Subject: [xcbf] XCBF Cryptographic Message Syntax (CMS)
Here's a first pass at a CMS schema for use by XCBF. I've more to do still, and it has not even been syntax checked yet, but it will give you a better idea of how the biometrics are enhanced using CMS security types in XCBF. I also hope to initiate discussion on which cryptographic algorithms we will support. So, I've started filling in the algorithm IOSets with what I believe is best. Of course, where there is more than one algorithm for a given use, we should probably choose one or more that must be supported. I'll post an updated version to the XCBF web site once I have something that is a little more clean.

Phil

--
-- Revised: Saturday, May 11, 2002
--
-- Last Modified: Saturday, May 11, 2002
--
-- The following ASN.1 is based on the module found in the
-- ANS X9.84 Biometric Information Management and Security
-- standard. It has been modified for use in the OASIS XML
-- Common Biometric Standard (XCBF) and provides a simplified
-- cryptographic message syntax based in part on definitions
-- from X9.73 for the CMS types AuthenticatedData, EncryptedData,
-- EnvelopedData, and SignedData initially defined in RSA PKCS #7.

XCBF-CMS  -- { Need OID here } --
   DEFINITIONS IMPLICIT TAGS ::= BEGIN

-- EXPORTS All;

IMPORTS

   -- X.501 Directory Information Framework --

   ATTRIBUTE, Name
      FROM InformationFramework {
         joint-iso-itu-t ds(5) modules(1) informationFramework(1) 3 }

   -- X.509 Directory Authentication Framework --

   AttributeCertificate, Certificate, CertificateList
      FROM AuthenticationFramework {
         joint-iso-itu-t ds(5) module(1) authenticationFramework(7) 3 }

   -- X9.68 Domain Certificate Syntax --

   DomainCertificate
      FROM DomainCertificate {
         iso(1) identified-organization(3) tc68(133) country(16) x9(840)
         x9Standards(9) x9-68(68) modules(0) domainCertificate(1) }

   dhpublicnumber, dsa-with-sha1, ecdsa-with-SHA1, ellipticCurve,
   sha1, rsaEncryption, sha1WithRSAEncryption
      FROM XCBF-OIDs  -- { Need OID here } -- ;

SignedData ::= SEQUENCE {
   version           Version (v1),
   digestAlgorithms  DigestAlgorithmIdentifiers,
   contentInfo       ContentInfo,
   certificates      [0] CertificateSet OPTIONAL,
   crls              [1] CertificateRevocationLists OPTIONAL,
   signerInfos       SignerInfos
}

Version ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }

DigestAlgorithmIdentifiers ::= SET SIZE(1) OF DigestAlgorithmIdentifier

DigestAlgorithmIdentifier ::= AlgorithmIdentifier {{DigestAlgorithms}}

DigestAlgorithms ALGORITHM ::= {
   { OID sha1  PARMS NoIV },

   ...  -- Expect others --
}

NoIV ::= NULL  -- No initialization vector

ContentInfo ::= SEQUENCE {
   contentType  ContentType
}

ContentType ::= CONTENTS.&id({Contents})

CONTENTS ::= TYPE-IDENTIFIER  -- ISO/IEC 8824-2:1998, Annex A

Contents CONTENTS ::= {
   { SignedData         IDENTIFIED BY id-signedData } |
   { EnvelopedData      IDENTIFIED BY id-envelopedData } |
   { AuthenticatedData  IDENTIFIED BY id-ct-authData } |
   { EncryptedData      IDENTIFIED BY id-encryptedData },

   ...  -- Expect additional objects --
}

CertificateSet ::= SET SIZE(1..MAX) OF CertificateChoices

CertificateChoices ::= CHOICE {
   certificate  Certificate,
   attrCert     [1] AttributeCertificate,
   domainCert   [2] DomainCertificate,  -- X9.68:2
   otherCert    [3] OtherCertificate
}

-- PHG Maybe XCBF should not support OtherCertificate
--     For that matter, maybe we should not support
--     AttributeCertificate and just focus on X.509
--     certificates and DomainCertificate for constrained
--     environment use???

OtherCertificate ::= INSTANCE OF OTHER-CERT({CertSet})

OTHER-CERT ::= TYPE-IDENTIFIER  -- ISO/IEC 8824-2:1998, Annex A

CertSet OTHER-CERT ::= {
   ...  -- defined as needed --
}

CertificateRevocationLists ::= SET SIZE(1..MAX) OF CertificateList

SignerInfos ::= SET SIZE(1) OF SignerInfo

SignerInfo ::= SEQUENCE {
   version             Version (v1),
   sid                 IssuerAndSerialNumber,
   digestAlgorithm     DigestAlgorithmIdentifier,
   signatureAlgorithm  SignatureAlgorithmIdentifier,
   signature           SignatureValue
}

IssuerAndSerialNumber ::= SEQUENCE {
   issuer        Name,
   serialNumber  CertificateSerialNumber
}

CertificateSerialNumber ::= INTEGER  -- Expect large values

SignatureAlgorithmIdentifier ::=
   AlgorithmIdentifier {{SignatureAlgorithms}}

SignatureAlgorithms ALGORITHM ::= {
   -- { OID dsa-with-sha1    PHG need to define parms --
   -- { OID ecdsa-with-SHA1  PHG need to define parms --
   { OID sha1WithRSAEncryption  PARMS NoIV },

   ...  -- Expect others --
}

SignatureValue ::= OCTET STRING

EncryptedData ::= SEQUENCE {
   version               Version (v0),
   encryptedContentInfo  EncryptedContentInfo
}

