< draft-housley-aes-key-wrap-with-pad-03.txt   draft-housley-aes-key-wrap-with-pad-04.txt >
INTERNET DRAFT R. Housley INTERNET DRAFT R. Housley
Intended Status: Informational Vigil Security Intended Status: Informational Vigil Security
M. Dworkin M. Dworkin
NIST NIST
Expires: 15 January 2010 15 June 2009 Expires: 27 February 2010 27 July 2009
Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm
<draft-housley-aes-key-wrap-with-pad-03.txt> <draft-housley-aes-key-wrap-with-pad-04.txt>
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts. groups may also distribute working documents as Internet-Drafts.
skipping to change at page 2, line 4 skipping to change at page 2, line 6
and restrictions with respect to this document. and restrictions with respect to this document.
Abstract Abstract
This document specifies a padding convention for use with the AES Key This document specifies a padding convention for use with the AES Key
Wrap algorithm specified in RFC 3394. This convention eliminates the Wrap algorithm specified in RFC 3394. This convention eliminates the
requirement that the length of the key to be wrapped is a multiple of requirement that the length of the key to be wrapped is a multiple of
64 bits, allowing a key of any practical length to be wrapped. 64 bits, allowing a key of any practical length to be wrapped.
1. Introduction 1. Introduction
Management of cryptographic keys often leads to situations where a
Management of cryptographic keys often leads to situations where one
symmetric key is used to encrypt and integrity protect another key, symmetric key is used to encrypt and integrity protect another key,
which can be either a symmetric key or an asymmetric key. The which can be either a symmetric key or an asymmetric key. The
operation is often called key wrapping. operation is often called key wrapping.
This document specifies an extension of the Advanced Encryption This document specifies an extension of the Advanced Encryption
Standard (AES) Key Wrap algorithm [AES-KW1,AES-KW2]. Without this Standard (AES) Key Wrap algorithm [AES-KW1,AES-KW2]. Without this
extension, the input to the AES Key Wrap algorithm, called the key extension, the input to the AES Key Wrap algorithm, called the key
data, must be a sequence of two or more 64-bit blocks. data, must be a sequence of two or more 64-bit blocks.
The AES Key Wrap with Padding algorithm can be used to wrap a key of The AES Key Wrap with Padding algorithm can be used to wrap a key of
any practical size with an AES key. The AES key-encryption key (KEK) any practical size with an AES key. The AES key-encryption key (KEK)
must be 128, 192, or 256 bits. The input key data may be as short as must be 128, 192, or 256 bits. The input key data may be as short as
9 octets, which will result in an output of two 64-bit blocks or 16 one octet, which will result in an output of two 64-bit blocks or 16
octets. Although the AES Key Wrap algorithm does not place a maximum octets. Although the AES Key Wrap algorithm does not place a maximum
bound on the size of the key data that can be wrapped, this extension bound on the size of the key data that can be wrapped, this extension
does so. The use of a 32-bit fixed field to carry the octet length does so. The use of a 32-bit fixed field to carry the octet length
of the key data bounds the size of the input at 2^32 octets. Most of the key data bounds the size of the input at 2^32 octets. Most
systems will have other factors that limit the practical size of key systems will have other factors that limit the practical size of key
data to much less than 2^32 octets. data to much less than 2^32 octets.
A message length indicator (MLI) is defined as part of an A message length indicator (MLI) is defined as part of an
"Alternative Initial Value" in keeping with the statement in section "Alternative Initial Value" in keeping with the statement in section
2.2.3.2 of [AES-KW1], which says: 2.2.3.2 of [AES-KW1], which says:
skipping to change at page 2, line 39 skipping to change at page 2, line 42
Also, if the key data is not just an AES key, it may not always be Also, if the key data is not just an AES key, it may not always be
a multiple of 64 bits. Alternative definitions of the initial a multiple of 64 bits. Alternative definitions of the initial
value can be used to address such problems. value can be used to address such problems.
