
Re: Review of draft-zorn-radius-keywrap



  Hello,

On Tue, December 14, 2010 8:32 am, Alan DeKok wrote:
>   This is a review of the draft-zorn-radius-keywrap document.
>
>   First off, as co-author of the "Guidelines" document, most of the
> comments below come straight from that document.
>
>   The keywrap document defines a new RADIUS packet signature method, at
> a time when TLS and DTLS transport have been worked on for a number of
> years.  This new signature method has had little security analysis, in
> contrast to TLS.

  Neither AES Key Wrap nor (D)TLS are "signature methods". AES Key Wrap
is providing an integrity check and confidentiality only on a random key.
This technique is not new; it's used in 802.11 (you should note that
the draft in question pre-dates the "guidelines" document).

  AES Key Wrap has received quite a bit of analysis. There is a very
good critique of it in "Deterministic Authenticated Encryption: A
Provable Security Treatment of the Key Wrap Problem" by Rogaway and
Shrimpton available at:

            http://web.cecs.pdx.edu/~teshrim/keywrap.pdf

  regards,

  Dan.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>