kmip message


Subject: EtM and MtE Wrapping Methods


Hi everyone,

In KMIP 1.4, there are two Wrapping Methods that I believe are not precisely specified:

- Encrypt then MAC/sign.
- MAC/sign then encrypt.

AFAIK there aren't any test cases with those methods.

What exactly is Encrypt then MAC/sign (for symmetric crypto)?

It looks like it should compute C = Enc(IV, Msg), then T = MAC(C), return C as wrapped data and T in MAC/Signature. (Though it's not really explicitly defined...)
However, that is unsafe: we need to MAC the IV too, so it should be T = MAC(IV + C).
(see https://crypto.stackexchange.com/questions/24353/encrypt-then-mac-do-i-need-to-authenticate-the-iv )

What exactly is MAC/sign then encrypt (for symmetric crypto)?

It looks like it should compute T = MAC(Msg), then C = Enc(IV, Msg), return C as wrapped data and T in MAC/Signature. (Though also not explicitly defined...)
However, that is actually Encrypt and MAC, a totally different method. It should be C = Enc(IV, Msg + T), and then MAC/Signature would not be present.

For asymmetric crypto, Encrypt then Sign should be simple, but Sign then Encrypt falls into the same issue. If the signature isn't encrypted, then it's actually Encrypt and Sign.

So, what is the correct interpretation? Am I missing something?

Thanks!


Conrado Gouvêa
Software Developer

+55 (19) 3112-5000
conradoplg@kryptus.com

www.kryptus.com
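
Added example, not part of the original message or of the KMIP specification: a Python sketch of the symmetric Encrypt-then-MAC case raised above, comparing T = MAC(C) with T = MAC(IV + C) when the IV is altered between wrap and unwrap. The HMAC-based keystream standing in for Enc, the function names, the fixed 16-byte IV and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import os

IV_LEN = 16  # assumed fixed length, so IV + C is an unambiguous MAC input


def enc(enc_key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Stand-in for Enc(IV, Msg): XOR with an HMAC-SHA256 counter keystream.
    Illustration only; not AES and not a KMIP-defined algorithm."""
    stream = b""
    for ctr in range((len(msg) + 31) // 32):
        stream += hmac.new(enc_key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(m ^ s for m, s in zip(msg, stream))


def tag(mac_key: bytes, iv: bytes, c: bytes, mac_iv: bool) -> bytes:
    """T = MAC(IV + C) when mac_iv is set, otherwise T = MAC(C)."""
    return hmac.new(mac_key, (iv + c) if mac_iv else c, hashlib.sha256).digest()


def wrap(enc_key, mac_key, msg, mac_iv):
    iv = os.urandom(IV_LEN)
    c = enc(enc_key, iv, msg)
    return iv, c, tag(mac_key, iv, c, mac_iv)


def unwrap(enc_key, mac_key, iv, c, t, mac_iv):
    # Verify before decrypting, with a constant-time tag comparison.
    if not hmac.compare_digest(tag(mac_key, iv, c, mac_iv), t):
        raise ValueError("MAC check failed")
    return enc(enc_key, iv, c)  # XOR keystream: decryption == encryption


def altered_iv_outcome(mac_iv: bool) -> str:
    """Wrap a constructed sample key, change one IV bit, then unwrap."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    sample_key = bytes(range(32))  # constructed key material
    iv, c, t = wrap(enc_key, mac_key, sample_key, mac_iv)
    bad_iv = bytes([iv[0] ^ 0x01]) + iv[1:]
    try:
        out = unwrap(enc_key, mac_key, bad_iv, c, t, mac_iv)
    except ValueError:
        return "rejected"
    return "accepted, wrong key returned" if out != sample_key else "accepted"


if __name__ == "__main__":
    print("T = MAC(C):     ", altered_iv_outcome(False))
    print("T = MAC(IV + C):", altered_iv_outcome(True))
```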