2. Notation and Definitions 2. Notation and Definitions
The following notation is used in the algorithm descriptions: The following notation is used in the algorithm descriptions:
MSB(j, W) Return the most significant j bits of W MSB(j, W) Return the most significant j bits of W
LSB(j, W) Return the least significant j bits of W LSB(j, W) Return the least significant j bits of W
B1 | B2 Concatenate B1 and B2 ENC(K, B) AES Encrypt the 128-bit block B using key K
DEC(K, B) AES Decrypt the 128-bit block B using key K
V1 | V2 Concatenate V1 and V2
K The key-encryption key K The key-encryption key
m The number of octets in the key data m The number of octets in the key data
n The number of 64-bit blocks in the padded key data n The number of 64-bit blocks in the padded key data
Q[i] The ith plaintext octet in the key data Q[i] The ith plaintext octet in the key data
P[i] The ith 64-bit plaintext block in the padded key data P[i] The ith 64-bit plaintext block in the padded key data
C[i] The ith 64-bit ciphertext data block C[i] The ith 64-bit ciphertext data block
A The 64-bit integrity check register A The 64-bit integrity check register
3. Alternative Initial Value 3. Alternative Initial Value
The Alternative Initial Value (AIV) required by this specification is The Alternative Initial Value (AIV) required by this specification is
a 32-bit constant concatenated to a 32-bit MLI. The constant is (in a 32-bit constant concatenated to a 32-bit MLI. The constant is (in
hexadecimal) A65959A6 and occupies the high-order half of the AIV. hexadecimal) A65959A6 and occupies the high-order half of the AIV.
Note that this differs from the high order 32 bits of the default IV Note that this differs from the high order 32 bits of the default IV
in [AES-KW1] Section 2.2.3.1, so there is no ambiguity between the in [AES-KW1] Section 2.2.3.1, so there is no ambiguity between the
two. The 32-bit MLI, which occupies the low-order half of the AIV, two. The 32-bit MLI, which occupies the low-order half of the AIV,
is an unsigned binary integer equal to the octet length of the is an unsigned binary integer equal to the octet length of the
plaintext key data, in network order, that is with the most plaintext key data, in network order, that is with the most
significant octet first. When the MLI is not a multiple of 8, the significant octet first. When the MLI is not a multiple of 8, the
key data is padded on the right with the least number of octets key data is padded on the right with the least number of octets
sufficient to make a multiple of 8. The value of each padding octet sufficient to make the resulting octet length a multiple of 8. The
shall be 0 (eight binary zeros). value of each padding octet shall be 0 (eight binary zeros).
Notice that for a given number of 64-bit plaintext blocks, there are Notice that for a given number of 64-bit plaintext blocks, there are
only eight values of MLI that can have that outcome. For example, only eight values of MLI that can have that outcome. For example,
the only MLI values that are valid with four 64-bit plaintext blocks the only MLI values that are valid with four 64-bit plaintext blocks
are 32 (with no padding octets), 31 (with one padding octet), 30, 29, are 32 (with no padding octets), 31 (with one padding octet), 30, 29,
28, 27, 26, and 25 (with seven padding octets). When the AES Key 28, 27, 26, and 25 (with seven padding octets). When the unwrapping
Unwrap yields n 64-bit blocks of key data with an AIV, the eight process specified below yields n 64-bit blocks of output data and an
valid values for the MLI are 8*n, (8*n)-1, ..., and (8*n)-7. AIV, the eight valid values for the MLI are 8*n, (8*n)-1, ..., and
Therefore, the integrity check for the AIV requires the following (8*n)-7. Therefore, integrity checking of the AIV, which is
contained in a 64-bit register called A, requires the following
steps: steps:
1) Check that MSB(32,A) = A65959A6. 1) Check that MSB(32,A) = A65959A6.
2) Check that 8*(n-1) < LSB(32,A) <= 8*n. If so, let 2) Check that 8*(n-1) < LSB(32,A) <= 8*n. If so, let
MLI = LSB(32,A). MLI = LSB(32,A).
3) Let b = (8*n)-MLI, and then check that the rightmost b octets of 3) Let b = (8*n)-MLI, and then check that the rightmost b octets of
the plaintext are zero. the output data are zero.
If all three checks pass, then the AIV is valid. If any of the If all three checks pass, then the AIV is valid. If any of the
checks fail, then the AIV is invalid and the AES Key Unwrap operation checks fail, then the AIV is invalid and the unwrapping operation
must return an error. must return an error.