EncryptedContentInfo ::= SEQUENCE {
   contentType                 ContentType,
   contentEncryptionAlgorithm  ContentEncryptionAlgorithmIdentifier,
   encryptedContent            [0] EncryptedContent OPTIONAL
}

ContentEncryptionAlgorithmIdentifier ::=
   AlgorithmIdentifier {{ContentEncryptionAlgorithms}}

ContentEncryptionAlgorithms ALGORITHM ::= {
   ...  -- any X9-approved algorithm --
}

EncryptedContent ::= OCTET STRING

EnvelopedData ::= SEQUENCE {
   version               Version,
   recipientInfos        RecipientInfos,
   encryptedContentInfo  EncryptedContentInfo
}

RecipientInfos ::= SET SIZE(1) OF RecipientInfo

RecipientInfo ::= CHOICE {
   ktri   KeyTransRecipientInfo,
   kari   [1] KeyAgreeRecipientInfo,
   mlri   [2] KEKRecipientInfo,
   ekmri  [3] ExtendedKeyMgmtRecipientInfo
}

KeyTransRecipientInfo ::= SEQUENCE {
   version                 Version (v0|v2),
   rid                     EntityIdentifier,
   keyEncryptionAlgorithm  KeyEncryptionAlgorithmIdentifier,
   encryptedKey            EncryptedKey
}

EntityIdentifier ::= CHOICE {
   issuerAndSerialNumber  IssuerAndSerialNumber,
   subjectKeyIdentifier   [0] SubjectKeyIdentifier
}

SubjectKeyIdentifier ::= OCTET STRING

KeyEncryptionAlgorithmIdentifier ::=
   AlgorithmIdentifier {{KeyEncryptionAlgorithms}}

KeyEncryptionAlgorithms ALGORITHM ::= {
   ...  -- any X9-approved algorithm --
}

EncryptedKey ::= OCTET STRING

KeyAgreeRecipientInfo ::= SEQUENCE {
   version                 Version (v3),
   originatorCert          [0] EXPLICIT EntityIdentifier,
   ukm                     [1] EXPLICIT UserKeyingMaterial OPTIONAL,
   keyEncryptionAlgorithm  KeyEncryptionAlgorithmIdentifier,
   recipientEncryptedKeys  RecipientEncryptedKeys
}

UserKeyingMaterial ::= OCTET STRING

RecipientEncryptedKeys ::= SEQUENCE SIZE(1..MAX) OF RecipientEncryptedKey

RecipientEncryptedKey ::= SEQUENCE {
   rid           RecipientIdentifier,
   encryptedKey  EncryptedKey
}

RecipientIdentifier ::= CHOICE {
   issuerAndSerialNumber  IssuerAndSerialNumber,
   rKeyId                 [0] RecipientKeyIdentifier
}

RecipientKeyIdentifier ::= SEQUENCE {
   subjectKeyIdentifier  SubjectKeyIdentifier,
   date                  GeneralizedTime OPTIONAL,
   other                 OtherKeyAttribute OPTIONAL
}

OtherKeyAttribute ::= AttributeTypeAndValue

AttributeTypeAndValue ::= SEQUENCE {
   type   ATTRIBUTE.&id({OtherAttributes}),
   value  ATTRIBUTE.&Type({OtherAttributes}{@type})
}

OtherAttributes ATTRIBUTE ::= {
   ...
}

KEKRecipientInfo ::= SEQUENCE {
   version                 Version (v4),
   kekid                   KEKIdentifier,
   keyEncryptionAlgorithm  KeyEncryptionAlgorithmIdentifier,
   encryptedKey            EncryptedKey
}

KEKIdentifier ::= SEQUENCE {
   kekIdentifier  OCTET STRING,
   date           GeneralizedTime OPTIONAL,
   other          OtherKeyAttribute OPTIONAL
}

ExtendedKeyMgmtRecipientInfo ::=
   INSTANCE OF EXTENDED-KEY-MGMT-INFO({EKMIOSet})

EXTENDED-KEY-MGMT-INFO ::= TYPE-IDENTIFIER  -- ISO/IEC 8824-2:1998, Annex A

EKMIOSet EXTENDED-KEY-MGMT-INFO ::= {
   -- PHG Need to decide if we want to explicitly support
   --     Constructive Key Management in this OASIS XCBF
   --     work. I think this complexity is best avoided,
   --     but cutting it out - what a nasty hack

   ...  -- as defined in X9.73 --
}

AuthenticatedData ::= SEQUENCE {
   version         Version (v0),
   recipientInfos  RecipientInfos,
   macAlgorithm    MACAlgorithmIdentifier,
   contentInfo     ContentInfo,
   mac             MessageAuthenticationCode
}

MACAlgorithmIdentifier ::= AlgorithmIdentifier {{MACAlgorithms}}

MACAlgorithms ALGORITHM ::= {
   -- PHG Need X9.71 HMAC OID here

   ...  -- any X9-approved MAC or HMAC algorithm --
}

MessageAuthenticationCode ::= OCTET STRING

-- Cryptographic algorithm identification --

ALGORITHM ::= CLASS {
   &id    OBJECT IDENTIFIER UNIQUE,
   &Type  OPTIONAL
}
   WITH SYNTAX { OID &id [PARMS &Type] }

AlgorithmIdentifier { ALGORITHM:IOSet } ::= SEQUENCE {
   algorithm   ALGORITHM.&id( {IOSet} ),
   parameters  ALGORITHM.&Type( {IOSet}{@algorithm} ) OPTIONAL
}

END  -- XCBF-CMS --