in additional or successor
|
|
1419 |
documents to this specification. Only one "Content-Domain:" field
|
|
1420 |
occurs in a PEM message; this field is the PEM message's second
|
|
1421 |
encapsulated header field, immediately following the "Proc-Type:"
|
|
1422 |
field.
|
|
1423 |
|
|
1424 |
4.6.1.3 DEK-Info Field
|
|
1425 |
|
|
1426 |
The "DEK-Info:" encapsulated header field identifies the message text
|
|
1427 |
encryption algorithm and mode, and also carries any cryptographic
|
|
1428 |
parameters (e.g., IVs) used for message encryption. No more than one
|
|
1429 |
"DEK-Info:" field occurs in a message; the field is required for all
|
|
1430 |
messages specified as "ENCRYPTED" in the "Proc-Type:" field.
|
|
1431 |
|
|
1432 |
The "DEK-Info:" field carries either one argument or two arguments
|
|
1433 |
separated by a comma. The first argument identifies the algorithm
|
|
1434 |
and mode used for message text encryption. The second argument, if
|
|
1435 |
present, carries any cryptographic parameters required by the
|
|
1436 |
algorithm and mode identified in the first argument. Appropriate
|
|
1437 |
message encryption algorithms, modes and identifiers and
|
|
1438 |
corresponding cryptographic parameters and formats are defined in RFC
|
|
1439 |
1423.
|
|
1440 |
|
|
1441 |
4.6.2 Encapsulated Header Fields Normally Per-Message
|
|
1442 |
|
|
1443 |
This group of encapsulated header fields contains fields which
|
|
1444 |
ordinarily occur no more than once per message. Depending on the key
|
|
1445 |
management option(s) employed, some of these fields may be absent
|
|
1446 |
from some messages.
|
|
1447 |
|
|
1448 |
4.6.2.1 Originator-ID Fields
|
|
1449 |
|
|
1450 |
Originator-ID encapsulated header fields identify a message's
|
|
1451 |
originator and provide the originator's IK identification component.
|
|
1452 |
Two varieties of Originator-ID fields are defined, the "Originator-
|
|
1453 |
ID-Asymmetric:" and "Originator-ID-Symmetric:" field. An
|
|
1454 |
"Originator-ID-Symmetric:" header field is required for all PEM
|
|
1455 |
|
|
1456 |
|
|
1457 |
|
|
1458 |
Linn [Page 26]
|
|
1459 |
|
|
1460 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1461 |
|
|
1462 |
|
|
1463 |
messages employing symmetric key management. The analogous
|
|
1464 |
"Originator-ID-Asymmetric:" field, for the asymmetric key management
|
|
1465 |
case, is used only when no corresponding "Originator-Certificate:"
|
|
1466 |
field is included.
|
|
1467 |
|
|
1468 |
Most commonly, only one Originator-ID or "Originator-Certificate:"
|
|
1469 |
field will occur within a message. For the symmetric case, the IK
|
|
1470 |
identification component carried in an "Originator-ID-Symmetric:"
|
|
1471 |
field applies to processing of all subsequent "Recipient-ID-
|
|
1472 |
Symmetric:" fields until another "Originator-ID-Symmetric:" field
|
|
1473 |
occurs. It is illegal for a "Recipient-ID-Symmetric:" field to occur
|
|
1474 |
before a corresponding "Originator-ID-Symmetric:" field has been
|
|
1475 |
provided. For the asymmetric case, processing of "Recipient-ID-
|
|
1476 |
Asymmetric:" fields is logically independent of preceding
|
|
1477 |
"Originator-ID-Asymmetric:" and "Originator-Certificate:" fields.
|
|
1478 |
|
|
1479 |
Multiple Originator-ID and/or "Originator-Certificate:" fields may
|
|
1480 |
occur in a message when different originator-oriented IK components
|
|
1481 |
must be used by a message's originator in order to prepare a message
|
|
1482 |
so as to be suitable for processing by different recipients. In
|
|
1483 |
particular, multiple such fields will occur when both symmetric and
|
|
1484 |
asymmetric cryptography are applied to a single message in order to
|
|
1485 |
process the message for different recipients.
|
|
1486 |
|
|
1487 |
Originator-ID subfields are delimited by the comma character (","),
|
|
1488 |
optionally followed by whitespace. Section 5.2, Interchange Keys,
|
|
1489 |
discusses the semantics of these subfields and specifies the alphabet
|
|
1490 |
from which they are chosen.
|
|
1491 |
|
|
1492 |
4.6.2.1.1 Originator-ID-Asymmetric Field
|
|
1493 |
|
|
1494 |
The "Originator-ID-Asymmetric:" field contains an Issuing Authority
|
|
1495 |
subfield, and then a Version/Expiration subfield. This field is used
|
|
1496 |
only when the information it carries is not available from an
|
|
1497 |
included "Originator-Certificate:" field.
|
|
1498 |
|
|
1499 |
4.6.2.1.2 Originator-ID-Symmetric Field
|
|
1500 |
|
|
1501 |
The "Originator-ID-Symmetric:" field contains an Entity Identifier
|
|
1502 |
subfield, followed by an (optional) Issuing Authority subfield, and
|
|
1503 |
then an (optional) Version/Expiration subfield. Optional
|
|
1504 |
"Originator-ID-Symmetric:" subfields may be omitted only if rendered
|
|
1505 |
redundant by information carried in subsequent "Recipient-ID-
|
|
1506 |
Symmetric:" fields, and will normally be omitted in such cases.
|
|
1507 |
|
|
1508 |
|
|
1509 |
|
|
1510 |
|
|
1511 |
|
|
1512 |
|
|
1513 |
|
|
1514 |
Linn [Page 27]
|
|
1515 |
|
|
1516 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1517 |
|
|
1518 |
|
|
1519 |
4.6.2.2 Originator-Certificate Field
|
|
1520 |
|
|
1521 |
The "Originator-Certificate:" encapsulated header field is used only
|
|
1522 |
when asymmetric key management is employed for one or more of a
|
|
1523 |
message's recipients. To facilitate processing by recipients (at
|
|
1524 |
least in advance of general directory server availability), inclusion
|
|
1525 |
of this field in all messages is strongly recommended. The field
|
|
1526 |
transfers an originator's certificate as a numeric quantity,
|
|
1527 |
comprised of the certificate's DER encoding, represented in the
|
|
1528 |
header field with the encoding mechanism defined in Section 4.3.2.4
|
|
1529 |
of this RFC. The semantics of a certificate are discussed in RFC
|
|
1530 |
1422.
