[Cfrg] Use of authenticated encryption for key wrapping

Brian Weis <bew@cisco.com> Fri, 15 March 2013 16:02 UTC

To: jose@ietf.org, cfrg@ietf.org

Jim Schaad gave a presentation on JOSE to CFRG today (<http://www.ietf.org/proceedings/86/slides/slides-86-cfrg-5.pdf>). The question came up as to whether AES key wrap was necessarily the only method that was safe for key wrapping in JOSE. The other algorithm under consideration is AES-GCM. 

Section 3.1 of NIST 800-38F (Methods for Key Wrapping) says:

"Previously approved authenticated-encryption modes—as well as combinations of an approved encryption mode with an approved authentication method—are approved for the protection of cryptographic keys, in addition to general data."

So if one considers that to be good enough advice, AES-GCM would indeed be an acceptable method of key wrapping. The chairs asked me to cross-post this for discussion.

Brian
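
The two candidates discussed in the message above, side by side. This is an added example, not part of the original post or of any JOSE draft. It assumes Node.js's built-in crypto module and a 128-bit KEK, and the helper names are hypothetical.

```javascript
// Added illustration; helper names are hypothetical, not from JOSE or the message.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const KW_IV = Buffer.alloc(8, 0xa6); // default initial value from RFC 3394

// AES Key Wrap (RFC 3394, "KW" in SP 800-38F): deterministic, no nonce to manage.
function kwWrap(kek, key) {
  const c = createCipheriv('aes128-wrap', kek, KW_IV);
  return Buffer.concat([c.update(key), c.final()]);
}

function kwUnwrap(kek, wrapped) {
  const d = createDecipheriv('aes128-wrap', kek, KW_IV);
  return Buffer.concat([d.update(wrapped), d.final()]); // throws if the integrity check fails
}

// AES-GCM as a key wrap: every wrap under one KEK needs a fresh 96-bit nonce,
// and the nonce and 128-bit tag must travel with the wrapped key.
function gcmWrap(kek, key) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-128-gcm', kek, iv);
  const ct = Buffer.concat([c.update(key), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function gcmUnwrap(kek, { iv, ct, tag }) {
  if (tag.length !== 16) throw new Error('truncated tag rejected');
  const d = createDecipheriv('aes-128-gcm', kek, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // final() throws on a bad tag
}

// Returns true when unwrapping a copy with one flipped bit is refused.
function rejectsTampering(unwrap, bytes) {
  const bad = Buffer.from(bytes);
  bad[0] ^= 0x01;
  try { unwrap(bad); return false; } catch (e) { return true; }
}

// Sample inputs: the 128-bit KEK and key data of the RFC 3394 section 4.1 test vector.
const kek = Buffer.from('000102030405060708090A0B0C0D0E0F', 'hex');
const cek = Buffer.from('00112233445566778899AABBCCDDEEFF', 'hex');

const g = gcmWrap(kek, cek);
console.log('KW  (24 bytes):', kwWrap(kek, cek).toString('hex'));
console.log('GCM (12+16+16):', g.iv.toString('hex'), g.ct.toString('hex'), g.tag.toString('hex'));
```

Both constructions refuse a modified wrapped key. The operational difference is that GCM's safety depends on never repeating a nonce under the same KEK, while AES Key Wrap has no nonce at all.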