ietf-smime

Re: CMS Key Wrapping

1998-05-31 07:09:04
Given that key transport and key agreement (with arbitrary checksum) are
vulnerable to attacks at either a single or multiple recipients (some
undetectable except that garbage is received) I'm not completely
convinced that the checksum adds any useful security from tampering.

IMHO that's what signing should be used for.

I would suggest the simpler alternative of just encrypting the (padded)
content encryption key and having an additional
EncryptionAlgorithmIdentifier field to give the encryption algorithm and
IV used. That way a different encryption algorithm and IV can be used
for encrypting the content encryption key (though why this is useful is
not immediately obvious).

Steve.
-- 
Dr Stephen N. Henson.
UK based freelance Cryptographic Consultant. For info see homepage.
Homepage: http://www.drh-consultancy.demon.co.uk/
Email: shenson(_at_)bigfoot(_dot_)com
PGP key: via homepage.