|
|
1531 |
|
|
1532 |
4.6.2.3 MIC-Info Field
|
|
1533 |
|
|
1534 |
The "MIC-Info:" encapsulated header field, used only when asymmetric
|
|
1535 |
key management is employed for at least one recipient of a message,
|
|
1536 |
carries three arguments, separated by commas. The first argument
|
|
1537 |
identifies the algorithm under which the accompanying MIC is
|
|
1538 |
computed. The second argument identifies the algorithm under which
|
|
1539 |
the accompanying MIC is signed. The third argument represents a MIC
|
|
1540 |
signed with an originator's private key.
|
|
1541 |
|
|
1542 |
For the case of ENCRYPTED PEM messages, the signed MIC is, in turn,
|
|
1543 |
symmetrically encrypted using the same DEK, algorithm, mode and
|
|
1544 |
cryptographic parameters as are used to encrypt the message's
|
|
1545 |
encapsulated text. This measure prevents unauthorized recipients
|
|
1546 |
from determining whether an intercepted message corresponds to a
|
|
1547 |
predetermined plaintext value.
|
|
1548 |
|
|
1549 |
Appropriate MIC algorithms and identifiers, signature algorithms and
|
|
1550 |
identifiers, and signed MIC formats are defined in RFC 1423.
|
|
1551 |
|
|
1552 |
A "MIC-Info:" field will occur after a sequence of fields beginning
|
|
1553 |
with a "Originator-ID-Asymmetric:" or "Originator-Certificate:" field
|
|
1554 |
and followed by any associated "Issuer-Certificate:" fields. A
|
|
1555 |
"MIC-Info:" field applies to all subsequent recipients for whom
|
|
1556 |
asymmetric key management is used, until and unless overridden by a
|
|
1557 |
subsequent "Originator-ID-Asymmetric:" or "Originator-Certificate:"
|
|
1558 |
and corresponding "MIC-Info:".
|
|
1559 |
|
|
1560 |
4.6.3 Encapsulated Header Fields with Variable Occurrences
|
|
1561 |
|
|
1562 |
This group of encapsulated header fields contains fields which will
|
|
1563 |
normally occur variable numbers of times within a message, with
|
|
1564 |
numbers of occurrences ranging from zero to non-zero values which are
|
|
1565 |
independent of the number of recipients.
|
|
1566 |
|
|
1567 |
|
|
1568 |
|
|
1569 |
|
|
1570 |
Linn [Page 28]
|
|
1571 |
|
|
1572 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1573 |
|
|
1574 |
|
|
1575 |
4.6.3.1 Issuer-Certificate Field
|
|
1576 |
|
|
1577 |
The "Issuer-Certificate:" encapsulated header field is meaningful
|
|
1578 |
only when asymmetric key management is used for at least one of a
|
|
1579 |
message's recipients. A typical "Issuer-Certificate:" field would
|
|
1580 |
contain the certificate containing the public component used to sign
|
|
1581 |
the certificate carried in the message's "Originator-Certificate:"
|
|
1582 |
field, for recipients' use in chaining through that certificate's
|
|
1583 |
certification path. Other "Issuer-Certificate:" fields, typically
|
|
1584 |
representing higher points in a certification path, also may be
|
|
1585 |
included by an originator. It is recommended that the "Issuer-
|
|
1586 |
Certificate:" fields be included in an order corresponding to
|
|
1587 |
successive points in a certification path leading from the originator
|
|
1588 |
to a common point shared with the message's recipients (i.e., the
|
|
1589 |
Internet Certification Authority (ICA), unless a lower Policy
|
|
1590 |
Certification Authority (PCA) or CA is common to all recipients.)
|
|
1591 |
More information on certification paths can be found in RFC 1422.
|
|
1592 |
|
|
1593 |
The certificate is represented in the same manner as defined for the
|
|
1594 |
"Originator-Certificate:" field (transporting an encoded
|
|
1595 |
representation of the certificate in X.509 [7] DER form), and any
|
|
1596 |
"Issuer-Certificate:" fields will ordinarily follow the "Originator-
|
|
1597 |
Certificate:" field directly. Use of the "Issuer-Certificate:" field
|
|
1598 |
is optional even when asymmetric key management is employed, although
|
|
1599 |
its incorporation is strongly recommended in the absence of alternate
|
|
1600 |
directory server facilities from which recipients can access issuers'
|
|
1601 |
certificates.
|
|
1602 |
|
|
1603 |
4.6.4 Per-Recipient Encapsulated Header Fields
|
|
1604 |
|
|
1605 |
The encapsulated header fields in this group appear for each of an
|
|
1606 |
"ENCRYPTED" message's named recipients. For "MIC-ONLY" and "MIC-
|
|
1607 |
CLEAR" messages, these fields are omitted for recipients for whom
|
|
1608 |
asymmetric key management is employed in conjunction with a keyless
|
|
1609 |
MIC algorithm but the fields appear for recipients for whom symmetric
|
|
1610 |
key management or a keyed MIC algorithm is employed.
|
|
1611 |
|
|
1612 |
4.6.4.1 Recipient-ID Fields
|
|
1613 |
|
|
1614 |
A Recipient-ID encapsulated header field identifies a recipient and
|
|
1615 |
provides the recipient's IK identification component. One
|
|
1616 |
Recipient-ID field is included for each of a message's named
|
|
1617 |
recipients. Section 5.2, Interchange Keys, discusses the semantics of
|
|
1618 |
the subfields and specifies the alphabet from which they are chosen.
|
|
1619 |
Recipient-ID subfields are delimited by the comma character (","),
|
|
1620 |
optionally followed by whitespace.
|
|
1621 |
|
|
1622 |
|
|
1623 |
|
|
1624 |
|
|
1625 |
|
|
1626 |
Linn [Page 29]
|
|
1627 |
|
|
1628 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1629 |
|
|
1630 |
|
|
1631 |
For the symmetric case, all "Recipient-ID-Symmetric:" fields are
|
|
1632 |
interpreted in the context of the most recent preceding "Originator-
|
|
1633 |
ID-Symmetric:" field. It is illegal for a "Recipient-ID-Symmetric:"
|
|
1634 |
field to occur in a header before the occurrence of a corresponding
|
|
1635 |
"Originator-ID-Symmetric:" field. For the asymmetric case,
|
|
1636 |
"Recipient-ID-Asymmetric:" fields are logically independent of a
|
|
1637 |
message's "Originator-ID-Asymmetric:" and "Originator-Certificate:"
|
|
1638 |
fields. "Recipient-ID-Asymmetric:" fields, and their associated
|
|
1639 |
"Key-Info:" fields, are included following a header's originator-
|
|
1640 |
oriented fields.
