Am Dienstag, 28. April 2015, 09:09:41 schrieb Herbert Xu: Hi Herbert, > On Sun, Apr 26, 2015 at 12:07:31AM +0200, Stephan Mueller wrote: > > Hi, > > > > Please note that this patch will conflict with the DRBG patch for > > additional seeding sent earlier today. Both add test vectors in > > testmgr.c between the existing hmac() and lrw() due to the ordering > > requirements of testmgr.c. > > Can you clarify the use case of this algorithm? In particular, > who is going to use it in the kernel? This doesn't seem to be > a candidate for use via algif since there aren't any or aren't > likely going to be any hardware implementations. > > If we can narrow down who is going to use it perhaps we can then > figure out the appropriate interface for this. The use case I see goes along the lines of dm-crypt and Ext4 crypto, or ecryptfs: For the key wrapping they all do, I am thinking about suggesting KW as it has one advantage no other cipher currently has: it is an authenticated decryption where I still only need one symmetric key. Yes, KW is inefficient compared to other ciphers, but for handling small data blobs, it should be just fine. For example, dm-crypt: dm-crypt currently uses the same cipher used for the bulk encryption to wrap the LUKS header. Obviously we miss the authentication check of the data blob. So, we could use other authenticated schemas, like GCM or authenc(). But they all need either two keys or AAD for which the common mechanisms typically have no provisions. Therefore, KW is a drop-in replacement for standard symmetric ciphers where one want authentication as well. -- Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
