
The Web Crypto API available in most browsers supports both AES-GCM and AES-KW for key wrapping.

There are examples for AES-KW and AES-GCM performing key wrapping, and a popular live table indicates without any supporting reference that both are "recommended".

Is there a practical or theoretical reason why one might choose GCM over KW and vice-versa?

Brian M. Hunt
  • Thanks @kelalaka — I saw that answer. I noted the one advantage there is that an iv is not needed for AES-KW, however the examples for the API for WebCrypto seem to use an iv. The WebCrypto standard seems to indicate that wrapKey does not require any arguments. Does it look like an iv can safely be omitted? – Brian M. Hunt Oct 17 '18 at 13:43
  • @BrianM.Hunt Please point us to those examples, don't leave us guessing. – Maarten Bodewes Oct 17 '18 at 13:56
  • @MaartenBodewes They're in the question, in the text starting with "There are examples", the AES-KW and AES-GCM links go to those respective examples (please feel free to edit the question to make them more prominent) – Brian M. Hunt Oct 17 '18 at 14:16
  • With the caveat that I misread the examples, and the AES-KW wrapKey example linked does not use an `iv`. The accepted answer may be from the link @kelalaka linked. – Brian M. Hunt Oct 17 '18 at 14:21
  • I don't see the IV for AES-KW in the example. AES-GCM requires an IV, otherwise you could have one wrapped known key and one wrapped unknown key, XOR them together and retrieve the key value (disregarding the authentication tag). – Maarten Bodewes Oct 17 '18 at 14:25
  • What do you want to do with the question now the IV issue is out of the way? Generally we close or delete questions if the answer is already given, but that other question doesn't answer why you would want GCM over KW so maybe it is not a dupe in that sense. – Maarten Bodewes Oct 17 '18 at 14:28
  • @MaartenBodewes I'd be interested in hearing why one might prefer GCM over KW, but of course I would respect the decision to close this question (or have it marked as a dupe) if it substantially overlaps the peer. – Brian M. Hunt Oct 17 '18 at 14:32
  • @BrianM.Hunt Well for one, if the live table is to be trusted, KW can't wrap as many key types on my current Chrome. Not that I can get GCM to wrap my RSA-OAEP private key either, but at least the table says it should work. – Joachim Lous Aug 16 '19 at 07:46
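
Added example, not part of the question, its comments or the linked sample code: the same AES-256 key wrapped with AES-KW and with AES-GCM through `wrapKey`, comparing the IV handling raised in the comments, the wrapped sizes, and whether repeated wraps produce the same bytes. The key sizes, the names used and the Node.js fallback are assumptions of this example.

```javascript
// Added example, not from the question or the linked samples.
// Assumes Web Crypto: a browser, or Node.js (global `crypto` or node:crypto's webcrypto).
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const { subtle } = webcrypto;
const hex = (buf) => Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, '0')).join('');
const usages = ['encrypt', 'decrypt'];

async function compareWrapping() {
  // Key being protected; it must be extractable to be wrapped.
  const dataKey = await subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, usages);
  const original = hex(await subtle.exportKey('raw', dataKey));

  // One key-encryption key (KEK) per wrapping algorithm.
  const kwKek = await subtle.generateKey({ name: 'AES-KW', length: 256 }, false, ['wrapKey', 'unwrapKey']);
  const gcmKek = await subtle.generateKey({ name: 'AES-GCM', length: 256 }, false, ['wrapKey', 'unwrapKey']);

  // AES-KW takes no IV parameter, so wrapping the same key twice gives the same bytes.
  const kw1 = await subtle.wrapKey('raw', dataKey, kwKek, 'AES-KW');
  const kw2 = await subtle.wrapKey('raw', dataKey, kwKek, 'AES-KW');

  // AES-GCM needs an IV that is unique per wrap under a given KEK and stored with the result.
  const gcmWrap = async () => {
    const iv = webcrypto.getRandomValues(new Uint8Array(12));
    return { iv, wrapped: await subtle.wrapKey('raw', dataKey, gcmKek, { name: 'AES-GCM', iv }) };
  };
  const gcm1 = await gcmWrap();
  const gcm2 = await gcmWrap();

  // Round-trip both, then export the unwrapped keys to compare with the original.
  const viaKw = await subtle.unwrapKey('raw', kw1, kwKek, 'AES-KW', 'AES-GCM', true, usages);
  const viaGcm = await subtle.unwrapKey('raw', gcm1.wrapped, gcmKek,
    { name: 'AES-GCM', iv: gcm1.iv }, 'AES-GCM', true, usages);

  return {
    kwBytes: kw1.byteLength,                 // 32-byte key + one 8-byte integrity block
    gcmBytes: gcm1.wrapped.byteLength,       // 32-byte key + 16-byte authentication tag
    gcmStoredBytes: gcm1.wrapped.byteLength + gcm1.iv.byteLength, // tag'd ciphertext + 12-byte IV
    kwDeterministic: hex(kw1) === hex(kw2),
    gcmDeterministic: hex(gcm1.wrapped) === hex(gcm2.wrapped),
    kwRoundTrip: hex(await subtle.exportKey('raw', viaKw)) === original,
    gcmRoundTrip: hex(await subtle.exportKey('raw', viaGcm)) === original,
  };
}

compareWrapping().then((r) => console.log(r));
```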