|
|
1641 |
|
|
1642 |
4.6.4.1.1 Recipient-ID-Asymmetric Field
|
|
1643 |
|
|
1644 |
The "Recipient-ID-Asymmetric:" field contains, in order, an Issuing
|
|
1645 |
Authority subfield and a Version/Expiration subfield.
|
|
1646 |
|
|
1647 |
4.6.4.1.2 Recipient-ID-Symmetric Field
|
|
1648 |
|
|
1649 |
The "Recipient-ID-Symmetric:" field contains, in order, an Entity
|
|
1650 |
Identifier subfield, an (optional) Issuing Authority subfield, and an
|
|
1651 |
(optional) Version/Expiration subfield.
|
|
1652 |
|
|
1653 |
4.6.4.2 Key-Info Field
|
|
1654 |
|
|
1655 |
One "Key-Info:" field is included for each of a message's named
|
|
1656 |
recipients. In addition, it is recommended that PEM implementations
|
|
1657 |
support (as a locally-selectable option) the ability to include a
|
|
1658 |
"Key-Info:" field corresponding to a PEM message's originator,
|
|
1659 |
following an Originator-ID or "Originator-Certificate:" field and
|
|
1660 |
before any associated Recipient-ID fields, but inclusion of such a
|
|
1661 |
field is not a requirement for conformance with this RFC.
|
|
1662 |
|
|
1663 |
Each "Key-Info:" field is interpreted in the context of the most
|
|
1664 |
recent preceding Originator-ID, "Originator-Certificate:", or
|
|
1665 |
Recipient-ID field; normally, a "Key-Info:" field will immediately
|
|
1666 |
follow its associated predecessor field. The "Key-Info:" field's
|
|
1667 |
argument(s) differ depending on whether symmetric or asymmetric key
|
|
1668 |
management is used for a particular recipient.
|
|
1669 |
|
|
1670 |
4.6.4.2.1 Symmetric Key Management
|
|
1671 |
|
|
1672 |
When symmetric key management is employed for a given recipient, the
|
|
1673 |
"Key-Info:" encapsulated header field transfers four items, separated
|
|
1674 |
by commas: an IK Use Indicator, a MIC Algorithm Indicator, a DEK and
|
|
1675 |
a MIC. The IK Use Indicator identifies the algorithm and mode in
|
|
1676 |
which the identified IK was used for DEK and MIC encryption for a
|
|
1677 |
particular recipient. The MIC Algorithm Indicator identifies the MIC
|
|
1678 |
computation algorithm used for a particular recipient. The DEK and
|
|
1679 |
|
|
1680 |
|
|
1681 |
|
|
1682 |
Linn [Page 30]
|
|
1683 |
|
|
1684 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1685 |
|
|
1686 |
|
|
1687 |
MIC are symmetrically encrypted under the IK identified by a
|
|
1688 |
preceding "Recipient-ID-Symmetric:" field and/or prior "Originator-
|
|
1689 |
ID-Symmetric:" field.
|
|
1690 |
|
|
1691 |
Appropriate symmetric encryption algorithms, modes and identifiers,
|
|
1692 |
MIC computation algorithms and identifiers, and encrypted DEK and MIC
|
|
1693 |
formats are defined in RFC 1423.
|
|
1694 |
|
|
1695 |
4.6.4.2.2 Asymmetric Key Management
|
|
1696 |
|
|
1697 |
When asymmetric key management is employed for a given recipient, the
|
|
1698 |
"Key-Info:" field transfers two quantities, separated by a comma.
|
|
1699 |
The first argument is an IK Use Indicator identifying the algorithm
|
|
1700 |
and mode in which the DEK is asymmetrically encrypted. The second
|
|
1701 |
argument is a DEK, asymmetrically encrypted under the recipient's
|
|
1702 |
public component.
|
|
1703 |
|
|
1704 |
Appropriate asymmetric encryption algorithms and identifiers, and
|
|
1705 |
encrypted DEK formats are defined in RFC 1423.
|
|
1706 |
|
|
1707 |
5. Key Management
|
|
1708 |
|
|
1709 |
Several cryptographic constructs are involved in supporting the PEM
|
|
1710 |
message processing procedure. A set of fundamental elements is
|
|
1711 |
assumed. Data Encrypting Keys (DEKs) are used to encrypt message
|
|
1712 |
text and (for some MIC computation algorithms) in the message
|
|
1713 |
integrity check (MIC) computation process. Interchange Keys (IKs)
|
|
1714 |
are used to encrypt DEKs and MICs for transmission with messages. In
|
|
1715 |
a certificate-based asymmetric key management architecture,
|
|
1716 |
certificates are used as a means to provide entities' public
|
|
1717 |
components and other information in a fashion which is securely bound
|
|
1718 |
by a central authority. The remainder of this section provides more
|
|
1719 |
information about these constructs.
|
|
1720 |
|
|
1721 |
5.1 Data Encrypting Keys (DEKs)
|
|
1722 |
|
|
1723 |
Data Encrypting Keys (DEKs) are used for encryption of message text
|
|
1724 |
and (with some MIC computation algorithms) for computation of message
|
|
1725 |
integrity check quantities (MICs). In the asymmetric key management
|
|
1726 |
case, they are also used for encrypting signed MICs in ENCRYPTED PEM
|
|
1727 |
messages. It is strongly recommended that DEKs be generated and used
|
|
1728 |
on a one-time, per-message, basis. A transmitted message will
|
|
1729 |
incorporate a representation of the DEK encrypted under an
|
|
1730 |
appropriate interchange key (IK) for each of the named recipients.
|
|
1731 |
|
|
1732 |
DEK generation can be performed either centrally by key distribution
|
|
1733 |
centers (KDCs) or by endpoint systems. Dedicated KDC systems may be
|
|
1734 |
able to implement stronger algorithms for random DEK generation than
|
|
1735 |
|
|
1736 |
|
|
1737 |
|
|
1738 |
Linn [Page 31]
|
|
1739 |
|
|
1740 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1741 |
|
|
1742 |
|
|
1743 |
can be supported in endpoint systems. On the other hand,
|
|
1744 |
decentralization allows endpoints to be relatively self-sufficient,
|
|
1745 |
reducing the level of trust which must be placed in components other
|
|
1746 |
than those of a message's originator and recipient. Moreover,
|
|
1747 |
decentralized DEK generation at endpoints reduces the frequency with
|
|
1748 |
which originators must make real-time queries of (potentially unique)
|
|
1749 |
servers in order to send mail, enhancing communications availability.
