RE: PKCS#7 and algorithm identifiers

[Mike Markowitz <markowitz@xxxxxxxxxxxxxxx>]

At 02:11 AM 1/30/2007, SIEVANEN Markku wrote:

> 1.
> I didn't find registered OIDs for other Triple DES modes, like for
> example DES-EDE3 (ECB mode)? Is it so, that other Triple-DES modes
> doesn't have registered OIDs and are not used in current
> implementations?

Markku:

DES-EDE3-ECB appears to be registered under {iso(1)
identified-organization(3) oiw(14) secsig(3) algorithms(2) desEDE(17)}
("1.3.14.3.2.17"). It's used for voice encryption and
specified
in ITU-T Recommendation H.325.

Other variations:

3DesECB: {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) 4929 1 7}
("1.3.6.1.4.1.4929.1.7")

DES_3ECB_pad: {iso(1) identified-organization(3) teletrust(36)
algorithm(3) encryptionAlgorithm(1) des-3(3) 1 1}
("1.3.36.3.1.3.1.1")

e.g.:

DES_3ECB_ISOpad: {iso(1) identified-organization(3) teletrust(36)
algorithm(3) encryptionAlgorithm(1) des-3(3) 1 1 1}
("1.3.36.3.1.3.1.1.1")

And other modes from our Russian friends:

3DesCBC: {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) 4929 1 8}
("1.3.6.1.4.1.4929.1.8")

3DesCFB: {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) 4929 1 10}
("1.3.6.1.4.1.4929.1.10")

3DesOFB: {iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) 4929 1 9}
("1.3.6.1.4.1.4929.1.9")


> 2.
> The RFC 3370 indicates, that this same OID
> ("1.2.840.113549.3.7") is used also for DES-EDE2-CBC, two key
> version Triple-DES? So, what is the common practice: use three key or two
> key schemes in current implementations (PKCS#7 envelopes, S/MIME) under
> this OID?

Not sure there is any "common practice," except for maybe
choosing one scheme for output
and making sure you're able to handle anything on input... assuming
you're worried
about compatibility.

-mjm