ietf-smime

Re: A New Triple-DES Key Wrap Algorithm

1999-02-08 08:09:54
Russ,

To be fair, you should explicitly state the security attributes required by
the process, that is, if this attribute is not achieved, it should be
considered an attack and if an attribute is not mentioned, it is not
considered an attack if it is not achieved.  For example, confidentiality
so that no bit of the key can be guessed with substantially better than 50%
probability, detection of alteration with 1/x probability, plaintext
awareness, etc.

Don Johnson





Russ Housley <housley(_at_)spyrus(_dot_)com> on 02/07/99 04:07:18 PM

To:   ietf-smime(_at_)imc(_dot_)org
cc:   burt(_at_)RSA(_dot_)COM, djohnson(_at_)certicom(_dot_)ca, schneier(_at_)counterpane(_dot_)com,
      denny(_at_)tis(_dot_)com, denning(_at_)cs(_dot_)cosc(_dot_)georgetown(_dot_)edu, omura(_at_)cylink(_dot_)com,
      mhetzel(_at_)bell-labs(_dot_)com, benaloh(_at_)microsoft(_dot_)com, brickell(_at_)certco(_dot_)com,
      smatyas(_at_)us(_dot_)ibm(_dot_)com, paulv(_at_)entrust(_dot_)com, merkle(_at_)parc(_dot_)xerox(_dot_)com,
      berson(_at_)anagram(_dot_)com, desmedt(_at_)uwm(_dot_)edu, rivest(_at_)theory(_dot_)lcs(_dot_)mit(_dot_)edu,
      carlisle(_dot_)adams(_at_)entrust(_dot_)com, ams(_at_)terisa(_dot_)com, ekr(_at_)rtfm(_dot_)com,
      Blake(_dot_)greenlee(_at_)greenlee(_dot_)com, cme(_at_)ACM(_dot_)ORG, bfox(_at_)microsoft(_dot_)com,
      acc(_at_)tycho(_dot_)ncsc(_dot_)mil, bschanni(_at_)BayNetworks(_dot_)com, jhs(_at_)tycho(_dot_)ncsc(_dot_)mil,
      jis(_at_)mit(_dot_)edu, pcain(_at_)bbn(_dot_)com, kent(_at_)bbn(_dot_)com, BSnow(_at_)radium(_dot_)ncsc(_dot_)mil,
      cjwagne(_at_)missi(_dot_)ncsc(_dot_)mil, balenson(_at_)tis(_dot_)com, balenson(_at_)tis(_dot_)com,
      jlinn(_at_)securitydynamics(_dot_)com, smid(_at_)csmes(_dot_)ncsl(_dot_)nist(_dot_)gov,
      daw(_at_)cs(_dot_)berkeley(_dot_)edu (bcc: Don Johnson/Certicom)
Subject:  Re: A New Triple-DES Key Wrap Algorithm




All:

After a fair amount of open and public debate, I see three approaches to
Triple-DES key wrapping.  In this note, I list all three.  To keep this
note a reasonable length, I have omitted the unwrap algorithm description.
The alternative algorithms are listed in my order of preference.  The
rationale for my ordering is complexity.  The simplest is first, and the
most complex is last.  If the simple wrap algorithm meets the requirements,
then what value does the complexity add?

The S/MIME v3 specifications will include the selected Triple-DES key wrap
algorithm as well as a variant for wrapping RC2 keys (40-128 bit keys).

Please review the algorithms.  Please do not propose improvements that are
covered by any issued or pending patents.

Thanks for your assistance,
  Russ


= = = = = = = = = =


WRAP ALGORITHM #1:  DOUBLE ENCRYPTION

A.1  Key Checksum

The CMS Checksum Algorithm is used to provide a content-encryption key
integrity check value.  The algorithm is:

1.  Compute a 20 octet SHA-1 message digest on the
    content-encryption key.
2.  Use the most significant (first) eight octets of the
    message digest value as the checksum value.

A.2  Triple-DES Key Wrap

1.  Set odd parity for each of the DES key octets comprising
    the content-encryption key.
2.  Compute an 8 octet key checksum value on the content-encryption
    key as described above.
3.  Concatenate the key checksum value and the content-encryption key.
    The result is four 8 octet blocks: B1, B2, B3, and B4.
4.  Encrypt in CBC mode the four blocks using the key-encryption key.
    Use an IV of all zeros.
5.  Reverse the order of the four ciphertext blocks.  The resulting
    order is B4, B3, B2, and B1.
6.  Encrypt the four blocks a second time.  Encrypt in CBC mode
    using the key-encryption key.  Use an IV of all zeros.


WRAP ALGORITHM #2:  MASK AND ENCRYPT

B.1  Key Checksum

The CMS Checksum Algorithm is used to provide a content-encryption key
integrity check value.  The algorithm is:

1.  Compute a 20 octet SHA-1 message digest on the
    content-encryption key.
2.  Use the most significant (first) eight octets of the
    message digest value as the checksum value.

B.2  Triple-DES Key Wrap

1.  Set odd parity for each of the DES key octets comprising
    the content-encryption key.
2.  Compute an 8 octet key checksum value on the content-encryption
    key as described above.
3.  Generate an 8 octet random number: RAND.
4.  Let H1 = SHA-1 ( RAND ).
5.  Let H2 = SHA-1 ( H1 ).
6.  Let MASK equal the most significant (first) 32 octets of H1 || H2.
7.  Let KEYICV equal the content-encryption key concatenated with
    the key checksum value.
8.  Let PLAIN = RAND || ( KEYICV XOR MASK ).
9.  Encrypt PLAIN in CBC mode using the key-encryption key.
    Use an IV of all zeros.


WRAP ALGORITHM #3:  OAEP AND ENCRYPT

C.1  Key Checksum

No explicit checksum algorithm is needed.  The OAEP processing provides
the necessary integrity.

C.2  Triple-DES Key Wrap

1.  Set odd parity for each of the DES key octets comprising
    the content-encryption key, called CEK.
2.  Let CEKPAD = 0x18 || CEK || 0x0000000000000000000000.
3.  Generate a 160-bit random value, called RAND.
4.  Let H1 = SHA-1 ( RAND || 0x01 ).
5.  Let H2 = SHA-1 ( RAND || 0x02 ).
6.  Let MASK1 equal the most significant (first) 36 octets of H1 || H2.
7.  Let MKEY = CEKPAD XOR MASK1.
8.  Let MASK2 = SHA-1 ( MKEY ).
9.  Let MRAND = MASK2 XOR RAND.
10. Let MDATA = MRAND || MKEY.
11. Encrypt MDATA with the key-encryption key and CBC mode.  Use an IV
    with each octet equal to 0xA5.  The ciphertext is 56 octets long.
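
An added example, not part of the original messages or of any S/MIME specification: steps 1-10 of Wrap Algorithm #3 in Python, producing the 56-octet MDATA that step 11 would encrypt. The Triple-DES CBC step is left out, and `recover_cek` is an assumed inverse (the message omits the unwrap description) that shows how the fixed padding in CEKPAD acts as the integrity check.

```python
import hashlib
import os

def set_odd_parity(key: bytes) -> bytes:
    """Step 1: set the low bit of each octet so the octet has odd parity."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mask1(rand: bytes) -> bytes:
    """Steps 4-6: first 36 octets of SHA-1(RAND||0x01) || SHA-1(RAND||0x02)."""
    h1 = hashlib.sha1(rand + b"\x01").digest()
    h2 = hashlib.sha1(rand + b"\x02").digest()
    return (h1 + h2)[:36]

def build_mdata(cek: bytes, rand: bytes = None) -> bytes:
    """Steps 1-10 of C.2. `rand` may be passed in for repeatable tests."""
    if len(cek) != 24:
        raise ValueError("Triple-DES CEK must be 24 octets")
    rand = os.urandom(20) if rand is None else rand        # step 3
    cekpad = b"\x18" + set_odd_parity(cek) + b"\x00" * 11  # step 2
    mkey = xor(cekpad, mask1(rand))                        # step 7
    mrand = xor(hashlib.sha1(mkey).digest(), rand)         # steps 8-9
    return mrand + mkey                                    # step 10

def recover_cek(mdata: bytes) -> bytes:
    """Assumed inverse of steps 2-10: undo both masks, then check CEKPAD."""
    if len(mdata) != 56:
        raise ValueError("MDATA must be 56 octets")
    mrand, mkey = mdata[:20], mdata[20:]
    rand = xor(hashlib.sha1(mkey).digest(), mrand)
    cekpad = xor(mkey, mask1(rand))
    cek = cekpad[1:25]
    # Any change to MDATA re-randomizes CEKPAD, so the fixed octets fail.
    if cekpad[0] != 0x18 or cekpad[25:] != b"\x00" * 11:
        raise ValueError("integrity check failed: bad CEKPAD framing")
    if set_odd_parity(cek) != cek:
        raise ValueError("integrity check failed: bad DES parity")
    return cek
```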