A set-key attribute for symmetric-key packages
MIT Lincoln Laboratory244 Wood St.LexingtonMA02144USAjherzog@ll.mit.eduMIT Lincoln Laboratory244 Wood St.LexingtonMA02144USArkh@ll.mit.edu
Security
set-keygroup-key A set-key is a symmetric key (or set of keys) associated
with an immutable set of participants. This document defines a
set-key attribute for use in the CMS-based symmetric-key package
structure .
This work is sponsored by the United States Air Force under
Air Force Contract FA8721-05-C-0002. Opinions, interpretations,
conclusions and recommendations are those of the authors and are
not necessarily endorsed by the United States Government.
This document defines a new set-key attribute for use in the
symmetric-key package structure defined in .
A 'set-key' is a symmetric key associated with (and to be
limited to) a specific set of participants (entities). The
exact definition of 'participant', in the context of a
particular key, will depend on the key's intended
application. Roughly speaking, however, the set of
participants corresponds to the collection of individual
agents which must possess and use the key for the key's
intended purpose. In practice, a 'participant' will often be
an entity with a certified public key, but other definitions
of 'participant' are possible.
A set-key can be used in many ways,
including:
To secure broadcast or multicasts of e.g., pay-per-view
movies,To secure group-communication such as chat rooms, orTo secure data-at-rest which belongs to a group (such as
on an encrypted file-system or on a server).
The only requirement of a set-key is that it be associated
with a specific and unchanging set of participants. That is,
this document draws a distinction between sets and
groups.
Sets are immutable structures: a set S of
participants is a mathematical entity and does not change.
A group, on the other hand, is a mutable structure that
might have a certain name or set of names; may be under
the control of a given administration; and may be mapped
to a sequence of sets over time according to the needs
of some particular application.
This document considers only sets, and therefore will not
consider issues such as group-administration, adding or
removing members, revoking keys, and so on. Set-keys can be
used to build group-keying protocols, but such issues are
outside the scope of this document.
By the 'participant-set' of a set-key, we mean the set of
participants associated with the set-key. We further note
that the participant-set of a set-key can be partitioned
into two sub-sets: the active participants and the passive
participants. In some set-key applications, such as
group-chat, all participants may be active: both sending and
receiving. In other applications, such as multicast of
pay-per-view movies, most participants are passive: only
receiving. Because it may be important in some applications
to know which partipants are active and which are passive,
we will allow these two sub-sets to be explicitly
distinguished from each other.
The Cryptographic Message Syntax (CMS) is a standard notation and representation
for cryptographic messages. CMS is based on ASN.1 , , , and uses that
notation to define a number of structures relevant to
cryptography such as certificates, encrypted or signed
messages, and so on.
uses CMS to define a structure for
symmetric key packages: collections of symmetric keys which
share common properties and are intended for the same
participants. The syntax for this structure follows:
A key-package (SymmetricKeyPackage) contains some
meta-information, including attributes (sKeyPkgAttrs) , and a sequence of
key-structures. Each individual key-structure
(OneSymmetricKey) contains some attributes (sKeyAttrs) and
some actual keying material (sKey). Attributes in the
sKeyPkgAttrs field apply to every key in the package, while
attributes in a sKeyAttrs field apply only to the key in the
containing OneSymmetricKey structure. The same attribute
cannot appear at both the package-level and the
key-level. That is, a given attribute can:
appear in the sKeyPkgAttrs field but not in the
sKeyAttrs field of any OneSymmetricKey structure,appear in the sKeyAttrs field of one or more
OneSymmetricKey structures but not the sKeyPkgAttrs
field, ornot be included in the key-package at all.
Also, it is not required that every attribute be applicable
at both levels. That is, allows a
given attribute to be valid for only the sKeyPkgAttrs field
or for only the sKeyAttrs field.
The grammar for attributes is quite complex and given in
. (We also reproduce the relevant
portion in .) We intend to use
only a small subset of this grammar, and therefore do not
consider the full definition of attributes in this document.
