draft-ietf-smime-key-wrap-00.txt | draft-ietf-smime-key-wrap-01.txt | |||
---|---|---|---|---|

S/MIME Working Group R. Housley | S/MIME Working Group R. Housley | |||

Internet Draft RSA Laboratories | Internet Draft RSA Laboratories | |||

expires in six months September 2001 | expires in six months September 2001 | |||

Triple-DES and RC2 Key Wrapping | Triple-DES and RC2 Key Wrapping | |||

<draft-ietf-smime-key-wrap-00.txt> | <draft-ietf-smime-key-wrap-01.txt> | |||

Status of this Memo | Status of this Memo | |||

This document is an Internet-Draft and is in full conformance with | This document is an Internet-Draft and is in full conformance with | |||

all provisions of Section 10 of RFC2026. Internet-Drafts are working | all provisions of Section 10 of RFC2026. Internet-Drafts are working | |||

documents of the Internet Engineering Task Force (IETF), its areas, | documents of the Internet Engineering Task Force (IETF), its areas, | |||

and its working groups. Note that other groups may also distribute | and its working groups. Note that other groups may also distribute | |||

working documents as Internet-Drafts. | working documents as Internet-Drafts. | |||

Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||

skipping to change at page 2, line 19 | skipping to change at page 2, line 19 | |||

wrap algorithms are commonly used in two situations. First, key | wrap algorithms are commonly used in two situations. First, key | |||

agreement algorithms (such as Diffie-Hellman [DH-X9.42]) generate a | agreement algorithms (such as Diffie-Hellman [DH-X9.42]) generate a | |||

pairwise key-encryption key, and a key wrap algorithm is used to | pairwise key-encryption key, and a key wrap algorithm is used to | |||

encrypt the content-encryption key or a multicast key with the | encrypt the content-encryption key or a multicast key with the | |||

pairwise key-encryption key. Second, a key wrap algorithm is used to | pairwise key-encryption key. Second, a key wrap algorithm is used to | |||

encrypt the content-encryption key, multicast key, or session key in | encrypt the content-encryption key, multicast key, or session key in | |||

a locally generated storage key-encryption key or a key-encryption | a locally generated storage key-encryption key or a key-encryption | |||

key that was distributed out-of-band. | key that was distributed out-of-band. | |||

This document specifies the algorithm for wrapping one Triple-DES key | This document specifies the algorithm for wrapping one Triple-DES key | |||

with another Triple-DES key [3DES] and specifies the algorithm for | with another Triple-DES key [3DES], and it specifies the algorithm | |||

wrapping one RC2 key with another RC2 key [RC2]. Encryption of a | for wrapping one RC2 key with another RC2 key [RC2]. Encryption of a | |||

Triple-DES key with another Triple-DES key uses the algorithm | Triple-DES key with another Triple-DES key uses the algorithm | |||

specified in section 3. Encryption of a RC2 key with another RC2 key | specified in section 3. Encryption of a RC2 key with another RC2 key | |||

uses the algorithm specified in section 4. Both of these algorithms | uses the algorithm specified in section 4. Both of these algorithms | |||

rely on the key checksum algorithm specified in section 2. Triple- | rely on the key checksum algorithm specified in section 2. Triple- | |||

DES and RC2 content-encryption keys are encrypted in Cipher Block | DES and RC2 content-encryption keys are encrypted in Cipher Block | |||

Chaining (CBC) mode [MODES]. | Chaining (CBC) mode [MODES]. | |||

In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD, | In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD, | |||

SHOULD NOT, RECOMMENDED, and MAY are to be interpreted as described | SHOULD NOT, RECOMMENDED, and MAY are to be interpreted as described | |||

by Scott Bradner in [STDWORDS]. | by Scott Bradner in [STDWORDS]. | |||

The same key wrap algorithm is used for both Two-key Triple-DES and | ||||

Three-key Triple-DES keys. When a Two-key Triple-DES key is to be | ||||

wrapped, a third DES key with the same value as the first DES key is | ||||

created. Thus, all wrapped Triple-DES keys include three DES keys. | ||||

However, a Two-key Triple-DES key MUST NOT be used to wrap a Three- | ||||

key Triple-DES key that is comprised of three unique DES keys. | ||||

RC2 supports variable length keys. RC2 128-bit keys MUST be used as | ||||

key-encryption keys; however, the wrapped RC2 key MAY be of any size. | ||||

2 Key Checksum | 2 Key Checksum | |||

The key checksum algorithm is used to provide a key integrity check | The key checksum algorithm is used to provide a key integrity check | |||

value. The algorithm is: | value. The algorithm is: | |||

1. Compute a 20 octet SHA-1 [SHA1] message digest on the key | 1. Compute a 20 octet SHA-1 [SHA1] message digest on the key | |||

that is to be wrapped. | that is to be wrapped. | |||

2. Use the most significant (first) eight octets of the message | 2. Use the most significant (first) eight octets of the message | |||

digest value as the checksum value. | digest value as the checksum value. | |||

3 Triple-DES Key Wrapping and Unwrapping | 3 Triple-DES Key Wrapping and Unwrapping | |||

This section specifies the algorithms for wrapping and unwrapping one | This section specifies the algorithms for wrapping and unwrapping one | |||

Triple-DES key with another Triple-DES key [3DES]. | Triple-DES key with another Triple-DES key [3DES]. | |||

The same key wrap algorithm is used for both Two-key Triple-DES and | ||||

Three-key Triple-DES keys. When a Two-key Triple-DES key is to be | ||||

wrapped, a third DES key with the same value as the first DES key is | ||||

created. Thus, all wrapped Triple-DES keys include three DES keys. | ||||

However, a Two-key Triple-DES key MUST NOT be used to wrap a Three- | ||||

key Triple-DES key that is comprised of three unique DES keys. | ||||

3.1 Triple-DES Key Wrap | 3.1 Triple-DES Key Wrap | |||

The Triple-DES key wrap algorithm encrypts a Triple-DES key with a | The Triple-DES key wrap algorithm encrypts a Triple-DES key with a | |||

Triple-DES key-encryption key. The Triple-DES key wrap algorithm is: | Triple-DES key-encryption key. The Triple-DES key wrap algorithm is: | |||

1. Set odd parity for each of the DES key octets comprising the | 1. Set odd parity for each of the DES key octets comprising the | |||

Three-Key Triple-DES key that is to be wrapped, call the result | Three-Key Triple-DES key that is to be wrapped, call the result | |||

CEK. | CEK. | |||

2. Compute an 8 octet key checksum value on CEK as described above | 2. Compute an 8 octet key checksum value on CEK as described above | |||

in Section 2, call the result ICV. | in Section 2, call the result ICV. | |||
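
Review bot: The restriction on Two-key key-encryption keys (the sentence ending "three unique DES keys") leaves "unique" undefined. The sentence before it builds the wrapped form of a Two-key key by copying the first DES key into the third, so a reader cannot tell whether the prohibition covers only keys whose first and third DES keys differ or requires all three to be pairwise distinct. Suggest stating the condition in terms of the key values, and saying what an implementation does when asked to perform the prohibited wrap (refuse and report an error), since a MUST NOT with no stated failure behaviour tends to be implemented inconsistently. The paragraph appears twice in this hunk, once in the introduction and once under section 3; the comment applies to whichever copy is kept.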

skipping to change at page 4, line 30 | skipping to change at page 4, line 24 | |||

Some security protocols employ ASN.1 [X.208-88, X.209-88], and these | Some security protocols employ ASN.1 [X.208-88, X.209-88], and these | |||

protocols employ algorithm identifiers to name cryptographic | protocols employ algorithm identifiers to name cryptographic | |||

algorithms. To support these protocols, the Triple-DES key wrap | algorithms. To support these protocols, the Triple-DES key wrap | |||

algorithm has been assigned the following algorithm identifier: | algorithm has been assigned the following algorithm identifier: | |||

id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2) | id-alg-CMS3DESwrap OBJECT IDENTIFIER ::= { iso(1) member-body(2) | |||

us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 } | us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 6 } | |||

The AlgorithmIdentifier parameter field MUST be NULL. | The AlgorithmIdentifier parameter field MUST be NULL. | |||

3.4 Triple-DES Key Wrap Example | ||||

This section contains a Triple-DES Key Wrap example. Intermediate | ||||

values corresponding to the named items in section 3.1 are given in | ||||

hexadecimal. | ||||

CEK: 2923 bf85 e06d d6ae 5291 49f1 f1ba e9ea b3a7 da3d 860d 3e98 | ||||

KEK: 255e 0d1c 07b6 46df b313 4cc8 43ba 8aa7 1f02 5b7c 0838 251f | ||||

ICV: 181b 7e96 86e0 4a4e | ||||

CEKICV: 2923 bf85 e06d d6ae 5291 49f1 f1ba e9ea b3a7 da3d 860d 3e98 | ||||

181b 7e96 86e0 4a4e | ||||

IV: 5dd4 cbfc 96f5 453b | ||||

TEMP1: cfc1 a789 c675 dd2a b49a 3204 ef92 cc03 5c1f 3b97 7a79 60f6 | ||||

a44d cc5f 729d 8449 | ||||

TEMP2: 5dd4 cbfc 96f5 453b cfc1 a789 c675 dd2a b49a 3204 ef92 cc03 | ||||

5c1f 3b97 7a79 60f6 a44d cc5f 729d 8449 | ||||

TEMP3: 4984 9d72 5fcc 4da4 f660 797a 3b97 1f5c 03cc 92ef 0432 9ab4 | ||||

2add 75c6 89a7 c1cf 3b45 f596 fccb d45d | ||||

RESULT: 6901 0761 8ef0 92b3 b48c a179 6b23 4ae9 fa33 ebb4 1596 0403 | ||||

7db5 d6a8 4eb3 aac2 768c 6327 75a4 67d4 | ||||

4 RC2 Key Wrapping and Unwrapping | 4 RC2 Key Wrapping and Unwrapping | |||

This section specifies the algorithms for wrapping and unwrapping one | This section specifies the algorithms for wrapping and unwrapping one | |||

RC2 key with another RC2 key [RC2]. | RC2 key with another RC2 key [RC2]. | |||

RC2 supports variable length keys. RC2 128-bit keys MUST be used as | ||||

key-encryption keys; however, the wrapped RC2 key MAY be of any size. | ||||

4.1 RC2 Key Wrap | 4.1 RC2 Key Wrap | |||

The RC2 key wrap algorithm encrypts a RC2 key with a RC2 key- | The RC2 key wrap algorithm encrypts a RC2 key with a RC2 key- | |||

encryption key. The RC2 key wrap algorithm is: | encryption key. The RC2 key wrap algorithm is: | |||

1. Let the RC2 key be called CEK, and let the length of CEK in | 1. Let the RC2 key be called CEK, and let the length of CEK in | |||

octets be called LENGTH. LENGTH is a single octet. | octets be called LENGTH. LENGTH is a single octet. | |||

2. Let LCEK = LENGTH || CEK. | 2. Let LCEK = LENGTH || CEK. | |||

3. Let LCEKPAD = LCEK || PAD. If the length of LCEK is a multiple | 3. Let LCEKPAD = LCEK || PAD. If the length of LCEK is a multiple | |||

of 8, the PAD has a length of zero. If the length of LCEK is | of 8, the PAD has a length of zero. If the length of LCEK is | |||
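
Review bot: The sentence under section 4, "the wrapped RC2 key MAY be of any size", conflicts with step 1 of section 4.1 in the same hunk, which says "LENGTH is a single octet": a single octet cannot carry a CEK length above 255 octets. Suggest bounding the statement to what LENGTH can encode. It would also help to say whether "RC2 128-bit keys" for the key-encryption key refers to the length of the key itself or to the RC2 effective key bits, since the two are separate settings in RC2.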

skipping to change at page 6, line 21 | skipping to change at page 6, line 38 | |||

RC2ParameterVersion ::= INTEGER | RC2ParameterVersion ::= INTEGER | |||

The RC2 effective-key-bits (key size) greater than 32 and less than | The RC2 effective-key-bits (key size) greater than 32 and less than | |||

256 is encoded in the RC2ParameterVersion. For the effective-key- | 256 is encoded in the RC2ParameterVersion. For the effective-key- | |||

bits of 40, 64, and 128, the rc2ParameterVersion values are 160, 120, | bits of 40, 64, and 128, the rc2ParameterVersion values are 160, 120, | |||

and 58 respectively. These values are not simply the RC2 key length. | and 58 respectively. These values are not simply the RC2 key length. | |||

Note that the value 160 must be encoded as two octets (00 A0), | Note that the value 160 must be encoded as two octets (00 A0), | |||

because the one octet (A0) encoding represents a negative number. | because the one octet (A0) encoding represents a negative number. | |||

3.4 RC2 Key Wrap Example | ||||

This section contains a RC2 Key Wrap example. Intermediate values | ||||

corresponding to the named items in section 4.1 are given in | ||||

hexadecimal. | ||||

CEK: b70a 25fb c9d8 6a86 050c e0d7 11ea d4d9 | ||||

KEK: fd04 fd08 0607 07fb 0003 feff fd02 fe05 | ||||

LENGTH: 10 | ||||

LCEK: 10b7 0a25 fbc9 d86a 8605 0ce0 d711 ead4 d9 | ||||

PAD: 4845 cce7 fd12 50 | ||||

LCEKPAD: 10b7 0a25 fbc9 d86a 8605 0ce0 d711 ead4 | ||||

d948 45cc e7fd 1250 | ||||

ICV: 0a6f f19f db40 4988 | ||||

LCEKPADICV: 10b7 0a25 fbc9 d86a 8605 0ce0 d711 ead4 | ||||

d948 45cc e7fd 1250 0a6f f19f db40 4988 | ||||

IV: c7d9 0059 b29e 97f7 | ||||

TEMP1: a01d a259 3793 1260 e48c 55f5 04ce 70b8 | ||||

ac8c d79e ffe8 9932 9fa9 8a07 a31f f7a7 | ||||

TEMP2: c7d9 0059 b29e 97f7 a01d a259 3793 1260 | ||||

e48c 55f5 04ce 70b8 ac8c d79e ffe8 9932 | ||||

9fa9 8a07 a31f f7a7 | ||||

TEMP3: a7f7 1fa3 078a a99f 3299 8eff 9ed7 8cac | ||||

b870 ce04 f555 8ce4 6012 9337 59a2 1da0 | ||||

f797 9eb2 5900 d9c7 | ||||

RESULT: 70e6 99fb 5701 f783 3330 fb71 e87c 85a4 | ||||

20bd c99a f05d 22af 5a0e 48d3 5f31 3898 | ||||

6cba afb4 b28d 4f35 | ||||

References | References | |||

3DES American National Standards Institute. ANSI X9.52-1998, | 3DES American National Standards Institute. ANSI X9.52-1998, | |||

Triple Data Encryption Algorithm Modes of Operation. 1998. | Triple Data Encryption Algorithm Modes of Operation. 1998. | |||

CMS Housley, R., "Cryptographic Message Syntax", RFC 2630, | CMS Housley, R., "Cryptographic Message Syntax", RFC 2630, | |||

June 1999. | June 1999. | |||

DES American National Standards Institute. ANSI X3.106, | DES American National Standards Institute. ANSI X3.106, | |||

"American National Standard for Information Systems - Data | "American National Standard for Information Systems - Data | |||
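
Review bot: In the RC2 Key Wrap Example, TEMP3 does not agree with TEMP2. Every other octet of TEMP3 is TEMP2 read in reverse octet order (as TEMP3 is in the Triple-DES example), but the tenth octet is 8e in "3299 8eff 9ed7 8cac" where TEMP1 and TEMP2 have e8 in "ffe8 9932". One of the two is a transcription error; please recheck the listing against the implementation that produced RESULT and correct it. The heading is also numbered "3.4 RC2 Key Wrap Example" although it follows the RC2 parameter text and refers to section 4.1, and 3.4 is already the Triple-DES Key Wrap Example; it should be 4.4. Finally, "LENGTH: 10" is hexadecimal like the other values (the CEK shown is 16 octets) and is easy to misread as decimal ten; a short remark in the example text would prevent that.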

skipping to change at page 7, line 46 | skipping to change at page 8, line 46 | |||

reviewed for use with Triple-DES and RC2, and they have not been | reviewed for use with Triple-DES and RC2, and they have not been | |||

reviewed for use with other encryption algorithms. Similarly, the | reviewed for use with other encryption algorithms. Similarly, the | |||

key wrap algorithms make use of CBC mode [MODES], and they have not | key wrap algorithms make use of CBC mode [MODES], and they have not | |||

been reviewed for use with other cryptographic modes. | been reviewed for use with other cryptographic modes. | |||

Acknowledgments | Acknowledgments | |||

This document is the result of contributions from many professionals. | This document is the result of contributions from many professionals. | |||

I appreciate the hard work of all members of the IETF S/MIME Working | I appreciate the hard work of all members of the IETF S/MIME Working | |||

Group. I extend a special thanks to Carl Ellison, Peter Gutmann, Bob | Group. I extend a special thanks to Carl Ellison, Peter Gutmann, Bob | |||

Jueneman, Don Johnson, and Burt Kaliski for their support in defining | Jueneman, Don Johnson, Burt Kaliski, John Pawling, and Jim Schaad for | |||

these algorithms. | their support in defining these algorithms and generating this | |||

specification. | ||||

Author Address | Author Address | |||

Russell Housley | Russell Housley | |||

RSA Laboratories | RSA Laboratories | |||

918 Spring Knoll Drive | 918 Spring Knoll Drive | |||

Herndon, VA 20170 | Herndon, VA 20170 | |||

USA | USA | |||

rhousley@rsasecurity.com | rhousley@rsasecurity.com | |||

End of changes. | ||||

This html diff was produced by rfcdiff 1.25, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |