ietf-smime

Re: WG Last Call:draft-ietf-smime-cms-07.txt

1998-10-27 05:48:12
Russ Housley wrote:

Steve & Eric:

   The key-encryption key is generated by the key agreement algorithm or
   distributed as a mail list key.  With key agreement, the minimum
   number of bits needed to form the key-encryption key must be used.
   As an example, only the first 40 bits of Diffie-Hellman generated
   keying material are used for a RC2/40 key-encryption key.

This appears to be the "RC2 key length X/8" option. This adds the
restriction that X/8 must always be used in mixed DH+RSA messages though
just RSA need not be restricted to X/8. Or am I misinterpreting this?

How about:

The key-encryption key is generated by the key agreement algorithm or
distributed as a mail list key.  For key agreement of RC2 key-encryption keys,
128 bits must be generated as input to the key expansion process used to
compute the RC2 effective key [RFC 2268].


OK as far as it goes but a few more points need clarifying IMHO.

1. The message encryption key (MEK) length cannot be determined
unambiguously from the wrapping algorithm. Unless the wrapping algorithm
is suitably modified (e.g. use standard block padding) this means that
whenever RC2 is used for key agreement the MEK key must also be 128 bits
in length. This must also apply to messages where at least one recipient
uses key agreement but need not apply to those where all use key
transport.

2. It is implied in the fixed key length that RC2 with >128 bits cannot
be used if at least one recipient uses key agreement.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk
PGP key: via homepage.
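
Point 1 of the message above, as an added example that is not part of the thread or the draft: it models only the plaintext handed to the key wrap, assuming a wrap that fills the MEK to a whole number of 8-byte RC2 blocks without recording its length, and compares that with standard block padding. The function names and sample keys are constructed for illustration.

```python
import os

BLOCK = 8  # RC2 block size in bytes

def pad_opaque(key):
    """Assumed wrap input: fill to a block boundary with random bytes.
    Nothing in the result says where the key ends."""
    return key + os.urandom(-len(key) % BLOCK)

def candidate_lengths(buf):
    """Key lengths (in bytes) that an opaque-filled buffer could contain."""
    return list(range(len(buf) - BLOCK + 1, len(buf) + 1))

def pad_block(key):
    """Standard block padding: n bytes of value n, always at least one."""
    n = BLOCK - len(key) % BLOCK
    return key + bytes([n]) * n

def unpad_block(buf):
    """Recover the key, and therefore its length, from block padding."""
    n = buf[-1]
    if len(buf) % BLOCK or not 1 <= n <= BLOCK or buf[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return buf[:-n]

# Constructed sample MEKs: 40-bit, 64-bit and 128-bit.
MEK40 = bytes.fromhex("0102030405")
MEK64 = bytes.fromhex("0102030405060708")
MEK128 = bytes(range(16))

if __name__ == "__main__":
    for mek in (MEK40, MEK64, MEK128):
        opaque = pad_opaque(mek)
        padded = pad_block(mek)
        print(f"{len(mek) * 8:3d}-bit MEK: opaque fill -> {len(opaque)} bytes, "
              f"could be {candidate_lengths(opaque)} bytes long; "
              f"block padding -> {len(padded)} bytes, "
              f"recovered {len(unpad_block(padded)) * 8} bits")
```

With the opaque fill, the 40-bit and 64-bit keys both unwrap to one 8-byte block, so the recipient needs an out-of-band rule such as the fixed 128-bit length; with block padding the length comes back with the key.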


