[Cryptech Tech] AES SIV mode for key wrapping?

Dan Harkins dharkins at lounge.org
Tue Mar 17 18:53:38 UTC 2015

Previous message (by thread): [Cryptech Tech] AES SIV mode for key wrapping?
Next message (by thread): [Cryptech Tech] AES SIV mode for key wrapping?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

  The lack of uptake has nothing to do with its security.

  Regarding security, though, AES-SIV has a security proof and
AES KEY-WRAP does not, see the paper "Deterministic Authenticated
Encryption, A Provable-Security Treatment of the Key-Wrap Problem"
by Rogaway and Shrimpton. That paper has a great critique of AES
KEY-WRAP.

  Aside from provable security, there are other benefits to AES-SIV
over AES KEY-WRAP that make it well qualified for any key wrapping
use:

  *  SIV mode allows for AAD, additional data that is authenticated
     but not encrypted. The AAD typically, but need not, accompanies
     the wrapped key. This can be used to bind other associated data
     to the wrapped key.

  * SIV does not impose unnatural boundaries, like being a multiple
    of 64 bits, on the plaintext data to be wrapped.

  * SIV is much more efficient that AES KEY-WRAP.

  As a key wrapping (deterministic authenticated encryption) solution
AES-SIV is superior to AES KEY-WRAP but AES-SIV also has a mode
to provide "probabilistic" authenticated encryption analogous to
traditional AEAD schemes like CCM (or GCM). The advantages it has
over these other schemes is that AES-SIV is misuse resistant: if the
nonce is reused you do not lose all security in the same way you do
with CCM (or GCM).

  regards,

  Dan.

On Mar 17, 2015, at 13:21:59, Russ Housley wrote:
>
> SIV is seeing almost no uptake.  AES KEY-WRAP is preferred.
>
> Russ
>
> On Mar 17, 2015, at 5:36 AM, Rob Austein wrote:
> >
> > So our roadmap (under construction, but also under discussion today)
> > lists AES as a requirement for key wrapping for HSM backup.
> > Specifically, it lists SIV mode, which is one I hadn't heard of until
> > now.  RFC 5297 is interesting, but I'm not competent to have an
> > opinion on crypto at this level.
> >
> > Crypto guys (Russ, PeterG, etc), please confirm that SIV is the mode
> > we should be using for this, or tell us what we should use instead.
> >
> > Is SIV also an appropriate mode to use for the encrypted key store
> > within the HSM?
> > _______________________________________________
> > Tech mailing list
> > Tech at cryptech.is
> > https://lists.cryptech.is/listinfo/tech

Previous message (by thread): [Cryptech Tech] AES SIV mode for key wrapping?
Next message (by thread): [Cryptech Tech] AES SIV mode for key wrapping?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Tech mailing list