Network Working Group                                         R. Housley
Request for Comments: 3560                                Vigil Security
Category: Standards Track                                      July 2003
        
Network Working Group                                         R. Housley
Request for Comments: 3560                                Vigil Security
Category: Standards Track                                      July 2003
        

Use of the RSAES-OAEP Key Transport Algorithm in the Cryptographic Message Syntax (CMS)

在加密消息语法(CMS)中使用RSAES-OAEP密钥传输算法

Status of this Memo

本备忘录的状况

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。

Copyright Notice

版权公告

Copyright (C) The Internet Society (2003). All Rights Reserved.

版权所有(C)互联网协会(2003年)。版权所有。

Abstract

摘要

This document describes the conventions for using the RSAES-OAEP key transport algorithm with the Cryptographic Message Syntax (CMS). The CMS specifies the enveloped-data content type, which consists of an encrypted content and encrypted content-encryption keys for one or more recipients. The RSAES-OAEP key transport algorithm can be used to encrypt content-encryption keys for intended recipients.

本文档描述了使用带有加密消息语法(CMS)的RSAES-OAEP密钥传输算法的约定。CMS指定信封数据内容类型,该类型由加密内容和一个或多个收件人的加密内容加密密钥组成。RSAES-OAEP密钥传输算法可用于加密目标收件人的内容加密密钥。

Table of Contents

目录

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Enveloped-data Conventions . . . . . . . . . . . . . . . . . .  3
       2.1.  EnvelopedData Fields . . . . . . . . . . . . . . . . . .  3
       2.2.  KeyTransRecipientInfo Fields . . . . . . . . . . . . . .  4
   3.  RSAES-OAEP Algorithm Identifiers and Parameters. . . . . . . .  4
   4.  Certificate Conventions. . . . . . . . . . . . . . . . . . . .  6
   5.  SMIMECapabilities Attribute Conventions. . . . . . . . . . . .  8
   6.  Security Considerations. . . . . . . . . . . . . . . . . . . .  9
   7.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 11
   8.  Intellectual Property Rights Statement . . . . . . . . . . . . 11
   9.  Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 11
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
       10.1.  Normative References. . . . . . . . . . . . . . . . . . 11
       10.2.  Informative References. . . . . . . . . . . . . . . . . 12
   Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 14
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 18
        
   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Enveloped-data Conventions . . . . . . . . . . . . . . . . . .  3
       2.1.  EnvelopedData Fields . . . . . . . . . . . . . . . . . .  3
       2.2.  KeyTransRecipientInfo Fields . . . . . . . . . . . . . .  4
   3.  RSAES-OAEP Algorithm Identifiers and Parameters. . . . . . . .  4
   4.  Certificate Conventions. . . . . . . . . . . . . . . . . . . .  6
   5.  SMIMECapabilities Attribute Conventions. . . . . . . . . . . .  8
   6.  Security Considerations. . . . . . . . . . . . . . . . . . . .  9
   7.  IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 11
   8.  Intellectual Property Rights Statement . . . . . . . . . . . . 11
   9.  Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 11
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
       10.1.  Normative References. . . . . . . . . . . . . . . . . . 11
       10.2.  Informative References. . . . . . . . . . . . . . . . . 12
   Appendix A. ASN.1 Module . . . . . . . . . . . . . . . . . . . . . 14
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17
   Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 18
        
1. Introduction
1. 介绍

PKCS #1 Version 1.5 [PKCS#1v1.5] specifies a widely deployed variant of the RSA key transport algorithm. PKCS #1 Version 1.5 key transport is vulnerable to adaptive chosen ciphertext attacks, especially when it is used to for key management in interactive applications. This attack is often referred to as the "Million Message Attack," and it explained in [RSALABS] and [CRYPTO98]. Exploitation of this vulnerability, which reveals the result of a particular RSA decryption, requires access to an oracle which will respond to hundreds of thousands of ciphertexts, which are constructed adaptively in response to previously received replies that provide information on the successes or failures of attempted decryption operations.

PKCS#1 1.5版[PKCS#1v1.5]指定了广泛部署的RSA密钥传输算法变体。PKCS#1 1.5版密钥传输易受自适应选择密文攻击的攻击,尤其是当它用于交互式应用程序中的密钥管理时。这种攻击通常被称为“百万消息攻击”,并在[RSALAB]和[CRYPTO98]中进行了解释。利用此漏洞(显示特定RSA解密的结果)需要访问oracle,该oracle将响应数十万个密文,这些密文是根据以前收到的答复自适应构造的,这些答复提供了尝试解密操作的成功或失败信息。

The attack is significantly less feasible in store-and-forward environments, such as S/MIME. RFC 3218 [MMA] discussed the countermeasures to this attack that are available when PKCS #1 Version 1.5 key transport is used in conjunction with the Cryptographic Message Syntax (CMS) [CMS].

这种攻击在存储转发环境(如S/MIME)中的可行性明显降低。RFC 3218[MMA]讨论了当PKCS#1 1.5版密钥传输与加密消息语法(CMS)[CMS]结合使用时,可采取的针对该攻击的对策。

When PKCS #1 Version 1.5 key transport is applied as an intermediate encryption layer within an interactive request-response communications environment, exploitation could be more feasible. However, Secure Sockets Layer (SSL) [SSL] and Transport Layer Security (TLS) [TLS] protocol implementations could include countermeasures that detect and prevent the Million Message Attack and other chosen-ciphertext attacks. These countermeasures are performed within the protocol level.

当PKCS#1 1.5版密钥传输作为交互式请求-响应通信环境中的中间加密层应用时,利用PKCS#1 1.5版密钥传输可能更可行。然而,安全套接字层(SSL)[SSL]和传输层安全(TLS)[TLS]协议实现可能包括检测和防止百万消息攻击和其他选定密文攻击的对策。这些对策在协议级别内执行。

In the interest of long-term security assurance, it is prudent to adopt an improved cryptographic technique rather than embedding countermeasures within protocols. To this end, an updated version of PKCS #1 has been published. PKCS #1 Version 2.1 [PKCS#1v2.1] supersedes RFC 2313. It preserves support for the PKCS #1 Version 1.5 encryption padding format, and it also defines a new one. To resolve the adaptive chosen ciphertext vulnerability, the PKCS #1 Version 2.1 specifies and recommends use of Optimal Asymmetric Encryption Padding (OAEP) for RSA key transport.

为了长期的安全保证,谨慎的做法是采用改进的密码技术,而不是在协议中嵌入反措施。为此,发布了PKCS#1的更新版本。PKCS#1版本2.1[PKCS#1v2.1]取代RFC 2313。它保留了对PKCS#1 1.5版加密填充格式的支持,并定义了一种新的加密填充格式。为了解决自适应选择密文漏洞,PKCS#1 2.1版规定并建议对RSA密钥传输使用最佳非对称加密填充(OAEP)。

This document specifies the use of RSAES-OAEP key transport algorithm in the CMS. The CMS can be used in either a store-and-forward or an interactive request-response environment.

