ietf-smime

Re: Fwd from sci.crypt: Error in RFC 3217

2007-10-03 16:45:30

On Wed, Oct 03, 2007 at 10:46:01AM +0200, Henrick Hellström wrote:
> Firstly, RFC 3217 doesn't explicitly say that the test vectors are
> generated using 40 effective key bits. Without that information the test
> vectors are not unequivocally specified. You need that piece of
> information in order to reproduce the values.

This observation is correct, based on my own testing here. In order to get the
example in section 4.4 of RFC 3217 to work correctly, you need to use an
effective key length parameter of 40 bits. The effective key length parameter
is not discussed, and it is an important input to the RC2 algorithm.

> Secondly, RFC 3217 is now part of S/MIME Charter. This charter also
> includes RFC 3370 (CMS algorithms) which refers to RFC 3217, but states
> that RC2 Key Wrap keys MUST be used with 128 effective key bits
> (parameter value 58).

I do not see this -- I see that the input key length must be 128 bits, but
there is no indication about any particular value for the effective key
length. The language I see in RFC 3370, section 4.1:

<snip>
For key agreement of RC2 key-encryption keys, 128 bits MUST be
generated as input to the key expansion process used to compute the
RC2 effective key [RC2].
</snip>

This language appears to be compatible with the language in RFC 3217. If you
have another concern in mind, let me know.

> This is a potentially serious documentation bug. Say, for instance, that
> you are programming against MS CryptoAPI in Windows 2000 or earlier,
> which had 40 effective key bits as the default for RC2. In such a case the
> test vectors in RFC 3217 *will* check out OK with default settings, and
> you might be misled to believe you have implemented RFC 3370 correctly
> even though you haven't. If the test vectors in RFC 3217 had been
> generated using 128 effective key bits, or if RFC 3217 had explicitly
> specified the use of 40 effective key bits, such errors would be a lot
> easier to spot during testing and code review.

I'm not sure, but I'd say "be careful of default parameters". Like I'm not
sure what the default IV is also, for instance.

The good news is that the test vector caught the ambiguity.

Blake
-- 
Blake Ramsdell | Sendmail, Inc. | http://www.sendmail.com
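
The point discussed in this message, as an added example that is not part of the original post or of any RFC's reference code: a minimal RC2 block cipher written from RFC 2268 that takes the effective key length as an explicit argument and reports which candidate value reproduces a published test vector. It uses a vector from RFC 2268 section 5 (not the RFC 3217 section 4.4 example, whose values are not shown here); the function names are this example's own.

```python
import struct

# PITABLE from RFC 2268, section 2.
PITABLE = bytes.fromhex(
    "d978f9c419ddb5ed28e9fd794aa0d89dc67e37832b76538e624c6488448bfba2"
    "179a59f587b34f1361456d8d09817d32bd8f40eb86b77b0bf09521225c6b4e82"
    "54d66593ce60b21c7356c014a78cf1dc1275ca1f3bbee4d1423dd430a33cb626"
    "6fbf0eda4669075727f21d9bbc944303f811c7f690ef3ee706c3d52fc8661ed7"
    "08e8eade8052eef784aa72ac354d6a2a961ad2715a1549744b9fd05e0418a4ec"
    "c2e0416e0f51cbcc2491af50a1f47039997c3a8523b8b47afc02365b25559731"
    "2d5dfa98e38a92ae05df2910676cbac9d300e6cfe19ea82c6316013f58e289a9"
    "0d38341bab33ffb0bb480c5fb9b1cd2ec5f3db47e5a59c770aa62068fe7fc1ad")

def rc2_expand_key(key, effective_bits):
    """RFC 2268 key expansion; effective_bits is the T1 parameter."""
    t, t8 = len(key), (effective_bits + 7) // 8
    tm = 0xFF >> (8 * t8 - effective_bits)
    L = bytearray(key) + bytearray(128 - t)
    for i in range(t, 128):
        L[i] = PITABLE[(L[i - 1] + L[i - t]) & 0xFF]
    L[128 - t8] = PITABLE[L[128 - t8] & tm]  # reduce to effective_bits of key
    for i in range(127 - t8, -1, -1):
        L[i] = PITABLE[L[i + 1] ^ L[i + t8]]
    return struct.unpack("<64H", bytes(L))

def rc2_encrypt_block(key, effective_bits, block):
    """Encrypt one 8-byte block (ECB) with an explicit effective key length."""
    K = rc2_expand_key(key, effective_bits)
    R, j = list(struct.unpack("<4H", block)), 0
    for rnd in range(16):
        for i, s in enumerate((1, 2, 3, 5)):  # mixing round
            v = (R[i] + K[j] + (R[i - 1] & R[i - 2]) + (~R[i - 1] & R[i - 3])) & 0xFFFF
            R[i] = ((v << s) | (v >> (16 - s))) & 0xFFFF
            j += 1
        if rnd in (4, 10):  # mashing rounds follow mixing rounds 5 and 11
            for i in range(4):
                R[i] = (R[i] + K[R[i - 1] & 63]) & 0xFFFF
    return struct.pack("<4H", *R)

def matching_effective_bits(key, plaintext, expected, candidates=(40, 64, 128)):
    """Report which effective key lengths reproduce a published vector."""
    return [b for b in candidates if rc2_encrypt_block(key, b, plaintext) == expected]

# RFC 2268 section 5 vector: 16-byte key, all-zero plaintext, 128 effective bits.
KEY = bytes.fromhex("88bca90e90875a7f0f79c384627bafb2")
CT_128 = bytes.fromhex("2269552ab0f85ca6")

if __name__ == "__main__":
    print(matching_effective_bits(KEY, bytes(8), CT_128))
```

A test harness that passes the effective key length explicitly, rather than relying on a library default, fails loudly when the default differs from what the specification requires.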
