ietf-smime
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Key Wrap Algoritm

1998-12-10 08:29:21
from [Russ Housley] [Permanent Link] 
All:

In today's face-to-face working group meeting, we decided to replace the
Fletcher Checksum with the first 64 bits of a SHA-1 hash.

Russ




Date: Tue, 08 Dec 1998 10:36:11 -0500
To: jimsch(_at_)EXCHANGE(_dot_)MICROSOFT(_dot_)com
From: Russ Housley <housley(_at_)spyrus(_dot_)com>
Subject: Re: Key Wrap Algoritm


Jim:

I did not accept al of your changes.  I had to filter them with discussion
going on with other threads.  So, attached is the Key Wrap Algorithm as
presently defined.  Note that this algorithm is limited to Triple-DES and
RC2.

In addition, the following is added to the security considerations section:
Section 12.6 specifies a key wrap algorithm used to encrypt a Triple-DES
[3DES] or RC2 [RC2] content-encryption key with a Triple-DES or RC2
key-encryption key using CBC mode [MODES].  This key wrap algorithm has been
reviewed for use with Triple-DES in CBC mode and RC2 in CBC mode; it has not
been reviewed for use with other algorithms or other modes.  Analysis has
discovered concerns with using this key wrap algorithm with stream ciphers or
block ciphers in OFB mode [MODES].  Therefore, if a CMS implementation wises
to support ciphers in addition to Triple-DES in CBC mode or RC2 in CBC mode,
then additional key wrap algorithms may need to be defined to support the
additional ciphers.


Russ

= = = = = = = = = = 

12.6  Triple-DES and RC2 Key Wrap Algorithm

CMS implementations must include encryption of a Triple-DES
content-encryption key with a Triple-DES key-encryption key using the
algorithm specified in this section.  CMS implementations should include
encryption of a RC2 content-encryption key with a RC2 key-encryption key. 
Triple-DES and RC2 content-encryption keys are encrypted in Cipher Block
Chaining (CBC) mode [MODES].

Key Transport algorithms allow for the content-encryption key to be directly
encrypted; however, key agreement and symmetric key-encryption key algorithms
encrypt the content-encryption key with a second symmetric encryption
algorithm.  This section describes how the Triple-DES or RC2
content-encryption key is formatted and encrypted.

Key agreement algorithms generate a pairwise key-encryption key, and a key
wrap algorithm is used to encrypt the content-encryption key with the
pairwise key-encryption key.  Similarly, a key wrap algorithm is used to
encrypt the content-encryption key in a previously distributed key-encryption
key.

The key-encryption key is generated by the key agreement algorithm or
distributed out of band.  For key agreement of RC2 key-encryption keys, 128
bits must be generated as input to the key expansion process used to compute
the RC2 effective key [RC2].

The block size of the key-encryption algorithm must be implicitly determined
from the KeyEncryptionAlgorithmIdentifier field; however, both Triple-DES and
RC2 have a block size of eight octets.

The same algorithm identifier is used for both 2-key and 3-key Triple-DES. 
When the length of the wrapped content-encryption key is 16 octets, 2-key
Triple-DES is used for the content-encryption algorithm.  Similarly, when the
length of the wrapped content-encryption key is 24 octets, 3-key Triple-DES
is used for the content-encryption algorithm.

12.6.1  Key Checksum

The Fletcher checksum [SUM] algorithm is used to provide an integrity check
value.  The algorithm is:

1.  Initialize two 16 bit integers, sum1 and sum2, to zero.
2.  Loop through the octets of the content-encryption key, most
    significant (first) octet to least significant (last) octet.
    2a.  Create a 16 bit integer, called temp, by concatenating 
         eight zero bits and the key octet.
    2b.  sum1 = sum1 + temp.
    2c.  sum2 = sum2 + sum1.
3.  Use sum2 as the checksum value.

12.6.2  Key Wrap

1.  Modify the content-encryption key to meet any restrictions on the key.
    For example, adjust the parity bits for each DES key comprising a 
    Triple-DES key.
2.  Compute a 16-bit key checksum value on the content-encryption key as
    described Section 12.6.1 above.
3.  Generate a 32-bit random salt value.
4.  Concatenate the salt, content-encryption key, and key checksum value.
5.  Pad the result, using the technique specified in Section 6.3, so 
    that the padded result is a multiple of eight (the Triple-DES and
    RC2 block size).  Append the pad to the result.
6.  Encrypt in CBC mode the padded result using the key-encryption key.
    Use an IV with each octet equal to 'A5' hexadecimal.

12.6.3  Key Unwrap

The key unwrap algorithm is:

1.  Decrypt in CBC mode the ciphertext using the key-encryption key.  Use
    an IV with each octet equal to 'A5' hexadecimal.
2.  Decompose the result into the content-encryption key and key checksum
    values.  The salt and pad values are discarded.
3.  Compute a 16-bit key checksum value on the content-encryption key
    as described in Section 12.6.1 above.
4.  If the computed key checksum value does not match the decrypted key
    checksum value, then there is an error.
5.  If there are restrictions on keys, then check if the content-
    encryption key meets these restrictions.  For example, check for odd
    parity of each octet in each DES key that makes up a Triple-DES key.
    If any restriction is incorrect, then there is an error.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  SignerInfo Change, Russ Housley
Next by Date:  Re: New X9.42 draft, EKR
Previous by Thread:  Re: Key Wrap Algoritm, Russ Housley
Next by Thread:  Re: Key Wrap Algoritm, Graham Klyne
Indexes:  [Date] [Thread] [Top] [All Lists]