本文件规定了在CMS中使用RSAES-OAEP密钥传输算法。CMS可用于存储转发或交互式请求-响应环境。

The CMS supports variety of architectures for certificate-based key management, particularly the one defined by the PKIX working group [PROFILE]. PKCS #1 Version 1.5 and PKCS #1 Version 2.1 require the same RSA public key information. Thus, a certified RSA public key may be used with either RSA key transport technique.

CMS支持各种基于证书的密钥管理体系结构,特别是PKIX工作组[PROFILE]定义的体系结构。PKCS#1 1.5版和PKCS#1 2.1版需要相同的RSA公钥信息。因此,经认证的RSA公钥可与任一RSA密钥传输技术一起使用。

The CMS uses ASN.1 [X.208-88], the Basic Encoding Rules (BER) [X.209-88], and the Distinguished Encoding Rules (DER) [X.509-88].

CMS使用ASN.1[X.208-88]、基本编码规则(BER)[X.209-88]和可分辨编码规则(DER)[X.509-88]。

Throughout this document, when the terms "MUST", "MUST NOT", "SHOULD", and "MAY" are used in capital letters, their use conforms to the definitions in RFC 2119 [STDWORDS]. These key word definitions help make the intent of standards documents as clear as possible. These key words are used in this document to help implementers achieve interoperability.

在本文件中,当术语“必须”、“不得”、“应该”和“可以”以大写字母使用时,其使用符合RFC 2119[STDWORDS]中的定义。这些关键词定义有助于使标准文档的意图尽可能清晰。本文档使用这些关键词来帮助实施者实现互操作性。

2. Enveloped-data Conventions
2. 封装数据约定

The CMS enveloped-data content type consists of an encrypted content and wrapped content-encryption keys for one or more recipients. The RSAES-OAEP key transport algorithm is used to wrap the content-encryption key for one recipient.

CMS信封数据内容类型由一个或多个收件人的加密内容和包装内容加密密钥组成。RSAES-OAEP密钥传输算法用于包装一个收件人的内容加密密钥。

Compliant software MUST meet the requirements for constructing an enveloped-data content type stated in [CMS] Section 6, "Enveloped-data Content Type".

合规软件必须满足[CMS]第6节“封装数据内容类型”中规定的构建封装数据内容类型的要求。

A content-encryption key MUST be randomly generated for each instance of an enveloped-data content type. The content-encryption key is used to encipher the content.

必须为封装数据内容类型的每个实例随机生成内容加密密钥。内容加密密钥用于对内容进行加密。

2.1. EnvelopedData Fields
2.1. 包络数据字段

The enveloped-data content type is ASN.1 encoded using the EnvelopedData syntax. The fields of the EnvelopedData syntax MUST be populated as described in this section when RSAES-OAEP key transport is employed for one or more recipients.

封装的数据内容类型是使用EnvelopedData语法进行ASN.1编码的。当一个或多个收件人使用RSAES-OAEP密钥传输时,必须按照本节所述填充EnvelopedData语法的字段。

The EnvelopedData version MUST be 0, 2, or 3.

EnvelopedData版本必须为0、2或3。

The EnvelopedData originatorInfo field is not used for the RSAES-OAEP key transport algorithm. However, this field MAY be present to support recipients using other key management algorithms.

EnvelopedData originatorInfo字段不用于RSAES-OAEP密钥传输算法。但是,此字段可能用于支持使用其他密钥管理算法的收件人。

The EnvelopedData recipientInfos CHOICE MUST be KeyTransRecipientInfo. See section 2.2 for further discussion of KeyTransRecipientInfo.

EnvelopedData RecipientInfo选项必须为KeyTransRecipientInfo。有关KeyTransRecipientInfo的进一步讨论,请参见第2.2节。

The EnvelopedData encryptedContentInfo contentEncryptionAlgorithm field MUST be a symmetric encryption algorithm identifier.

EnvelopedData encryptedContentInfo contentEncryptionAlgorithm字段必须是对称加密算法标识符。

The EnvelopedData unprotectedAttrs MAY be present.

可能存在未受保护的信封数据。

2.2. KeyTransRecipientInfo Fields
2.2. KeyTransRecipientInfo字段

The fields of the KeyTransRecipientInfo syntax MUST be populated as described in this section when RSAES-OAEP key transport is employed for one or more recipients.

当一个或多个收件人使用RSAES-OAEP密钥传输时,必须按照本节所述填充KeyTransRecipientInfo语法的字段。

The KeyTransRecipientInfo version MUST be 0 or 2. If the RecipientIdentifier uses the issuerAndSerialNumber alternative, then the version MUST be 0. If the RecipientIdentifier uses the subjectKeyIdentifier alternative, then the version MUST be 2.

KeyTransRecipientInfo版本必须为0或2。如果RecipientIdentifier使用issuerAndSerialNumber替代项,则版本必须为0。如果RecipientIdentifier使用subjectKeyIdentifier选项,则版本必须为2。

The KeyTransRecipientInfo RecipientIdentifier provides two alternatives for specifying the recipient's certificate, and thereby the recipient's public key. The recipient's certificate MUST contain a RSA public key. The content-encryption key is encrypted with the recipient's RSA public key. The issuerAndSerialNumber alternative identifies the recipient's certificate by the issuer's distinguished name and the certificate serial number; the subjectKeyIdentifier identifies the recipient's certificate by the X.509 subjectKeyIdentifier extension value.

KeyTransRecipientInfo RecipientIdentifier提供了两种方法来指定收件人的证书,从而指定收件人的公钥。收件人的证书必须包含RSA公钥。内容加密密钥使用收件人的RSA公钥加密。发卡机构序列号备选方案通过发卡机构的可分辨名称和证书序列号识别收件人的证书;subjectKeyIdentifier通过X.509 subjectKeyIdentifier扩展值标识收件人的证书。

The KeyTransRecipientInfo keyEncryptionAlgorithm specifies use of the RSAES-OAEP algorithm, and its associated parameters, to encrypt the content-encryption key for the recipient. The key-encryption process is described in [PKCS#1v2.1]. See section 3 of this document for the algorithm identifier and the parameter syntax.

KeyTransRecipientInfo keyEncryptionAlgorithm指定使用RSAES-OAEP算法及其相关参数来加密收件人的内容加密密钥。[PKCS#1v2.1]中描述了密钥加密过程。有关算法标识符和参数语法,请参见本文档第3节。

The KeyTransRecipientInfo encryptedKey is the result of encrypting the content-encryption key in the recipient's RSA public key using the RSAES-OAEP algorithm. The RSA public key MUST be at least 1024 bits in length. When using a Triple-DES [3DES] content-encryption key, implementations MUST adjust the parity bits to ensure odd parity for each octet of each DES key comprising the Triple-DES key prior to RSAES-OAEP encryption.

