Network Working Group J. Schaad Internet-Draft Soaring Hawk Consulting Intended status: Experimental December 17, 2009 Expires: June 20, 2010 Experiment: Hash functions with parameters in CMS and S/MIME draft-schaad-smime-hash-experiment-01 Abstract New hash algorithms are being developed and these algorithms may include parameters. CMS has not currently defined any hash algorithms with parameters, but anecdotic evidence suggests that defining one could cause major problems. In this document we define just such an algorithm and describe how to use it so that we can run experiments to find out how bad including hash parameters will be. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on June 20, 2010. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents Schaad Expires June 20, 2010 [Page 1] Internet-Draft CMS Paramertized Hash December 2009 (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. Schaad Expires June 20, 2010 [Page 2] Internet-Draft CMS Paramertized Hash December 2009 1. Introduction At the present time, all hash algorithms that are used in Cryptographic Message Syntax [CMS] implementations are defined as having no parameters. Anecdotal evidence suggests that if a hash algorithm is defined that does require the presence of parameters there may be extensive problems. This document describes presents the details needed to run an experiment so that we can find out just how bad the situation really is and if we need to either make drastic changes in implementations or make sure that any hash algorithms chosen do not have parameters. In CMS data structures, hash algorithms current exist in the following locations: - SignerInfo.digestAlgorithm -- holds the digest algorithm actually used to compute the hash value over the content. - DigestedData.digestAlgorithm -- holds the digest algorithm actually used to compute the hash value over the content - AuthenticatedData.digestAlgorithm -- holds the digest algorithm actually used to compute the hash value over the content - SignedData.digestAlgorithms -- an optional location to place information about the set of digest algorithms used in computing the hash value over the content. - multipart/signed micalg - Holds a textual indicator of the hash algorithm for multipart signed MIME messages. The first three locations hold the identification of a single hash, and would hold the parameters for that hash. These fields are mandatory to be filled in. DigestedData and AthenticatedData are defined such that in the case of encapsulated data, these fields are parsed before the content is parsed and thus the data is not needed until the parameters have been seen. SignedData is defined such that even for the encapsulated data case, the value of SignerInfo.digestedAlgorithm is not seen until the content has been processed. This is the reason for the existence of the SignedData.digestAlgorithms field, so that the set of all digest algorithms used can be seen prior to the content being processed. For the case of detached content, the ASN.1 structures need to be procssed prior to processing the detached content in order to obtain Schaad Expires June 20, 2010 [Page 3] Internet-Draft CMS Paramertized Hash December 2009 the parameters of the hash function. In the case of MIME, this is the purpose of the micalg field on the multipart/signature content- type. When processing multipart/signed messages two paths exists: 1. Process the content before the ASN.1. The steps involved are: - Get a set of hash functions by looking at the micalg parameter and potentially add a set of generic algorithms - Create a hasher for each of those algorithms - Hash the content (the first part of the multipart) - Process the ASN.1 and have a potential failure point if a hash algorithm is required which was not computed. 2. Process the content after the ASN.1. The steps involved are: - Save the content for later processing - Parse the ASN.1 and build a list of hash functions based on it's content - Create a hasher for each of those algorithms - Hash the saved content - Perform the signature validation. The first path allows for single pass processing, but has the potential that a fallback path needs to be added in some cases. The second path does not need a fallback path, but does not allow for single pass processing. The fallback path above may also be needed for the encapsulated content case. Since it is optional to place hash algorithms in the SignedData.digestAlgorithms field, the content will be completely parsed before the set of hash algorithms in the SignerInfos are determined. It may be that we need to require population of the SignedData.digestAlgorithms field if we adopt a parameterized hash field. In this document a new hash function is created that is based on the XOR operator and on MD5. MD5 was deliberately used as the basis of this digest algorithm since it is known to be insecure and I do not want to make any statements that the hash algorithm designed here is Schaad Expires June 20, 2010 [Page 4] Internet-Draft CMS Paramertized Hash December 2009 in any way secure. This hash function MUST NOT be released as shipping code, it is designed only for use in experimentation. Schaad Expires June 20, 2010 [Page 5] Internet-Draft CMS Paramertized Hash December 2009 2. XOR-MD5 Digest Algorithm The XOR-MD5 digest algorithm has been designed to use two existing operators, XOR and the MD5 hash algorithm [MD5]. The hash algorithm works as follows: 1. A random XOR string consisting of exactly 64 bytes is created. 2. The input content is broken up into 64 byte blocks. The last block may be less that 64 bytes. 3. Each block is XOR-ed with the random string. The last block uses the same number of bits from the random string as it contains. 4. The resulting string is run through the MD5 hash function. The length of the XOR string was designed to match the barrel size of the MD5 hash function. Schaad Expires June 20, 2010 [Page 6] Internet-Draft CMS Paramertized Hash December 2009 3. ASN.1 Encoding The following ASN.1 is used to define the algorithm: mda-xor-md5 DIGEST-ALGORITHM ::= { IDENTIFIER {tbd} PARAMS OCTET STRING (64) ARE required } The octet string holds the value of the random XOR string. Schaad Expires June 20, 2010 [Page 7] Internet-Draft CMS Paramertized Hash December 2009 4. CMS ASN.1 Handling The algorithm is added to the DigestAlgorithmSet in [CMS]. When this algorithm is used in a signed message, it is REQUIRED that the algorithm be placed in the SignedData.digestAlgorithms