http://en.zaoniao.it/index.php?action=history&feed=atom&title=Key_WrapKey Wrap - Revision history2026-05-15T07:34:07ZRevision history for this page on the wikiMediaWiki 1.32.0http://en.zaoniao.it/index.php?title=Key_Wrap&diff=5622&oldid=prevAdmin: Created page with "'''Key Wrap''' constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wra..."2019-06-07T05:38:01Z<p>Created page with "'''Key Wrap''' constructions are a class of <a href="/index.php?title=Symmetric_encryption&action=edit&redlink=1" class="new" title="Symmetric encryption (page does not exist)">symmetric encryption</a> algorithms designed to <a href="/index.php?title=Key_encapsulation&action=edit&redlink=1" class="new" title="Key encapsulation (page does not exist)">encapsulate</a> (encrypt) cryptographic key material. The Key Wra..."</p>
<p><b>New page</b></p><div>'''Key Wrap''' constructions are a class of [[symmetric encryption]] algorithms designed to [[key encapsulation|encapsulate]] (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks. The constructions are typically built from standard primitives such as [[block cipher]]s and [[cryptographic hash function]]s.<br />
<br />
Key Wrap may be considered as a form of [[key encapsulation]] algorithm, although it should not be confused with the more commonly known ''asymmetric'' (public-key) [[key encapsulation]] algorithms (e.g., [[PSEC-KEM]]). Key Wrap algorithms can be used in a similar application: to securely transport a session key by encrypting it under a long-term encryption key.<br />
<br />
==Background==<br />
<br />
In the late 1990s, the [[National Institute of Standards and Technology]] (NIST) posed the "Key Wrap" problem: to develop secure and efficient cipher-based key encryption algorithms. The resulting algorithms would be formally evaluated by NIST, and eventually approved for use in NIST-certified cryptographic modules. NIST did not precisely define the security goals of the resulting algorithm, and left further refinement to the algorithm developers. Based on the resulting algorithms, the design requirements appear to be (1) confidentiality, (2) integrity protection (authentication), (3) efficiency, (4) use of standard (approved) underlying primitives such as the [[Advanced Encryption Standard]] (AES) and the Secure Hash Algorithm ([[SHA-1]]), and (5) consideration of additional circumstances (e.g., resilience to operator error, low-quality random number generators). Goals (3) and (5) are particularly important, given that many widely deployed [[authenticated encryption]] algorithms (e.g., AES-CCM) are already sufficient to accomplish the remaining goals.<br />
<br />
[[Image:NIST_AES_key_wrap.png|thumb|right|NIST AES Key Wrap Specification]]<br />
<br />
Several constructions have been proposed. These include:<br />
<br />
* ''[http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf AES Key Wrap Specification]'' (November 2001)<br />
* [http://eprint.iacr.org/2004/340.pdf American Standards Committee ANSX9.102], which defines four algorithms:<br />
** AESKW (a variant of the ''AES Key Wrap Specification'')<br />
** TDKW (similar to AESKW, built from [[Triple DES]] rather than AES).<br />
** AKW1<br />
** AKW2<br />
<br />
Each of the proposed algorithms can be considered as a form of [[authenticated encryption]] algorithm providing confidentiality for highly [[entropic security|entropic]] messages such as cryptographic keys. The AES Key Wrap Specification, AESKW, TDKW, and AKW1 are intended to maintain confidentiality under [[adaptive chosen ciphertext attack]]s, while the AKW2 algorithm is designed to be secure only under known-plaintext (or weaker) attacks. (The stated goal of AKW2 is for use in legacy systems and computationally limited devices where use of the other algorithms would be impractical.) AESKW, TDKW and AKW2 also provide the ability to authenticate cleartext "header", an associated block of data that is not encrypted.<br />
<br />
[[Phillip Rogaway|Rogaway]] and Shrimpton evaluated the design of the ANSX9.102 algorithms with respect to the stated security goals. Among their general findings, they noted the lack of clearly stated design goals for the algorithms, and the absence of security proofs for all constructions.<br />
<br />
In their paper, [[Phillip Rogaway|Rogaway]] and Shrimpton proposed a provable key-wrapping algorithm (SIV—the Synthetic Initialization Vector mode) that authenticates and encrypts an arbitrary string and authenticates, <br />
but does not encrypt, additional data which can be bound into the wrapped key. This has been standardized as a <br />
new AES mode in RFC 5297.<br />
<br />
==See also==<br />
* [[Authenticated encryption]]<br />
* [[Deterministic encryption]]<br />
* [[Key management]]<br />
* [[Offline private key protocol]]<br />
<br />
==Source==<br />
<br />
[http://wikipedia.org/ http://wikipedia.org/]<br />
[[Category:Cryptographic algorithms]]</div>Admin