KeyTransRecipientInfo encryptedKey是使用RSAES-OAEP算法对收件人的RSA公钥中的内容加密密钥进行加密的结果。RSA公钥的长度必须至少为1024位。当使用三重DES[3DES]内容加密密钥时,实现必须调整奇偶校验位,以确保在RSAES-OAEP加密之前,构成三重DES密钥的每个DES密钥的每个八位组的奇偶校验。

3. RSAES-OAEP Algorithm Identifiers and Parameters
3. RSAES-OAEP算法标识符和参数

The RSAES-OAEP key transport algorithm is the RSA encryption scheme defined in RFC 3447 [PKCS#1v2.1], where the message to be encrypted is the content-encryption key. The algorithm identifier for RSAES-OAEP is:

RSAES-OAEP密钥传输算法是RFC 3447[PKCS#1v2.1]中定义的RSA加密方案,其中要加密的消息是内容加密密钥。RSAES-OAEP的算法标识符为:

   id-RSAES-OAEP  OBJECT IDENTIFIER  ::=  { iso(1) member-body(2)
     us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 7 }
        
   id-RSAES-OAEP  OBJECT IDENTIFIER  ::=  { iso(1) member-body(2)
     us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 7 }
        

The AlgorithmIdentifier parameters field MUST be present, and the parameters field MUST contain RSAES-OAEP-params. RSAES-OAEP-params has the following syntax:

AlgorithmIdentifier参数字段必须存在,并且参数字段必须包含RSAES OAEP参数。RSAES OAEP参数具有以下语法:

   RSAES-OAEP-params  ::=  SEQUENCE  {
     hashFunc    [0] AlgorithmIdentifier DEFAULT sha1Identifier,
     maskGenFunc [1] AlgorithmIdentifier DEFAULT mgf1SHA1Identifier,
     pSourceFunc [2] AlgorithmIdentifier DEFAULT
                         pSpecifiedEmptyIdentifier  }
        
   RSAES-OAEP-params  ::=  SEQUENCE  {
     hashFunc    [0] AlgorithmIdentifier DEFAULT sha1Identifier,
     maskGenFunc [1] AlgorithmIdentifier DEFAULT mgf1SHA1Identifier,
     pSourceFunc [2] AlgorithmIdentifier DEFAULT
                         pSpecifiedEmptyIdentifier  }
        
   sha1Identifier  AlgorithmIdentifier  ::=  { id-sha1, NULL }
        
   sha1Identifier  AlgorithmIdentifier  ::=  { id-sha1, NULL }
        
   mgf1SHA1Identifier  AlgorithmIdentifier  ::=
                         { id-mgf1, sha1Identifier }
        
   mgf1SHA1Identifier  AlgorithmIdentifier  ::=
                         { id-mgf1, sha1Identifier }
        
   pSpecifiedEmptyIdentifier  AlgorithmIdentifier ::=
                         { id-pSpecified, nullOctetString }
        
   pSpecifiedEmptyIdentifier  AlgorithmIdentifier ::=
                         { id-pSpecified, nullOctetString }
        
   nullOctetString  OCTET STRING (SIZE (0))  ::=  { ''H }
        
   nullOctetString  OCTET STRING (SIZE (0))  ::=  { ''H }
        
   id-sha1  OBJECT IDENTIFIER  ::=  { iso(1)
                         identified-organization(3) oiw(14)
                         secsig(3) algorithms(2) 26 }
        
   id-sha1  OBJECT IDENTIFIER  ::=  { iso(1)
                         identified-organization(3) oiw(14)
                         secsig(3) algorithms(2) 26 }
        
   pkcs-1  OBJECT IDENTIFIER  ::=  { iso(1) member-body(2)
                         us(840) rsadsi(113549) pkcs(1) pkcs-1(1) }
        
   pkcs-1  OBJECT IDENTIFIER  ::=  { iso(1) member-body(2)
                         us(840) rsadsi(113549) pkcs(1) pkcs-1(1) }
        
   id-mgf1  OBJECT IDENTIFIER  ::=  { pkcs-1 8 }
        
   id-mgf1  OBJECT IDENTIFIER  ::=  { pkcs-1 8 }
        
   id-pSpecified  OBJECT IDENTIFIER  ::=  { pkcs-1 9 }
        
   id-pSpecified  OBJECT IDENTIFIER  ::=  { pkcs-1 9 }
        

The fields within RSAES-OAEP-params have the following meanings:

RSAES OAEP参数中的字段具有以下含义:

hashFunc identifies the one-way hash function. Implementations MUST support SHA-1 [SHA1], and implementations MAY support other one-way hash functions. The SHA-1 algorithm identifier is comprised of the id-sha1 object identifier and a parameter of NULL. Implementations that perform encryption MUST omit the hashFunc field when SHA-1 is used, indicating that the default algorithm was used. Implementations that perform decryption MUST recognize both the id-sha1 object identifier and an absent hashFunc field as an indication that SHA-1 was used.

hashFunc标识单向散列函数。实现必须支持SHA-1[SHA1],并且实现可能支持其他单向散列函数。SHA-1算法标识符由id-sha1对象标识符和NULL参数组成。使用SHA-1时,执行加密的实现必须省略hashFunc字段,这表示使用了默认算法。执行解密的实现必须将id-sha1对象标识符和缺少的hashFunc字段识别为使用了SHA-1的指示。

maskGenFunc identifies the mask generation function. Implementations MUST support MFG1 [PKCS#1v2.1]. MFG1 requires a one-way hash function, and it is identified in the parameter field of the MFG1 algorithm identifier. Implementations MUST support SHA-1 [SHA1], and implementations MAY support other one-way hash functions. The MFG1 algorithm identifier is comprised of the id-mgf1 object identifier and a parameter that contains the algorithm identifier of the one-way hash function employed with MFG1. The SHA-1 algorithm identifier is comprised of the id-sha1 object identifier and a parameter of NULL. Implementations that perform encryption MUST omit the maskGenFunc field when MFG1 with SHA-1 is used, indicating that the default algorithm was used. Implementations that perform decryption MUST recognize both the id-mgf1 and id-sha1 object identifiers as well as an absent maskGenFunc field as an indication that MFG1 with SHA-1 was used.

maskGenFunc标识掩码生成函数。实现必须支持MFG1[PKCS#1v2.1]。MFG1需要一个单向散列函数,它在MFG1算法标识符的参数字段中标识。实现必须支持SHA-1[SHA1],并且实现可能支持其他单向散列函数。MFG1算法标识符由id-mgf1对象标识符和包含MFG1使用的单向散列函数的算法标识符的参数组成。SHA-1算法标识符由id-sha1对象标识符和NULL参数组成。使用带有SHA-1的MFG1时,执行加密的实现必须省略maskGenFunc字段,这表明使用了默认算法。执行解密的实现必须识别id-mgf1和id-sha1对象标识符以及缺少的maskGenFunc字段,以指示使用了带SHA-1的MFG1。

pSourceFunc identifies the source (and possibly the value) of the encoding parameters, commonly called P. Implementations MUST represent P by the algorithm identifier, id-pSpecified, indicating that P is explicitly provided as an OCTET STRING in the parameters. The default value for P is an empty string. In this case, pHash in EME-OAEP contains the hash of a zero length string. Implementations MUST support a zero length P value. Implementations that perform encryption MUST omit the pSourceFunc field when a zero length P value is used, indicating that the default value was used. Implementations that perform decryption MUST recognize both the id-pSpecified object identifier and an absent pSourceFunc field as an indication that a zero length P value was used.

pSourceFunc标识编码参数的源(可能还有值),通常称为P。实现必须通过算法标识符id pSpecified来表示P,表示P在参数中显式提供为八位字节字符串。P的默认值是空字符串。在这种情况下,EME-OAEP中的pHash包含零长度字符串的哈希。实现必须支持长度为零的P值。当使用零长度P值时,执行加密的实现必须省略pSourceFunc字段,这表示使用了默认值。执行解密的实现必须将id pSpecified对象标识符和缺少的pSourceFunc字段识别为使用了零长度P值的指示。

4. Certificate Conventions
4. 证书惯例

RFC 3280 [PROFILE] specifies the profile for using X.509 Certificates in Internet applications. When a RSA public key will be used for RSAES-OAEP key transport, the conventions specified in this section augment RFC 3280.

