[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Cfrg] comments on AES Key Wrap with Pad

To: Russ Housley <housley at vigilsec.com>
Subject: [Cfrg] comments on AES Key Wrap with Pad
From: David McGrew <mcgrew at cisco.com>
Date: Wed, 1 Apr 2009 09:40:16 -0700
Authentication-results: sj-dkim-3; header.From=mcgrew at cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: Morris Dworkin <dworkin at nist.gov>, cfrg at irtf.org
Delivered-to: cfrg at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=2811; t=1238604018; x=1239468018; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew at cisco.com; z=From:=20David=20McGrew=20<mcgrew at cisco.com> |Subject:=20comments=20on=20AES=20Key=20Wrap=20with=20Pad |Sender:=20; bh=k87TIes/VvqhqzWKSimMGixQYT7mEZYFRTuuryB6ARY=; b=mMZJ18K+5Gx8S1atSFHbOkr3+0kF6ICX8GyEUTcaVBAD/LRw2DqyQYLkhy eV3ltDUhmdGJsj9LFIEp85MOMZ77N1B+n3tFtfiENqOeII2j8GayXE7IcQix HRyd2ofOzY;
In-reply-to: <20090328172818.1F6759A47B3 at odin.smetech.net>
List-archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-help: <mailto:cfrg-request@irtf.org?subject=help>
List-id: Crypto Forum Research Group <cfrg.irtf.org>
List-post: <mailto:cfrg@irtf.org>
List-subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
List-unsubscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
References: <20090328172818.1F6759A47B3 at odin.smetech.net>

Hi Russ,

this draft makes it possible to use the keywrap algorithm in moreapplications, by removing length restrictions on its inputs, but itdoesn't provide any guidance on where or how the keywrap algorithmshould be used. I suggest that some guidance be added on thissubject. The biggest question is: given that the keywrap algorithmprovides encryption and integrity protection, in what cases should itbe used instead of an authenticated encryption algorithm, or an AEADalgorithm, as in RFC 5116? I will take a guess at the answer in thehope of being constructive:


<guidance>

If it is not possible or desirable to meet the requirements on noncegeneration in RFC 5116, Section 3.1., then the keywrap algorithmshould be used.

If there is additional data associated with the key, which should beauthenticated but not encrypted, then an AEAD algorithm should beused. This type of data could include information on how theencrypted data is to be processed; this data needs to be unencryptedin order to allow the system to function.

If high data rates need to be supported, then an AEAD algorithm shouldbe used.

</guidance>

It is important that the key-wrap document doesn't inadvertentlycreate an expectation that every protocol in which key material getstransported needs to be re-designed to incorporate a key-wrapalgorithm. My preference would be to have a statement like this: Ifa protocol is already encrypting and authenticating data using strongalgorithms, it is not necessary to use key-wrap to provide anadditional layer of encryption and authentication/integrity-protection.

My understanding of the motivation for the keywrap algorithm (which Iwill admit has been incomplete) is that it provides a way to encryptAES-256 keys using AES-256, and thus provides functionality similar tothat of using AES-128-ECB to encrypt an AES-128 key. If that's right,would it be worthwhile to add this example usage?

I suggest adding guidance on key usage. I would assume that the KEKwould need to be generated uniformly at random, or by a process thatit indistinguishable from a random process, and that each KEK shouldbe used to encrypt no more than 2^64 distinct key-data inputs (thoughperhaps a lower bound would be more sensible) and decrypt no more thanthe same number of ciphertexts.


best regards,

David

On Mar 28, 2009, at 10:28 AM, Russ Housley wrote:

http://www.ietf.org/internet-drafts/draft-housley-aes-key-wrap-with-pad-02.txt

I want to make sure that the CFRG is aware of this document.

Russ
_______________________________________________
Cfrg mailing list
Cfrg at irtf.org
http://www.irtf.org/mailman/listinfo/cfrg

Follow-Ups:
- Re: [Cfrg] comments on AES Key Wrap with Pad
  - From: Russ Housley
- Re: [Cfrg] comments on AES Key Wrap with Pad
  - From: Dan Harkins

References:
- [Cfrg] AES Key Wrap with Pad
  - From: Russ Housley

Prev by Date: Re: [Cfrg] AES Key Wrap with Pad
Next by Date: Re: [Cfrg] comments on AES Key Wrap with Pad
Previous by thread: Re: [Cfrg] AES Key Wrap with Pad
Next by thread: Re: [Cfrg] comments on AES Key Wrap with Pad
Index(es):
- Date
- Thread