Network Working Group J. Peterson
Request for Comments: 3853 Neustar
Updates: 3261 July 2004
Category: Standards Track
Network Working Group J. Peterson
Request for Comments: 3853 Neustar
Updates: 3261 July 2004
Category: Standards Track
S/MIME Advanced Encryption Standard (AES) Requirement for the Session Initiation Protocol (SIP)
会话启动协议(SIP)的S/MIME高级加密标准(AES)要求
Status of this Memo
本备忘录的状况
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2004).
版权所有(C)互联网协会(2004年)。
Abstract
摘要
RFC 3261 currently specifies 3DES as the mandatory-to-implement ciphersuite for implementations of S/MIME in the Session Initiation Protocol (SIP). This document updates the normative guidance of RFC 3261 to require the Advanced Encryption Standard (AES) for S/MIME.
RFC 3261目前将3DES指定为在会话启动协议(SIP)中实现S/MIME的密码套件的强制要求。本文件更新了RFC 3261的规范性指南,要求S/MIME采用高级加密标准(AES)。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. S/MIME Ciphersuite Requirements for SIP . . . . . . . . . . . . 3
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 3
5. References . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5.1. Normative References . . . . . . . . . . . . . . . . . . . 4
5.2. Informative References . . . . . . . . . . . . . . . . . . 4
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 4
7. Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5
8. Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 6
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. S/MIME Ciphersuite Requirements for SIP . . . . . . . . . . . . 3
4. Security Considerations . . . . . . . . . . . . . . . . . . . . 3
5. References . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
5.1. Normative References . . . . . . . . . . . . . . . . . . . 4
5.2. Informative References . . . . . . . . . . . . . . . . . . 4
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 4
7. Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5
8. Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 6
The Session Initiation Protocol (SIP) specification (RFC 3261 [1]) currently details optional support (a normative MAY) for the use of secure MIME, or S/MIME (RFC 2633 [8]). Since RFC 3261 was published, the S/MIME specification and the underlying Cryptographic Message Syntax (CMS, RFC 3369 [3]) have undergone some revision. Ongoing work has identified AES as a algorithm that might be used for content encryption in S/MIME.
会话初始化协议(SIP)规范(RFC 3261[1])目前详细说明了对使用安全MIME或S/MIME的可选支持(规范可能)。自RFC 3261发布以来,S/MIME规范和底层加密消息语法(CMS,RFC 3369[3])已经过一些修订。正在进行的工作已经确定AES是一种算法,可以用于S/MIME中的内容加密。
The Advanced Encryption Standard (AES [6]) is widely believed to be faster than Triple-DES (3DES, which has previously been mandated for usage with S/MIME) and to be comparably secure. AES is also believed to have comparatively low memory requirements, which makes it suitable for use in mobile or embedded devices, an important use-case for SIP.
人们普遍认为,高级加密标准(AES[6])比三重DES(3DES,之前被强制用于S/MIME)更快,并且具有相当的安全性。AES还被认为具有相对较低的内存需求,这使得它适合用于移动或嵌入式设备,这是SIP的一个重要用例。
As an additional consideration, the SIP specification has a recommendation (normative SHOULD) for support of Transport Layer Security (TLS, RFC 2246 [7]). TLS support in SIP requires the usage of AES. That means that currently, implementations that support both TLS and S/MIME must support both 3DES and AES. A similar duplication of effort exists with DSS in S/MIME as a digital signature algorithm (the mandatory TLS ciphersuite used by SIP requires RSA). Unifying the ciphersuite and signature algorithm requirements for TLS and S/MIME would simplify security implementations.
作为附加考虑,SIP规范中有一项支持传输层安全性的建议(规范性应)(TLS,RFC 2246[7])。SIP中的TLS支持需要使用AES。这意味着目前,同时支持TLS和S/MIME的实现必须同时支持3DES和AES。S/MIME中的DSS作为数字签名算法也存在类似的重复工作(SIP使用的强制TLS密码套件需要RSA)。统一TLS和S/MIME的密码套件和签名算法要求将简化安全实现。
It is therefore desirable to bring the S/MIME requirement for SIP into parity with ongoing work on the S/MIME standard, as well as to unify the algorithm requirements for TLS and S/MIME. To date, S/MIME has not yet seen widespread deployment in SIP user agents, and therefore the minimum ciphersuite for S/MIME could be updated without obsoleting any substantial deployments of S/MIME for SIP (in fact, these changes will probably make support for S/MIME easier). This document therefore updates the normative requirements for S/MIME in RFC 3261.
因此,希望SIP的S/MIME要求与正在进行的S/MIME标准工作保持一致,并统一TLS和S/MIME的算法要求。到目前为止,S/MIME尚未在SIP用户代理中广泛部署,因此可以更新S/MIME的最低密码套件,而不会淘汰任何实质性的S/MIME for SIP部署(事实上,这些更改可能会使对S/MIME的支持变得更容易)。因此,本文件更新了RFC 3261中S/MIME的规范性要求。
Note that work on these revisions in the S/MIME working group is still in progress. This document will continue to track that work as it evolves. By initiating this process in the SIP WG now, we provide an early opportunity for input into the proposed changes and give implementers some warning that the S/MIME requirements for SIP are potentially changing.
