Advanced Encryption Standard (AES) Key Wrap Algorithm
RFC 3394
| Document | Type | RFC - Informational (October 2002; Errata) | |
|---|---|---|---|
| Authors | Russ Housley , Jim Schaad | ||
| Last updated | 2020-01-21 | ||
| Stream | IETF | ||
| Formats | plain text html pdf htmlized with errata bibtex | ||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 3394 (Informational) | |
| Action Holders |
(None)
|
||
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Jeffrey Schiller | ||
| IESG note | Responsible: RFC Editor | ||
| Send notices to | <turners@ieca.com>, <blake@brutesquadlabs.com> | ||
Network Working Group J. Schaad
Request for Comments: 3394 Soaring Hawk Consulting
Category: Informational R. Housley
RSA Laboratories
September 2002
Advanced Encryption Standard (AES) Key Wrap Algorithm
Status of this Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
The purpose of this document is to make the Advanced Encryption
Standard (AES) Key Wrap algorithm conveniently available to the
Internet community. The United States of America has adopted AES as
the new encryption standard. The AES Key Wrap algorithm will
probably be adopted by the USA for encryption of AES keys. The
authors took most of the text in this document from the draft AES Key
Wrap posted by NIST.
Table of Contents
1. Introduction................................................ 2
2. Overview.................................................... 2
2.1 Notation and Definitions................................... 3
2.2 Algorithms................................................. 4
2.2.1 Key Wrap................................................. 4
2.2.2 Key Unwrap............................................... 5
2.2.3 Key Data Integrity -- the Initial Value.................. 6
2.2.3.1 Default Initial Value.................................. 7
2.2.3.2 Alternative Initial Values............................. 7
3. Object Identifiers.......................................... 8
4. Test Vectors................................................ 8
4.1 Wrap 128 bits of Key Data with a 128-bit KEK............... 8
4.2 Wrap 128 bits of Key Data with a 192-bit KEK............... 11
4.3 Wrap 128 bits of Key Data with a 256-bit KEK............... 14
4.4 Wrap 192 bits of Key Data with a 192-bit KEK............... 17
4.5 Wrap 192 bits of Key Data with a 256-bit KEK............... 24
4.6 Wrap 256 bits of Key Data with a 256-bit KEK............... 30
Schaad & Housley Informational [Page 1]
RFC 3394 AES Key Wrap Algorithm September 2002
5. Security Considerations..................................... 39
6. References.................................................. 39
7. Acknowledgments............................................. 39
8. Authors' Addresses.......................................... 39
9. Full Copyright Statement.................................... 40
1. Introduction
NOTE: Most of the following text is taken from [AES-WRAP], and the
assertions regarding the security of the AES Key Wrap algorithm are
made by the US Government, not by the authors of this document.
This specification is intended to satisfy the National Institute of
Standards and Technology (NIST) Key Wrap requirement to: Design a
cryptographic algorithm called a Key Wrap that uses the Advanced
Encryption Standard (AES) as a primitive to securely encrypt
plaintext key(s) with any associated integrity information and data,
such that the combination could be longer than the width of the AES
block size (128-bits). Each ciphertext bit should be a highly non-
linear function of each plaintext bit, and (when unwrapping) each
plaintext bit should be a highly non-linear function of each
ciphertext bit. It is sufficient to approximate an ideal
pseudorandom permutation to the degree that exploitation of
undesirable phenomena is as unlikely as guessing the AES engine key.
This key wrap algorithm needs to provide ample security to protect
keys in the context of prudently designed key management
architecture.
Throughout this document, any data being wrapped will be referred to
as the key data. It makes no difference to the algorithm whether the
data being wrapped is a key; in fact there is often good reason to
include other data with the key, to wrap multiple keys together, or
to wrap data that isn't strictly a key. So, the term "key data" is
used broadly to mean any data being wrapped, but particularly keys,
since this is primarily a key wrap algorithm. The key used to do the
wrapping will be referred to as the key-encryption key (KEK).
In this document a KEK can be any valid key supported by the AES
codebook. That is, a KEK can be a 128-bit key, a 192-bit key, or a
256-bit key.
2. Overview
The AES key wrap algorithm is designed to wrap or encrypt key data.
The key wrap operates on blocks of 64 bits. Before being wrapped,
the key data is parsed into n blocks of 64 bits.
Schaad & Housley Informational [Page 2]
Show full document text