All:
After a fair amount of open and public debate, I see three approahces to
Triple-DES key wrapping. In this note, I list all three. To keep this note a
resonable lenght, I have omitted the unwrap algorithm description. The
alternative algorithms are listed in my oreder of preference. The rationale
for my ordering is complexity. The simplest is first, and the most complex is
last. If the simple wrap algorithm meets the requirements, then what value
does the complexity add?
The S/MIME v3 specifications will include the selected Triple-DES key wrap
algorithm as well as a variant for wrapping RC2 keys (40-128 bit keys).
Please review the algorithms. Please do not propose improvements that are
covered by any issued or pending patents.
Thanks for your assistance,
Russ
= = = = = = = = = =
WRAP ALOGRITHM #1: DOUBLE ENCRYPTION
A.1 Key Checksum
The CMS Checksum Algorithm is used to provide an content-encryption key
integrity check value. The algorithm is:
1. Compute a 20 octet SHA-1 message digest on the
content-encryption key.
2. Use the most significant (first) eight octets of the
message digest value as the checksum value.
A.2 Triple-DES Key Wrap
1. Set odd parity for each of the DES key octets comprising
the content-encryption key.
2. Compute a 8 octet key checksum value on the content-encryption
key as described above.
3. Concatenate the key checksum value and the content-encryption key.
The result is four 8 octet blocks: B1, B2, B3, and B4.
4. Encrypt in CBC mode the four blocks using the key-encryption key.
Use an IV of all zeros.
5. Reverse the order of the four ciphertext blocks. The resulting
order is B4, B3, B2, and B1.
6. Encrypt the four blocks a second time. Encrypt in CBC mode
using the key-encryption key. Use an IV of all zeros.
WRAP ALOGRITHM #2: MASK AND ENCRYPT
B.1 Key Checksum
The CMS Checksum Algorithm is used to provide an content-encryption key
integrity check value. The algorithm is:
1. Compute a 20 octet SHA-1 message digest on the
content-encryption key.
2. Use the most significant (first) eight octets of the
message digest value as the checksum value.
B.2 Triple-DES Key Wrap
1. Set odd parity for each of the DES key octets comprising
the content-encryption key.
2. Compute a 8 octet key checksum value on the content-encryption
key as described above.
3. Generate an 8 octet random number: RAND.
4. Let H1 = SHA-1 ( RAND ).
5. Let H2 = SHA-1 ( H1 ).
6. Let MASK equal the most significant (first) 32 octets of H1 || H2.
7. Let KEYICV equal the content-encryption key concatenated with
the key checksum value.
8. Let PLAIN = RAND || ( KEYICV XOR MASK ).
9. Encrypt PLAIN in CBC mode using the key-encryption key.
Use an IV of all zeros.
WRAP ALOGRITHM #3: OAEP AND ENCRYPT
C.1 Key Checksum
No explicit ckecksum algoritm is needed. The OAEP processing provides
the necessary integrity.
C.2 Triple-DES Key Wrap
1. Set odd parity for each of the DES key octets comprising
the content-encryption key, called CEK.
2. Let CEKPAD = 0x18 || CEK || 0x0000000000000000000000.
3. Generate a 160-bit random value, called RAND.
4. Let H1 = SHA-1 ( RAND || 0x01 ).
5. Let H2 = SHA-1 ( RAND || 0x02 ).
6. Let MASK1 equal the most significant (first) 36 octets of H1 || H2.
7. Let MKEY = CEKPAD XOR MASK1.
8. Let MASK2 = SHA-1 ( MKEY ).
9. Let MRAND = MASK2 XOR RAND.
10. Let MDATA = MRAND || MKEY.
11. Encrypt MDATA with the key-encryption key and CBC mode. Use an IV
with each octet equal to 0xA5. The ciphertext is 56 octets long.