Re: Review of draft-zorn-radius-keywrap
Hello,
On Tue, December 14, 2010 8:32 am, Alan DeKok wrote:
> This is a review of the draft-zorn-radius-keywrap document.
>
> First off, as co-author of the "Guidelines" document, most of the
> comments below come straight from that document.
>
> The keywrap document defines a new RADIUS packet signature method, at
> a time when TLS and DTLS transport have been worked on for a number of
> years. This new signature method has had little security analysis, in
> contrast to TLS.
Neither AES Key Wrap nor (D)TLS are "signature methods". AES Key Wrap
is providing an integrity check and confidentiality only on a random key.
This technique is not new; it's used in 802.11 (you should note that
the draft in question pre-dates the "guidelines" document).
AES Key Wrap has received quite a bit of analysis. There is a very
good critique of it in "Deterministic Authenticated Encryption: A
Provable Security Treatment of the Key Wrap Problem" by Rogaway and
Shrimpton available at:
http://web.cecs.pdx.edu/~teshrim/keywrap.pdf
regards,
Dan.
--
archive: <http://psg.com/lists/radiusext/>