draft-ietf-smime-hmac-key-wrap-01.txt   draft-ietf-smime-hmac-key-wrap-02.txt 
S/MIME Working Group J. Schaad S/MIME Working Group J. Schaad
Internet Draft Soaring Hawk Consulting Internet Draft Soaring Hawk Consulting
draft-ietf-smime-hmac-key-wrap-01.txt R. Housley draft-ietf-smime-hmac-key-wrap-02.txt R. Housley
Category: Standards Vigil Security Category: Standards Vigil Security
February 2003 February 2003
Wrapping an HMAC key with a Triple-DES Key or an AES Key Wrapping an HMAC key with a Triple-DES Key or an AES Key
Status of this Memo Status of this Memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of [RFC2026]. all provisions of Section 10 of [RFC2026].
skipping to change at line 30 skipping to change at line 30
documents at any time. It is inappropriate to use Internet- Drafts documents at any time. It is inappropriate to use Internet- Drafts
as reference material or to cite them other than as "work in as reference material or to cite them other than as "work in
progress." progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
Abstract Abstract
The key wrap algorithms defined in [3DES-WRAP] and [AES-WRAP] cover This document defines two methods for wrapping an HMAC (Hashed
the of wrapping a Triple-DES key with another Triple-DES key and Message Authentication Code) key. The first method defined uses a
wrapping an AES key with another AES key, respectively. This Triple DES (Data Encryption Standard) key to encrypt the HMAC key.
document specifies two similar mechanisms. One specifies the The second method defined uses an AES (Advanced Encryption Standard)
mechanism for wrapping an HMAC key with a Triple-DES key, and the key to encrypt the HMAC key. One place that such an algorithm is
other specifies the mechanism for wrapping an HMAC key with an AES used is for the Authenticated Data type in CMS (Cryptographic
key. Message Syntax).
1. Introduction 1. Introduction
Standard methods exist for encrypting a Triple-DES (3DES) content- Standard methods exist for encrypting a Triple-DES (3DES) content-
encryption key (CEK) with a 3DES key-encryption key (KEK) [3DES- encryption key (CEK) with a 3DES key-encryption key (KEK) [3DES-
WRAP] and for encrypting an AES CEK with an AES KEK [AES-WRAP]. WRAP] and for encrypting an AES CEK with an AES KEK [AES-WRAP].
Triple-DES key wrap imposes parity restrictions, and in both Triple-DES key wrap imposes parity restrictions, and in both
instances there are restrictions on the size of the key being instances there are restrictions on the size of the key being
wrapped that make the encryption of HMAC [HMAC] keying material wrapped that make the encryption of HMAC [HMAC] keying material
difficult. difficult.
skipping to change at line 77 skipping to change at line 77
3. HMAC Key Wrapping and Unwrapping with Triple-DES 3. HMAC Key Wrapping and Unwrapping with Triple-DES
This section specifies the algorithms for wrapping and unwrapping an This section specifies the algorithms for wrapping and unwrapping an
HMAC key with a 3DES KEK [3DES]. HMAC key with a 3DES KEK [3DES].
The 3DES wrapping of HMAC keys is based on the algorithm defined in The 3DES wrapping of HMAC keys is based on the algorithm defined in
Section 3 of [3DES-WRAP]. The major differences are due to the fact Section 3 of [3DES-WRAP]. The major differences are due to the fact
that an HMAC key is variable length and the HMAC key has no that an HMAC key is variable length and the HMAC key has no
particular parity. particular parity.
In the algorithm description, "a || b" is used to represent 'a'
concatenated with 'b'.
3.1 Wrapping an HMAC Key with a Triple-DES Key-Encryption Key 3.1 Wrapping an HMAC Key with a Triple-DES Key-Encryption Key
This algorithm encrypts an HMAC key with a 3DES KEK. The algorithm This algorithm encrypts an HMAC key with a 3DES KEK. The algorithm
is: is:
1. Let the HMAC key be called KEY, and let the length of KEY in 1. Let the HMAC key be called KEY, and let the length of KEY in
octets be called LENGTH. LENGTH is a single octet. octets be called LENGTH. LENGTH is a single octet.
