[Cryptech Tech] [Cryptech-Commits] [user/sra/aes-keywrap] 01/01: Initial commit of AES Key Wrap implementation.

Russ Housley housley at vigilsec.com
Wed May 6 08:53:23 UTC 2015


Peter:

>> 2) For the portions that do come from RFC 3394, be warned that RFC
>>  3394 specifies the steps in two different ways, one intended for
>>  software, the other (perhaps) better suited for hardware. 
> 
> Another thing to be aware of with RFC 3394, or more specifically the NIST key
> wrap spec, is that it has no provenance, it's just some random thing that
> someone at NIST, or possibly the NSA (or space aliens, the NIST doc lists no
> authors), dreamed up.  There's no analysis, either in the NIST spec, or
> independently, of the design, it's just "bash the key bits around randomly".
> 
> When your sole reference is an unexplained algorithm from an anonymous doc on
> the NIST web site you're really going out on a limb.  A better way to do key
> wrap would be to use conventional encrypt-then-MAC packaging.

While the document does not list authors, I do not agree with the rest of your characterization.  I think of AES Key Wrap as an AEAD.  The algorithm has been published for a long time.  If someone outside an intelligence agency had an attack on this FIPS-approved algorithm, I think they would make a name for themselves by publishing it.

Russ


