Peter,
Sorry about taking so long to reply, but between the Olympics and
getting a house built I have running short on time.
It is true that the wrapping algorithm in RFC 3211 exists and could be
used for the HMAC wrapping process. However the pure Triple-DES wrap
algorithm was required to implement CMS, and it is still a required
algorithm for impliementing Diffie-Hellman key management in the cmsalg.
Given that it is a required algorithm, it seems to be a good base to
expand on.
The AES key wrap algorithm is currently on track to become the standard
key wrap algorithm for use with AES. Again, given that it is expected
to be the standard algorithm, it seems to be a good base to expand on.
I personally have some security reservations about the key wrap
algorithm given in RFC 3211. Triple-DES key wrap received significant
peer review. You may recall that Burt Kaliski found a flaw with the
algorithm that was originally proposed. The Triple-DES key wrap was the
result of about six months of discussion with many people in the crypto
community. I have seen numerous comments since it was published that
people don't like it for aestetic reasons, but nobody has attacked it on
security reasons. The AES key wrap algorithm was put out by NIST and
they have had a good track record of publishing secure algorithms.
I would like to hear of more security review on the the algorithm in RFC
3211 before I made any strong ties to it. I would actually be more
inclined to use the AES key wrap algorithm as a base for a general
algorithm that that in RFC 3211.
Jim
-----Original Message-----
From: owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-smime(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Peter
Gutmann
Sent: Thursday, February 07, 2002 8:08 PM
To: ietf-smime(_at_)imc(_dot_)org
Subject: Re: I-D ACTION:draft-ietf-smime-hmac-key-wrap-00.txt
The key wrap algorithms defined in [3DES-WRAP] and
[AES-WRAP] cover the of
wrapping a Triple-DES key with another Triple-DES key and
wrapping an AES key
with another AES key, respectively. This document specifies
two similar
mechanisms. One specifies the mechanism for wrapping an
HMAC key with a
Triple-DES key, and the other specifies the mechanism for
wrapping an HMAC key
with an AES key.
Given that RFC 3211 specifies a universal algorithm for
wrapping any key in any
other key, is there any need to create special-case x-in-y
wrap RFCs of this
kind? This draft seems entirely superfluous, since a
standards-track RFC
containing an algorithm which does what's in the draft already exists.
Peter.