4

What are the pros/cons of using AES ECB mode to encrypt encryption keys (data encryption keys or DEKs)? Aware of the significant weaknesses when it comes to encrypting low-entropy data that's greater than a block size and also aware of AES Key wrapping functions (nice post). The low efficiency of AES KW in high throughput cases is an issue in our case (thousands/millions of fields flowing, each encrypted with own DEK).

In our case, the data encryption keys

  1. are high entropy (hardware RNG + 4 PRNG sources + crypto-hash expansion) and
  2. will be 128/256 bits long (concerns on even longer keys?)

We're avoiding AES-GCM etc. to skip the IV to reduce the size since every byte is precious (big data/high volume).

Update:

  1. Integrity of the DEK isn't a concern in the threat model. DEK tampering will trigger decryption failure affecting Availability. Availability is a concern at a higher system level. (Also, if an attacker can modify the DEK bits, they can simply delete the entire field/data payload just after the encrypted DEK)
  2. The main concerns are Confidentiality and Integrity of the data itself.
DeepSpace101

2 Answers

5

If you are encrypting a 128-bit key, then it's "OK" since the key size is the same as the block size. However, if you encrypt a 256-bit key, then it's possible to tamper with the result. For example, you can drop one of the blocks and it "looks like" a 128-bit key, or you can make a 256-bit key be the same block twice (so it's of the form $k\|k$ where each $k$ is 128 bits), and so on.

Having said the above, even in the case of a 128-bit key, you have the problem that an attacker can tamper with the ciphertext and you won't be able to detect it. It is true that the result will be random garbage, but in most cases, we like to be able to detect the tampering.

Yehuda Lindell
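The block-level behaviour described in the answer above, as an added example that is not part of the original answer. Assumptions: Python's standard library has no AES, so a 4-round Feistel permutation built from HMAC-SHA256 stands in for the 128-bit block cipher (the behaviour shown depends only on ECB, not on the cipher); all function names and the KEK/DEK values are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # bytes; same block size as AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prf(kek: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: HMAC-SHA256 under the KEK, truncated to 8 bytes.
    return hmac.new(kek, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def encrypt_block(kek: bytes, block: bytes) -> bytes:
    # Stand-in 128-bit block cipher (4-round Feistel). Assumption: NOT AES.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, prf(kek, rnd, right))
    return left + right

def decrypt_block(kek: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, prf(kek, rnd, left)), left
    return left + right

def ecb_wrap(kek: bytes, dek: bytes) -> bytes:
    if len(dek) % BLOCK:
        raise ValueError("DEK must be a multiple of the block size")
    return b"".join(encrypt_block(kek, dek[i:i + BLOCK]) for i in range(0, len(dek), BLOCK))

def ecb_unwrap(kek: bytes, wrapped: bytes, expected_len=None) -> bytes:
    # ECB carries no integrity tag; the length is the only thing a receiver can check.
    if len(wrapped) % BLOCK or (expected_len is not None and len(wrapped) != expected_len):
        raise ValueError("unexpected wrapped-key length")
    return b"".join(decrypt_block(kek, wrapped[i:i + BLOCK]) for i in range(0, len(wrapped), BLOCK))

def tampered_variants(wrapped: bytes) -> dict:
    # The manipulations named in the answer, plus a block swap, on a 2-block wrapped DEK.
    c1, c2 = wrapped[:BLOCK], wrapped[BLOCK:2 * BLOCK]
    return {"truncated": c1, "duplicated": c1 + c1, "swapped": c2 + c1}

if __name__ == "__main__":
    kek = bytes(range(32))               # constructed KEK
    k1, k2 = b"\x11" * 16, b"\x22" * 16  # constructed 256-bit DEK = k1 || k2
    wrapped = ecb_wrap(kek, k1 + k2)
    for name, ct in tampered_variants(wrapped).items():
        print(name, ecb_unwrap(kek, ct).hex())  # each variant unwraps without error
```

Passing `expected_len=32` to `ecb_unwrap` rejects the truncated variant, but the duplicated and swapped variants still unwrap to a well-formed 256-bit key.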
0

Use ECB mode in CTR mode :)

AES_Encrypt(counter#1) XOR (1st_DEK_block) || AES_Encrypt(counter#2) XOR (2nd_DEK_block)

If your XOR is fast enough, the performance will be adequate and you'll avoid "k||k" concerns.