1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
|
<pre>Network Working Group R. Housley
Request for Comments: 5649 Vigil Security
Category: Informational M. Dworkin
NIST
August 2009
<span class="h1">Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm</span>
Abstract
This document specifies a padding convention for use with the AES Key
Wrap algorithm specified in <a href="./rfc3394">RFC 3394</a>. This convention eliminates the
requirement that the length of the key to be wrapped be a multiple of
64 bits, allowing a key of any practical length to be wrapped.
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright and License Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
<span class="grey">Housley & Dworkin Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc5649">RFC 5649</a> AES Key Wrap with Padding Algorithm August 2009</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
Management of cryptographic keys often leads to situations where one
symmetric key is used to encrypt and integrity-protect another key,
which can be either a symmetric key or an asymmetric key. The
operation is often called key wrapping.
This document specifies an extension of the Advanced Encryption
Standard (AES) Key Wrap algorithm [<a href="#ref-AES-KW1" title="AES Key Wrap Specification">AES-KW1</a>, <a href="#ref-AES-KW2" title=""Advanced Encryption Standard (AES) Key Wrap Algorithm"">AES-KW2</a>]. Without this
extension, the input to the AES Key Wrap algorithm, called the key
data, must be a sequence of two or more 64-bit blocks.
The AES Key Wrap with Padding algorithm can be used to wrap a key of
any practical size with an AES key. The AES key-encryption key (KEK)
must be 128, 192, or 256 bits. The input key data may be as short as
one octet, which will result in an output of two 64-bit blocks (or 16
octets). Although the AES Key Wrap algorithm does not place a
maximum bound on the size of the key data that can be wrapped, this
extension does so. The use of a 32-bit fixed field to carry the
octet length of the key data bounds the size of the input at 2^32
octets. Most systems will have other factors that limit the
practical size of key data to much less than 2^32 octets.
A message length indicator (MLI) is defined as part of an
"Alternative Initial Value" in keeping with the statement in <a href="#section-2.2.3.2">Section</a>
<a href="#section-2.2.3.2">2.2.3.2</a> of [<a href="#ref-AES-KW1" title="AES Key Wrap Specification">AES-KW1</a>], which says:
Also, if the key data is not just an AES key, it may not always be
a multiple of 64 bits. Alternative definitions of the initial
value can be used to address such problems.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Notation and Definitions</span>
The following notation is used in the algorithm descriptions:
MSB(j, W) Return the most significant j bits of W
LSB(j, W) Return the least significant j bits of W
ENC(K, B) AES Encrypt the 128-bit block B using key K
DEC(K, B) AES Decrypt the 128-bit block B using key K
V1 | V2 Concatenate V1 and V2
K The key-encryption key
m The number of octets in the key data
n The number of 64-bit blocks in the padded key data
Q[i] The ith plaintext octet in the key data
P[i] The ith 64-bit plaintext block in the padded key data
C[i] The ith 64-bit ciphertext data block
A The 64-bit integrity check register
<span class="grey">Housley & Dworkin Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc5649">RFC 5649</a> AES Key Wrap with Padding Algorithm August 2009</span>
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Alternative Initial Value</span>
The Alternative Initial Value (AIV) required by this specification is
a 32-bit constant concatenated to a 32-bit MLI. The constant is (in
hexadecimal) A65959A6 and occupies the high-order half of the AIV.
Note that this differs from the high order 32 bits of the default IV
in Section 2.2.3.1 of [<a href="#ref-AES-KW1" title="AES Key Wrap Specification">AES-KW1</a>], so there is no ambiguity between the
two. The 32-bit MLI, which occupies the low-order half of the AIV,
is an unsigned binary integer equal to the octet length of the
plaintext key data, in network order -- that is, with the most
significant octet first. When the MLI is not a multiple of 8, the
key data is padded on the right with the least number of octets
sufficient to make the resulting octet length a multiple of 8. The
value of each padding octet shall be 0 (eight binary zeros).
Notice that for a given number of 64-bit plaintext blocks, there are
only eight values of MLI that can have that outcome. For example,
the only MLI values that are valid with four 64-bit plaintext blocks
are 32 (with no padding octets), 31 (with one padding octet), 30, 29,
28, 27, 26, and 25 (with seven padding octets). When the unwrapping
process specified below yields n 64-bit blocks of output data and an
AIV, the eight valid values for the MLI are 8*n, (8*n)-1, ..., and
(8*n)-7. Therefore, integrity checking of the AIV, which is
contained in a 64-bit register called A, requires the following
steps:
1) Check that MSB(32,A) = A65959A6.
