Abstract
Key wrapping schemes are used to encrypt data of high entropy, such as cryptographic keys. There are two known security definitions for key wrapping schemes. One captures the security against chosen plaintext attacks (called DAE-security), and the other captures known plaintext attacks (called AKW-security). In this paper, we revisit the security of Hash-then-CBC key wrapping schemes. At SKEW 2011, Osaki and Iwata showed that the U CC -then-CBC key wrapping scheme, a key wrapping scheme that uses the U CC hash function and the CBC mode, has provable AKW-security. In this paper, we show that the scheme achieves the stronger notion of DAE-security. We also show our proof in the variable input length setting, where the adversary is allowed making queries of varying lengths. To handle such a setting, we generalize the previous definition of the U CC hash function to the variable input length setting, and show an efficient construction that meets the definition. We next consider linear-then-CBC, 2nd-preimage-resistant-then-CBC, and universal-then-CBC schemes. At SAC 2009, Gennaro and Halevi noted that these schemes do not achieve DAE-security. However, details were not presented, and we show concrete and efficient chosen plaintext attacks on these schemes, and confirm that they do not achieve DAE-security.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
ANSI: Symmetric Key Cryptography for the Financial Services Industry — Wrapping of Keys and Associated Data. X9.102 (2008)
Bellare, M., Kilian, J., Rogaway, P.: The Security of the Cipher Block Chaining Message Authentication Code. J. Comput. Syst. Sci. 61(3), 362–399 (2000)
Bellare, M., Rogaway, P.: The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006)
Carter, L., Wegman, M.N.: Universal Classes of Hash Functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)
Chakraborty, D., Mancillas-Lopez, C.: Double Ciphertext Mode: A Proposal for Secure Backup. Cryptology ePrint Archive, Report 2010/369 (2010), http://eprint.iacr.org/
Dworkin, M.: Request for Review of Key Wrap Algorithms. Cryptology ePrint Archive, Report 2004/340 (2004), http://eprint.iacr.org/
Gennaro, R., Halevi, S.: More on key wrapping. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 53–70. Springer, Heidelberg (2009)
Halevi, S., Krawczyk, H.: One-pass HMQV and Asymmetric Key-Wrapping. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 317–334. Springer, Heidelberg (2011)
Hoyer, P., Pei, M., Machani, S.: Portable Symmetric Key Container (PSKC) (2010)
Iwata, T., Yasuda, K.: BTM: A Single-Key, Inverse-Cipher-Free Mode for Deterministic Authenticated Encryption. In: Jacobson Jr., M.J., Rijmen, V., Safavi-Naini, R. (eds.) SAC 2009. LNCS, vol. 5867, pp. 313–330. Springer, Heidelberg (2009)
Iwata, T., Yasuda, K.: HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 394–415. Springer, Heidelberg (2009)
Luby, M., Rackoff, C.: How to Construct Pseudorandom Permutations from Pseudorandom Functions. SIAM J. Comput. 17(2), 373–386 (1988)
NIST: Recommendation for Block Cipher Modes of Operation, Methods and Techniques (2001)
OASIS: Key Management Interoperability Protocol Specification Version 1.0 (2010)
Osaki, Y., Iwata, T.: Further More on Key Wrapping. In: Symmetric Key Encryption Workshop, SKEW (2011), http://skew2011.mat.dtu.dk/
Rogaway, P., Shrimpton, T.: Cryptographic Hash-Function Basics: Definitions, Implications, and Separations for Preimage Resistance, Second-Preimage Resistance, and Collision Resistance. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 371–388. Springer, Heidelberg (2004)
Rogaway, P., Shrimpton, T.: A Provable-Security Treatment of the Key-Wrap Problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Osaki, Y., Iwata, T. (2011). Security of Hash-then-CBC Key Wrapping Revisited. In: Chen, L. (eds) Cryptography and Coding. IMACC 2011. Lecture Notes in Computer Science, vol 7089. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25516-8_25
Download citation
DOI: https://doi.org/10.1007/978-3-642-25516-8_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25515-1
Online ISBN: 978-3-642-25516-8
eBook Packages: Computer ScienceComputer Science (R0)