4. Specification of the AES Key Wrap with Padding Algorithm 4. Specification of the AES Key Wrap with Padding Algorithm
The AES Key Wrap with Padding algorithm consists of a wrapping The AES Key Wrap with Padding algorithm consists of a wrapping
process and an unwrapping process, both based on the AES codebook process and an unwrapping process, both based on the AES codebook
[AES]. It provides an extension to the AES Key Wrap algorithm [AES]. It provides an extension to the AES Key Wrap algorithm
[AES-KW1,AES-KW2] that eliminates the requirement that the length of [AES-KW1,AES-KW2] that eliminates the requirement that the length of
the key to be wrapped is a multiple of 64 bits. The next two the key to be wrapped is a multiple of 64 bits. The next two
sections specify the wrapping and unwrapping processes, called the sections specify the wrapping and unwrapping processes, called the
Extended Key Wrapping process and the Extended Key Unwrapping Extended Key Wrapping process and the Extended Key Unwrapping
process, respectively. These names distinguish these processes from process, respectively. These names distinguish these processes from
the ones specified in [AES-KW1,AES-KW2]. the ones specified in [AES-KW1,AES-KW2].
4.1. Extended Key Wrapping Process 4.1. Extended Key Wrapping Process
The inputs to the extended key wrapping process are the KEK and the The inputs to the extended key wrapping process are the KEK and the
plaintext to be wrapped. The plaintext consists of between 9 and plaintext to be wrapped. The plaintext consists of between one and
2^32 octets, containing the key data being wrapped. The key wrapping 2^32 octets, containing the key data being wrapped. The key wrapping
process is described below. process is described below.
Inputs: Plaintext, m octets {Q1, Q2, ..., Qm}, and Inputs: Plaintext, m octets {Q1, Q2, ..., Qm}, and
Key, K (the KEK). Key, K (the KEK).
Outputs: Ciphertext, (n+1) 64-bit values {C0, C1, ..., Cn}. Outputs: Ciphertext, (n+1) 64-bit values {C0, C1, ..., Cn}.
1) Append padding 1) Append padding
If m is not a multiple of 8, pad the plaintext octet string on If m is not a multiple of 8, pad the plaintext octet string on the
the right with octets {Qm+1, ..., Qr} of zeros, where r is the right with octets {Qm+1, ..., Qr} of zeros, where r is the
smallest multiple of 8 that is greater than m. If m is a smallest multiple of 8 that is greater than m. If m is a multiple
multiple of 8, then there is no padding, and r = m. of 8, then there is no padding, and r = m.
Set n = r/8, which is the same as CEILING(m/8). Set n = r/8, which is the same as CEILING(m/8).
For i = 1, ..., n For i = 1, ..., n
j = 8*(i-1) j = 8*(i-1)
P[i] = Q[j+1] | Q[j+2] | ... | Q[j+8] . P[i] = Q[j+1] | Q[j+2] | ... | Q[j+8] .
2) Wrapping 2) Wrapping
Apply the wrapping process specified in Section 2.2.1 of If the padded plaintext contains exactly eight octets, then
[AES-KW2] to the padded plaintext {P1, ..., Pn} and K (the KEK), prepend the AIV as defined in Section 3 above to P1 and encrypt
with the AIV as defined in Section 3 above as the initial value. the resulting 128-bit block using AES in ECB mode [Modes] with key
The result is n+1 64-bit blocks {C0, C1, ..., Cn}. K (the KEK). In this case the output is two 64-bit blocks C0 and
C1:
C0 | C1 = ENC(K, A | P1).
Otherwise, apply the wrapping process specified in Section 2.2.1
of [AES-KW2] to the padded plaintext {P1, ..., Pn} and K (the
KEK), with the AIV as defined in Section 3 above as the initial
value. The result is n+1 64-bit blocks {C0, C1, ..., Cn}.
4.2 Extended Key Unwrapping Process 4.2 Extended Key Unwrapping Process
The inputs to the extended key unwrapping process are the KEK and The inputs to the extended key unwrapping process are the KEK and
(n+1) 64-bit ciphertext blocks consisting of a previously wrapped (n+1) 64-bit ciphertext blocks consisting of a previously wrapped
key. If the ciphertext is a validly wrapped key, then the (original) key. If the ciphertext is a validly wrapped key, then the unwrapping
unwrapping process returns n 64-bit plaintext blocks, which are then process returns n 64-bit blocks of padded plaintext, which are then
mapped in this extension to m octets of decrypted key data, as mapped in this extension to m octets of decrypted key data, as
indicated by the MLI embedded in the AIV. indicated by the MLI embedded in the AIV.