2) Check that 8*(n-1) < LSB(32,A) <= 8*n. If so, let
MLI = LSB(32,A).
3) Let b = (8*n)-MLI, and then check that the rightmost b octets of
the output data are zero.
If all three checks pass, then the AIV is valid. If any of the
checks fail, then the AIV is invalid and the unwrapping operation
must return an error.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Specification of the AES Key Wrap with Padding Algorithm</span>
The AES Key Wrap with Padding algorithm consists of a wrapping
process and an unwrapping process, both based on the AES codebook
[<a href="#ref-AES" title="FIPS Pub 197: Advanced Encryption Standard (AES)">AES</a>]. It provides an extension to the AES Key Wrap algorithm
[<a href="#ref-AES-KW1" title="AES Key Wrap Specification">AES-KW1</a>, <a href="#ref-AES-KW2" title=""Advanced Encryption Standard (AES) Key Wrap Algorithm"">AES-KW2</a>] that eliminates the requirement that the length of
the key to be wrapped be a multiple of 64 bits. The next two
sections specify the wrapping and unwrapping processes, called the
<span class="grey">Housley & Dworkin Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc5649">RFC 5649</a> AES Key Wrap with Padding Algorithm August 2009</span>
extended key wrapping process and the extended key unwrapping
process, respectively. These names distinguish these processes from
the ones specified in [<a href="#ref-AES-KW1" title="AES Key Wrap Specification">AES-KW1</a>] and [<a href="#ref-AES-KW2" title=""Advanced Encryption Standard (AES) Key Wrap Algorithm"">AES-KW2</a>].
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Extended Key Wrapping Process</span>
The inputs to the extended key wrapping process are the KEK and the
plaintext to be wrapped. The plaintext consists of between one and
2^32 octets, containing the key data being wrapped. The key wrapping
process is described below.
Inputs: Plaintext, m octets {Q[1], Q[2], ..., Q[m]}, and
Key, K (the KEK).
Outputs: Ciphertext, (n+1) 64-bit values {C[0], C[1], ..., C[n]}.
1) Append padding
If m is not a multiple of 8, pad the plaintext octet string on the
right with octets {Q[m+1], ..., Q[r]} of zeros, where r is the
smallest multiple of 8 that is greater than m. If m is a multiple
of 8, then there is no padding, and r = m.
Set n = r/8, which is the same as CEILING(m/8).
For i = 1, ..., n
j = 8*(i-1)
P[i] = Q[j+1] | Q[j+2] | ... | Q[j+8].
2) Wrapping
If the padded plaintext contains exactly eight octets, then
prepend the AIV as defined in <a href="#section-3">Section 3</a> above to P[1] and encrypt
the resulting 128-bit block using AES in ECB mode [<a href="#ref-Modes" title=""Recommendation for Block Cipher Modes of Operation -- Methods and Techniques"">Modes</a>] with key
K (the KEK). In this case, the output is two 64-bit blocks C[0]
and C[1]:
C[0] | C[1] = ENC(K, A | P[1]).
Otherwise, apply the wrapping process specified in Section 2.2.1
of [<a href="#ref-AES-KW2" title=""Advanced Encryption Standard (AES) Key Wrap Algorithm"">AES-KW2</a>] to the padded plaintext {P[1], ..., P[n]} with K (the
KEK) and the AIV as defined in <a href="#section-3">Section 3</a> above as the initial
value. The result is n+1 64-bit blocks {C[0], C[1], ..., C[n]}.
<span class="grey">Housley & Dworkin Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc5649">RFC 5649</a> AES Key Wrap with Padding Algorithm August 2009</span>
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Extended Key Unwrapping Process</span>
The inputs to the extended key unwrapping process are the KEK and
(n+1) 64-bit ciphertext blocks consisting of a previously wrapped
key. If the ciphertext is a validly wrapped key, then the unwrapping
process returns n 64-bit blocks of padded plaintext, which are then
mapped in this extension to m octets of decrypted key data, as
indicated by the MLI embedded in the AIV.
Inputs: Ciphertext, (n+1) 64-bit blocks {C[0], C[1], ..., C[n]}, and
Key, K (the KEK).
Outputs: Plaintext, m octets {Q[1], Q[2], ..., Q[m]}, or an error.
