RFC 3394 (rfc3394) - Page 2 of 41


Advanced Encryption Standard (AES) Key Wrap Algorithm



Alternative Format: Original Text Document



RFC 3394                AES Key Wrap Algorithm            September 2002


   5. Security Considerations..................................... 39
   6. References.................................................. 39
   7. Acknowledgments............................................. 39
   8. Authors' Addresses.......................................... 39
   9. Full Copyright Statement.................................... 40

1. Introduction

   NOTE: Most of the following text is taken from [AES-WRAP], and the
   assertions regarding the security of the AES Key Wrap algorithm are
   made by the US Government, not by the authors of this document.

   This specification is intended to satisfy the National Institute of
   Standards and Technology (NIST) Key Wrap requirement to:  Design a
   cryptographic algorithm called a Key Wrap that uses the Advanced
   Encryption Standard (AES) as a primitive to securely encrypt
   plaintext key(s) with any associated integrity information and data,
   such that the combination could be longer than the width of the AES
   block size (128-bits).  Each ciphertext bit should be a highly non-
   linear function of each plaintext bit, and (when unwrapping) each
   plaintext bit should be a highly non-linear function of each
   ciphertext bit.  It is sufficient to approximate an ideal
   pseudorandom permutation to the degree that exploitation of
   undesirable phenomena is as unlikely as guessing the AES engine key.

   This key wrap algorithm needs to provide ample security to protect
   keys in the context of prudently designed key management
   architecture.

   Throughout this document, any data being wrapped will be referred to
   as the key data.  It makes no difference to the algorithm whether the
   data being wrapped is a key; in fact there is often good reason to
   include other data with the key, to wrap multiple keys together, or
   to wrap data that isn't strictly a key.  So, the term "key data" is
   used broadly to mean any data being wrapped, but particularly keys,
   since this is primarily a key wrap algorithm.  The key used to do the
   wrapping will be referred to as the key-encryption key (KEK).

   In this document a KEK can be any valid key supported by the AES
   codebook.  That is, a KEK can be a 128-bit key, a 192-bit key, or a
   256-bit key.

2. Overview

   The AES key wrap algorithm is designed to wrap or encrypt key data.
   The key wrap operates on blocks of 64 bits.  Before being wrapped,
   the key data is parsed into n blocks of 64 bits.




Schaad & Housley             Informational