> From: owner-openssl-us...@openssl.org On Behalf Of pkumarn
> Sent: Monday, 19 March, 2012 09:17
> I have a requirement of wrapping a 512-bit DEK witk 256 bit
> KEK. I picked up
> openssl API and figured out that it provides AES_wrap_key()
> to do the job. I
OpenSSL's AES_{wrap,unwrap}_key does *a* key wrapping,
but not the only possible one. You need to make sure the
unwrap matches it (easy if you do the unwrap yourself).
> wrote a small program (snippet below) to get the job done but
> when i check
> out the values in "dek", i see all values as zero. Not sure what i am
> missing?
>
See below.
> Also is their anyway i can extract the "IV" when i do the
> reverse of above
> logic using AES_unwrap_key()?
>
No, as with other chain modes you must transmit the IV used
at encrypt to decrypt -- unless you always make it the same
which should be okay here, since the wrappee (data) keys
should be unique so duplicate IV (+key) doesn't risk
identifying repeats as it would for more generic data.
Although internally it is used differently; instead of
chaining forward in both encrypt and decrypt, this decrypt
(unwrap) chains backward and then verifies the IV;
if it extracted the IV instead it would probably be
vulnerable to some tampering attacks.
> #define KEY_LEN 32
> u8 dek[KEY_LEN + 8];
> static const unsigned char default_iv[] = {
> 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
> };
>
> for(n = 0; n < KEY_LEN; n++)
> actx.rd_key[n] = kek[n];
>
I assume actx is an AES_KEY (struct aes_key_st) since you
pass it to AES_wrap_key below. This is NOT how you initialize
an AES_KEY structure; in fact, in general you should never
directly write elements in any OpenSSL-defined structure,
and usually you should avoid reading them where OpenSSL
provides getters (although it doesn't do that everywhere).
Use AES_set_encrypt_key (and _decrypt_ for unwrap).
> /* Here KEK is got as a function parameter
> Byte contains DEK key
> I am able to successfully print KEK and DEK values and they
> are as expected
> */
>
> ret = AES_wrap_key(&actx, default_iv, dek, byte, KEY_LEN - 1);
> for(n = 0; n < (KEY_LEN + 8); n++)
> printf(" %02x", dek[n]); // this prints all zeros
>
Check ret before printing or otherwise using dek[]. It can
and here did indicate an error, and the output buffer isn't set.
Although on checking I see these routines don't fill in
the error queue like most (other) OpenSSL routines.
KEY_LEN-1 is 31 bytes. You can't wrap a 31-byte value;
as I said before it must be a multiple of 8 bytes.
You say your requirement is 512 bits; that's 64 bytes
(not 32 as your code #define's and allocates).
(And as before a 512-bit key if used for a symmetric
algorithm usually indicates uninformed design, but
I assume that's not your responsibility.)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