The attribute defined in this document is meant to be embedded
in a SymmetricKeyPackage structure, perhaps with other
attributes as well. The resulting value will then hold a
set-key in a common and standard format. This format is
appropriate both for transporting set-keys and for holding
set-keys computed from some higher-level protocol. That is,
one could create and distribute set-keys in this format
through some distribution protocol, or one could use this
format to hold set-keys computed by some protocol as Logical
Key Hierarchy .
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in .
The set-key attribute is used to associate a participant-set
with a symmetric key-package, where the participant-set MAY be
divided into the active and passive participants. It has the
following syntax:
This attribute MUST NOT appear in both the sKeyPkgAttrs field
of a SymmetricKeyPackage structure and the sKeyAttrs field of
a OneSymmetricKey structure. Furthermore, the sKeyPkgAttrs
field of a SymmetricKeyPackage MUST contain either zero or one
instance of a set-key attribute.
The 'active' and 'passive' fields jointly identify the
participant-set of this set-key. The 'active' field identifies
the active members of this set, meaning those which may use
the key to protect data or messages. The 'passive' field
identifies the passive members of this set, meaning those
participants who are expected to have this key but never use
it to apply cryptographic protection to messages or
data. (They may use the key to process such protection,
however, such as to decrypt the data or verify its integrity.)
Both the 'active' and 'passive' field will be values of type
SetKeyParticipantSet, which has the following syntax:
These values can be any of:
A 'union' of other SetKeyParticipantSet values. The
sequence of SetKeyParticipantSet values MUST contain at
least two members. The semantics of this sequence is as
follows: a participant is in the union if and only if it is
in any of the SetKeyParticipantSet values of the sequence.
If any set in the sequence is non-empty, then the union will
be non-empty. If all sets in the union sequence are empty,
then the union is empty as well.The 'intersection' of other SetKeyParticipantSet
values. The sequence of SetKeyParticipantSet values MUST
contain at least two members.The semantics of this sequence
is as follows: a participant is in intersection if and only
if it is in all of the SetKeyParticipantSet values of the
sequence. If any set in the sequence is empty, the
intersection is empty, too. If all sets in the sequence are
non-empty, the intersection might still be empty (which it
would be if there is no element common to all sets in the
sequence).
The set-difference ('setdiff') of two other
SetKeyParticipantSet values. The semantics of this is as
follows: a participant is in the set-difference if and only
if it is in the set identified in the 'orig' field and not
in the set identified by the 'without' field. If the set
identified in the 'orig' field is empty, then the
set-difference will be empty. If the set identified in the
'orig' field is a subset of the set identified in the
'without' field, then the set-difference will be empty. If
neither of the two previous cases apply, the set-difference
will be non-empty.A community, which is used by the Trust Anchor Management
Protocol (TAMP) to identify a set
of 'cryptographic modules.' Community values used in set-key
attributes MUST represent unchanging sets of
participants.A 'groupID', which is interpreted in an
application-independent way. One possible use for this
option is to name pre-established groups such as
organizational departments or roles. The details of
establishing or using such a name-space are outside the
scope of this document. However, groupID values used in
set-key attributes MUST represent unchanging sets of
participants.An 'explicit' list of SetMember values. Order has no
meaning in this sequence. This sequence MUST NOT be
empty.
This structure may be expanded at a later date with additional
types.
A SetMember value, meant to identify a specific unique
participant, has the following syntax:
A SetMember value can be any of:
An IssuerAndSerialNumber value, defined in ,A SubjectPublicKeyInfo, defined in , orA free form ('participantID') octet-string, which is
interpreted in an application-dependent way. One possible
use of this option is to use pre-established names for
participants. However, such values MUST refer to a single
participant, and MUST have a static (unchanging)
meaning. The details of establishing or using such a
name-space are outside the scope of this document.
As above, this structure may be expanded at a later date with
additional types. Implementations SHOULD gracefully handle
values and types which they do not recognize.
