[Cryptech Tech] [Cryptech-Commits] [user/sra/aes-keywrap] 01/01: Initial commit of AES Key Wrap implementation.

Simon Josefsson simon at josefsson.org
Tue May 12 14:59:01 UTC 2015


Peter Gutmann <pgut001 at cs.auckland.ac.nz> writes:

> Russ Housley <housley at vigilsec.com> writes:
>
>>While the document does not list authors, I do not agree with the rest of
>>your characterization.  I think of AES Key Wrap as an AEAD.  The algorithm
>>has been published for a long time.  If someone outside an intelligence
>>agency had an attack on this FIPS-approved algorithm, I think they would make
>>a name for themselves by publishing it.
>
> Absence of evidence doesn't provide evidence of absence.  It's not just that
> there's no analysis showing weakness published, there's simply no analysis at
> all published.  We don't even know who wrote the document, it's just an
> anonymous PDF found on the NIST web site (it's also not present at the
> location given in RFC 3394, you have to Google for it and then follow the link
> you get as a result).

Hear, hear.

I suggest looking at SIV. It provides key wrapping, and it is (in
contrast to the RFC 3394 construct) a proper AEAD mode.  It is specified
by well-known crypto people, Phillip Rogaway and Thomas Shrimpton, in a
paper with security proofs and was presented at an academic conference.

https://tools.ietf.org/html/rfc5297
http://web.cecs.pdx.edu/~teshrim/keywrap.pdf

The burden shouldn't be on us to prove something is bad, it should be
for designers to convince everyone else that their stuff is good.

/Simon