RFC 3280[PROFILE]指定在Internet应用程序中使用X.509证书的配置文件。当RSA公钥将用于RSAES-OAEP密钥传输时,本节中指定的约定将扩充RFC 3280。

Traditionally, the rsaEncryption object identifier is used to identify RSA public keys. However, to implement all of the recommendations described in the Security Considerations section of this document (see section 6), the certificate user needs to be able to determine the form of key transport that the RSA private key owner associates with the public key.

传统上,RSA加密对象标识符用于识别RSA公钥。但是,要实现本文档“安全注意事项”一节中描述的所有建议(请参见第6节),证书用户需要能够确定RSA私钥所有者与公钥关联的密钥传输形式。

The rsaEncryption object identifier continues to identify the subject public key when the RSA private key owner does not wish to limit the use of the public key exclusively to RSAES-OAEP. In this case, the

当RSA私钥所有者不希望将公钥的使用仅限于RSAES-OAEP时,RSAES加密对象标识符将继续标识主题公钥。在这种情况下

rsaEncryption object identifier MUST be used in the algorithm field within the subject public key information, and the parameters field MUST contain NULL.

RSA加密对象标识符必须在主题公钥信息的算法字段中使用,并且参数字段必须包含NULL。

      rsaEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 1 }
        
      rsaEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 1 }
        

Further discussion of the conventions associated with use of the rsaEncryption object identifier can be found in RFC 3279 (see [CERTALGS], section 2.3.1).

RFC 3279(参见[CERTALGS],第2.3.1节)中对使用RSA加密对象标识符相关约定的进一步讨论。

When the RSA private key owner wishes to limit the use of the public key exclusively to RSAES-OAEP, then the id-RSAES-OAEP object identifier MUST be used in the algorithm field within the subject public key information, and the parameters field MUST contain RSAES-OAEP-params. The id-RSAES-OAEP object identifier value and the RSAES-OAEP-params syntax are fully described in section 3 of this document.

当RSA私钥所有者希望将公钥的使用仅限于RSAES-OAEP时,则必须在主题公钥信息的算法字段中使用id RSAES OAEP对象标识符,并且参数字段必须包含RSAES OAEP参数。id RSAES OAEP对象标识符值和RSAES OAEP参数语法在本文件第3节中有详细说明。

Regardless of the object identifier used, the RSA public key is encoded in the same manner in the subject public key information. The RSA public key MUST be encoded using the type RSAPublicKey type:

不管所使用的对象标识符是什么,RSA公钥在主体公钥信息中的编码方式都是相同的。RSA公钥必须使用RSAPublicKey类型进行编码:

      RSAPublicKey ::= SEQUENCE {
         modulus            INTEGER,    -- n
         publicExponent     INTEGER  }  -- e
        
      RSAPublicKey ::= SEQUENCE {
         modulus            INTEGER,    -- n
         publicExponent     INTEGER  }  -- e
        

Here, the modulus is the modulus n, and publicExponent is the public exponent e. The DER encoded RSAPublicKey is carried in the subjectPublicKey BIT STRING within the subject public key information.

这里,模数是模数n,公共指数是公共指数e。DER编码的RSAPPublicKey携带在主题公钥信息内的主题公钥位字符串中。

The intended application for the key MAY be indicated in the key usage certificate extension (see [PROFILE], section 4.2.1.3). If the keyUsage extension is present in a certificate that conveys an RSA public key with the id-RSAES-OAEP object identifier, then the key usage extension MUST contain a combination of the following values:

密钥的预期用途可在密钥使用证书扩展中说明(见[配置文件],第4.2.1.3节)。如果密钥使用扩展存在于传送带有id RSAES OAEP对象标识符的RSA公钥的证书中,则密钥使用扩展必须包含以下值的组合:

keyEncipherment; and dataEncipherment.

密钥加密;和数据加密。

However, both keyEncipherment and dataEncipherment SHOULD NOT be present.

但是,密钥加密和数据加密都不应该存在。

When a certificate that conveys an RSA public key with the id-RSAES-OAEP object identifier, the certificate user MUST only use the certified RSA public key for RSAES-OAEP operations, and the certificate user MUST perform those operations using the parameters identified in the certificate.

当使用id为RSAES OAEP对象标识符传递RSA公钥的证书时,证书用户必须仅将经认证的RSA公钥用于RSAES-OAEP操作,并且证书用户必须使用证书中标识的参数执行这些操作。

5. SMIMECapabilities Attribute Conventions
5. SMIMECapabilities属性约定

RFC 2633 [MSG], Section 2.5.2 defines the SMIMECapabilities signed attribute (defined as a SEQUENCE of SMIMECapability SEQUENCEs) to be used to specify a partial list of algorithms that the software announcing the SMIMECapabilities can support. When constructing a signedData object, compliant software MAY include the SMIMECapabilities signed attribute announcing that it supports the RSAES-OAEP algorithm.

RFC 2633[MSG],第2.5.2节定义了SMIMECapabilities签名属性(定义为SMIMECapabilities序列),用于指定宣布SMIMECapabilities的软件可以支持的算法的部分列表。在构造signedData对象时,兼容软件可能会包含SMIMECapabilities signed属性,声明它支持RSAES-OAEP算法。

When all of the default settings are selected, the SMIMECapability SEQUENCE representing RSAES-OAEP MUST include the id-RSAES-OAEP object identifier in the capabilityID field and MUST include an empty SEQUENCE in the parameters field. In this case, RSAES-OAEP is represented by the rSAES-OAEP-Default-Identifier:

选择所有默认设置后,表示RSAES-OAEP的SMIMECapability序列必须在capabilityID字段中包含id RSAES OAEP对象标识符,并且必须在parameters字段中包含空序列。在这种情况下,RSAES-OAEP由RSAES OAEP默认标识符表示:

   rSAES-OAEP-Default-Identifier  AlgorithmIdentifier  ::=
                         { id-RSAES-OAEP,
                            { sha1Identifier,
                              mgf1SHA1Identifier,
                              pSpecifiedEmptyIdentifier } }
        
   rSAES-OAEP-Default-Identifier  AlgorithmIdentifier  ::=
                         { id-RSAES-OAEP,
                            { sha1Identifier,
                              mgf1SHA1Identifier,
                              pSpecifiedEmptyIdentifier } }
        

The SMIMECapability SEQUENCE representing rSAES-OAEP-Default-Identifier MUST be DER-encoded as the following hexadecimal string:

表示rSAES OAEP默认标识符的SMIMECapability序列必须按以下十六进制字符串进行DER编码:

30 0D 06 09 2A 86 48 86 F7 0D 01 01 07 30 00

30 0D 06 09 2A 86 48 86 F7 0D 01 01 07 30 00

When settings other than the defaults are selected, the SMIMECapability SEQUENCE representing RSAES-OAEP MUST include the id-RSAES-OAEP object identifier in the capabilityID field and MUST include the RSAES-OAEP-params SEQUENCE that identifies the non-default settings in the parameters field.

