> From: owner-openssl-us...@openssl.org On Behalf Of pkumarn
> Sent: Monday, 26 March, 2012 01:52

> I was going through the RFC of AES and it does say we get the IV upon
> unwrapping. Check the below link
> http://www.ietf.org/rfc/rfc3394.txt

Not really. 2.2.3 says 
   .... In the final step of the unwrapping
   process, the recovered value of A[0] is compared to the expected
   value of A[0].  If there is a match, the key is accepted as valid,
   and the unwrapping algorithm returns it.  If there is not a match,
   then the key is rejected, and the unwrapping algorithm returns an
   error.

and this is what OpenSSL implements. It doesn't say that 
the IV is returned to the caller or can be used in any way 
except comparing to the expected value (which necessarily 
must be known in order to be expected).

This is an example of now-conventional practice in crypto design.
There have been a number of attacks, including on fielded systems, 
which succeeded because of error 'details' being available -- 
deliberately or accidentally -- to the attacker, so in the 
last several years designers have generally moved to 
returning only success/fail and nothing else, even in cases 
where it appears not to matter and maybe actually doesn't.

However, on re-looking at this algorithm, it does *multiple* 
passes of reversible-half-CBCish, which should block the types 
of attacks I can easily think of -- and although I don't claim 
to know all by a long shot, if it was indeed blessed by NIST as 
the RFC suggests (I don't have time to track down) I'd trust 
them that it does provide satisfactory integrity protection.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

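For anyone following the thread who wants to see exactly where the A[0] comparison from section 2.2.3 happens, here is an added example (my own code, written for this reply; it is not from OpenSSL and not from the RFC) that implements the RFC 3394 index-based wrap and unwrap on top of Go's standard crypto/aes. The function names Wrap, Unwrap and ErrIntegrity are my choice. The KEK and key data in main are the section 4.1 test vector from the RFC; the point to watch is that Unwrap compares the recovered A against the fixed IV and then returns either the key or a bare error, never the recovered A itself, which is what the success/fail-only design discussed above looks like in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// defaultIV is the fixed initial value from RFC 3394 section 2.2.3.1.
var defaultIV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// ErrIntegrity is the only thing the unwrap side reports when the A[0]
// check fails. It deliberately carries no information about the
// recovered value, matching the RFC's "returns an error" wording.
var ErrIntegrity = errors.New("aes-keywrap: integrity check failed")

// ErrLength is returned for inputs that are not n 64-bit blocks; this is
// a property of the public ciphertext, so reporting it leaks nothing.
var ErrLength = errors.New("aes-keywrap: input must be a multiple of 8 bytes")

// xorCounter XORs the big-endian 64-bit step counter t into a (the "^ t"
// step of the RFC).
func xorCounter(a *[8]byte, t uint64) {
	var tb [8]byte
	binary.BigEndian.PutUint64(tb[:], t)
	for k := range a {
		a[k] ^= tb[k]
	}
}

// Wrap implements RFC 3394 section 2.2.1 (index-based form).
// plaintext must be n*8 bytes with n >= 2.
func Wrap(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext) < 16 || len(plaintext)%8 != 0 {
		return nil, ErrLength
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := defaultIV                    // A = IV
	r := make([]byte, len(plaintext)) // R[1..n] packed back to back
	copy(r, plaintext)
	var b [16]byte
	for j := 0; j <= 5; j++ {
		for i := 1; i <= n; i++ {
			copy(b[:8], a[:])
			copy(b[8:], r[(i-1)*8:i*8])
			block.Encrypt(b[:], b[:]) // B = AES(K, A | R[i])
			copy(a[:], b[:8])         // A = MSB(64, B) ^ t
			xorCounter(&a, uint64(n*j+i))
			copy(r[(i-1)*8:i*8], b[8:]) // R[i] = LSB(64, B)
		}
	}
	out := make([]byte, 0, 8+len(r))
	out = append(out, a[:]...) // C[0] = A
	return append(out, r...), nil
}

// Unwrap implements RFC 3394 section 2.2.2 and the 2.2.3 integrity check.
// On failure it returns (nil, ErrIntegrity) and nothing else.
func Unwrap(kek, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 24 || len(ciphertext)%8 != 0 {
		return nil, ErrLength
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1
	var a [8]byte
	copy(a[:], ciphertext[:8]) // A = C[0]
	r := make([]byte, n*8)
	copy(r, ciphertext[8:])
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			xorCounter(&a, uint64(n*j+i)) // (A ^ t)
			copy(b[:8], a[:])
			copy(b[8:], r[(i-1)*8:i*8])
			block.Decrypt(b[:], b[:]) // B = AES-1(K, (A ^ t) | R[i])
			copy(a[:], b[:8])
			copy(r[(i-1)*8:i*8], b[8:])
		}
	}
	// The 2.2.3 check: compare recovered A[0] with the expected IV. The
	// recovered value is never handed back; a constant-time compare keeps
	// the comparison itself from being a timing side channel.
	if subtle.ConstantTimeCompare(a[:], defaultIV[:]) != 1 {
		return nil, ErrIntegrity
	}
	return r, nil
}

func main() {
	// RFC 3394 section 4.1 vector: 128-bit key data wrapped with a 128-bit KEK.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	key, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	c, err := Wrap(kek, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped:   %X\n", c)
	p, err := Unwrap(kek, c)
	fmt.Printf("unwrapped: %X err=%v\n", p, err)
	c[9] ^= 0x01 // flip one bit of R[1]; all the caller learns is ErrIntegrity
	p, err = Unwrap(kek, c)
	fmt.Printf("tampered:  %X err=%v\n", p, err)
}
```

Run as-is and the first line printed is the RFC's expected ciphertext 1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5; the tampered call prints an empty key and the integrity error. If you want the IV-as-AAD usage some deployments do, the change is a caller-supplied 8-byte value in place of defaultIV on both sides, but the unwrap side still only answers match or no match.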