Hi Russ,
This draft addresses a shortcoming in AES Key Wrap (RFC 3394) but I
still have to ask "why?"
Using this new version of AES Key Wrap will require a new code point
and if that's the case why not just use AES-SIV (RFC 5297)? It allows
for wrapping of arbitrarily-sized keys (which is the enhancement your
new I-D adds to AES Key Wrap) but also has the ability to accept
associated data.
A key wrapping algorithm that accepts associated data is valuable to
protocols which need to distribute wrapped keys. They can bind the
message containing the key to the wrapping and/or include shared state
to prevent against cut-and-paste attacks. And it obviates the need to
do an additional HMAC-foo over the entire message.
While this I-D provides an improvement on AES Key Wrap, it seems to
me that it's putting a turbo-charger on a Volkswagen Bug when you could
drive a Ferrari instead.
regards,
Dan.
On Sat, March 28, 2009 10:28 am, Russ Housley wrote:
> http://www.ietf.org/internet-drafts/draft-housley-aes-key-wrap-with-pad-02.txt
>
> I want to make sure that the CFRG is aware of this document.
>
> Russ
>