选择默认设置以外的其他设置时,表示RSAES-OAEP的SMIMECapability序列必须在capabilityID字段中包含id RSAES OAEP对象标识符,并且必须在parameters字段中包含标识非默认设置的RSAES OAEP params序列。

When SHA-256 is used in the hashFunc and SHA-256 is used with MGF1 in the maskGenFunc, the SMIMECapability SEQUENCE representing RSAES-OAEP is the rSAES-OAEP-SHA256-Identifier, as specified in Appendix A. The SMIMECapability SEQUENCE representing rSAES-OAEP-SHA256-Identifier MUST be DER-encoded as the following hexadecimal string:

在hashFunc中使用SHA-256且在maskGenFunc中将SHA-256与MGF1一起使用时,表示RSAES-OAEP的SMIMECapability序列为RSAES-OAEP-SHA256-Identifier,如附录A所述。表示RSAES-OAEP-SHA256-Identifier的SMIMECapability序列必须按以下十六进制字符串顺序编码:

30 38 06 09 2A 86 48 86 F7 0D 01 01 07 30 2B 30 0D 06 09 60 86 48 01 65 03 04 02 01 05 00 30 1A 06 09 2A 86 48 86 F7 0D 01 01 08 30 0D 06 09 60 86 48 01 65 03 04 02 01 05 00

30 38 06 09 2A 86 48 86 F7 0D 01 01 07 30 2B 30 0D 06 09 60 86 48 01 65 03 04 01 05 00 30 1A 06 09 2A 86 48 86 F7 0D 01 08 30 0D 06 09 60 86 48 01 65 03 02 05 00

When SHA-384 is used in the hashFunc and SHA-384 is used with MGF1 in the maskGenFunc, the SMIMECapability SEQUENCE representing RSAES-OAEP is the rSAES-OAEP-SHA384-Identifier, as specified in Appendix A. The

当SHA-384在hashFunc中使用,而SHA-384在maskGenFunc中与MGF1一起使用时,表示RSAES-OAEP的SMIMECapability序列是RSAES-OAEP-SHA384-Identifier,如附录A中所述

SMIMECapability SEQUENCE representing rSAES-OAEP-SHA384-Identifier MUST be DER-encoded as the following hexadecimal string:

表示rSAES-OAEP-SHA384-Identifier的SMIMECapability序列必须按以下十六进制字符串进行DER编码:

30 38 06 09 2A 86 48 86 F7 0D 01 01 07 30 2B 30 0D 06 09 60 86 48 01 65 03 04 02 02 05 00 30 1A 06 09 2A 86 48 86 F7 0D 01 01 08 30 0D 06 09 60 86 48 01 65 03 04 02 02 05 00

30 38 06 09 2A 86 48 86 F7 0D 01 01 07 30 2B 30 0D 06 09 60 86 48 01 65 03 04 02 05 00 30 1A 06 09 2A 86 48 86 F7 0D 01 08 30 0D 06 09 60 86 48 01 65 03 02 05 00

When SHA-512 is used in the hashFunc and SHA-512 is used with MGF1 in the maskGenFunc, the SMIMECapability SEQUENCE representing RSAES-OAEP is the rSAES-OAEP-SHA512-Identifier, as specified in Appendix A. The SMIMECapability SEQUENCE representing rSAES-OAEP-SHA512-Identifier MUST be DER-encoded as the following hexadecimal string:

在hashFunc中使用SHA-512且在maskGenFunc中将SHA-512与MGF1一起使用时,表示RSAES-OAEP的SMIMECapability序列为RSAES-OAEP-SHA512-Identifier,如附录A所述。表示RSAES-OAEP-SHA512-Identifier的SMIMECapability序列必须按以下十六进制字符串顺序编码:

30 38 06 09 2A 86 48 86 F7 0D 01 01 07 30 2B 30 0D 06 09 60 86 48 01 65 03 04 02 03 05 00 30 1A 06 09 2A 86 48 86 F7 0D 01 01 08 30 0D 06 09 60 86 48 01 65 03 04 02 03 05 00

30 38 06 09 2A 86 48 86 F7 0D 01 01 07 30 2B 30 0D 06 09 60 86 48 01 65 03 04 02 05 00 30 1A 06 09 2A 86 48 86 F7 0D 01 08 30 0D 06 09 60 86 48 01 65 03 02 05 00

6. Security Considerations
6. 安全考虑

Implementations must protect the RSA private key and the content-encryption key. Compromise of the RSA private key may result in the disclosure of all messages protected with that key. Compromise of the content-encryption key may result in disclosure of the associated encrypted content.

实施必须保护RSA私钥和内容加密密钥。RSA私钥的泄露可能会导致使用该密钥保护的所有消息被泄露。内容加密密钥的泄露可能导致相关加密内容的泄露。

The generation of RSA public/private key pairs relies on a random numbers. The use of inadequate pseudo-random number generators (PRNGs) to generate cryptographic keys can result in little or no security. An attacker may find it much easier to reproduce the PRNG environment that produced the keys, searching the resulting small set of possibilities, rather than brute force searching the whole key space. The generation of quality random numbers is difficult. RFC 1750 [RANDOM] offers important guidance in this area.

RSA公钥/私钥对的生成依赖于随机数。使用不充分的伪随机数生成器(PRNG)生成加密密钥可能导致很少或没有安全性。攻击者可能会发现,复制生成密钥的PRNG环境、搜索生成的一小部分可能性比暴力搜索整个密钥空间要容易得多。生成高质量的随机数是困难的。RFC 1750[随机]在这方面提供了重要的指导。

Generally, good cryptographic practice employs a given RSA key pair in only one scheme. This practice avoids the risk that vulnerability in one scheme may compromise the security of the other, and may be essential to maintain provable security. While PKCS #1 Version 1.5 [PKCS#1v1.5] has been employed for both key transport and digital signature without any known bad interactions, such a combined use of an RSA key pair is not recommended in the future. Therefore, an RSA key pair used for RSAES-OAEP key transport should not also be used for other purposes. For similar reasons, one RSA key pair should always be used with the same RSAES-OAEP parameters.

