How much extra security does key wrapping provide?











up vote
3
down vote

favorite
1












Wikipedia says:




Key Wrap. Key Wrap constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks.




Now key wrapping needs another key for wrapping. Isn't it like a chicken-egg problem. We now need to protect another key.



If someone needs to transfer key over network, wouldn't he/she use SSL/TLS rather than wrapping key?



For storing keys, wouldn't someone use the password protected keystore?










share|improve this question


























    up vote
    3
    down vote

    favorite
    1












    Wikipedia says:




    Key Wrap. Key Wrap constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks.




    Now key wrapping needs another key for wrapping. Isn't it like a chicken-egg problem. We now need to protect another key.



    If someone needs to transfer key over network, wouldn't he/she use SSL/TLS rather than wrapping key?



    For storing keys, wouldn't someone use the password protected keystore?










    share|improve this question
























      up vote
      3
      down vote

      favorite
      1









      up vote
      3
      down vote

      favorite
      1






      1





      Wikipedia says:




      Key Wrap. Key Wrap constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks.




      Now key wrapping needs another key for wrapping. Isn't it like a chicken-egg problem. We now need to protect another key.



      If someone needs to transfer key over network, wouldn't he/she use SSL/TLS rather than wrapping key?



      For storing keys, wouldn't someone use the password protected keystore?










      share|improve this question













      Wikipedia says:




      Key Wrap. Key Wrap constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. The Key Wrap algorithms are intended for applications such as protecting keys while in untrusted storage or transmitting keys over untrusted communications networks.




      Now key wrapping needs another key for wrapping. Isn't it like a chicken-egg problem. We now need to protect another key.



      If someone needs to transfer key over network, wouldn't he/she use SSL/TLS rather than wrapping key?



      For storing keys, wouldn't someone use the password protected keystore?







      keys key-wrap






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 20 at 4:37









      Saptarshi Basu

      2476




      2476






















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          3
          down vote



          accepted










          It all depends on the key wrapping used. Key wrapping is little more than encryption of a key with another key. Although key wrapping schemes certainly exist (and are considered rather secure in general) other key schemes may use common methods of encryption, both symmetric and asymmetric. And in the end, how strong the encryption is depends on the method used.



          I've seen AES keys being encrypted using AES-CBC, which is perfectly fine for AES-128 and AES-256 keys. Wrapping an AES-192 key that way could already make it vulnerable padding oracle attacks. Encrypting a structured RSA key using CBC and an IV of zero bytes (as used by many HSM's) may even passively leak information to adversaries.





          Encryption itself is already a chicken egg problem. You've got this data you want to keep confidential. Now you can encrypt it, but you'd need to secure the key now.



          So why is encryption or wrapping useful? Well, not all keys have the same properties. Some keys such as public key for asymmetric systems can be distributed using a public key infrastructure, but they can perfectly use to wrap AES keys to perform key establishment. Other keys are distributed in advance, taking advantage of the moment in time that the key can be established. Yet others take advantage of hardware protection in HSMs or smart cards. So key wrapping is an important tool to perform key management. Note that one wrapping key can be used to wrap many other keys.



          As for your examples: yes, a key can be transported over TLS. However, TLS is point to point transport security. After TLS is stripped you'd just have the key. It is much more secure to wrap the key and provide end-to-end security. With a bit of luck the key may be unwrapped directly within a HSM and never even appear in memory. Note that earlier forms of TLS, the TLS_RSA ciphersuites, actually perform a form of key wrapping to establish the master secret to derive the session keys from.





          A password protected store can be used. Often the keys in those key stored can be protected separately as well. PKCS#8 could be seen as a high level form of key wrapping, for instance.



          However, such key stores are not always useful. For instance, you may want to wrap a key in a HSM to sync it with another HSM. In that case you'll need a wrapping key in both devices. Generally HSM's cannot simply create a password protected key store for that.



          Similarly, a device can offload wrapped keys if the memory is limited. This is a common method within TPM modules in PC's: instead of having a high end smart card chip, keys are wrapped with a TPM specific key and stored on the system's drive. When they are needed they are simply put back and used. This way the keys can be secure both at rest and when in use, even though they are not stored in the hardware device.





          Wrapping / unwrapping a single symmetric key with another symmetric key that has the same access level probably doesn't make too much sense. But for key management key wrapping is a very important - if not essential - tool.






          share|improve this answer




























            up vote
            2
            down vote













            It's not meant to provide extra security in a quantifiable sense. It's supposed to provide other security advantages, like for example, serve as a tool for key management systems.



