
Re: Review of draft-zorn-radius-keywrap



Dan Harkins wrote:
>   Neither AES Key Wrap nor (D)TLS are "signature methods". AES Key Wrap
> is providing an integrity check and confidentiality only on a random key.

  The document contains a Message-Authentication-Code attribute, which
is defined as:

   This Attribute MAY be used to "sign" messages ...

  The following text describes an "ad hoc" method for signing packets.
It is not based on keywrap.

  Perhaps you haven't read the document, or you didn't notice the pages
of text talking about a new packet signature method?

> This technique is now new; it's used in 802.11 (you should note that
> the draft in question pre-dates the "guidelines" document).

  I'm suitably impressed with this irrelevant fact.

>   AES Key Wrap has received quite a bit of analysis. There is a very
> good critique of it in "Deterministic Authenticated Encryption: A
> Provable Security Treatment of the Key Wrap Problem" by Rogaway and
> Shrimpton available at:
> 
>             http://web.cecs.pdx.edu/~teshrim/keywrap.pdf

  Which is not referenced anywhere in the document.

  In fact, there is *no* reference in the document to any security
analysis, origin, or history of the "keywrap" method.  The *only*
reference to "keywrap" is in the document title.

  Given the document *on its face*, the authors have given us every
reason to believe that the cryptographic methods described in it were
invented solely for this specification.

  Alan DeKok.

--
archive: <http://psg.com/lists/radiusext/>