A single entity can be identified in multiple different
ways. One example of this is that a certified key can be
identified using the IssuerAndSerialNumber option, the
SubjectPublicKeyInfo, or some application specific method (for
example, a common name) in the free form field. This can cause
ambiguity when evaluating a SetKeyParticipantSet. Suppose that
a given key is sometimes identified using the
IssuerAndSerialNumber form (value 'I') and sometimes
identified using the SubjectPublicKeyInfo form (value 'S'). If
these two distinct values are interpreted as identifying
distinct keys, then the following structures may be
misinterpreted:
The 'explicit' sequence ...I, S... may be interpreted as
having more elements than it actually does, due to the participant
in question being counted twice (one for the I value, one for
the S value).Similarly, the structure "union {...I...} {...S...}" may
be interpreted as containing one more participant than it
actually does.Likewise, the set "setdiff {...I...} {...S...}" may be
interpreted as being non-empty when it is empty.On the other hand, the set "intersection {...I...}
{...S...}" may be interpreted as being empty when it should
not. (It will always contain at least one element: the
participant indicated by both I and S.)
For these reasons, implementations SHOULD use a single method
for identification of a single individual or have a
well-established method of being able to compare the different
locations that an individual could be identified in. We expand
on this issue in .
When creating a set-key attribute, the attribute generator
(which will often also be the key source) begins with a set S
of participants compromising the participant-set of the
set-key. (This set MUST include the key-source.) The initial
representation of this set or its members is beyond the scope
of this document. The generator may also inherit, from context
or application, an environment in which some sets S1, S2,
S3... have been assigned names N1, N2, N3... Lastly, the
attribute generator may know, from context or application, that
some members of S will be passive users of the key. (That is,
they will use the key to process messages created by others but
not to create messages of their own using that key.)
First, the attribute generator must decide whether to use the
optional passive field of the SetKeyInformation structure:
If the generator knows that some members of S will be
passive users, then it collects these members into a set
P. The set P SHOULD only contain those participants in S
which are known to be passive.
The attribute generator then calculates the set A = S \ P
(i.e., members of S not in P). The set A MUST NOT be
empty. (This would indicate, absurdly, that the key will
never be used to apply cryptographic protection.) The
generator MUST ensure that the set A contains at least one
member. If the set A is computed to be empty, the generator
MUST NOT generate the set-key attribute.
The attibute generator will then create a representation of
P, generated as described below, and emplace it in the
passive field of the set-key attribute. The generator then
generates a representation of A as described below and
stores this representation in the active field.
Otherwise, the generator creates a representation of S as
described below, stores it in the active field. Also, the
generator MUST omit the passive field.
If the generator uses some other method to compute the sets to
be represented in the active and passive fields, then:
The generator SHOULD ensure that each element of S is
contained either in the active field or the passive field,
but not both.
The generator MUST ensure that the set represented in the
active field contains at least one member.
If the generator uses the optional passive field, it MUST
ensure that the value of that field represents a set
containing at least one element. That is, the passive field
MUST either be omitted or contain a value representing a
non-empty set.
To emplace a set in either the active or passive fields of the
set-key attribute, the attribute generator must construct a
SetKeyParticipantSet value which represents that set. In
general, the 'best' representation of a set S' (which may be S,
A or P) will depend on the higher-level application being
executed by the attribute generator. For example:
Suppose that the set S' is small, or there is no mapping
from names N1, N2, N3... to sets S1, S2, S3... available to
the attribute generator. In this case the generator can
create an explicit list of the set members. That is, the
attribute generator represents each member of S' by a
SetMember value as described above. It then collects these
SetMember values into a sequence of SetMember values, and
emplaces that sequence into a SetKeyParticipantSet value
(using the 'explicit' option).
As another example, suppose that purpose of the set-key is
to re-key a group which is changing over time. If the
current membership definition of this group has been given
a name, then the attribute generator can simply emplace
this name in a SetKeyParticipantValue (using the 'groupID'
option).
To elaborate on the previous example: Suppose that the
membership-set of a group had been given a name at some
point in the past, but the group's membership has changed
since then. Because the sets represented by
SetKeyParticipantSet values represent unchanging sets, the
name represents the prior membership-set, not the current
one. However, the name in question can be used to represent
the current membership set in a way which may be more
compact than the explicit list described in the first
example above. Suppose that the group's prior
membership-set was assigned the name N. Then the attribute
generator can create two explicit lists of participants:
In the first list, L1, the generator lists all
participants which are currently in the group but were
not in the group when it received the name N.
