ietf-smime

Re: Key Wrap Algorithm

1998-12-08 08:52:26
Jim:

I did not accept all of your changes.  I had to filter them with discussion
going on with other threads.  So, attached is the Key Wrap Algorithm as
presently defined.  Note that this algorithm is limited to Triple-DES and RC2.

In addition, the following is added to the security considerations section:
Section 12.6 specifies a key wrap algorithm used to encrypt a Triple-DES [3DES]
or RC2 [RC2] content-encryption key with a Triple-DES or RC2 key-encryption key
using CBC mode [MODES].  This key wrap algorithm has been reviewed for use with
Triple-DES in CBC mode and RC2 in CBC mode; it has not been reviewed for use
with other algorithms or other modes.  Analysis has discovered concerns with
using this key wrap algorithm with stream ciphers or block ciphers in OFB mode
[MODES].  Therefore, if a CMS implementation wishes to support ciphers in
addition to Triple-DES in CBC mode or RC2 in CBC mode, then additional key wrap
algorithms may need to be defined to support the additional ciphers.


Russ

= = = = = = = = = = 

12.6  Triple-DES and RC2 Key Wrap Algorithm

CMS implementations must include encryption of a Triple-DES content-encryption
key with a Triple-DES key-encryption key using the algorithm specified in this
section.  CMS implementations should include encryption of an RC2
content-encryption key with an RC2 key-encryption key.  Triple-DES and RC2
content-encryption keys are encrypted in Cipher Block Chaining (CBC) mode
[MODES].

Key Transport algorithms allow for the content-encryption key to be directly
encrypted; however, key agreement and symmetric key-encryption key algorithms
encrypt the content-encryption key with a second symmetric encryption
algorithm.  This section describes how the Triple-DES or RC2 content-encryption
key is formatted and encrypted.

Key agreement algorithms generate a pairwise key-encryption key, and a key wrap
algorithm is used to encrypt the content-encryption key with the pairwise
key-encryption key.  Similarly, a key wrap algorithm is used to encrypt the
content-encryption key in a previously distributed key-encryption key.

The key-encryption key is generated by the key agreement algorithm or
distributed out of band.  For key agreement of RC2 key-encryption keys, 128
bits must be generated as input to the key expansion process used to compute
the RC2 effective key [RC2].

The block size of the key-encryption algorithm must be implicitly determined
from the KeyEncryptionAlgorithmIdentifier field; however, both Triple-DES and
RC2 have a block size of eight octets.

The same algorithm identifier is used for both 2-key and 3-key Triple-DES. 
When the length of the wrapped content-encryption key is 16 octets, 2-key
Triple-DES is used for the content-encryption algorithm.  Similarly, when the
length of the wrapped content-encryption key is 24 octets, 3-key Triple-DES is
used for the content-encryption algorithm.

12.6.1  Key Checksum

The Fletcher checksum [SUM] algorithm is used to provide an integrity check
value.  The algorithm is:

1.  Initialize two 16 bit integers, sum1 and sum2, to zero.
2.  Loop through the octets of the content-encryption key, most
    significant (first) octet to least significant (last) octet.
    2a.  Create a 16 bit integer, called temp, by concatenating 
         eight zero bits and the key octet.
    2b.  sum1 = sum1 + temp.
    2c.  sum2 = sum2 + sum1.
3.  Use sum2 as the checksum value.

12.6.2  Key Wrap

1.  Modify the content-encryption key to meet any restrictions on the key.
    For example, adjust the parity bits for each DES key comprising a 
    Triple-DES key.
2.  Compute a 16-bit key checksum value on the content-encryption key as
    described in Section 12.6.1 above.
3.  Generate a 32-bit random salt value.
4.  Concatenate the salt, content-encryption key, and key checksum value.
5.  Pad the result, using the technique specified in Section 6.3, so 
    that the padded result is a multiple of eight (the Triple-DES and
    RC2 block size).  Append the pad to the result.
6.  Encrypt in CBC mode the padded result using the key-encryption key.
    Use an IV with each octet equal to 'A5' hexadecimal.

12.6.3  Key Unwrap

The key unwrap algorithm is:

1.  Decrypt in CBC mode the ciphertext using the key-encryption key.  Use
    an IV with each octet equal to 'A5' hexadecimal.
2.  Decompose the result into the content-encryption key and key checksum
    values.  The salt and pad values are discarded.
3.  Compute a 16-bit key checksum value on the content-encryption key
    as described in Section 12.6.1 above.
4.  If the computed key checksum value does not match the decrypted key
    checksum value, then there is an error.
5.  If there are restrictions on keys, then check if the content-
    encryption key meets these restrictions.  For example, check for odd
    parity of each octet in each DES key that makes up a Triple-DES key.
    If any restriction is incorrect, then there is an error.
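
Added example (not part of the original message or of the draft): the non-cipher steps of Sections 12.6.1 to 12.6.3 in Python, so the checksum, parity and padding checks can be exercised on their own. The CBC encryption and decryption with the 'A5' IV are left out; the 16-bit wraparound, the big-endian checksum encoding and the pad format (n octets each of value n) are assumptions, and all function names are hypothetical.

```python
import os

BLOCK = 8  # Triple-DES and RC2 block size in octets

def key_checksum(cek: bytes) -> int:
    """Section 12.6.1: two running 16-bit sums; sum2 is the checksum."""
    sum1 = sum2 = 0
    for octet in cek:
        sum1 = (sum1 + octet) & 0xFFFF   # assumption: 16-bit wraparound
        sum2 = (sum2 + sum1) & 0xFFFF
    return sum2

def set_odd_parity(key: bytes) -> bytes:
    """Wrap step 1: force odd parity per octet (low bit is the parity bit)."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)

def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)

def format_for_wrap(cek: bytes, salt: bytes = None) -> bytes:
    """Wrap steps 1-5: returns the padded block that step 6 would encrypt."""
    cek = set_odd_parity(cek)
    salt = os.urandom(4) if salt is None else salt   # 32-bit random salt
    body = salt + cek + key_checksum(cek).to_bytes(2, "big")  # byte order assumed
    n = BLOCK - len(body) % BLOCK        # assumption: n octets, each of value n
    return body + bytes([n]) * n

def parse_after_unwrap(plain: bytes) -> bytes:
    """Unwrap steps 2-5 on the decrypted block; raises ValueError on any error."""
    if len(plain) < 2 * BLOCK or len(plain) % BLOCK:
        raise ValueError("bad length")
    n = plain[-1]
    if not 1 <= n <= BLOCK or plain[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    body = plain[:-n]                    # salt(4) || CEK || checksum(2)
    cek, received = body[4:-2], int.from_bytes(body[-2:], "big")
    if key_checksum(cek) != received:
        raise ValueError("key checksum mismatch")
    if not has_odd_parity(cek):
        raise ValueError("parity error")
    return cek
```

With a 24-octet key the formatted block is 32 octets (4 + 24 + 2 + 2 of pad); with a 16-octet key it is 24 octets, which is how the receiver can tell 2-key from 3-key Triple-DES.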

