[cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

Matthew Green matthewdgreen at gmail.com
Wed Dec 24 19:48:22 EST 2014


The NIST Key Wrap is unauthored, which in practice means it's an NSA construction. That doesn't mean it's insecure. In fact if anything it's over-engineered. 

It's designed to achieve CCA2 security (or an equivalent deterministic definition) for high-entropy messages. It probably does that, despite the absence of a security proof or any definitions at all. You could probably write a proof if you cared. 

I wouldn't use it on principle. There are more elegant constructions with proper analysis. NIST should stop publishing things just because someone at NSA tells them to. 

Matt

On Dec 24, 2014, at 7:29 PM, Naveen Nathan <naveen at lastninja.net> wrote:

>> As I see it from that paper the advantages of a key-wrap scheme over using a
>> generic AEAD scheme is that
>> 
>> (a) it may be lighter weight in computation and size of ciphertext
>> (b) Defends against “IV misuse”.
>> (c) RFC 3394 has been around for a while and is widely available
> 
> The paper in question is available online:
> https://eprint.iacr.org/2006/221.pdf
> 
> The construct in RFC3394 I believe is the same in Appendix A (from ANSI X9.102 draft standard).
> The stated security goal is IND-CCA2. However if you read further you will come across this little gem:
> "There is no proof of security, and the mechanism is so complex that providing one would be difficult."
> 
> The suggested mode of operation for keywrap is SIV mode which is both documented in the above paper
> and in RFC5297. It provides deterministic CCA encryption but fails the indinguishabiltiy under
> eavesdropping experiment (any two ciphertexts encrypted under a given key that are equal correspond
> to the same plaintext).
> 
> Keywrap in SIV mode (without the additional data) is essentially: IV=MAC(k,P), ENC(IV,k,P);
> verification/integrity check is done after decryption by recomputing the MAC and ideally the
> MAC and Encryption keys are distinct.
> 
> - Naveen
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography


More information about the cryptography mailing list