Re: [Cfrg] Use of authenticated encryption for key wrapping
"Dan Harkins" <dharkins@lounge.org> Mon, 09 December 2013 02:03 UTC
Message-ID: <5592752071777e5b279de4ab96af73e3.squirrel@www.trepanning.net>
In-Reply-To: <747787E65E3FBD4E93F0EB2F14DB556B183EB276@xmb-rcd-x04.cisco.com>
References: <747787E65E3FBD4E93F0EB2F14DB556B183EB276@xmb-rcd-x04.cisco.com>
Date: Sun, 08 Dec 2013 18:03:31 -0800
From: Dan Harkins <dharkins@lounge.org>
To: "David McGrew (mcgrew)" <mcgrew@cisco.com>
Cc: Brian Weis <bew@cisco.com>, "cfrg@ietf.org" <cfrg@ietf.org>, "jose@ietf.org" <jose@ietf.org>
Subject: Re: [Cfrg] Use of authenticated encryption for key wrapping
Hello,

On Mon, March 18, 2013 5:24 am, David McGrew (mcgrew) wrote:
> Hi Brian,
>
> On 3/15/13 11:42 AM, "Brian Weis (bew)" <bew@cisco.com> wrote:
>
>>Jim Schaad gave a presentation on JOSE to CFRG today
>>(<http://www.ietf.org/proceedings/86/slides/slides-86-cfrg-5.pdf>). The
>>question came up as to whether AES key wrap was necessarily the only
>>method that was safe for key wrapping in JOSE. The other algorithm under
>>consideration is AES-GCM.
>>
>>Section 3.1 of NIST 800-38F (Methods for Key Wrapping) says:
>>
>>"Previously approved authenticated-encryption modes -- as well as
>>combinations of an approved encryption mode with an approved
>>authentication method -- are approved for the protection of cryptographic
>>keys, in addition to general data."
>>
>>So if one considers that to be good enough advice, AES-GCM would indeed
>>be an acceptable method of key wrapping. The chairs asked me to
>>cross-post this for discussion.
>
> Thanks for sending out the pointer.
>
> I think the biggest negative with using AES-GCM for key wrapping is that
> GCM is not designed to be misuse-resistant. In contrast, the AES-KW
> algorithm does provide some misuse resistance: the AES-KW encryption
> algorithm does not require that the caller provide a distinct nonce for
> each invocation.

  AES-SIV was designed for key wrapping and provides misuse resistance.
One can obtain authenticated encryption without providing a distinct
nonce each time. It is more efficient than AES-KW too.

> The biggest negative with requiring the use of AES-KW for key wrapping is
> that, it requires the implementation of the AES decryption operation
> (unlike GCM), it is yet another algorithm to implement/test/validate, and
> it takes up space that is precious in a constrained environment.

  AES-SIV does not require the AES decryption operation. So you get that
benefit and you still get misuse-resistant authenticated encryption.
Another cool benefit to AES-SIV key wrapping is that it can accept AAD.
So you can bind other data into the wrapping, such as a header of the
payload of the message containing the wrapped key.

> NIST is right to allow other authenticated encryption methods than AES-KW
> to be used for key wrapping. But if AES-KW is available for JOSE, then
> it makes sense to use it for key wrapping.

  But they're not right in not allowing AES-SIV. I have raised this with
them on multiple occasions and the response is basically a catch-22--
NIST won't bless it unless it's used in some major protocol but major
protocols are loath to specify some crypto mode that has not been
blessed by NIST.

  AES-SIV is the right tool for this job. Consider using it. It's
specified in RFC 5297 and there's a security proof in the paper that
defined it: "Deterministic Authenticated Encryption: A Provable-Security
Treatment of the Key-Wrap Problem" by Rogaway and Shrimpton.

  regards,

  Dan.
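Added example, not part of Dan's message and not taken from any existing RFC 5297 implementation: a stand-alone AES-SIV in Go using only the standard library, to make the three points in the thread concrete. Seal takes no nonce parameter, so wrapping the same key under the same KEK twice yields identical bytes; the JOSE-style header is passed as associated data, so altering it makes Open fail; and both CMAC and CTR call only the forward AES operation, so no AES decryption is implemented anywhere. main runs the RFC 5297 Appendix A.1 inputs so the printed output can be compared with the vector in the RFC, then wraps a constructed 32-byte content key under that same key used as a KEK. The header JSON, its "alg":"AES-SIV" value, the content key, and the SIV/Seal/Open names are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

func dbl(in []byte) []byte { // GF(2^128) doubling (RFC 5297 2.3): shift left, XOR 0x87 if the top bit was set
	hi, lo := binary.BigEndian.Uint64(in), binary.BigEndian.Uint64(in[8:])
	out := binary.BigEndian.AppendUint64(nil, hi<<1|lo>>63)
	return binary.BigEndian.AppendUint64(out, lo<<1^(0x87&-(hi>>63)))
}
func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}
func cmac(block cipher.Block, msg []byte) []byte { // AES-CMAC (RFC 4493); note only the forward cipher is used
	k := make([]byte, 16)
	block.Encrypt(k, k) // L = E_K(0^128); K1 = dbl(L); K2 = dbl(K1)
	k = dbl(k)
	m := append([]byte(nil), msg...)
	if len(m) == 0 || len(m)%16 != 0 { // partial final block: 10* pad and switch to K2
		m = append(m, 0x80)
		m = append(m, make([]byte, (16-len(m)%16)%16)...)
		k = dbl(k)
	}
	xorInto(m[len(m)-16:], k)
	x := make([]byte, 16)
	for i := 0; i < len(m); i += 16 {
		xorInto(x, m[i:i+16])
		block.Encrypt(x, x)
	}
	return x
}
func s2v(block cipher.Block, strs ...[]byte) []byte { // RFC 5297 2.4; the last string is the plaintext
	d := cmac(block, make([]byte, 16))
	for _, s := range strs[:len(strs)-1] {
		d = dbl(d)
		xorInto(d, cmac(block, s))
	}
	t := append([]byte(nil), strs[len(strs)-1]...)
	if len(t) < 16 { // short final string: 10* pad and use dbl(D)
		t = append(t, 0x80)
		t = append(t, make([]byte, 16-len(t))...)
		d = dbl(d)
	}
	xorInto(t[len(t)-16:], d) // "xorend": XOR D into the last 16 bytes
	return cmac(block, t)
}

type SIV struct{ mac, ctr cipher.Block } // key = K1 || K2: K1 keys S2V/CMAC, K2 keys CTR
func NewSIV(key []byte) (*SIV, error) {
	mac, err1 := aes.NewCipher(key[:len(key)/2])
	ctr, err2 := aes.NewCipher(key[len(key)/2:])
	if err1 != nil || err2 != nil {
		return nil, errors.New("AES-SIV key must be 32, 48 or 64 bytes")
	}
	return &SIV{mac, ctr}, nil
}
func (s *SIV) ctrStream(v []byte) cipher.Stream { // clear bits 63 and 31 of V before using it as the counter
	q := append([]byte(nil), v...)
	q[8], q[12] = q[8]&0x7f, q[12]&0x7f
	return cipher.NewCTR(s.ctr, q)
}
func (s *SIV) Seal(plaintext []byte, ad ...[]byte) []byte { // returns V || CTR(plaintext); no nonce, so equal inputs give equal output
	v := s2v(s.mac, append(ad[:len(ad):len(ad)], plaintext)...) // full slice expr: never alias the caller's AD
	out := make([]byte, 16+len(plaintext))
	copy(out, v)
	s.ctrStream(v).XORKeyStream(out[16:], plaintext)
	return out
}
func (s *SIV) Open(ciphertext []byte, ad ...[]byte) ([]byte, error) { // recomputes V over (AD, plaintext); fails closed on mismatch
	if len(ciphertext) < 16 {
		return nil, errors.New("ciphertext shorter than the 16-byte SIV")
	}
	v, plaintext := ciphertext[:16], make([]byte, len(ciphertext)-16)
	s.ctrStream(v).XORKeyStream(plaintext, ciphertext[16:])
	if subtle.ConstantTimeCompare(s2v(s.mac, append(ad[:len(ad):len(ad)], plaintext)...), v) != 1 {
		return nil, errors.New("AES-SIV authentication failed")
	}
	return plaintext, nil
}

func main() {
	key, _ := hex.DecodeString("fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff") // RFC 5297 A.1 inputs
	ad, _ := hex.DecodeString("101112131415161718191a1b1c1d1e1f2021222324252627")
	pt, _ := hex.DecodeString("112233445566778899aabbccddee")
	s, _ := NewSIV(key)
	hdr := []byte(`{"alg":"AES-SIV","enc":"A256GCM"}`) // JOSE-style header bound in as AD; this "alg" value is made up
	w := s.Seal([]byte("thirty-two-byte content key here"), hdr) // the RFC key doubles as a constructed KEK
	_, err := s.Open(w, []byte(`{"alg":"AES-SIV","enc":"A128GCM"}`))
	fmt.Printf("RFC 5297 A.1: %x\nwrapped CEK: %x\naltered header rejected: %v\n", s.Seal(pt, ad), w, err != nil)
}
```

The check that matters when writing one of these is the Appendix A.1 vector, not a round trip: a CMAC padding slip or a missed counter mask changes V on both sides equally, so Seal followed by Open still succeeds while the output no longer interoperates with anything else.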