|
|
1750 |
|
|
1751 |
When symmetric key management is used, one advantage of centralized
|
|
1752 |
KDC-based generation is that DEKs can be returned to endpoints
|
|
1753 |
already encrypted under the IKs of message recipients rather than
|
|
1754 |
providing the IKs to the originators. This reduces IK exposure and
|
|
1755 |
simplifies endpoint key management requirements. This approach has
|
|
1756 |
less value if asymmetric cryptography is used for key management,
|
|
1757 |
since per-recipient public IK components are assumed to be generally
|
|
1758 |
available and per-originator private IK components need not
|
|
1759 |
necessarily be shared with a KDC.
|
|
1760 |
|
|
1761 |
5.2 Interchange Keys (IKs)
|
|
1762 |
|
|
1763 |
Interchange Key (IK) components are used to encrypt DEKs and MICs.
|
|
1764 |
In general, IK granularity is at the pairwise per-user level except
|
|
1765 |
for mail sent to address lists comprising multiple users. In order
|
|
1766 |
for two principals to engage in a useful exchange of PEM using
|
|
1767 |
conventional cryptography, they must first possess common IK
|
|
1768 |
components (when symmetric key management is used) or complementary
|
|
1769 |
IK components (when asymmetric key management is used). When
|
|
1770 |
symmetric cryptography is used, the IK consists of a single
|
|
1771 |
component, used to encrypt both DEKs and MICs. When asymmetric
|
|
1772 |
cryptography is used, a recipient's public component is used as an IK
|
|
1773 |
to encrypt DEKs (a transformation invertible only by a recipient
|
|
1774 |
possessing the corresponding private component), and the originator's
|
|
1775 |
private component is used to encrypt MICs (a transformation
|
|
1776 |
invertible by all recipients, since the originator's certificate
|
|
1777 |
provides all recipients with the public component required to perform
|
|
1778 |
MIC validation.
|
|
1779 |
|
|
1780 |
This RFC does not prescribe the means by which interchange keys are
|
|
1781 |
made available to appropriate parties; such means may be centralized
|
|
1782 |
(e.g., via key management servers) or decentralized (e.g., via
|
|
1783 |
pairwise agreement and direct distribution among users). In any
|
|
1784 |
case, any given IK component is associated with a responsible Issuing
|
|
1785 |
Authority (IA). When certificate-based asymmetric key management, as
|
|
1786 |
discussed in RFC [1422, is employed, the IA function is performed by
|
|
1787 |
a Certification Authority (CA).
|
|
1788 |
|
|
1789 |
When an IA generates and distributes an IK component, associated
|
|
1790 |
control information is provided to direct how it is to be used. In
|
|
1791 |
|
|
1792 |
|
|
1793 |
|
|
1794 |
Linn [Page 32]
|
|
1795 |
|
|
1796 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1797 |
|
|
1798 |
|
|
1799 |
order to select the appropriate IK(s) to use in message encryption,
|
|
1800 |
an originator must retain a correspondence between IK components and
|
|
1801 |
the recipients with which they are associated. Expiration date
|
|
1802 |
information must also be retained, in order that cached entries may
|
|
1803 |
be invalidated and replaced as appropriate.
|
|
1804 |
|
|
1805 |
Since a message may be sent with multiple IK components identified,
|
|
1806 |
corresponding to multiple intended recipients, each recipient's UA
|
|
1807 |
must be able to determine that recipient's intended IK component.
|
|
1808 |
Moreover, if no corresponding IK component is available in the
|
|
1809 |
recipient's database when a message arrives, the recipient must be
|
|
1810 |
able to identify the required IK component and identify that IK
|
|
1811 |
component's associated IA. Note that different IKs may be used for
|
|
1812 |
different messages between a pair of communicants. Consider, for
|
|
1813 |
example, one message sent from A to B and another message sent (using
|
|
1814 |
the IK-per-list method) from A to a mailing list of which B is a
|
|
1815 |
member. The first message would use IK components associated
|
|
1816 |
individually with A and B, but the second would use an IK component
|
|
1817 |
shared among list members.
|
|
1818 |
|
|
1819 |
When a PEM message is transmitted, an indication of the IK components
|
|
1820 |
used for DEK and MIC encryption must be included. To this end,
|
|
1821 |
Originator-ID and Recipient-ID encapsulated header fields provide
|
|
1822 |
(some or all of) the following data:
|
|
1823 |
|
|
1824 |
1. Identification of the relevant Issuing Authority (IA
|
|
1825 |
subfield)
|
|
1826 |
|
|
1827 |
2. Identification of an entity with which a particular IK
|
|
1828 |
component is associated (Entity Identifier or EI subfield)
|
|
1829 |
|
|
1830 |
3. Version/Expiration subfield
|
|
1831 |
|
|
1832 |
In the asymmetric case, all necessary information associated with an
|
|
1833 |
originator can be acquired by processing the certificate carried in
|
|
1834 |
an "Originator-Certificate:" field; to avoid redundancy in this case,
|
|
1835 |
no "Originator-ID-Asymmetric:" field is included if a corresponding
|
|
1836 |
"Originator-Certificate:" appears.
|
|
1837 |
|
|
1838 |
The comma character (",") is used to delimit the subfields within an
|
|
1839 |
Originator-ID or Recipient-ID. The IA, EI, and version/expiration
|
|
1840 |
subfields are generated from a restricted character set, as
|
|
1841 |
prescribed by the following BNF (using notation as defined in RFC
|
|
1842 |
822, Sections 2 and 3.3):
|
|
1843 |
|
|
1844 |
|
|
1845 |
|
|
1846 |
|
|
1847 |
|
|
1848 |
|
|
1849 |
|
|
1850 |
Linn [Page 33]
|
|
1851 |
|
|
1852 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1853 |
|
|
1854 |
|
|
1855 |
IKsubfld := 1*ia-char
|
|
1856 |
|
|
1857 |
ia-char := DIGIT / ALPHA / "'" / "+" / "(" / ")" /
|
|
1858 |
"." / "/" / "=" / "?" / "-" / "@" /
|
|
1859 |
"%" / "!" / '"' / "_" / "<" / ">"
|
|
1860 |
|
|
1861 |
|
|
1862 |
|
|
1863 |
An example Recipient-ID field for the symmetric case is as follows:
|
|
1864 |
|
|
1865 |
Recipient-ID-Symmetric: linn@zendia.enet.dec.com,ptf-kmc,2
|
|
1866 |
|
|
1867 |
This example field indicates that IA "ptf-kmc" has issued an IK
|
|
1868 |
component for use on messages sent to "linn@zendia.enet.dec.com",
|
|
1869 |
and that the IA has provided the number 2 as a version indicator for
|
|
1870 |
that IK component.