1) Key unwrapping
When n is one (n=1), the ciphertext contains exactly two 64-bit
blocks (C[0] and C[1]), and they are decrypted as a single AES
block using AES in ECB mode [<a href="#ref-Modes" title=""Recommendation for Block Cipher Modes of Operation -- Methods and Techniques"">Modes</a>] with K (the KEK) to recover
the AIV and the padded plaintext key:
A | P[1] = DEC(K, C[0] | C[1]).
Otherwise, apply Steps 1 and 2 of the unwrapping process specified
in Section 2.2.2 of [<a href="#ref-AES-KW2" title=""Advanced Encryption Standard (AES) Key Wrap Algorithm"">AES-KW2</a>] to the n+1 64-bit ciphertext blocks,
{C[0], C[1], ..., C[n]}, and to the KEK, K. Define the padded
plaintext blocks, {P[1], ..., P[n]}, as specified in Step 3 of
that process, with A[0] as the A value. Note that checking "If
A[0] is an appropriate value" is slightly delayed to Step 2 below
since the padded plaintext is needed to perform this verification
when the AIV is used.
2) AIV verification
Perform the three checks described in <a href="#section-3">Section 3</a> above on the
padded plaintext and the A value. If any of the checks fail, then
return an error.
3) Remove padding
Let m = the MLI value extracted from A.
Let P = P[1] | P[2] | ... | P[n].
For i = 1, ... , m
Q[i] = LSB(8, MSB(8*i, P))
<span class="grey">Housley & Dworkin Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc5649">RFC 5649</a> AES Key Wrap with Padding Algorithm August 2009</span>
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Algorithm Identifiers</span>
Some security protocols employ ASN.1 [<a href="#ref-X.680">X.680</a>] and employ algorithm
identifiers to name cryptographic algorithms. To support these
protocols, the AES Key Wrap with Padding algorithm has been assigned
the following algorithm identifiers, one for each AES KEK size. The
AES Key Wrap (without padding) algorithm identifiers are also
included here for convenience.
aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) 1 }
id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 }
id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 }
id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 }
In all cases, the AlgorithmIdentifier parameter field MUST be absent.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Padded Key Wrap Examples</span>
The examples in this section were generated using the index-based
implementation of the AES Key Wrap algorithm along with the padding
approach specified in <a href="#section-4">Section 4</a> of this document. All values are
shown in hexadecimal.
The first example wraps 20 octets of key data with a 192-bit KEK.
KEK : 5840df6e29b02af1 ab493b705bf16ea1 ae8338f4dcc176a8
Key : c37b7e6492584340 bed1220780894115 5068f738
Wrap : 138bdeaa9b8fa7fc 61f97742e72248ee 5ae6ae5360d1ae6a
: 5f54f373fa543b6a
The second example wraps 7 octets of key data with a 192-bit KEK.
KEK : 5840df6e29b02af1 ab493b705bf16ea1 ae8338f4dcc176a8
Key : 466f7250617369
Wrap : afbeb0f07dfbf541 9200f2ccb50bb24f
<span class="grey">Housley & Dworkin Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc5649">RFC 5649</a> AES Key Wrap with Padding Algorithm August 2009</span>
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Security Considerations</span>
Implementations must protect the key-encryption key (KEK).
Compromise of the KEK may result in the disclosure of all keys that
have been wrapped with the KEK, which may lead to the compromise of
all traffic protected with those wrapped keys.
The KEK must be at least as good as the keying material it is
protecting.
If the KEK and wrapped key are associated with different
cryptographic algorithms, the effective security provided to data
protected with the wrapped key is determined by the weaker of the two
algorithms. If, for example, data is encrypted with 128-bit AES and
that AES key is wrapped with a 256-bit AES key, then at most 128 bits
of protection is provided to the data. If, for another example, a
128-bit AES key is used to wrap a 4096-bit RSA private key, then at
most 128 bits of protection is provided to any data that depends on
that private key. Thus, implementers must ensure that key-encryption
algorithms are at least as strong as other cryptographic algorithms
employed in an overall system.
The AES Key Wrap and the AES Key Wrap with Padding algorithms use
different constants in the initial value. The use of different
values ensures that the recipient of padded key data cannot
successfully unwrap it as unpadded key data, or vice versa. This
remains true when the key data is wrapped using the AES Key Wrap with
Padding algorithm but no padding is needed.
The AES Key Wrap with Padding algorithm provides almost the same
amount of integrity protection as the AES Key Wrap algorithm.
A previous padding technique was specified for wrapping Hashed
Message Authentication Code (HMAC) keys with AES [<a href="#ref-OLD-KW" title=""Wrapping a Hashed Message Authentication Code (HMAC) key with a Triple-Data Encryption Standard (DES) Key or an Advanced Encryption Standard (AES) Key"">OLD-KW</a>]. The
technique in this document is more general; the technique in this
document is not limited to wrapping HMAC keys.
In the design of some high assurance cryptographic modules, it is
desirable to segregate cryptographic keying material from other data.
The use of a specific cryptographic mechanism solely for the
protection of cryptographic keying material can assist in this goal.
The AES Key Wrap and the AES Key Wrap with Padding are such
mechanisms. System designers should not use these algorithms to
encrypt anything other than cryptographic keying material.
<span class="grey">Housley & Dworkin Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc5649">RFC 5649</a> AES Key Wrap with Padding Algorithm August 2009</span>
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. References</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Normative References</span>
[<a id="ref-AES">AES</a>] National Institute of Standards and Technology, FIPS Pub
197: Advanced Encryption Standard (AES), 26 November 2001.
[<a id="ref-AES-KW1">AES-KW1</a>] National Institute of Standards and Technology, AES Key
Wrap Specification, 17 November 2001.
<a href="http://csrc.nist.gov/groups/ST/toolkit/documents/kms/AES_key_wrap.pdf">http://csrc.nist.gov/groups/ST/toolkit/documents/kms/</a>
<a href="http://csrc.nist.gov/groups/ST/toolkit/documents/kms/AES_key_wrap.pdf">AES_key_wrap.pdf</a>
[<a id="ref-AES-KW2">AES-KW2</a>] Schaad, J. and R. Housley, "Advanced Encryption Standard
(AES) Key Wrap Algorithm", <a href="./rfc3394">RFC 3394</a>, September 2002.
[<a id="ref-Modes">Modes</a>] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation -- Methods and Techniques", NIST Special
Publication 800-38A, 2001.
[<a id="ref-X.680">X.680</a>] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002,
Information technology - Abstract Syntax Notation One
(ASN.1): Specification of basic notation.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Informative References</span>
[<a id="ref-AES-CMS">AES-CMS</a>] Schaad, J., "Use of the Advanced Encryption Standard (AES)
Encryption Algorithm in Cryptographic Message Syntax
(CMS)", <a href="./rfc3565">RFC 3565</a>, July 2003.
[<a id="ref-CMS-ASN">CMS-ASN</a>] Schaad, J. and P. Hoffman, "New ASN.1 Modules for CMS and
S/MIME", Work in Progress, August 2009.
[<a id="ref-OLD-KW">OLD-KW</a>] Schaad, J. and R. Housley, "Wrapping a Hashed Message
Authentication Code (HMAC) key with a Triple-Data
Encryption Standard (DES) Key or an Advanced Encryption
Standard (AES) Key", <a href="./rfc3537">RFC 3537</a>, May 2003.
[<a id="ref-X.681">X.681</a>] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002,
Information Technology - Abstract Syntax Notation One:
Information Object Specification.
[<a id="ref-X.682">X.682</a>] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002,
Information Technology - Abstract Syntax Notation One:
Constraint Specification.
[<a id="ref-X.683">X.683</a>] ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002,
Information Technology - Abstract Syntax Notation One:
Parameterization of ASN.1 Specifications.
<span class="grey">Housley & Dworkin Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc5649">RFC 5649</a> AES Key Wrap with Padding Algorithm August 2009</span>
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Acknowledgments</span>
Paul Timmel should be credited with the MLI and padding technique
described in this document.
<span class="grey">Housley & Dworkin Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc5649">RFC 5649</a> AES Key Wrap with Padding Algorithm August 2009</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. ASN.1 Modules</span>
This appendix includes two ASN.1 modules. The first one makes use of
the 1988 syntax, and the second one makes use of the 2002 ASN.1
syntax.
<a href="#appendix-A.1">Appendix A.1</a> provides the normative ASN.1 definitions for the
algorithm identifiers included in this specification using ASN.1 as
defined in [<a href="#ref-X.680">X.680</a>] using the 1988 ASN.1 syntax.
<a href="#appendix-A.2">Appendix A.2</a> provides informative ASN.1 definitions for the algorithm
identifiers included in this specification using ASN.1 as defined in
[<a href="#ref-X.680">X.680</a>], [<a href="#ref-X.681">X.681</a>], [<a href="#ref-X.682">X.682</a>], and [<a href="#ref-X.683">X.683</a>] using the 2002 ASN.1 syntax.