Inputs: Ciphertext, (n+1) 64-bit blocks {C0, C1, ..., Cn}, and Inputs: Ciphertext, (n+1) 64-bit blocks {C0, C1, ..., Cn}, and
Key, K (the KEK). Key, K (the KEK).
Outputs: Plaintext, m octets {Q1, Q2, ..., Qm}, or an error. Outputs: Plaintext, m octets {Q1, Q2, ..., Qm}, or an error.
1) Key unwrapping 1) Key unwrapping
Apply Steps 1 and 2 of the unwrapping process specified in When n is one (n=1), the ciphertext contains exactly two 64-bit
Section 2.2.2 of [AES-KW2] to the n+1 64-bit ciphertext blocks, blocks (C0 and C1), and they are decrypted as a single AES block
{C0, C1, ..., Cn}, and the KEK, K. Define the padded plaintext using AES in ECB mode [Modes] and K (the KEK) to recover the AIV
blocks, {P1, ..., Pn}, as specified in Step 3 of that process, and the padded plaintext key:
with A[0] as the A value. Note that checking "If A[0] is an
appropriate value" is slightly delayed to Step 2 below since the A | P1 = DEC(K, C0 | C1).
padded plaintext is needed to perform this verification when the
AIV is used. Otherwise, apply Steps 1 and 2 of the unwrapping process specified
in Section 2.2.2 of [AES-KW2] to the n+1 64-bit ciphertext blocks,
{C0, C1, ..., Cn}, and the KEK, K. Define the padded plaintext
blocks, {P1, ..., Pn}, as specified in Step 3 of that process,
with A[0] as the A value. Note that checking "If A[0] is an
appropriate value" is slightly delayed to Step 2 below since the
padded plaintext is needed to perform this verification when the
AIV is used.
2) AIV verification 2) AIV verification
Perform the three checks described in Section 3 above on the Perform the three checks described in Section 3 above on the
padded plaintext and the A value. If any of the checks fail, padded plaintext and the A value. If any of the checks fail, then
then return an error. return an error.
3) Remove padding 3) Remove padding
Let m = the MLI value extracted from A. Let m = the MLI value extracted from A.
Let P = P1 | P2 | ... | Pn. Let P = P1 | P2 | ... | Pn.
For i = 1, ... , m For i = 1, ... , m
Q[i] = LSB(8, MSB(8*i, P)) Q[i] = LSB(8, MSB(8*i, P))
5. Algorithm Identifiers 5. Algorithm Identifiers
Some security protocols employ ASN.1 [X.690], and these protocols Some security protocols employ ASN.1 [X.680], and these protocols
employ algorithm identifiers to name cryptographic algorithms. To employ algorithm identifiers to name cryptographic algorithms. To
support these protocols, the AES Key Wrap with Padding algorithm has support these protocols, the AES Key Wrap with Padding algorithm has
been assigned the following algorithm identifiers, one for each AES been assigned the following algorithm identifiers, one for each AES
KEK size. The AES Key Wrap (without padding) algorithm identifiers KEK size. The AES Key Wrap (without padding) algorithm identifiers
are also included here for convenience. are also included here for convenience.
aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
us(840) organization(1) gov(101) csor(3) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) 1 } nistAlgorithm(4) 1 }
skipping to change at page 6, line 4 skipping to change at page 6, line 14
aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16)
us(840) organization(1) gov(101) csor(3) us(840) organization(1) gov(101) csor(3)
nistAlgorithm(4) 1 } nistAlgorithm(4) 1 }
id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 } id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 } id-aes128-wrap-pad OBJECT IDENTIFIER ::= { aes 8 }
id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 } id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 } id-aes192-wrap-pad OBJECT IDENTIFIER ::= { aes 28 }
id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 } id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 } id-aes256-wrap-pad OBJECT IDENTIFIER ::= { aes 48 }
In all cases, the AlgorithmIdentifier parameter field MUST be absent. In all cases, the AlgorithmIdentifier parameter field MUST be absent.
6. Padded Key Wrap Example 6. Padded Key Wrap Examples
The example in this section was generated using the index-based The examples in this section were generated using the index-based
implementation of the AES Key Wrap algorithm along with the padding implementation of the AES Key Wrap algorithm along with the padding
approach specified in Section 4 of this document. The example wraps approach specified in Section 4 of this document. All values are
20 octets of Key Data with a 192-bit KEK. All values are shown in shown in hexadecimal.
hexadecimal.