In the second list, L2, the generator lists all
participants which were in the group when it received
the name N but are not in the group currently.
In both cases, the attribute generator resolves each
participant in the list to a SetMember value as described
below, gathers all SetMember values into a sequence, and
emplaces the sequence into a SetKeyParticipantSet value
(using the 'explicit' option). The attribute generator can
then represent the current membership of the group by the
value:
That is, it first emplaces the name N in a
SetKeyParticipantSet value using the 'groupID' option. It
then creates a sequence compromised of this value and the
SetKeyParticipantSet representing L1, and emplaces that in
a SetKeyParticipantSet value (using the 'union' option). It
then creates a SetKeyParticipantSet value using the
'setdiff' option, where the previously-mentioned
SetKeyParticipantSet value is in the 'orig' field and the
SetKeyParticipantSet value representing L2 is in the
'without' field. In this way, the attribute-generator can
represent the current membership-set of the group by
describing the changes since it was given the name N, which
may be a more compact representation than explicitly
listing the entire current membership.
Regardless of how the attribute generator chooses to represent
the set:
If a representation includes a Community value (the
'community' option) or an octet string (the 'groupID'
option), then the attribute generator MUST know (through
some method beyond the scope of this document) that this
octet string unambiguously indicates the participant in
question to every participant in the set key's
participant-set.
If a representation requires that a participant be
explicitly described by a SetMember value, then it SHOULD
be represented by exactly one such value. That is, the
participant may be 'mentioned' multiple times in the
representation. In this case, though, the same value
should be used in each such instance. Specifically, the
attribute-generator SHOULD select a SetMember
representation for the participant in this order:
An IssuerAndSerialNumber value, if the participant
possesses a certificate. If more than one
IssuerAndSerialNumber value is associated with that
participant, the attribute generator MAY choose one
using any criteria it likes.
A SubjectPublicKeyInfo value. However, the
attribute-generator MUST know (though some method
beyond the scope of this document) that the associated
private key is known to the participant and only that
participant.
An octet string (the 'participantID' option). However,
the attribute generator MUST know (through some method
beyond the scope of this document) that this octet
string unambiguously indicates the participant in
question to every participant in the set key's
participant-set.
Although the sets represented by the 'active' and 'passive'
fields cannot be empty, sub-components of these values MAY
be empty. This is because resource-constrained entities may
wish to do the minimum processing required to verify that
the 'active' and 'passive' sets are non-empty. If the
'active' value is a 'union' value at the top level, for
example, the sender may wish to terminate processing when
it first finds a non-empty component of that union (as
opposed to confirming that every component represents a
non-empty set). Senders MAY invest the processing necessary
to ensure that no component of the 'active' and 'passive'
sets represent non-empty sets, but receivers of these
values MUST properly handle the case that a sub-component
represents an empty set.
As with attribute generation, attribute processing will be
heavily dependent on the intended application of the attribute
and the set key. However, we describe here two common cases:
reconstruction of the described set, and testing
set-membership.
Suppose the attribute processor wishes to reconstruct the
set represented in either the 'active' or 'passive'
field. The processor's final, internal representation of
this set is beyond the scope of this document. However,
one possible process for constructing this set mirrors the
semantics of the attribute:
If the SetKeyParticipantSet is of the 'union'
option, then the processor recursively resolves each
SetKeyParticipantSet value in the sequence into
participant sets. The final participant set is the
union of each set in the sequence.
If the SetKeyParticipantSet is of the 'intersection'
option, then the processor recursively resolves each
SetKeyParticipantSet value in the sequence into
participant sets. The final participant set is the
intersection of these sets.
If the SetKeyParticipantSet is of the 'setdiff'
option, then the processor recursively resolves the
SetKeyParticipantSet values of the 'orig' and
'without' fields into sets. The final participant set
contains exactly those participants in the 'orig' set
and not in the 'without' set.