|
|
1871 |
|
|
1872 |
An example Recipient-ID field for the asymmetric case is as follows:
|
|
1873 |
|
|
1874 |
Recipient-ID-Asymmetric:
|
|
1875 |
MFExCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5j
|
|
1876 |
LjEPMA0GA1UECxMGQmV0YSAxMQ8wDQYDVQQLEwZOT1RBUlk=,66
|
|
1877 |
|
|
1878 |
This example field includes the printably encoded BER representation
|
|
1879 |
of a certificate's issuer distinguished name, along with the
|
|
1880 |
certificate serial number 66 as assigned by that issuer.
|
|
1881 |
|
|
1882 |
5.2.1 Subfield Definitions
|
|
1883 |
|
|
1884 |
The following subsections define the subfields of Originator-ID and
|
|
1885 |
Recipient-ID fields.
|
|
1886 |
|
|
1887 |
5.2.1.1 Entity Identifier Subfield
|
|
1888 |
|
|
1889 |
An entity identifier (used only for "Originator-ID-Symmetric:" and
|
|
1890 |
"Recipient-ID-Symmetric:" fields) is constructed as an IKsubfld.
|
|
1891 |
More restrictively, an entity identifier subfield assumes the
|
|
1892 |
following form:
|
|
1893 |
|
|
1894 |
<user>@<domain-qualified-host>
|
|
1895 |
|
|
1896 |
In order to support universal interoperability, it is necessary to
|
|
1897 |
assume a universal form for the naming information. For the case of
|
|
1898 |
installations which transform local host names before transmission
|
|
1899 |
into the broader Internet, it is strongly recommended that the host
|
|
1900 |
name as presented to the Internet be employed.
|
|
1901 |
|
|
1902 |
|
|
1903 |
|
|
1904 |
|
|
1905 |
|
|
1906 |
Linn [Page 34]
|
|
1907 |
|
|
1908 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1909 |
|
|
1910 |
|
|
1911 |
5.2.1.2 Issuing Authority Subfield
|
|
1912 |
|
|
1913 |
An IA identifier subfield is constructed as an IKsubfld. This RFC
|
|
1914 |
does not define this subfield's contents for the symmetric key
|
|
1915 |
management case. Any prospective IAs which are to issue symmetric
|
|
1916 |
keys for use in conjunction with this RFC must coordinate assignment
|
|
1917 |
of IA identifiers in a manner (centralized or hierarchic) which
|
|
1918 |
assures uniqueness.
|
|
1919 |
|
|
1920 |
For the asymmetric key management case, the IA identifier subfield
|
|
1921 |
will be formed from the ASN.1 BER representation of the distinguished
|
|
1922 |
name of the issuing organization or organizational unit. The
|
|
1923 |
distinguished encoding rules specified in Clause 8.7 of
|
|
1924 |
Recommendation X.509 ("X.509 DER") are to be employed in generating
|
|
1925 |
this representation. The encoded binary result will be represented
|
|
1926 |
for inclusion in a transmitted header using the procedure defined in
|
|
1927 |
Section 4.3.2.4 of this RFC.
|
|
1928 |
|
|
1929 |
5.2.1.3 Version/Expiration Subfield
|
|
1930 |
|
|
1931 |
A version/expiration subfield is constructed as an IKsubfld. For the
|
|
1932 |
symmetric key management case, the version/expiration subfield format
|
|
1933 |
is permitted to vary among different IAs, but must satisfy certain
|
|
1934 |
functional constraints. An IA's version/expiration subfields must be
|
|
1935 |
sufficient to distinguish among the set of IK components issued by
|
|
1936 |
that IA for a given identified entity. Use of a monotonically
|
|
1937 |
increasing number is sufficient to distinguish among the IK
|
|
1938 |
components provided for an entity by an IA; use of a timestamp
|
|
1939 |
additionally allows an expiration time or date to be prescribed for
|
|
1940 |
an IK component.
|
|
1941 |
|
|
1942 |
For the asymmetric key management case, the version/expiration
|
|
1943 |
subfield's value is the hexadecimal serial number of the certificate
|
|
1944 |
being used in conjunction with the originator or recipient specified
|
|
1945 |
in the "Originator-ID-Asymmetric:" or "Recipient-ID-Asymmetric:"
|
|
1946 |
field in which the subfield occurs.
|
|
1947 |
|
|
1948 |
5.2.2 IK Cryptoperiod Issues
|
|
1949 |
|
|
1950 |
An IK component's cryptoperiod is dictated in part by a tradeoff
|
|
1951 |
between key management overhead and revocation responsiveness. It
|
|
1952 |
would be undesirable to delete an IK component permanently before
|
|
1953 |
receipt of a message encrypted using that IK component, as this would
|
|
1954 |
render the message permanently undecipherable. Access to an expired
|
|
1955 |
IK component would be needed, for example, to process mail received
|
|
1956 |
by a user (or system) which had been inactive for an extended period
|
|
1957 |
of time. In order to enable very old IK components to be deleted, a
|
|
1958 |
message's recipient desiring encrypted local long term storage should
|
|
1959 |
|
|
1960 |
|
|
1961 |
|
|
1962 |
Linn [Page 35]
|
|
1963 |
|
|
1964 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
1965 |
|
|
1966 |
|
|
1967 |
transform the DEK used for message text encryption via re-encryption
|
|
1968 |
under a locally maintained IK, rather than relying on IA maintenance
|
|
1969 |
of old IK components for indefinite periods.
|
|
1970 |
|
|
1971 |
6. User Naming
|
|
1972 |
|
|
1973 |
Unique naming of electronic mail users, as is needed in order to
|
|
1974 |
select corresponding keys correctly, is an important topic and one
|
|
1975 |
which has received (and continues to receive) significant study. For
|
|
1976 |
the symmetric case, IK components are identified in PEM headers
|
|
1977 |
through use of mailbox specifiers in traditional Internet-wide form
|
|
1978 |
("user@domain-qualified-host"). Successful operation in this mode
|
|
1979 |
relies on users (or their PEM implementations) being able to
|
|
1980 |
determine the universal-form names corresponding to PEM originators
|
|
1981 |
and recipients. If a PEM implementation operates in an environment
|
|
1982 |
where addresses in a local form differing from the universal form are
|
|
1983 |
used, translations must be performed in order to map between the
|
|
1984 |
universal form and that local representation.
