## Triple-DES and RC2 Key Wrapping

RFC 3217

Document | Type | RFC - Informational (December 2001; Errata) | |
---|---|---|---|

Author | Russ Housley | ||

Last updated | 2020-01-21 | ||

Stream | Internent Engineering Task Force (IETF) | ||

Formats | plain text html pdf htmlized (tools) htmlized with errata bibtex | ||

Stream | WG state | (None) | |

Document shepherd | No shepherd assigned | ||

IESG | IESG state | RFC 3217 (Informational) | |

Consensus Boilerplate | Unknown | ||

Telechat date | |||

Responsible AD | (None) | ||

Send notices to | (None) |

Network Working Group R. Housley Request for Comments: 3217 RSA Laboratories Category: Informational December 2001 Triple-DES and RC2 Key Wrapping Status of this Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved. Abstract This document specifies the algorithm for wrapping one Triple-DES key with another Triple-DES key and the algorithm for wrapping one RC2 key with another RC2 key. These key wrap algorithms were originally published in section 12.6 of RFC 2630. They are republished since these key wrap algorithms have been found to be useful in contexts beyond those supported by RFC 2630. 1 Introduction Management of symmetric cryptographic keys often leads to situations where one symmetric key is used to encrypt (or wrap) another. Key wrap algorithms are commonly used in two situations. First, key agreement algorithms (such as Diffie-Hellman [DH-X9.42]) generate a pairwise key-encryption key, and a key wrap algorithm is used to encrypt the content-encryption key or a multicast key with the pairwise key-encryption key. Second, a key wrap algorithm is used to encrypt the content-encryption key, multicast key, or session key in a locally generated storage key-encryption key or a key-encryption key that was distributed out-of-band. This document specifies the algorithm for wrapping one Triple-DES key with another Triple-DES key [3DES], and it specifies the algorithm for wrapping one RC2 key with another RC2 key [RC2]. Encryption of a Triple-DES key with another Triple-DES key uses the algorithm specified in section 3. Encryption of a RC2 key with another RC2 key uses the algorithm specified in section 4. Both of these algorithms rely on the key checksum algorithm specified in section 2. Triple- DES and RC2 content-encryption keys are encrypted in Cipher Block Chaining (CBC) mode [MODES]. Housley Informational [Page 1] RFC 3217 Triple-DES and RC2 Key Wrapping December 2001 In this document, the key words MUST, MUST NOT, REQUIRED, SHOULD, SHOULD NOT, RECOMMENDED, and MAY are to be interpreted as described by Scott Bradner in [STDWORDS]. 2 Key Checksum The key checksum algorithm is used to provide a key integrity check value. The algorithm is: 1. Compute a 20 octet SHA-1 [SHA1] message digest on the key that is to be wrapped. 2. Use the most significant (first) eight octets of the message digest value as the checksum value. 3 Triple-DES Key Wrapping and Unwrapping This section specifies the algorithms for wrapping and unwrapping one Triple-DES key with another Triple-DES key [3DES]. The same key wrap algorithm is used for both Two-key Triple-DES and Three-key Triple-DES keys. When a Two-key Triple-DES key is to be wrapped, a third DES key with the same value as the first DES key is created. Thus, all wrapped Triple-DES keys include three DES keys. However, a Two-key Triple-DES key MUST NOT be used to wrap a Three- key Triple-DES key that is comprised of three unique DES keys. 3.1 Triple-DES Key Wrap The Triple-DES key wrap algorithm encrypts a Triple-DES key with a Triple-DES key-encryption key. The Triple-DES key wrap algorithm is: 1. Set odd parity for each of the DES key octets comprising the Three-Key Triple-DES key that is to be wrapped, call the result CEK. 2. Compute an 8 octet key checksum value on CEK as described above in Section 2, call the result ICV. 3. Let CEKICV = CEK || ICV. 4. Generate 8 octets at random, call the result IV. 5. Encrypt CEKICV in CBC mode using the key-encryption key. Use the random value generated in the previous step as the initialization vector (IV). Call the ciphertext TEMP1. 6. Let TEMP2 = IV || TEMP1. 7. Reverse the order of the octets in TEMP2. That is, the most significant (first) octet is swapped with the least significant (last) octet, and so on. Call the result TEMP3. 8. Encrypt TEMP3 in CBC mode using the key-encryption key. Use an initialization vector (IV) of 0x4adda22c79e82105. The ciphertext is 40 octets long. Housley Informational [Page 2] RFC 3217 Triple-DES and RC2 Key Wrapping December 2001 Note: When the same Three-Key Triple-DES key is wrapped in different key-encryption keys, a fresh initialization vector (IV) must be generated for each invocation of the key wrap algorithm. 3.2 Triple-DES Key Unwrap The Triple-DES key unwrap algorithm decrypts a Triple-DES key using aShow full document text