[Cryptech Tech] AES SIV mode for key wrapping?

[Dan Harkins]

  Russ,

On Tue, March 17, 2015 12:08 pm, Russ Housley wrote:
> Paul:
>
>>> SIV is seeing almost no uptake.  AES KEY-WRAP is preferred.
>>
>> Uptake and technical value are not the same.
>>
>> First, AES-SIV is being introduced into other non-IETF forums.
>>
>> Second, AES-SIV is much more efficient that AES KEY-WRAP.
>>
>> AES-SIV is also nonce insensitive.  A very nice property for an AEAD
>> cipher.
>
> I am aware of all of these properties, but I still recommend AES KEY-WRAP
> for two reasons.  First, I see little uptake.  I am aware of the places
> that Dan Harkins is pushing for its adoption, but they have not happened
> as yet.  Second, if someone wanted to use Cryptech to make a FIPS 140
> module, they would need a FIPS validated mode for key wrapping.

  You are asking to take part in a catch-22-- NIST will certify modes that
people use but people won't use it until/unless NIST certifies it. Phil
Rogaway submitted SIV to NIST [1] back in 2007 and when I ask people
from NIST about it they say, "where is it being used?" When I try to get
it adopted in some standard protocol (e.g. 802.11) I am opposed by
people affiliated with NSA, which is odd.

  The upshot is that they'll certify it if it gets used so the argument
that it shouldn't be specified because it's not, today, certified is
somewhat specious.

  regards,

  Dan.

[1] http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html