            One example is what in some systems is called envelope encryption, where there are two kinds of encryption key:





            • Key encryption keys, also known as KEKs or master keys


            • Data encryption keys, also known as DEKs


            There is a key management system (KMS) that owns the KEKs and works as a server. To encrypt data, clients follow this protocol:




            1. Client requests a fresh DEK from the KMS

            2. The KMS logs the request, generates a fresh DEK, and returns two versions thereof—one plain, one wrapped with the KEK

            3. The client encrypts data with the plain DEK

            4. The client writes out the wrapped DEK to storage along with the data ciphertexts, and discards the plain DEK.


            To decrypt data:




            1. Client reads ciphertext and wrapped DEK from storage

            2. Client requests from the KMS that it unwrap the DEK

            3. The KMS logs the request, authenticates the client and checks that it's authorized for that DEK

            4. If so, the KMS unwraps the DEK and sends the result to the client

            5. Client uses decrypted DEK to decrypt the data


            Some advantages of such a setup are:




            • Properly implemented clients don't store long-term data encryption keys.

            • The KMS authenticates clients, enforces authorization policies, and logs all operations. So you can for example quickly revoke access to a client if you suspect it's been compromised, and identify which DEKs it managed to get the KMS to unwrap for it.


            But as I said, these don't amount to a quantifiable improvement of security in the sense of "the encryption got stronger." They're practical architectural improvements over more naïve approaches to key management (e.g., using a single long-term key to encrypt all data, and putting copies of that key on all of your machines).






            share|improve this answer





















              Your Answer





              StackExchange.ifUsing("editor", function () {
              return StackExchange.using("mathjaxEditing", function () {
              StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
              StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
              });
              });
              }, "mathjax-editing");

              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "281"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              noCode: true, onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














               

              draft saved


              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64184%2fhow-much-extra-security-does-key-wrapping-provide%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes








              up vote
              3
              down vote



              accepted










              It all depends on the key wrapping used. Key wrapping is little more than encryption of a key with another key. Although key wrapping schemes certainly exist (and are considered rather secure in general) other key schemes may use common methods of encryption, both symmetric and asymmetric. And in the end, how strong the encryption is depends on the method used.



              I've seen AES keys being encrypted using AES-CBC, which is perfectly fine for AES-128 and AES-256 keys. Wrapping an AES-192 key that way could already make it vulnerable padding oracle attacks. Encrypting a structured RSA key using CBC and an IV of zero bytes (as used by many HSM's) may even passively leak information to adversaries.





              Encryption itself is already a chicken egg problem. You've got this data you want to keep confidential. Now you can encrypt it, but you'd need to secure the key now.



              So why is encryption or wrapping useful? Well, not all keys have the same properties. Some keys such as public key for asymmetric systems can be distributed using a public key infrastructure, but they can perfectly use to wrap AES keys to perform key establishment. Other keys are distributed in advance, taking advantage of the moment in time that the key can be established. Yet others take advantage of hardware protection in HSMs or smart cards. So key wrapping is an important tool to perform key management. Note that one wrapping key can be used to wrap many other keys.



              As for your examples: yes, a key can be transported over TLS. However, TLS is point to point transport security. After TLS is stripped you'd just have the key. It is much more secure to wrap the key and provide end-to-end security. With a bit of luck the key may be unwrapped directly within a HSM and never even appear in memory. Note that earlier forms of TLS, the TLS_RSA ciphersuites, actually perform a form of key wrapping to establish the master secret to derive the session keys from.





              A password protected store can be used. Often the keys in those key stored can be protected separately as well. PKCS#8 could be seen as a high level form of key wrapping, for instance.



              However, such key stores are not always useful. For instance, you may want to wrap a key in a HSM to sync it with another HSM. In that case you'll need a wrapping key in both devices. Generally HSM's cannot simply create a password protected key store for that.



              Similarly, a device can offload wrapped keys if the memory is limited. This is a common method within TPM modules in PC's: instead of having a high end smart card chip, keys are wrapped with a TPM specific key and stored on the system's drive. When they are needed they are simply put back and used. This way the keys can be secure both at rest and when in use, even though they are not stored in the hardware device.





              Wrapping / unwrapping a single symmetric key with another symmetric key that has the same access level probably doesn't make too much sense. But for key management key wrapping is a very important - if not essential - tool.






              share|improve this answer

























                up vote
                3
                down vote



                accepted










                It all depends on the key wrapping used. Key wrapping is little more than encryption of a key with another key. Although key wrapping schemes certainly exist (and are considered rather secure in general) other key schemes may use common methods of encryption, both symmetric and asymmetric. And in the end, how strong the encryption is depends on the method used.



                I've seen AES keys being encrypted using AES-CBC, which is perfectly fine for AES-128 and AES-256 keys. Wrapping an AES-192 key that way could already make it vulnerable padding oracle attacks. Encrypting a structured RSA key using CBC and an IV of zero bytes (as used by many HSM's) may even passively leak information to adversaries.