|
|
1985 |
|
|
1986 |
The use of user identifiers unrelated to the hosts on which the
|
|
1987 |
users' mailboxes reside offers generality and value. X.500
|
|
1988 |
distinguished names, as employed in the certificates of the
|
|
1989 |
recommended key management infrastructure defined in RFC 1422,
|
|
1990 |
provide a basis for such user identification. As directory services
|
|
1991 |
become more pervasive, they will offer originators a means to search
|
|
1992 |
for desired recipients which is based on a broader set of attributes
|
|
1993 |
than mailbox specifiers alone. Future work is anticipated in
|
|
1994 |
integration with directory services, particularly the mechanisms and
|
|
1995 |
naming schema of the Internet OSI directory pilot activity.
|
|
1996 |
|
|
1997 |
7. Example User Interface and Implementation
|
|
1998 |
|
|
1999 |
In order to place the mechanisms and approaches discussed in this RFC
|
|
2000 |
into context, this section presents an overview of a hypothetical
|
|
2001 |
prototype implementation. This implementation is a standalone
|
|
2002 |
program which is invoked by a user, and lies above the existing
|
|
2003 |
UA sublayer. In the UNIX system, and possibly in other environments
|
|
2004 |
as well, such a program can be invoked as a "filter" within an
|
|
2005 |
electronic mail UA or a text editor, simplifying the sequence of
|
|
2006 |
operations which must be performed by the user. This form of
|
|
2007 |
integration offers the advantage that the program can be used in
|
|
2008 |
conjunction with a range of UA programs, rather than being
|
|
2009 |
compatible only with a particular UA.
|
|
2010 |
|
|
2011 |
When a user wishes to apply privacy enhancements to an outgoing
|
|
2012 |
message, the user prepares the message's text and invokes the
|
|
2013 |
standalone program, which in turn generates output suitable for
|
|
2014 |
transmission via the UA. When a user receives a PEM message, the UA
|
|
2015 |
|
|
2016 |
|
|
2017 |
|
|
2018 |
Linn [Page 36]
|
|
2019 |
|
|
2020 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
2021 |
|
|
2022 |
|
|
2023 |
delivers the message in encrypted form, suitable for decryption and
|
|
2024 |
associated processing by the standalone program.
|
|
2025 |
|
|
2026 |
In this prototype implementation, a cache of IK components is
|
|
2027 |
maintained in a local file, with entries managed manually based on
|
|
2028 |
information provided by originators and recipients. For the
|
|
2029 |
asymmetric key management case, certificates are acquired for a
|
|
2030 |
user's PEM correspondents; in advance and/or in addition to retrieval
|
|
2031 |
of certificates from directories, they can be extracted from the
|
|
2032 |
"Originator-Certificate:" fields of received PEM messages.
|
|
2033 |
|
|
2034 |
The IK/certificate cache is, effectively, a simple database indexed
|
|
2035 |
by mailbox names. IK components are selected for transmitted
|
|
2036 |
messages based on the originator's identity and on recipient names,
|
|
2037 |
and corresponding Originator-ID, "Originator-Certificate:", and
|
|
2038 |
Recipient-ID fields are placed into the message's encapsulated
|
|
2039 |
header. When a message is received, these fields are used as a basis
|
|
2040 |
for a lookup in the database, yielding the appropriate IK component
|
|
2041 |
entries. DEKs and cryptographic parameters (e.g., IVs) are generated
|
|
2042 |
dynamically within the program.
|
|
2043 |
|
|
2044 |
Options and destination addresses are selected by command line
|
|
2045 |
arguments to the standalone program. The function of specifying
|
|
2046 |
destination addresses to the privacy enhancement program is logically
|
|
2047 |
distinct from the function of specifying the corresponding addresses
|
|
2048 |
to the UA for use by the MTS. This separation results from the fact
|
|
2049 |
that, in many cases, the local form of an address as specified to a
|
|
2050 |
UA differs from the Internet global form as used in "Originator-ID-
|
|
2051 |
Symmetric:" and "Recipient-ID-Symmetric:" fields.
|
|
2052 |
|
|
2053 |
8. Minimum Essential Requirements
|
|
2054 |
|
|
2055 |
This section summarizes particular capabilities which an
|
|
2056 |
implementation must provide for full conformance with this RFC.
|
|
2057 |
|
|
2058 |
RFC 1422 specifies asymmetric, certificate-based key management
|
|
2059 |
procedures to support the message processing procedures defined in
|
|
2060 |
this document; PEM implementation support for these key management
|
|
2061 |
procedures is strongly encouraged. Implementations supporting these
|
|
2062 |
procedures must also be equipped to display the names of originator
|
|
2063 |
and recipient PEM users in the X.500 DN form as authenticated by the
|
|
2064 |
procedures of RFC 1422.
|
|
2065 |
|
|
2066 |
The message processing procedures defined here can also be used with
|
|
2067 |
symmetric key management techniques, though no RFCs analogous to RFC
|
|
2068 |
1422 are currently available to provide correspondingly detailed
|
|
2069 |
description of suitable symmetric key management procedures. A
|
|
2070 |
complete PEM implementation must support at least one of these
|
|
2071 |
|
|
2072 |
|
|
2073 |
|
|
2074 |
Linn [Page 37]
|
|
2075 |
|
|
2076 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
2077 |
|
|
2078 |
|
|
2079 |
asymmetric and/or symmetric key management modes.
|
|
2080 |
|
|
2081 |
A full implementation of PEM is expected to be able to send and
|
|
2082 |
receive ENCRYPTED, MIC-ONLY, and MIC-CLEAR messages, and to receive
|
|
2083 |
CRL messages. Some level of support for generating and processing
|
|
2084 |
nested and annotated PEM messages (for forwarding purposes) is to be
|
|
2085 |
provided, and an implementation should be able to reduce ENCRYPTED
|
|
2086 |
messages to MIC-ONLY or MIC-CLEAR for forwarding. Fully-conformant
|
|
2087 |
implementations must be able to emit Certificate and Issuer-
|
|
2088 |
Certificate fields, and to include a Key-Info field corresponding to
|
|
2089 |
the originator, but users or configurers of PEM implementations may
|
|
2090 |
be allowed the option of deactivating those features.
|
|
2091 |
|
|
2092 |
9. Descriptive Grammar
|
|
2093 |
|
|
2094 |
This section provides a grammar describing the construction of a PEM
|
|
2095 |
message.
|
|
2096 |
|
|
2097 |
; PEM BNF representation, using RFC 822 notation.
