Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

2014-12-24 Thread Jeffrey Goldberg
Following up on my own question:

 On Dec 24, 2014, at 3:44 PM, Jeffrey Goldberg jeff...@goldmark.org wrote:
 
 My big question is whether use of Key Wrap (RFC 3394) is recommended or not.

If I want provable security, then I should use a generated AEAD construction, but there is nothing known to be wrong with Key Wrap.

 My intuition is that the integrity check (see section 2.2.3 of http://www.ietf.org/rfc/rfc3394.txt )
 does more harm than good in providing necessary integrity checks.

My intuition was wrong. This is designed to prevent adaptive CCAs. (Though I still don’t fully understand how).

 I assume that this has been discussed somewhere, but my Google-fu is failing me today.
 Pointers to the literature would be welcome.

And the exact paper has already been written:

@incollection{rogaway2006provable,
  title={A provable-security treatment of the key-wrap problem},
  author={Rogaway, Phillip and Shrimpton, Thomas},
  booktitle={Advances in Cryptology-EUROCRYPT 2006},
  pages={373--390},
  year={2006},
  publisher={Springer}
}

As I see it from that paper the advantages of a key-wrap scheme over using a
generic AEAD scheme are that

(a) it may be lighter weight in computation and size of ciphertext
(b) Defends against “IV misuse”.
(c) RFC 3394 has been around for a while and is widely available

Cheers,

-j

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
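The section 2.2.3 integrity check discussed in the message above, as an added example written for this page (not code from the thread, the RFC, or any library). The wrap and unwrap loops follow RFC 3394 sections 2.2.1 and 2.2.2; the 128-bit block cipher is an assumed stand-in (a small HMAC-SHA256 Feistel permutation, because the Python standard library has no AES), so the outputs are not the RFC's test vectors, and the KEK and key values are constructed. What it shows is how the 0xA6A6A6A6A6A6A6A6 initial value survives a correct unwrap but is scrambled by any change to the ciphertext or by a wrong KEK, so that unwrap rejects instead of handing back a key.

```python
import hmac
import hashlib
import struct

# RFC 3394 section 2.2.3: the default 64-bit initial value whose survival
# through unwrap is the integrity check.
AIV = bytes.fromhex("A6A6A6A6A6A6A6A6")

# --- Stand-in block cipher (assumption) -----------------------------------
# RFC 3394 wraps with AES. The standard library has no AES, so a 4-round
# Feistel network keyed with HMAC-SHA256 plays the role of a 128-bit block
# permutation here. It only lets the wrap logic run offline; it is not AES
# and carries no security claim. Swap in AES-ECB from a real library.
ROUNDS = 4

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:16]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:16]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right

# --- RFC 3394 wrap / unwrap ------------------------------------------------
def _xor_counter(block64: bytes, t: int) -> bytes:
    # A ^ t with t as a big-endian 64-bit integer (RFC 3394 section 2.2.1)
    return struct.pack(">Q", struct.unpack(">Q", block64)[0] ^ t)

def key_wrap(kek: bytes, key_data: bytes) -> bytes:
    """Wrap per RFC 3394 section 2.2.1: six passes over n 64-bit blocks."""
    if len(key_data) % 8 or len(key_data) < 16:
        raise ValueError("key data must be a multiple of 64 bits, at least 128 bits")
    n = len(key_data) // 8
    a = AIV
    r = [key_data[i * 8:(i + 1) * 8] for i in range(n)]
    for j in range(6):
        for i in range(n):
            b = toy_encrypt_block(kek, a + r[i])
            a = _xor_counter(b[:8], n * j + (i + 1))   # t = (n*j)+i, i 1-based
            r[i] = b[8:]
    return a + b"".join(r)

def key_unwrap(kek: bytes, wrapped: bytes) -> bytes:
    """Unwrap per RFC 3394 section 2.2.2, then the section 2.2.3 check."""
    if len(wrapped) % 8 or len(wrapped) < 24:
        raise ValueError("wrapped data must be a multiple of 64 bits, at least 192 bits")
    n = len(wrapped) // 8 - 1
    a = wrapped[:8]
    r = [wrapped[(i + 1) * 8:(i + 2) * 8] for i in range(n)]
    for j in reversed(range(6)):
        for i in reversed(range(n)):
            b = toy_decrypt_block(kek, _xor_counter(a, n * j + (i + 1)) + r[i])
            a, r[i] = b[:8], b[8:]
    # Integrity check: a wrong KEK or any altered ciphertext block scrambles
    # the recovered A with overwhelming probability, so the key is rejected
    # rather than returned to the caller.
    if not hmac.compare_digest(a, AIV):
        raise ValueError("RFC 3394 integrity check failed")
    return b"".join(r)

def unwrap_accepts(kek: bytes, wrapped: bytes) -> bool:
    """True if unwrap passes the integrity check, False if it is rejected."""
    try:
        key_unwrap(kek, wrapped)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample values, not RFC 3394 test vectors (those need real AES).
    kek = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    wrapped = key_wrap(kek, key)
    print("wrapped :", wrapped.hex(), f"({len(wrapped)} bytes: 64-bit A + key)")
    print("unwrap  :", key_unwrap(kek, wrapped).hex())
    flipped = wrapped[:-1] + bytes([wrapped[-1] ^ 0x01])
    print("tampered accepted?", unwrap_accepts(kek, flipped))
    print("wrong KEK accepted?", unwrap_accepts(bytes(16), wrapped))
```

The property worth noticing is that a caller never sees partially unwrapped key material: every modification funnels into the single 64-bit comparison at the end, and the unwrap routine returns either the whole key or an error, which is the behaviour a chosen-ciphertext defence needs from a deterministic scheme.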


Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

2014-12-24 Thread Naveen Nathan
 As I see it from that paper the advantages of a key-wrap scheme over using a
 generic AEAD scheme are that
 
 (a) it may be lighter weight in computation and size of ciphertext
 (b) Defends against “IV misuse”.
 (c) RFC 3394 has been around for a while and is widely available

The paper in question is available online:
https://eprint.iacr.org/2006/221.pdf

The construct in RFC 3394 I believe is the same as in Appendix A (from the ANSI X9.102 draft standard).
The stated security goal is IND-CCA2. However, if you read further you will come across this little gem:
"There is no proof of security, and the mechanism is so complex that providing one would be difficult."

The suggested mode of operation for key wrap is SIV mode, which is documented both in the above paper
and in RFC 5297. It provides deterministic CCA encryption but fails the indistinguishability-under-eavesdropping
experiment (any two ciphertexts encrypted under a given key that are equal correspond to the same plaintext).

Key wrap in SIV mode (without the additional data) is essentially: IV = MAC(k, P), ENC(IV, k, P);
the verification/integrity check is done after decryption by recomputing the MAC, and ideally the
MAC and encryption keys are distinct.

- Naveen
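The IV = MAC(k, P), ENC(IV, k, P) construction described in the message above, as an added example written for this page (not code from RFC 5297, from the Rogaway-Shrimpton paper, or from any library). Assumptions: HMAC-SHA256 serves as the MAC and, run in counter mode, as the keystream generator, in place of the AES-CMAC/S2V and AES-CTR of RFC 5297; the MAC key and the encryption key are derived separately from one master key so that they are distinct, as recommended; associated data is omitted as in the description; all key values are constructed. The demo makes the two properties in the message visible: the scheme is deterministic (equal plaintexts give equal ciphertexts), and the check after decryption rejects any modified blob.

```python
import hmac
import hashlib
import struct

TAG_LEN = 16  # 128-bit synthetic IV; it doubles as the authentication tag

def _derive_keys(master: bytes):
    # Assumption: two distinct subkeys derived from one master key with HMAC
    # as a PRF. RFC 5297 instead splits the supplied key into two halves.
    k_mac = hmac.new(master, b"key-wrap-siv/mac", hashlib.sha256).digest()
    k_enc = hmac.new(master, b"key-wrap-siv/enc", hashlib.sha256).digest()
    return k_mac, k_enc

def _keystream(k_enc: bytes, iv: bytes, length: int) -> bytes:
    # Counter-mode keystream. Assumption: HMAC-SHA256(k_enc, IV || counter)
    # stands in for the AES-CTR keystream so this runs on the standard library.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, iv + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def siv_wrap(master: bytes, key_data: bytes) -> bytes:
    """IV = MAC(k_mac, P); C = ENC(k_enc, IV, P); output IV || C."""
    k_mac, k_enc = _derive_keys(master)
    iv = hmac.new(k_mac, key_data, hashlib.sha256).digest()[:TAG_LEN]
    return iv + _xor(key_data, _keystream(k_enc, iv, len(key_data)))

def siv_unwrap(master: bytes, blob: bytes) -> bytes:
    """Decrypt first, then recompute the MAC over the recovered plaintext and
    compare it with the transmitted IV; reject on mismatch."""
    if len(blob) < TAG_LEN:
        raise ValueError("blob too short to contain the synthetic IV")
    k_mac, k_enc = _derive_keys(master)
    iv, ct = blob[:TAG_LEN], blob[TAG_LEN:]
    pt = _xor(ct, _keystream(k_enc, iv, len(ct)))
    expected = hmac.new(k_mac, pt, hashlib.sha256).digest()[:TAG_LEN]
    # Constant-time compare: the tag is the only thing standing between a
    # modified blob and a returned key, so do not leak how it mismatched.
    if not hmac.compare_digest(iv, expected):
        raise ValueError("SIV integrity check failed")
    return pt

def siv_accepts(master: bytes, blob: bytes) -> bool:
    """True if the blob unwraps cleanly, False if the check rejects it."""
    try:
        siv_unwrap(master, blob)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample values.
    master = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")
    key = bytes.fromhex("00112233445566778899aabbccddeeff0011223344556677")
    w1, w2 = siv_wrap(master, key), siv_wrap(master, key)
    print("deterministic (same P -> same C):", w1 == w2)
    print("round trip ok:", siv_unwrap(master, w1) == key)
    print("flipped ciphertext bit accepted?", siv_accepts(master, w1[:-1] + bytes([w1[-1] ^ 1])))
    print("flipped IV bit accepted?", siv_accepts(master, bytes([w1[0] ^ 1]) + w1[1:]))
```

Because the IV is a function of the plaintext, an observer who sees two equal blobs learns that the same key was wrapped twice; that is exactly the eavesdropping distinguishability the message says SIV gives up, and it is acceptable for key wrap only because the wrapped keys are high-entropy and not attacker-chosen.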


Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

2014-12-24 Thread Matthew Green
The NIST Key Wrap is unauthored, which in practice means it's an NSA 
construction. That doesn't mean it's insecure. In fact if anything it's 
over-engineered. 

It's designed to achieve CCA2 security (or an equivalent deterministic 
definition) for high-entropy messages. It probably does that, despite the 
absence of a security proof or any definitions at all. You could probably write 
a proof if you cared. 

I wouldn't use it on principle. There are more elegant constructions with 
proper analysis. NIST should stop publishing things just because someone at NSA 
tells them to. 

Matt



Re: [cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

2014-12-24 Thread Ryan Carboni
Yes, but if the NSA starts publishing things, people might realize the NSA exists.
