

Wrapping a Hashed Message Authentication Code (HMAC) key with a Triple-Data Encryption Standard (DES) Key or an Advanced Encryption Standard (AES) Key






RFC 3537                     HMAC Key Wrap                      May 2003


   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, RFC 2119
   [STDWORDS].

2. HMAC Key Guidelines

   [HMAC] suggests that the key be at least as long as the output (L) of
   the hash function being used.  When keys longer than the block size
   of the hash algorithm are used, they are hashed and the resulting
   hash value is used.  Using keys much longer than L provides no
   security benefit, unless the random function used to create the key
   has low entropy output.

3. HMAC Key Wrapping and Unwrapping with Triple-DES

   This section specifies the algorithms for wrapping and unwrapping an
   HMAC key with a 3DES KEK [3DES].

   The 3DES wrapping of HMAC keys is based on the algorithm defined in
   Section 3 of [3DES-WRAP].  The major differences are due to the fact
   that an HMAC key is of variable length and the HMAC key has no
   particular parity.

   In the algorithm description, "a || b" is used to represent 'a'
   concatenated with 'b'.

3.1 Wrapping an HMAC Key with a Triple-DES Key-Encryption Key

   This algorithm encrypts an HMAC key with a 3DES KEK.  The algorithm
   is:

   1.  Let the HMAC key be called KEY, and let the length of KEY in
       octets be called LENGTH.  LENGTH is a single octet.

   2.  Let LKEY = LENGTH || KEY.

   3.  Let LKEYPAD = LKEY || PAD.  If the length of LKEY is a multiple
       of 8, the PAD has a length of zero.  If the length of LKEY is not
       a multiple of 8, then PAD consists of the fewest random octets
       needed to make the length of LKEYPAD a multiple of 8.

   4.  Compute an 8 octet key checksum value on LKEYPAD as described in
       Section 2 of [3DES-WRAP], call the result ICV.

   5.  Let LKEYPADICV = LKEYPAD || ICV.

   6.  Generate 8 octets at random, call the result IV.
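   As an added illustration (not code from the RFC), the following Python
   builds LKEYPADICV from steps 1 through 5 above, using the key checksum
   defined in Section 2 of RFC 3217 ([3DES-WRAP]): the first 8 octets of
   the SHA-1 digest of the data.  The 3DES encryption steps that follow
   step 6 are not on this page and are not included; the parsing function
   is my own consistency check of the layout, not the RFC's unwrap text.

```python
import hashlib
import hmac
import os


def key_checksum(data: bytes) -> bytes:
    """Key checksum from Section 2 of RFC 3217 ([3DES-WRAP]):
    the most significant (first) 8 octets of SHA-1 over the data."""
    return hashlib.sha1(data).digest()[:8]


def format_hmac_key(key: bytes, pad_source=os.urandom) -> bytes:
    """Steps 1-5 of RFC 3537 Section 3.1: LENGTH || KEY || PAD || ICV.
    pad_source is injectable only so a test can use fixed padding;
    real callers keep the default random source."""
    length = len(key)
    if not 0 < length <= 255:
        raise ValueError("LENGTH must fit in a single octet")  # step 1
    lkey = bytes([length]) + key                               # step 2
    pad_len = (-len(lkey)) % 8        # step 3: fewest octets to reach a multiple of 8
    lkeypad = lkey + pad_source(pad_len)
    icv = key_checksum(lkeypad)                                # step 4
    return lkeypad + icv                                       # step 5


def parse_hmac_key(lkeypadicv: bytes) -> bytes:
    """Inverse of steps 1-5 (a consistency check written for this example):
    verify the ICV in constant time, then recover KEY from the LENGTH
    octet and discard PAD.  Raises ValueError on any inconsistency."""
    if len(lkeypadicv) < 16 or len(lkeypadicv) % 8:
        raise ValueError("length must be a multiple of 8 and at least 16")
    lkeypad, icv = lkeypadicv[:-8], lkeypadicv[-8:]
    if not hmac.compare_digest(key_checksum(lkeypad), icv):
        raise ValueError("ICV mismatch")
    length = lkeypad[0]
    pad_len = len(lkeypad) - 1 - length
    # PAD is the fewest octets needed, so it must be between 0 and 7 long.
    if length == 0 or pad_len < 0 or pad_len >= 8:
        raise ValueError("LENGTH octet inconsistent with padded length")
    return lkeypad[1:1 + length]
```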



Schaad & Housley            Standards Track