|
|
2098 |
|
|
2099 |
; imports field meta-syntax (field, field-name, field-body,
|
|
2100 |
; field-body-contents) from RFC-822, sec. 3.2
|
|
2101 |
; imports DIGIT, ALPHA, CRLF, text from RFC-822
|
|
2102 |
; Note: algorithm and mode specifiers are officially defined
|
|
2103 |
; in RFC 1423
|
|
2104 |
|
|
2105 |
<pemmsg> ::= <preeb>
|
|
2106 |
<pemhdr>
|
|
2107 |
[CRLF <pemtext>] ; absent for CRL message
|
|
2108 |
<posteb>
|
|
2109 |
|
|
2110 |
<preeb> ::= "-----BEGIN PRIVACY-ENHANCED MESSAGE-----" CRLF
|
|
2111 |
<posteb> ::= "-----END PRIVACY-ENHANCED MESSAGE-----" CRLF / <preeb>
|
|
2112 |
|
|
2113 |
<pemtext> ::= <encbinbody> ; for ENCRYPTED or MIC-ONLY messages
|
|
2114 |
/ *(<text> CRLF) ; for MIC-CLEAR
|
|
2115 |
|
|
2116 |
<pemhdr> ::= <normalhdr> / <crlhdr>
|
|
2117 |
|
|
2118 |
<normalhdr> ::= <proctype>
|
|
2119 |
|
|
2120 |
<contentdomain>
|
|
2121 |
[<dekinfo>] ; needed if ENCRYPTED
|
|
2122 |
(1*(<origflds> *<recipflds>)) ; symmetric case --
|
|
2123 |
; recipflds included for all proc types
|
|
2124 |
/ ((1*<origflds>) *(<recipflds>)) ; asymmetric case --
|
|
2125 |
; recipflds included for ENCRYPTED proc type
|
|
2126 |
|
|
2127 |
|
|
2128 |
|
|
2129 |
|
|
2130 |
Linn [Page 38]
|
|
2131 |
|
|
2132 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
2133 |
|
|
2134 |
|
|
2135 |
<crlhdr> ::= <proctype>
|
|
2136 |
1*(<crl> [<cert>] *(<issuercert>))
|
|
2137 |
|
|
2138 |
<asymmorig> ::= <origid-asymm> / <cert>
|
|
2139 |
|
|
2140 |
<origflds> ::= <asymmorig> [<keyinfo>] *(<issuercert>)
|
|
2141 |
<micinfo> ; asymmetric
|
|
2142 |
/ <origid-symm> [<keyinfo>] ; symmetric
|
|
2143 |
|
|
2144 |
<recipflds> ::= <recipid> <keyinfo>
|
|
2145 |
|
|
2146 |
; definitions for PEM header fields
|
|
2147 |
|
|
2148 |
<proctype> ::= "Proc-Type" ":" "4" "," <pemtypes> CRLF
|
|
2149 |
<contentdomain> ::= "Content-Domain" ":" <contentdescrip> CRLF
|
|
2150 |
<dekinfo> ::= "DEK-Info" ":" <dekalgid> [ "," <dekparameters> ] CRLF
|
|
2151 |
<symmid> ::= <IKsubfld> "," [<IKsubfld>] "," [<IKsubfld>]
|
|
2152 |
<asymmid> ::= <IKsubfld> "," <IKsubfld>
|
|
2153 |
<origid-asymm> ::= "Originator-ID-Asymmetric" ":" <asymmid> CRLF
|
|
2154 |
<origid-symm> ::= "Originator-ID-Symmetric" ":" <symmid> CRLF
|
|
2155 |
<recipid> ::= <recipid-asymm> / <recipid-symm>
|
|
2156 |
<recipid-asymm> ::= "Recipient-ID-Asymmetric" ":" <asymmid> CRLF
|
|
2157 |
<recipid-symm> ::= "Recipient-ID-Symmetric" ":" <symmid> CRLF
|
|
2158 |
<cert> ::= "Originator-Certificate" ":" <encbin> CRLF
|
|
2159 |
<issuercert> ::= "Issuer-Certificate" ":" <encbin> CRLF
|
|
2160 |
<micinfo> ::= "MIC-Info" ":" <micalgid> "," <ikalgid> ","
|
|
2161 |
<asymsignmic> CRLF
|
|
2162 |
<keyinfo> ::= "Key-Info" ":" <ikalgid> "," <micalgid> ","
|
|
2163 |
<symencdek> "," <symencmic> CRLF ; symmetric case
|
|
2164 |
/ "Key-Info" ":" <ikalgid> "," <asymencdek>
|
|
2165 |
CRLF ; asymmetric case
|
|
2166 |
<crl> ::= "CRL" ":" <encbin> CRLF
|
|
2167 |
|
|
2168 |
<pemtypes> ::= "ENCRYPTED" / "MIC-ONLY" / "MIC-CLEAR" / "CRL"
|
|
2169 |
|
|
2170 |
<encbinchar> ::= ALPHA / DIGIT / "+" / "/" / "="
|
|
2171 |
<encbingrp> ::= 4*4<encbinchar>
|
|
2172 |
<encbin> ::= 1*<encbingrp>
|
|
2173 |
<encbinbody> ::= *(16*16<encbingrp> CRLF) [1*16<encbingrp> CRLF]
|
|
2174 |
<IKsubfld> ::= 1*<ia-char>
|
|
2175 |
; Note: "," removed from <ia-char> set so that Orig-ID and Recip-ID
|
|
2176 |
; fields can be delimited with commas (not colons) like all other
|
|
2177 |
; fields
|
|
2178 |
<ia-char> ::= DIGIT / ALPHA / "'" / "+" / "(" / ")" /
|
|
2179 |
"." / "/" / "=" / "?" / "-" / "@" /
|
|
2180 |
"%" / "!" / '"' / "_" / "<" / ">"
|
|
2181 |
<hexchar> ::= DIGIT / "A" / "B" / "C" / "D" / "E" / "F"
|
|
2182 |
; no lower case
|
|
2183 |
|
|
2184 |
|
|
2185 |
|
|
2186 |
Linn [Page 39]
|
|
2187 |
|
|
2188 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
2189 |
|
|
2190 |
|
|
2191 |
; This specification defines one value ("RFC822") for
|
|
2192 |
; <contentdescrip>: other values may be defined in future in
|
|
2193 |
; separate or successor documents
|
|
2194 |
;
|
|
2195 |
<contentdescrip> ::= "RFC822"
|
|
2196 |
|
|
2197 |
; The following items are defined in RFC 1423
|
|
2198 |
; <dekalgid>
|
|
2199 |
; <dekparameters>
|
|
2200 |
; <micalgid>
|
|
2201 |
; <ikalgid>
|
|
2202 |
; <asymsignmic>
|
|
2203 |
; <symencdek>
|
|
2204 |
; <symencmic>
|
|
2205 |
; <asymencdek>
|
|
2206 |
|
|
2207 |
|
|
2208 |
NOTES:
|
|
2209 |
|
|
2210 |
[1] Key generation for MIC computation and message text encryption
|
|
2211 |
may either be performed by the sending host or by a
|
|
2212 |
centralized server. This RFC does not constrain this design
|
|
2213 |
alternative. Section 5.1 identifies possible advantages of a
|
|
2214 |
centralized server approach if symmetric key management is
|
|
2215 |
employed.
