Network Working Group                                         R. Housley
Request for Comments: 5649                                Vigil Security
Category: Informational                                       M. Dworkin
                                                                    NIST
                                                             August 2009
        

Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm

Abstract

This document specifies a padding convention for use with the AES Key Wrap algorithm specified in RFC 3394. This convention eliminates the requirement that the length of the key to be wrapped be a multiple of 64 bits, allowing a key of any practical length to be wrapped.

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright and License Notice

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License.

1. Introduction

Management of cryptographic keys often leads to situations where one symmetric key is used to encrypt and integrity-protect another key, which can be either a symmetric key or an asymmetric key. The operation is often called key wrapping.

This document specifies an extension of the Advanced Encryption Standard (AES) Key Wrap algorithm [AES-KW1, AES-KW2]. Without this extension, the input to the AES Key Wrap algorithm, called the key data, must be a sequence of two or more 64-bit blocks.

The AES Key Wrap with Padding algorithm can be used to wrap a key of any practical size with an AES key. The AES key-encryption key (KEK) must be 128, 192, or 256 bits. The input key data may be as short as one octet, which will result in an output of two 64-bit blocks (or 16 octets). Although the AES Key Wrap algorithm does not place a maximum bound on the size of the key data that can be wrapped, this extension does so. The use of a 32-bit fixed field to carry the octet length of the key data bounds the size of the input at 2^32 octets. Most systems will have other factors that limit the practical size of key data to much less than 2^32 octets.

A message length indicator (MLI) is defined as part of an "Alternative Initial Value" in keeping with the statement in Section 2.2.3.2 of [AES-KW1], which says:

Also, if the key data is not just an AES key, it may not always be a multiple of 64 bits. Alternative definitions of the initial value can be used to address such problems.

2. Notation and Definitions

The following notation is used in the algorithm descriptions:

   MSB(j, W)   Return the most significant j bits of W
   LSB(j, W)   Return the least significant j bits of W
   ENC(K, B)   AES Encrypt the 128-bit block B using key K
   DEC(K, B)   AES Decrypt the 128-bit block B using key K
   V1 | V2     Concatenate V1 and V2
   K           The key-encryption key
   m           The number of octets in the key data
   n           The number of 64-bit blocks in the padded key data
   Q[i]        The ith plaintext octet in the key data
   P[i]        The ith 64-bit plaintext block in the padded key data
   C[i]        The ith 64-bit ciphertext data block
   A           The 64-bit integrity check register

3. Alternative Initial Value

The Alternative Initial Value (AIV) required by this specification is a 32-bit constant concatenated to a 32-bit MLI. The constant is (in hexadecimal) A65959A6 and occupies the high-order half of the AIV. Note that this differs from the high order 32 bits of the default IV in Section 2.2.3.1 of [AES-KW1], so there is no ambiguity between the two. The 32-bit MLI, which occupies the low-order half of the AIV, is an unsigned binary integer equal to the octet length of the plaintext key data, in network order -- that is, with the most significant octet first. When the MLI is not a multiple of 8, the key data is padded on the right with the least number of octets sufficient to make the resulting octet length a multiple of 8. The value of each padding octet shall be 0 (eight binary zeros).

Notice that for a given number of 64-bit plaintext blocks, there are only eight values of MLI that can have that outcome. For example, the only MLI values that are valid with four 64-bit plaintext blocks are 32 (with no padding octets), 31 (with one padding octet), 30, 29, 28, 27, 26, and 25 (with seven padding octets). When the unwrapping process specified below yields n 64-bit blocks of output data and an AIV, the eight valid values for the MLI are 8*n, (8*n)-1, ..., and (8*n)-7. Therefore, integrity checking of the AIV, which is contained in a 64-bit register called A, requires the following steps:

1) Check that MSB(32,A) = A65959A6.

2) Check that 8*(n-1) < LSB(32,A) <= 8*n. If so, let MLI = LSB(32,A).

3) Let b = (8*n)-MLI, and then check that the rightmost b octets of the output data are zero.

If all three checks pass, then the AIV is valid. If any of the checks fail, then the AIV is invalid and the unwrapping operation must return an error.

4. Specification of the AES Key Wrap with Padding Algorithm

The AES Key Wrap with Padding algorithm consists of a wrapping process and an unwrapping process, both based on the AES codebook [AES]. It provides an extension to the AES Key Wrap algorithm [AES-KW1, AES-KW2] that eliminates the requirement that the length of the key to be wrapped be a multiple of 64 bits. The next two sections specify the wrapping and unwrapping processes, called the extended key wrapping process and the extended key unwrapping process, respectively. These names distinguish these processes from the ones specified in [AES-KW1] and [AES-KW2].

4.1. Extended Key Wrapping Process

The inputs to the extended key wrapping process are the KEK and the plaintext to be wrapped. The plaintext consists of between one and 2^32 octets, containing the key data being wrapped. The key wrapping process is described below.

Inputs: Plaintext, m octets {Q[1], Q[2], ..., Q[m]}, and Key, K (the KEK).

Outputs: Ciphertext, (n+1) 64-bit values {C[0], C[1], ..., C[n]}.

1) Append padding

If m is not a multiple of 8, pad the plaintext octet string on the right with octets {Q[m+1], ..., Q[r]} of zeros, where r is the smallest multiple of 8 that is greater than m. If m is a multiple of 8, then there is no padding, and r = m.

Set n = r/8, which is the same as CEILING(m/8).

   For i = 1, ..., n
      j = 8*(i-1)
      P[i] = Q[j+1] | Q[j+2] | ... | Q[j+8].

2) Wrapping

If the padded plaintext contains exactly eight octets, then prepend the AIV as defined in Section 3 above to P[1] and encrypt the resulting 128-bit block using AES in ECB mode [Modes] with key K (the KEK). In this case, the output is two 64-bit blocks C[0] and C[1]:

C[0] | C[1] = ENC(K, A | P[1]).

Otherwise, apply the wrapping process specified in Section 2.2.1 of [AES-KW2] to the padded plaintext {P[1], ..., P[n]} with K (the KEK) and the AIV as defined in Section 3 above as the initial value. The result is n+1 64-bit blocks {C[0], C[1], ..., C[n]}.

4.2. Extended Key Unwrapping Process

The inputs to the extended key unwrapping process are the KEK and (n+1) 64-bit ciphertext blocks consisting of a previously wrapped key. If the ciphertext is a validly wrapped key, then the unwrapping process returns n 64-bit blocks of padded plaintext, which are then mapped in this extension to m octets of decrypted key data, as indicated by the MLI embedded in the AIV.

Inputs: Ciphertext, (n+1) 64-bit blocks {C[0], C[1], ..., C[n]}, and Key, K (the KEK).

Outputs: Plaintext, m octets {Q[1], Q[2], ..., Q[m]}, or an error.

1) Key unwrapping

When n is one (n=1), the ciphertext contains exactly two 64-bit blocks (C[0] and C[1]), and they are decrypted as a single AES block using AES in ECB mode [Modes] with K (the KEK) to recover the AIV and the padded plaintext key:

A | P[1] = DEC(K, C[0] | C[1]).

Otherwise, apply Steps 1 and 2 of the unwrapping process specified in Section 2.2.2 of [AES-KW2] to the n+1 64-bit ciphertext blocks, {C[0], C[1], ..., C[n]}, and to the KEK, K. Define the padded plaintext blocks, {P[1], ..., P[n]}, as specified in Step 3 of that process, with A[0] as the A value. Note that checking "If A[0] is an appropriate value" is slightly delayed to Step 2 below since the padded plaintext is needed to perform this verification when the AIV is used.

2) AIV verification

Perform the three checks described in Section 3 above on the padded plaintext and the A value. If any of the checks fail, then return an error.

3) Remove padding

Let m = the MLI value extracted from A.

Let P = P[1] | P[2] | ... | P[n].

      For i = 1, ... , m
       Q[i] = LSB(8, MSB(8*i, P))
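
The extended wrapping and unwrapping processes of Sections 4.1 and 4.2, with the three AIV checks of Section 3, written out as an added Go example; it is not part of the RFC text. The names Wrap, Unwrap, ErrUnwrap, aivConst and roundTrip are chosen here, and main runs the KEK and key data of the second example in Section 6.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const aivConst uint32 = 0xA65959A6 // high-order half of the AIV (Section 3)

var ErrUnwrap = errors.New("aeskwp: unwrap failed") // returned for any failed check

// Wrap implements the extended key wrapping process (Section 4.1).
func Wrap(kek, key []byte) ([]byte, error) {
	c, err := aes.NewCipher(kek) // accepts only 128-, 192- or 256-bit KEKs
	if err != nil || len(key) < 1 || uint64(len(key)) > 0xFFFFFFFF {
		return nil, fmt.Errorf("aeskwp: bad KEK or key data length (%v)", err)
	}
	m, n := len(key), (len(key)+7)/8
	buf := make([]byte, 8+8*n) // A | P[1..n]; the unused tail is the zero padding
	binary.BigEndian.PutUint32(buf, aivConst)
	binary.BigEndian.PutUint32(buf[4:], uint32(m)) // MLI in network order
	copy(buf[8:], key)
	if n == 1 {
		c.Encrypt(buf, buf) // one AES block: C[0] | C[1] = ENC(K, A | P[1])
		return buf, nil
	}
	a, b := buf[:8], make([]byte, 16)
	for j := 0; j < 6; j++ { // RFC 3394 wrapping with the AIV as initial value
		for i := 1; i <= n; i++ {
			r := buf[8*i : 8*i+8]
			copy(b, a)
			copy(b[8:], r)
			c.Encrypt(b, b)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(b)^uint64(n*j+i))
			copy(r, b[8:])
		}
	}
	return buf, nil
}

// Unwrap implements the extended key unwrapping process (Section 4.2).
func Unwrap(kek, ct []byte) ([]byte, error) {
	c, err := aes.NewCipher(kek)
	if err != nil || len(ct) < 16 || len(ct)%8 != 0 {
		return nil, ErrUnwrap
	}
	n := len(ct)/8 - 1
	buf := append([]byte(nil), ct...) // work on a copy of the ciphertext
	a, b := buf[:8], make([]byte, 16)
	if n == 1 {
		c.Decrypt(buf, buf) // A | P[1] = DEC(K, C[0] | C[1])
	}
	for j := 5; j >= 0 && n > 1; j-- { // RFC 3394 unwrapping, steps 1 and 2
		for i := n; i >= 1; i-- {
			r := buf[8*i : 8*i+8]
			binary.BigEndian.PutUint64(b, binary.BigEndian.Uint64(a)^uint64(n*j+i))
			copy(b[8:], r)
			c.Decrypt(b, b)
			copy(a, b[:8])
			copy(r, b[8:])
		}
	}
	mli := uint64(binary.BigEndian.Uint32(a[4:]))
	if binary.BigEndian.Uint32(a) != aivConst || // check 1: constant half of A
		mli <= uint64(8*(n-1)) || mli > uint64(8*n) { // check 2: MLI range
		return nil, ErrUnwrap
	}
	for _, x := range buf[8+mli:] { // check 3: the b padding octets are zero
		if x != 0 {
			return nil, ErrUnwrap
		}
	}
	return buf[8 : 8+mli], nil // remove padding: the first m octets of P
}

// roundTrip wraps hex-encoded key data, unwraps the result and reports both.
func roundTrip(kekHex, keyHex string) string {
	kek, _ := hex.DecodeString(kekHex)
	key, _ := hex.DecodeString(keyHex)
	ct, _ := Wrap(kek, key)
	pt, err := Unwrap(kek, ct)
	return fmt.Sprintf("wrap=%x unwrap=%x err=%v", ct, pt, err)
}

func main() { fmt.Println(roundTrip("5840df6e29b02af1ab493b705bf16ea1ae8338f4dcc176a8", "466f7250617369")) }
```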
        
5. Algorithm Identifiers

Some security protocols employ ASN.1 [X.680] and employ algorithm identifiers to name cryptographic algorithms. To support these protocols, the AES Key Wrap with Padding algorithm has been assigned the following algorithm identifiers, one for each AES KEK size. The AES Key Wrap (without padding) algorithm identifiers are also included here for convenience.

      aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
                us(840) organization(1) gov(101) csor(3)
                nistAlgorithm(4) 1 }
        
      id-aes128-wrap     OBJECT IDENTIFIER ::= { aes 5 }
      id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 }
        
      id-aes192-wrap     OBJECT IDENTIFIER ::= { aes 25 }
      id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 }
        
      id-aes256-wrap     OBJECT IDENTIFIER ::= { aes 45 }
      id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 }
        

In all cases, the AlgorithmIdentifier parameter field MUST be absent.

6. Padded Key Wrap Examples

The examples in this section were generated using the index-based implementation of the AES Key Wrap algorithm along with the padding approach specified in Section 4 of this document. All values are shown in hexadecimal.

The first example wraps 20 octets of key data with a 192-bit KEK.

KEK : 5840df6e29b02af1 ab493b705bf16ea1 ae8338f4dcc176a8

Key : c37b7e6492584340 bed1220780894115 5068f738

Wrap : 138bdeaa9b8fa7fc 61f97742e72248ee 5ae6ae5360d1ae6a
     : 5f54f373fa543b6a

The second example wraps 7 octets of key data with a 192-bit KEK.

KEK : 5840df6e29b02af1 ab493b705bf16ea1 ae8338f4dcc176a8

Key : 466f7250617369

Wrap : afbeb0f07dfbf541 9200f2ccb50bb24f

7. Security Considerations

Implementations must protect the key-encryption key (KEK). Compromise of the KEK may result in the disclosure of all keys that have been wrapped with the KEK, which may lead to the compromise of all traffic protected with those wrapped keys.

The KEK must be at least as good as the keying material it is protecting.

If the KEK and wrapped key are associated with different cryptographic algorithms, the effective security provided to data protected with the wrapped key is determined by the weaker of the two algorithms. If, for example, data is encrypted with 128-bit AES and that AES key is wrapped with a 256-bit AES key, then at most 128 bits of protection is provided to the data. If, for another example, a 128-bit AES key is used to wrap a 4096-bit RSA private key, then at most 128 bits of protection is provided to any data that depends on that private key. Thus, implementers must ensure that key-encryption algorithms are at least as strong as other cryptographic algorithms employed in an overall system.

The AES Key Wrap and the AES Key Wrap with Padding algorithms use different constants in the initial value. The use of different values ensures that the recipient of padded key data cannot successfully unwrap it as unpadded key data, or vice versa. This remains true when the key data is wrapped using the AES Key Wrap with Padding algorithm but no padding is needed.

The AES Key Wrap with Padding algorithm provides almost the same amount of integrity protection as the AES Key Wrap algorithm.

A previous padding technique was specified for wrapping Hashed Message Authentication Code (HMAC) keys with AES [OLD-KW]. The technique in this document is more general; the technique in this document is not limited to wrapping HMAC keys.

In the design of some high assurance cryptographic modules, it is desirable to segregate cryptographic keying material from other data. The use of a specific cryptographic mechanism solely for the protection of cryptographic keying material can assist in this goal. The AES Key Wrap and the AES Key Wrap with Padding are such mechanisms. System designers should not use these algorithms to encrypt anything other than cryptographic keying material.

8. References
8.1. Normative References

[AES] National Institute of Standards and Technology, FIPS Pub 197: Advanced Encryption Standard (AES), 26 November 2001.

   [AES-KW1] National Institute of Standards and Technology, AES Key
             Wrap Specification, 17 November 2001.
             http://csrc.nist.gov/groups/ST/toolkit/documents/kms/
             AES_key_wrap.pdf
        

[AES-KW2] Schaad, J. and R. Housley, "Advanced Encryption Standard (AES) Key Wrap Algorithm", RFC 3394, September 2002.

[Modes] Dworkin, M., "Recommendation for Block Cipher Modes of Operation -- Methods and Techniques", NIST Special Publication 800-38A, 2001.

[X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002, Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation.

8.2. Informative References

[AES-CMS] Schaad, J., "Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS)", RFC 3565, July 2003.

[CMS-ASN] Schaad, J. and P. Hoffman, "New ASN.1 Modules for CMS and S/MIME", Work in Progress, August 2009.

[OLD-KW] Schaad, J. and R. Housley, "Wrapping a Hashed Message Authentication Code (HMAC) key with a Triple-Data Encryption Standard (DES) Key or an Advanced Encryption Standard (AES) Key", RFC 3537, May 2003.

[X.681] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002, Information Technology - Abstract Syntax Notation One: Information Object Specification.

[X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002, Information Technology - Abstract Syntax Notation One: Constraint Specification.

[X.683] ITU-T Recommendation X.683 (2002) | ISO/IEC 8824-4:2002, Information Technology - Abstract Syntax Notation One: Parameterization of ASN.1 Specifications.

9. Acknowledgments

Paul Timmel should be credited with the MLI and padding technique described in this document.

Appendix A. ASN.1 Modules

This appendix includes two ASN.1 modules. The first one makes use of the 1988 syntax, and the second one makes use of the 2002 ASN.1 syntax.

Appendix A.1 provides the normative ASN.1 definitions for the algorithm identifiers included in this specification using ASN.1 as defined in [X.680] using the 1988 ASN.1 syntax.

Appendix A.2 provides informative ASN.1 definitions for the algorithm identifiers included in this specification using ASN.1 as defined in [X.680], [X.681], [X.682], and [X.683] using the 2002 ASN.1 syntax. This appendix contains the same information as Appendix A.1; however, Appendix A.1 takes precedence in case of conflict. The content encryption and key wrap algorithm objects are defined in [CMS-ASN].

The id-aes128-wrap, id-aes192-wrap, and id-aes256-wrap algorithm identifiers are defined in [AES-CMS].

A.1. 1988 ASN.1 Module
   AESKeyWrapWithPad-88 { iso(1) member-body(2) us(840) rsadsi(113549)
     pkcs(1) pkcs-9(9) smime(16) modules(0) 47 }
        
   DEFINITIONS IMPLICIT TAGS ::=
        

BEGIN

-- EXPORTS ALL --

-- IMPORTS NONE --

-- AES information object identifiers --

   aes OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
     csor(3) nistAlgorithms(4) 1 }
        
   -- AES Key Wrap With Padding Algorithm Identifiers are to be used
   -- with the Parameter field absent
        
   id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 }
   id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 }
   id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 }
        

END

A.2. 2002 ASN.1 Module
   AESKeyWrapWithPad-02 { iso(1) member-body(2) us(840) rsadsi(113549)
     pkcs(1) pkcs-9(9) smime(16) modules(0) 48 }
        
   DEFINITIONS IMPLICIT TAGS ::=
        

BEGIN

-- EXPORTS ALL --

   IMPORTS
     AlgorithmIdentifier{}, CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS
     FROM AlgorithmInformation-2009  -- [CMS-ASN]
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-algorithmInformation-02(58) };
        
   AES-ContentEncryption CONTENT-ENCRYPTION ::= {
     cea-aes128-wrap-pad |
     cea-aes192-wrap-pad |
     cea-aes256-wrap-pad,
     ... }
        
   AES-KeyWrap KEY-WRAP ::= {
     kwa-aes128-wrap-pad |
     kwa-aes192-wrap-pad |
     kwa-aes256-wrap-pad,
     ... }
        
   SMimeCaps SMIME-CAPS ::= {
     cea-aes128-wrap-pad.&smimeCaps |
     cea-aes192-wrap-pad.&smimeCaps |
     cea-aes256-wrap-pad.&smimeCaps |
     kwa-aes128-wrap-pad.&smimeCaps |
     kwa-aes192-wrap-pad.&smimeCaps |
     kwa-aes256-wrap-pad.&smimeCaps,
     ... }
        

-- AES object identifier

   aes OBJECT IDENTIFIER ::= {
     joint-iso-itu-t(2) country(16) us(840) organization(1)
     gov(101) csor(3) nistAlgorithms(4) 1 }
        

-- Content Encryption Algorithms

   cea-aes128-wrap-pad CONTENT-ENCRYPTION ::= {
     IDENTIFIER id-aes128-wrap-pad
     PARAMS ARE absent
     SMIME-CAPS { IDENTIFIED BY id-aes128-wrap-pad } }
        
   cea-aes192-wrap-pad CONTENT-ENCRYPTION ::= {
     IDENTIFIER id-aes192-wrap-pad
     PARAMS ARE absent
     SMIME-CAPS { IDENTIFIED BY id-aes192-wrap-pad } }
        
   cea-aes256-wrap-pad CONTENT-ENCRYPTION ::= {
     IDENTIFIER id-aes256-wrap-pad
     PARAMS ARE absent
     SMIME-CAPS { IDENTIFIED BY id-aes256-wrap-pad } }
        

-- Key Wrap Algorithms

   kwa-aes128-wrap-pad KEY-WRAP ::= {
     IDENTIFIER id-aes128-wrap-pad
     PARAMS ARE absent
     SMIME-CAPS { IDENTIFIED BY id-aes128-wrap-pad } }
        
   id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 }
        
   kwa-aes192-wrap-pad KEY-WRAP ::= {
     IDENTIFIER id-aes192-wrap-pad
     PARAMS ARE absent
     SMIME-CAPS { IDENTIFIED BY id-aes192-wrap-pad } }
        
   id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 }
        
   kwa-aes256-wrap-pad KEY-WRAP ::= {
     IDENTIFIER id-aes256-wrap-pad
     PARAMS ARE absent
     SMIME-CAPS { IDENTIFIED BY id-aes256-wrap-pad } }
        
   id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 }
        

END

Authors' Addresses

   Russell Housley
   Vigil Security, LLC
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA

   EMail: housley@vigilsec.com
        

   Morris Dworkin
   National Institute of Standards and Technology
   100 Bureau Drive, Mail Stop 8930
   Gaithersburg, MD 20899-8930
   USA

   EMail: dworkin@nist.gov
        