[prev in list] [next in list] [prev in thread] [next in thread] 

List:       cfrg
Subject:    Re: [Cfrg] Use of authenticated encryption for key wrapping
From:       "Dan Harkins" <dharkins () lounge ! org>
Date:       2013-12-09 2:03:31
Message-ID: 5592752071777e5b279de4ab96af73e3.squirrel () www ! trepanning ! net
[Download RAW message or body]

  Hello,

On Mon, March 18, 2013 5:24 am, David McGrew (mcgrew) wrote:
> Hi Brian,
>
> On 3/15/13 11:42 AM, "Brian Weis (bew)" <bew@cisco.com> wrote:
>
>>Jim Schaad gave a presentation on JOSE to CFRG today
>>(<http://www.ietf.org/proceedings/86/slides/slides-86-cfrg-5.pdf>). The
>>question came up as to whether AES key wrap was necessarily the only
>>method that was safe for key wrapping in JOSE. The other algorithm under
>>consideration is AES-GCM.
>>
>>Section 3.1 of NIST 800-38F (Methods for Key Wrapping) says:
>>
>>"Previously approved authenticated-encryption modes‹as well as
>>combinations of an approved encryption mode with an approved
>>authentication method‹are approved for the protection of cryptographic
>>keys, in addition to general data."
>>
>>So if one considers that to be good enough advice, AES-GCM would indeed
>>be an acceptable method of key wrapping. The chairs asked me to
>>cross-post this for discussion.
>
> Thanks for sending out the pointer.
>
> I think the biggest negative with using AES-GCM for key wrapping is that
> GCM is not designed to be misuse-resistant.   In contrast, the AES-KW
> algorithm does provide some misuse resistance: the AES-KW encryption
> algorithm does not require that the caller provide a distinct nonce for
> each invocation.

  AES-SIV was designed for key wrapping and provides misuse resistance.
Once can obtain authenticated encryption without providing a distinct
nonce each time. It is more efficient than AES-KW too.

> The biggest negative with requiring the use of AES-KW for key wrapping is
> that, it requires the implementation of the AES decryption operation
> (unlike GCM), it is yet another algorithm to implement/test/validate, and
> it takes up space that is precious in a constrained environment.

  AES-SIV does not require the AES decryption operation. So you get
that benefit and you still get misuse-resistant authenticated encryption.

  Another cool benefit to AES-SIV key wrapping is that it can accept AAD.
So you can bind in other data into the wrapping, such as a header of the
payload of the message containing the wrapped key.

> NIST is right to allow other authenticated encryption methods than AES-KW
> to be used for key wrapping.   But if AES-KW is available for JOSE, then
> it makes sense to use it for key wrapping.

  But they're not right in not allowing AES-SIV. I have raised this with them
on multiple occasions and the response is basically a catch-22-- NIST won't
bless it unless it's used in some major protocol but major protocols are
loath to specify some crypto mode that has not been blessed by NIST.

  AES-SIV is the right tool for this job. Consider using it. It's
specified in
RFC 5297 and there's a security proof in the paper that defined it:
"Deterministic Authenticated Encryption: A Provable-Security Treatment
of the Key-Wrap Problem" by Rogaway and Shrimpton.

  regards,

  Dan.




[prev in list] [next in list] [prev in thread] [next in thread]