Advanced Encryption Standard (AES) Key Wrap Algorithm
RFC 3394
Document | Type | RFC - Informational (October 2002; Errata) | |
---|---|---|---|
Authors | Russ Housley , Jim Schaad | ||
Last updated | 2020-01-21 | ||
Stream | IETF | ||
Formats | plain text html pdf htmlized with errata bibtex | ||
Stream | WG state | (None) | |
Document shepherd | No shepherd assigned | ||
IESG | IESG state | RFC 3394 (Informational) | |
Action Holders |
(None)
|
||
Consensus Boilerplate | Unknown | ||
Telechat date | |||
Responsible AD | Jeffrey Schiller | ||
IESG note | Responsible: RFC Editor | ||
Send notices to | <turners@ieca.com>, <blake@brutesquadlabs.com> |
Network Working Group J. Schaad Request for Comments: 3394 Soaring Hawk Consulting Category: Informational R. Housley RSA Laboratories September 2002 Advanced Encryption Standard (AES) Key Wrap Algorithm Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2002). All Rights Reserved. Abstract The purpose of this document is to make the Advanced Encryption Standard (AES) Key Wrap algorithm conveniently available to the Internet community. The United States of America has adopted AES as the new encryption standard. The AES Key Wrap algorithm will probably be adopted by the USA for encryption of AES keys. The authors took most of the text in this document from the draft AES Key Wrap posted by NIST. Table of Contents 1. Introduction................................................ 2 2. Overview.................................................... 2 2.1 Notation and Definitions................................... 3 2.2 Algorithms................................................. 4 2.2.1 Key Wrap................................................. 4 2.2.2 Key Unwrap............................................... 5 2.2.3 Key Data Integrity -- the Initial Value.................. 6 2.2.3.1 Default Initial Value.................................. 7 2.2.3.2 Alternative Initial Values............................. 7 3. Object Identifiers.......................................... 8 4. Test Vectors................................................ 8 4.1 Wrap 128 bits of Key Data with a 128-bit KEK............... 8 4.2 Wrap 128 bits of Key Data with a 192-bit KEK............... 11 4.3 Wrap 128 bits of Key Data with a 256-bit KEK............... 14 4.4 Wrap 192 bits of Key Data with a 192-bit KEK............... 17 4.5 Wrap 192 bits of Key Data with a 256-bit KEK............... 24 4.6 Wrap 256 bits of Key Data with a 256-bit KEK............... 30 Schaad & Housley Informational [Page 1] RFC 3394 AES Key Wrap Algorithm September 2002 5. Security Considerations..................................... 39 6. References.................................................. 39 7. Acknowledgments............................................. 39 8. Authors' Addresses.......................................... 39 9. Full Copyright Statement.................................... 40 1. Introduction NOTE: Most of the following text is taken from [AES-WRAP], and the assertions regarding the security of the AES Key Wrap algorithm are made by the US Government, not by the authors of this document. This specification is intended to satisfy the National Institute of Standards and Technology (NIST) Key Wrap requirement to: Design a cryptographic algorithm called a Key Wrap that uses the Advanced Encryption Standard (AES) as a primitive to securely encrypt plaintext key(s) with any associated integrity information and data, such that the combination could be longer than the width of the AES block size (128-bits). Each ciphertext bit should be a highly non- linear function of each plaintext bit, and (when unwrapping) each plaintext bit should be a highly non-linear function of each ciphertext bit. It is sufficient to approximate an ideal pseudorandom permutation to the degree that exploitation of undesirable phenomena is as unlikely as guessing the AES engine key. This key wrap algorithm needs to provide ample security to protect keys in the context of prudently designed key management architecture. Throughout this document, any data being wrapped will be referred to as the key data. It makes no difference to the algorithm whether the data being wrapped is a key; in fact there is often good reason to include other data with the key, to wrap multiple keys together, or to wrap data that isn't strictly a key. So, the term "key data" is used broadly to mean any data being wrapped, but particularly keys, since this is primarily a key wrap algorithm. The key used to do the wrapping will be referred to as the key-encryption key (KEK). In this document a KEK can be any valid key supported by the AES codebook. That is, a KEK can be a 128-bit key, a 192-bit key, or a 256-bit key. 2. Overview The AES key wrap algorithm is designed to wrap or encrypt key data. The key wrap operates on blocks of 64 bits. Before being wrapped, the key data is parsed into n blocks of 64 bits. Schaad & Housley Informational [Page 2]Show full document text