请注意,S/MIME工作组中关于这些修订的工作仍在进行中。本文件将继续跟踪这项工作的进展。通过在SIP WG now中启动此过程,我们为建议的更改提供了早期输入机会,并向实现者发出一些警告,即SIP的S/MIME需求可能正在发生变化。
In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119 [2] and indicate requirement levels for compliant SIP implementations.
在本文件中,关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”将按照BCP 14、RFC 2119[2]中的描述进行解释,并指出合规SIP实施的要求级别。
The following updates the text of RFC 3261 Section 23.3, specifically the fifth bullet point. The text currently reads:
以下更新了RFC 3261第23.3节的内容,特别是第五个要点。目前案文如下:
o S/MIME implementations MUST at a minimum support SHA1 as a digital signature algorithm, and 3DES as an encryption algorithm. All other signature and encryption algorithms MAY be supported. Implementations can negotiate support for these algorithms with the "SMIMECapabilities" attribute.
o S/MIME实现必须至少支持SHA1作为数字签名算法,3DES作为加密算法。可能支持所有其他签名和加密算法。实现可以使用“SMIMECapabilities”属性协商对这些算法的支持。
This text is updated with the following:
此文本更新为以下内容:
S/MIME implementations MUST at a minimum support RSA as a digital signature algorithm and SHA1 as a digest algorithm [5], and AES as an encryption algorithm (as specified in [4]. For key transport, S/MIME implementations MUST support RSA key transport as specified in section 4.2.1. of [5]. S/MIME implementations of AES MUST support 128-bit AES keys, and SHOULD support 192 and 256-bit keys. Note that the S/MIME specification [8] mandates support for 3DES as an encryption algorithm, DH for key encryption and DSS as a signature algorithm. In the SIP profile of S/MIME, support for 3DES, DH and DSS is RECOMMENDED but not required. All other signature and encryption algorithms MAY be supported. Implementations can negotiate support for algorithms with the "SMIMECapabilities" attribute.
S/MIME实现必须至少支持RSA作为数字签名算法,SHA1作为摘要算法[5],AES作为加密算法(如[4]所述)。对于密钥传输,S/MIME实现必须支持RSA密钥传输,如[5]第4.2.1.节所述AES的.S/MIME实现必须支持128位AES密钥,并应支持192位和256位密钥。请注意,S/MIME规范[8]强制支持3DES作为加密算法,DH作为密钥加密,DSS作为签名算法。在S/MIME的SIP配置文件中,建议支持3DES、DH和DSS,但不是必需的。可能支持所有其他签名和加密算法。实现可以协商支持具有“SMIMECapabilities”的算法属性
Since SIP is 8-bit clean, all implementations MUST use 8-bit binary Content-Transfer-Encoding for S/MIME in SIP. Implementations MAY also be able to receive base-64 Content-Transfer-Encoding.
由于SIP是8位干净的,所以所有实现都必须在SIP中对S/MIME使用8位二进制内容传输编码。实现还可以接收base-64内容传输编码。
The migration of the S/MIME requirement from Triple-DES to AES is not known to introduce any new security considerations.
将S/MIME需求从三重DES迁移到AES并不知道会引入任何新的安全考虑因素。
[1] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.
[1] Rosenberg,J.,Schulzrinne,H.,Camarillo,G.,Johnston,A.,Peterson,J.,Sparks,R.,Handley,M.,和E.Schooler,“SIP:会话启动协议”,RFC 3261,2002年6月。
[2] Bradner, S., "Key words for use in RFCs to indicate requirement levels", BCP 14, RFC 2119, March 1997.
[2] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[3] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3369, August 2002.
[3] Housley,R.,“加密消息语法(CMS)”,RFC3369,2002年8月。
[4] Schaad, J., "Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS)", RFC 3565, July 2003.
[4] Schaad,J.,“在加密消息语法(CMS)中使用高级加密标准(AES)加密算法”,RFC 3565,2003年7月。
[5] Housley, R., "Cryptographic Message Syntax (CMS) Algorithms", RFC 3394, August 2002.
[5] Housley,R.,“加密消息语法(CMS)算法”,RFC 33942002年8月。
[6] National Institute of Standards & Technology, "Advanced Encryption Standard (AES).", FIPS 197, November 2001.
[6] 国家标准与技术研究所,“高级加密标准(AES)”,FIPS 197,2001年11月。
[7] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", RFC 2246, January 1999.
[7] Dierks,T.和C.Allen,“TLS协议1.0版”,RFC 2246,1999年1月。
[8] Ramsdell, B., Ed., "S/MIME Version 3.1 Message Specification", RFC 3851, July 2004.
[8] Ramsdell,B.,编辑,“S/MIME版本3.1消息规范”,RFC 38512004年7月。
Thanks to Rohan Mahy, Gonzalo Camarillo, and Eric Rescorla for review of this document.
感谢Rohan Mahy、Gonzalo Camarillo和Eric Rescorla对本文件的审阅。
Jon Peterson NeuStar, Inc. 1800 Sutter St Suite 570 Concord, CA 94520 US
美国加利福尼亚州康科德市萨特街1800号570室Jon Peterson NeuStar,Inc.94520
Phone: +1 925/363-8720
EMail: jon.peterson@neustar.biz
URI: http://www.neustar.biz/
Phone: +1 925/363-8720
EMail: jon.peterson@neustar.biz
URI: http://www.neustar.biz/
Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
版权所有(C)互联网协会(2004年)。本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。