[Cryptech Tech] AES SIV mode for key wrapping?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Mar 18 03:59:43 UTC 2015
Rob Austein <sra at hactrn.net> writes:

>Crypto guys (Russ, PeterG, etc), please confirm that SIV is the mode we
>should be using for this, or tell us what we should use instead.

SIV is a cute encryption mode, but there are lots of other cute encryption
modes around. The important thing here isn't "what's a cool mode to use" but
"what's standardised and suited for this purpose". If the purpose is HSM
backup then I'd use PKCS #15, which was specifically designed as a key (and
data in general) storage mechanism for things like smart cards and HSMs.

(SIV has other issues as well, it's just an encryption mode and not a complete
solution, so you'd need to do a lot more work than just deciding on SIV, and
more importantly it's virtually unused in practice - I'd say "completely
unused" but I assume there's something somewhere that uses it for something so
I'll hedge my bets :-).

>Is SIV also an appropriate mode to use for the encrypted key store within the
>HSM?

For that I'd definitely use PKCS #15.

Peter.