Symmetric key wrap algorithms are shared secret key encryption algorithms designed for encrypting and decrypting symmetric keys and providing an integrity check. They take, as implicit parameters, their keying material and the key to encrypt or decrypt. Their identifiers appear as Algorithm attributes to EncryptionMethod elements that are children of EncryptedKey, which is in turn a child of KeyInfo (see Figure 18-1). The type of key being wrapped is indicated by the Algorithm attribute of the EncryptionMethod child of the parent of the KeyInfo grandparent of the EncryptionMethod specifying the symmetric key wrap algorithm (see Figure 18-2). ## 18.8.1 CMS Key ChecksumSome key wrap algorithms use the Key Checksum defined in CMS [RFC 2630]. It provides an integrity check value for the key being wrapped. The algorithm follows: Compute the 20-octet SHA-1 hash of the key being wrapped [FIPS 180-1]. Use the first 8 octets of this hash as the checksum value.
## 18.8.2 Triple DES Key WrapTriple DES Key Wrap Identifiers: http://www.w3.org/2001/04/xmlenc#kw-tripledes Standards-conformant XML Encryption applications must support triple DES wrapping of triple DES keys and may optionally support triple DES wrapping of AES or other keys. An example of a Triple DES Key Wrap EncryptionMethod element follows: <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-tripledes"/> The following algorithm wraps (encrypts) a key (the wrapped key, WK) under a triple DES key-encrypting key (KEK): -
Represent the key being wrapped as a byte sequence. If it is a triple DES key, this byte sequence is 24 octets (192 bits) produced by inserting an odd parity bit as the bottom bit of each octet. -
Compute the key checksum defined in Section 19.12.1; call it CKS. -
Let WKCKS = WK || CKS, where || means concatenation. -
Generate eight random octets; call it IV [RFC 1750]. -
Encrypt WKCKS in CBC mode using KEK as the key and IV as the initialization vector. Call the result TEMP1. -
Let TEMP2 = IV || TEMP1. -
Reverse the order of the octets in TEMP2; call the result TEMP3. -
Encrypt TEMP3 in CBC mode using the KEK and an initialization vector of 0x4ADDA22C79E82105. The resulting cipher text is the desired result. It is 40 octets long if a triple DES key is being wrapped.
The following algorithm unwraps (decrypts) a key: -
Check whether the length of the cipher text is reasonable given the key type. It must be 40 bytes for a triple DES key and either 32, 40, or 48 bytes for an AES key. If the length is wrong, return an error. -
Decrypt the cipher text with triple DES in CBC mode using the KEK and an IV of 0x4ADDA22C79E82105. Call the output TEMP3. -
Reverse the order of the octets in TEMP3; call the result TEMP2. -
Decompose TEMP2 into IV, the first eight octets, and TEMP1, the remaining bytes. -
Decrypt TEMP1 using triple DES in CBC mode using the KEK and the IV found in Step 4. Call the result WKCKS. -
Decompose WKCKS. CKS is the last eight octets and WK, the wrapped key, consists of those octets before the CKS. -
Calculate a CMS Key Checksum over the WK, and compare it with the CKS extracted in Step 6. If they are not equal, return an error. -
WK is the wrapped key, now extracted for use in data decryption.
This specification matches that given in [RFC 2630]. ## 18.8.3 AES Key WrapAES Key Wrap Identifiers: http://www.w3.org/2001/04/xmlenc#kw-aes128 http://www.w3.org/2001/04/xmlenc#kw-aes192 http://www.w3.org/2001/04/xmlenc#kw-aes256 Implementation of AES key wrap is mandatory under XML Encryption only for 128- and 256-bit key-encrypting keys. None of the versions of AES key wrap takes any explicit parameters; all of them take the usual implicit parameters of encryption algorithms with no initialization vector. The AES key wrap algorithm described below, as suggested by NIST [AES, AES KMS], provides for confidentiality and integrity. It is defined only for parameters that are multiples of 64 bits. The information wrapped need not actually be a key. The algorithm is the same whatever the size of the AES key used in wrapping, called the key-encrypting key (KEK). Table 18-1 shows the detailed implementation requirements for various key-encrypting key sizes and wrapped data sizes.
## AES Key Wrap AlgorithmAssume that the data to be wrapped consist of N 64-bit data blocks. If N is 1, then 64 bits are appended, consisting of the repeated octet xA6, and a single AES operation is performed for wrap. Unwrap is also a single AES operation, followed by checking the 64-bit integrity constant and extracting the initial 64 bits of the wrapped quantity. If N > 1, then 6 * N AES operations are performed for wrap or unwrap. Definitions used in the pseudocode given below are as follows: The key to be wrapped is denoted as P(1), P(2), P(3), …, P(N). The result of wrapping will be N + 1 64-bit blocks denoted as C(0), C(1), C(2), …, C(N). K represents the key-encrypting key. Assume integer variables i, j, and t, an intermediate 64-bit register A, a 128-bit register B, and an array of 64-bit quantities R(1) through R(N). "|" represents concatenation, so "x | y", where x and y are 64-bit quantities, is the 128-bit quantity with x in the most significant bit positions and y in the least significant bit positions. "AES(K)enc(x)" is the operation of AES encrypting the 128-bit quantity x under the key K. "AES(K)dec(x)" is the corresponding decryption operation. "XOR(x, y)" is the bitwise exclusive OR of x and y. "MSB(x)" and "LSB(y)" are the most significant 64 bits and least significant 64 bits of x and y, respectively.
## WrapThe key wrap algorithm is as follows: If N is 1: B = AES(K)enc(0xA6A6A6A6A6A6A6A6 | P(1)) C(0) = MSB(B) C(1) = LSB(B) If N > 1, perform the following steps: Initialize variables: Set A to 0xA6A6A6A6A6A6A6A6 For i = 1 to N, R(i) = P(i) Calculate intermediate values: For j = 0 to 5, For i = 1 to N, t =i + j * N B = AES(K)enc(A | R(i)) A = XOR(t, MSB(B)) R(i) = LSB(B) Output the results: Set C(0) = A For i = 1 to N, C(i) = R(i)
## UnwrapThe key unwrap algorithm is as follows: If N is 1: B = AES(K)dec(C(0) | C(1)) P(1) = LSB(B) If MSB(B) is 0xA6A6A6A6A6A6A6A6, return success. Otherwise, return an integrity check failure error. If N > 1, perform the following steps: Initialize the variables: A = C(0) For i = 1 to N, R(i) = C(i) Calculate intermediate values: For j = 5 to 0, For i = N to 1, t =i + j * N B = AES(K)dec(XOR(t, A) | R(i)) A = MSB(B) R(i) = LSB(B) Output the results: For i = 1 to N, P(i) = R(i) If A is 0xA6A6A6A6A6A6A6A6, return success. Otherwise, return an integrity check failure error.
## ExampleFor example, wrapping the data 0x00112233445566778899AABBCCDDEEFF with the KEK 0x000102030405060708090A0B0C0D0E0F produces the cipher text of 0x1FA68B0A8112B447, 0xAEF34BD8FB5A7B82, 0x9D3E862371D2CFE5 |

Secure XML: The New Syntax for Signatures and Encryption

ISBN: 0201756056

EAN: 2147483647

EAN: 2147483647

Year: 2005

Pages: 186

Pages: 186

Authors: Donald E. Eastlake, Kitty Niles

flylib.com © 2008-2017.

If you may any questions please contact us: flylib@qtcs.net

If you may any questions please contact us: flylib@qtcs.net