If the SetKeyParticipantSet is of the 'community' or
'groupID' option, then the attribute processor
resolves the Community value or octet string,
respectively, into a participant set. The methods by
which the attribute-processor performs this operation
are beyond the scope of this document. However, if
the identifier in question cannot unambiguously be
resolved to a set of participants, then the attempt to
reconstruct the set represented by this attribute MUST
fail with an error.
If the SetKeyParticipantSet is of the 'explicit'
option, then the attribute processor resolves each
SetMember value in the sequence into a
participant. The resulting participant set contains
exactly those participants. To resolve a SetMember
value into a participant, the attribute processor
might use the following process:
If the SetMember value is of the
'issuerAndSerialNumber' option, then the
participant is the entity indicated in the name
field of the indicated certificate .
If the SetMember value is of the 'publicKey' option,
then the participant is the entity who knows the
associated private key. If the number of such
entities is other than exactly one, then the
attempt to reconstruct the set represented by this
attribute MUST fail with an error.
If the SetMember value of the 'participantID'
option, then the attribute processor resolves the
octet string into a participant. The method by
which the attribute-processor performs this
operation is beyond the scope of this
document. However, if the identifier in question
cannot unambiguously be resolved to exactly one
participant, then the attempt to reconstruct the
set represented by this attribute MUST fail with
an error.
This process SHOULD return an error if either the
'active' or 'passive' fields are resolved to empty
sets.
Suppose, on the other hand, the attribute processor wishes
test whether a particular participant is a member of the
indicated set. To do so, the processor must receive as
input both the SetKeyParticipantSet value and the
participant in question (the 'target' participant). The
representation of this participant is beyond the scope of
this document, so long as the attribute processor can
match it against SetMember values (see below).
To test set-membership of the target participant, the
attribute processor can again follow a process which
mirrors the underlying semantics of the attribute:
If the SetKeyParticipantSet is of the 'union' option,
then the processor iterates over the sequence. For
each SetKeyParticipantSet value in the sequence, the
attribute processor recursively tests the membership
of the target participant in the represented set. This
recursive test MAY return true, false, or an error. If
any recursive test returns true, then the current test
(for this 'union' value) will also return
true. Furthermore, the attribute processor MAY
immediately terminate iteration over the sequence upon
receiving a 'true' value from a recursive test. If the
attribute processor finishes iterating over the
sequence, however, and each recursive test returned
'false', then the current test returns 'false' as
well. If any recursive test returned 'error' and no
recursive test returned 'true', then the current test
also returns 'error'.
If the SetKeyParticipantSet is of the 'intersection'
option, then the processor iterates over the
sequence. For each SetKeyParticipantSet value in the
sequence, the attribute processor recursively tests
the membership of the target participant in the
represented set. This recursive test MAY return true,
false, or an error. If any recursive test returns
false, then the current test (for this 'intersection'
value) will also return false. Furthermore, the
attribute processor MAY immediately terminate
iteration over the sequence upon receiving a 'false'
value from a recursive test. If the attribute
processor finishes iterating over the sequence,
however, and each recursive test returned 'true',
then the current test returns 'true' as well. If any
recursive test returned 'error' and no recursive test
returned 'false', then the current test also returns
'error'.
If the SetKeyParticipantSet is of the 'setdiff'
option, then the processor recursively resolves the
SetKeyParticipantSet values of the 'orig' and
'without' fields into sets. It then recursively tests
membership of the target participant in these two
sets. It returns 'true' if the test of the 'orig' set
returns 'true' and the test for the 'without' set
returns 'false'. If either test returned 'error', then
the current test (for this 'setdiff' value) returns
'error' as well. Else, the current test returns
'false'.
If the SetKeyParticipantSet is of the 'community' or
'groupID' option, then the attribute processor
resolves the Community value or octet string,
respectively, into a participant set. It then returns
success if participant is the set, and failure if
not. The methods by which the attribute-processor
resolves the identifier into a set are beyond the
scope of this document. However, if the identifier in
question cannot unambiguously be resolved to a set of
participants, then the attempt to reconstruct the set
represented by this attribute MUST fail with an error.
