Re: [Cfrg] Use of authenticated encryption for key wrapping

"Dan Harkins" <> Mon, 09 December 2013 02:03 UTC



On Mon, March 18, 2013 5:24 am, David McGrew (mcgrew) wrote:
> Hi Brian,
> On 3/15/13 11:42 AM, "Brian Weis (bew)" <> wrote:
>>Jim Schaad gave a presentation on JOSE to CFRG today
>>(<>). The
>>question came up as to whether AES key wrap was necessarily the only
>>method that was safe for key wrapping in JOSE. The other algorithm under
>>consideration is AES-GCM.
>>Section 3.1 of NIST 800-38F (Methods for Key Wrapping) says:
>>"Previously approved authenticated-encryption modes—as well as
>>combinations of an approved encryption mode with an approved
>>authentication method—are approved for the protection of cryptographic
>>keys, in addition to general data."
>>So if one considers that to be good enough advice, AES-GCM would indeed
>>be an acceptable method of key wrapping. The chairs asked me to
>>cross-post this for discussion.
> Thanks for sending out the pointer.
> I think the biggest negative with using AES-GCM for key wrapping is that
> GCM is not designed to be misuse-resistant.   In contrast, the AES-KW
> algorithm does provide some misuse resistance: the AES-KW encryption
> algorithm does not require that the caller provide a distinct nonce for
> each invocation.

  AES-SIV was designed for key wrapping and provides misuse resistance.
One can obtain authenticated encryption without providing a distinct
nonce each time. It is more efficient than AES-KW too.

> The biggest negative with requiring the use of AES-KW for key wrapping is
> that, it requires the implementation of the AES decryption operation
> (unlike GCM), it is yet another algorithm to implement/test/validate, and
> it takes up space that is precious in a constrained environment.

  AES-SIV does not require the AES decryption operation. So you get
that benefit and you still get misuse-resistant authenticated encryption.

  Another cool benefit to AES-SIV key wrapping is that it can accept AAD.
So you can bind in other data into the wrapping, such as a header of the
payload of the message containing the wrapped key.

> NIST is right to allow other authenticated encryption methods than AES-KW
> to be used for key wrapping.   But if AES-KW is available for JOSE, then
> it makes sense to use it for key wrapping.

  But they're not right in not allowing AES-SIV. I have raised this with them
on multiple occasions and the response is basically a catch-22-- NIST won't
bless it unless it's used in some major protocol but major protocols are
loath to specify some crypto mode that has not been blessed by NIST.

  AES-SIV is the right tool for this job. Consider using it. It's
specified in RFC 5297 and there's a security proof in the paper that
defined it: "Deterministic Authenticated Encryption: A Provable-Security
Treatment of the Key-Wrap Problem" by Rogaway and Shrimpton.
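An added example, not code from this thread, from RFC 5297 or from anyone quoted above: AES-SIV wrap and unwrap assembled from AES-CMAC and AES-CTR with the third-party `cryptography` package (assumed to be installed), with `wrap`, `unwrap` and `s2v` as my own names. It exhibits the three properties claimed for AES-SIV above: no nonce is needed, AES is used only in the encrypt direction (CMAC and CTR both call the forward cipher), and AAD is bound into the synthetic IV so unwrapping under different AAD fails.

```python
import hmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.cmac import CMAC

def _dbl(b: bytes) -> bytes:
    n = int.from_bytes(b, "big") << 1  # doubling in GF(2^128), RFC 5297 section 2.3
    if n >> 128:
        n ^= (1 << 128) | 0x87  # drop the carry bit and reduce by x^7 + x^2 + x + 1
    return n.to_bytes(16, "big")

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _cmac(key: bytes, msg: bytes) -> bytes:
    c = CMAC(algorithms.AES(key))  # CMAC only ever runs AES in the encrypt direction
    c.update(msg)
    return c.finalize()

def s2v(k1: bytes, ad: list[bytes], pt: bytes) -> bytes:
    """Synthetic IV: chained CMACs of every AAD string and of the plaintext (section 2.4)."""
    d = _cmac(k1, bytes(16))
    for a in ad:
        d = _xor(_dbl(d), _cmac(k1, a))
    if len(pt) >= 16:  # xorend: fold D into the last 16 bytes of the plaintext
        t = pt[:-16] + _xor(pt[-16:], d)
    else:  # short plaintext: pad with 10* and xor with dbl(D)
        t = _xor(_dbl(d), pt + b"\x80" + bytes(15 - len(pt)))
    return _cmac(k1, t)

def _ctr(k2: bytes, v: bytes, data: bytes) -> bytes:
    iv = bytearray(v)
    iv[8] &= 0x7F  # clear bit 63 ...
    iv[12] &= 0x7F  # ... and bit 31 of the counter block (section 2.5)
    enc = Cipher(algorithms.AES(k2), modes.CTR(bytes(iv))).encryptor()
    return enc.update(data) + enc.finalize()

def wrap(key: bytes, ad: list[bytes], pt: bytes) -> bytes:
    """Deterministic: no nonce, equal (key, ad, pt) always give equal output. K1 is the left half."""
    k1, k2 = key[: len(key) // 2], key[len(key) // 2 :]
    v = s2v(k1, ad, pt)
    return v + _ctr(k2, v, pt)

def unwrap(key: bytes, ad: list[bytes], ct: bytes) -> bytes:
    if len(ct) < 16:
        raise ValueError("AES-SIV ciphertext shorter than the 16-byte synthetic IV")
    k1, k2 = key[: len(key) // 2], key[len(key) // 2 :]
    pt = _ctr(k2, ct[:16], ct[16:])
    if not hmac.compare_digest(s2v(k1, ad, pt), ct[:16]):  # ciphertext or AAD changed
        raise ValueError("AES-SIV authentication failed")
    return pt
```

Checked against the RFC 5297 appendix A.1 vector: key fffefdfc...f3f2f1f0 || f0f1f2f3...fcfdfeff, AD 10111213...24252627, plaintext 11223344...ccddee must wrap to 85632d07 c6e8f37f 950acd32 0a2ecc93 40c02b96 90c4dc04 daef7f6a fe5c.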