This appendix contains the same information as <a href="#appendix-A.1">Appendix A.1</a>; however,
<a href="#appendix-A.1">Appendix A.1</a> takes precedence in case of conflict. The content
encryption and key wrap algorithm objects are defined in [<a href="#ref-CMS-ASN" title=""New ASN.1 Modules for CMS and S/MIME"">CMS-ASN</a>].
The id-aes128-wrap, id-aes192-wrap, and id-aes256-wrap algorithm
identifiers are defined in [<a href="#ref-AES-CMS" title=""Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS)"">AES-CMS</a>].
<span class="h3"><a class="selflink" id="appendix-A.1" href="#appendix-A.1">A.1</a>. 1988 ASN.1 Module</span>
AESKeyWrapWithPad-88 { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) 47 }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- EXPORTS ALL --
-- IMPORTS NONE --
-- AES information object identifiers --
aes OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
csor(3) nistAlgorithms(4) 1 }
-- AES Key Wrap With Padding Algorithm Identifiers are to be used
-- with the Parameter field absent
id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 }
id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 }
id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 }
END
<span class="grey">Housley & Dworkin Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc5649">RFC 5649</a> AES Key Wrap with Padding Algorithm August 2009</span>
<span class="h3"><a class="selflink" id="appendix-A.2" href="#appendix-A.2">A.2</a>. 2002 ASN.1 Module</span>
AESKeyWrapWithPad-02 { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) 48 }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
-- EXPORTS ALL --
IMPORTS
AlgorithmIdentifier{}, CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS
FROM AlgorithmInformation-2009 -- [<a href="#ref-CMS-ASN" title=""New ASN.1 Modules for CMS and S/MIME"">CMS-ASN</a>]
{ iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58) };
AES-ContentEncryption CONTENT-ENCRYPTION ::= {
cea-aes128-wrap-pad |
cea-aes192-wrap-pad |
cea-aes256-wrap-pad,
... }
AES-KeyWrap KEY-WRAP ::= {
kwa-aes128-wrap-pad |
kwa-aes192-wrap-pad |
kwa-aes256-wrap-pad,
... }
SMimeCaps SMIME-CAPS ::= {
cea-aes128-wrap-pad.&smimeCaps |
cea-aes192-wrap-pad.&smimeCaps |
cea-aes256-wrap-pad.&smimeCaps |
kwa-aes128-wrap-pad.&smimeCaps |
kwa-aes192-wrap-pad.&smimeCaps |
kwa-aes256-wrap-pad.&smimeCaps,
... }
-- AES object identifier
aes OBJECT IDENTIFIER ::= {
joint-iso-itu-t(2) country(16) us(840) organization(1)
gov(101) csor(3) nistAlgorithms(4) 1 }
<span class="grey">Housley & Dworkin Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc5649">RFC 5649</a> AES Key Wrap with Padding Algorithm August 2009</span>
-- Content Encryption Algorithms
cea-aes128-wrap-pad CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-wrap-pad
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes128-wrap-pad } }
cea-aes192-wrap-pad CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes192-wrap-pad
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes192-wrap-pad } }
cea-aes256-wrap-pad CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes256-wrap-pad
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes256-wrap-pad } }
-- Key Wrap Algorithms
kwa-aes128-wrap-pad KEY-WRAP ::= {
IDENTIFIER id-aes128-wrap-pad
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes128-wrap-pad } }
id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 }
kwa-aes192-wrap-pad KEY-WRAP ::= {
IDENTIFIER id-aes192-wrap-pad
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes192-wrap-pad } }
id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 }
kwa-aes256-wrap-pad KEY-WRAP ::= {
IDENTIFIER id-aes256-wrap-pad
PARAMS ARE absent
SMIME-CAPS { IDENTIFIED BY id-aes256-wrap-pad } }
id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 }
END
<span class="grey">Housley & Dworkin Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc5649">RFC 5649</a> AES Key Wrap with Padding Algorithm August 2009</span>
Authors' Addresses
Russell Housley
Vigil Security, LLC
918 Spring Knoll Drive
Herndon, VA 20170
USA
EMail: housley@vigilsec.com
Morris Dworkin
National Institute of Standards and Technology
100 Bureau Drive, Mail Stop 8930
Gaithersburg, MD 20899-8930
USA
EMail: dworkin@nist.gov
Housley & Dworkin Informational [Page 13]
</pre>
|
