# password based key-wrap (Re: The Crypto Gardening Guide and Planting Tips)

Adam Back adam at cypherspace.org
Thu Feb 6 17:07:16 PST 2003

```Peter lists applied crypto problem in his "Crypto Gardening Guide" at:

http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt

One of the problems from the "Problems that Need Solving" section is:

> * A key wrap function where the wrapping key is derived from a
> password.  The requirements for this are subtly different from a
> straight symmetric key wrap in that the threat model is rather
> different.  For example a symmetric key wrap may use HMAC to ensure
> non-malleability, but for password-based key wrap this makes a
> dictionary attack rather easier (throw passwords at the HMAC,
> sidestepping the encrypted key altogether).  There exists a (ad-hoc)
> design that has rather limited non-malleability in order to avoid
> potential dictionary attacks.

I may not be fully understanding the problem spec: you want to encrypt
(wrap) a randomly generated key (a per message session key for
example) with a key derived from a password.

What would be wrong with using PBKDF2 (from PKCS #5 / RFC2898) as the
key derivation function to give you defense against dictionary attack.
(Allows choice of number of iterations to "stretch" the password,
allows a salt to frustrate precomputation.)

Why do you care about non-malleability of the key-wrap function?

If you do want non-malleability of th ekey-wrap function, isn't
encrypt and MAC a standard way to do this?

Then you would need two keys, and I presume it would make sense to
derive them (using KDF2 from IEEE P1363a) a start key:

sk = KDF2( password, salt, iterations )
ek = KDF( sk, specialization1 )
mk = KDF( sk, specialization2 )

and then AES in CBC mode with random IV encrypting with ek, with
appended HMAC with key mk.

That leaves the comment:

> but for password-based key wrap this makes a dictionary attack
> rather easier (throw passwords at the HMAC, sidestepping the
> encrypted key altogether).

but in this case the attacker could take his pick with no significant
advantage of either method:

- brute force passwords to get sk, derive ek from sk, decrypt the
wrapped key and use some knowledge about the plaintext encrypted with
the wrapped key to tell if the write password was chosen; or

- brute force passwords to get sk, derive mk from sk, and see if the
MAC is valid MAC of the ciphertext (presuming encrypt and then MAC)

Or is the problem that the above ensemble is ad-hoc (though using
standardised constructs).  Or just that the ensemble is ad-hoc and so
everyone will be forced to re-invent minor variations of it, with
varying degrees of security.

Adam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

```

More information about the cypherpunks-legacy mailing list