I agree with the amount of time that it takes to implement with a good
library. It took me about 1.5 hours, but I was listing to A Prairie Home
Companion rather than watching a Jimmy Stewart movie.
The most difficult part of the process was convencing my decode routines
that PKCS#1 padding was not required to exist on the object.
Before you start producing test vectors, I want to see the expansion of the
algorithm to deal with the problems of encryption key material which does
not pad out to 8 byte boundries. What are you planning to do with lengths or
known padding for doing 40-bit RC2 keys.
From: Russ Housley [mailto:housley(_at_)spyrus(_dot_)com]
Sent: Saturday, February 20, 1999 1:18 PM
Right now, I am leaning toward the double encryption wrap algorithm. I
think it will be easy to implement, and it yeilds a shorter result that the
OAEP method. To convince myself that it was easy to implement, I did an
implementation. It took me about two hours while watching an old Jimmy
Stewart movie. Of course, I already have SHA-1 and Triple-DES CBC
routines. S/MIME v3 will require these algorithms for other capabilities
besides key wrapping.
If someone else is willing to do an implementation, I would like to compare
results. This will allow a test vector to be included with the algorithm
Does anyone have any strong objections to the double encryption wrap
algorithm being selected?
WRAP ALOGRITHM #1: DOUBLE ENCRYPTION
The CMS Checksum Algorithm is used to provide an content-encryption key
integrity check value. The algorithm is:
1. Compute a 20 octet SHA-1 message digest on the
2. Use the most significant (first) eight octets of the
message digest value as the checksum value.
Triple-DES Key Wrap
1. Set odd parity for each of the DES key octets comprising
the content-encryption key, call the result CEK.
2. Compute a 8 octet key checksum value on CEK as described above,
call the result ICV.
3. Let CEKICV = CEK || ICV.
4. Encrypt CEKICV in CBC mode using the key-encryption key. Use
an IV of 0xc302e3c1ad8bb738.
5. Reverse the order of the ciphertext octets. That is, the most
significant (first) octet is swapped with the least significant
(last) octet, and so on. Call the result TEMP.
6. Encrypt TEMP in CBC mode using the key-encryption key. Use
an IV of 0x61a197e5b132e196. The ciphertext is 32 octets long.