Advanced Encryption Standard (AES) Key Wrap Algorithm
RFC 3394

Document Type RFC - Informational (October 2002; Errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 3394 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD Jeffrey Schiller
IESG note Responsible: RFC Editor
Send notices to <turners@ieca.com>, <blake@brutesquadlabs.com>
Network Working Group                                          J. Schaad
Request for Comments: 3394                       Soaring Hawk Consulting
Category: Informational                                       R. Housley
                                                        RSA Laboratories
                                                          September 2002

         Advanced Encryption Standard (AES) Key Wrap Algorithm

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2002).  All Rights Reserved.

Abstract

   The purpose of this document is to make the Advanced Encryption
   Standard (AES) Key Wrap algorithm conveniently available to the
   Internet community.  The United States of America has adopted AES as
   the new encryption standard.  The AES Key Wrap algorithm will
   probably be adopted by the USA for encryption of AES keys. The
   authors took most of the text in this document from the draft AES Key
   Wrap posted by NIST.

Table of Contents

   1. Introduction................................................  2
   2. Overview....................................................  2
   2.1 Notation and Definitions...................................  3
   2.2 Algorithms.................................................  4
   2.2.1 Key Wrap.................................................  4
   2.2.2 Key Unwrap...............................................  5
   2.2.3 Key Data Integrity -- the Initial Value..................  6
   2.2.3.1 Default Initial Value..................................  7
   2.2.3.2 Alternative Initial Values.............................  7
   3. Object Identifiers..........................................  8
   4. Test Vectors................................................  8
   4.1 Wrap 128 bits of Key Data with a 128-bit KEK...............  8
   4.2 Wrap 128 bits of Key Data with a 192-bit KEK............... 11
   4.3 Wrap 128 bits of Key Data with a 256-bit KEK............... 14
   4.4 Wrap 192 bits of Key Data with a 192-bit KEK............... 17
   4.5 Wrap 192 bits of Key Data with a 256-bit KEK............... 24
   4.6 Wrap 256 bits of Key Data with a 256-bit KEK............... 30

Schaad & Housley             Informational                      [Page 1]
RFC 3394                AES Key Wrap Algorithm            September 2002

   5. Security Considerations..................................... 39
   6. References.................................................. 39
   7. Acknowledgments............................................. 39
   8. Authors' Addresses.......................................... 39
   9. Full Copyright Statement.................................... 40

1. Introduction

   NOTE: Most of the following text is taken from [AES-WRAP], and the
   assertions regarding the security of the AES Key Wrap algorithm are
   made by the US Government, not by the authors of this document.

   This specification is intended to satisfy the National Institute of
   Standards and Technology (NIST) Key Wrap requirement to:  Design a
   cryptographic algorithm called a Key Wrap that uses the Advanced
   Encryption Standard (AES) as a primitive to securely encrypt
   plaintext key(s) with any associated integrity information and data,
   such that the combination could be longer than the width of the AES
   block size (128-bits).  Each ciphertext bit should be a highly non-
   linear function of each plaintext bit, and (when unwrapping) each
   plaintext bit should be a highly non-linear function of each
   ciphertext bit.  It is sufficient to approximate an ideal
   pseudorandom permutation to the degree that exploitation of
   undesirable phenomena is as unlikely as guessing the AES engine key.

   This key wrap algorithm needs to provide ample security to protect
   keys in the context of prudently designed key management
   architecture.

   Throughout this document, any data being wrapped will be referred to
   as the key data.  It makes no difference to the algorithm whether the
   data being wrapped is a key; in fact there is often good reason to
   include other data with the key, to wrap multiple keys together, or
   to wrap data that isn't strictly a key.  So, the term "key data" is
   used broadly to mean any data being wrapped, but particularly keys,
   since this is primarily a key wrap algorithm.  The key used to do the
   wrapping will be referred to as the key-encryption key (KEK).

   In this document a KEK can be any valid key supported by the AES
   codebook.  That is, a KEK can be a 128-bit key, a 192-bit key, or a
   256-bit key.

2. Overview
Show full document text