- From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
- Date: Tue, 30 Oct 2001 20:21:49 +0100
- To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
- Cc: XML Encryption WG <xml-encryption@w3.org>, Joseph Reagle <reagle@w3.org>
Hi Donald, --On Dienstag, 30. Oktober 2001 12:16 -0500 "Donald E. Eastlake 3rd" <dee3@torque.pothole.com> wrote: >> in [1], I did not find any information about what padding mechanism we >> use? PKCS7/PKCS5? > > This depends on which algorithm you are talking about. > > For TripleDES, and AES, I suppose we should continue to go with > whatever S/MIME does / will do. That exactly was my question. Especially, how do we pad "payload" inside an xenc:EncryptedData/xenc:CipherData element which is encrypted using #tripledes-cbc and #aesXXX-cbc. In chapter 5.1 Algorithm IDs, we make a distinction between "Block encryption" and "Symmetric KeyWrap" algorithms. It's obvious (but not stated explicitly if I'm right) that "Block encryption" refers to encrypting xenc:EncryptedData and that "Symmetric KeyWrap" is used for encrypting xenc:EncryptedKey. When we use EncryptedData to encrypt arbirary data which is in most cases not a multiple of 64 bit, we have to define a padding mechanism for block encryption. But even if we're talking about symmetric key wrap, there is no assurance that the wrapped key inside an EncryptedKey is a multiple of 64 bit. If I only used algorithms explicitly mentioned in the spec, it's not a problem. But we define a syntax for using stream ciphers which do not necessarily have a 64x key length, and user-defined block algorithms could be scalable, too. So we need padding for KeyWrap, too. > For key transport, the padding is explicitly given for RSA 1.5. It's > complicated for RSA-OAEP but is given in the referenced RFC. Yes, the padding for key transport is defined. > For Symmetric Key Wrap, the normal case of a TripleDES wrap of a > TripleDES key or any key that is a multile of 64 bit (i.e., all AES > keys) needs no padding and one would assume that NSA will define > appropriate padding for AES wrapping of AES keys. Since a TripleDES > key is the same size (192 bits) as an allowed AES key, it will > presumably be possible to AES wrap it like a 192 bit AES key. However, > I suppose, that we should either restrict TripleDES wrapping to keys > that are a multiple of 64 bits or say how to pad other lengths. For > AES, I'd prefer not to change any text until we see the NSA > recommendation. See above. Best regards, Christian
Received on Tuesday, 30 October 2001 14:19:26 UTC