Symmetric key-wrapping algorithms

Overview

RustCrypto: Key Wrapping Functions


Collection of symmetric Key Wrapping Functions (KW) written in pure Rust.

About

"Key Wrapping" describes symmetric encryption algorithms designed for encrypting cryptographic key material under another symmetric key, known as a "Key-Encrypting-Key" (KEK).

They're intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks.

Supported Algorithms

Algorithm | Crate  | Crates.io | Documentation | MSRV
AES-KW    | aes-kw | crates.io | Documentation | 1.56

NOTE: for modern proven KWs (e.g. AES-SIV, AES-GCM-SIV), please see RustCrypto/AEADs

Minimum Supported Rust Version (MSRV) Policy

MSRV bumps are considered breaking changes and will be performed only with a minor version bump.

License

All crates licensed under either of

  • Apache License, Version 2.0
  • MIT license

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Comments
  • openssl key wrap differs

    openssl key wrap differs

    Hello, thank you for making the aes_kw library available!

    However, there might be an issue, or a lack of understanding on my side...
    I'm trying to upload an ed25519 key into HashiCorp Vault, using aes_kw to wrap the ed25519 signing key with AES256... Unfortunately, Vault is unable to unwrap the ed25519 key...

    Using the same ed25519 and AES256 keys, openssl produces a correct wrapping and Vault imports the key with no error. I'm not sure what the issue is; it very well could be "user error" :-).

    The attached code snippet outlines my expectations:

    ```rust
    const IN_ED25519: &str = "RWaT0oB0VB8e3v0MBesnwguR5b+gTeS/gFqALEDcmE+cRiE2qOeld+yiO+zyamGGGSBp3AcHNCFuewZqqxdRUw==";
    const IN_AES256: &str = "nB0HVnvTXp65QtpDsAM0vq2LI9G/wQGOhOQ04l1y2JM=";

    // openssl enc -id-aes256-wrap-pad -iv A65959A6 -K $( hexdump -v -e '/1 "%02x"' < "./in-aes-key.bin" ) -in "in-ed25519.bin" -out "out-wrapped-ed25519.bin"
    const WRAPPED_IN_ED_WITH_IN_AES: &str =
        "t1/OHaQBU7YjJrtNxYRGXkdURFRN2v2K5MzFzSOFK10Ek1KyGIW9GMoCy7jdpXJ88XMsyYgB0pk=";

    pub fn main() {
        // Decode the base64-encoded inputs (base64 crate 0.13 API).
        let in_aes_key = base64::decode(IN_AES256).unwrap();
        let in_ed25519_key = base64::decode(IN_ED25519).unwrap();

        // AES-256 KEK: exactly 32 bytes.
        let mut aes_key = [0u8; 32];
        aes_key.copy_from_slice(&in_aes_key[..32]);

        // Key Wrap with Padding (RFC 5649), the mode openssl's -id-aes256-wrap-pad uses.
        let kek = aes_kw::KekAes256::from(aes_key);
        let wrapped_input_key = kek
            .wrap_with_padding_vec(&in_ed25519_key)
            .expect("input key wrapping error!");

        println!("openssl:{}", WRAPPED_IN_ED_WITH_IN_AES);
        println!("aes_kw :{}", base64::encode(&wrapped_input_key));
        assert_eq!(
            base64::decode(WRAPPED_IN_ED_WITH_IN_AES).unwrap(),
            wrapped_input_key
        );
    }
    ```

    For reference, HashiCorp uses golang to unwrap; here is the link: https://github.com/google/tink/blob/master/go/kwp/subtle/kwp.go#L184

    openssl produces 56 bytes and aes_kw 40:

    aes_kw :ivR/2HMzPVKz6p8gPqQMHITCBmY80y8hjhdswGCOHSOlfaGezVGUZw==, size:40
    openssl:t1/OHaQBU7YjJrtNxYRGXkdURFRN2v2K5MzFzSOFK10Ek1KyGIW9GMoCy7jdpXJ88XMsyYgB0pk=, size:56

    opened by soleinik-figment 13
  • aes-kw: use en(de)crypt_with_backend methods to improve performance

    aes-kw: use en(de)crypt_with_backend methods to improve performance

    Right now aes-kw is implemented in terms of multiple calls to en(de)crypt_block. It's somewhat inefficient, since each call checks the CPU feature flags: not only does it introduce unnecessary branching, but it also prevents the compiler from keeping data in registers across calls.

    enhancement help wanted 
    opened by newpavlov 5
  • Add aes-kwp (Key Wrap with Padding) mode

    Add aes-kwp (Key Wrap with Padding) mode

    Apart from AES-KW, NIST SP 800-38F also defines the AES Key Wrap with Padding mode (KWP), which allows input keys that are not a multiple of 8 bytes. This mode is also described in RFC 5649.

    The algorithm itself is very similar to the AES-KW algorithm; however, there are some major differences:

    • obviously, the input is padded (with zeroes), to align to 8 bytes
    • the IV is composed of a fixed IV prefix and a variable MLI (message length indicator)
    • when the input is <= 8 bytes long, it is simply (padded and) appended to the IV and one AES-ECB encryption is performed on the resulting 16 byte block
    • otherwise, the same wrapping algorithm as for AES-KW is performed

    Because of the many similarities, the implementation code was directly adapted from the AES-KW implementation. One of the differences here is the return type of unwrap. Because the plaintext length is unknown to the caller when unwrap is called, the caller needs to provide an output buffer which is large enough to hold all 8 possible message lengths. The unwrap function then returns the actual output size, and it is the responsibility of the caller to truncate the output buffer to the appropriate length (i.e. remove the padding applied by wrap). This is done automatically in unwrap_vec.

    Finally, I took the liberty to update the descriptions of the AES-KW mode. I know this is quite pedantic, but the actual name of the mode is AES Key Wrap, not AES Key Wrapping. Key Wrapping refers to the general method of wrapping keys, but there are multiple implementations of this, AES Key Wrap (KW) being one of them, but also AES Key Wrap with Padding (KWP) or even Triple DEA Key Wrap (TKW) (as described in SP 800-38F).

    opened by jvdsn 5
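The KWP construction this PR describes (zero padding, AIV = fixed prefix || MLI, a single ECB block for inputs of at most 8 bytes, the AES-KW register function otherwise, and truncation to the MLI on unwrap), as an added example that is not the aes-kw crate's own code. It is written against any 16-byte block cipher passed in as closures; `kwp_core`, `kwp_wrap`, `kwp_unwrap`, `KwpError`, `feistel` and `toy_cipher` are names chosen here, and the Feistel permutation is only a stand-in so the example runs with std alone, not a cipher.

```rust
const KWP_AIV_PREFIX: [u8; 4] = [0xA6, 0x59, 0x59, 0xA6]; // RFC 5649 alternative IV prefix

#[derive(Debug, PartialEq)] pub enum KwpError { InvalidDataSize, IntegrityCheckFailed }

/// In place over `s` = A (8 bytes) || R[1..n]: one ECB call for a single 16-byte block,
/// otherwise the RFC 3394 register function W (forward) or its inverse.
fn kwp_core(cipher: &dyn Fn(&mut [u8; 16]), s: &mut [u8], inverse: bool) {
    if s.len() == 16 { return cipher((&mut *s).try_into().unwrap()); }
    let n = s.len() / 8 - 1;
    let mut steps: Vec<(usize, usize)> = (0..6).flat_map(|j| (0..n).map(move |i| (j, i))).collect();
    if inverse { steps.reverse(); }
    for (j, i) in steps {
        // Round constant t = n*j + i + 1 is XORed into A after enc (wrap) / before dec (unwrap).
        let t = ((n * j + i + 1) as u64).to_be_bytes();
        if inverse { for k in 0..8 { s[k] ^= t[k]; } }
        let mut b = [0u8; 16];
        b[..8].copy_from_slice(&s[..8]);
        b[8..].copy_from_slice(&s[8 * (i + 1)..8 * (i + 2)]);
        cipher(&mut b);
        s[..8].copy_from_slice(&b[..8]);
        s[8 * (i + 1)..8 * (i + 2)].copy_from_slice(&b[8..]);
        if !inverse { for k in 0..8 { s[k] ^= t[k]; } }
    }
}

/// Wrap: AIV = prefix || MLI (32-bit big-endian length), plaintext zero-padded to 8 bytes.
pub fn kwp_wrap(enc: &dyn Fn(&mut [u8; 16]), pt: &[u8]) -> Result<Vec<u8>, KwpError> {
    if pt.is_empty() || pt.len() > u32::MAX as usize { return Err(KwpError::InvalidDataSize); }
    let mut s = KWP_AIV_PREFIX.to_vec();
    s.extend_from_slice(&(pt.len() as u32).to_be_bytes());
    s.extend_from_slice(pt);
    s.resize(8 + (pt.len() + 7) / 8 * 8, 0);
    kwp_core(enc, &mut s, false);
    Ok(s)
}

/// Unwrap: recover AIV || padded plaintext, then verify prefix, MLI range and zero padding
/// before releasing any plaintext; a wrong KEK or a tampered byte is rejected here.
pub fn kwp_unwrap(dec: &dyn Fn(&mut [u8; 16]), ct: &[u8]) -> Result<Vec<u8>, KwpError> {
    if ct.len() < 16 || ct.len() % 8 != 0 { return Err(KwpError::InvalidDataSize); }
    let mut s = ct.to_vec();
    kwp_core(dec, &mut s, true);
    let padded = s.len() - 8;
    let mli = u32::from_be_bytes(s[4..8].try_into().unwrap()) as usize;
    let ok = s[..4] == KWP_AIV_PREFIX && mli > padded - 8 && mli <= padded
        && s[8 + mli..].iter().all(|&b| b == 0);
    if ok { Ok(s[8..8 + mli].to_vec()) } else { Err(KwpError::IntegrityCheckFailed) }
}

/// Toy 4-round Feistel permutation standing in for AES so the example runs with std only.
/// It is NOT a cipher; decryption is the same rounds with the keys reversed.
fn feistel(b: &mut [u8; 16], keys: [u64; 4]) {
    let mut l = u64::from_be_bytes(b[..8].try_into().unwrap());
    let mut r = u64::from_be_bytes(b[8..].try_into().unwrap());
    for k in keys {
        l ^= (r ^ k).wrapping_mul(0x9E37_79B9_7F4A_7C15).rotate_left(29);
        std::mem::swap(&mut l, &mut r);
    }
    b[..8].copy_from_slice(&r.to_be_bytes()); // undo the final swap
    b[8..].copy_from_slice(&l.to_be_bytes());
}

pub fn toy_cipher(keys: [u64; 4]) -> (impl Fn(&mut [u8; 16]), impl Fn(&mut [u8; 16])) {
    let mut rev = keys; rev.reverse();
    (move |b: &mut [u8; 16]| feistel(b, keys), move |b: &mut [u8; 16]| feistel(b, rev))
}
```

kwp_unwrap returns IntegrityCheckFailed rather than any plaintext for a tampered ciphertext or a wrong KEK, which is the property the "Add tests for AES-KW errors" PR below is checking.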
  • aes-kw: `no_std` support + other cleanups

    aes-kw: `no_std` support + other cleanups

    • Makes the Kek::{wrap, unwrap} functions take an output buffer rather than allocating a Vec<u8>, allowing them to be used in heapless no_std contexts.
    • Adds an alloc feature along with Kek::{wrap_vec, unwrap_vec} functions which provide the previous API.
    • Adds convenience KekAes128/KekAes192/KekAes256 type aliases.
    • Makes the IV and IV_LEN constants public.
    • Removes the use of hex for test vectors, replacing it with hex-literal.
    • Improves README.md and rustdoc documentation.
    opened by tarcieri 2
  • Use encrypt/decrypt_with_backend methods

    Use encrypt/decrypt_with_backend methods

    Finally got around to issue #15. @newpavlov, please check if this is how you intended the "rank-2 closure" to be used. @tarcieri, should we bump the patch version for this change?

    opened by jvdsn 1
  • build(deps): bump aes from 0.8.0 to 0.8.1

    build(deps): bump aes from 0.8.0 to 0.8.1

    Bumps aes from 0.8.0 to 0.8.1.

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies 
    opened by dependabot[bot] 1
  • build(deps): bump aes from 0.7.5 to 0.8.0

    build(deps): bump aes from 0.7.5 to 0.8.0

    Bumps aes from 0.7.5 to 0.8.0.

    dependencies 
    opened by dependabot[bot] 1
  • Add tests for AES-KW errors

    Add tests for AES-KW errors

    This PR adds unit tests for the four errors which can be returned by AES-KW. In particular, it's important to test whether the unwrapping function actually verifies the integrity of the ciphertext.

    Additionally, I fixed some inconsistent capitalization in the comments and some inconsistent whitespace in the tests.

    opened by jvdsn 1
  • build(deps): bump generic-array from 0.14.4 to 0.14.5

    build(deps): bump generic-array from 0.14.4 to 0.14.5

    Bumps generic-array from 0.14.4 to 0.14.5.

    Changelog

    Sourced from generic-array's changelog.

    • 0.14.5

      • Fix unsoundness behavior in GenericArrayIter::clone (#120)
    • 0.14.4

      • Update typenum to 1.12.0
      • Make Drop a no-op when the inner type does not require Drop (using core::mem::needs_drop)
    • 0.14.3

      • Improve behavior of GenericArray::from_exact_iter to assume ExactIterators can lie.
      • Fix alignment of zero-length GenericArrays
      • Implement From<&[T; N]> for &GenericArray<T, N> and its mutable variant
    • 0.14.2

      • Lower MSRV to 1.36.0 without From<[T; N]> implementations.
    • 0.14.1

      • Fix element conversions in arr! macro.
    • 0.14.0

      • Replace Into implementations with the more general From.
        • Requires minimum Rust version of 1.41.0
      • Fix unsoundness in arr! macro.
      • Fix meta variable misuse
      • Fix Undefined Behavior across the crate by switching to MaybeUninit
      • Improve some documentation and doctests
      • Add AsRef<[T; N]> and AsMut<[T; N]> impls to GenericArray<T, N>
      • Add Split impl for &GenericArray and &mut GenericArray
    • 0.13.2

      • Add feature more_lengths, which adds more From/Into implementations for arrays of various lengths.
    • 0.13.1

      • Mark GenericArray as #[repr(transparent)]
      • Implement Into<[T; N]> for GenericArray<T, N> up to N=32
    • 0.13.0

      • Allow arr! to be imported with use syntax.
        • Requires minimum Rust version of 1.30.1
    • 0.12.2

      • Implement FusedIterator for GenericArrayIter
    • 0.12.1

      • Use internal iteration where possible and provide more efficient internal iteration methods.
    • 0.12.0

      • Allow trailing commas in arr! macro.
      • BREAKING: Serialize GenericArray using serde tuples, instead of variable-length sequences. This may not be compatible with old serialized data.
    • 0.11.0

    ... (truncated)

    dependencies 
    opened by dependabot[bot] 1
  • build(deps): bump hex-literal from 0.2.1 to 0.3.4

    build(deps): bump hex-literal from 0.2.1 to 0.3.4

    Bumps hex-literal from 0.2.1 to 0.3.4.

    dependencies 
    opened by dependabot[bot] 1
  • Bump aes from 0.8.1 to 0.8.2

    Bump aes from 0.8.1 to 0.8.2

    Bumps aes from 0.8.1 to 0.8.2.

    dependencies rust 
    opened by dependabot[bot] 0
Owner: Rust Crypto (Cryptographic algorithms written in pure Rust)