Thales Key Block对 ANS TR-31 规范进行了改进和扩展。我们使用这些key block的最终目的都是为了保护密钥的安全性和完整性。
以下是一个使用3DES KBPK;Key Block Header为0029602RB00E0003的计算Thales Key Block的示例:
一、准备
有3des kbpk:
0123456789ABCDEF8080808080808080FEDCBA9876543220
有包含rsa信息的明文(Plain Key):(270byte)
3082010a0282010100ab23cb3664426d2fedb0890c0cd135e8d44f5c9b0583bcf9d0b5bc078c9920f9148aace581f95e30d264d78ba1959c6395dbe451cca3e15a6ac9cd49b8b6b507eb9fbdc811bea7bdff4337c71a5ffa06fcdb77956a01164181e84e3169f571852275db565533f6bcbb81a13bef8f2c61f752261b796b2698b089e90a000b9dc845654fb2e525380fc1061971208fc6c94a5938f276f3ee470c6eb879af2fdf06ad344e1854e441c981d80c769be213d42402d7565d1b2c45662252e1ce77f196ca901b9206ed789e6ef4dedc93d398e511a1a44fb09f516988950ac566e328fdfb993763fbd3779c6193a2579ac1783fe820d461c5c8b40c47a0ab23947315550203010001
把Plain Key填充到8字节的倍数(272byte)(比如这里填充d5 55):
3082010a0282010100ab23cb3664426d2fedb0890c0cd135e8d44f5c9b0583bcf9d0b5bc078c9920f9148aace581f95e30d264d78ba1959c6395dbe451cca3e15a6ac9cd49b8b6b507eb9fbdc811bea7bdff4337c71a5ffa06fcdb77956a01164181e84e3169f571852275db565533f6bcbb81a13bef8f2c61f752261b796b2698b089e90a000b9dc845654fb2e525380fc1061971208fc6c94a5938f276f3ee470c6eb879af2fdf06ad344e1854e441c981d80c769be213d42402d7565d1b2c45662252e1ce77f196ca901b9206ed789e6ef4dedc93d398e511a1a44fb09f516988950ac566e328fdfb993763fbd3779c6193a2579ac1783fe820d461c5c8b40c47a0ab23947315550203010001d555
按需求组装Key Block Header:
0029602RB00E0003
(30303239363032524230304530303033)
二、计算Thales Key Block的过程:
1.派生KBEK、KBAK
KBPK XOR 24字节的45 45得KBEK:
44660022CCEE88AAC5C5C5C5C5C5C5C5BB99FFDD33117765
KBPK XOR 24字节的4D 4D得KBAK:
4C6E082AC4E680A2CDCDCDCDCDCDCDCDB391F7D53B197F6D
2.计算Encrypted key:
KBEK用3des cbc 对Plain Key 加密,用Key Block Header的前8个字节做IV:
DES/3DES operation finishedKey: 44660022CCEE88AAC5C5C5C5C5C5C5C5BB99FFDD33117765
Algorithm: 3DES CBC
IV: 3030323936303252
Crypto operation: Encryption
Data: 3082010a0282010100ab23cb3664426d2fedb0890c0cd135e8d44f5c9b0583bcf9d0b5bc078c9920f9148aace581f95e30d264d78ba1959c6395dbe451cca3e15a6ac9cd49b8b6b507eb9fbdc811bea7bdff4337c71a5ffa06fcdb77956a01164181e84e3169f571852275db565533f6bcbb81a13bef8f2c61f752261b796b2698b089e90a000b9dc845654fb2e525380fc1061971208fc6c94a5938f276f3ee470c6eb879af2fdf06ad344e1854e441c981d80c769be213d42402d7565d1b2c45662252e1ce77f196ca901b9206ed789e6ef4dedc93d398e511a1a44fb09f516988950ac566e328fdfb993763fbd3779c6193a2579ac1783fe820d461c5c8b40c47a0ab23947315550203010001d555
Padding Method: None
Encrypted data: 8543934674F285120FB48D87CB6D7B1D8008492EBC9EF9E82DC105E5C88FE9B5BAF50AE561D264F97680A58CB610F40B5A302C479381C92479FD59E997EE55830C81092EF0C55D957C45F70EFF67EC31C6A0F4E0D3B37CD011BD5AE3D0E4EEC2CA8100BEC45FD1487FE36B26AF4FEB5FC8B7699F32A0EA991F53CFEF050546E4728E27645B70762635955A5C3968DFBAE6C1A0F32538FAADDC1002C921B081E228D1967E6E38376C12C88B7831C75095AE6462D9B861AE25FF1B2C6057B9FC8CA5556CDFC1C3E712D64D5121430058ED78AE49A4E02691A645E53B184BE4FD885A44D9A8BF71B5FFA24E353CD921C6231544C9A44611A58C29CE38B9FB7C87F980F1373C8A94EADAABB3A3127C04E136
3.计算MAC
KBAK 用TDES CBC-MAC 对Key Block Header + Encrypted key 加密,取前4字节作MAC:
TDES MAC operation finished
Algorithm: TDES CBC-MAC
Key (K): 4C6E082AC4E680A2CDCDCDCDCDCDCDCDB391F7D53B197F6D
Padding: ISO9797-1 (Padding method 1)
Data: 303032393630325242303045303030338543934674F285120FB48D87CB6D7B1D8008492EBC9EF9E82DC105E5C88FE9B5BAF50AE561D264F97680A58CB610F40B5A302C479381C92479FD59E997EE55830C81092EF0C55D957C45F70EFF67EC31C6A0F4E0D3B37CD011BD5AE3D0E4EEC2CA8100BEC45FD1487FE36B26AF4FEB5FC8B7699F32A0EA991F53CFEF050546E4728E27645B70762635955A5C3968DFBAE6C1A0F32538FAADDC1002C921B081E228D1967E6E38376C12C88B7831C75095AE6462D9B861AE25FF1B2C6057B9FC8CA5556CDFC1C3E712D64D5121430058ED78AE49A4E02691A645E53B184BE4FD885A44D9A8BF71B5FFA24E353CD921C6231544C9A44611A58C29CE38B9FB7C87F980F1373C8A94EADAABB3A3127C04E136
Data (padded): 303032393630325242303045303030338543934674F285120FB48D87CB6D7B1D8008492EBC9EF9E82DC105E5C88FE9B5BAF50AE561D264F97680A58CB610F40B5A302C479381C92479FD59E997EE55830C81092EF0C55D957C45F70EFF67EC31C6A0F4E0D3B37CD011BD5AE3D0E4EEC2CA8100BEC45FD1487FE36B26AF4FEB5FC8B7699F32A0EA991F53CFEF050546E4728E27645B70762635955A5C3968DFBAE6C1A0F32538FAADDC1002C921B081E228D1967E6E38376C12C88B7831C75095AE6462D9B861AE25FF1B2C6057B9FC8CA5556CDFC1C3E712D64D5121430058ED78AE49A4E02691A645E53B184BE4FD885A44D9A8BF71B5FFA24E353CD921C6231544C9A44611A58C29CE38B9FB7C87F980F1373C8A94EADAABB3A3127C04E136
Truncation: 4
MAC: FC9B0FF74A760B0B
Truncated MAC: FC9B0FF7 (46 43 39 42 30 46 46 37)
三、组合Key Block Header(hex) + Encrypted key + MAC (hex)得
Thales Key Block [HEX]: 303032393630325242303045303030338543934674F285120FB48D87CB6D7B1D8008492EBC9EF9E82DC105E5C88FE9B5BAF50AE561D264F97680A58CB610F40B5A302C479381C92479FD59E997EE55830C81092EF0C55D957C45F70EFF67EC31C6A0F4E0D3B37CD011BD5AE3D0E4EEC2CA8100BEC45FD1487FE36B26AF4FEB5FC8B7699F32A0EA991F53CFEF050546E4728E27645B70762635955A5C3968DFBAE6C1A0F32538FAADDC1002C921B081E228D1967E6E38376C12C88B7831C75095AE6462D9B861AE25FF1B2C6057B9FC8CA5556CDFC1C3E712D64D5121430058ED78AE49A4E02691A645E53B184BE4FD885A44D9A8BF71B5FFA24E353CD921C6231544C9A44611A58C29CE38B9FB7C87F980F1373C8A94EADAABB3A3127C04E1364643394230464637
发表回复