> From: owner-openssl-us...@openssl.org On Behalf Of pkumarn > Sent: Monday, 19 March, 2012 09:17
> I have a requirement of wrapping a 512-bit DEK witk 256 bit > KEK. I picked up > openssl API and figured out that it provides AES_wrap_key() > to do the job. I OpenSSL's AES_{wrap,unwrap}_key does *a* key wrapping, but not the only possible one. You need to make sure the unwrap matches it (easy if you do the unwrap yourself). > wrote a small program (snippet below) to get the job done but > when i check > out the values in "dek", i see all values as zero. Not sure what i am > missing? > See below. > Also is their anyway i can extract the "IV" when i do the > reverse of above > logic using AES_unwrap_key()? > No, as with other chain modes you must transmit the IV used at encrypt to decrypt -- unless you always make it the same which should be okay here, since the wrappee (data) keys should be unique so duplicate IV (+key) doesn't risk identifying repeats as it would for more generic data. Although internally it is used differently; instead of chaining forward in both encrypt and decrypt, this decrypt (unwrap) chains backward and then verifies the IV; if it extracted the IV instead it would probably be vulnerable to some tampering attacks. > #define KEY_LEN 32 > u8 dek[KEY_LEN + 8]; > static const unsigned char default_iv[] = { > 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, > }; > > for(n = 0; n < KEY_LEN; n++) > actx.rd_key[n] = kek[n]; > I assume actx is an AES_KEY (struct aes_key_st) since you pass it to AES_wrap_key below. This is NOT how you initialize an AES_KEY structure; in fact, in general you should never directly write elements in any OpenSSL-defined structure, and usually you should avoid reading them where OpenSSL provides getters (although it doesn't do that everywhere). Use AES_set_encrypt_key (and _decrypt_ for unwrap). > /* Here KEK is got as a function parameter > Byte contains DEK key > I am able to successfully print KEK and DEK values and they > are as expected > */ > > ret = AES_wrap_key(&actx, default_iv, dek, byte, KEY_LEN - 1); > for(n = 0; n < (KEY_LEN + 8); n++) > printf(" %02x", dek[n]); // this prints all zeros > Check ret before printing or otherwise using dek[]. It can and here did indicate an error, and the output buffer isn't set. Although on checking I see these routines don't fill in the error queue like most (other) OpenSSL routines. KEY_LEN-1 is 31 bytes. You can't wrap a 31-byte value; as I said before it must be a multiple of 8 bytes. You say your requirement is 512 bits; that's 64 bytes (not 32 as your code #define's and allocates). (And as before a 512-bit key if used for a symmetric algorithm usually indicates uninformed design, but I assume that's not your responsibility.) ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org