Re: [Cfrg] [jose] Use of authenticated encryption for key wrapping

Russ Housley <housley@vigilsec.com> Fri, 15 March 2013 18:42 UTC


There are some system design issues to be considered.  The use of different modes for encryption of user data and keying material makes it easier to prevent the decryption of keying material outside of the crypto module.

Russ

 
On Mar 15, 2013, at 11:42 AM, Brian Weis wrote:

> Jim Schaad gave a presentation on JOSE to CFRG today (<http://www.ietf.org/proceedings/86/slides/slides-86-cfrg-5.pdf>). The question came up as to whether AES key wrap was necessarily the only method that was safe for key wrapping in JOSE. The other algorithm under consideration is AES-GCM. 
> 
> Section 3.1 of NIST 800-38F (Methods for Key Wrapping) says:
> 
> "Previously approved authenticated-encryption modes—as well as combinations of an approved encryption mode with an approved authentication method—are approved for the protection of cryptographic keys, in addition to general data."
> 
> So if one considers that to be good enough advice, AES-GCM would indeed be an acceptable method of key wrapping. The chairs asked me to cross-post this for discussion.
> 
> Brian