通常,良好的密码实践仅在一个方案中使用给定的RSA密钥对。这种做法避免了一个方案中的漏洞可能会危及另一个方案的安全性的风险,并且对于维护可证明的安全性可能至关重要。虽然PKCS#1 1.5版[PKCS#1v1.5]已用于密钥传输和数字签名,且没有任何已知的不良交互,但今后不建议将RSA密钥对组合使用。因此,用于RSAES-OAEP密钥传输的RSA密钥对也不应用于其他目的。出于类似原因,一个RSA密钥对应始终与相同的RSAES-OAEP参数一起使用。

This specification requires implementation to support the SHA-1 one-way hash function for interoperability, but support for other one-way hash function is permitted. At the time of this writing, the best (known) collision attacks against SHA-1 are generic attacks with complexity 2^80, where 80 is one-half the bit length of the hash value. When a one-way hash function is used with a digital signature scheme, a collision attack is easily translated into a signature forgery. Therefore, the use of SHA-1 in a digital signature scheme provides a security level of no more than 80 bits. If a greater level of security is desired, then a secure one-way hash function with a longer hash value is needed. SHA-256, SHA-384, and SHA-512 are likely candidates [SHA2].

本规范要求实现支持SHA-1单向散列函数以实现互操作性,但允许支持其他单向散列函数。在撰写本文时,针对SHA-1的最(已知)的冲突攻击是复杂度为2^80的一般攻击,其中80是哈希值位长度的一半。当单向散列函数用于数字签名方案时,碰撞攻击很容易转化为签名伪造。因此,在数字签名方案中使用SHA-1可提供不超过80位的安全级别。如果需要更高级别的安全性,则需要具有更长散列值的安全单向散列函数。SHA-256、SHA-384和SHA-512可能是候选机型[SHA2]。

The metrics for choosing a one-way hash function for use in digital signatures do not directly apply to the RSAES-OAEP key transport algorithm, since a collision attack on the one-way hash function does not directly translate into an attack on the key transport algorithm, unless the encoding parameters P varies (in which case a collision the hash value for different encoding parameters might be exploited).

用于选择用于数字签名的单向散列函数的度量不直接应用于RSAES-OAEP密钥传输算法,因为对单向散列函数的冲突攻击不会直接转化为对密钥传输算法的攻击,除非编码参数P发生变化(在这种情况下,可能会利用不同编码参数的哈希值发生冲突)。

Nevertheless, for consistency with the practice for digital signature schemes, and in case the encoding parameters P is not the empty string, it is recommended that the same rule of thumb be applied to selection of a one-way hash function for use with RSAES-OAEP. That is, the one-way hash function should be selected so that the bit length of the hash value is at least twice as long as the desired security level in bits.

然而,为了与数字签名方案的实践保持一致,并且在编码参数P不是空字符串的情况下,建议将相同的经验法则应用于选择与RSAES-OAEP一起使用的单向散列函数。也就是说,应当选择单向散列函数,使得散列值的比特长度至少是以比特为单位的期望安全级别的两倍。

A 1024-bit RSA public key and SHA-1 both provide a security level of about 80 bits. In [NISTGUIDE], the National Institute of Standards and Technology suggests that a security level of 80 bits is adequate for most applications until 2015. If a security level greater than 80 bits is needed, then a longer RSA public key and a secure one-way hash function with a longer hash value are needed. Again, SHA-256, SHA-384, and SHA-512 are likely candidates for such a one-way hash function. For this reason, the algorithm identifiers for these one-way hash functions are included in the ASN.1 module in Appendix A.

1024位RSA公钥和SHA-1都提供了大约80位的安全级别。在[NISTGUIDE]中,美国国家标准与技术研究所(National Institute of Standards and Technology)建议,在2015年之前,80位的安全级别足以满足大多数应用。如果需要大于80位的安全级别,则需要更长的RSA公钥和具有更长散列值的安全单向散列函数。同样,SHA-256、SHA-384和SHA-512可能是这种单向散列函数的候选函数。因此,这些单向散列函数的算法标识符包含在附录A的ASN.1模块中。

The same one-way hash function should be employed for the hashFunc and the maskGenFunc, but it is not required. Using the same one-way hash function reduces the potential for implementation errors.

hashFunc和maskGenFunc应使用相同的单向散列函数,但不是必需的。使用相同的单向散列函数可以减少实现错误的可能性。

7. IANA Considerations
7. IANA考虑

Within the CMS, algorithms are identified by object identifiers (OIDs). All of the OIDs used in this document were assigned in Public-Key Cryptography Standards (PKCS) documents or by the National Institute of Standards and Technology (NIST). No further action by the IANA is necessary for this document or any anticipated updates.

在CMS中,算法由对象标识符(OID)标识。本文件中使用的所有OID均由公钥密码标准(PKCS)文件或国家标准与技术研究所(NIST)指定。IANA无需对本文件或任何预期更新采取进一步行动。

8. Intellectual Property Rights Statement
8. 知识产权声明

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何努力来确定任何此类权利。有关IETF在标准跟踪和标准相关文件中权利的程序信息,请参见BCP-11。可从IETF秘书处获得可供发布的权利声明副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果。

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涉及实施本标准所需技术的专有权利。请将信息发送给IETF执行董事。

9. Acknowledgments
9. 致谢

This document is the result of contributions from many professionals. I appreciate the hard work of all members of the IETF S/MIME Working Group. Further, I extend a special thanks to Burt Kaliski, Jakob Jonsson, Francois Rousseau, and Jim Schaad.

本文件是许多专业人士贡献的成果。我感谢IETF S/MIME工作组所有成员的辛勤工作。此外,我还要特别感谢伯特·卡利斯基、雅各布·琼森、弗朗索瓦·卢梭和吉姆·沙德。

10. References
10. 工具书类

This section provides normative and informative references.

本节提供了规范性和信息性参考。

10.1. Normative References
10.1. 规范性引用文件

[3DES] American National Standards Institute. ANSI X9.52- 1998, Triple Data Encryption Algorithm Modes of Operation. 1998.

[3DES]美国国家标准协会。ANSI X9.52-1998,三重数据加密算法操作模式。1998

[CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3369, August 2002.

[CMS]Housley,R.,“加密消息语法(CMS)”,RFC 3369,2002年8月。

[MSG] Ramsdell, B., "S/MIME Version 3 Message Specification", RFC 2633, June 1999.

[MSG]Ramsdell,B.,“S/MIME版本3消息规范”,RFC 2633,1999年6月。

[PKCS#1v2.1] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications, Version 2.1", RFC 3447, February 2003.

[PKCS#1v2.1]Jonsson,J.和B.Kaliski,“公钥密码标准(PKCS)#1:RSA密码规范,版本2.1”,RFC 3447,2003年2月。

[PROFILE] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet X.509 Public Key Infrastructure: Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.

[简介]Housley,R.,Polk,W.,Ford,W.和D.Solo,“互联网X.509公钥基础设施:证书和证书撤销列表(CRL)简介”,RFC 32802002年4月。

[SHA1] National Institute of Standards and Technology. FIPS Pub 180-1: "Secure Hash Standard." April 1995.

[SHA1]国家标准与技术研究所。FIPS Pub 180-1:“安全哈希标准”,1995年4月。

[STDWORDS] Bradner, S., "Key Words for Use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[STDWORDS]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[X.208-88] CCITT. Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1). 1988.

[X.208-88]CCITT。建议X.208:抽象语法符号1(ASN.1)的规范。1988

[X.209-88] CCITT. Recommendation X.209: Specification of Basic Encoding Rules for Abstract Syntax Notation One (ASN.1). 1988.