If the SetKeyParticipantSet is of the 'explicit'
option, then processor iterates over the
sequence. That is, the attribute processor attempts to
match the target participant against each SetMember
value in the sequence. This matching can return true,
false, or an error. If any matching returns true, then
the current test (for this 'explicit' value) will also
return true. Furthermore, the attribute processor MAY
immediately terminate iteration over the sequence upon
receiving a 'true' value from a matching. If the
attribute processor finishes iterating over the
sequence, however, and each matching returned 'false',
then the current test returns 'false' as well. If any
matching returned 'error' and no recursive test
returned 'true', then the current test also returns
'error'.
If the attribute processor further wishes to determine
whether the target participant is active or passive, it
recursively tests whether the target participant is in the
set represented by the SetKeyParticipantSet value in the
'active' field of the attribute. If so, the target
participant MUST be considered active. If not, the
attribute processor tests whether the target participant
is in the set represented by the SetKeyParticipantSet
value in the 'passive' field of the attribute. If so, the
participant MUST be considered passive. If not, the target
participant is not in the participant set of the key.
If the attribute processor uses some other method to process
the set-key attribute, then:
An attribute processor MUST gracefully handle the case
where a given participant is the set represented by the
SetKeyParticipantSet value of the 'active' field and the
value of the 'passive' field. In this case, the
participant in question MUST be considered to be active.
The attribute processor MUST gracefully handle
SetKeyParticipantSet values in which a given participant
is represented by two different values. Specifically, if
the attribute processor ever fails to resolve a SetMember
value unambiguously to a single participant, it MUST
produce an error that it either handles itself or returns
to a higher-level caller. Furthermore, the attribute
processor MUST NOT use purely syntactic equality-tests for
participants. That is, attribute processors must
internally represent participants in such a way that two
different SetMember values will be recognized as
representing the same participant (if, in fact, they do).
If the SetKeyParticipantSet value of either the 'active'
or 'passive' field is resolved as representing an empty
set, the attribute processor MUST consider this to be an
invalid value and return an error.
The attribute processor SHOULD gracefully handle values
and types which they do not recognize (for sets and
members).
As with the entire symmetric-key package, the set-key
attribute is not protected. The symmetric key package content
type can be combined with a security protocol to protect the
contents of the attribute.
This document makes use of object identifiers. These object
identifiers are defined in an arc delegated to the IETF S/MIME
Working Group. This arc and its registration procedures will
be transferred to IANA soon. No further action by IANA is
necessary for this document. Future extensions may require
action by IANA, but such actions will be described at the time
of extension.
The authors would like to thank Jim Schaad, Russ Housley, Sean
Turner, Carl Wallace, Menachem Dodge, and Alexey Melnikov for
their helpful comments and suggestions.
Key words for use in RFCs to Indicate Requirement Levels
Harvard UniversityCryptographic Message Syntax (CMS)Vigil Security
Security
S/MIME Main SecurityNew ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIMEVPN ConsortiumSoaring Hawk Consulting
Security
Network Working GroupNew ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)VPN ConsortiumSoaring Hawk Consulting
Security
Network Working GroupCryptographic Message Syntax (CMS) Symmetric Key Package Content TypeIECAVigil SecurityTrust Anchor Management Protocol (TAMP)Vigil Security, LLCNational Security AgencyCygnacom SolutionsPublic-Key Infrastructure (X.509) (pkix)Internet X.509 Public Key Infrastructure Certificate
and Certificate Revocation List (CRL) ProfileNISTMicrosoftTrinity College DublinEntrustVigil SecurityNIST
Security
Public-Key Infrastructure (X.509)Information Technology - Abstract Syntax Notation OneITU-TInformation Technology - Abstract Syntax Notation
One: Information Object SpecificationITU-TInformation Technology - Abstract Syntax Notation
One: Constraint SpecificationITU-TInformation Technology - Abstract Syntax Notation
One: Parameterization of ASN.1 SpecificationsITU-TKey Management for Multicast: Issues and ArchitecturesNational Security AgencyNational Security AgencyNational Security Agency
This appendix provides the normative ASN.1 definitions for the
structures described in this specification using ASN.1 as defined in
through .
ATTRIBUTE values are defined in the ASN.1 module PKIX-CommonTypes-2009
of . For information purposes, we
reproduce the relevant portion of this module here: