This is a purely informative rendering of an RFC that includes verified errata. This rendering may not be used as a reference.
The following 'Verified' errata have been incorporated in this document:
EID 3671, EID 5777, EID 6942
Network Working Group J. Schaad
Request for Comments: 3394 Soaring Hawk Consulting
Category: Informational R. Housley
RSA Laboratories
September 2002
Advanced Encryption Standard (AES) Key Wrap Algorithm
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
The purpose of this document is to make the Advanced Encryption
Standard (AES) Key Wrap algorithm conveniently available to the
Internet community. The United States of America has adopted AES as
the new encryption standard. The AES Key Wrap algorithm will
probably be adopted by the USA for encryption of AES keys. The
authors took most of the text in this document from the draft AES Key
Wrap posted by NIST.
Table of Contents
1. Introduction................................................ 2
2. Overview.................................................... 2
2.1 Notation and Definitions................................... 3
2.2 Algorithms................................................. 4
2.2.1 Key Wrap................................................. 4
2.2.2 Key Unwrap............................................... 5
2.2.3 Key Data Integrity -- the Initial Value.................. 6
2.2.3.1 Default Initial Value.................................. 7
2.2.3.2 Alternative Initial Values............................. 7
3. Object Identifiers.......................................... 8
4. Test Vectors................................................ 8
4.1 Wrap 128 bits of Key Data with a 128-bit KEK............... 8
4.2 Wrap 128 bits of Key Data with a 192-bit KEK............... 11
4.3 Wrap 128 bits of Key Data with a 256-bit KEK............... 14
4.4 Wrap 192 bits of Key Data with a 192-bit KEK............... 17
4.5 Wrap 192 bits of Key Data with a 256-bit KEK............... 24
4.6 Wrap 256 bits of Key Data with a 256-bit KEK............... 30
5. Security Considerations..................................... 39
6. References.................................................. 39
7. Acknowledgments............................................. 39
8. Authors' Addresses.......................................... 39
9. Full Copyright Statement.................................... 40
1. Introduction
NOTE: Most of the following text is taken from [AES-WRAP], and the
assertions regarding the security of the AES Key Wrap algorithm are
made by the US Government, not by the authors of this document.
This specification is intended to satisfy the National Institute of
Standards and Technology (NIST) Key Wrap requirement to: Design a
cryptographic algorithm called a Key Wrap that uses the Advanced
Encryption Standard (AES) as a primitive to securely encrypt
plaintext key(s) with any associated integrity information and data,
such that the combination could be longer than the width of the AES
block size (128-bits). Each ciphertext bit should be a highly non-
linear function of each plaintext bit, and (when unwrapping) each
plaintext bit should be a highly non-linear function of each
ciphertext bit. It is sufficient to approximate an ideal
pseudorandom permutation to the degree that exploitation of
undesirable phenomena is as unlikely as guessing the AES engine key.
This key wrap algorithm needs to provide ample security to protect
keys in the context of prudently designed key management
architecture.
Throughout this document, any data being wrapped will be referred to
as the key data. It makes no difference to the algorithm whether the
data being wrapped is a key; in fact there is often good reason to
include other data with the key, to wrap multiple keys together, or
to wrap data that isn't strictly a key. So, the term "key data" is
used broadly to mean any data being wrapped, but particularly keys,
since this is primarily a key wrap algorithm. The key used to do the
wrapping will be referred to as the key-encryption key (KEK).
In this document a KEK can be any valid key supported by the AES
codebook. That is, a KEK can be a 128-bit key, a 192-bit key, or a
256-bit key.
2. Overview
The AES key wrap algorithm is designed to wrap or encrypt key data.
The key wrap operates on blocks of 64 bits. Before being wrapped,
the key data is parsed into n blocks of 64 bits.
The only restriction the key wrap algorithm places on n is that n be
at least two. (For key data with length less than or equal to 64
bits, the constant field used in this specification and the key data
form a single 128-bit codebook input making this key wrap
unnecessary.) The key wrap algorithm accommodates all supported AES
key sizes. However, other cryptographic values often need to be
wrapped. One such value is the seed of the random number generator
for DSS. This seed value requires n to be greater than four.
Undoubtedly other values require this type of protection. Therefore,
no upper bound is imposed on n.
The AES key wrap can be configured to use any of the three key sizes
supported by the AES codebook. The choice of a key size affects the
overall security provided by the key wrap, but it does not alter the
description of the key wrap algorithm. Therefore, in the description
that follows, the key wrap is described generically; no key size is
specified for the KEK.
2.1 Notation and Definitions
The following notation is used in the description of the key wrapping
algorithms:
AES(K, W) Encrypt W using the AES codebook with key K
AES-1(K, W) Decrypt W using the AES codebook with key K
MSB(j, W) Return the most significant j bits of W
LSB(j, W) Return the least significant j bits of W
B1 ^ B2 The bitwise exclusive or (XOR) of B1 and B2
B1 | B2 Concatenate B1 and B2
K The key-encryption key K
n The number of 64-bit key data blocks
s The number of steps in the wrapping process, s = 6n
P[i] The ith plaintext key data block
C[i] The ith ciphertext data block
A The 64-bit integrity check register
R[i] An array of 64-bit registers where
i = 1, 2, ..., n
A[t], R[t][i] The contents of registers A and R[i] after encryption
step t.
EID 6942 (Verified) is as follows:Section: 2.1
Original Text:
R[i] An array of 64-bit registers where
i = 0, 1, 2, ..., n
A[t], R[i][t] The contents of registers A and R[i] after encryption
step t.
Corrected Text:
R[i] An array of 64-bit registers where
i = 1, 2, ..., n
A[t], R[t][i] The contents of registers A and R[i] after encryption
step t.
Notes:
1) There are n 64-bit registers indexed R[1] to R[n] in the algorithms in section 2.2. 2) The notation of the algorithms in section 2.2 dereference R[][] using the step as the first index, and the index of the register from 1 to n as the second index
Paul Wouters(AD): There was some talk of a better fix, but that would require new text for whole sections, which is more that what should be done in an errata.
IV The 64-bit initial value used during the wrapping
process.
In the key wrap algorithm, the concatenation function will be used to
concatenate 64-bit quantities to form the 128-bit input to the AES
codebook. The extraction functions will be used to split the 128-bit
output from the AES codebook into two 64-bit quantities.
2.2 Algorithms
The specification of the key wrap algorithm requires the use of the
AES codebook [AES]. The next three sections will describe the key
wrap algorithm, the key unwrap algorithm, and the inherent data
integrity check.
2.2.1 Key Wrap
The inputs to the key wrapping process are the KEK and the plaintext
to be wrapped. The plaintext consists of n 64-bit blocks, containing
the key data being wrapped. The key wrapping process is described
below.
Inputs: Plaintext, n 64-bit values {P1, P2, ..., Pn}, and
Key, K (the KEK).
Outputs: Ciphertext, (n+1) 64-bit values {C0, C1, ..., Cn}.
1) Initialize variables.
Set A[0] to an initial value (see 2.2.3)
For i = 1 to n
R[0][i] = P[i]
EID 5777 (Verified) is as follows:Section: 2.2.1
Original Text:
1) Initialize variables.
Set A0 to an initial value (see 2.2.3)
For i = 1 to n
R[0][i] = P[i]
Corrected Text:
1) Initialize variables.
Set A[0] to an initial value (see 2.2.3)
For i = 1 to n
R[0][i] = P[i]
Notes:
An array subscript notation should be used for A[]
2) Calculate intermediate values.
For t = 1 to s, where s = 6n
A[t] = MSB(64, AES(K, A[t-1] | R[t-1][1])) ^ t
For i = 1 to n-1
R[t][i] = R[t-1][i+1]
R[t][n] = LSB(64, AES(K, A[t-1] | R[t-1][1]))
3) Output the results.
Set C[0] = A[t]
For i = 1 to n
C[i] = R[t][i]
An alternative description of the key wrap algorithm involves
indexing rather than shifting. This approach allows one to calculate
the wrapped key in place, avoiding the rotation in the previous
description. This produces identical results and is more easily
implemented in software.
Inputs: Plaintext, n 64-bit values {P1, P2, ..., Pn}, and
Key, K (the KEK).
Outputs: Ciphertext, (n+1) 64-bit values {C0, C1, ..., Cn}.
1) Initialize variables.
Set A = IV, an initial value (see 2.2.3)
For i = 1 to n
R[i] = P[i]
2) Calculate intermediate values.
For j = 0 to 5
For i=1 to n
B = AES(K, A | R[i])
A = MSB(64, B) ^ t where t = (n*j)+i
R[i] = LSB(64, B)
3) Output the results.
Set C[0] = A
For i = 1 to n
C[i] = R[i]
2.2.2 Key Unwrap
The inputs to the unwrap process are the KEK and (n+1) 64-bit blocks
of ciphertext consisting of previously wrapped key. It returns n
blocks of plaintext consisting of the n 64-bit blocks of the
decrypted key data.
Inputs: Ciphertext, (n+1) 64-bit values {C0, C1, ..., Cn}, and
Key, K (the KEK).
Outputs: Plaintext, n 64-bit values {P1, P2, ..., Pn}.
1) Initialize variables.
Set A[s] = C[0] where s = 6n
For i = 1 to n
R[s][i] = C[i]
2) Calculate the intermediate values.
For t = s to 1
A[t-1] = MSB(64, AES-1(K, ((A[t] ^ t) | R[t][n]))
R[t-1][1] = LSB(64, AES-1(K, ((A[t]^t) | R[t][n]))
For i = 2 to n
R[t-1][i] = R[t][i-1]
3) Output the results.
If A[0] is an appropriate initial value (see 2.2.3),
Then
For i = 1 to n
P[i] = R[0][i]
Else
Return an error
The unwrap algorithm can also be specified as an index based
operation, allowing the calculations to be carried out in place.
Again, this produces the same results as the register shifting
approach.
Inputs: Ciphertext, (n+1) 64-bit values {C0, C1, ..., Cn}, and
Key, K (the KEK).
Outputs: Plaintext, n 64-bit values {P0, P1, K, Pn}.
1) Initialize variables.
Set A = C[0]
For i = 1 to n
R[i] = C[i]
2) Compute intermediate values.
For j = 5 to 0
For i = n to 1
B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
A = MSB(64, B)
R[i] = LSB(64, B)
3) Output results.
If A is an appropriate initial value (see 2.2.3),
Then
For i = 1 to n
P[i] = R[i]
Else
Return an error
2.2.3 Key Data Integrity -- the Initial Value
The initial value (IV) refers to the value assigned to A[0] in the
first step of the wrapping process. This value is used to obtain an
integrity check on the key data. In the final step of the unwrapping
process, the recovered value of A[0] is compared to the expected
value of A[0]. If there is a match, the key is accepted as valid,
and the unwrapping algorithm returns it. If there is not a match,
then the key is rejected, and the unwrapping algorithm returns an
error.
The exact properties achieved by this integrity check depend on the
definition of the initial value. Different applications may call for
somewhat different properties; for example, whether there is need to
determine the integrity of key data throughout its lifecycle or just
when it is unwrapped. This specification defines a default initial
value that supports integrity of the key data during the period it is
wrapped (2.2.3.1). Provision is also made to support alternative
initial values (in 2.2.3.2).
2.2.3.1 Default Initial Value
The default initial value (IV) is defined to be the hexadecimal
constant:
A[0] = IV = A6A6A6A6A6A6A6A6
The use of a constant as the IV supports a strong integrity check on
the key data during the period that it is wrapped. If unwrapping
produces A[0] = A6A6A6A6A6A6A6A6, then the chance that the key data
is corrupt is 2^-64. If unwrapping produces A[0] equal to any other value,
EID 3671 (Verified) is as follows:Section: 2.2.3.1
Original Text:
If unwrapping produces A[0] any other value,
Corrected Text:
If unwrapping produces A[0] equal to any other value,
Notes:
This resembles a copy-paste typo, where the last portion of "If unwrapping produces A[0]" was not removed in the second of two sentences.
I edited this based on comments from the authors.
then the unwrap must return an error and not return any key data.
2.2.3.2 Alternative Initial Values
When the key wrap is used as part of a larger key management protocol
or system, the desired scope for data integrity may be more than just
the key data or the desired duration for more than just the period
that it is wrapped. Also, if the key data is not just an AES key, it
may not always be a multiple of 64 bits. Alternative definitions of
the initial value can be used to address such problems. NIST will
define alternative initial values in future key management
publications as needed. In order to accommodate a set of
alternatives that may evolve over time, key wrap implementations that
are not application-specific will require some flexibility in the way
that the initial value is set and tested.
3. Object Identifiers
NIST has assigned the following object identifiers to identify the
key wrap algorithm with the default initial value specified in
2.2.3.1. One object identifier is assigned for use with each of the
KEK AES key sizes.
aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
us(840) organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }
id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
4. Test Vectors
The examples in this section were generated using the index-based
implementation of the key wrap algorithm. The use of this approach
allows a straightforward software implementation of the key wrap
algorithm.
4.1 Wrap 128 bits of Key Data with a 128-bit KEK
Input:
KEK: 000102030405060708090A0B0C0D0E0F
Key Data: 00112233445566778899AABBCCDDEEFF
Wrap:
Step t A R1 R2
1
In A6A6A6A6A6A6A6A6 0011223344556677 8899AABBCCDDEEFF
Enc F4740052E82A2251 74CE86FBD7B805E7 8899AABBCCDDEEFF
XorT F4740052E82A2250 74CE86FBD7B805E7 8899AABBCCDDEEFF
2
In F4740052E82A2250 74CE86FBD7B805E7 8899AABBCCDDEEFF
Enc 06BA4EBDE7768D0B 74CE86FBD7B805E7 D132EE38147E76F8
XorT 06BA4EBDE7768D09 74CE86FBD7B805E7 D132EE38147E76F8
3
In 06BA4EBDE7768D09 74CE86FBD7B805E7 D132EE38147E76F8
Enc FC967627BE937208 FE6E8D679C5D3460 D132EE38147E76F8
XorT FC967627BE93720B FE6E8D679C5D3460 D132EE38147E76F8
4
In FC967627BE93720B FE6E8D679C5D3460 D132EE38147E76F8
Enc 5896EA9028EE203B FE6E8D679C5D3460 07B2BD973E36A6FC
XorT 5896EA9028EE203F FE6E8D679C5D3460 07B2BD973E36A6FC
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
4.2 Wrap 128 bits of Key Data with a 192-bit KEK
Input:
KEK: 000102030405060708090A0B0C0D0E0F1011121314151617
Key Data: 00112233445566778899AABBCCDDEEFF
Wrap:
Step t A R1 R21
In A6A6A6A6A6A6A6A6 0011223344556677 8899AABBCCDDEEFF
Enc DFE8FD5D1A3786A7 351D385096CCFB29 8899AABBCCDDEEFF
XorT DFE8FD5D1A3786A6 351D385096CCFB29 8899AABBCCDDEEFF
2
In DFE8FD5D1A3786A6 351D385096CCFB29 8899AABBCCDDEEFF
Enc 9D9B32B9ED742E02 351D385096CCFB29 51F22F3286758A2D
XorT 9D9B32B9ED742E00 351D385096CCFB29 51F22F3286758A2D
3
In 9D9B32B9ED742E00 351D385096CCFB29 51F22F3286758A2D
Enc 7B8E343CA51CF8AB BC164F51E20CC983 51F22F3286758A2D
XorT 7B8E343CA51CF8A8 BC164F51E20CC983 51F22F3286758A2D
4
In 7B8E343CA51CF8A8 BC164F51E20CC983 51F22F3286758A2D
Enc 02A97C5897140595 BC164F51E20CC983 05FC2D8F8FF4B919
XorT 02A97C5897140591 BC164F51E20CC983 05FC2D8F8FF4B919