sequence. The algorithm MUST appear in the sequence at least once for each unique set of parameters. The algorithm SHOULD NOT appear multiple times with the same set of parameters. Schaad Expires June 20, 2010 [Page 8] Internet-Draft CMS Paramertized Hash December 2009 5. MIME handling This section defines the string that appears in the micalg parameter. The algorithm is identified by the string xor-md5. The parameters for the algorithm are the hex encoded DER ASN.1 encoding. The parameters and the identifier string are separated by a colon. Arbitrary amounts of white space may be inserted between any two characters in the hex encoded string. An example content-type string would be: Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1, xor-md5:04400102030405060708090a0b0c0d0e0f00111213141 5161718191a1b1c1d1e1f102122232425262728292a2b2c2d2e2f2031323334353 63738393a3b3c3d3e3f30; boundary=boundar42 Arguments could be made that the string should be base64 encoded rather than hex encoding the string. The advantage is that the resulting encoding is shorter. This could be significant if there are a substantial number of parameters and of a substantial size. Even with the above example we needed to break the encoding across multiple lines. The downside would be the requirement that the micalg parameter always be quoted. It may be reasonable to require that whitespace be inserted only on encoding boundaries, but it seems to be overly restrictive. Schaad Expires June 20, 2010 [Page 9] Internet-Draft CMS Paramertized Hash December 2009 6. Security Considerations The algorithm XOR-MD5 is not designed for general purpose use. The hash algorithm included here is designed for running this experiment and nothing more. This document makes no representation that XOR-MD5 is a secure digest algorithm. I believe that the algorithm is no more secure than MD5, and I consider MD5 to be a broken hash algorithm for many purposes. One known issue with the algorithm as present is the fact that the xor pattern is always 64 bytes long, even if the data is shorter. This means that there is a section of the data than can be manipulated without changing the hash. In a real algorithm this should either be truncated or forced to a known value. Schaad Expires June 20, 2010 [Page 10] Internet-Draft CMS Paramertized Hash December 2009 7. Informational References [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, July 2004. [RFC4134] Hoffman, P., "Examples of S/MIME Messages", RFC 4134, July 2005. Schaad Expires June 20, 2010 [Page 11] Internet-Draft CMS Paramertized Hash December 2009 Appendix A. Examples Provided here are a set of examples that are provided for testing. The content used is the same as that found in Section 2.1 of [RFC4134]. The The certificates and key pairs found in [RFC4134] are also used here. The perl script in [RFC4134] can be used to extract the binary examples from this file. The mime examples can be extracted with a standard text editor. NOTE: THESE EXAMPLES ARE NOT CORRECT AS THE FINAL OIDS HAVE NOT BEEN ASSIGNED. THE KEYS WERE NOT USED AT THIS POINT. Appendix A.1. Encapsulated Signed Data Example This section contains a detached signed data example. The content was hashed with the md5-xor algorithm