Key Wrapping and Unwrapping in Message Authentication CODE

 Background  

This uses AES or triple DES as the underlying encryption algorithm. The purpose of key wrapping is to securely exchange a symmetric key to be shared by two parties using a symmetric key already by those parties. The latter key is called a key encryption key (kek).

The Key Wrapping Algorithm

The key wrapping algorithm operates on blocks of 64 bits. The input to the algorithm consists a 64-bit constant, discussed subsequently, and a plaintext key that is divided into blocks of 64 bits. We use the following notation:

MSB64(W) = most significant 64 bits of W.

LSB64(W) = least significant 64 bits of W.

W = temporary value; output of encryption function

|| = concatenation

K = key encryption key

n = number of 64-bit key data blocks.

s = number of stages in the wrapping process; s = 6n

Pi = ith plaintext key data block; 1<=i<=n

Ci = ith ciphertext data block; 0<=i<=n

A(t) = 64-bit integrity check register after encryption stage t; 1<=t<=s

A(0) = initial integrity check value (ICV); in hexadecimal: A6A6A6A6A6A6A6A6

R(t,i) = 64-bit register i after encryption stage t; 1<=t<=s; 1<=i<=n

We now describe the key wrapping algorithm:

Inputs : Plaintext, n 64-bit values (P1, P2, P3,----,Pn) ; Key Encryption Key, K

Outputs : Ciphertext, (n+1) 64-bit values (C0,C1,C2,…,Cn)

1. Initialize variables

     A(0) = A6A6A6A6A6A6A6A6

         for i = 1 to n

            R(0, i) = Pi

2. Calculate intermediate values

     for t=1 to s

     W = E(K, [A(t-1) || R(t-1, 1)])

     A(t) = t xor MSB64(W)

     R(t,n) = LSB64(W)

     for i = 1 to n-1

           R(t, i) = R(t-1, i+1)

3. Output results

     C0 = A(s)

     for i = 1 to n

     Ci = R(s, i)

Here Fig.1 explains the key wrapping operation on 256-bit key value. 


Fig. 1: Key Wrapping Operation for 256-bit Key

If we want to see the the key operation at t step then don't be panic see the below Fig. 2. Your doubt will be clear. 😇


Fig. 2 : Key Wrapping Operation for 256-Bit key: Stage t

Note 1 : Ciphertext is one block larger than the plaintext key to accommodate the ICV. Upon wrapping (decryption), both 64 bit ICV and plaintext key are recovered. If recovered ICV differs from the input value of hexadecimal A6A6A6A6A6A6A6A6, then an error on alteration has been detected and the plaintext key is rejected. 

Key Unwrapping 

The key Unwrapping algorithm can be defined as follows:

Inputs : Ciphertext, (n+1) 64-bit values (C0,C1,C2,---Cn) ; Key encryption Key, K

Outputs : Plaintext, n 64-bit values (P1,P2,----,Pn), ICV

1. Initialize variables

     A(s) = C0

         for i = 1 to n

            R(s, i) = Ci

2. Calculate intermediate values

     for t = s to 1

     W = D(K, [A(t) xor t) || R(t, n)])

     A(t-1) = MSB64(W)

     R(t-1,1) = LSB64(W)

     for i = 2 to n

           R(t-1, i) = R(t, i-1)

3. Output results

     if A(0) = A6A6A6A6A6A6A6A6

     then

         for i  = 1 to n

             P(i) = R(0, i)

     else

         return error

*************************************************************************************************************

Comments

Post a Comment

Popular posts from this blog

Homomorphic Encryption: A Basic Idea

Image
Homomorphic encryption has the same aim as other encryption-decryption mechanisms: maintaining confidentiality, security, privacy, etc.  In this blog, we will see homomorphic encryption and its type.  Homomorphic Encryption (HE):  It is an encryption that computes operations over encrypted data without decrypting it (or without the need for a secret key).  Mathematically speaking in a client-server architecture: client has message 'm' and function f. The task of client is to compute f(m). Due to computational expensiveness (maybe one of the reason) client sends encryption of message (say Enc(m)) and 'f' to the server. Server will compute function over encrypted message, that is, f(Enc(m)), and return the result to the client, that is, Enc(f(m)). Client will decrypt it Dec(Enc(f(m)), that is, f(m). Hence, client achieves f(m).  Let's understand HE with our daily life (Tea making process): Figure 1. Here m is message, Enc is encryption, f is function, and Eval in...
Read more

Fast Base Conversion and Its Application

Image
Fast Base Conversion (FBC) is a technique used to convert a number from one modulus space to another. For example, if we have 14 m o d     77 14 \mod 77  and want to convert it to x m o d     390 x \mod 390 , FBC is widely used. Mathematically, it can be represented as follows: Here, the above equation represents an integer x x  in modulus q q , and FBC converts this integer into the modulus space t t . The modulus q q  is the product of small coprime moduli (i.e., q = q 1 q 2 … q k q = q_1 q_2 \dots q_k ​ ), and x x  is an integer such that x ∈ [ 0 , q ) x \in [0, q) . We also note that q q  and t t  are coprime numbers. Here, we remark that it is not necessary for the above equation to produce the exact result for x x . Instead of x m o d     t x \mod t , it will provide x ′ m o d     t x' \mod t . Thus, the output of the above equation is as follows: FBC ( x , q , t )  =  x  +  A q  mod  t , where A ∈ [ 0 , k − 1 ] A \in [0,...
Read more

Brakerski-Fan-Vercauteren (BFV) Homomorphic Encryption

Image
Homomorphic encryption means computation over encrypted data without secret key.  How this is possible  ?? 😴 In this blog, we will explore the types of Homomorphic Encryption and demonstrate how computations can be performed on encrypted data without the secret key. In 2009, Gentry proposed Fully Homomorphic Encryption. In 2012, Brakerski proposed a leveled homomorphic encryption scheme that works over integer arithmetic, which later became known as the BFV scheme. BFV is an encryption scheme. Thus, as an encryption scheme, it is expected to be secure. To date, under certain conditions, it is assumed that the scheme is safe, and its security is based on the Learning With Errors (LWE) assumption.. Learning-with-error (LWE): Given a pair of a, b and the task is to recover secret key (s), such that b = a.s  + e  Here e is error mostly picked from gaussian distribution, and a, s are selected from Rq (known as ring module R) The above problem is HARD. The proof is not si...
Read more