The first example wraps 20 octets of Key Data with a 192-bit KEK.
KEK : 5840df6e29b02af1 ab493b705bf16ea1 ae8338f4dcc176a8 KEK : 5840df6e29b02af1 ab493b705bf16ea1 ae8338f4dcc176a8
Key : c37b7e6492584340 bed1220780894115 5068f738 Key : c37b7e6492584340 bed1220780894115 5068f738
Wrap : 138bdeaa9b8fa7fc 61f97742e72248ee 5ae6ae5360d1ae6a Wrap : 138bdeaa9b8fa7fc 61f97742e72248ee 5ae6ae5360d1ae6a
: 5f54f373fa543b6a : 5f54f373fa543b6a
The second example wraps 7 octets of Key Data with a 192-bit KEK.
KEK : 5840df6e29b02af1 ab493b705bf16ea1 ae8338f4dcc176a8
Key : 466f7250617369
Wrap : afbeb0f07dfbf541 9200f2ccb50bb24f
7. Security Considerations 7. Security Considerations
Implementations must protect the key-encryption key (KEK). Implementations must protect the key-encryption key (KEK).
Compromise of the KEK may result in the disclosure of all keys that Compromise of the KEK may result in the disclosure of all keys that
have been wrapped with the KEK, which may lead to the compromise of have been wrapped with the KEK, which may lead to the compromise of
all traffic protected with those wrapped keys. all traffic protected with those wrapped keys.
The KEK must be at least as good as the keying material it is The KEK must be at least as good as the keying material it is
protecting. protecting.
If the KEK and wrapped key are associated with different If the KEK and wrapped key are associated with different
cryptographic algorithms, the effective security provided to data cryptographic algorithms, the effective security provided to data
protected with the wrapped key is determined by the weaker of the two protected with the wrapped key is determined by the weaker of the two
algorithms. If, for example, data is encrypted with 128-bit AES and algorithms. If, for example, data is encrypted with 128-bit AES and
that AES key is wrapped with a 256-bit AES key, then at most 128 bits that AES key is wrapped with a 256-bit AES key, then at most 128 bits
of protection is provided to the data. If, for another example, a of protection is provided to the data. If, for another example, a
128-bit AES key is used to wrap a 4096-bit RSA private key, then at 128-bit AES key is used to wrap a 4096-bit RSA private key, then at
most 128 bits of protection is provided to any data that depends on most 128 bits of protection is provided to any data that depends on
that private key. Thus, implementers must ensure that key-encryption that private key. Thus, implementers must ensure that key-encryption
algorithms are as strong or stronger than other cryptographic algorithms are at least as strong as other cryptographic algorithms
algorithms employed in an overall system. employed in an overall system.
The AES Key Wrap and the AES Key Wrap with Padding algorithms use The AES Key Wrap and the AES Key Wrap with Padding algorithms use
different constants in the initial value. The use of different different constants in the initial value. The use of different
values ensures that the recipient of padded key data cannot values ensures that the recipient of padded key data cannot
successfully unwrap it as unpadded key data, or vice versa. This successfully unwrap it as unpadded key data, or vice versa. This
remains true when the key data is wrapped using the AES Key Wrap with remains true when the key data is wrapped using the AES Key Wrap with
Padding algorithm but no padding is needed. Padding algorithm but no padding is needed.
The AES Key Wrap with Padding algorithm provides almost the same The AES Key Wrap with Padding algorithm provides almost the same
amount of integrity protection as the AES Key Wrap algorithm. amount of integrity protection as the AES Key Wrap algorithm.
A previous padding technique was specified for wrapping HMAC keys A previous padding technique was specified for wrapping HMAC keys
with AES [OLD-KW]. The technique in this document is preferred, and with AES [OLD-KW]. The technique in this document is more general;
the technique in this document is not limited to wrapping HMAC keys. the technique in this document is not limited to wrapping HMAC keys.
The key wrapping technique specified in this document requires the
length of the key data to be at least nine octets because a single
application of the AES codebook is sufficient to protect up to eight
octets of key data. In particular, if the key data consists of eight
or fewer octets, then a 64-bit integrity check value could be
prepended to the key data to form a single 128-bit block. For
example, the integrity check value could consist of a fixed seven
octet value followed by a single octet length value. The wrapping
and unwrapping processes employing such an integrity check value and
a single AES codebook operation could be defined analogous to those
in Section 4 if there is a need to wrap keys that are smaller than
nine octets.
