Subject: Re: [kmip] EtM and MtE Wrapping Methods


Hi Conrado,

Thank you for your feedback. Section 4.2 of the KMIP v1.4 Usage Guide (as referenced in Judith's last message to you) covers a wide range of content in this area but as the role of this document is to provide guidance rather than specification data or conformance tests, not every scenario is covered. In many cases we point to existing NIST documentation.
If your specific usage is not covered by an existing Test Case (http://docs.oasis-open.org/kmip/testcases/v1.4/kmip-testcases-v1.4.docx) or Profile Test Case (http://docs.oasis-open.org/kmip/profiles/v1.4/kmip-profiles-v1.4.docx), the KMIP TC would welcome submissions for either of these documents and/or specific requests for test cases.
The KMIP TC intends to close off submissions for KMIP v2.1 in the coming weeks so if you have something to submit for this version, I would encourage you to provide a request to the comment list or contact the document editors directly.

Thank you for your comment.

Tony Cox & Judy Furlong
KMIP TC Co-Chairs
On 25/07/2019 12:16 am, Conrado Gouvêa wrote:
Hi everyone,

In KMIP 1.4, there are two Wrapping Methods that I believe are not precisely specified:

- Encrypt then MAC/sign.
- MAC/sign then encrypt.

AFAIK there aren't any test cases with those methods.

What exactly is Encrypt then MAC/sign (for symmetric crypto)?

It looks like it should compute C = Enc(IV, Msg), then T = MAC(C), return C as wrapped data and T in MAC/Signature. (Though it's not really explicitly defined...)
However, that is unsafe: we need to MAC the IV too, so it should be T = MAC(IV + C).
(see https://crypto.stackexchange.com/questions/24353/encrypt-then-mac-do-i-need-to-authenticate-the-iv )

What exactly is MAC/sign then encrypt (for symmetric crypto)?

It looks like it should compute T = MAC(Msg), then C = Enc(IV, Msg), return C as wrapped data and T in MAC/Signature. (Though also not explicitly defined...)
However, that is actually Encrypt and MAC, a totally different method. It should be C = Enc(IV, Msg + T), and then MAC/Signature would be not present.

For asymmetric crypto, Encrypt then Sign should be simple, but Sign then Encrypt falls into the same issue. If the signature isn't encrypted, then it's actually Encrypt and Sign.

So, what is the correct interpretation? Am I missing something?

Thanks!


Conrado Gouvêa
Software Developer

+55 (19) 3112-5000
conradoplg@kryptus.com

www.kryptus.com
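The two constructions the message above argues for, as an added example that is not part of this thread, the KMIP specification or its test cases: Encrypt then MAC with the tag over IV || C, and MAC then Encrypt with the tag encrypted alongside the message. The stream cipher is an assumed HMAC-SHA256 CTR-style stand-in for AES-CTR so the example runs with the standard library only; keys and IV are constructed values.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Assumed stand-in for AES-CTR: XOR data with HMAC(key, IV || counter) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, iv + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def etm_wrap(k_enc: bytes, k_mac: bytes, iv: bytes, msg: bytes):
    """Encrypt then MAC: C = Enc(IV, Msg), T = MAC(IV || C). Returns (C, T)."""
    c = _keystream_xor(k_enc, iv, msg)
    t = hmac.new(k_mac, iv + c, hashlib.sha256).digest()
    return c, t


def etm_unwrap(k_enc: bytes, k_mac: bytes, iv: bytes, c: bytes, t: bytes):
    """Verify the tag over IV || C (constant-time) before decrypting; None on failure."""
    expected = hmac.new(k_mac, iv + c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t):
        return None
    return _keystream_xor(k_enc, iv, c)


def mte_wrap(k_enc: bytes, k_mac: bytes, iv: bytes, msg: bytes) -> bytes:
    """MAC then Encrypt: T = MAC(Msg), C = Enc(IV, Msg || T). No separate tag field."""
    t = hmac.new(k_mac, msg, hashlib.sha256).digest()
    return _keystream_xor(k_enc, iv, msg + t)


def mte_unwrap(k_enc: bytes, k_mac: bytes, iv: bytes, c: bytes):
    """Decrypt, split off the trailing tag, then verify it; None on failure."""
    pt = _keystream_xor(k_enc, iv, c)
    if len(pt) < TAG_LEN:
        return None
    msg, t = pt[:-TAG_LEN], pt[-TAG_LEN:]
    expected = hmac.new(k_mac, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, t):
        return None
    return msg
```

Because the EtM tag covers the IV, a modified IV is rejected before any decryption happens; in the MtE form the IV is still bound because changing it corrupts the decrypted message and tag together.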