defined in this document. The signature is performed using RSA with MD5. The signature is wrapped as an embedded signed mime message. Schaad Expires June 20, 2010 [Page 12] Internet-Draft CMS Paramertized Hash December 2009 MIME-Version: 1.0 To: BobRSA@examples.com From: AliceDss@examples.com Subject: MD5-XOR example message Message-Id: >34567809323489fd.esc@examples.com< Date: Wed, 16 Dec 2009 23:13:00 -0500 Content-Type: application/pkcs7-mime; smime-type=signed-data; name=smime.p7m; micalg=xor-md5: 0440010203405060708090a0b0c0d0e0f10 111213415161718191a1b1c1d1e1f20212223425262728292a2b2c2d2e2f30 313233435363738393a3b3c3d3e3f40 Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7m MIICeQYJKoZIhvcNAQcCoIICajCCAmYCAQAxUjBQBgwqhkiG9w0BCRADh2cEQAECAwQFBg cICQoLDA0ODxAREhMEFRYXGBkaGxwdHh8gISIjBCUmJygpKissLS4vMDEyMwQ1Njc4OTo7 PD0+P0AwKwYJKoZIhvcNAQcBoB4EHFRoaXMgaXMgc29tZSBzYW1wbGUgY29udGVudC4xgg HeMIIB2gIBADAmMBIxEDAOBgNVBAMMB0NhcmxSU0ECEEY0a8eAAFa8EdNuLs1dcdAwUAYM KoZIhvcNAQkQA4dnBEABAgMEBQYHCAkKCwwNDg8QERITBBUWFxgZGhscHR4fICEiIwQlJi coKSorLC0uLzAxMjMENTY3ODk6Ozw9Pj9AoIHKMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B BwEwHAYJKoZIhvcNAQkFMQ8XDTA5MTIxMDIzMjUwMFowHwYJKoZIhvcNAQkEMRIEEJZprm EbV56D6hAra0ndwPkwbwYKKoZIhvcNAQmHXTFhMF8wUAYMKoZIhvcNAQkQA4dnBEABAgME BQYHCAkKCwwNDg8QERITBBUWFxgZGhscHR4fICEiIwQlJicoKSorLC0uLzAxMjMENTY3OD k6Ozw9Pj9AoQsGCSqGSIb3DQEBBDALBgkqhkiG9w0BAQQEgYDMzMzMzMzMzMzMzMzMzMzM zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM zMzMzMzMzA== |>sd.bin |MIICeQYJKoZIhvcNAQcCoIICajCCAmYCAQAxUjBQBgwqhkiG9w0BCRADh2cEQAECAwQFBg |cICQoLDA0ODxAREhMEFRYXGBkaGxwdHh8gISIjBCUmJygpKissLS4vMDEyMwQ1Njc4OTo7 |PD0+P0AwKwYJKoZIhvcNAQcBoB4EHFRoaXMgaXMgc29tZSBzYW1wbGUgY29udGVudC4xgg |HeMIIB2gIBADAmMBIxEDAOBgNVBAMMB0NhcmxSU0ECEEY0a8eAAFa8EdNuLs1dcdAwUAYM |KoZIhvcNAQkQA4dnBEABAgMEBQYHCAkKCwwNDg8QERITBBUWFxgZGhscHR4fICEiIwQlJi |coKSorLC0uLzAxMjMENTY3ODk6Ozw9Pj9AoIHKMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B |BwEwHAYJKoZIhvcNAQkFMQ8XDTA5MTIxMDIzMjUwMFowHwYJKoZIhvcNAQkEMRIEEJZprm |EbV56D6hAra0ndwPkwbwYKKoZIhvcNAQmHXTFhMF8wUAYMKoZIhvcNAQkQA4dnBEABAgME |BQYHCAkKCwwNDg8QERITBBUWFxgZGhscHR4fICEiIwQlJicoKSorLC0uLzAxMjMENTY3OD |k6Ozw9Pj9AoQsGCSqGSIb3DQEBBDALBgkqhkiG9w0BAQQEgYDMzMzMzMzMzMzMzMzMzMzM |zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM |zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM |zMzMzMzMzA== |091218002550300.249@examples.com< Date: Fri, 18 Dec 2009 00:25:21 -0300 Content-Type: multipart/signed; micalg=xor-md5: 0440010203405060708090a0b0c0d0e0f10 111213415161718191a1b1c1d1e1f20212223425262728292a2b2c2d2e2f30 313233435363738393a3b3c3d3e3f40 boundary="----=_NextBoundry____Fri,_18_Dec_2009_00:25:21"; protocol="application/pkcs7-signature" This is a multi-part message in MIME format. ------=_NextBoundry____Fri,_18_Dec_2009_00:25:21 This is some sample content. ------=_NextBoundry____Fri,_18_Dec_2009_00:25:21 Content-Type: application/pkcs7-signature; name=smime.p7s Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7s MIIDdwYJKoZIhvcNAQcCoIIDaDCCA2QCAQExCTAHBgUrDgMCGjALBgkqhkiG9w0BBwGgggL gMIIC3DCCApugAwIBAgICAMgwCQYHKoZIzjgEAzASMRAwDgYDVQQDEwdDYXJsRFNTMB4XDT k5MDgxNzAxMTA0OVoXDTM5MTIzMTIzNTk1OVowEzERMA8GA1UEAxMIQWxpY2VEU1MwggG2M IIBKwYHKoZIzjgEATCCAR4CgYEAgY3N7YPqCp45PsJIKKPkR5PdDteoDuxTxauECE//lOFz