Re: CMS-12 Error???

Russ Housley <housley@spyrus.com> Fri, 09 April 1999 14:52 UTC

Message-Id: <4.1.19990409095018.0092eb80@mail.spyrus.com>
Date: Fri, 09 Apr 1999 09:56:06 -0400
To: Dr Stephen Henson <drh@celocom.com>
From: Russ Housley <housley@spyrus.com>
Subject: Re: CMS-12 Error???
Cc: "ietf-smime@imc.org" <ietf-smime@imc.org>
In-Reply-To: <370B924B.D339C918@celocom.com>
References: <4.1.19990407093601.00a34ec0@mail.spyrus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-ietf-smime@imc.org
Precedence: bulk

Steve:

The X942-07 draft specifies how to generate RC2 KEKs of any length.  It
uses 40 bits and 128 bits ans the explicit examples.  CMS-12 syas that RC2
KEKs must be 128 bits.

I still do not see a problem.

Russ


At 06:13 PM 4/7/99 +0100, Dr Stephen Henson wrote:
>Russ Housley wrote:
>> 
>> Steve:
>> 
>> CMS-12, Section 12.3.1 says:
>>    For key agreement of RC2 key-encryption keys, 128 bits must be
>>    generated as input to the key expansion process used to compute the
>>    RC2 effective key [RC2].
>> 
>> X942-07, Section 2.1.3 says:
>>    ... For RC2-128, which
>>    requires 128 bits of keying material, the algorithm is run once, with
>>    a counter value of 1, and the left-most 128 bits are directly con-
>>    verted to an RC2 key. Similarly, for RC2-40, which requires 40 bits
>>    of keying material, the algorithm is run once, with a counter value
>>    of 1, and the leftmost 40 bits are used as the key.
>> 
>> X942-07, Section 2.1.4 says:
>>    RC2 effective key lengths are equal to RC2 real key lengths.
>> 
>> I think that we are consistent.  CMS-12 is simply mandating that RC2 KEKs
>> be 128-bit keys, and X942-07 says that the effective key length cannot be
>> used to weaken the key.
>> 
>> Okay?
>> 
>
>Hmmm I'm not so sure of this myself. I'm may have messed up the
>interpretation here, in which case apologies in advance, but...
>
>X942-07 2.1.4 appears to be saying that the effective key length and
>real key length for RC2 are the same when used as a KEK algorithm. For
>example 40 bit RC2 would have an effective key length of 40 bits and
>have a real key length of 40 bits.
>
>CMS 12.3.1 says 128 bits of keying material must be generated for RC2
>when used as a KEK algorithm.
>
>Combine the two and I'd interpret this to mean that the effective key
>length of RC2 (and thus the actual key length) must be 128 bits when
>used as a KEK algorithm. That is only 128 bit RC2 can be used as a KEK
>algorithm.
>
>That in itself isn't a problem but CMS 12.3.2 says:
>
>12.3.3.2  RC2 Key Wrap
>
>   RC2 key encryption has the algorithm identifier:
>
>      id-alg-CMSRC2wrap OBJECT IDENTIFIER ::= { iso(1) member-body(2)
>          us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) alg(3) 7 }
>
>   The AlgorithmIdentifier parameter field must be RC2wrapParameter:
>
>      RC2wrapParameter ::= RC2ParameterVersion
>
>      RC2ParameterVersion ::= INTEGER
>
>   The RC2 effective-key-bits (key size) greater than 32 and less than
>   256 is encoded in the RC2ParameterVersion.  For the effective-key-
>   bits of 40, 64, and 128, the rc2ParameterVersion values are 160, 120,
>   and 58 respectively.  These values are not simply the RC2 key length.
>   Note that the value 160 must be encoded as two octets (00 A0),
>   because the one octet (A0) encoding represents a negative number.
>
>This seems to suggest that RC2 can be used as a KEK algorithm with
>effective key lengths other than 128 bits.
>
>Steve.
>-- 
>Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
>Personal Email: shenson@drh-consultancy.demon.co.uk 
>Senior crypto engineer, Celo Communications: http://www.celocom.com/
>Core developer of the   OpenSSL project: http://www.openssl.org/
>Business Email: drh@celocom.com PGP key: via homepage.
>

CMS-12 Error??? Russ Housley
Re: CMS-12 Error??? Dr Stephen Henson
Re: CMS-12 Error??? Russ Housley