[cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?

Ryan Carboni ryacko at gmail.com
Wed Dec 24 19:53:22 EST 2014


Yes, but if the NSA starts publishing things, people might realize the NSA
exists.

On Wed, Dec 24, 2014 at 4:48 PM, Matthew Green <matthewdgreen at gmail.com>
wrote:

> The NIST Key Wrap is unauthored, which in practice means it's an NSA
> construction. That doesn't mean it's insecure. In fact if anything it's
> over-engineered.
>
> It's designed to achieve CCA2 security (or an equivalent deterministic
> definition) for high-entropy messages. It probably does that, despite the
> absence of a security proof or any definitions at all. You could probably
> write a proof if you cared.
>
> I wouldn't use it on principle. There are more elegant constructions with
> proper analysis. NIST should stop publishing things just because someone at
> NSA tells them to.
>
> Matt
>
> On Dec 24, 2014, at 7:29 PM, Naveen Nathan <naveen at lastninja.net> wrote:
>
> >> As I see it from that paper the advantages of a key-wrap scheme over
> >> using a generic AEAD scheme is that
> >>
> >> (a) it may be lighter weight in computation and size of ciphertext
> >> (b) Defends against “IV misuse”.
> >> (c) RFC 3394 has been around for a while and is widely available
> >
> > The paper in question is available online:
> > https://eprint.iacr.org/2006/221.pdf
> >
> > The construct in RFC3394 I believe is the same in Appendix A (from ANSI
> > X9.102 draft standard).
> > The stated security goal is IND-CCA2. However if you read further you
> > will come across this little gem:
> > "There is no proof of security, and the mechanism is so complex that
> > providing one would be difficult."
> >
> > The suggested mode of operation for keywrap is SIV mode which is both
> > documented in the above paper and in RFC5297. It provides deterministic
> > CCA encryption but fails the indistinguishability under eavesdropping
> > experiment (any two ciphertexts encrypted under a given key that are
> > equal correspond to the same plaintext).
> >
> > Keywrap in SIV mode (without the additional data) is essentially:
> > IV=MAC(k,P), ENC(IV,k,P); verification/integrity check is done after
> > decryption by recomputing the MAC and ideally the MAC and Encryption
> > keys are distinct.
> >
> > - Naveen
> > _______________________________________________
> > cryptography mailing list
> > cryptography at randombit.net
> > http://lists.randombit.net/mailman/listinfo/cryptography
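An added example, not part of the thread above: a Go implementation of the RFC 3394 wrap and unwrap functions (section 2.2, index-based form) written for this page, checked against the RFC's own section 4.1 test vector. It shows the two properties the thread argues about: the fixed A6A6... integrity check value that makes a tampered ciphertext fail to unwrap (the deterministic CCA-style behaviour Matt and Naveen discuss), and the fact that the same key and plaintext always produce the same ciphertext, which is why the mode cannot meet the ordinary eavesdropping indistinguishability definition. The function names (Wrap, Unwrap, defaultIV) and the layout are mine, not from the RFC or any library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// defaultIV is the fixed 64-bit integrity check value from RFC 3394, section 2.2.3.1.
// Unwrap recovers it only if every ciphertext block is intact, which is what gives
// the mode its deterministic, CCA-style tamper detection.
var defaultIV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Wrap implements the RFC 3394 wrap function (section 2.2.1, index-based form).
// kek is a 16-, 24- or 32-byte AES key-encryption key; plaintext is the key being
// wrapped and must be at least 16 bytes long and a multiple of 8.
func Wrap(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext) < 16 || len(plaintext)%8 != 0 {
		return nil, errors.New("keywrap: plaintext must be >= 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	out := make([]byte, 8+len(plaintext)) // out[0:8] is A, out[8:] holds R[1..n]
	copy(out[:8], defaultIV[:])
	copy(out[8:], plaintext)
	var b [16]byte
	for j := 0; j <= 5; j++ {
		for i := 1; i <= n; i++ {
			ri := out[i*8 : (i+1)*8]
			copy(b[:8], out[:8])
			copy(b[8:], ri)
			block.Encrypt(b[:], b[:]) // B = AES(K, A | R[i])
			t := uint64(n*j + i)
			binary.BigEndian.PutUint64(out[:8], binary.BigEndian.Uint64(b[:8])^t) // A = MSB(64, B) ^ t
			copy(ri, b[8:])                                                       // R[i] = LSB(64, B)
		}
	}
	return out, nil
}

// Unwrap implements the RFC 3394 unwrap function (section 2.2.2) and rejects the
// ciphertext unless the recovered A equals defaultIV. The comparison is constant
// time so that a wrong ciphertext reveals nothing about where it went wrong.
func Unwrap(kek, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 24 || len(ciphertext)%8 != 0 {
		return nil, errors.New("keywrap: ciphertext must be >= 24 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1
	buf := make([]byte, len(ciphertext)) // buf[0:8] is A, buf[8:] holds R[1..n]
	copy(buf, ciphertext)
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			ri := buf[i*8 : (i+1)*8]
			t := uint64(n*j + i)
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(buf[:8])^t) // (A ^ t) | R[i]
			copy(b[8:], ri)
			block.Decrypt(b[:], b[:]) // B = AES^-1(K, (A ^ t) | R[i])
			copy(buf[:8], b[:8])      // A = MSB(64, B)
			copy(ri, b[8:])           // R[i] = LSB(64, B)
		}
	}
	if subtle.ConstantTimeCompare(buf[:8], defaultIV[:]) != 1 {
		return nil, errors.New("keywrap: integrity check failed")
	}
	return buf[8:], nil
}

func main() {
	// RFC 3394 section 4.1 test vector: a 128-bit KEK wrapping 128 bits of key data.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	key, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	want, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")

	c1, _ := Wrap(kek, key)
	c2, _ := Wrap(kek, key)
	fmt.Printf("wrapped:   %X\n", c1)
	fmt.Println("matches RFC 3394 vector:", bytes.Equal(c1, want))
	fmt.Println("deterministic (same KEK and plaintext give the same ciphertext):", bytes.Equal(c1, c2))

	p, err := Unwrap(kek, c1)
	fmt.Printf("unwrapped: %X err=%v\n", p, err)

	// Flip one bit of the last block: unwrap must reject rather than hand back garbage.
	bad := append([]byte(nil), c1...)
	bad[len(bad)-1] ^= 0x01
	_, err = Unwrap(kek, bad)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

Note that the integrity check here is the 64-bit constant A, so a forgery attempt has roughly a 2^-64 chance of unwrapping to something; the SIV construction Naveen describes (IV = MAC(k, P), then ENC(IV, k, P), verify by recomputing the MAC) achieves the same deterministic authenticated-encryption goal with a full-width tag and a published analysis.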