[cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

Matthew Green matthewdgreen at gmail.com
Wed Dec 24 19:48:22 EST 2014

The NIST Key Wrap is unauthored, which in practice means it's an NSA construction. That doesn't mean it's insecure. In fact if anything it's over-engineered. 

It's designed to achieve CCA2 security (or an equivalent deterministic definition) for high-entropy messages. It probably does that, despite the absence of a security proof or any definitions at all. You could probably write a proof if you cared. 

I wouldn't use it on principle. There are more elegant constructions with proper analysis. NIST should stop publishing things just because someone at NSA tells them to. 


On Dec 24, 2014, at 7:29 PM, Naveen Nathan <naveen at lastninja.net> wrote:

>> As I see it from that paper the advantages of a key-wrap scheme over using a
>> generic AEAD scheme is that
>> (a) it may be lighter weight in computation and size of ciphertext
>> (b) Defends against “IV misuse”.
>> (c) RFC 3394 has been around for a while and is widely available
> The paper in question is available online:
> https://eprint.iacr.org/2006/221.pdf
> The construct in RFC3394 I believe is the same in Appendix A (from ANSI X9.102 draft standard).
> The stated security goal is IND-CCA2. However if you read further you will come across this little gem:
> "There is no proof of security, and the mechanism is so complex that providing one would be difficult."
> The suggested mode of operation for keywrap is SIV mode which is both documented in the above paper
> and in RFC5297. It provides deterministic CCA encryption but fails the indistinguishability under
> eavesdropping experiment (any two ciphertexts encrypted under a given key that are equal correspond
> to the same plaintext).
> Keywrap in SIV mode (without the additional data) is essentially: IV=MAC(k,P), ENC(IV,k,P);
> verification/integrity check is done after decryption by recomputing the MAC and ideally the
> MAC and Encryption keys are distinct.
> - Naveen
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
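As an added illustration (not code from the thread or from RFC 5297), the SIV-style wrap Naveen sketches, IV=MAC(k,P) followed by ENC(IV,k,P), with the MAC recomputed after decryption and separate MAC and encryption keys. To run on the Python standard library alone, the AES-based encryption is replaced by an HMAC-SHA256 counter-mode keystream; the keys are constructed test values, and the code is a teaching toy, not an implementation of the standard.

```python
import hmac
import hashlib

# Toy SIV-style key wrap:  IV = MAC(k_mac, P);  C = ENC(k_enc, IV, P);  wrap = IV || C.
# Unwrap decrypts first, recomputes the MAC over the recovered plaintext and
# rejects unless it equals the transmitted IV (the IV doubles as the tag).
# HMAC-SHA256 in counter mode stands in for AES-CTR; this is NOT RFC 5297.

TAG_LEN = 32  # HMAC-SHA256 output, used as the synthetic IV

# Constructed demo keys; the MAC and encryption keys are deliberately distinct.
KEY_MAC = b"\x01" * 32
KEY_ENC = b"\x02" * 32


def _mac(k_mac: bytes, plaintext: bytes) -> bytes:
    return hmac.new(k_mac, plaintext, hashlib.sha256).digest()


def _keystream(k_enc: bytes, iv: bytes, n: int) -> bytes:
    """n bytes of keystream from PRF(k_enc, iv || counter), counter mode."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(k_enc, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def siv_wrap(k_mac: bytes, k_enc: bytes, plaintext: bytes) -> bytes:
    """Deterministic: the same (keys, plaintext) always yields the same output."""
    iv = _mac(k_mac, plaintext)
    ks = _keystream(k_enc, iv, len(plaintext))
    return iv + bytes(p ^ s for p, s in zip(plaintext, ks))


def siv_unwrap(k_mac: bytes, k_enc: bytes, wrapped: bytes) -> bytes:
    """Decrypt, then verify integrity by recomputing the MAC; reject on mismatch."""
    if len(wrapped) < TAG_LEN:
        raise ValueError("wrapped blob too short")
    iv, ct = wrapped[:TAG_LEN], wrapped[TAG_LEN:]
    ks = _keystream(k_enc, iv, len(ct))
    pt = bytes(c ^ s for c, s in zip(ct, ks))
    if not hmac.compare_digest(_mac(k_mac, pt), iv):
        raise ValueError("integrity check failed")
    return pt


def tamper_is_detected(k_mac: bytes, k_enc: bytes, wrapped: bytes) -> bool:
    """Flip one ciphertext bit and report whether unwrap rejects it."""
    forged = wrapped[:-1] + bytes([wrapped[-1] ^ 0x01])
    try:
        siv_unwrap(k_mac, k_enc, forged)
    except ValueError:
        return True
    return False
```

Wrapping the same key twice gives identical output, which is the deterministic, eavesdropping-distinguishable behaviour described above; a flipped ciphertext bit changes the recovered plaintext and the recomputed MAC no longer matches the IV.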
