Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

proposal: x/crypto: add support for AES Key Wrap #27599

Closed
bdhess opened this issue Sep 10, 2018 · 12 comments
Closed

proposal: x/crypto: add support for AES Key Wrap #27599

bdhess opened this issue Sep 10, 2018 · 12 comments
Labels
FrozenDueToAge Proposal Proposal-Crypto Proposal related to crypto packages or other security issues
Projects
Proposals (old)
Milestone
Proposal

Comments

@bdhess
Copy link

bdhess commented Sep 10, 2018

AES Key Wrap is defined in RFC 3394 (plain) and RFC 5649 (with padding).

The implementation is straightforward and the relevant RFCs come with test vectors. I have an implementation complete that I'd be happy to submit. I'd suggest adding it to a package named x/crypto/aeswrap to avoid confusion with the AES data encryption functionality in crypto/aes.
@gopherbot gopherbot added this to the Proposal milestone Sep 10, 2018
@rsc rsc added the Proposal-Crypto Proposal related to crypto packages or other security issues label Sep 19, 2018
@FiloSottile FiloSottile mentioned this issue Feb 8, 2019
Closed
@jefferai
Copy link

@bdhess Any chance you've open-sourced your implementation in the mean time?

@bdhess
Copy link
Author

bdhess commented Jun 10, 2019
edited

We released the variant with padding in tink-crypto/tink@22467ef

Note that the Tink implementation is fairly opinionated: no 192-bit wrapping keys, and wrapped keys must be between 16 and 8192 bytes inclusive.

@jefferai
Copy link

Awesome, thanks!

@ianlancetaylor ianlancetaylor added this to Incoming in Proposals (old) Jan 6, 2021
@rsc
Copy link
Contributor

rsc commented Jan 13, 2021

/cc @FiloSottile

@rsc rsc moved this from Incoming to Active in Proposals (old) Jan 13, 2021
@rsc
Copy link
Contributor

rsc commented Jan 13, 2021

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@rsc rsc mentioned this issue Jan 13, 2021
Open
@rsc
Copy link
Contributor

rsc commented Jan 20, 2021

ping @FiloSottile

1 similar comment
@rsc
Copy link
Contributor

rsc commented Feb 17, 2021

ping @FiloSottile

@FiloSottile
Copy link
Contributor

AES Key Wrap is a weird legacy mode. It had completely undefined requirements, and when Rogaway looked at formalizing some he came up with SIV, a much better alternative. https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf

Practically, KW is slow and bizarre: two rounds of it would be a SIV mode with not-fantastic bounds due to the 64-bit blocks. For some reason, KW runs six rounds, because why not. This works out to twelve AES compressions per 128-bit block, which is going to be at least ten times slower than any reasonable alternative.

In terms of things I'd like to steer users who want deterministic encryption towards, I'd much rather have a real SIV mode like AES-GCM-SIV. In terms of compatibility, this issue only got seven 👍 in two years, and the two third-party implementations github.com/NickBall/go-aes-key-wrap@v0.0.0-20170929221519-1c3aa3e4dfc5 (unpadded) and github.com/google/tink/go/kwp/subtle@v1.5.0 (padded) have three and one importer, respectively.

It's also a very very simple mode to implement, so I am not concerned about the quality of third-party implementations.

I think this is a good fit for a third-party module, not x/crypto.

@rsc rsc moved this from Active to Likely Decline in Proposals (old) Mar 24, 2021
@rsc
Copy link
Contributor

rsc commented Mar 24, 2021

Based on the discussion above, this proposal seems like a likely decline.
— rsc for the proposal review group

@rsc rsc moved this from Likely Decline to Declined in Proposals (old) Apr 1, 2021
@rsc
Copy link
Contributor

rsc commented Apr 1, 2021

No change in consensus, so declined.
— rsc for the proposal review group

@rsc rsc closed this as completed Apr 1, 2021
@FiloSottile
Copy link
Contributor

Curiously enough, CryptoKit just added KeyWrap support. It's not enough to reconsider the decision, but I wonder why.

https://developer.apple.com/documentation/cryptokit/aes/keywrap

@omz13
Copy link

omz13 commented Nov 17, 2021
edited

@FiloSottile while AES KW may be "weird legacy", it is one of the algorithms in JWA (https://www.rfc-editor.org/rfc/rfc7518.html#section-4.4) which is used to make encrypted JWTs (i.e. JWEs)... and I am taking a wild guess here but that is probably why its now in cryptokit.

Also, the two third-party implementations you mention above are not quite identical. NickBall/go-aes-key-wrap does Key Wrapping per RFC 3394 / KW from NIST 800-38F whereas google/tink/go/kwp/subtle does KWP from NIST 800-38F. That unpadded/padded distinction is very subtle and quite unobvious if coming from the RFC instead of the NIST document.

@golang golang locked and limited conversation to collaborators Nov 17, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge Proposal Proposal-Crypto Proposal related to crypto packages or other security issues
Projects
No open projects
Proposals (old)
Declined
Milestone
Proposal
Development

No branches or pull requests
6 participants
@jefferai @omz13 @rsc @FiloSottile @bdhess @gopherbot