                Encryption itself is already a chicken egg problem. You've got this data you want to keep confidential. Now you can encrypt it, but you'd need to secure the key now.



                So why is encryption or wrapping useful? Well, not all keys have the same properties. Some keys such as public key for asymmetric systems can be distributed using a public key infrastructure, but they can perfectly use to wrap AES keys to perform key establishment. Other keys are distributed in advance, taking advantage of the moment in time that the key can be established. Yet others take advantage of hardware protection in HSMs or smart cards. So key wrapping is an important tool to perform key management. Note that one wrapping key can be used to wrap many other keys.



                As for your examples: yes, a key can be transported over TLS. However, TLS is point to point transport security. After TLS is stripped you'd just have the key. It is much more secure to wrap the key and provide end-to-end security. With a bit of luck the key may be unwrapped directly within a HSM and never even appear in memory. Note that earlier forms of TLS, the TLS_RSA ciphersuites, actually perform a form of key wrapping to establish the master secret to derive the session keys from.





                A password protected store can be used. Often the keys in those key stored can be protected separately as well. PKCS#8 could be seen as a high level form of key wrapping, for instance.



                However, such key stores are not always useful. For instance, you may want to wrap a key in a HSM to sync it with another HSM. In that case you'll need a wrapping key in both devices. Generally HSM's cannot simply create a password protected key store for that.



                Similarly, a device can offload wrapped keys if the memory is limited. This is a common method within TPM modules in PC's: instead of having a high end smart card chip, keys are wrapped with a TPM specific key and stored on the system's drive. When they are needed they are simply put back and used. This way the keys can be secure both at rest and when in use, even though they are not stored in the hardware device.





                Wrapping / unwrapping a single symmetric key with another symmetric key that has the same access level probably doesn't make too much sense. But for key management key wrapping is a very important - if not essential - tool.






                share|improve this answer























                  up vote
                  3
                  down vote



                  accepted







                  up vote
                  3
                  down vote



                  accepted






                  It all depends on the key wrapping used. Key wrapping is little more than encryption of a key with another key. Although key wrapping schemes certainly exist (and are considered rather secure in general) other key schemes may use common methods of encryption, both symmetric and asymmetric. And in the end, how strong the encryption is depends on the method used.



                  I've seen AES keys being encrypted using AES-CBC, which is perfectly fine for AES-128 and AES-256 keys. Wrapping an AES-192 key that way could already make it vulnerable padding oracle attacks. Encrypting a structured RSA key using CBC and an IV of zero bytes (as used by many HSM's) may even passively leak information to adversaries.





                  Encryption itself is already a chicken egg problem. You've got this data you want to keep confidential. Now you can encrypt it, but you'd need to secure the key now.



                  So why is encryption or wrapping useful? Well, not all keys have the same properties. Some keys such as public key for asymmetric systems can be distributed using a public key infrastructure, but they can perfectly use to wrap AES keys to perform key establishment. Other keys are distributed in advance, taking advantage of the moment in time that the key can be established. Yet others take advantage of hardware protection in HSMs or smart cards. So key wrapping is an important tool to perform key management. Note that one wrapping key can be used to wrap many other keys.



                  As for your examples: yes, a key can be transported over TLS. However, TLS is point to point transport security. After TLS is stripped you'd just have the key. It is much more secure to wrap the key and provide end-to-end security. With a bit of luck the key may be unwrapped directly within a HSM and never even appear in memory. Note that earlier forms of TLS, the TLS_RSA ciphersuites, actually perform a form of key wrapping to establish the master secret to derive the session keys from.





                  A password protected store can be used. Often the keys in those key stored can be protected separately as well. PKCS#8 could be seen as a high level form of key wrapping, for instance.



                  However, such key stores are not always useful. For instance, you may want to wrap a key in a HSM to sync it with another HSM. In that case you'll need a wrapping key in both devices. Generally HSM's cannot simply create a password protected key store for that.



                  Similarly, a device can offload wrapped keys if the memory is limited. This is a common method within TPM modules in PC's: instead of having a high end smart card chip, keys are wrapped with a TPM specific key and stored on the system's drive. When they are needed they are simply put back and used. This way the keys can be secure both at rest and when in use, even though they are not stored in the hardware device.





                  Wrapping / unwrapping a single symmetric key with another symmetric key that has the same access level probably doesn't make too much sense. But for key management key wrapping is a very important - if not essential - tool.






                  share|improve this answer












                  It all depends on the key wrapping used. Key wrapping is little more than encryption of a key with another key. Although key wrapping schemes certainly exist (and are considered rather secure in general) other key schemes may use common methods of encryption, both symmetric and asymmetric. And in the end, how strong the encryption is depends on the method used.



