Key Wrapping and Keeping Your CISO Awake at Night

--

And so, as a CISO, you wake up in the middle of the night with strange thoughts running through your head: "What if our cloud provider suspends our service because of an unpaid bill? What happens to the encryption keys we store in its KMS (Key Management System)?" and "What about the keys we keep in our secure enclave? What happens if that device suffers a power failure?" The answer is key wrapping, which allows you to back up a key in a (fairly) secure manner: the key is encrypted under a second key, the key-encryption key (KEK), and only the wrapped form ever leaves the protected environment. The KEK can be an AES key or an RSA key pair. In this article, we will use AES key wrap with a KEK derived from a password.

Encryption keys need protecting, especially symmetric keys and the private key of a public key pair, and they often have to be stored or moved outside the system that uses them. Two standards for this are RFC 3394 and RFC 5649, which define the Advanced Encryption Standard (AES) Key Wrap algorithm [AES-KW1, AES-KW2]. RFC 5649 adds a padding scheme so that key data whose length is not a multiple of 64 bits can also be wrapped.

The KEK is an AES key of 128, 192 or 256 bits. The key to be protected (K1) is split into 64-bit blocks, and the wrap operation runs those blocks through AES six times, chained together with a 64-bit integrity value, to produce WRAP(K1), which is one 64-bit block longer than K1. To recover K1 we need the KEK, and the unwrap process also checks the integrity of the key: if the KEK is wrong, or the wrapped data has been altered, the recovered integrity value does not match the expected one and the unwrap fails, rather than silently returning a bad key. A typical deployment is a production environment in which the data-encryption keys are stored, in wrapped form, within a cloud-based system, while the KEK is kept out of reach and is only used to produce the actual encryption key.

Because the keys are protected by the KEK, the wrapped keys can be stored within a cloud-based system (the red key in Figure 1), while the KEK itself is protected from access. When a symmetric key needs to be unwrapped, the KEK is revealed only within a trusted environment, which then produces the actual encryption key. Thus the actual encryption keys are never stored anywhere in the clear.

Figure 1: Key wrapping

In Figure 1, we use OpenSSL to generate the wrapped key. A random salt value is generated, and the KEK is derived from a passphrase and that salt (here using PBKDF2). The wrapped key is then stored along with its salt value. To unwrap the key, we need both the salt value and the passphrase.

In OpenSSL, there are six main wrapping options for AES: "-aes-128-wrap", "-aes-192-wrap" and "-aes-256-wrap" for RFC 3394, and "-aes-128-wrap-pad", "-aes-192-wrap-pad" and "-aes-256-wrap-pad" for RFC 5649 (older releases spell these "-aes128-wrap" and "-id-aes128-wrap", which OpenSSL still accepts). The number is the size of the KEK, not of the key being wrapped. The unpadded variants require the input to be at least 16 bytes long and a multiple of 8 bytes; the "-pad" variants pad the input so that any length can be wrapped.

In OpenSSL we can generate a random key with the "openssl rand" command, and then wrap this key using a password of "Qwerty123" and a 128-bit AES KEK. Note that the argument to "openssl rand" is a byte count, so "openssl rand 128" produces 128 random bytes (1,024 bits), not 128 bits; the key being wrapped here is therefore 128 bytes long, and it fills offsets 0x00 to 0x7f of the first hex dump:

Commands:
openssl rand 128 > 1.key
openssl enc -aes128-wrap -in 1.key -out 1.key.wrp -pass pass:Qwerty123 -pbkdf2

Generating random 128-byte key
00000000: d6f8 171a 2d00 820c 543c 503c 4654 1b5f ....-...T<P<FT._
00000010: 524f 67fc 40f7 4569 a619 d926 028c 3ddb ROg.@.Ei...&..=.
00000020: 4944 c194 bb3a 9475 bf39 d5ac 1158 d9c8 ID...:.u.9...X..
00000030: 86b4 19a7 5000 77ce 003f b83b 007e 78e1 ....P.w..?.;.~x.
00000040: afe0 7b84 02fc f8be 5aa4 5309 0e61 8fcc ..{.....Z.S..a..
00000050: 15f4 5ac2 c9d7 221b c82d 83c8 48cc d1dc ..Z..."..-..H...
00000060: 2268 7a53 4fa9 0ef1 bdea b672 414d a4c4 "hzSO......rAM..
00000070: 7233 6362 f24e 7aa8 f723 c896 94b3 f6a5 r3cb.Nz..#......
====
Wrapping the key with "Qwerty123"
00000000: 5361 6c74 6564 5f5f f8ad 63dc e14f d4da Salted__..c..O..
00000010: 0698 974d aaa2 1878 3aa0 e933 07d1 f3f6 ...M...x:..3....
00000020: 79ac dfab c854 57c1 f7ca 0b8e 17ef 0d53 y....TW........S
00000030: 2c67 8a60 b073 8fb9 9b92 3efc e042 490f ,g.`.s....>..BI.
00000040: 4a94 907f 5c6a 646e ad47 4ed7 5c31 2a02 J...\jdn.GN.\1*.
00000050: 48de cc0f 496f d0f9 928a 52df f09f 72e3 H...Io....R...r.
00000060: aa4e 83a5 5b13 7058 e90d eab5 1790 b047 .N..[.pX.......G
00000070: 121c f2a4 2ef4 e655 f506 3d03 866c 7f91 .......U..=..l..
00000080: 69c3 3671 92fd 07d8 ef42 dc56 cea2 3294 i.6q.....B.V..2.
00000090: 73fd 9ba2 80d0 a95d s......]

If we analyse the wrapped output, we first see the marker "Salted__" (5361 6c74 6564 5f5f), which OpenSSL writes at the start of any password-based "enc" output:

5361 6c74 6564 5f5f Salted__

This is followed by the salt value, which is 8 bytes (64 bits) long:

f8ad 63dc e14f d4da

and then by the wrapped key. Because RFC 3394 prepends a 64-bit integrity block, the wrapped key is 8 bytes longer than the 128-byte key that went in, giving 136 bytes:

0698 974d aaa2 1878 3aa0 e933 07d1 f3f6
79ac dfab c854 57c1 f7ca 0b8e 17ef 0d53
2c67 8a60 b073 8fb9 9b92 3efc e042 490f
4a94 907f 5c6a 646e ad47 4ed7 5c31 2a02
48de cc0f 496f d0f9 928a 52df f09f 72e3
aa4e 83a5 5b13 7058 e90d eab5 1790 b047
121c f2a4 2ef4 e655 f506 3d03 866c 7f91
69c3 3671 92fd 07d8 ef42 dc56 cea2 3294
73fd 9ba2 80d0 a95d

The first 8 bytes of the wrapped key (0698 974d aaa2 1878) are the integrity block: on unwrapping, the correct KEK transforms it back into the expected integrity value, and a wrong password or a corrupted file is rejected. The whole file is thus 8 + 8 + 136 = 152 bytes (0x98), which agrees with the hex dump.
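To make the algorithm described earlier and the file layout just analysed concrete, here is an added example (not code from the article or from OpenSSL) that implements the RFC 3394 wrap and unwrap loops in Python, checks them against the RFC's own test vector, derives a KEK from a passphrase and an 8-byte salt with PBKDF2, and parses the 152-byte "Salted__" blob from the first hex dump above into its marker, salt and 136-byte wrapped key. Only the raw AES block operation comes from the cryptography package. The container layout mirrors what "openssl enc" writes, but the key-derivation details (PBKDF2-HMAC-SHA256, 10,000 iterations, the default RFC 3394 integrity value) are this example's own choice and are not guaranteed to match what "openssl enc" does internally, so do not expect the two to unwrap each other's files.

```python
"""RFC 3394 AES Key Wrap plus a password-derived KEK backup container.

Added example, not code from the article or from OpenSSL. Only the raw AES
block operation comes from the `cryptography` package; the wrap/unwrap loops
are written out so the integrity check is visible. The KEK derivation below is
an assumption of this example and need not be byte-compatible with openssl enc.
"""
import hashlib
import os

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

RFC3394_IV = bytes.fromhex("A6A6A6A6A6A6A6A6")  # default integrity check value
MAGIC = b"Salted__"                              # marker openssl enc writes first
SALT_LEN = 8                                     # openssl enc uses an 8-byte salt
PBKDF2_ITER = 10000                              # assumed; openssl enc -pbkdf2 default


def _aes_block(kek, block, decrypt=False):
    """One raw AES block operation (16 bytes in, 16 bytes out) under the KEK."""
    cipher = Cipher(algorithms.AES(kek), modes.ECB(), backend=default_backend())
    op = cipher.decryptor() if decrypt else cipher.encryptor()
    return op.update(block) + op.finalize()


def aes_key_wrap(kek, key_data):
    """RFC 3394 section 2.2.1: wrap key_data (>= 16 bytes, multiple of 8)."""
    if len(kek) not in (16, 24, 32):
        raise ValueError("KEK must be 128, 192 or 256 bits")
    if len(key_data) < 16 or len(key_data) % 8:
        raise ValueError("key data must be >= 16 bytes and a multiple of 8")
    n = len(key_data) // 8
    a = RFC3394_IV
    r = [key_data[i:i + 8] for i in range(0, len(key_data), 8)]
    for j in range(6):                      # six passes over all 64-bit blocks
        for i in range(n):
            b = _aes_block(kek, a + r[i])   # B = AES(K, A | R[i])
            t = n * j + i + 1               # round counter from the RFC
            a = (int.from_bytes(b[:8], "big") ^ t).to_bytes(8, "big")
            r[i] = b[8:]
    return a + b"".join(r)                  # C[0] = A (integrity block), C[i] = R[i]


def aes_key_unwrap(kek, wrapped):
    """RFC 3394 section 2.2.2; raises ValueError if the integrity check fails."""
    if len(wrapped) < 24 or len(wrapped) % 8:
        raise ValueError("wrapped data must be >= 24 bytes and a multiple of 8")
    n = len(wrapped) // 8 - 1
    a = wrapped[:8]
    r = [wrapped[i:i + 8] for i in range(8, len(wrapped), 8)]
    for j in range(5, -1, -1):              # undo the six passes in reverse
        for i in range(n - 1, -1, -1):
            t = n * j + i + 1
            a_xor_t = (int.from_bytes(a, "big") ^ t).to_bytes(8, "big")
            b = _aes_block(kek, a_xor_t + r[i], decrypt=True)
            a, r[i] = b[:8], b[8:]
    if a != RFC3394_IV:                     # wrong KEK or tampered blob
        raise ValueError("integrity check failed: wrong KEK or corrupted data")
    return b"".join(r)


def integrity_ok(kek, wrapped):
    """True if `wrapped` unwraps cleanly under `kek`, False if the check fails."""
    try:
        aes_key_unwrap(kek, wrapped)
        return True
    except ValueError:
        return False


def kek_from_password(password, salt, kek_len=16):
    """Derive a 128/192/256-bit KEK from a passphrase and the stored salt."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITER, kek_len)


def split_container(blob):
    """Split "Salted__" | 8-byte salt | wrapped key, the layout openssl enc uses."""
    if blob[:8] != MAGIC:
        raise ValueError("missing Salted__ marker")
    salt, body = blob[8:16], blob[16:]
    if len(body) < 24 or len(body) % 8:
        raise ValueError("wrapped body has an invalid length")
    return salt, body


def wrap_with_password(password, key_data, kek_len=16, salt=None):
    """Backup container: MAGIC | salt | wrap(KEK(password, salt), key_data)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return MAGIC + salt + aes_key_wrap(kek_from_password(password, salt, kek_len), key_data)


def unwrap_with_password(password, blob, kek_len=16):
    """Recover the key from a container; fails on a wrong password or tampering."""
    salt, body = split_container(blob)
    return aes_key_unwrap(kek_from_password(password, salt, kek_len), body)


def describe_openssl_blob(blob):
    """Return (salt hex, wrapped-key length, original key length) for a blob."""
    salt, body = split_container(blob)
    return salt.hex(), len(body), len(body) - 8


# The 152-byte output from the article's first hex dump (128-byte key,
# password "Qwerty123", -aes128-wrap -pbkdf2), copied byte for byte.
ARTICLE_BLOB = bytes.fromhex(
    "53616c7465645f5f f8ad63dce14fd4da 0698974daaa21878 3aa0e93307d1f3f6"
    "79acdfabc85457c1 f7ca0b8e17ef0d53 2c678a60b0738fb9 9b923efce042490f"
    "4a94907f5c6a646e ad474ed75c312a02 48decc0f496fd0f9 928a52dff09f72e3"
    "aa4e83a55b137058 e90deab51790b047 121cf2a42ef4e655 f5063d03866c7f91"
    "69c3367192fd07d8 ef42dc56cea23294 73fd9ba280d0a95d"
)

if __name__ == "__main__":
    print("article blob: salt=%s wrapped=%d bytes key=%d bytes" % describe_openssl_blob(ARTICLE_BLOB))
    data_key = os.urandom(32)                       # e.g. an AES-256 data key to back up
    blob = wrap_with_password(b"Qwerty123", data_key)
    assert unwrap_with_password(b"Qwerty123", blob) == data_key
    wrong_kek = kek_from_password(b"Qwerty124", blob[8:16])
    print("wrong password accepted?", integrity_ok(wrong_kek, blob[16:]))
```

Running the script reports the article's blob as an 8-byte salt, a 136-byte wrapped key and therefore a 128-byte original key, round-trips a fresh 32-byte data key through the container, and shows that a one-character change to the password makes the unwrap fail on the integrity check rather than return garbage. Note that the integrity block is a 64-bit check, not a MAC over the whole backup: it tells you the KEK and the data agree, nothing more, so store the container where it cannot be replaced by an attacker's own wrapped key.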

For a 256-bit KEK, again wrapping a 128-byte key (the output is still 152 bytes, since the wrapped size depends only on the size of the key being wrapped, not on the KEK), we have:

Commands:
openssl rand 128 > 1.key
openssl enc -aes-256-wrap -in 1.key -out 1.key.wrp -pass pass:Qwerty123 -pbkdf2

Generating random 128-byte key
00000000: f72e 632b 4d2c c5d5 3b6d 2baa 6546 95d8 ..c+M,..;m+.eF..
00000010: a065 8bae af47 fec7 a698 cf4a 107f 4369 .e...G.....J..Ci
00000020: 3bf3 a43e 5614 93b6 7b17 60ee 9e3b e802 ;..>V...{.`..;..
00000030: 46da a5ec f093 364c 329d 37c2 db16 50b8 F.....6L2.7...P.
00000040: dd3e 2566 4e1b 952c e39f 8435 6768 68a8 .>%fN..,...5ghh.
00000050: c53a 4457 0e7b 81f1 3ccb c6b1 6e9c d373 .:DW.{..<...n..s
00000060: 328f 5755 afdc fe6b aefc a72e 173c f4c3 2.WU...k.....<..
00000070: a19f 8706 ba7b ca36 7d9c e227 4e29 d1d2 .....{.6}..'N)..
====
Wrapping the key with "Qwerty123"
00000000: 5361 6c74 6564 5f5f e445 7590 9cf5 76ce Salted__.Eu...v.
00000010: 24eb e1d5 45bd a97c 5162 6113 3fb1 8723 $...E..|Qba.?..#
00000020: 8dd1 b0ae d878 8896 cd34 94d9 f00d ec0f .....x...4......
00000030: b2f6 d20e 6a2b 8afd 8e55 e4ac 322f f2dc ....j+...U..2/..
00000040: deb0 1db5 5a20 5e55 ade8 b085 0073 0167 ....Z ^U.....s.g
00000050: 9e6e 2b2a a2df 14e6 0e35 7743 8bb9 ee37 .n+*.....5wC...7
00000060: bcee 185a 3aaa a15f ae0b e7d0 3e89 c27d ...Z:.._....>..}
00000070: b075 7363 1432 a9b3 7c19 71a6 5964 106a .usc.2..|.q.Yd.j
00000080: 4e44 694d 8bd8 b08f 889f 9f2a 1662 ac33 NDiM.......*.b.3
00000090: 1fed 2f42 9cb9 bb87 ../B....

Now for a 256-byte key ("openssl rand 256"), wrapped with a 128-bit KEK. The output is 8 + 8 + (256 + 8) = 280 bytes (0x118):

Commands:
openssl rand 256 > 1.key
openssl enc -aes-128-wrap -in 1.key -out 1.key.wrp -pass pass:Qwerty123 -pbkdf2

Generating random 256-byte key
00000000: 5500 af9a 3ef5 f78f 9ba1 9561 3a1f d85e U...>......a:..^
00000010: 7765 124a 0aa0 d858 8fa9 a9dc 8c63 4f9a we.J...X.....cO.
00000020: a638 c787 059c 6e60 0e49 3eda 7674 3a1c .8....n`.I>.vt:.
00000030: 6da7 684f 7f1f 647b b939 b949 d50c 1650 m.hO..d{.9.I...P
00000040: c7aa 01cd 468c 2538 3c5b 59e9 eb41 1806 ....F.%8<[Y..A..
00000050: 7fbc 4353 eff1 3915 f20b 1176 869f 6606 ..CS..9....v..f.
00000060: 19d6 5e60 66ea 40d6 cf26 664a bab6 c82d ..^`f.@..&fJ...-
00000070: a87d 2060 ec90 22f8 eb74 f331 f676 87b4 .} `.."..t.1.v..
00000080: f439 49c2 824b 5eb8 4415 3299 52cc 8d5a .9I..K^.D.2.R..Z
00000090: e22e fcac 4b29 8edd c7d9 24ff e662 8d43 ....K)....$..b.C
000000a0: 9692 35fe a62c 45cf 2eab 81cf 92d4 c926 ..5..,E........&
000000b0: c561 cfa6 60e9 f6ab 18ef 44d9 1fd9 7d88 .a..`.....D...}.
000000c0: 956a 9a67 a54d daa8 c0a9 7ea9 c048 d36b .j.g.M....~..H.k
000000d0: 2aa6 4b29 534b 336b abca b74a 5ec7 1d85 *.K)SK3k...J^...
000000e0: e895 a55b df0f aafa 0d1d 69af 1db7 0777 ...[......i....w
000000f0: 1d0d 2a29 46d5 1604 b817 a1d5 5c5d 1915 ..*)F.......\]..
====
Wrapping the key with "Qwerty123"
00000000: 5361 6c74 6564 5f5f 7ea0 06f5 686a 3a47 Salted__~...hj:G
00000010: 9eb8 a682 4a03 1190 730e 055b 9911 213b ....J...s..[..!;
00000020: c4e6 9907 b416 e7da f60a a1d3 1ef8 3495 ..............4.
00000030: f37c fdc6 5ab4 eeaa cc62 c30c 000f b922 .|..Z....b....."
00000040: 63b1 02c0 637f 9344 838b 3ac7 9764 5949 c...c..D..:..dYI
00000050: 19e6 0bb2 0bb1 7c3f 53f6 1297 e6b6 3bcd ......|?S.....;.
00000060: 11c5 42cd 9adb 62cf 1a0d 2ece 51bc 581c ..B...b.....Q.X.
00000070: a978 ef91 6e58 2ce9 4b51 7d3f 9256 54c8 .x..nX,.KQ}?.VT.
00000080: 1340 ac54 e01b 4354 6a1b 85ec 090a 4aaf .@.T..CTj.....J.
00000090: 9fbc dd52 9106 6516 9609 6feb a92f 6fcf ...R..e...o../o.
000000a0: aeee 3758 133b cb20 046c e9ed ba35 cd88 ..7X.;. .l...5..
000000b0: 224c c232 e7a2 4e86 5c3d dac4 003d 8fa4 "L.2..N.\=...=..
000000c0: ccdf 50d7 cece 2c8f 7dde e75e 916c 2e17 ..P...,.}..^.l..
000000d0: 7a2c 816e 1c74 c785 9d50 f731 8a6e feed z,.n.t...P.1.n..
000000e0: 3217 615e 3c98 34f6 2b2b d75e 0d50 2890 2.a^<.4.++.^.P(.
000000f0: aca1 d61e 6d19 45c7 9016 05d4 4637 07ff ....m.E.....F7..
00000100: 1859 8134 1d2b 1402 1c3f 3051 d3f1 cd3d .Y.4.+...?0Q...=
00000110: 96ba b9be 4fea 3c71 ....O.<q

The OpenSSL implementation is here:

https://asecuritysite.com/openssl/openssl_keywrap

and more details here:

https://asecuritysite.com/wrap/

Obviously, the security of a password-wrapped key is bounded by the strength of the password, so beware of weak passwords on your wrapped keys. PBKDF2 (10,000 iterations by default in "openssl enc", which can be raised with "-iter") slows down each guess, and the salt defeats precomputed tables, but neither rescues a password that appears in every attacker's wordlist. For a backup KEK, use a long random passphrase, or better a random KEK held in an HSM or a second key store, and keep the wrapped keys and the KEK in different places so that a single breach does not expose both.

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.