In the design of some high assurance cryptographic modules, it is In the design of some high assurance cryptographic modules, it is
desirable to segregate cryptographic keying material from other data. desirable to segregate cryptographic keying material from other data.
The use of a specific cryptographic mechanism solely for the The use of a specific cryptographic mechanism solely for the
protection of cryptographic keying material can assist in this goal. protection of cryptographic keying material can assist in this goal.
The AES Key Wrap and the AES Key Wrap with Pad are such mechanisms. The AES Key Wrap and the AES Key Wrap with Pad are such mechanisms.
System designers should not use these algorithms to encrypt anything System designers should not use these algorithms to encrypt anything
other than cryptographic keying material. other than cryptographic keying material.
8. IANA Considerations 8. IANA Considerations
skipping to change at page 8, line 5 skipping to change at page 8, line 10
9.1. Normative References 9.1. Normative References
[AES] National Institute of Standards and Technology. FIPS Pub [AES] National Institute of Standards and Technology. FIPS Pub
197: Advanced Encryption Standard (AES). 26 November 2001. 197: Advanced Encryption Standard (AES). 26 November 2001.
[AES-KW1] National Institute of Standards and Technology. AES Key [AES-KW1] National Institute of Standards and Technology. AES Key
Wrap Specification. 17 November 2001. Wrap Specification. 17 November 2001.
[http://csrc.nist.gov/groups/ST/toolkit/documents/kms/ [http://csrc.nist.gov/groups/ST/toolkit/documents/kms/
AES_key_wrap.pdf] AES_key_wrap.pdf]
[AES-KW2] J. Schaad and R. Housley, "Advanced Encryption Standard [AES-KW2] Schaad, J., and R. Housley, "Advanced Encryption Standard
(AES) Key Wrap Algorithm", RFC 3394, September 2002. (AES) Key Wrap Algorithm", RFC 3394, September 2002.
[Modes] Dworkin, M., "Recommendation for Block Cipher Modes of
Operation -- Methods and Techniques", NIST Special
Publication 800-38A, 2001.
[X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002, [X.680] ITU-T Recommendation X.680 (2002) | ISO/IEC 8824-1:2002,
Information technology - Abstract Syntax Notation One Information technology - Abstract Syntax Notation One
(ASN.1): Specification of basic notation. (ASN.1): Specification of basic notation.
9.2. Informative References 9.2. Informative References
[AES-CMS] J. Schaad, "Use of the Advanced Encryption Standard (AES) [AES-CMS] Schaad, J., "Use of the Advanced Encryption Standard (AES)
Encryption Algorithm in Cryptographic Message Syntax Encryption Algorithm in Cryptographic Message Syntax
(CMS)", RFC 3565, July 2003. (CMS)", RFC 3565, July 2003.
[CMS-ASN] J. Schaad and P. Hoffman, "New ASN.1 Modules for CMS and [CMS-ASN] Schaad, J., and P. Hoffman, "New ASN.1 Modules for CMS and
S/MIME", draft-smime-newasn1-05.txt, work-in-progress. S/MIME", draft-smime-newasn1-05.txt, work-in-progress.
[OLD-KW] J. Schaad and R. Housley, "Wrapping a Hashed Message [OLD-KW] Schaad, J., and R. Housley, "Wrapping a Hashed Message
Authentication Code (HMAC) key with a Triple-Data Authentication Code (HMAC) key with a Triple-Data
Encryption Standard (DES) Key or an Advanced Encryption Standard (DES) Key or an Advanced
Encryption Standard (AES) Key", RFC 3537, May 2003. Encryption Standard (AES) Key", RFC 3537, May 2003.
[X.681] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002, [X.681] ITU-T Recommendation X.681 (2002) | ISO/IEC 8824-2:2002,
Information Technology - Abstract Syntax Notation One: Information Technology - Abstract Syntax Notation One:
Information Object Specification. Information Object Specification.
[X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002, [X.682] ITU-T Recommendation X.682 (2002) | ISO/IEC 8824-3:2002,
Information Technology - Abstract Syntax Notation One: Information Technology - Abstract Syntax Notation One:
 End of changes. 35 change blocks. 
70 lines changed or deleted 90 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/