Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?
Following up on my own question:

On Dec 24, 2014, at 3:44 PM, Jeffrey Goldberg jeff...@goldmark.org wrote:

> My big question is whether use of Key Wrap (RFC 3394) is recommended or not. If I want provable security, then I should use a generated AEAD construction, but there is nothing known to be wrong with Key Wrap.
>
> My intuition is that the integrity check (see section 2.2.3 of http://www.ietf.org/rfc/rfc3394.txt ) does more harm than good in providing necessary integrity checks.

My intuition was wrong. This is designed to prevent adaptive CCAs. (Though I still don’t fully understand how.)

> I assume that this has been discussed somewhere, but my Google-fu is failing me today. Pointers to the literature would be welcome.

And the exact paper has already been written:

@incollection{rogaway2006provable,
  title={A provable-security treatment of the key-wrap problem},
  author={Rogaway, Phillip and Shrimpton, Thomas},
  booktitle={Advances in Cryptology-EUROCRYPT 2006},
  pages={373--390},
  year={2006},
  publisher={Springer}
}

As I see it from that paper, the advantages of a key-wrap scheme over using a generic AEAD scheme are that

(a) it may be lighter weight in computation and size of ciphertext
(b) it defends against “IV misuse”
(c) RFC 3394 has been around for a while and is widely available

Cheers,

-j

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?
> As I see it from that paper, the advantages of a key-wrap scheme over using a generic AEAD scheme are that
>
> (a) it may be lighter weight in computation and size of ciphertext
> (b) it defends against “IV misuse”
> (c) RFC 3394 has been around for a while and is widely available

The paper in question is available online: https://eprint.iacr.org/2006/221.pdf

The construct in RFC3394 I believe is the same as the one in Appendix A (from the ANSI X9.102 draft standard). The stated security goal is IND-CCA2. However, if you read further you will come across this little gem:

> There is no proof of security, and the mechanism is so complex that providing one would be difficult.

The suggested mode of operation for keywrap is SIV mode, which is documented both in the above paper and in RFC5297. It provides deterministic CCA encryption but fails the indistinguishability under eavesdropping experiment (any two ciphertexts encrypted under a given key that are equal correspond to the same plaintext).

Keywrap in SIV mode (without the additional data) is essentially: IV=MAC(k,P), ENC(IV,k,P); the verification/integrity check is done after decryption by recomputing the MAC, and ideally the MAC and encryption keys are distinct.

- Naveen
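Both Jeff's question about what the section 2.2.3 integrity check buys and Naveen's contrast with SIV turn on the same mechanism: in RFC 3394 the 64-bit register A is threaded through all 6*n AES calls and must come back out as the constant A6A6A6A6A6A6A6A6, so any modification of the wrapped blob is detected on unwrap without a separate MAC. The following is an added example written for this thread, not code from any of the posters or from the RFC; it implements the index-based wrap and unwrap of RFC 3394 sections 2.2.1 and 2.2.2 over Go's standard AES and checks itself against the 128-bit KEK test vector from section 4.1 of the RFC, then shows that a single flipped ciphertext bit fails the check and yields no plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// DefaultIV is the fixed 64-bit integrity check value of RFC 3394, section 2.2.3.1.
// Unwrap must recover exactly this value in register A; any change to the
// ciphertext alters A with overwhelming probability (about 1 - 2^-64).
var DefaultIV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Wrap implements the index-based wrap of RFC 3394, section 2.2.1.
// kek is an AES key; plaintext is the key data, n 64-bit blocks with n >= 2.
// Layout of the result: C[0] = A, C[i] = R[i] for i = 1..n.
func Wrap(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext) < 16 || len(plaintext)%8 != 0 {
		return nil, errors.New("key data must be n*64 bits with n >= 2")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	out := make([]byte, 8+len(plaintext))
	copy(out[:8], DefaultIV[:]) // A = IV
	copy(out[8:], plaintext)    // R[i] = P[i]
	a := out[:8]
	buf := make([]byte, 16)
	for j := 0; j <= 5; j++ {
		for i := 1; i <= n; i++ {
			r := out[i*8 : (i+1)*8]
			copy(buf[:8], a) // B = AES(K, A | R[i])
			copy(buf[8:], r)
			block.Encrypt(buf, buf)
			t := uint64(n*j + i) // A = MSB(64, B) ^ t
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(buf[:8])^t)
			copy(r, buf[8:]) // R[i] = LSB(64, B)
		}
	}
	return out, nil
}

// Unwrap implements the index-based unwrap of RFC 3394, section 2.2.2, followed
// by the integrity check of section 2.2.3. On failure it returns an error and
// no plaintext, so a caller never sees key material that did not pass the check.
func Unwrap(kek, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 24 || len(ciphertext)%8 != 0 {
		return nil, errors.New("ciphertext must be (n+1)*64 bits with n >= 2")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1
	work := make([]byte, len(ciphertext))
	copy(work, ciphertext) // A = C[0], R[i] = C[i]
	a := work[:8]
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			r := work[i*8 : (i+1)*8]
			t := uint64(n*j + i) // B = AES^-1(K, (A ^ t) | R[i])
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^t)
			copy(buf[8:], r)
			block.Decrypt(buf, buf)
			copy(a, buf[:8]) // A = MSB(64, B)
			copy(r, buf[8:]) // R[i] = LSB(64, B)
		}
	}
	if !bytes.Equal(a, DefaultIV[:]) {
		return nil, errors.New("RFC 3394 integrity check failed")
	}
	return work[8:], nil
}

func main() {
	// KEK and key data of the RFC 3394 section 4.1 test vector (128-bit KEK, 128-bit key).
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	key, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	c, err := Wrap(kek, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped:   %X\n", c)
	p, err := Unwrap(kek, c)
	fmt.Printf("unwrapped: %X err=%v\n", p, err)
	c[9] ^= 0x01 // flip one bit inside the wrapped key data
	_, err = Unwrap(kek, c)
	fmt.Println("tampered:", err)
}
```

The point worth noticing against the SIV description above is that there is no separate tag to compare: the "MAC" is the register A itself, mixed into every block by the chained AES calls, which is why the check costs no extra ciphertext beyond the one 64-bit block and why the construction needs none of the IV handling that a nonce-based AEAD does.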
Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?
The NIST Key Wrap is unauthored, which in practice means it's an NSA construction. That doesn't mean it's insecure. In fact, if anything, it's over-engineered. It's designed to achieve CCA2 security (or an equivalent deterministic definition) for high-entropy messages. It probably does that, despite the absence of a security proof or any definitions at all. You could probably write a proof if you cared.

I wouldn't use it on principle. There are more elegant constructions with proper analysis. NIST should stop publishing things just because someone at NSA tells them to.

Matt

On Dec 24, 2014, at 7:29 PM, Naveen Nathan nav...@lastninja.net wrote:

>> As I see it from that paper, the advantages of a key-wrap scheme over using a generic AEAD scheme are that
>>
>> (a) it may be lighter weight in computation and size of ciphertext
>> (b) it defends against “IV misuse”
>> (c) RFC 3394 has been around for a while and is widely available
>
> The paper in question is available online: https://eprint.iacr.org/2006/221.pdf
>
> The construct in RFC3394 I believe is the same as the one in Appendix A (from the ANSI X9.102 draft standard). The stated security goal is IND-CCA2. However, if you read further you will come across this little gem:
>
>> There is no proof of security, and the mechanism is so complex that providing one would be difficult.
>
> The suggested mode of operation for keywrap is SIV mode, which is documented both in the above paper and in RFC5297. It provides deterministic CCA encryption but fails the indistinguishability under eavesdropping experiment (any two ciphertexts encrypted under a given key that are equal correspond to the same plaintext).
>
> Keywrap in SIV mode (without the additional data) is essentially: IV=MAC(k,P), ENC(IV,k,P); the verification/integrity check is done after decryption by recomputing the MAC, and ideally the MAC and encryption keys are distinct.
>
> - Naveen
Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?
Yes, but if the NSA starts publishing things, people might realize the NSA exists.

On Wed, Dec 24, 2014 at 4:48 PM, Matthew Green matthewdgr...@gmail.com wrote:

> The NIST Key Wrap is unauthored, which in practice means it's an NSA construction. That doesn't mean it's insecure. In fact, if anything, it's over-engineered. It's designed to achieve CCA2 security (or an equivalent deterministic definition) for high-entropy messages. It probably does that, despite the absence of a security proof or any definitions at all. You could probably write a proof if you cared.
>
> I wouldn't use it on principle. There are more elegant constructions with proper analysis. NIST should stop publishing things just because someone at NSA tells them to.
>
> Matt
>
> On Dec 24, 2014, at 7:29 PM, Naveen Nathan nav...@lastninja.net wrote:
>
>>> As I see it from that paper, the advantages of a key-wrap scheme over using a generic AEAD scheme are that
>>>
>>> (a) it may be lighter weight in computation and size of ciphertext
>>> (b) it defends against “IV misuse”
>>> (c) RFC 3394 has been around for a while and is widely available
>>
>> The paper in question is available online: https://eprint.iacr.org/2006/221.pdf
>>
>> The construct in RFC3394 I believe is the same as the one in Appendix A (from the ANSI X9.102 draft standard). The stated security goal is IND-CCA2. However, if you read further you will come across this little gem:
>>
>>> There is no proof of security, and the mechanism is so complex that providing one would be difficult.
>>
>> The suggested mode of operation for keywrap is SIV mode, which is documented both in the above paper and in RFC5297. It provides deterministic CCA encryption but fails the indistinguishability under eavesdropping experiment (any two ciphertexts encrypted under a given key that are equal correspond to the same plaintext).
>>
>> Keywrap in SIV mode (without the additional data) is essentially: IV=MAC(k,P), ENC(IV,k,P); the verification/integrity check is done after decryption by recomputing the MAC, and ideally the MAC and encryption keys are distinct.
>>
>> - Naveen