Topic: AES Keywrap Alogrithm

I am trying to implement the key wrap AES Key Wrap Specification described in csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf

I am just trying to get the "encrypt" part to work right now with wolfSSL embedded SSL, and am using the "alternate algorithm."

The key wrap algorithm contains multiple AES encrypting iterations.  The document gives you known values for the example inputs (located at the end of the document), but I am having no success getting it to work for the first iteration.

In the key wrap document, they say:

B = AES K (A | Ri )

Which is basically saying do an AES encryption with key K on the concatenated data, A (the initialization vector) and the i-th 64 bit data block of the data.  So for the first iteration, the i-th data would be the first 64 bits of the data to be wrapped.  And then put the encrypted data in B.

I see when I call AesSetKey(...) I am passing it the Initialize Vector (A).  And when I call Aes...Encrypt(...) I do not pass it the IV.

Does the code automatically concatenate the IV onto the beginning of the data when you call Aes...Encrypt(...)?  Or do I still need to handle that concatenation myself?  If the latter, how does the IV get used in Aes...Encrypt(...)?

Also, I'm not sure which Aes...Encrypt(...) to use (CBC, CTR, GCM, etc) for this.  It says "codebook" which is another kind you apparently don't support, but it also say it isn't a good one to use on the wikipedia page.

Thanks

Share

Re: AES Keywrap Alogrithm

I dug into the code a bit and found AesEncryptDirect(...);

The only thing is that I had to enable the precomplier switch for WOLFSSL_AES_DIRECT.

Also, the functions seem to be a bit outdated because they were returning the return value from a function that returned void, in a function that returns void.

I simply removed the return in the function and everything compiles correctly and I got the right value from the AES encryption.  So, problem solved.  I think.  Unless there is some issue with me using these direct functions.  They aren't in the documentation but it appears it is just a direct call to the base AES function itself, which is used in the code, so I suspect it is fine.

Share

Re: AES Keywrap Alogrithm

Hi ctb,

Yes, the AesEncryptDirect() and AesDecryptDirect() functions just do a direct ECB-mode AES operation.  These are left out of the documentation because ECB (Electronic codebook) mode is not regarded as very secure.  If you take a look at the penguin image on the following Wikipedia page under the "ECB" section, you will see that it doesn't hide patterns very well:

https://en.wikipedia.org/wiki/Block_cip … _operation

Best Regards,
Chris

Re: AES Keywrap Alogrithm

Gotcha, Chris.

However, using this in a keywrap is still part of the DNP Secure Authentication v5 protocol, so I have to go ahead and implement it.  I think it does make it a bit more secure because the keywrap function actually used previous values to generate the IV for the next AES operation.

Share