Re: [Cfrg] Use of authenticated encryption for key wrapping

"Dan Harkins" <dharkins@lounge.org> Mon, 09 December 2013 02:03 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 057851AE1A2; Sun, 8 Dec 2013 18:03:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.467
X-Spam-Level:
X-Spam-Status: No, score=-2.467 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SglNYLCWMcYM; Sun, 8 Dec 2013 18:03:36 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id 7EC3A1AE0E3; Sun, 8 Dec 2013 18:03:36 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id CD85010224008; Sun, 8 Dec 2013 18:03:31 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Sun, 8 Dec 2013 18:03:31 -0800 (PST)
Message-ID: <5592752071777e5b279de4ab96af73e3.squirrel@www.trepanning.net>
In-Reply-To: <747787E65E3FBD4E93F0EB2F14DB556B183EB276@xmb-rcd-x04.cisco.com>
References: <747787E65E3FBD4E93F0EB2F14DB556B183EB276@xmb-rcd-x04.cisco.com>
Date: Sun, 8 Dec 2013 18:03:31 -0800 (PST)
From: "Dan Harkins" <dharkins@lounge.org>
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: Brian Weis <bew@cisco.com>, "cfrg@ietf.org" <cfrg@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [Cfrg] Use of authenticated encryption for key wrapping
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2013 02:03:38 -0000

  Hello,

On Mon, March 18, 2013 5:24 am, David McGrew (mcgrew) wrote:
> Hi Brian,
>
> On 3/15/13 11:42 AM, "Brian Weis (bew)" <bew@cisco.com>; wrote:
>
>>Jim Schaad gave a presentation on JOSE to CFRG today
>>(<http://www.ietf.org/proceedings/86/slides/slides-86-cfrg-5.pdf>). The
>>question came up as to whether AES key wrap was necessarily the only
>>method that was safe for key wrapping in JOSE. The other algorithm under
>>consideration is AES-GCM.
>>
>>Section 3.1 of NIST 800-38F (Methods for Key Wrapping) says:
>>
>>"Previously approved authenticated-encryption modes¬čas well as
>>combinations of an approved encryption mode with an approved
>>authentication method¬čare approved for the protection of cryptographic
>>keys, in addition to general data."
>>
>>So if one considers that to be good enough advice, AES-GCM would indeed
>>be an acceptable method of key wrapping. The chairs asked me to
>>cross-post this for discussion.
>
> Thanks for sending out the pointer.
>
> I think the biggest negative with using AES-GCM for key wrapping is that
> GCM is not designed to be misuse-resistant.   In contrast, the AES-KW
> algorithm does provide some misuse resistance: the AES-KW encryption
> algorithm does not require that the caller provide a distinct nonce for
> each invocation.

  AES-SIV was designed for key wrapping and provides misuse resistance.
Once can obtain authenticated encryption without providing a distinct
nonce each time. It is more efficient than AES-KW too.

> The biggest negative with requiring the use of AES-KW for key wrapping is
> that, it requires the implementation of the AES decryption operation
> (unlike GCM), it is yet another algorithm to implement/test/validate, and
> it takes up space that is precious in a constrained environment.

  AES-SIV does not require the AES decryption operation. So you get
that benefit and you still get misuse-resistant authenticated encryption.

  Another cool benefit to AES-SIV key wrapping is that it can accept AAD.
So you can bind in other data into the wrapping, such as a header of the
payload of the message containing the wrapped key.

> NIST is right to allow other authenticated encryption methods than AES-KW
> to be used for key wrapping.   But if AES-KW is available for JOSE, then
> it makes sense to use it for key wrapping.

  But they're not right in not allowing AES-SIV. I have raised this with them
on multiple occasions and the response is basically a catch-22-- NIST won't
bless it unless it's used in some major protocol but major protocols are
loath to specify some crypto mode that has not been blessed by NIST.

  AES-SIV is the right tool for this job. Consider using it. It's
specified in
RFC 5297 and there's a security proof in the paper that defined it:
"Deterministic Authenticated Encryption: A Provable-Security Treatment
of the Key-Wrap Problem" by Rogaway and Shrimpton.

  regards,

  Dan.