SH4M1vNESNH+n6+koYkv4dkwyDbeP5u/t0zcX2mK5HXQNwyRCJWb3qde+fz0ny/dQ6iLVPE /sAcIR01diMPDtbPjVQh11Tl2EMR4vf+dsISXN/LkURu15AmWXPN+W9sCFQDiR6YaRWa4E8 baj7g3IStii/eTzQKBgCY40BSJMqo5+z5t2UtZakx2IzkEAjVc8ssaMMMeUF3dm1nizaoFP VjAe6I2uG4Hr32KQiWn9HXPSgheSz6Q+G3qnMkhijt2FOnOLl2jB80jhbgvMAF8bUmJEYk2 RL34yJVKU1a14vlz7BphNh8Rf8K97dFQ/5h0wtGBSmA5ujY5A4GEAAKBgFzjuVp1FJYLqXr d4z+p7Kxe3L23ExE0phaJKBEj2TSGZ3V1ExI9Q1tv5VG/+onyohs+JH09B41bY8i7RaWgSu OF1s4GgD/oI34a8iSrUxq4Jw0e7wi/ZhSAXGKsZfoVi/G7NNTSljf2YUeyxDKE8H5BQP1Gp 2NOM/Kl4vTyg+W4o4GBMH8wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwHwYDVR0j BBgwFoAUcEQ+gi5vh95K03XjPSC8QyuT8R8wHQYDVR0OBBYEFL5sobPjwfftQ3CkzhMB4v3 jl/7NMB8GA1UdEQQYMBaBFEFsaWNlRFNTQGV4YW1wbGUuY29tMAkGByqGSM44BAMDMAAwLQ IUVQykGR9CK4lxIjONg2q1PWdrv0UCFQCfYVNSVAtcst3a53Yd4hBSW0NevTFjMGECAQEwG DASMRAwDgYDVQQDEwdDYXJsRFNTAgIAyDAHBgUrDgMCGjAJBgcqhkjOOAQDBC4wLAIUM/mG f6gkgp9Z0XtRdGimJeB/BxUCFGFFJqwYRt1WYcIOQoGiaowqGzVI Schaad Expires June 20, 2010 [Page 14] Internet-Draft CMS Paramertized Hash December 2009 ------=_NextBoundry____Fri,_18_Dec_2009_00:25:21-- Appendix A.3. Autenticated Data Example This section contains an authenticated data example. The content was hashed with the md5-xor algorithm defined in this document. The authentication was done with the HMAC-SHA1 algorithm. The key is transported using RSA encryption to BobRSASignByCarl certificate. MIME-Version: 1.0 To: BobRSA@examples.com From: AliceDss@examples.com Subject: MD5-XOR example message Message-Id: <34567809323489fd.esc@examples.com> Date: Wed, 16 Dec 2009 23:13:00 -0500 Content-Type: application/pkcs7-mime; smime-type=authenticated-data; name=smime.p7m; micalg=xor-md5: 0440010203405060708090a0b0c0d0e0f10 111213415161718191a1b1c1d1e1f20212223425262728292a2b2c2d2e2f30 313233435363738393a3b3c3d3e3f40 Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7m MIAGCyqGSIb3DQEJEAECoIAwgAIBADGAMIACAQAwgDCAMYAwgAYDVQQDDAdDYXJsUlNBAA AAAAAAAhBGNGvHgABWvBHTbi7NXXHQAAAwgAYJKoZIhvcNAQEBAAAECszMzMzMzMzMzMwA AAAAMIAGCCsGAQUFCAECAAChgAYMKoZIhvcNAQkQA4dnBEABAgMEBQYHCAkKCwwNDg8QER ITBBUWFxgZGhscHR4fICEiIwQlJicoKSorLC0uLzAxMjMENTY3ODk6Ozw9Pj9AAAAwgAYJ KoZIhvcNAQcBoIAEHFRoaXMgaXMgc29tZSBzYW1wbGUgY29udGVudC4AAAAAooAwgAYJKo ZIhvcNAQkDMYAGCSqGSIb3DQEHAQAAAAAwgAYJKoZIhvcNAQkFMYAXDTA5MTIxMDIzMjUw MFoAAAAAMIAGCSqGSIb3DQEJBDGABBCWaa5hG1eeg+oQK2tJ3cD5AAAAADCABgoqhkiG9w 0BCYddMYAwgDCABgwqhkiG9w0BCRADh2cEQAECAwQFBgcICQoLDA0ODxAREhMEFRYXGBka GxwdHh8gISIjBCUmJygpKissLS4vMDEyMwQ1Njc4OTo7PD0+P0AAAKKABggrBgEFBQgBAg AAAAAAAAAAAAAECszMzMzMzMzMzMwAAAAAAAA= |>ad.bin |MIAGCyqGSIb3DQEJEAECoIAwgAIBADGAMIACAQAwgDCAMYAwgAYDVQQDDAdDYXJsUlNBAA |AAAAAAAhBGNGvHgABWvBHTbi7NXXHQAAAwgAYJKoZIhvcNAQEBAAAECszMzMzMzMzMzMwA |AAAAMIAGCCsGAQUFCAECAAChgAYMKoZIhvcNAQkQA4dnBEABAgMEBQYHCAkKCwwNDg8QER |ITBBUWFxgZGhscHR4fICEiIwQlJicoKSorLC0uLzAxMjMENTY3ODk6Ozw9Pj9AAAAwgAYJ |KoZIhvcNAQcBoIAEHFRoaXMgaXMgc29tZSBzYW1wbGUgY29udGVudC4AAAAAooAwgAYJKo |ZIhvcNAQkDMYAGCSqGSIb3DQEHAQAAAAAwgAYJKoZIhvcNAQkFMYAXDTA5MTIxMDIzMjUw |MFoAAAAAMIAGCSqGSIb3DQEJBDGABBCWaa5hG1eeg+oQK2tJ3cD5AAAAADCABgoqhkiG9w |0BCYddMYAwgDCABgwqhkiG9w0BCRADh2cEQAECAwQFBgcICQoLDA0ODxAREhMEFRYXGBka |GxwdHh8gISIjBCUmJygpKissLS4vMDEyMwQ1Njc4OTo7PD0+P0AAAKKABggrBgEFBQgBAg |AAAAAAAAAAAAAECszMzMzMzMzMzMwAAAAAAAA= |