2. Let LKEY = LENGTH || KEY. 2. Let LKEY = LENGTH || KEY.
3. Let LKEYPAD = LKEY || PAD. If the length of LKEY is a multiple 3. Let LKEYPAD = LKEY || PAD. If the length of LKEY is a multiple
of 8, the PAD has a length of zero. If the length of LKEY is of 8, the PAD has a length of zero. If the length of LKEY is
skipping to change at line 158 skipping to change at line 161
id-alg-HMACwith3DESwrap OBJECT IDENTIFIER ::= { iso(1) id-alg-HMACwith3DESwrap OBJECT IDENTIFIER ::= { iso(1)
member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) alg(3) 11 } smime(16) alg(3) 11 }
The AlgorithmIdentifier parameter field MUST be NULL. The AlgorithmIdentifier parameter field MUST be NULL.
3.4 HMAC Key Wrap with Triple-DES Test Vector 3.4 HMAC Key Wrap with Triple-DES Test Vector
KEK : 5840df6e 29b02af1 KEK : 5840df6e 29b02af1
: ab493b70 5bf16ea1 : ab493b70 5bf16ea1
: ae8338f4 dcc176a8
Schaad & Housley Standards - July 2002 3 Schaad & Housley Standards - July 2002 3
HMAC Key Wrap February 2002 HMAC Key Wrap February 2002
: ae8338f4 dcc176a8
HMAC_KEY : c37b7e64 92584340 HMAC_KEY : c37b7e64 92584340
: bed12207 80894115 : bed12207 80894115
: 5068f738 : 5068f738
IV : 050d8c79 e0d56b75 IV : 050d8c79 e0d56b75
PAD : 38be62 PAD : 38be62
ICV : 1f363a31 cdaa9037 ICV : 1f363a31 cdaa9037
skipping to change at line 205 skipping to change at line 209
4. HMAC Key Wrapping and Unwrapping with AES 4. HMAC Key Wrapping and Unwrapping with AES
This section specifies the algorithms for wrapping and unwrapping an This section specifies the algorithms for wrapping and unwrapping an
HMAC key with an AES KEK [AES-WRAP]. HMAC key with an AES KEK [AES-WRAP].
The AES wrapping of HMAC keys is based on the algorithm defined in The AES wrapping of HMAC keys is based on the algorithm defined in
[AES-WRAP]. The major difference is inclusion of padding due to the [AES-WRAP]. The major difference is inclusion of padding due to the
fact that the length of an HMAC key may not be a multiple of 64 fact that the length of an HMAC key may not be a multiple of 64
bits. bits.
In the algorithm description, "a || b" is used to represent 'a'
concatenated with 'b'.
4.1 Wrapping an HMAC Key with an AES Key-Encryption Key 4.1 Wrapping an HMAC Key with an AES Key-Encryption Key
This algorithm encrypts an HMAC key with an AES KEK. The algorithm This algorithm encrypts an HMAC key with an AES KEK. The algorithm
is: is:
1. Let the HMAC key be called KEY, and let the length of KEY in 1. Let the HMAC key be called KEY, and let the length of KEY in
octets be called LENGTH. LENGTH is a single octet.
2. Let LKEY = LENGTH || KEY.
3. Let LKEYPAD = LKEY || PAD. If the length of LKEY is a multiple
of 8, the PAD has a length of zero. If the length of LKEY is
Schaad & Housley Standards - July 2002 4 Schaad & Housley Standards - July 2002 4
HMAC Key Wrap February 2002 HMAC Key Wrap February 2002
octets be called LENGTH. LENGTH is a single octet.
2. Let LKEY = LENGTH || KEY.
3. Let LKEYPAD = LKEY || PAD. If the length of LKEY is a multiple
of 8, the PAD has a length of zero. If the length of LKEY is
not a multiple of 8, then PAD contains the fewest number of not a multiple of 8, then PAD contains the fewest number of
random octets to make the length of LKEYPAD a multiple of 8. random octets to make the length of LKEYPAD a multiple of 8.
4. Encrypt LKEYPAD using the AES key wrap algorithm specified in 4. Encrypt LKEYPAD using the AES key wrap algorithm specified in
section 2.2.1 of [AES-WRAP], using the AES KEK as the encryption section 2.2.1 of [AES-WRAP], using the AES KEK as the encryption
key. The result is 8 octets longer than LKEYPAD. key. The result is 8 octets longer than LKEYPAD.
