HOME

TheInfoList



Click Here for Items Related To - Key Wrap
OR:
Key Wrap on:   [Wikipedia]   [Google]   [Amazon]

In
cryptography Cryptography, or cryptology (from "hidden, secret"; and ''graphein'', "to write", or ''-logy, -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of Adversary (cryptography), ...
, key wrap constructions are a class of
symmetric encryption Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for both the encryption of plaintext and the decryption of ciphertext. The keys may be identical, or there may be a simple transformation to go between t ...
algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks. The constructions are typically built from standard primitives such as
block cipher In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called ''blocks''. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage a ...
s and
cryptographic hash function A cryptographic hash function (CHF) is a hash algorithm (a map (mathematics), map of an arbitrary binary string to a binary string with a fixed size of n bits) that has special properties desirable for a cryptography, cryptographic application: ...
s. Key Wrap may be considered as a form of key encapsulation algorithm, although it should not be confused with the more commonly known ''asymmetric'' (public-key) key encapsulation algorithms (e.g., PSEC-KEM). Key Wrap algorithms can be used in a similar application: to securely transport a session key by encrypting it under a long-term encryption key.


Background

In the late 1990s, the
National Institute of Standards and Technology The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into Outline of p ...
(NIST) posed the "Key Wrap" problem: to develop secure and efficient cipher-based key encryption algorithms. The resulting algorithms would be formally evaluated by NIST, and eventually approved for use in NIST-certified cryptographic modules. NIST did not precisely define the security goals of the resulting algorithm, and left further refinement to the algorithm developers. Based on the resulting algorithms, the design requirements appear to be (1) confidentiality, (2) integrity protection (authentication), (3) efficiency, (4) use of standard (approved) underlying primitives such as the
Advanced Encryption Standard The Advanced Encryption Standard (AES), also known by its original name Rijndael (), is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES is a variant ...
(AES) and the Secure Hash Algorithm (
SHA-1 In cryptography, SHA-1 (Secure Hash Algorithm 1) is a hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecimal digits. It was designed by the United States ...
), and (5) consideration of additional circumstances (e.g., resilience to operator error, low-quality random number generators). Goals (3) and (5) are particularly important, given that many widely deployed
authenticated encryption Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality (also known as privacy: the encrypted message is impossible to understand without the knowledge of a secret key) and authenticity (in othe ...
algorithms (e.g., AES-CCM) are already sufficient to accomplish the remaining goals. Several constructions have been proposed. These include: *
AES Key Wrap Specification
' (November 2001, ) ** Implemented by the WebCrypto subtle API.
American Standards Committee ANSX9.102
which defines four algorithms: ** AESKW (a variant of the ''AES Key Wrap Specification'') ** TDKW (similar to AESKW, built from
Triple DES In cryptography, Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The 56-bit key of the Dat ...
rather than AES). ** AKW1 (TDES, two rounds of CBC) ** AKW2 (TDES, CBC then CBC-MAC) Each of the proposed algorithms can be considered as a form of
authenticated encryption Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality (also known as privacy: the encrypted message is impossible to understand without the knowledge of a secret key) and authenticity (in othe ...
algorithm providing confidentiality for highly entropic messages such as cryptographic keys. The AES Key Wrap Specification, AESKW, TDKW, and AKW1 are intended to maintain confidentiality under
adaptive chosen ciphertext attack An adaptive chosen-ciphertext attack (abbreviated as CCA2) is an interactive form of chosen-ciphertext attack in which an attacker first sends a number of ciphertexts to be decrypted chosen adaptively, and then uses the results to distinguish a ta ...
s, while the AKW2 algorithm is designed to be secure only under known-plaintext (or weaker) attacks. (The stated goal of AKW2 is for use in legacy systems and computationally limited devices where use of the other algorithms would be impractical.) AESKW, TDKW and AKW2 also provide the ability to authenticate cleartext "header", an associated block of data that is not encrypted. Rogaway and Shrimpton evaluated the design of the ANSX9.102 algorithms with respect to the stated security goals. Among their general findings, they noted the lack of clearly stated design goals for the algorithms, and the absence of security proofs for all constructions. In their paper, Rogaway and Shrimpton proposed a provable key-wrapping algorithm (SIV—the Synthetic Initialization Vector mode) that authenticates and encrypts an arbitrary string and authenticates, but does not encrypt, associated data which can be bound into the wrapped key. This has been standardized as a new AES mode in .


See also

*
Authenticated encryption Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality (also known as privacy: the encrypted message is impossible to understand without the knowledge of a secret key) and authenticity (in othe ...
*
Deterministic encryption A deterministic encryption scheme (as opposed to a probabilistic encryption scheme) is a cryptosystem which always produces the same ciphertext for a given plaintext and encryption key, key, even over separate executions of the encryption algorithm ...
*
Key management Key management refers to management of Key (cryptography), cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic ...
*
Offline private key protocol The Offline Private Key Protocol (OPKP) is a cryptographic protocol to prevent unauthorized access to back up or archive data. The protocol results in a public key that can be used to encrypt data and an offline private key that can later be used ...


Further reading


P. Rogaway, T. Shrimpton. ''A Provable-Security Treatment of the Key-Wrap Problem''.

NIST, ''AES Key Wrap Specification'' (November 2001)

NIST Special Publication 800-38F, ''Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping'' (December 2012)

American Standards Committee, Request for Review of Key Wrap Algorithms
* *


References

{{Reflist Cryptographic algorithms