[Cryptech Tech] [Cryptech-Commits] [user/sra/aes-keywrap] 01/01: Initial commit of AES Key Wrap implementation.

Dan Harkins dharkins at lounge.org
Tue May 19 13:50:18 UTC 2015



On Tue, May 19, 2015 2:51 am, Peter Gutmann wrote:
> Rob Austein <sra at hactrn.net> writes:
>
>>I say "embarrassment" rather than "excess" because it would be silly and
>>dangerous for us to turn away well-intended advice.  But it seems unlikely
>>that we're going to find the One True Answer.
>
> My comments weren't a do-or-die thing, I just prefer to go with designs that
> Ed Felten has characterised as ones "where you're unlikely to be surprised".
> Encrypt-then-HMAC is boring and conventional, but also the least likely of the
> three proposed candidates to have some paper pop up at Crypto next year
> announcing its cryptanalysis.

  But then you'd have to generate some nonce for the Encrypt portion
of Encrypt-then-MAC. The point of key wrapping, or deterministic
authenticated encryption, is that such a thing is not needed. When the
plaintext is a key, that should be all the randomness you need for the
encryption process.

  Not that this is an insurmountable problem, just that it's one more
thing to worry about and keep around.

  Dan.