[Top] [All Lists]

Re: Protocol Action: Wrapping an HMAC key with a Triple-DES Key or an AES Key to Proposed Standard

2003-04-10 10:01:09


>This document defines a mechanism for "wrapping" (aka encrypting) an HMAC key
>with either Triple-DES or the Advanced Encryption Standard (AES). Standards
>already exist for wrapping Triple-DES keys in Triple-DES and AES keys in AES. >However no standard exists for wrapping HMAC keys, which is what this document

Actually a standard does exist for wrapping HMAC keys with any kind of key,
formerly RFC 3211, now a part of RFC 3369.  This was pointed out over a year
ago during the draft process, but ignored by the RFC authors.  So now we have
two incompatible ways to wrap HMAC keys, one in RFC 3369, the other in this
new RFC.

Ignored is not a correct characterization. I recall a discussion on the S/MIME list.

The protocol includes an algorithm identifier that tells the recipient which of the algorithms was employed by the originator. So, I take issue with your characterization of the incompatibility. Certainly, the two algorithms generate different outputs, and both the originator and the recipient need to implement the same algorithm to achieve interoperability.

As I recall, without searching the mail list archive, no one else voiced a concern about publishing a second wrapping technique. Several people voiced approval for alignment with the NIST AES Key Wrap algorithm. And, as is often the case in these matters, many people voiced no opinion one way or the other.

As working group chair at the time, I made the decision to proceed, after a brief verbal consultation with the Security Area Director. I still believe that the right decision was made.