Triple-DES and RC2 Key Wrapping
RFC 3217

Document Type RFC - Informational (December 2001; Errata)
Last updated 2013-03-02
Stream IETF
Network Working Group                                         R. Housley
Request for Comments: 3217                              RSA Laboratories
Category: Informational                                    December 2001

                    Triple-DES and RC2 Key Wrapping

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2001).  All Rights Reserved.

Abstract

   This document specifies the algorithm for wrapping one Triple-DES key
   with another Triple-DES key and the algorithm for wrapping one RC2
   key with another RC2 key.  These key wrap algorithms were originally
   published in section 12.6 of RFC 2630.  They are republished since
   these key wrap algorithms have been found to be useful in contexts
   beyond those supported by RFC 2630.

1  Introduction

   Management of symmetric cryptographic keys often leads to situations
   where one symmetric key is used to encrypt (or wrap) another.  Key
   wrap algorithms are commonly used in two situations.  First, key
   agreement algorithms (such as Diffie-Hellman [DH-X9.42]) generate a
   pairwise key-encryption key, and a key wrap algorithm is used to
   encrypt the content-encryption key or a multicast key with the
   pairwise key-encryption key.  Second, a key wrap algorithm is used to
   encrypt the content-encryption key, multicast key, or session key in
   a locally generated storage key-encryption key or a key-encryption
   key that was distributed out-of-band.

   This document specifies the algorithm for wrapping one Triple-DES key
   with another Triple-DES key [3DES], and it specifies the algorithm
   for wrapping one RC2 key with another RC2 key [RC2].  Encryption of a
   Triple-DES key with another Triple-DES key uses the algorithm
   specified in section 3.  Encryption of an RC2 key with another RC2 key
   uses the algorithm specified in section 4.  Both of these algorithms
   rely on the key checksum algorithm specified in section 2.
   Triple-DES and RC2 content-encryption keys are encrypted in Cipher
   Block Chaining (CBC) mode [MODES].

Housley                      Informational                      [Page 1]
RFC 3217            Triple-DES and RC2 Key Wrapping        December 2001

   In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD,
   SHOULD NOT, RECOMMENDED, and MAY are to be interpreted as described
   by Scott Bradner in [STDWORDS].

2  Key Checksum

   The key checksum algorithm is used to provide a key integrity check
   value.  The algorithm is:

   1. Compute a 20 octet SHA-1 [SHA1] message digest on the key that is
      to be wrapped.
   2. Use the most significant (first) eight octets of the message
      digest value as the checksum value.

3  Triple-DES Key Wrapping and Unwrapping

   This section specifies the algorithms for wrapping and unwrapping one
   Triple-DES key with another Triple-DES key [3DES].

   The same key wrap algorithm is used for both Two-key Triple-DES and
   Three-key Triple-DES keys.  When a Two-key Triple-DES key is to be
   wrapped, a third DES key with the same value as the first DES key is
   created.  Thus, all wrapped Triple-DES keys include three DES keys.
   However, a Two-key Triple-DES key MUST NOT be used to wrap a
   Three-key Triple-DES key that is comprised of three unique DES keys.

3.1  Triple-DES Key Wrap

   The Triple-DES key wrap algorithm encrypts a Triple-DES key with a
   Triple-DES key-encryption key.  The Triple-DES key wrap algorithm is:

   1. Set odd parity for each of the DES key octets comprising the
      Three-Key Triple-DES key that is to be wrapped, call the result
      CEK.
   2. Compute an 8 octet key checksum value on CEK as described above in
      Section 2, call the result ICV.
   3. Let CEKICV = CEK || ICV.
   4. Generate 8 octets at random, call the result IV.
   5. Encrypt CEKICV in CBC mode using the key-encryption key.  Use the
      random value generated in the previous step as the initialization
      vector (IV).  Call the ciphertext TEMP1.
   6. Let TEMP2 = IV || TEMP1.
   7. Reverse the order of the octets in TEMP2.  That is, the most
      significant (first) octet is swapped with the least significant
      (last) octet, and so on.  Call the result TEMP3.
   8. Encrypt TEMP3 in CBC mode using the key-encryption key.  Use an
      initialization vector (IV) of 0x4adda22c79e82105.  The ciphertext
      is 40 octets long.
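   The following Go program is an added worked example of the section 2
   key checksum and the section 3.1 wrap steps above; it is not code
   from the RFC.  It uses only the Go standard library (crypto/des,
   crypto/cipher, crypto/sha1).  The KEK, the wrapped key and the fixed
   IV passed for reproducibility are constructed sample values, not
   test vectors from the RFC.  The Unwrap function is this example's own
   inversion of the listed steps, rejecting output whose checksum (ICV)
   or DES parity fails; the RFC's own unwrap procedure is in a later
   section not shown on this page.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
	"math/bits"
)

// Fixed IV for the second CBC pass (section 3.1, step 8).
var wrapIV = []byte{0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05}

// setOddParity gives every octet odd parity: the low bit is set exactly when
// the other seven bits hold an even number of 1s (step 1).
func setOddParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		out[i] = (b &^ 0x01) | byte(1-bits.OnesCount8(b&0xFE)%2)
	}
	return out
}

// keyChecksum implements section 2: the first 8 octets of SHA-1 over the key.
func keyChecksum(key []byte) []byte {
	sum := sha1.Sum(key)
	return sum[:8]
}

// cbc runs CBC mode without padding; in must be a multiple of 8 octets.
func cbc(block cipher.Block, iv, in []byte, encrypt bool) []byte {
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out
}

// reverseBytes swaps the first octet with the last, and so on (step 7).
func reverseBytes(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[len(b)-1-i] = v
	}
	return out
}

// Wrap runs steps 1-8 under a 24-octet KEK. With iv == nil the 8 random octets
// of step 4 come from crypto/rand; a caller-supplied IV gives reproducible output.
func Wrap(kek, key, iv []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(key) == 16 { // Two-key Triple-DES: repeat the first DES key (section 3)
		key = append(append([]byte{}, key...), key[:8]...)
	}
	if iv == nil { // step 4: fresh random IV
		iv = make([]byte, 8)
		_, err = rand.Read(iv)
	}
	if err != nil || len(key) != 24 || len(iv) != 8 {
		return nil, errors.New("key must be 16 or 24 octets and IV 8 octets")
	}
	cek := setOddParity(key)                           // step 1
	icv := keyChecksum(cek)                            // step 2
	cekicv := append(append([]byte{}, cek...), icv...) // step 3: CEK || ICV, 32 octets
	temp1 := cbc(block, iv, cekicv, true)              // step 5
	temp2 := append(append([]byte{}, iv...), temp1...) // step 6: IV || TEMP1, 40 octets
	return cbc(block, wrapIV, reverseBytes(temp2), true), nil // steps 7 and 8
}

// Unwrap is this example's own inversion of the wrap steps; it rejects any
// result whose ICV or DES parity does not verify.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(kek)
	if err != nil || len(wrapped) != 40 {
		return nil, errors.New("bad KEK or wrapped key length")
	}
	temp2 := reverseBytes(cbc(block, wrapIV, wrapped, false)) // undo steps 8 and 7
	iv, temp1 := temp2[:8], temp2[8:]                          // undo step 6
	cekicv := cbc(block, iv, temp1, false)                     // undo step 5
	cek, icv := cekicv[:24], cekicv[24:]
	if !bytes.Equal(icv, keyChecksum(cek)) || !bytes.Equal(cek, setOddParity(cek)) {
		return nil, errors.New("key checksum (ICV) or parity check failed")
	}
	return cek, nil
}

func main() {
	kek := []byte("kek-for-example-24bytes!") // constructed sample values, not RFC vectors
	wrapped, err := Wrap(kek, []byte("two-key-3DES-key"), nil)
	if err != nil {
		panic(err)
	}
	cek, err := Unwrap(kek, wrapped)
	fmt.Printf("wrapped: %x\nunwrapped CEK: %x (err=%v)\n", wrapped, cek, err)
}
```

   The ICV is the only integrity check in this construction, so an
   unwrap routine must compare it before handing the key to the caller;
   note that the random IV of step 4 makes two wraps of the same key
   under the same KEK produce different 40-octet outputs, while the fixed
   IV of step 8 is a constant from the specification, not a secret.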


   Note:  When the same Three-Key Triple-DES key is wrapped in different