Am Mittwoch, 22. April 2015, 14:23:04 schrieb Stephan Mueller: Hi, > Am Mittwoch, 22. April 2015, 14:13:54 schrieb Herbert Xu: > > Hi Herbert, > > > On Wed, Apr 22, 2015 at 01:53:24PM +0800, Herbert Xu wrote: > > > On Wed, Apr 22, 2015 at 06:36:59AM +0200, Stephan Mueller wrote: > > > > The key wrapping is an authenticated encryption operation without > > > > associated data. Therefore, setting of AAD is permissible, but that > > > > data > > > > is not used by the cipher implementation. > > > > > > In that case you should return an error if AAD is provided rather > > > than silently discarding them since by definition AEAD must include > > > the AAD in the integrity value. > > > > In fact drop the AEAD altogether and just use ablkcipher. The > > integrity value is then simply the output IV. > > Initially I was playing with ablkcipher. But then I moved to AEAD because > the ciphertext is longer than the plaintext. > > Isn't it a basic assumption to ablkcipher is that the ciphertext is equal in > size as the plaintext? One more issue to consider: the key wrapping is an authenticated encryption / decryption. Thus, decryption can return EBADMSG, a feature a normal blkcipher does not do. Key wrap is more than a blkcipher, but less than an AEAD. Thus, I would consider the key wrapping as a speciality of AEAD where the "AD" part is simply NULL (a valid use case of the "regular" AEAD ciphers). -- Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