4.2 Unwrapping an HMAC Key with an AES Key 4.2 Unwrapping an HMAC Key with an AES Key
The AES key unwrap algorithm decrypts an HMAC key using an AES KEK. The AES key unwrap algorithm decrypts an HMAC key using an AES KEK.
The AES key unwrap algorithm is: The AES key unwrap algorithm is:
skipping to change at line 268 skipping to change at line 275
: ae8338f4 dcc176a8 : ae8338f4 dcc176a8
HMAC_KEY : c37b7e64 92584340 HMAC_KEY : c37b7e64 92584340
: bed12207 80894115 : bed12207 80894115
: 5068f738 : 5068f738
PAD : 050d8c PAD : 050d8c
LKEYPAD : 14c37b7e 64925843 LKEYPAD : 14c37b7e 64925843
: 40bed122 07808941 : 40bed122 07808941
: 155068f7 38050d8c
Wrapped Key : 9fa0c146 5291ea6d
: b55360c6 cb95123c
Schaad & Housley Standards - July 2002 5 Schaad & Housley Standards - July 2002 5
HMAC Key Wrap February 2002 HMAC Key Wrap February 2002
: 155068f7 38050d8c
Wrapped Key : 9fa0c146 5291ea6d
: b55360c6 cb95123c
: d47b38cc e84dd804 : d47b38cc e84dd804
: fbcec5e3 75c3cb13 : fbcec5e3 75c3cb13
5. Security Considerations 5. Security Considerations
Implementations must protect the key-encryption key (KEK). Implementations must protect the key-encryption key (KEK).
Compromise of the KEK may result in the disclosure of all HMAC keys Compromise of the KEK may result in the disclosure of all HMAC keys
that have been wrapped with the KEK, which may lead to loss of data that have been wrapped with the KEK, which may lead to loss of data
integrity protection. integrity protection.
skipping to change at line 322 skipping to change at line 329
Triple Data Encryption Algorithm Modes of Operation. Triple Data Encryption Algorithm Modes of Operation.
1998. 1998.
3DES-WRAP Housley, R., Triple-DES and RC2 Key Wrapping. RFC 3217. 3DES-WRAP Housley, R., Triple-DES and RC2 Key Wrapping. RFC 3217.
December 2001. December 2001.
AES National Institute of Standards and Technology. AES National Institute of Standards and Technology.
FIPS Pub 197: Advanced Encryption Standard (AES). FIPS Pub 197: Advanced Encryption Standard (AES).
26 November 2001. 26 November 2001.
AES-WRAP Schaad, J., R. Housley, AES Key Wrap Algorithm, AES-WRAP Schaad, J., R. Housley, Advanced Encryption Standard (AES)
draft-ietf-smime-aes-wrap-00.txt. Key Wrap Algorithm, RFC 3394, September 2002.
HMAC Krawczyk, H., M. Bellare, and R. Canetti. HMAC: Keyed- HMAC Krawczyk, H., M. Bellare, and R. Canetti. HMAC: Keyed-
Hashing for Message Authentication. RFC 2104.
February 1997.
STDWORDS Bradner, S., "Key words for use in RFCs to Indicate
Schaad & Housley Standards - July 2002 6 Schaad & Housley Standards - July 2002 6
HMAC Key Wrap February 2002 HMAC Key Wrap February 2002
Hashing for Message Authentication. RFC 2104.
February 1997.
STDWORDS Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997 Requirement Levels", BCP 14, RFC 2119, March 1997
6.2 Informative References 6.2 Informative References
DSS National Institute of Standards and Technology. DSS National Institute of Standards and Technology.
FIPS Pub 186: Digital Signature Standard. 19 May 1994. FIPS Pub 186: Digital Signature Standard. 19 May 1994.
RANDOM Eastlake, D., S. Crocker, and J. Schiller. Randomness RANDOM Eastlake, D., S. Crocker, and J. Schiller. Randomness
Recommendations for Security. RFC 1750. December 1994. Recommendations for Security. RFC 1750. December 1994.
 End of changes. 

This html diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/