Key Wrap Cipher
As far as I understand the security white paper, 1Password uses AES GCM everywhere - also for key wrapping. Is that true? And if yes - why don't you use specialized key wrapping ciphers like AESKW?
Greetings,
Johannes
Comments
-
What do you believe the benefits of deploying AES in KW mode to be?
Some of the disadvantages that immediately spring to mind are:
- Very few developers choose to deploy it
- Little cryptanalysis has been performed
- It's extremely inefficient (bad for mobile)
- Keys have to be short (bad for security)
Its only relevant use is to prevent an adaptive chosen-ciphertext attack. The very nature of 1Password, and the use of 'nested' encryption keys, means this isn't a concern (if you're talking about the data within 1Password). If you're referring to the master password then this is protected with a PAKE for 1Password accounts.
AESKW byte size is deterministic and that's not a desirable property most of the time. (You can use SHA-256 to avoid this).
AESKW doesn't allow authentication without decryption.
Providing the nonce isn't reused then AES GCM is the best bet because it's easily implemented, has been very well studied (and withstood determined, expert cryptanalysis) and has low performance overheads.
If you're comfortable with simple maths, read this paper:
GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte
-
I think some of the points you mentioned are valid (like little cryptanalysis has been performed), some are not (Keys have to be short? How long do you want them to be? ).
But the biggest advantage of AESKW is that it does not depend on the quality of random data at all. And the security of AES GCM is 100% dependent on the quality of the random data. And I think that is the reason why specialized key wrapping algorithms exist. And GCM-SIV is also not widely adopted.
Furthermore, there are popular examples of AESKW being used, like in iOS security.
I just would like to know why AgileBits decided against it?
-
But the biggest advantage of AESKW is that it does not depend on the quality of random data at all. And the security of AES GCM is 100% dependent on the quality of the random data.
I know what you are trying to say, but we need to clarify what you mean by "random data" for that to make sense. GCM is harder to use securely, but we are already using GCM for everything else. So that advantage of KW doesn't apply in a system where GCM is already being used.
Outstanding question @johannesauer!
I just would like to know why AgileBits decided against it?
There is no "deep" answer to why we chose not to use KW. It's the same reason we use GCM-256 in places where we have 128 bit security (such as the ephemeral session keys used for SRP). It is so that we could say internally "this is how all symmetric encryption is to be done." We do AES-256-GCM right, and use it everywhere even where it is overkill.
-
But the biggest advantage of AESKW is that it does not depend on the quality of random data at all.
That's not entirely true. Whilst it will prevent a conventional algorithm substitution attack there are myriad other attacks which will fatally weaken AESKW where non-random data is used.
GCM-SIV is also not widely adopted
I quoted that paper not to advocate for GCM-SIV but to show you the obvious (when you look at the maths) weaknesses when using AESKW. :)
Furthermore, there are popular examples of AESKW being used, like in iOS security.
That's true but it's used for a different purpose and it's not a single point of failure. See RFC3394 for more information.
We do AES-256-GCM right, and use it everywhere even where it is overkill.
This is a fantastic answer.
It's very easy for a reviewer to check that it's done right and I like that 1Password uses a greater than necessary margin of security.
I should add that AESKW implementations are more difficult to audit - another negative in my opinion.
-
:+1: :)
Ben