7

So I'm messing around in the BouncyCastle library with the RFC 3394 AES Key Wrap engine and I'm trying to understand the benefit of it.

The problem I'm running into is how to store keys securely on a device like a phone or even a laptop or desktop. I need to wrap the keys so that anyone snooping around in memory can't just get those keys. RFC 3394 looks as though it's designed to help with that issue.

I can just do

$$ \bar k = \operatorname{wrap}_{k^*, IV}(k) $$

and store $\bar k$ instead of $k$, and use

$$ k = \operatorname{unwrap}_{k^*, IV}(\bar k)$$

to retrieve $k$ again when I need it.

I've written this code in C# to test it out. This seems to work okay, except for the fact that I'm trying to understand how this is more secure. At some point I have to store the key encryption key $k^*$ in memory, and it seems to me that any hacker who could get their hands on $k^*$ now has their hands on the encryption keys.

So how does this secure the encryption keys in memory?

hobeau

1 Answer

9

Yes, you are correct; the keywrap algorithm assumes that you have one long term secure key, which you can use to protect other keys. The writers of RFC 3394 assume that you do have a secure key-encrypting-key (KEK).

This doesn't appear to be a valid assumption in your case. In your case, you need to do cryptographical operations even though someone can assume your entire memory space; this sounds like you need White Box cryptography.

poncho
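Added example, not part of the question or the answer: the wrap/unwrap round trip from the question using BouncyCastle's C# `AesWrapEngine`, run on the RFC 3394 section 4.1 test vector. It shows that unwrapping verifies integrity and rejects a wrong KEK, and that the KEK has to be present in process memory for every call, which is the assumption the answer points out. The class name `KeyWrapDemo` and the helpers `Wrap` and `Unwrap` are hypothetical names chosen for this example.

```csharp
using System;
using System.Linq;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Engines;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Utilities.Encoders;

static class KeyWrapDemo // hypothetical name, not from the original post
{
    // k_bar = wrap_{k*}(k): RFC 3394 with the default IV A6A6A6A6A6A6A6A6.
    static byte[] Wrap(byte[] kek, byte[] key)
    {
        var engine = new AesWrapEngine();
        engine.Init(true, new KeyParameter(kek));
        return engine.Wrap(key, 0, key.Length); // output is 8 bytes longer than the input
    }

    // k = unwrap_{k*}(k_bar): throws InvalidCipherTextException if the
    // recovered integrity block does not match the IV.
    static byte[] Unwrap(byte[] kek, byte[] wrapped)
    {
        var engine = new AesWrapEngine();
        engine.Init(false, new KeyParameter(kek));
        return engine.Unwrap(wrapped, 0, wrapped.Length);
    }

    static void Main()
    {
        // Inputs and expected ciphertext from RFC 3394, section 4.1.
        byte[] kek = Hex.Decode("000102030405060708090A0B0C0D0E0F");
        byte[] key = Hex.Decode("00112233445566778899AABBCCDDEEFF");
        const string rfcWrapped = "1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5";

        byte[] wrapped = Wrap(kek, key);
        bool matchesRfc = string.Equals(Hex.ToHexString(wrapped), rfcWrapped,
                                        StringComparison.OrdinalIgnoreCase);
        Console.WriteLine($"matches RFC vector: {matchesRfc}");

        byte[] recovered = Unwrap(kek, wrapped);
        Console.WriteLine($"round trip ok: {recovered.SequenceEqual(key)}");

        // A KEK that differs in one bit fails the integrity check.
        byte[] wrongKek = (byte[])kek.Clone();
        wrongKek[0] ^= 0x01;
        try { Unwrap(wrongKek, wrapped); Console.WriteLine("wrong KEK accepted"); }
        catch (InvalidCipherTextException) { Console.WriteLine("wrong KEK rejected"); }

        // Clearing the plaintext buffers shortens their lifetime in memory;
        // the KEK was still readable in this process during every call above.
        Array.Clear(key, 0, key.Length);
        Array.Clear(recovered, 0, recovered.Length);
    }
}
```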