[cryptography] Is KeyWrap (RFC 3394) vulnerable to CCAs?
pgut001 at cs.auckland.ac.nz
Tue Jan 6 05:56:28 EST 2015
Naveen Nathan <naveen at lastninja.net> writes:
>[Quoting someone else]
>> As I see it from that paper the advantages of a key-wrap scheme over using a
>> generic AEAD scheme is that
>> (a) it may be lighter weight in computation and size of ciphertext
>> (b) Defends against âIV misuseâ.
>> (c) RFC 3394 has been around for a while and is widely available
>The suggested mode of operation for keywrap is SIV mode which is both
>documented in the above paper and in RFC5297. It provides deterministic CCA
>encryption but fails the indinguishabiltiy under eavesdropping experiment
>(any two ciphertexts encrypted under a given key that are equal correspond to
>the same plaintext).
There's another key wrap mechanism for CMS used with PWRI, originally
documented in RFC 3211. RFC 3394 exists because NIST had invented a key wrap
mechanism for AES and the RFC was created in order to specify its use with
CMS. RFC 3211 is a general-purpose (not tied to AES) key wrap mechanism. Note
that it's malleable (due to use of CBC-MAC), but that's because it uses a
primitive from a decade earlier that's been reasonably well-analyzed, and it's
not obvious that it's a practical weakness or not (you can cause a partial
garble of the key resulting in a decrypt failure, but flipping a bit in the
ciphertext will do the same thing). See Adam Back's original post:
and my followup:
It's amazing that there doesn't seem to be any published research on such a
fundamental crypto mechanism, with the result that everyone has to invent
their own way of doing it, usually badly. We don't even have a decent
threat model for this
The design goals I used were:
1. Resistance to dictionary/password-guessing attacks above all else.
2. No need to use additional algorithms like hash algorithms (see the RFC for
the rationale, to save me typing it all in again).
(A third one, not explicitly stated there, is "Use an existing, analysed
mechanism rather than inventing yet another new one").
More information about the cryptography