ietf-smime

Re: Fwd from sci.crypt: Error in RFC 3217

2007-10-03 16:58:48

Blake Ramsdell wrote:
> This observation is correct, based on my own testing here. In order to get the
> example in section 4.4 of RFC 3217 to work correctly, you need to use an
> effective key length parameter of 40 bits. The effective key length parameter
> is not discussed, and it is an important input to the RC2 algorithm.

Thanks for confirming this.

> I do not see this -- I see that the input key length must be 128 bits, but
> there is no indication about any particular value for the effective key
> length. The language I see in RFC 3370, section 4.1:
>
> <snip>
> For key agreement of RC2 key-encryption keys, 128 bits MUST be
> generated as input to the key expansion process used to compute the
> RC2 effective key [RC2].
> </snip>
>
> This language appears to be compatible with the language in RFC 3217. If you
> have another concern in mind, let me know.

Wrong section. You should be looking at RFC 3370, section 4.3.2:

<snip>
RC2 128-bit keys MUST be used as key-encryption keys, and they MUST be
used with the RC2ParameterVersion parameter set to 58.
</snip>

The RC2ParameterVersion parameter value of 58 is the encoding of 128 
Effective Key Bits. Hence, this is mandatory.

> I'm not sure, but I'd say "be careful of default parameters". Like I'm not
> sure what the default IV is also, for instance.
>
> The good news is that the test vector caught the ambiguity.

I strongly disagree. The test vectors did absolutely not catch the 
ambiguity. The test vectors increased the ambiguity because they didn't 
say that they would only work with implementations that used 40 
effective key bits by default. In fact, the only ones who have 
successfully implemented RC Key Wrap so far are likely to be developers 
who were programming against older versions of MS CryptoAPI and were 
blissfully oblivious about the EKBParameter of RC2.

Programmers like me and a bunch of others who were aware of all details 
of the RC2 algorithm, as well as the necessity of testing 
implementations against test vectors and reading RFCs to the letter, 
have not caught the ambiguity but simply left the RC2 Key Wrap algorithm 
unimplemented. You can't find it in our library. You can't find it in 
Crypto++. You can't find it in OpenSSL. You can however find it in some 
libraries that link to the MS CryptoAPI.
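
The thread above turns on RC2's effective key bits parameter. As an added example (not part of the original message, nor code from any library it names), this Python implementation of the RFC 2268 key expansion and block encryption encrypts one block under the same 128-bit key for each effective key length that RC2ParameterVersion 160, 120 and 58 encode. The key and all-zero plaintext are taken from the RFC 2268 test vectors; the function names are chosen here.

```python
import struct

# RC2 PITABLE from RFC 2268, section 2 (a fixed permutation of 0..255).
PITABLE = bytes.fromhex(
    "d978f9c419ddb5ed28e9fd794aa0d89dc67e37832b76538e624c6488448bfba2"
    "179a59f587b34f1361456d8d09817d32bd8f40eb86b77b0bf09521225c6b4e82"
    "54d66593ce60b21c7356c014a78cf1dc1275ca1f3bbee4d1423dd430a33cb626"
    "6fbf0eda4669075727f21d9bbc944303f811c7f690ef3ee706c3d52fc8661ed7"
    "08e8eade8052eef784aa72ac354d6a2a961ad2715a1549744b9fd05e0418a4ec"
    "c2e0416e0f51cbcc2491af50a1f47039997c3a8523b8b47afc02365b25559731"
    "2d5dfa98e38a92ae05df2910676cbac9d300e6cfe19ea82c6316013f58e289a9"
    "0d38341bab33ffb0bb480c5fb9b1cd2ec5f3db47e5a59c770aa62068fe7fc1ad")
# RC2ParameterVersion -> effective key bits (RFC 2268, section 6).
EKB_FOR_VERSION = {160: 40, 120: 64, 58: 128}

def expand_key(key: bytes, effective_bits: int) -> list:
    """Expand key to 64 16-bit words, then reduce it to effective_bits of strength."""
    t, t8 = len(key), (effective_bits + 7) // 8
    tm = 255 % (1 << (8 + effective_bits - 8 * t8))
    L = bytearray(key) + bytearray(128 - t)
    for i in range(t, 128):
        L[i] = PITABLE[(L[i - 1] + L[i - t]) & 0xFF]
    L[128 - t8] = PITABLE[L[128 - t8] & tm]      # this step depends on effective_bits
    for i in range(127 - t8, -1, -1):
        L[i] = PITABLE[L[i + 1] ^ L[i + t8]]
    return list(struct.unpack("<64H", L))

def encrypt_block(key: bytes, effective_bits: int, block: bytes) -> bytes:
    """Encrypt one 8-byte block: 5 mixing rounds, mash, 6 mixing, mash, 5 mixing."""
    K, R, j = expand_key(key, effective_bits), list(struct.unpack("<4H", block)), 0
    for rounds in (5, 6, 5):
        for _ in range(rounds):
            for i, s in enumerate((1, 2, 3, 5)):
                v = (R[i] + K[j] + (R[i - 1] & R[i - 2]) + (~R[i - 1] & R[i - 3])) & 0xFFFF
                R[i] = ((v << s) | (v >> (16 - s))) & 0xFFFF
                j += 1
        if j < 64:                               # mash after the 5th and 11th mixing rounds
            for i in range(4):
                R[i] = (R[i] + K[R[i - 1] & 63]) & 0xFFFF
    return struct.pack("<4H", *R)

def compare_effective_bits(key: bytes, block: bytes) -> dict:
    """Ciphertext (hex) of one block under the same key, per RC2ParameterVersion."""
    return {v: encrypt_block(key, ekb, block).hex() for v, ekb in EKB_FOR_VERSION.items()}

if __name__ == "__main__":
    key = bytes.fromhex("88bca90e90875a7f0f79c384627bafb2")  # key from RFC 2268 test vectors
    for version, ct in compare_effective_bits(key, bytes(8)).items():
        print(f"RC2ParameterVersion {version:3} (ekb {EKB_FOR_VERSION[version]:3}): {ct}")
```

An implementation whose RC2 default is 40 effective key bits and one that follows the RC2ParameterVersion of 58 produce different ciphertext from the same 128-bit key, so a test vector only pins the behaviour down when it states the effective key bits it was generated with.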