[X.209-88]CCITT。建议X.209:抽象语法符号1(ASN.1)的基本编码规则规范。1988

[X.509-88] CCITT. Recommendation X.509: The Directory - Authentication Framework. 1988.

[X.509-88]CCITT。建议X.509:目录认证框架。1988

10.2. Informative References
10.2. 资料性引用

[CERTALGS] Bassham, L., Polk, W. and R. Housley, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, April 2002.

[CERTALGS]Bassham,L.,Polk,W.和R.Housley,“互联网X.509公钥基础设施证书和证书撤销列表(CRL)配置文件的算法和标识符”,RFC 3279,2002年4月。

[CRYPTO98] Bleichenbacher, D. "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1", in H. Krawczyk (editor), Advances in Cryptology - CRYPTO '98 Proceedings, Lecture Notes in Computer Science 1462 (1998), Springer-Verlag, pp. 1-12.

[CRYPTO98]Bleichenbacher,D.“针对基于RSA加密标准PKCS#1的协议的选择密文攻击”,载于H.Krawczyk(编辑),《密码学进展-加密'98会议录》,计算机科学讲稿1462(1998),Springer Verlag,第1-12页。

[MMA] Rescorla, E., "Preventing the Million Message Attack on Cryptographic Message Syntax", RFC 3218, January 2002.

[MMA]Rescorla,E.“防止对加密消息语法的百万消息攻击”,RFC 3218,2002年1月。

   [NISTGUIDE]   National Institute of Standards and Technology.  Second
                 Draft: "Key Management Guideline, Part 1:  General
                 Guidance."  June 2002.
                 [http://csrc.nist.gov/encryption/kms/guideline-1.pdf]
        
   [NISTGUIDE]   National Institute of Standards and Technology.  Second
                 Draft: "Key Management Guideline, Part 1:  General
                 Guidance."  June 2002.
                 [http://csrc.nist.gov/encryption/kms/guideline-1.pdf]
        

[PKCS#1v1.5] Kaliski, B., "PKCS #1: RSA Encryption, Version 1.5", RFC 2313, March 1998.

[PKCS#1v1.5]Kaliski,B.,“PKCS#1:RSA加密,1.5版”,RFC 2313,1998年3月。

[RANDOM] Eastlake, D., Crocker, S. and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994.

[随机]Eastlake,D.,Crocker,S.和J.Schiller,“安全的随机性建议”,RFC 1750,1994年12月。

   [RSALABS]     Bleichenbacher, D., B. Kaliski, and J. Staddon.  Recent
                 Results on PKCS #1: RSA Encryption Standard.  RSA
                 Laboratories' Bulletin No. 7, June 26, 1998.
                 [http://www.rsasecurity.com/rsalabs/bulletins]
        
   [RSALABS]     Bleichenbacher, D., B. Kaliski, and J. Staddon.  Recent
                 Results on PKCS #1: RSA Encryption Standard.  RSA
                 Laboratories' Bulletin No. 7, June 26, 1998.
                 [http://www.rsasecurity.com/rsalabs/bulletins]
        
   [SHA2]        National Institute of Standards and Technology.  Draft
                 FIPS Pub 180-2: "Specifications for the Secure Hash
                 Standard."  May 2001.
                 [http://csrc.nist.gov/encryption/shs/dfips-180-2.pdf]
        
   [SHA2]        National Institute of Standards and Technology.  Draft
                 FIPS Pub 180-2: "Specifications for the Secure Hash
                 Standard."  May 2001.
                 [http://csrc.nist.gov/encryption/shs/dfips-180-2.pdf]
        
   [SSL]         Freier, A., P. Karlton, and P. Kocher.  The SSL
                 Protocol, Version 3.0.  Netscape Communications.
                 November 1996.
                 [http://wp.netscape.com/eng/ssl3/draft302.txt]
        
   [SSL]         Freier, A., P. Karlton, and P. Kocher.  The SSL
                 Protocol, Version 3.0.  Netscape Communications.
                 November 1996.
                 [http://wp.netscape.com/eng/ssl3/draft302.txt]
        

[TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999.

[TLS]Dierks,T.和C.Allen,“TLS协议版本1.0”,RFC 2246,1999年1月。

Appendix A. ASN.1 Module
附录A.ASN.1模块
   CMS-RSAES-OAEP
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
        pkcs-9(9) smime(16) modules(0) cms-rsaes-oaep(20) }
        
   CMS-RSAES-OAEP
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
        pkcs-9(9) smime(16) modules(0) cms-rsaes-oaep(20) }
        
   DEFINITIONS IMPLICIT TAGS ::= BEGIN
        
   DEFINITIONS IMPLICIT TAGS ::= BEGIN
        

-- EXPORTS ALL --

--全部出口--

   IMPORTS
      AlgorithmIdentifier
          FROM PKIX1Explicit88 -- RFC 3280
          { iso(1) identified-organization(3) dod(6) internet(1)
            security(5) mechanisms(5) pkix(7) id-mod(0)
            id-pkix1-explicit(18) };
        
   IMPORTS
      AlgorithmIdentifier
          FROM PKIX1Explicit88 -- RFC 3280
          { iso(1) identified-organization(3) dod(6) internet(1)
            security(5) mechanisms(5) pkix(7) id-mod(0)
            id-pkix1-explicit(18) };
        
   pkcs-1  OBJECT IDENTIFIER  ::=  { iso(1) member-body(2) us(840)
                         rsadsi(113549) pkcs(1) pkcs-1(1) }
        
   pkcs-1  OBJECT IDENTIFIER  ::=  { iso(1) member-body(2) us(840)
                         rsadsi(113549) pkcs(1) pkcs-1(1) }
        
   rsaEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 1 }
        
   rsaEncryption  OBJECT IDENTIFIER  ::=  { pkcs-1 1 }
        
   id-RSAES-OAEP  OBJECT IDENTIFIER  ::=  { pkcs-1 7 }
        
   id-RSAES-OAEP  OBJECT IDENTIFIER  ::=  { pkcs-1 7 }
        
   RSAES-OAEP-params  ::=  SEQUENCE  {
      hashFunc    [0] AlgorithmIdentifier DEFAULT sha1Identifier,
      maskGenFunc [1] AlgorithmIdentifier DEFAULT mgf1SHA1Identifier,
      pSourceFunc [2] AlgorithmIdentifier DEFAULT
        
