On Mon, Mar 26, 2012 at 1:49 AM, Prashanth kumar N <prashanth.kuma...@gmail.com> wrote:

> [SNIP]
>
> <<>> : In my case, I would be storing the wrapped key and
> not the original key. So when the user tries to decrypt the wrapped key,
> he would get the original key, but how do I make sure that is the right
> key? So the suggestion is to see if I can get the same IV I have used
> to encrypt, which indirectly proves that the key decrypted is the right one.

No, you should not do this. The Handbook of Applied Cryptography specifically warns against the "meaningful decrypted text" syndrome. From page 364:
"A common misconception is that encryption provides data origin authentication and data integrity, under the argument that if a message is decrypted with a key shared only with party A, and the message is meaningful, then it must have originated from A."

>> Even if you could recover the IV instead of supplying it,
>> as this wrap algorithm *could* do (unlike normal CBC etc.),
>> it doesn't prove the unwrapped=decrypted key is correct.
>> CBC modes are often vulnerable to blockwise attacks
>> (although I haven't worked out this one specifically).
>> In general most encryption schemes don't attempt to provide
>> integrity protection and shouldn't be relied on for that;

If your scheme is not authenticating its data, then your scheme is probably broken. In-memory keys might have a different threat model, so that the attacker never gets access to a program's memory. But then it begs the question: why wrap at all?

Padding oracles and the BEAST attack are possible because the encryption system is broken. They were not using authenticated encryption properly. I'd encourage folks who are combining primitives (AES, HMACs, or using 'padding' as an authentication tag) to review Hugo Krawczyk's 2001 paper, "The Order of Encryption and Authentication for Protecting Communications."

From the Krawczyk paper, we learned SSH was broken, and SSL could be broken under the right circumstances. The only protocol which was provably correct was IPSec.
The folks who are using "padding" as an authentication tag remind me of these comments (they are actually doing a bit worse than described):

"...people had been doing rather poorly when they tried to glue together a traditional (privacy-only) encryption scheme and a message authentication code (MAC)" - Bellare, Rogaway, and Wagner in "A Conventional Authenticated-Encryption Mode"

and

"...it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes" - Kohno, Viega, Whiting in "The CWC Authenticated Encryption (Associated Data) Mode."

Jeff
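Jeff's point about authenticating the wrapped key, as an added illustration that is not part of the thread (Python, standard library only): an encrypt-then-MAC key wrap where the HMAC tag, not a recovered IV or a "meaningful" plaintext, decides whether the unwrapped key is trusted. Assumptions: HMAC-SHA256 in counter mode stands in for the block cipher so the example runs without a crypto library, and the KEK, wrapped key and subkey labels are constructed values.

```python
import hashlib
import hmac
import os

IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def _subkeys(kek: bytes) -> tuple:
    # Derive independent encryption and MAC keys from the key-encryption key.
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    # CTR-style keystream from HMAC-SHA256 used as a PRF (stand-in for AES).
    blocks = [hmac.new(enc_key, iv + n.to_bytes(4, "big"), hashlib.sha256).digest()
              for n in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(kek: bytes, key: bytes, iv: bytes = None) -> bytes:
    # Encrypt-then-MAC: the tag covers IV and ciphertext, never the plaintext key.
    enc_key, mac_key = _subkeys(kek)
    iv = iv if iv is not None else os.urandom(IV_LEN)
    ct = _xor(key, _keystream(enc_key, iv, len(key)))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def decrypt_only(kek: bytes, blob: bytes) -> bytes:
    # Privacy-only unwrap: ANY KEK yields plausible-looking key bytes, so there
    # is nothing "meaningful" to check. This is the trap the thread warns about.
    enc_key, _ = _subkeys(kek)
    iv, ct = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN]
    return _xor(ct, _keystream(enc_key, iv, len(ct)))


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time BEFORE touching the ciphertext.
    enc_key, mac_key = _subkeys(kek)
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed authentication")
    return _xor(ct, _keystream(enc_key, iv, len(ct)))
```

With the wrong KEK, `decrypt_only` still returns 32 bytes that are a perfectly valid-looking key, while `unwrap_key` rejects both a wrong KEK and a single flipped ciphertext bit before any key material is released.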