Steve:
The X942-07 draft specifies how to generate RC2 KEKs of any length. It
uses 40 bits and 128 bits ans the explicit examples. CMS-12 syas that RC2
KEKs must be 128 bits.
I still do not see a problem.
Russ
At 06:13 PM 4/7/99 +0100, Dr Stephen Henson wrote:
Russ Housley wrote:
Steve:
CMS-12, Section 12.3.1 says:
For key agreement of RC2 key-encryption keys, 128 bits must be
generated as input to the key expansion process used to compute the
RC2 effective key [RC2].
X942-07, Section 2.1.3 says:
... For RC2-128, which
requires 128 bits of keying material, the algorithm is run once, with
a counter value of 1, and the left-most 128 bits are directly con-
verted to an RC2 key. Similarly, for RC2-40, which requires 40 bits
of keying material, the algorithm is run once, with a counter value
of 1, and the leftmost 40 bits are used as the key.
X942-07, Section 2.1.4 says:
RC2 effective key lengths are equal to RC2 real key lengths.
I think that we are consistent. CMS-12 is simply mandating that RC2 KEKs
be 128-bit keys, and X942-07 says that the effective key length cannot be
used to weaken the key.
Okay?
Hmmm I'm not so sure of this myself. I'm may have messed up the
interpretation here, in which case apologies in advance, but...
X942-07 2.1.4 appears to be saying that the effective key length and
real key length for RC2 are the same when used as a KEK algorithm. For
example 40 bit RC2 would have an effective key length of 40 bits and
have a real key length of 40 bits.
CMS 12.3.1 says 128 bits of keying material must be generated for RC2
when used as a KEK algorithm.
Combine the two and I'd interpret this to mean that the effective key
length of RC2 (and thus the actual key length) must be 128 bits when
used as a KEK algorithm. That is only 128 bit RC2 can be used as a KEK
algorithm.
That in itself isn't a problem but CMS 12.3.2 says:
12.3.3.2 RC2 Key Wrap
RC2 key encryption has the algorithm identifier:
id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }
The AlgorithmIdentifier parameter field must be RC2wrapParameter:
RC2wrapParameter ::= RC2ParameterVersion
RC2ParameterVersion ::= INTEGER
The RC2 effective-key-bits (key size) greater than 32 and less than
256 is encoded in the RC2ParameterVersion. For the effective-key-
bits of 40, 64, and 128, the rc2ParameterVersion values are 160, 120,
and 58 respectively. These values are not simply the RC2 key length.
Note that the value 160 must be encoded as two octets (00 A0),
because the one octet (A0) encoding represents a negative number.
This seems to suggest that RC2 can be used as a KEK algorithm with
effective key lengths other than 128 bits.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: shenson(_at_)drh-consultancy(_dot_)demon(_dot_)co(_dot_)uk
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: drh(_at_)celocom(_dot_)com PGP key: via homepage.