[Cryptech Tech] [Cryptech-Commits] [user/sra/aes-keywrap] 01/01: Initial commit of AES Key Wrap implementation.

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue May 19 09:51:37 UTC 2015


Rob Austein <sra at hactrn.net> writes:

>I say "embarrassment" rather than "excess" because it would be silly and
>dangerous for us to turn away well-intended advice.  But it seems unlikely
>that we're going to find the One True Answer.

My comments weren't a do-or-die thing, I just prefer to go with designs that
Ed Felten has characterised as ones "where you're unlikely to be surprised".
Encrypt-then-HMAC is boring and conventional, but also the least likely of the
three proposed candidates to have some paper pop up at Crypto next year
announcing its cryptanalysis.

Having said that, I'm not arguing for its adoption, merely pointing out that
it meets the unlikely-to-be-surprised requirement better than the other two,
and particularly the RFC 3394 one.

Peter.