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
4.3 Wrap 128 bits of Key Data with a 256-bit KEK
Input:
KEK:000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
Key Data: 00112233445566778899AABBCCDDEEFF
Wrap:
Step t A R1 R2
1
In A6A6A6A6A6A6A6A6 0011223344556677 8899AABBCCDDEEFF
Enc 794314D454E3FDE1 F661BD9F31FBFA31 8899AABBCCDDEEFF
XorT 794314D454E3FDE0 F661BD9F31FBFA31 8899AABBCCDDEEFF
2
In 794314D454E3FDE0 F661BD9F31FBFA31 8899AABBCCDDEEFF
Enc D450EA5C5BBCB561 F661BD9F31FBFA31 F60E0CDB7F429FE8
XorT D450EA5C5BBCB563 F661BD9F31FBFA31 F60E0CDB7F429FE8
3
In D450EA5C5BBCB563 F661BD9F31FBFA31 F60E0CDB7F429FE8
Enc 85DBDF1879D5C0A5 5602001BFA07AD8B F60E0CDB7F429FE8
XorT 85DBDF1879D5C0A6 5602001BFA07AD8B F60E0CDB7F429FE8
4
In 85DBDF1879D5C0A6 5602001BFA07AD8B F60E0CDB7F429FE8
Enc 738C291128B7226D 5602001BFA07AD8B 58924F777C3F678C
XorT 738C291128B72269 5602001BFA07AD8B 58924F777C3F678C
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
4.4 Wrap 192 bits of Key Data with a 192-bit KEK
Input:
KEK: 000102030405060708090A0B0C0D0E0F1011121314151617
Key Data: 00112233445566778899AABBCCDDEEFF0001020304050607
Wrap:
Step t A/R3 R1 R2
1
In A6A6A6A6A6A6A6A6 0011223344556677 8899AABBCCDDEEFF
0001020304050607
Enc DFE8FD5D1A3786A7 351D385096CCFB29 8899AABBCCDDEEFF
0001020304050607
XorT DFE8FD5D1A3786A6 351D385096CCFB29 8899AABBCCDDEEFF
0001020304050607
2
In DFE8FD5D1A3786A6 351D385096CCFB29 8899AABBCCDDEEFF
0001020304050607
Enc 9D9B32B9ED742E02 351D385096CCFB29 51F22F3286758A2D
0001020304050607
XorT 9D9B32B9ED742E00 351D385096CCFB29 51F22F3286758A2D
0001020304050607
3
In 9D9B32B9ED742E00 351D385096CCFB29 51F22F3286758A2D
0001020304050607
Enc 2C8E19A519025B7C 351D385096CCFB29 51F22F3286758A2D
FF540E514DE120A3
XorT 2C8E19A519025B7F 351D385096CCFB29 51F22F3286758A2D
FF540E514DE120A3
4
In 2C8E19A519025B7F 351D385096CCFB29 51F22F3286758A2D
FF540E514DE120A3
Enc E727C7BDF822602E A08DAA041D17BBBA 51F22F3286758A2D
FF540E514DE120A3
XorT E727C7BDF822602A A08DAA041D17BBBA 51F22F3286758A2D
FF540E514DE120A3
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
4.5 Wrap 192 bits of Key Data with a 256-bit KEK
Input:
KEK:
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
Key Data: 00112233445566778899AABBCCDDEEFF0001020304050607
Wrap:
Step t A/R3 R1 R2
1
In A6A6A6A6A6A6A6A6 0011223344556677 8899AABBCCDDEEFF
0001020304050607
Enc 794314D454E3FDE1 F661BD9F31FBFA31 8899AABBCCDDEEFF
0001020304050607
XorT 794314D454E3FDE0 F661BD9F31FBFA31 8899AABBCCDDEEFF
0001020304050607
2
In 794314D454E3FDE0 F661BD9F31FBFA31 8899AABBCCDDEEFF
0001020304050607
Enc D450EA5C5BBCB561 F661BD9F31FBFA31 F60E0CDB7F429FE8
0001020304050607
XorT D450EA5C5BBCB563 F661BD9F31FBFA31 F60E0CDB7F429FE8
0001020304050607
3
In D450EA5C5BBCB563 F661BD9F31FBFA31 F60E0CDB7F429FE8
0001020304050607
Enc 9DF8F5405FBC00C1 F661BD9F31FBFA31 F60E0CDB7F429FE8
6CA405593A3B5154
XorT 9DF8F5405FBC00C2 F661BD9F31FBFA31 F60E0CDB7F429FE8
6CA405593A3B5154
4
In 9DF8F5405FBC00C2 F661BD9F31FBFA31 F60E0CDB7F429FE8
6CA405593A3B5154
Enc F1D28EA6295891EC 0CC86A4D9B9C6A31 F60E0CDB7F429FE8
6CA405593A3B5154
