
List:       cfrg
Subject:    Re: [Cfrg] Use of authenticated encryption for key wrapping
From:       "David McGrew (mcgrew)" <mcgrew () cisco ! com>
Date:       2013-03-18 13:24:13
Message-ID: 747787E65E3FBD4E93F0EB2F14DB556B183EB276 () xmb-rcd-x04 ! cisco ! com

Hi Brian,

On 3/15/13 11:42 AM, "Brian Weis (bew)" <bew@cisco.com> wrote:

>Jim Schaad gave a presentation on JOSE to CFRG today
>(<http://www.ietf.org/proceedings/86/slides/slides-86-cfrg-5.pdf>). The
>question came up as to whether AES key wrap was necessarily the only
>method that was safe for key wrapping in JOSE. The other algorithm under
>consideration is AES-GCM.
>
>Section 3.1 of NIST 800-38F (Methods for Key Wrapping) says:
>
>"Previously approved authenticated-encryption modes—as well as
>combinations of an approved encryption mode with an approved
>authentication method—are approved for the protection of cryptographic
>keys, in addition to general data."
>
>So if one considers that to be good enough advice, AES-GCM would indeed
>be an acceptable method of key wrapping. The chairs asked me to
>cross-post this for discussion.

Thanks for sending out the pointer.

I think the biggest negative with using AES-GCM for key wrapping is that
GCM is not designed to be misuse-resistant.   In contrast, the AES-KW
algorithm does provide some misuse resistance: the AES-KW encryption
algorithm does not require that the caller provide a distinct nonce for
each invocation.  

The biggest negative with requiring the use of AES-KW for key wrapping is
that it requires the implementation of the AES decryption operation
(unlike GCM), it is yet another algorithm to implement/test/validate, and
it takes up space that is precious in a constrained environment.

NIST is right to allow other authenticated encryption methods than AES-KW
to be used for key wrapping.   But if AES-KW is available for JOSE, then
it makes sense to use it for key wrapping.

My $0.02.

David

>
>Brian 
>_______________________________________________
>Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg


