RFR: 8248268: Support KWP in addition to KW [v4]

Greg Rubin greg at rubinfamily.org
Wed Apr 7 17:28:03 UTC 2021


Mike,

Yes, this was in response to your comment.

I'm aware that the IV really serves more as an integrity check and mode
signalling mechanism than anything else. My concern is that in the past few
years I've seen various issues related to "in band signalling" where
something about the ciphertext (or directly associated metadata) changes
how the data is decrypted and authenticated. This has reached the level
where several cryptographic forums I participate in are starting to
consider it a full anti-pattern.

The proposed "AutoPadding" mode is an example of in-band signalling in
which an externally provided ciphertext  changes how it is interpreted.
While I cannot personally think of a specific risk in this case, I would be
inclined not to include this mode unless there is a strong driving need
from our users. While I have definitely seen people not knowing if their
data was encrypted with KW or KW+PKCS5/7, I haven't personally seen
uncertainty between KW and KWP. (I also haven't worked with all possible
HSMs, just a few of them.)  So, from a position of caution, I'd avoid
"AutoPadding", but this is a preference based on current best-practice
rather than a strong objection based on specific concerns or risks.

Thank you,
Greg

On Sat, Apr 3, 2021 at 4:38 PM Michael StJohns <mstjohns at comcast.net> wrote:

> On 4/3/2021 11:35 AM, Greg Rubin wrote:
> > I'd advise against the AutoPadding scheme without more careful analysis
> and discussion. Have we seen either KW or KWP specifications which
> recommend that behavior?
> >
> > My concern is that we've seen cases before where two different
> cryptographic algorithms could be selected transparently upon decryption
> and it lowers the security of the overall system. (A variant of in-band
> signalling.) The general consensus that I've been seeing in the (applied)
> cryptographic community is strongly away from in-band signalling and
> towards the decryptor fully specifying the algorithms and behavior prior to
> attempting decryption.
>
> I think this is in response to my comment?
>
> The wrap function can take a Key as an input and can have the unwrap
> method produce a Key as an output - indeed it should be used primarily
> for this rather than the more general encrypt/decrypt functions.  The
> problem is that the encoding of the key may not be known prior to the
> attempt to wrap it - hence it's not known whether or not padding need be
> applied.  This is especially problematic with HSMs.  Providing an
> AutoPadding mode would allow the wrapping algorithm to decide whether to
> use either of the RFC 3394 (AKA KW) Integrity Check Value (ICV) or the
> RFC5649 (aka KWP) value and padding length.
>
> The key thing to remember here is that the IV (initial value - RFC
> language) /ICV (integrity check value - NIST language)actually isn't an
> IV(initialization vector) in the ordinary meaning, it's a flag, padding
> and integrity indicator and will be fixed for all keys of the same
> length that use the specified values.   E.g. unlike other modes that
> require an initialization vector, you don't need to know the ICV to
> decrypt the underlying key stream, but you can  (and for that matter
> MUST) easily test the recovered first block against the expected ICV to
> determine whether the output needs padding removed or not.
>
> FWIW, the actual cryptographic operations between padded data and
> non-padded data (of the right multiple length) are identical. It's only
> the pre or post processing that's looking for different data.
>
> Obviously, this doesn't work if someone provides their own IV - but
> that's fairly unlikely.  CF CCM and its non-normative example formatting
> function appendix A -  each and every implementation I've seen uses that
> formatting function, even though it isn't actually required by the
> standard.  I'd be surprised if anyone decided to use a different set of
> non-standard IV values.
>
> If an AutoPadding mode were implemented, I'd throw exceptions if someone
> tried to set the IV.
>
> Later, Mike
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20210407/f47a485a/attachment.htm>


More information about the security-dev mailing list