   RSAES-OAEP-params  ::=  SEQUENCE  {
      hashFunc    [0] AlgorithmIdentifier DEFAULT sha1Identifier,
      maskGenFunc [1] AlgorithmIdentifier DEFAULT mgf1SHA1Identifier,
      pSourceFunc [2] AlgorithmIdentifier DEFAULT
        

pSpecifiedEmptyIdentifier }

pSpecifiedEmptyIdentifier}

   sha1Identifier  AlgorithmIdentifier  ::=  { id-sha1, NULL }
        
   sha1Identifier  AlgorithmIdentifier  ::=  { id-sha1, NULL }
        
   sha256Identifier  AlgorithmIdentifier  ::=  { id-sha256, NULL }
        
   sha256Identifier  AlgorithmIdentifier  ::=  { id-sha256, NULL }
        
   sha384Identifier  AlgorithmIdentifier  ::=  { id-sha384, NULL }
        
   sha384Identifier  AlgorithmIdentifier  ::=  { id-sha384, NULL }
        
   sha512Identifier  AlgorithmIdentifier  ::=  { id-sha512, NULL }
        
   sha512Identifier  AlgorithmIdentifier  ::=  { id-sha512, NULL }
        
   mgf1SHA1Identifier  AlgorithmIdentifier  ::=
                         { id-mgf1, sha1Identifier }
        
   mgf1SHA1Identifier  AlgorithmIdentifier  ::=
                         { id-mgf1, sha1Identifier }
        
   mgf1SHA256Identifier  AlgorithmIdentifier  ::=
                         { id-mgf1, sha256Identifier }
        
   mgf1SHA256Identifier  AlgorithmIdentifier  ::=
                         { id-mgf1, sha256Identifier }
        
   mgf1SHA384Identifier  AlgorithmIdentifier  ::=
                         { id-mgf1, sha384Identifier }
        
   mgf1SHA384Identifier  AlgorithmIdentifier  ::=
                         { id-mgf1, sha384Identifier }
        
   mgf1SHA512Identifier  AlgorithmIdentifier  ::=
                         { id-mgf1, sha512Identifier }
        
   mgf1SHA512Identifier  AlgorithmIdentifier  ::=
                         { id-mgf1, sha512Identifier }
        
   pSpecifiedEmptyIdentifier  AlgorithmIdentifier ::=
                         { id-pSpecified, nullOctetString }
        
   pSpecifiedEmptyIdentifier  AlgorithmIdentifier ::=
                         { id-pSpecified, nullOctetString }
        
   nullOctetString  OCTET STRING (SIZE (0))  ::=  { ''H }
        
   nullOctetString  OCTET STRING (SIZE (0))  ::=  { ''H }
        
   id-sha1  OBJECT IDENTIFIER  ::=  { iso(1)
                         identified-organization(3) oiw(14)
                         secsig(3) algorithms(2) 26 }
        
   id-sha1  OBJECT IDENTIFIER  ::=  { iso(1)
                         identified-organization(3) oiw(14)
                         secsig(3) algorithms(2) 26 }
        
   id-sha256  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                         country(16) us(840) organization(1) gov(101)
                         csor(3) nistalgorithm(4) hashalgs(2) 1 }
        
   id-sha256  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                         country(16) us(840) organization(1) gov(101)
                         csor(3) nistalgorithm(4) hashalgs(2) 1 }
        
   id-sha384  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                         country(16) us(840) organization(1) gov(101)
                         csor(3) nistalgorithm(4) hashalgs(2) 2 }
        
   id-sha384  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                         country(16) us(840) organization(1) gov(101)
                         csor(3) nistalgorithm(4) hashalgs(2) 2 }
        
   id-sha512  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                         country(16) us(840) organization(1) gov(101)
                         csor(3) nistalgorithm(4) hashalgs(2) 3 }
        
   id-sha512  OBJECT IDENTIFIER  ::=  { joint-iso-itu-t(2)
                         country(16) us(840) organization(1) gov(101)
                         csor(3) nistalgorithm(4) hashalgs(2) 3 }
        
   id-mgf1  OBJECT IDENTIFIER  ::=  { pkcs-1 8 }
        
   id-mgf1  OBJECT IDENTIFIER  ::=  { pkcs-1 8 }
        
   id-pSpecified  OBJECT IDENTIFIER  ::=  { pkcs-1 9 }
        
   id-pSpecified  OBJECT IDENTIFIER  ::=  { pkcs-1 9 }
        
   rSAES-OAEP-Default-Identifier  AlgorithmIdentifier  ::=
                         { id-RSAES-OAEP,
                            { sha1Identifier,
                              mgf1SHA1Identifier,
                              pSpecifiedEmptyIdentifier } }
        
   rSAES-OAEP-Default-Identifier  AlgorithmIdentifier  ::=
                         { id-RSAES-OAEP,
                            { sha1Identifier,
                              mgf1SHA1Identifier,
                              pSpecifiedEmptyIdentifier } }
        
   rSAES-OAEP-SHA256-Identifier  AlgorithmIdentifier  ::=
                         { id-RSAES-OAEP,
                            { sha256Identifier,
                              mgf1SHA256Identifier,
                              pSpecifiedEmptyIdentifier } }
        
   rSAES-OAEP-SHA256-Identifier  AlgorithmIdentifier  ::=
                         { id-RSAES-OAEP,
                            { sha256Identifier,
                              mgf1SHA256Identifier,
                              pSpecifiedEmptyIdentifier } }
        
   rSAES-OAEP-SHA384-Identifier  AlgorithmIdentifier  ::=
                         { id-RSAES-OAEP,
                            { sha384Identifier,
                              mgf1SHA384Identifier,
                              pSpecifiedEmptyIdentifier } }
        
   rSAES-OAEP-SHA384-Identifier  AlgorithmIdentifier  ::=
                         { id-RSAES-OAEP,
                            { sha384Identifier,
                              mgf1SHA384Identifier,
                              pSpecifiedEmptyIdentifier } }
        
   rSAES-OAEP-SHA512-Identifier  AlgorithmIdentifier  ::=
                         { id-RSAES-OAEP,
        
   rSAES-OAEP-SHA512-Identifier  AlgorithmIdentifier  ::=
                         { id-RSAES-OAEP,
        

{ sha512Identifier, mgf1SHA512Identifier, pSpecifiedEmptyIdentifier } }

{SHA512标识符,MGF1SHA512标识符,PSpecifiedemptyiIdentifier}

END

终止

Author's Address

作者地址

Russell Housley Vigil Security, LLC 918 Spring Knoll Drive Herndon, VA 20170 USA

Russell Housley Vigil Security,LLC 918 Spring Knoll Drive Herndon,弗吉尼亚州,邮编20170

   EMail: housley@vigilsec.com
        
   EMail: housley@vigilsec.com
        

Full Copyright Statement

完整版权声明

Copyright (C) The Internet Society (2003). All Rights Reserved.

版权所有(C)互联网协会(2003年)。版权所有。

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

本文件及其译本可复制并提供给他人,对其进行评论或解释或协助其实施的衍生作品可全部或部分编制、复制、出版和分发,不受任何限制,前提是上述版权声明和本段包含在所有此类副本和衍生作品中。但是,不得以任何方式修改本文件本身,例如删除版权通知或对互联网协会或其他互联网组织的引用,除非出于制定互联网标准的需要,在这种情况下,必须遵循互联网标准过程中定义的版权程序,或根据需要将其翻译成英语以外的其他语言。

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.

上述授予的有限许可是永久性的,互联网协会或其继承人或受让人不会撤销。

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

本文件和其中包含的信息是按“原样”提供的,互联网协会和互联网工程任务组否认所有明示或暗示的保证,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。

Acknowledgement

确认

Funding for the RFC Editor function is currently provided by the Internet Society.

RFC编辑功能的资金目前由互联网协会提供。