Subject: Clarifying Key Wrapping Sections of KMIP Spec
In reviewing the Key Wrapping related sections of the KMIP Spec and Usage Guide, it's not obvious that we have accommodated the use case where a symmetric key is encrypted using a public key of an asymmetric key pair. I think some clarifying text should be added to the KMIP Spec to indicate that this is a supported use case. Also, if possible, another example showing how the Encrypt wrapping method can be used with an asymmetric public key should be added to the KMIP Usage Guide.

On a related note, it is not always clear how the Wrapping Method 'MAC/Sign' should be interpreted. From the descriptions of MAC/Sign Key Information, it appears that one would either MAC the Key Value or Sign the Key Value, but would not both MAC and Sign the Key Value. Text clarifying how this wrapping method should be interpreted should also be added to the KMIP Spec.

I've gone through the Key Wrapping related sections of the KMIP Spec and compiled a set of editorial changes that will help to clarify these two topics.

*********************************************************************

Section 2.1.3

* Line 94: Typo - please change 'Cryptogtaphic' to 'Cryptographic'

* Lines 99/100: Suggest the following revision to the sentence: The Key Block may optionally contain a Key Wrapping Data structure, which indicates that the key is wrapped (encrypted), MAC'ed, signed, wrapped and MAC'ed, or wrapped and signed.

Section 2.1.5

* Lines 117/118: Suggest the following revision to the bullet (updates include aligning wording with section 2.1.6): An Encryption Key Information with the Unique Identifier value for the encryption key, used to wrap the Key Value, and associated cryptographic parameters.

* Lines 119/120: Suggest the following revision to the bullet (updates include aligning wording with section 2.1.6): A MAC/Signature Key Information with the Unique Identifier value for the MAC'ing or signing key and associated cryptographic parameters.

* Lines 129/130: Suggest the following revision to the bullet: Encrypt only (Covers both wrapping performed using a symmetric key and wrapping performed using the public key of an asymmetric key pair. Possibly includes authenticated encryption algorithms that use a single key.)

* Line 131: Change 'MAC/sign only' to 'MAC or sign only'

* Line 132: Change 'Encrypt then MAC/sign' to 'Encrypt then MAC or sign'

* Line 133: Change 'MAC/sign then encrypt' to 'MAC or sign then encrypt'

* Table following Line 135, Encryption Key Information row: Suggest that the following note is added into the Required Field column after 'No': Corresponds to the symmetric key or the asymmetric public key used to wrap (encrypt) the Key Value.

* Table following Line 138, Unique Identifier row: Suggest the following revisions to the text in the Required Field column: Yes. It can be the Unique Identifier of the symmetric key used to MAC the Key Value or the asymmetric public key used to sign the Key Value.

Section 2.1.6

* Lines 151/152: Suggest the following revision to the bullet: An Encryption Key Information with the Unique Identifier value of the encryption key, used to wrap the Key Value, and associated cryptographic parameters.

* Table after Line 156: Suggest that you include the same notes in the Required Field column for Encryption Key Information and MAC/Signature Key Information as appear in the table following Line 135. (See comment above for the added text for the Encryption Key Information row.)

Section 9.1.3.2.3

* Table following Line 1575: Change instances of 'MAC/sign' to 'MAC or sign'

*********************************************************************

For convenience I've also attached a Word document which includes the direct edits to the affected sections of the KMIP Spec.

<<KMIPEditsforKeyWrap.doc>>

Judy

Judith Furlong | Principal Product Manager | EMC Product Security Office | RSA - The Security Division of EMC | t: 508 249 3698 | f: 508 249 6107 | e: Furlong_Judith@emc.com