RE: NIST Special Publication 800-38F

["Burns, Robert" <Robert.Burns@thalesesec.com>]

Although the AEAD mechanisms are not specifically referenced, Section 3.1 of that publication asserts, "Nevertheless, there is no requirement to protect cryptographic keys with a distinct cryptographic method. Previously approved authenticated-encryption modes-as well as combinations of an approved encryption mode with an approved authentication method-are approved for the protection of cryptographic keys, in addition to general data.".

It would appear that NIST will allow other approved encryption modes, so GCM is a candidate.  

In general, I think we should only block inclusions of mechanisms if there are known security issues, and I wasn't able to locate any obvious research on the subject of the AEAD modes as being weaker for key wrap versus data protection.  Anyone know of any prohibitions against using GCM for key wrapping?

Bob

> -----Original Message-----
> From: pkcs11@lists.oasis-open.org [mailto:pkcs11@lists.oasis-open.org] On
> Behalf Of Lockhart, Robert
> Sent: Wednesday, April 03, 2013 6:01 PM
> To: pkcs11@lists.oasis-open.org
> Subject: [pkcs11] NIST Special Publication 800-38F
> 
> I took a quick glance and GCM and CCM are in fact only mentioned in the
> Appendix B as other authenticating modes of operation.  The major
> difference being that GCM & CCM perform authentication on the encrypted
> value not the clear text value.
> 
> http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
> 
> This will teach me to re-read the documents before bringing them up.
> 
> Bob L.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-
> open.org/apps/org/workgroup/portal/my_workgroups.php