draft-ietf-smime-hmac-key-wrap-01.txt | draft-ietf-smime-hmac-key-wrap-02.txt | |||
---|---|---|---|---|

S/MIME Working Group J. Schaad | S/MIME Working Group J. Schaad | |||

Internet Draft Soaring Hawk Consulting | Internet Draft Soaring Hawk Consulting | |||

draft-ietf-smime-hmac-key-wrap-01.txt R. Housley | draft-ietf-smime-hmac-key-wrap-02.txt R. Housley | |||

Category: Standards Vigil Security | Category: Standards Vigil Security | |||

February 2003 | February 2003 | |||

Wrapping an HMAC key with a Triple-DES Key or an AES Key | Wrapping an HMAC key with a Triple-DES Key or an AES Key | |||

Status of this Memo | Status of this Memo | |||

This document is an Internet-Draft and is in full conformance with | This document is an Internet-Draft and is in full conformance with | |||

all provisions of Section 10 of [RFC2026]. | all provisions of Section 10 of [RFC2026]. | |||

skipping to change at line 30 | skipping to change at line 30 | |||

documents at any time. It is inappropriate to use Internet- Drafts | documents at any time. It is inappropriate to use Internet- Drafts | |||

as reference material or to cite them other than as "work in | as reference material or to cite them other than as "work in | |||

progress." | progress." | |||

The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||

http://www.ietf.org/ietf/1id-abstracts.txt | http://www.ietf.org/ietf/1id-abstracts.txt | |||

The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||

http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||

Abstract | Abstract | |||

The key wrap algorithms defined in [3DES-WRAP] and [AES-WRAP] cover | This document defines two methods for wrapping an HMAC (Hashed | |||

the of wrapping a Triple-DES key with another Triple-DES key and | Message Authentication Code) key. The first method defined uses a | |||

wrapping an AES key with another AES key, respectively. This | Triple DES (Data Encryption Standard) key to encrypt the HMAC key. | |||

document specifies two similar mechanisms. One specifies the | The second method defined uses an AES (Advanced Encryption Standard) | |||

mechanism for wrapping an HMAC key with a Triple-DES key, and the | key to encrypt the HMAC key. One place that such an algorithm is | |||

other specifies the mechanism for wrapping an HMAC key with an AES | used is for the Authenticated Data type in CMS (Cryptographic | |||

key. | Message Syntax). | |||

1. Introduction | 1. Introduction | |||

Standard methods exist for encrypting a Triple-DES (3DES) content- | Standard methods exist for encrypting a Triple-DES (3DES) content- | |||

encryption key (CEK) with a 3DES key-encryption key (KEK) [3DES- | encryption key (CEK) with a 3DES key-encryption key (KEK) [3DES- | |||

WRAP] and for encrypting an AES CEK with an AES KEK [AES-WRAP]. | WRAP] and for encrypting an AES CEK with an AES KEK [AES-WRAP]. | |||

Triple-DES key wrap imposes parity restrictions, and in both | Triple-DES key wrap imposes parity restrictions, and in both | |||

instances there are restrictions on the size of the key being | instances there are restrictions on the size of the key being | |||

wrapped that make the encryption of HMAC [HMAC] keying material | wrapped that make the encryption of HMAC [HMAC] keying material | |||

difficult. | difficult. | |||
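
Review bot: the rewritten abstract in -02 spells the cipher "Triple DES" (and expands it as "Triple DES (Data Encryption Standard)"), while the title and Section 1 on both sides keep the hyphenated "Triple-DES". Use one spelling throughout. The closing sentence "One place that such an algorithm is used is for the Authenticated Data type in CMS" would also read better as a direct statement, for example that the Authenticated Data type in CMS is one use of these algorithms.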

skipping to change at line 77 | skipping to change at line 77 | |||

3. HMAC Key Wrapping and Unwrapping with Triple-DES | 3. HMAC Key Wrapping and Unwrapping with Triple-DES | |||

This section specifies the algorithms for wrapping and unwrapping an | This section specifies the algorithms for wrapping and unwrapping an | |||

HMAC key with a 3DES KEK [3DES]. | HMAC key with a 3DES KEK [3DES]. | |||

The 3DES wrapping of HMAC keys is based on the algorithm defined in | The 3DES wrapping of HMAC keys is based on the algorithm defined in | |||

Section 3 of [3DES-WRAP]. The major differences are due to the fact | Section 3 of [3DES-WRAP]. The major differences are due to the fact | |||

that an HMAC key is variable length and the HMAC key has no | that an HMAC key is variable length and the HMAC key has no | |||

particular parity. | particular parity. | |||

In the algorithm description, "a || b" is used to represent 'a' | ||||

concatenated with 'b'. | ||||

3.1 Wrapping an HMAC Key with a Triple-DES Key-Encryption Key | 3.1 Wrapping an HMAC Key with a Triple-DES Key-Encryption Key | |||

This algorithm encrypts an HMAC key with a 3DES KEK. The algorithm | This algorithm encrypts an HMAC key with a 3DES KEK. The algorithm | |||

is: | is: | |||

1. Let the HMAC key be called KEY, and let the length of KEY in | 1. Let the HMAC key be called KEY, and let the length of KEY in | |||

octets be called LENGTH. LENGTH is a single octet. | octets be called LENGTH. LENGTH is a single octet. | |||

2. Let LKEY = LENGTH || KEY. | 2. Let LKEY = LENGTH || KEY. | |||

3. Let LKEYPAD = LKEY || PAD. If the length of LKEY is a multiple | 3. Let LKEYPAD = LKEY || PAD. If the length of LKEY is a multiple | |||

of 8, the PAD has a length of zero. If the length of LKEY is | of 8, the PAD has a length of zero. If the length of LKEY is | |||
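
Review bot: the notation sentence placed ahead of 3.1 ('"a || b" is used to represent 'a' concatenated with 'b'') appears again, word for word, in the introduction to Section 4. The change headers confirm it is new text, since the next hunk starts at line 158 on one side and line 161 on the other. Define the operator once, in a notation paragraph before Section 3, so that steps 2 and 3 of both 3.1 and 4.1 rely on a single definition and the two copies cannot drift apart in a later revision.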

skipping to change at line 158 | skipping to change at line 161 | |||

id-alg-HMACwith3DESwrap OBJECT IDENTIFIER ::= { iso(1) | id-alg-HMACwith3DESwrap OBJECT IDENTIFIER ::= { iso(1) | |||

member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) | member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) | |||

smime(16) alg(3) 11 } | smime(16) alg(3) 11 } | |||

The AlgorithmIdentifier parameter field MUST be NULL. | The AlgorithmIdentifier parameter field MUST be NULL. | |||

3.4 HMAC Key Wrap with Triple-DES Test Vector | 3.4 HMAC Key Wrap with Triple-DES Test Vector | |||

KEK : 5840df6e 29b02af1 | KEK : 5840df6e 29b02af1 | |||

: ab493b70 5bf16ea1 | : ab493b70 5bf16ea1 | |||

: ae8338f4 dcc176a8 | ||||

Schaad & Housley Standards - July 2002 3 | Schaad & Housley Standards - July 2002 3 | |||

HMAC Key Wrap February 2002 | HMAC Key Wrap February 2002 | |||

: ae8338f4 dcc176a8 | ||||

HMAC_KEY : c37b7e64 92584340 | HMAC_KEY : c37b7e64 92584340 | |||

: bed12207 80894115 | : bed12207 80894115 | |||

: 5068f738 | : 5068f738 | |||

IV : 050d8c79 e0d56b75 | IV : 050d8c79 e0d56b75 | |||

PAD : 38be62 | PAD : 38be62 | |||

ICV : 1f363a31 cdaa9037 | ICV : 1f363a31 cdaa9037 | |||
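
Review bot: the running page footer and header inside this hunk still read "Schaad & Housley Standards - July 2002" and "HMAC Key Wrap February 2002", while the first page of both versions is dated February 2003. Regenerate the headers and footers from the front-page date so the draft carries one consistent date. The only change visible in this test vector is the third KEK line moving across the page break, so the vector values themselves are untouched.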

skipping to change at line 205 | skipping to change at line 209 | |||

4. HMAC Key Wrapping and Unwrapping with AES | 4. HMAC Key Wrapping and Unwrapping with AES | |||

This section specifies the algorithms for wrapping and unwrapping an | This section specifies the algorithms for wrapping and unwrapping an | |||

HMAC key with an AES KEK [AES-WRAP]. | HMAC key with an AES KEK [AES-WRAP]. | |||

The AES wrapping of HMAC keys is based on the algorithm defined in | The AES wrapping of HMAC keys is based on the algorithm defined in | |||

[AES-WRAP]. The major difference is inclusion of padding due to the | [AES-WRAP]. The major difference is inclusion of padding due to the | |||

fact that the length of an HMAC key may not be a multiple of 64 | fact that the length of an HMAC key may not be a multiple of 64 | |||

bits. | bits. | |||

In the algorithm description, "a || b" is used to represent 'a' | ||||

concatenated with 'b'. | ||||

4.1 Wrapping an HMAC Key with an AES Key-Encryption Key | 4.1 Wrapping an HMAC Key with an AES Key-Encryption Key | |||

This algorithm encrypts an HMAC key with an AES KEK. The algorithm | This algorithm encrypts an HMAC key with an AES KEK. The algorithm | |||

is: | is: | |||

1. Let the HMAC key be called KEY, and let the length of KEY in | 1. Let the HMAC key be called KEY, and let the length of KEY in | |||

octets be called LENGTH. LENGTH is a single octet. | ||||

2. Let LKEY = LENGTH || KEY. | ||||

3. Let LKEYPAD = LKEY || PAD. If the length of LKEY is a multiple | ||||

of 8, the PAD has a length of zero. If the length of LKEY is | ||||

Schaad & Housley Standards - July 2002 4 | Schaad & Housley Standards - July 2002 4 | |||

HMAC Key Wrap February 2002 | HMAC Key Wrap February 2002 | |||

octets be called LENGTH. LENGTH is a single octet. | ||||

2. Let LKEY = LENGTH || KEY. | ||||

3. Let LKEYPAD = LKEY || PAD. If the length of LKEY is a multiple | ||||

of 8, the PAD has a length of zero. If the length of LKEY is | ||||

not a multiple of 8, then PAD contains the fewest number of | not a multiple of 8, then PAD contains the fewest number of | |||

random octets to make the length of LKEYPAD a multiple of 8. | random octets to make the length of LKEYPAD a multiple of 8. | |||

4. Encrypt LKEYPAD using the AES key wrap algorithm specified in | 4. Encrypt LKEYPAD using the AES key wrap algorithm specified in | |||

section 2.2.1 of [AES-WRAP], using the AES KEK as the encryption | section 2.2.1 of [AES-WRAP], using the AES KEK as the encryption | |||

key. The result is 8 octets longer than LKEYPAD. | key. The result is 8 octets longer than LKEYPAD. | |||

4.2 Unwrapping an HMAC Key with an AES Key | 4.2 Unwrapping an HMAC Key with an AES Key | |||

The AES key unwrap algorithm decrypts an HMAC key using an AES KEK. | The AES key unwrap algorithm decrypts an HMAC key using an AES KEK. | |||

The AES key unwrap algorithm is: | The AES key unwrap algorithm is: | |||
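
Review bot: step 1 of 4.1 states "LENGTH is a single octet", which caps KEY at 255 octets, but steps 1 to 4 as shown do not say what a wrapper must do when handed a longer key. Add an explicit requirement at step 1, for example that keys longer than 255 octets MUST be rejected, and apply the same wording to step 1 of 3.1. Because step 3 fills PAD with random octets, it is also worth confirming that the unwrap procedure below validates LENGTH against the size of the decrypted LKEYPAD rather than expecting any particular PAD value.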

skipping to change at line 268 | skipping to change at line 275 | |||

: ae8338f4 dcc176a8 | : ae8338f4 dcc176a8 | |||

HMAC_KEY : c37b7e64 92584340 | HMAC_KEY : c37b7e64 92584340 | |||

: bed12207 80894115 | : bed12207 80894115 | |||

: 5068f738 | : 5068f738 | |||

PAD : 050d8c | PAD : 050d8c | |||

LKEYPAD : 14c37b7e 64925843 | LKEYPAD : 14c37b7e 64925843 | |||

: 40bed122 07808941 | : 40bed122 07808941 | |||

: 155068f7 38050d8c | ||||

Wrapped Key : 9fa0c146 5291ea6d | ||||

: b55360c6 cb95123c | ||||

Schaad & Housley Standards - July 2002 5 | Schaad & Housley Standards - July 2002 5 | |||

HMAC Key Wrap February 2002 | HMAC Key Wrap February 2002 | |||

: 155068f7 38050d8c | ||||

Wrapped Key : 9fa0c146 5291ea6d | ||||

: b55360c6 cb95123c | ||||

: d47b38cc e84dd804 | : d47b38cc e84dd804 | |||

: fbcec5e3 75c3cb13 | : fbcec5e3 75c3cb13 | |||

5. Security Considerations | 5. Security Considerations | |||

Implementations must protect the key-encryption key (KEK). | Implementations must protect the key-encryption key (KEK). | |||

Compromise of the KEK may result in the disclosure of all HMAC keys | Compromise of the KEK may result in the disclosure of all HMAC keys | |||

that have been wrapped with the KEK, which may lead to loss of data | that have been wrapped with the KEK, which may lead to loss of data | |||

integrity protection. | integrity protection. | |||

skipping to change at line 322 | skipping to change at line 329 | |||

Triple Data Encryption Algorithm Modes of Operation. | Triple Data Encryption Algorithm Modes of Operation. | |||

1998. | 1998. | |||

3DES-WRAP Housley, R., Triple-DES and RC2 Key Wrapping. RFC 3217. | 3DES-WRAP Housley, R., Triple-DES and RC2 Key Wrapping. RFC 3217. | |||

December 2001. | December 2001. | |||

AES National Institute of Standards and Technology. | AES National Institute of Standards and Technology. | |||

FIPS Pub 197: Advanced Encryption Standard (AES). | FIPS Pub 197: Advanced Encryption Standard (AES). | |||

26 November 2001. | 26 November 2001. | |||

AES-WRAP Schaad, J., R. Housley, AES Key Wrap Algorithm, | AES-WRAP Schaad, J., R. Housley, Advanced Encryption Standard (AES) | |||

draft-ietf-smime-aes-wrap-00.txt. | Key Wrap Algorithm, RFC 3394, September 2002. | |||

HMAC Krawczyk, H., M. Bellare, and R. Canetti. HMAC: Keyed- | HMAC Krawczyk, H., M. Bellare, and R. Canetti. HMAC: Keyed- | |||

Hashing for Message Authentication. RFC 2104. | ||||

February 1997. | ||||

STDWORDS Bradner, S., "Key words for use in RFCs to Indicate | ||||

Schaad & Housley Standards - July 2002 6 | Schaad & Housley Standards - July 2002 6 | |||

HMAC Key Wrap February 2002 | HMAC Key Wrap February 2002 | |||

Hashing for Message Authentication. RFC 2104. | ||||

February 1997. | ||||

STDWORDS Bradner, S., "Key words for use in RFCs to Indicate | ||||

Requirement Levels", BCP 14, RFC 2119, March 1997 | Requirement Levels", BCP 14, RFC 2119, March 1997 | |||

6.2 Informative References | 6.2 Informative References | |||

DSS National Institute of Standards and Technology. | DSS National Institute of Standards and Technology. | |||

FIPS Pub 186: Digital Signature Standard. 19 May 1994. | FIPS Pub 186: Digital Signature Standard. 19 May 1994. | |||

RANDOM Eastlake, D., S. Crocker, and J. Schiller. Randomness | RANDOM Eastlake, D., S. Crocker, and J. Schiller. Randomness | |||

Recommendations for Security. RFC 1750. December 1994. | Recommendations for Security. RFC 1750. December 1994. | |||
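
Review bot: with the AES-WRAP entry now citing RFC 3394 instead of draft-ietf-smime-aes-wrap-00.txt, the pointer in step 4 of Section 4.1 ("section 2.2.1 of [AES-WRAP]") is unchanged between the two versions and should be rechecked against the RFC's section numbering. The new entry is also punctuated with commas ("Key Wrap Algorithm, RFC 3394, September 2002.") where the neighbouring entries, such as 3DES-WRAP, separate title, RFC number and date with periods. Match the existing style.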

End of changes. | ||||

This html diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |