AESKW

AES Key Wrap (AESKW) is a family of algorithms for securely wrapping cryptographic keys with a key-encryption key (KEK) using the AES block cipher. The design provides confidentiality and integrity protection for keys that are moved or stored. AESKW is defined in RFC 3394 (AES Key Wrap) and extended by RFC 5649 (AES Key Wrap with Padding).

How it works: The plaintext key to be wrapped is treated as a sequence of 64-bit blocks. An 8-byte initial value A, set to a fixed constant (0xA6A6A6A6A6A6A6A6), is combined with the data blocks and repeatedly encrypted under the KEK through six rounds of AES-based mixing. The wrapped key consists of the final A and the data blocks B1 through Bn. Unwrapping reverses the process and verifies integrity via the A value. The scheme provides both confidentiality of the wrapped key and an integrity check through the structure of A.

Variants and extensions: RFC 5649 introduces AES Key Wrap with Padding, which supports wrapping of keys whose length is not a multiple of 8 bytes by adding a padding mechanism and embedding length information in A. This makes AESKW applicable to a wider range of key material.

Usage and interoperability: AESKW is widely used in key management and secure storage systems to protect keys at rest or in transit. It is also employed in JSON Web Encryption (JWE) as the Akw algorithms (for example, A128KW, A256KW) to wrap content-encryption keys (CEKs).

Security considerations: The security of AESKW relies on the secrecy of the KEK and correct implementation of the standard. If the KEK is compromised, all wrapped keys are exposed. Proper key management, adherence to RFC 3394/5649, and use of appropriate KEK lengths (e.g., 128, 192, or 256 bits) are essential.