XorT F1D28EA6295891E8 0CC86A4D9B9C6A31 F60E0CDB7F429FE8
6CA405593A3B5154
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
4.6 Wrap 256 bits of Key Data with a 256-bit KEK
Input:
KEK:
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
Key Data:
00112233445566778899AABBCCDDEEFF000102030405060708090A0B0C0D0E0F
Wrap:
Step t A/R3 R1/R4 R2
1
In A6A6A6A6A6A6A6A6 0011223344556677 8899AABBCCDDEEFF
0001020304050607 08090A0B0C0D0E0F
Enc 794314D454E3FDE1 F661BD9F31FBFA31 8899AABBCCDDEEFF
0001020304050607 08090A0B0C0D0E0F
XorT 794314D454E3FDE0 F661BD9F31FBFA31 8899AABBCCDDEEFF
0001020304050607 08090A0B0C0D0E0F
2
In 794314D454E3FDE0 F661BD9F31FBFA31 8899AABBCCDDEEFF
0001020304050607 08090A0B0C0D0E0F
Enc D450EA5C5BBCB561 F661BD9F31FBFA31 F60E0CDB7F429FE8
0001020304050607 08090A0B0C0D0E0F
XorT D450EA5C5BBCB563 F661BD9F31FBFA31 F60E0CDB7F429FE8
0001020304050607 08090A0B0C0D0E0F
3
In D450EA5C5BBCB563 F661BD9F31FBFA31 F60E0CDB7F429FE8
0001020304050607 08090A0B0C0D0E0F
Enc 9DF8F5405FBC00C1 F661BD9F31FBFA31 F60E0CDB7F429FE8
6CA405593A3B5154 08090A0B0C0D0E0F
XorT 9DF8F5405FBC00C2 F661BD9F31FBFA31 F60E0CDB7F429FE8
6CA405593A3B5154 08090A0B0C0D0E0F
4
In 9DF8F5405FBC00C2 F661BD9F31FBFA31 F60E0CDB7F429FE8
6CA405593A3B5154 08090A0B0C0D0E0F
Enc 564408FDD0DD2EA4 F661BD9F31FBFA31 F60E0CDB7F429FE8
6CA405593A3B5154 E5923CB9FDB56FBC
XorT 564408FDD0DD2EA0 F661BD9F31FBFA31 F60E0CDB7F429FE8
6CA405593A3B5154 E5923CB9FDB56FBC
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
5. Security Considerations
The key wrap algorithm includes a strong integrity check on the key
data. If unwrapping produces the expected check value in A[0], then
the chance that the key data is corrupt is 2^-64. If unwrapping
produces an unexpected value, then the algorithm implementation MUST
return an error, and it MUST NOT return any key data.
Implementations must protect the KEK from disclosure. Compromise of
the KEK may result in the disclosure of all key data protected with
that KEK.
6. References
AES National Institute of Standards and Technology. FIPS Pub
197: Advanced Encryption Standard (AES). 26 November 2001.
AES-WRAP National Institute of Standards and Technology. AES Key
Wrap Specification. 17 November 2001.
[http://csrc.nist.gov/encryption/kms/key-wrap.pdf]
7. Acknowledgments
Most of the text in this document is taken from [AES-WRAP]. The
authors of that document are responsible for the development of the
AES key wrap algorithm.
8. Authors' Addresses
Jim Schaad
Soaring Hawk Consulting
EMail: jimsch@exmsft.com
Russell Housley
RSA Laboratories
918 Spring Knoll Drive
Herndon, VA 20170
USA
EMail: rhousley@rsasecurity.com
9. Full Copyright Statement
Copyright (C) The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to
others provided that the above copyright notice and this paragraph
are included on all such copies. However, this document itself may
not be modified in any way, such as by removing the copyright notice
or references to the Internet Society or other Internet
organizations, except as required to translate it into languages
other than English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.