More on key wrapping.

*(English)*Zbl 1267.94061
Jacobson, Michael J. jun. (ed.) et al., Selected areas in cryptography. 16th annual international workshop, SAC 2009, Calgary, Alberta, Canada, August 13–14, 2009. Revised selected papers. Berlin: Springer (ISBN 978-3-642-05443-3/pbk). Lecture Notes in Computer Science 5867, 53-70 (2009).

Summary: We address the practice of key-wrapping, where one symmetric cryptographic key is used to encrypt another. This practice is used extensively in key-management architectures, often to create an “adapter layer” between incompatible legacy systems. Although in principle any secure encryption scheme can be used for key wrapping, practical constraints (which are commonplace when dealing with legacy systems) may severely limit the possible implementations, sometimes to the point of ruling out any “secure general-purpose encryption.” It is therefore desirable to identify the security requirements that are “really needed” for the key-wrapping application, and have a large variety of implementations that satisfy these requirements.

This approach was developed in a work by P. Rogaway and T. Shrimpton at EUROCRYPT 2006 [Lect. Notes Comput. Sci. 4004, 373–390 (2006; Zbl 1140.94369)]. They focused on allowing deterministic encryption, and defined a notion of deterministic authenticated encryption (DAE), which roughly formalizes “the strongest security that one can get without randomness.” Although DAE is weaker than full blown authenticated encryption, it seems to suffice for the case of key wrapping (since keys are random and therefore the encryption itself can be deterministic). Rogaway and Shrimpton also described a mode of operation for block ciphers (called SIV) that realizes this notion.

We continue in the direction initiated by Rogaway and Shirmpton. We first observe that the notion of DAE still rules out many practical and “seemingly secure” implementations. We thus look for even weaker notions of security that may still suffice. Specifically we consider notions that mirror the usual security requirements for symmetric encryption, except that the inputs to be encrypted are random rather than adversarially chosen. These notions are all strictly weaker than DAE, yet we argue that they suffice for most applications of key wrapping.

As for implementations, we consider the key-wrapping notion that mirrors authenticated encryption, and investigate a template of Hash-then-Encrypt (HtE), which seems practically appealing: In this method the key is first “hashed” into a short nonce, and then the nonce and key are encrypted using some standard encryption mode. We consider a wide array of “hash functions”, ranging from a simple XOR to collision-resistant hashing, and examine what “hash function” can be used with what encryption mode.

For the entire collection see [Zbl 1177.94012].

This approach was developed in a work by P. Rogaway and T. Shrimpton at EUROCRYPT 2006 [Lect. Notes Comput. Sci. 4004, 373–390 (2006; Zbl 1140.94369)]. They focused on allowing deterministic encryption, and defined a notion of deterministic authenticated encryption (DAE), which roughly formalizes “the strongest security that one can get without randomness.” Although DAE is weaker than full blown authenticated encryption, it seems to suffice for the case of key wrapping (since keys are random and therefore the encryption itself can be deterministic). Rogaway and Shrimpton also described a mode of operation for block ciphers (called SIV) that realizes this notion.

We continue in the direction initiated by Rogaway and Shirmpton. We first observe that the notion of DAE still rules out many practical and “seemingly secure” implementations. We thus look for even weaker notions of security that may still suffice. Specifically we consider notions that mirror the usual security requirements for symmetric encryption, except that the inputs to be encrypted are random rather than adversarially chosen. These notions are all strictly weaker than DAE, yet we argue that they suffice for most applications of key wrapping.

As for implementations, we consider the key-wrapping notion that mirrors authenticated encryption, and investigate a template of Hash-then-Encrypt (HtE), which seems practically appealing: In this method the key is first “hashed” into a short nonce, and then the nonce and key are encrypted using some standard encryption mode. We consider a wide array of “hash functions”, ranging from a simple XOR to collision-resistant hashing, and examine what “hash function” can be used with what encryption mode.

For the entire collection see [Zbl 1177.94012].

##### MSC:

94A60 | Cryptography |