Hi,

I've been reading this book, which I found very useful and detailed, and on page 102 , on the topic of Wrapping RSA Keys, it is said that we do not need a specific wrapping mechanism for RSA key wrapping, since "Unlike the situation with symmetric keys where getEncoded() method returns just bytes making up the key,in the case of an assymetric key, there is quite a lot of structural information in the encoding of the key in addition to the key material. .... If you attempt to use unwrap() on assymetric key with the wrong secret key, it will fail badly..."

Now I've got some questions regarding this , would be glad if anyone could help

1) Despite what is said I tried to modify the example to make use of AESWrap, changing the line
  Cipher cipher = Cipher.getInstance("AES/ECB/PKCS7Padding", "BC");
  to
  Cipher cipher = Cipher.getInstance("AESWrap", "BC");

 but it gives error saying "wrap data must be a multiple of 8 bytes"

  So in the book it is said " we do not need to use a specific wrapping mechanism " , but it seems we even can not (and must not?), or is there any way to specify padding for AESWrap ? since it seems to be padding issue

2) in chapter 2 , when doing symmetric key wrapping, we initialize the cipher as
  Cipher cipher = Cipher.getInstance("AESWrap", "BC");
  and then call wrap(), after that (for demonstration purpose, as is mentioned in one of the threads on this forum) we decrypt the wrapped key using AES/ECB/NoPadding with cipher set to decrypt mode, by calling doFinal() and passing the result to SecretKeySpec.

  In chapter 4, on the other hand, we use wrap() method, even if we initialized the cipher to "AES/ECB/PCKS7Padding" with the cipher mode set to WRAP.

  So my question is : could we use unwrap() method back in chapter 2 also with cipher initialized to "AES/ECB/NoPadding" with cipher mode set to UNWRAP ?

3) my last question is regarding the quote given in the beginning of the message, that does not seem too clear. Is the wrapping mechanism mandatory (or suggested) in case of symmetric key just because the key is raw bytes, and if that's the case what advantage does the structural information in the encoding of the asymmetric key brings, so that we do not need the special wrapping mechanism there ?

And what exactly "fail badly" supposed to mean here ? if we use wrong key to unwrap symmetric key will it not "fail badly" too ?

Sincerely
Ray

The AESWrap algorithm is specifically designed for AES keys and is documented in RFC 3394. ECB mode AES is quite different, as page 52 mentions, the purpose built key wrapping algorithm includes an integrity check, and yes, if you use a purpose built wrapping mechanism it will fail badly if the key used to unwrap is wrong - the reason for this is the integrity check. The use of ECB mode is simply to demonstrate the underlying process used to wrap and unwrap a key by turning it back into a key spec.

In the case of an asymmetric key the key data is presented as an ASN.1 encoded blob, consequently almost any attempt to decrypt it using the wrong symmetric key will result in a badly encoded blob which will fail to turn back into the original key.

Regards,

David

Thanks for prompt response,

AESWRap is to wrap AES keys only ?

So I understand that we can not wrap DES key for example using AESWrap, but AES only (different key sizes are possible I presume).

But does AESWrap implies that the key the cipher should use for wrapping should also be AES key ?

in short, on page 52, both the wrapping and to-be-wrapped keys are AES keys (though different sizes), does it have to be this way as a rule ?

Thanks

Sincerely
Ray

P.S : tiny typo mistake in chapter 3 Utils class code : method createKeyForAES(int bitLength, SecureRandom random) uses constant value of 256 instead of parameter passed (bitLength) for key generation.

AES Wrap can be used to wrap keys of 128, 192, and 256 bits. You'll find the full details in RFC 3394.

http://www.ietf.org/rfc/rfc3394.txt

Thanks for pointing out the typo.

Regards,

David