draft-ietf-smime-hmac-key-wrap-00.txt   draft-ietf-smime-hmac-key-wrap-01.txt 
S/MIME Working Group J. Schaad S/MIME Working Group J. Schaad
Internet Draft Soaring Hawk Consulting Internet Draft Soaring Hawk Consulting
draft-ietf-smime-hmac-key-wrap-00.txt R. Housley draft-ietf-smime-hmac-key-wrap-01.txt R. Housley
Category: Informational RSA Laboratories Category: Standards Vigil Security
January 2002 February 2003
Wrapping an HMAC key with a Triple-DES Key or an AES Key Wrapping an HMAC key with a Triple-DES Key or an AES Key
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of [RFC2026]. all provisions of Section 10 of [RFC2026].
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
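Review bot: The new category line in the -01 header reads "Category: Standards", which is not one of the usual category labels; if the intent is to move this document from Informational to the standards track, it should read "Category: Standards Track", and the same wording should be used in the page footers ("Schaad & Housley Standards - ...").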
skipping to change at line 51 skipping to change at line 51
encryption key (CEK) with a 3DES key-encryption key (KEK) [3DES- encryption key (CEK) with a 3DES key-encryption key (KEK) [3DES-
WRAP] and for encrypting an AES CEK with an AES KEK [AES-WRAP]. WRAP] and for encrypting an AES CEK with an AES KEK [AES-WRAP].
Triple-DES key wrap imposes parity restrictions, and in both Triple-DES key wrap imposes parity restrictions, and in both
instances there are restrictions on the size of the key being instances there are restrictions on the size of the key being
wrapped that make the encryption of HMAC [HMAC] keying material wrapped that make the encryption of HMAC [HMAC] keying material
difficult. difficult.
This document specifies a mechanism for the encryption of an HMAC This document specifies a mechanism for the encryption of an HMAC
key of arbitrary length by a 3DES KEK or an AES KEK. key of arbitrary length by a 3DES KEK or an AES KEK.
Schaad & Housley Informational - July 2002 1 Schaad & Housley Standards - July 2002 1
HMAC Key Wrap February 2002 HMAC Key Wrap February 2002
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [STDWORDS]. document are to be interpreted as described in RFC 2119 [STDWORDS].
2. HMAC Key Guidelines 2. HMAC Key Guidelines
[HMAC] suggests that the key be at least as long as the output (L) [HMAC] suggests that the key be at least as long as the output (L)
of the hash function being used. When keys longer than the block of the hash function being used. When keys longer than the block
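Review bot: The running header and footer in -01 still carry the old dates ("HMAC Key Wrap February 2002" and "July 2002"), although the document date at the top was changed from January 2002 to February 2003. Only the word "Informational" was replaced in the footer; the header and footer dates should be regenerated to match the new revision.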
skipping to change at line 103 skipping to change at line 103
7. Encrypt LKEYPADICV in CBC mode using the 3DES KEK. 7. Encrypt LKEYPADICV in CBC mode using the 3DES KEK.
Use the random value generated in the previous step as the Use the random value generated in the previous step as the
initialization vector (IV). Call the ciphertext TEMP1. initialization vector (IV). Call the ciphertext TEMP1.
8. Let TEMP2 = IV || TEMP1. 8. Let TEMP2 = IV || TEMP1.
9. Reverse the order of the octets in TEMP2. That is, the most 9. Reverse the order of the octets in TEMP2. That is, the most
significant (first) octet is swapped with the least significant significant (first) octet is swapped with the least significant
(last) octet, and so on. Call the result TEMP3. (last) octet, and so on. Call the result TEMP3.
10. Encrypt TEMP3 in CBC mode using the 3DES KEK. Use 10. Encrypt TEMP3 in CBC mode using the 3DES KEK. Use
an initialization vector (IV) of 0x4adda22c79e82105. an initialization vector (IV) of 0x4adda22c79e82105.
Schaad & Housley Informational - July 2002 2 Schaad & Housley Standards - July 2002 2
HMAC Key Wrap February 2002 HMAC Key Wrap February 2002
Note: When the same HMAC key is wrapped in different 3DES KEKs, a Note: When the same HMAC key is wrapped in different 3DES KEKs, a
fresh initialization vector (IV) must be generated for each fresh initialization vector (IV) must be generated for each
invocation of the HMAC key wrap algorithm. invocation of the HMAC key wrap algorithm.
3.2 Unwrapping an HMAC Key with a Triple-DES Key-Encryption Key 3.2 Unwrapping an HMAC Key with a Triple-DES Key-Encryption Key
This algorithm decrypts an HMAC key using a 3DES KEK. The algorithm This algorithm decrypts an HMAC key using a 3DES KEK. The algorithm
is: is:
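Review bot: The note after step 10 says a fresh IV "must be generated" in lower case, unchanged between -00 and -01. Now that the document is moving off Informational and cites RFC 2119 [STDWORDS] for its key words, this requirement should be stated as "MUST" so that it is clearly normative. IV reuse across wraps of the same HMAC key is a requirement an implementer needs to see as binding, not advisory.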
skipping to change at line 160 skipping to change at line 160
smime(16) alg(3) 11 } smime(16) alg(3) 11 }
The AlgorithmIdentifier parameter field MUST be NULL. The AlgorithmIdentifier parameter field MUST be NULL.
3.4 HMAC Key Wrap with Triple-DES Test Vector 3.4 HMAC Key Wrap with Triple-DES Test Vector
KEK : 5840df6e 29b02af1 KEK : 5840df6e 29b02af1
: ab493b70 5bf16ea1 : ab493b70 5bf16ea1
: ae8338f4 dcc176a8 : ae8338f4 dcc176a8
Schaad & Housley Informational - July 2002 3 Schaad & Housley Standards - July 2002 3
HMAC Key Wrap February 2002 HMAC Key Wrap February 2002
HMAC_KEY : c37b7e64 92584340 HMAC_KEY : c37b7e64 92584340
: bed12207 80894115 : bed12207 80894115
: 5068f738 : 5068f738
IV : 050d8c79 e0d56b75 IV : 050d8c79 e0d56b75
PAD : 38be62 PAD : 38be62
skipping to change at line 216 skipping to change at line 216
This algorithm encrypts an HMAC key with an AES KEK. The algorithm This algorithm encrypts an HMAC key with an AES KEK. The algorithm
is: is:
1. Let the HMAC key be called KEY, and let the length of KEY in 1. Let the HMAC key be called KEY, and let the length of KEY in
octets be called LENGTH. LENGTH is a single octet. octets be called LENGTH. LENGTH is a single octet.
2. Let LKEY = LENGTH || KEY. 2. Let LKEY = LENGTH || KEY.
3. Let LKEYPAD = LKEY || PAD. If the length of LKEY is a multiple 3. Let LKEYPAD = LKEY || PAD. If the length of LKEY is a multiple
of 8, the PAD has a length of zero. If the length of LKEY is of 8, the PAD has a length of zero. If the length of LKEY is
Schaad & Housley Informational - July 2002 4 Schaad & Housley Standards - July 2002 4
HMAC Key Wrap February 2002 HMAC Key Wrap February 2002
not a multiple of 8, then PAD contains the fewest number of not a multiple of 8, then PAD contains the fewest number of
random octets to make the length of LKEYPAD a multiple of 8. random octets to make the length of LKEYPAD a multiple of 8.
4. Encrypt LKEYPAD using the AES key wrap algorithm specified in 4. Encrypt LKEYPAD using the AES key wrap algorithm specified in
section 2.2.1 of [AES-WRAP], using the AES KEK as the encryption section 2.2.1 of [AES-WRAP], using the AES KEK as the encryption
key. The result is 8 octets longer than LKEYPAD. key. The result is 8 octets longer than LKEYPAD.
4.2 Unwrapping an HMAC Key with an AES Key 4.2 Unwrapping an HMAC Key with an AES Key
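Review bot: Step 1 of the AES wrap states that "LENGTH is a single octet", which caps the HMAC key at 255 octets, while the introduction says the mechanism encrypts "an HMAC key of arbitrary length". The text is unchanged in -01; one of the two statements should be adjusted, and the wrap procedure should say what an implementation does when handed a key longer than 255 octets (reject it rather than truncate the length octet).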
skipping to change at line 273 skipping to change at line 273
PAD : 050d8c PAD : 050d8c
LKEYPAD : 14c37b7e 64925843 LKEYPAD : 14c37b7e 64925843
: 40bed122 07808941 : 40bed122 07808941
: 155068f7 38050d8c : 155068f7 38050d8c
Wrapped Key : 9fa0c146 5291ea6d Wrapped Key : 9fa0c146 5291ea6d
: b55360c6 cb95123c : b55360c6 cb95123c
Schaad & Housley Informational - July 2002 5 Schaad & Housley Standards - July 2002 5
HMAC Key Wrap February 2002 HMAC Key Wrap February 2002
: d47b38cc e84dd804 : d47b38cc e84dd804
: fbcec5e3 75c3cb13 : fbcec5e3 75c3cb13
5. Security Considerations 5. Security Considerations
Implementations must protect the key-encryption key (KEK). Implementations must protect the key-encryption key (KEK).
Compromise of the KEK may result in the disclosure of all HMAC keys Compromise of the KEK may result in the disclosure of all HMAC keys
that have been wrapped with the KEK, which may lead to loss of data that have been wrapped with the KEK, which may lead to loss of data
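Review bot: The page break falls inside the "Wrapped Key" value of the AES test vector (two rows before the footer, two after), and section 3.4 has the same problem between KEK and HMAC_KEY. Since -01 only touches the footer text here, the layout was carried over; keeping each test vector on a single page would make it harder to mis-copy when validating an implementation. The values themselves are consistent with the text: LKEYPAD is 24 octets and the wrapped key shown is 32 octets, 8 octets longer as step 4 requires.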
skipping to change at line 307 skipping to change at line 307
RFC 1750 [RANDOM] offers important guidance in this area, and RFC 1750 [RANDOM] offers important guidance in this area, and
Appendix 3 of FIPS Pub 186 [DSS] provides one quality PRNG Appendix 3 of FIPS Pub 186 [DSS] provides one quality PRNG
technique. technique.
The key wrap algorithms specified in this document have been The key wrap algorithms specified in this document have been
reviewed for use with Triple-DES and AES, and they have not been reviewed for use with Triple-DES and AES, and they have not been
reviewed for use with other encryption algorithms. reviewed for use with other encryption algorithms.
6. References 6. References
This section provides normative and informative references.
6.1 Normative References
3DES American National Standards Institute. ANSI X9.52-1998, 3DES American National Standards Institute. ANSI X9.52-1998,
Triple Data Encryption Algorithm Modes of Operation. Triple Data Encryption Algorithm Modes of Operation.
1998. 1998.
3DES-WRAP Housley, R., Triple-DES and RC2 Key Wrapping. RFC 3217. 3DES-WRAP Housley, R., Triple-DES and RC2 Key Wrapping. RFC 3217.
December 2001. December 2001.
AES National Institute of Standards and Technology. AES National Institute of Standards and Technology.
FIPS Pub 197: Advanced Encryption Standard (AES). FIPS Pub 197: Advanced Encryption Standard (AES).
26 November 2001. 26 November 2001.
AES-WRAP Schaad, J., R. Housley, AES Key Wrap Algorithm, AES-WRAP Schaad, J., R. Housley, AES Key Wrap Algorithm,
draft-ietf-smime-aes-wrap-00.txt. draft-ietf-smime-aes-wrap-00.txt.
DSS National Institute of Standards and Technology.
FIPS Pub 186: Digital Signature Standard. 19 May 1994.
HMAC Krawczyk, H., M. Bellare, and R. Canetti. HMAC: Keyed- HMAC Krawczyk, H., M. Bellare, and R. Canetti. HMAC: Keyed-
Hashing for Message Authentication. RFC 2104. Hashing for Message Authentication. RFC 2104.
February 1997. February 1997.
RANDOM Eastlake, D., S. Crocker, and J. Schiller. Randomness STDWORDS Bradner, S., "Key words for use in RFCs to Indicate
Recommendations for Security. RFC 1750. December 1994.
Schaad & Housley Informational - July 2002 6 Schaad & Housley Standards - July 2002 6
HMAC Key Wrap February 2002 HMAC Key Wrap February 2002
Requirement Levels", BCP 14, RFC 2119, March 1997
6.2 Informative References
DSS National Institute of Standards and Technology.
FIPS Pub 186: Digital Signature Standard. 19 May 1994.
RANDOM Eastlake, D., S. Crocker, and J. Schiller. Randomness
Recommendations for Security. RFC 1750. December 1994.
RFC2026 Bradner, S., "The Internet Standards Process - Revision RFC2026 Bradner, S., "The Internet Standards Process - Revision
3", BCP 9, RFC 2026, October 1996. 3", BCP 9, RFC 2026, October 1996.
STDWORDS Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997
X.208-88 CCITT. Recommendation X.208: Specification of Abstract X.208-88 CCITT. Recommendation X.208: Specification of Abstract
Syntax Notation One (ASN.1). 1988. Syntax Notation One (ASN.1). 1988.
X.209-88 CCITT. Recommendation X.209: Specification of Basic X.209-88 CCITT. Recommendation X.209: Specification of Basic
Encoding Rules for Abstract Syntax Notation One (ASN.1). Encoding Rules for Abstract Syntax Notation One (ASN.1).
1988. 1988.
7. Author's Addresses 7. Author's Addresses
Jim Schaad Jim Schaad
Soaring Hawk Consulting Soaring Hawk Consulting
Email: jimsch@exmsft.com Email: jimsch@exmsft.com
Russell Housley Russell Housley
RSA Laboratories Vigil Security
918 Spring Knoll Drive 918 Spring Knoll Drive
Herndon, VA 20170 Herndon, VA 20170
USA USA
Email: rhousley@rsasecurity.com Email: housley@vigilsec.com
Schaad & Housley Informational - July 2002 7 Schaad & Housley Standards - July 2002 7
HMAC Key Wrap February 2002 HMAC Key Wrap February 2002
Full Copyright Statement Full Copyright Statement
"Copyright (C) The Internet Society 2002. All Rights Reserved. "Copyright (C) The Internet Society 2002. All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
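Review bot: In the new "6.1 Normative References", the AES-WRAP entry still points to draft-ietf-smime-aes-wrap-00.txt. A standards-track document should not carry a normative reference to an Internet-Draft; the AES Key Wrap algorithm was published as RFC 3394, and section 4.1 step 4 depends on "section 2.2.1 of [AES-WRAP]", so both the reference and the section number should be checked against the RFC. Separately, the copyright line in this region still reads "The Internet Society 2002" in a revision dated February 2003.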
skipping to change at line 386 skipping to change at line 393
the copyright notice or references to the Internet Society or other the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than followed, or as required to translate it into languages other than
English. English.
The limited permissions granted above are perpetual and will not be The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. revoked by the Internet Society or its successors or assigns.
Schaad & Housley Informational - July 2002 8 Schaad & Housley Standards - July 2002 8
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/