Crypto%20Agility%20and%20Key%20Wrap%20Attributes%20for%20RADIUS

1
Crypto Agility and Key Wrap Attributes for RADIUS

• Glen Zorn
• Joe Salowey
• Hao Zhou
• Dan Harkins

2
Goals

• Meet crypto-agility requirements
• Deliver key material for various purposes
  securely
• Deliver arbitrary attributes securely
• Meet NIST key wrapping requirements

3
RADIUS Key Wrap Attribute

• Contains
• Information for the key encryption
• Information about the key being encrypted
• Key
• Supports Key Wrap Specific Algorithms
• AES-Keywrap Specified by NIST
• Key wrapping algorithms (AES-Keywrap) not
  necessary sufficient for general bulk data
  encryption
• Should be updated to use extended attributes
  draft for extensibility

4
Encrypted Attributes

• Attributes
• Crypto Parameters
• Encrypted Data
• Randomizer
• MAC Attribute
• Does not use extended attributes
• Existing RADIUS attributes need to be encrypted
• Currently only one encrypted attributes set per
  message

5
Issues with using Encrypted Attribute for Key-Wrap

• Key wrap algorithms not always appropriate for
  encrypting generic data
• Generic data encryption algorithms may not be
  specified for key encryption
• The encryption attribute would need to be
  special cased to handle key-wrapping
• More than one encrypted attribute set may be
  required per message

6
Summary

• Believe we meet the crypto agility requirements
• Keywrap can be used for various types of keys
• Extended attribute would allow for arbitrary,
  optional data associated with key