Skip to main content

No project description provided

Project description

AES keywrap

implementation of RFC 3394 AES key wrapping/unwrapping

http://www.ietf.org/rfc/rfc3394.txt

also, alternative IV per RFC 5649

http://www.ietf.org/rfc/rfc5649.txt

This is a symmetric key-encryption algorithm. It should only be used to encrypt keys (short and globally unique strings.)

In documentation, the key used for this kind of algorithm is often called the KEK (Key-Encryption-Key), to distinguish it from data encryption keys.

usage

import binascii
from aes_keywrap import aes_wrap_key, aes_unwrap_key
KEK = binascii.unhexlify("000102030405060708090A0B0C0D0E0F")
CIPHER = binascii.unhexlify("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
PLAIN = binascii.unhexlify("00112233445566778899AABBCCDDEEFF")
assert aes_unwrap_key(KEK, CIPHER) == PLAIN
assert aes_wrap_key(KEK, PLAIN) == CIPHER

Why a special key-encryption algorithm?

In a word: size. By assuming keys are high enough entropy to be globally unique, and small enough not to require streaming encryption, aes-keywrap is able to avoid an IV (initial value) or nonce that increases the size of the ciphertext. This can be a significant savings – if the data being encrypted is a 32 byte AES-256 key, AES-GCM would result in a 60 byte ciphertext (87% overhead), AES-CTR or AES-CBC would result in a 48 byte ciphertext (50% overhead) and would also not provide authenticated encryption, but aes-keywrap would result in a 32 byte ciphertext (no overhead).

In an application where there are many keys being generated and encrypted (e.g. a separate data encryption key for each row in a database), this overhead can be significant.

Another important use case is compatibility with existing systems.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aes-keywrap-17.12.1.tar.gz (2.9 kB view details)

Uploaded Source

File details

Details for the file aes-keywrap-17.12.1.tar.gz.

File metadata

File hashes

Hashes for aes-keywrap-17.12.1.tar.gz
Algorithm Hash digest
SHA256 0977f08e80f66aa6c2591eca3716ef8ab9e7ee7ad9cd5fb63e72c6308bda2619
MD5 4402698e3c23f8582c9964e52f46ef6e
BLAKE2b-256 40be631f1dd7a65c1ee7419fff826073620e50055d8e77a7dae152436250bf1a

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page