|
|
2216 |
|
|
2217 |
[2] Postel, J., "Simple Mail Transfer Protocol", STD 10,
|
|
2218 |
RFC 821, August 1982.
|
|
2219 |
|
|
2220 |
[3] This transformation should occur only at an SMTP endpoint, not
|
|
2221 |
at an intervening relay, but may take place at a gateway
|
|
2222 |
system linking the SMTP realm with other environments.
|
|
2223 |
|
|
2224 |
[4] Use of a canonicalization procedure similar to that of SMTP
|
|
2225 |
was selected because its functions are widely used and
|
|
2226 |
implemented within the Internet mail community, not for
|
|
2227 |
purposes of SMTP interoperability with this intermediate
|
|
2228 |
result.
|
|
2229 |
|
|
2230 |
[5] Crocker, D., "Standard for the Format of ARPA Internet Text
|
|
2231 |
Messages", STD 11, RFC 822, August 1982.
|
|
2232 |
|
|
2233 |
[6] Rose, M. T. and Stefferud, E. A., "Proposed Standard for
|
|
2234 |
Message Encapsulation", RFC 934, January 1985.
|
|
2235 |
|
|
2236 |
[7] CCITT Recommendation X.509 (1988), "The Directory -
|
|
2237 |
Authentication Framework".
|
|
2238 |
|
|
2239 |
|
|
2240 |
|
|
2241 |
|
|
2242 |
Linn [Page 40]
|
|
2243 |
|
|
2244 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
2245 |
|
|
2246 |
|
|
2247 |
[8] Throughout this RFC we have adopted the terms "private
|
|
2248 |
component" and "public component" to refer to the quantities
|
|
2249 |
which are, respectively, kept secret and made publicly
|
|
2250 |
available in asymmetric cryptosystems. This convention is
|
|
2251 |
adopted to avoid possible confusion arising from use of the
|
|
2252 |
term "secret key" to refer to either the former quantity or to
|
|
2253 |
a key in a symmetric cryptosystem.
|
|
2254 |
|
|
2255 |
Patent Statement
|
|
2256 |
|
|
2257 |
This version of Privacy Enhanced Mail (PEM) relies on the use of
|
|
2258 |
patented public key encryption technology for authentication and
|
|
2259 |
encryption. The Internet Standards Process as defined in RFC 1310
|
|
2260 |
requires a written statement from the Patent holder that a license
|
|
2261 |
will be made available to applicants under reasonable terms and
|
|
2262 |
conditions prior to approving a specification as a Proposed, Draft or
|
|
2263 |
Internet Standard.
|
|
2264 |
|
|
2265 |
The Massachusetts Institute of Technology and the Board of Trustees
|
|
2266 |
of the Leland Stanford Junior University have granted Public Key
|
|
2267 |
Partners (PKP) exclusive sub-licensing rights to the following
|
|
2268 |
patents issued in the United States, and all of their corresponding
|
|
2269 |
foreign patents:
|
|
2270 |
|
|
2271 |
Cryptographic Apparatus and Method
|
|
2272 |
("Diffie-Hellman")............................... No. 4,200,770
|
|
2273 |
|
|
2274 |
Public Key Cryptographic Apparatus
|
|
2275 |
and Method ("Hellman-Merkle").................... No. 4,218,582
|
|
2276 |
|
|
2277 |
Cryptographic Communications System and
|
|
2278 |
Method ("RSA")................................... No. 4,405,829
|
|
2279 |
|
|
2280 |
Exponential Cryptographic Apparatus
|
|
2281 |
and Method ("Hellman-Pohlig").................... No. 4,424,414
|
|
2282 |
|
|
2283 |
These patents are stated by PKP to cover all known methods of
|
|
2284 |
practicing the art of Public Key encryption, including the variations
|
|
2285 |
collectively known as El Gamal.
|
|
2286 |
|
|
2287 |
Public Key Partners has provided written assurance to the Internet
|
|
2288 |
Society that parties will be able to obtain, under reasonable,
|
|
2289 |
nondiscriminatory terms, the right to use the technology covered by
|
|
2290 |
these patents. This assurance is documented in RFC 1170 titled
|
|
2291 |
"Public Key Standards and Licenses". A copy of the written assurance
|
|
2292 |
dated April 20, 1990, may be obtained from the Internet Assigned
|
|
2293 |
Number Authority (IANA).
|
|
2294 |
|
|
2295 |
|
|
2296 |
|
|
2297 |
|
|
2298 |
Linn [Page 41]
|
|
2299 |
|
|
2300 |
RFC 1421 Privacy Enhancement for Electronic Mail February 1993
|
|
2301 |
|
|
2302 |
|
|
2303 |
The Internet Society, Internet Architecture Board, Internet
|
|
2304 |
Engineering Steering Group and the Corporation for National Research
|
|
2305 |
Initiatives take no position on the validity or scope of the patents
|
|
2306 |
and patent applications, nor on the appropriateness of the terms of
|
|
2307 |
the assurance. The Internet Society and other groups mentioned above
|
|
2308 |
have not made any determination as to any other intellectual property
|
|
2309 |
rights which may apply to the practice of this standard. Any further
|
|
2310 |
consideration of these matters is the user's own responsibility.
|
|
2311 |
|
|
2312 |
Security Considerations
|
|
2313 |
|
|
2314 |
This entire document is about security.
|
|
2315 |
|
|
2316 |
Author's Address
|
|
2317 |
|
|
2318 |
John Linn
|
|
2319 |
|
|
2320 |
EMail: 104-8456@mcimail.com
|
|
2321 |
|
|
2322 |
|
|
2323 |
|
|
2324 |
|
|
2325 |
|
|
2326 |
|
|
2327 |
|
|
2328 |
|
|
2329 |
|
|
2330 |
|
|
2331 |
|
|
2332 |
|
|
2333 |
|
|
2334 |
|
|
2335 |
|
|
2336 |
|
|
2337 |
|
|
2338 |
|
|
2339 |
|
|
2340 |
|
|
2341 |
|
|
2342 |
|
|
2343 |
|
|
2344 |
|
|
2345 |
|
|
2346 |
|
|
2347 |
|
|
2348 |
|
|
2349 |
|
|
2350 |
|
|
2351 |
|
|
2352 |
|
|
2353 |
|
|
2354 |
Linn [Page 42]
|
|
2355 |
|