Can AES algorithm be used as key wrap algorithm?


Zhou Yang

Dec 23, 2015, 2:14:41 AM
to FIDO Dev (fido-dev)
Hi, all
I'm implementing a U2F Token on JavaCard. I found that there is a key wrap spec: AES Key Wrap Specification. But JavaCard's API only supports the AES algorithm.
So I want to know: can the AES algorithm be used as the key wrap algorithm rather than the AES Key Wrap algorithm?
And what's the difference between an encryption algorithm (e.g. AES, DES) and a key wrap algorithm?

Tim Becker

Dec 23, 2015, 3:36:54 AM
to FIDO Dev (fido-dev)
> So, I want to know that, can AES algorithm be used as key wrap algorithm rather than the AES Key Wrap algorithm?

Yes, the AES Key Wrap mechanism can be implemented using AES. You could also implement another AES-based key wrapping scheme (e.g. RFC 5297), but since the card already supports NIST, why not use that?

> And, what's the difference between the encryption algorithm(e.g. AES, DES) and the key wrap algorithm?

The key wrap algorithm is a usage mode of the cipher algorithm, just like ECB, CBC.

Your Javacard does not support P256? You still need it for the U2F signatures, are you planning to implement ECC in software?

Zhou Yang

Dec 23, 2015, 3:58:51 AM
to FIDO Dev (fido-dev)
So I could use this AES algorithm as the key wrap algorithm in JavaCard? Actually, I do not have the real card yet. I am implementing on jcardsim, which is a JavaCard simulator. And yes, jcardsim supports secp256r1.

Tim Becker

Dec 23, 2015, 4:06:24 AM
to FIDO Dev (fido-dev)
It's hard to say what your Javacard will support, but the JCE in JDK8 I have installed here has: `Cipher.AESWrap_128` (also 192 and 256) which seems to be what you're looking for. I would check if your JC supports that.

If you need to construct AES Key Wrapping from primitives, the algorithm you named wouldn't work, because it's already using CBC mode. 
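
The construction discussed above (key wrap built from the raw AES block operation, with no CBC chaining), as an added example that is not part of the original posts. It uses the desktop JCE names `AES/ECB/NoPadding` and `AESWrap` rather than the JavaCard API, and the class name is hypothetical. The key-encryption key and key data are those of the RFC 3394 section 4.1 test vector.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.util.Arrays;

public class KeyWrapFromBlockCipher {
    // RFC 3394 wrap using only single-block AES (ECB, no padding, no chaining).
    static byte[] wrap(byte[] kek, byte[] key) throws GeneralSecurityException {
        Cipher aes = Cipher.getInstance("AES/ECB/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(kek, "AES"));
        int n = key.length / 8;                       // key data: n >= 2 blocks of 64 bits
        byte[] out = new byte[key.length + 8];
        Arrays.fill(out, 0, 8, (byte) 0xA6);          // A = default IV A6A6A6A6A6A6A6A6
        System.arraycopy(key, 0, out, 8, key.length); // R[1..n] = key data
        for (int j = 0; j < 6; j++) {
            for (int i = 1; i <= n; i++) {
                byte[] b = new byte[16];
                System.arraycopy(out, 0, b, 0, 8);     // A
                System.arraycopy(out, 8 * i, b, 8, 8); // R[i]
                b = aes.doFinal(b);                    // B = AES(KEK, A | R[i])
                long t = (long) n * j + i;             // step counter, XORed big-endian into A
                for (int k = 7; k >= 0; k--, t >>>= 8) b[k] ^= (byte) t;
                System.arraycopy(b, 0, out, 0, 8);     // A = MSB64(B) xor t
                System.arraycopy(b, 8, out, 8 * i, 8); // R[i] = LSB64(B)
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] kek = new byte[16], key = new byte[16];
        // KEK 00 01 .. 0F and key data 00 11 .. FF (RFC 3394 section 4.1 inputs)
        for (int i = 0; i < 16; i++) { kek[i] = (byte) i; key[i] = (byte) (i * 0x11); }
        byte[] wrapped = wrap(kek, key);

        Cipher jce = Cipher.getInstance("AESWrap");   // the JDK's own key wrap cipher
        jce.init(Cipher.UNWRAP_MODE, new SecretKeySpec(kek, "AES"));
        byte[] back = jce.unwrap(wrapped, "AES", Cipher.SECRET_KEY).getEncoded();
        System.out.println("JDK unwraps our output: " + Arrays.equals(back, key));

        wrapped[10] ^= 1;                             // flip one bit of the wrapped blob
        try {
            jce.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
            System.out.println("tampering NOT detected");
        } catch (GeneralSecurityException e) {
            System.out.println("tampered blob rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The second unwrap is the practical difference from plain AES-CBC encryption of a key: the wrap output carries an integrity check, so a modified blob is rejected instead of silently decrypting to a different key.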

Zhou Yang

Dec 23, 2015, 4:29:49 AM
to FIDO Dev (fido-dev)
Here is the new Javacard API: Javacard 3.0.5 API. In the `Cipher` part, why can I not find the constant `AESWrap_128`? Am I missing something? Actually, I'm a newbie to Javacard development.

Fred Le Tamanoir (NEOWAVE.FR)

Dec 23, 2015, 5:48:41 AM
to FIDO Dev (fido-dev)
1) Regarding Key wrapping

...remember you can choose not to use key wrapping at all:

- ECC key sizes are small enough to be stored by the dozens inside many secure elements (and nobody will have dozens of accounts) and you can even store only the ECC private key (if needed)
- In U2F specifications, key wrapping is not mandatory and is present in this section "Allowing for Inexpensive U2F Devices". If you are using a JavaCard, you are probably not focusing on a low cost / low memory device... 
- The fact that manufacturers are free to make choices -even bad ones- for key wrapping is... kind of a bad freedom of choice. Every customer has to investigate (or not) how it is done... and accept to trust (or not) what they will learn (or not). (And then they will understand they need to know how/who controls the initial secret)
- Key wrapping means a shared/common secret that users can't choose. For your information, several security experts we encountered -from private sectors to government related ones- simply recommend to avoid key wrapping.

2) Regarding ECC support in JavaCard

ECC support is only mandatory in JavaCard 3.0 specifications but you can find non-3.0 JavaCard 2.x smart cards that already support ECC, like several NXP JCOP based solutions...

Regards
-- 
Frédéric MARTIN
System & Security Architect
NEOWAVE (FIDO Alliance Member)