Adding difference between NIST standard and RFC for KeyWrap.
NOKEYCHECK=True PiperOrigin-RevId: 265045010 GitOrigin-RevId: e6a7420bac93cc3e0e610f8f511a3c5f36309f7f
This commit is contained in:
@@ -21,6 +21,14 @@ of an "ideal pseudorandom permutation" without a precise definition.
|
||||
|
||||
{style="display:block;margin:auto"}
|
||||
|
||||
# Ambiguities
|
||||
|
||||
There are some minor differences between NIST SP 800 38f and the RFCs.
|
||||
NIST does not define a KWP when the wrapped key is 64-bits long. RFC 3394
|
||||
specifies in Section 2, that the input for the key wrap algorithm must be at
|
||||
least two blocks and otherwise the constant field and key are simply encrypted
|
||||
with ECB as a single block.
|
||||
|
||||
# Padding oracles (KWP)
|
||||
|
||||
Keys wrapped with KWP are padded before the wrapping. The padding of a key K has
|
||||
|
||||
Reference in New Issue
Block a user