OK -- here is the text I would prefer
12.4 Key Wrapping Algorithm
Key Transport algorithms allow for the content-encryption key to be directly
encrypted. Key agreement and mail list key exchange algorithms encrypt the
content-encryption key with a second (possibly different) block encryption
algorithm. This section describes how the content-encryption key is
formatted and encrypted.
The bits used for the key-encryption key are generated by the key agreement
algorithm or are distributed as the mail list key. When obtaining the bits
of the key-encryption key the minimal number of bits needed to form the
key-encryption key must be used. As an example only the first 40 bits of
key material would be used when using RC2/40-bit as a key-encryption
algorithm even though one may use more as RC2 starts by compressing the
input bits down to the algorithm size.
The block size of the key-encryption algorithm can be determined from the
CMS
KeyEncryptionAlgorithmIdentifier protocol field. Likewise, the size of the
content-encryption key can be determined from the CMS
ContentEncryptionAlgorithmIdentifier protocol field. Triple-DES may be an
exception here; the same identifier is used for both 2-key and 3-key Triple
DES. This is probably easily handled by always wrapping three keys, even if
the first and third keys match.
The key checksum algorithm is:
1. Initialize two 16 bit integers, sum1 and sum2, to zero.
2. Loop through the octets of the content-encryption key, most
significant octet to least significant octet.
2a. Create a 16 bit integer, called temp, by concatenating
8 zero bits and the key octet.
2b. sum1 = sum1 + temp.
2c. sum2 = sum2 + sum1.
3. Use sum2 as the checksum value.
The key wrap algorithm is:
1. Modify the content-encryption key to meet any restrictions on the key.
An example of this would be modifying parity bits for DES and tripleDES
keys.
2. Compute a 16-bit key checksum value on the content-encryption key as
described above.
3. Generate a 4-octet random salt value.
4. Concatenate the salt, content-encryption key, and key checksum value.
5. Randomly generate the number of pad octets necessary to make the result
a multiple of block size of the key-encryption algorithm (the Triple-DES
algorithm block size is 8 bytes), then append them to the result. [JLS - I
am going to assume that this was suppose to be a random padding.]
6. Encrypt the result with the key-encryption algorithm key. Use an IV
with each octet equal to 'A5' hexadecimal. (Some key-encryption algorithms
encode the IV as part of the parameters. The IV must still be the constant
octet string.)
The key unwrap algorithm is:
1. Decrypt the wrapped ciphertext using the key-encryption key. Use an IV
with each octet equal to 'A5' hexadecimal.
2. Decompose the result into the content-encryption key and key checksum
values
3. Compute a 16-bit key checksum value on the content-encryption key as
described above.
4. If computed key checksum value does not match the decrypted key checksum
value, then there is an error.
5. If there are restrictions on keys, then check if the content encryption
key meets these restrictions. An example of this would be to check the
parity bits for DES and tripleDES keys. If any restriction is incorrect
then there is an error.