New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: x/crypto: add support for AES Key Wrap #27599
Comments
@bdhess Any chance you've open-sourced your implementation in the mean time? |
We released the variant with padding in tink-crypto/tink@22467ef Note that the Tink implementation is fairly opinionated: no 192-bit wrapping keys, and wrapped keys must be between 16 and 8192 bytes inclusive. |
Awesome, thanks! |
/cc @FiloSottile |
This proposal has been added to the active column of the proposals project |
ping @FiloSottile |
1 similar comment
ping @FiloSottile |
AES Key Wrap is a weird legacy mode. It had completely undefined requirements, and when Rogaway looked at formalizing some he came up with SIV, a much better alternative. https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf Practically, KW is slow and bizarre: two rounds of it would be a SIV mode with not-fantastic bounds due to the 64-bit blocks. For some reason, KW runs six rounds, because why not. This works out to twelve AES compressions per 128-bit block, which is going to be at least ten times slower than any reasonable alternative. In terms of things I'd like to steer users who want deterministic encryption towards, I'd much rather have a real SIV mode like AES-GCM-SIV. In terms of compatibility, this issue only got seven 👍 in two years, and the two third-party implementations It's also a very very simple mode to implement, so I am not concerned about the quality of third-party implementations. I think this is a good fit for a third-party module, not x/crypto. |
Based on the discussion above, this proposal seems like a likely decline. |
No change in consensus, so declined. |
Curiously enough, CryptoKit just added KeyWrap support. It's not enough to reconsider the decision, but I wonder why. https://developer.apple.com/documentation/cryptokit/aes/keywrap |
@FiloSottile while AES KW may be "weird legacy", it is one of the algorithms in JWA (https://www.rfc-editor.org/rfc/rfc7518.html#section-4.4) which is used to make encrypted JWTs (i.e. JWEs)... and I am taking a wild guess here but that is probably why its now in cryptokit. Also, the two third-party implementations you mention above are not quite identical. |
AES Key Wrap is defined in RFC 3394 (plain) and RFC 5649 (with padding).
The implementation is straightforward and the relevant RFCs come with test vectors. I have an implementation complete that I'd be happy to submit. I'd suggest adding it to a package named
x/crypto/aeswrap
to avoid confusion with the AES data encryption functionality incrypto/aes
.The text was updated successfully, but these errors were encountered: