[Cryptography] Should we always KeyWrap, even with Key Recovery?

Phillip Hallam-Baker phill at hallambaker.com
Tue Dec 27 12:07:32 EST 2016


I am just working on some code and it occurs to me that the use of RSA to
encrypt data under a session key might give an attacker more leverage than
we need to allow.

With RSA we typically generate a random session key and encrypt that. The
counterparty decrypts the blob to recover the key. If there are n
counterparties there are n different encryptions of the same data under
different RSA keys.

With DH we don't encrypt, we have a key agreement. If we have only one
counterparty then we can perform the key agreement and use the result to
generate the session key, preferably involving some sort of digest step. If
however we have more than one recipient, we have to wrap the session key
using the result of the key agreement.

It seems to me that the second approach is a lot more robust in the case of
related key attacks. It also provides a much more straightforward defense
against the types of attack Rogaway identified.
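The two patterns described above, as an added example that is not code from the post or its author: a per-recipient X25519 agreement whose result goes through a digest step (HKDF-SHA256) to produce a key-encryption key, which then wraps one shared content key with AES-256-GCM. A fresh ephemeral key is generated for each recipient, so n recipients produce n unrelated KEKs rather than n encryptions of one value under fixed keys, and both public keys are bound into the derivation so a wrapped blob cannot be moved to another recipient's slot. The single-recipient case is the same HKDF step applied to the agreement output directly, with no wrap. The `example-kek-v1` label and all key material are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Derivation label constructed for this example, not taken from any standard.
const kekInfo = "example-kek-v1"

// hkdfSHA256 is HKDF (RFC 5869) extract-then-expand for one 32-byte output,
// written inline so the block needs only the standard library.
func hkdfSHA256(ikm, info []byte) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // default salt: HashLen zeros
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{1}) // T(1) = HMAC(PRK, info || 0x01)
	return exp.Sum(nil)
}

// WrappedKey is what the sender publishes per recipient: the one-time X25519
// public key and the AES-256-GCM encryption of the content key (tag appended).
type WrappedKey struct{ EphemeralPub, Nonce, Ciphertext []byte }

// kekAEAD runs X25519, derives the key-encryption key with both public keys in
// the HKDF info (so a blob cannot be moved to another recipient's slot), and
// returns AES-256-GCM keyed with the result.
func kekAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub, recipPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	info := append(append([]byte(kekInfo), ephPub...), recipPub...)
	block, err := aes.NewCipher(hkdfSHA256(shared, info))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapForRecipient uses a fresh ephemeral key per recipient, so n recipients
// see n unrelated KEKs rather than n encryptions of one value under fixed keys.
func WrapForRecipient(cek []byte, recipient *ecdh.PublicKey) (WrappedKey, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return WrappedKey{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	aead, err := kekAEAD(eph, recipient, ephPub, recipient.Bytes())
	if err != nil {
		return WrappedKey{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return WrappedKey{}, err
	}
	// The ephemeral public key rides along as authenticated associated data.
	return WrappedKey{ephPub, nonce, aead.Seal(nil, nonce, cek, ephPub)}, nil
}

// UnwrapAsRecipient recomputes the KEK from the recipient's static key; a wrong
// key or any tampering fails the GCM tag check instead of returning garbage.
func UnwrapAsRecipient(w WrappedKey, recipPriv *ecdh.PrivateKey) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(w.EphemeralPub)
	if err != nil {
		return nil, err
	}
	aead, err := kekAEAD(recipPriv, ephPub, w.EphemeralPub, recipPriv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, w.Nonce, w.Ciphertext, w.EphemeralPub)
}

// EncryptToRecipients draws one random content key and wraps it once per
// recipient; the payload itself would then be encrypted under cek.
func EncryptToRecipients(recipients []*ecdh.PublicKey) ([]byte, []WrappedKey, error) {
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return nil, nil, err
	}
	wraps := make([]WrappedKey, 0, len(recipients))
	for _, r := range recipients {
		w, err := WrapForRecipient(cek, r)
		if err != nil {
			return nil, nil, err
		}
		wraps = append(wraps, w)
	}
	return cek, wraps, nil
}

func main() {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	cek, wraps, _ := EncryptToRecipients([]*ecdh.PublicKey{alice.PublicKey(), bob.PublicKey()})
	got, err := UnwrapAsRecipient(wraps[1], bob)
	fmt.Println("bob recovered the content key:", err == nil && string(got) == string(cek))
}
```

Because the wrap is an AEAD under a key that only the intended recipient can derive, a wrong recipient or a modified blob fails authentication rather than decrypting to an unrelated key, which is the property that makes the wrapped-key approach easier to reason about than n independent RSA encryptions of the same bytes.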