ietf-smime

Re: Fwd from sci.crypt: Error in RFC 3217

2007-10-03 02:26:42

Hi,

The problem has two sides.

Firstly, RFC 3217 doesn't explicitly say that the test vectors are
generated using 40 effective key bits. Without that information the test
vectors are not unequivocally specified. You need that piece of
information in order to reproduce the values.

Secondly, RFC 3217 is now part of the S/MIME Charter. This charter also
includes RFC 3370 (CMS algorithms) which refers to RFC 3217, but states
that RC2 Key Wrap keys MUST be used with 128 effective key bits
(parameter value 58).

This is a potentially serious documentation bug. Say, for instance, that
you are programming against MS CryptoAPI in Windows 2000 or earlier,
which had 40 effective key bits as the default for RC2. In such a case the
test vectors in RFC 3217 *will* check out OK with default settings, and
you might be misled to believe you have implemented RFC 3370 correctly
even though you haven't. If the test vectors in RFC 3217 had been
generated using 128 effective key bits, or if RFC 3217 had explicitly
specified the use of 40 effective key bits, such errors would be a lot
easier to spot during testing and code review.

Hope that makes my case clear.

P.S. Why doesn't *this* list accept S/MIME signed email? ;) D.S.

Paul Hoffman wrote:
[[ Never hurts to ask the original poster ... ]]

At 4:37 PM -0400 10/2/07, Russ Housley wrote:
I asked a developer to take a look, and they are unable to figure out
what the problem is.  More information is needed to confirm.

Russ

At 11:21 PM 9/25/2007, Peter Gutmann wrote:

-- Snip --

From:  henrick(_at_)streamsec(_dot_)se
Newsgroups: sci.crypt
Subject: Error in RFC 3217
Date: Wed, 01 Aug 2007 11:54:13 -0700

There is an error in the test vectors for RC2 Key Wrap given in RFC
3217. The specification states that RC2 should be used with a 128 bit
key and 128 effective key bits. The test vectors are however generated
using RC2 with a 128 bit key but only 40 effective key bits (which BTW
was the default for MS CryptoAPI prior to Windows XP).

I don't know if R. Housley is reading these groups, but clearly this
is an error that should be corrected.

The algorithms specified in RFC 3217 are primarily used for S/MIME. If
you have ever used S/MIME for encrypting email using a certificate
with a DH public key and the RC2-CBC encryption algorithm, chances are
you only got 40 bits of security even if you opted for 128 bit
encryption.
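
Added example (not part of the original thread or of either RFC): the RFC 2268 key expansion in Python, showing that one 128-bit key gives different RC2 key schedules at 40 and 128 effective key bits, and that a 40-bit schedule is fully determined by its last 5 bytes. The sample key, the function names and the scaled-down count at 8 effective bits are assumptions made for illustration.

```python
import random

# PITABLE from RFC 2268, section 2 (a fixed permutation of 0..255).
PITABLE = bytes.fromhex(
    "d978f9c419ddb5ed28e9fd794aa0d89dc67e37832b76538e624c6488448bfba2"
    "179a59f587b34f1361456d8d09817d32bd8f40eb86b77b0bf09521225c6b4e82"
    "54d66593ce60b21c7356c014a78cf1dc1275ca1f3bbee4d1423dd430a33cb626"
    "6fbf0eda4669075727f21d9bbc944303f811c7f690ef3ee706c3d52fc8661ed7"
    "08e8eade8052eef784aa72ac354d6a2a961ad2715a1549744b9fd05e0418a4ec"
    "c2e0416e0f51cbcc2491af50a1f47039997c3a8523b8b47afc02365b25559731"
    "2d5dfa98e38a92ae05df2910676cbac9d300e6cfe19ea82c6316013f58e289a9"
    "0d38341bab33ffb0bb480c5fb9b1cd2ec5f3db47e5a59c770aa62068fe7fc1ad")

def rc2_expand_key(key: bytes, effective_bits: int) -> bytes:
    """RFC 2268 key expansion: returns the 128-byte schedule L[0..127]."""
    t = len(key)
    if not 1 <= t <= 128 or not 1 <= effective_bits <= 1024:
        raise ValueError("key must be 1..128 bytes, effective bits 1..1024")
    t8 = (effective_bits + 7) // 8            # T8: effective key length in bytes
    tm = 0xFF >> (8 * t8 - effective_bits)    # TM: mask for the top effective byte
    L = bytearray(key) + bytearray(128 - t)
    for i in range(t, 128):                   # phase 1: stretch key to 128 bytes
        L[i] = PITABLE[(L[i - 1] + L[i - t]) & 0xFF]
    L[128 - t8] = PITABLE[L[128 - t8] & tm]   # phase 2: reduce to effective_bits
    for i in range(127 - t8, -1, -1):
        L[i] = PITABLE[L[i + 1] ^ L[i + t8]]
    return bytes(L)

def rebuild_from_tail(tail: bytes) -> bytes:
    """Recompute the whole schedule from its last T8 bytes alone."""
    t8 = len(tail)
    L = bytearray(128 - t8) + bytearray(tail)
    for i in range(127 - t8, -1, -1):
        L[i] = PITABLE[L[i + 1] ^ L[i + t8]]
    return bytes(L)

def distinct_schedules(effective_bits: int, samples: int = 2000) -> int:
    """Count distinct schedules over random 128-bit keys (fixed seed)."""
    rng = random.Random(3217)
    keys = (bytes(rng.getrandbits(8) for _ in range(16)) for _ in range(samples))
    return len({rc2_expand_key(k, effective_bits) for k in keys})

KEY = bytes(range(16))  # constructed 128-bit sample key, not an RFC test vector

if __name__ == "__main__":
    s40, s128 = rc2_expand_key(KEY, 40), rc2_expand_key(KEY, 128)
    print("40-bit and 128-bit schedules differ:", s40 != s128)
    print("40-bit schedule follows from 5 bytes:", rebuild_from_tail(s40[-5:]) == s40)
    print("distinct at 8 / 128 bits:", distinct_schedules(8), distinct_schedules(128))
```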


