| Cryptographic Token Interface Standard |
PKCS#11
|
LYNKS key wrapping
The LYNKS key wrapping mechanism, denoted CKM_WRAP_LYNKS, is a mechanism for wrapping and unwrapping secret keys with DES keys. It can wrap any 8-byte secret key, and it produces a 10-byte wrapped key, containing a cryptographic checksum.
It does not have a parameter.
To wrap a 8-byte secret key K with a DES key W, this mechanism performs the following steps:
- Initialize two 16-bit integers, sum1 and sum2 , to 0.
- Loop through the bytes of K from first to last.
- Set sum1 = sum1 +the key byte (treat the key byte as a number in the range 0-255).
- Set sum2 = sum2+ sum1 .
- Encrypt K with W in ECB mode, obtaining an encrypted key, E.
- Concatenate the last 6 bytes of E with sum2 , representing sum2 most-significant bit first. The result is an 8-byte block, T.
- Encrypt T with W in ECB mode, obtaining an encrypted checksum, C.
- Concatenate E with the last 2 bytes of C to obtain the wrapped key.
When unwrapping a key with this mechanism, if the cryptographic checksum does not check out properly, an error is returned. In addition, if a DES key or CDMF key is unwrapped with this mechanism, the parity bits on the wrapped key must be set appropriately. If they are not set properly, an error is returned.
RSA Security Inc. Public-Key Cryptography Standards -
PKCS#11 - v211