Advanced Encryption Standard (AES) Key Wrap Algorithm
RFC 3394 AES Key Wrap Algorithm September 2002
5. Security Considerations..................................... 39
6. References.................................................. 39
7. Acknowledgments............................................. 39
8. Authors' Addresses.......................................... 39
9. Full Copyright Statement.................................... 40
1. Introduction
NOTE: Most of the following text is taken from [AES-WRAP], and the
assertions regarding the security of the AES Key Wrap algorithm are
made by the US Government, not by the authors of this document.
This specification is intended to satisfy the National Institute of
Standards and Technology (NIST) Key Wrap requirement to: Design a
cryptographic algorithm called a Key Wrap that uses the Advanced
Encryption Standard (AES) as a primitive to securely encrypt
plaintext key(s) with any associated integrity information and data,
such that the combination could be longer than the width of the AES
block size (128 bits). Each ciphertext bit should be a highly
non-linear function of each plaintext bit, and (when unwrapping) each
plaintext bit should be a highly non-linear function of each
ciphertext bit. It is sufficient to approximate an ideal
pseudorandom permutation to the degree that exploitation of
undesirable phenomena is as unlikely as guessing the AES engine key.
This key wrap algorithm needs to provide ample security to protect
keys in the context of a prudently designed key management
architecture.
Throughout this document, any data being wrapped will be referred to
as the key data. It makes no difference to the algorithm whether the
data being wrapped is a key; in fact there is often good reason to
include other data with the key, to wrap multiple keys together, or
to wrap data that isn't strictly a key. So, the term "key data" is
used broadly to mean any data being wrapped, but particularly keys,
since this is primarily a key wrap algorithm. The key used to do the
wrapping will be referred to as the key-encryption key (KEK).
In this document a KEK can be any valid key supported by the AES
codebook. That is, a KEK can be a 128-bit key, a 192-bit key, or a
256-bit key.
2. Overview
The AES key wrap algorithm is designed to wrap or encrypt key data.
The key wrap operates on blocks of 64 bits. Before being wrapped,
the key data is parsed into n blocks of 64 bits.
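The wrap described in this overview, as an added example in Go that is not code from the RFC or its authors: it parses the key data into n 64-bit blocks and carries out the full RFC 3394 wrap and unwrap steps (the 64-bit register A, the six passes over the n blocks and the counter t, which the RFC defines on later pages than this one) with the RFC's default initial value, using only the standard-library AES block cipher; the unwrap side shows the integrity check a practitioner relies on, which returns an error rather than data when the KEK is wrong or the ciphertext has been altered. The function names are assumptions for illustration; the KEK and key data in main are the RFC's section 4.1 test vector.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// defaultIV is the RFC 3394 default initial value: 0xA6 repeated eight times.
var defaultIV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Wrap encrypts keyData under kek with the AES key wrap and the default IV.
// kek must be 16, 24 or 32 bytes (AES-128/192/256); keyData must be a whole
// number n >= 2 of 64-bit blocks. The result is n+1 blocks of 64 bits.
func Wrap(kek, keyData []byte) ([]byte, error) {
	if len(keyData) < 16 || len(keyData)%8 != 0 {
		return nil, errors.New("key data must be n*64 bits with n >= 2")
	}
	block, err := aes.NewCipher(kek) // rejects any KEK size other than 128/192/256 bits
	if err != nil {
		return nil, err
	}
	n := len(keyData) / 8
	a := defaultIV                       // 64-bit integrity register A
	r := append([]byte(nil), keyData...) // R[1..n]; block i sits at r[8i:8i+8]
	var in, out [16]byte
	var tb [8]byte
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			// B = AES(K, A | R[i]); A = MSB64(B) xor t; R[i] = LSB64(B)
			copy(in[:8], a[:])
			copy(in[8:], r[8*i:8*i+8])
			block.Encrypt(out[:], in[:])
			binary.BigEndian.PutUint64(tb[:], uint64(n*j+i+1)) // t = n*j + i with i 1-based
			for k := range a {
				a[k] = out[k] ^ tb[k]
			}
			copy(r[8*i:], out[8:])
		}
	}
	return append(a[:], r...), nil
}

// Unwrap inverts Wrap. It fails closed: when the recovered register A is not
// the IV (wrong KEK or modified ciphertext) it returns an error and no data.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped data must be (n+1)*64 bits with n >= 2")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	var a [8]byte
	copy(a[:], wrapped[:8])
	r := append([]byte(nil), wrapped[8:]...) // R[1..n] recovered in place
	var in, out [16]byte
	var tb [8]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			// B = AES-1(K, (A xor t) | R[i]); A = MSB64(B); R[i] = LSB64(B)
			binary.BigEndian.PutUint64(tb[:], uint64(n*j+i+1))
			for k := range a {
				in[k] = a[k] ^ tb[k]
			}
			copy(in[8:], r[8*i:8*i+8])
			block.Decrypt(out[:], in[:])
			copy(a[:], out[:8])
			copy(r[8*i:], out[8:])
		}
	}
	if !bytes.Equal(a[:], defaultIV[:]) {
		return nil, errors.New("integrity check failed: wrong KEK or modified ciphertext")
	}
	return r, nil
}

func main() {
	// RFC 3394 section 4.1 vector: 128 bits of key data under a 128-bit KEK.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	keyData, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, err := Wrap(kek, keyData)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped: %X\n", wrapped)
}
```

The point to take from the unwrap side is that the 64-bit register A is the only integrity signal the algorithm provides: callers must treat an Unwrap error as a hard failure and never use partially recovered blocks, and the length checks in both functions are what enforce the "n blocks of 64 bits" parsing rule of the overview before any AES call is made.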
Schaad & Housley Informational