Subject: RE: [pkcs11] RE: NIST Special Publication 800-38F


Quite right, we will always have legacy support issues surrounding existing mechanisms now shown to be flawed.  I guess my statement was directed more towards consideration of new mechanisms and functionality, but even then I guess my recommendation should be taken as more of a guideline rather than a rule?  Either way, point taken.  And in this case I think AEAD for key wrapping should be an acceptable mechanism choice.

Thanks,

Bob

> -----Original Message-----
> From: pkcs11@lists.oasis-open.org [mailto:pkcs11@lists.oasis-open.org] On
> Behalf Of Valerie Anne Fenwick
> Sent: Wednesday, April 03, 2013 7:33 PM
> To: pkcs11@lists.oasis-open.org
> Subject: Re: [pkcs11] RE: NIST Special Publication 800-38F
> 
> Actually, even blocking mechanisms with known security issues is a problem
> for things like CIFS that require MD4.
> 
> Valerie
> 
> On 04/ 3/13 03:19 PM, Burns, Robert wrote:
> > Although the AEAD mechanisms are not specifically referenced, Section 3.1
> > of that publication asserts, "Nevertheless, there is no requirement to protect
> > cryptographic keys with a distinct cryptographic method. Previously
> > approved authenticated-encryption modes-as well as combinations of an
> > approved encryption mode with an approved authentication method-are
> > approved for the protection of cryptographic keys, in addition to general
> > data.".
> >
> > It would appear that NIST will allow other approved encryption modes, so
> > GCM is a candidate.
> >
> > In general, I think we should only block inclusions of mechanisms if there
> > are known security issues, and I wasn't able to locate any obvious research
> > on the subject of the AEAD modes as being weaker for key wrap versus data
> > protection.  Anyone know of any prohibitions against using GCM for key
> > wrapping?
> >
> > Bob