                  I've seen AES keys being encrypted using AES-CBC, which is perfectly fine for AES-128 and AES-256 keys. Wrapping an AES-192 key that way could already make it vulnerable padding oracle attacks. Encrypting a structured RSA key using CBC and an IV of zero bytes (as used by many HSM's) may even passively leak information to adversaries.





                  Encryption itself is already a chicken egg problem. You've got this data you want to keep confidential. Now you can encrypt it, but you'd need to secure the key now.



                  So why is encryption or wrapping useful? Well, not all keys have the same properties. Some keys such as public key for asymmetric systems can be distributed using a public key infrastructure, but they can perfectly use to wrap AES keys to perform key establishment. Other keys are distributed in advance, taking advantage of the moment in time that the key can be established. Yet others take advantage of hardware protection in HSMs or smart cards. So key wrapping is an important tool to perform key management. Note that one wrapping key can be used to wrap many other keys.



                  As for your examples: yes, a key can be transported over TLS. However, TLS is point to point transport security. After TLS is stripped you'd just have the key. It is much more secure to wrap the key and provide end-to-end security. With a bit of luck the key may be unwrapped directly within a HSM and never even appear in memory. Note that earlier forms of TLS, the TLS_RSA ciphersuites, actually perform a form of key wrapping to establish the master secret to derive the session keys from.





                  A password protected store can be used. Often the keys in those key stored can be protected separately as well. PKCS#8 could be seen as a high level form of key wrapping, for instance.



                  However, such key stores are not always useful. For instance, you may want to wrap a key in a HSM to sync it with another HSM. In that case you'll need a wrapping key in both devices. Generally HSM's cannot simply create a password protected key store for that.



                  Similarly, a device can offload wrapped keys if the memory is limited. This is a common method within TPM modules in PC's: instead of having a high end smart card chip, keys are wrapped with a TPM specific key and stored on the system's drive. When they are needed they are simply put back and used. This way the keys can be secure both at rest and when in use, even though they are not stored in the hardware device.





                  Wrapping / unwrapping a single symmetric key with another symmetric key that has the same access level probably doesn't make too much sense. But for key management key wrapping is a very important - if not essential - tool.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Nov 20 at 5:08









                  Maarten Bodewes

                  51.7k673188




                  51.7k673188






















                      up vote
                      2
                      down vote













                      It's not meant to provide extra security in a quantifiable sense. It's supposed to provide other security advantages, like for example, serve as a tool for key management systems.



                      One example is what in some systems is called envelope encryption, where there are two kinds of encryption key:





                      • Key encryption keys, also known as KEKs or master keys


                      • Data encryption keys, also known as DEKs


                      There is a key management system (KMS) that owns the KEKs and works as a server. To encrypt data, clients follow this protocol:




                      1. Client requests a fresh DEK from the KMS

                      2. The KMS logs the request, generates a fresh DEK, and returns two versions thereof—one plain, one wrapped with the KEK

                      3. The client encrypts data with the plain DEK

                      4. The client writes out the wrapped DEK to storage along with the data ciphertexts, and discards the plain DEK.


                      To decrypt data:




                      1. Client reads ciphertext and wrapped DEK from storage

                      2. Client requests from the KMS that it unwrap the DEK

                      3. The KMS logs the request, authenticates the client and checks that it's authorized for that DEK

                      4. If so, the KMS unwraps the DEK and sends the result to the client

                      5. Client uses decrypted DEK to decrypt the data


                      Some advantages of such a setup are:




                      • Properly implemented clients don't store long-term data encryption keys.

                      • The KMS authenticates clients, enforces authorization policies, and logs all operations. So you can for example quickly revoke access to a client if you suspect it's been compromised, and identify which DEKs it managed to get the KMS to unwrap for it.


                      But as I said, these don't amount to a quantifiable improvement of security in the sense of "the encryption got stronger." They're practical architectural improvements over more naïve approaches to key management (e.g., using a single long-term key to encrypt all data, and putting copies of that key on all of your machines).






                      share|improve this answer

























                        up vote
                        2
                        down vote













                        It's not meant to provide extra security in a quantifiable sense. It's supposed to provide other security advantages, like for example, serve as a tool for key management systems.



                        One example is what in some systems is called envelope encryption, where there are two kinds of encryption key:





                        • Key encryption keys, also known as KEKs or master keys


                        • Data encryption keys, also known as DEKs


                        There is a key management system (KMS) that owns the KEKs and works as a server. To encrypt data, clients follow this protocol:




                        1. Client requests a fresh DEK from the KMS

                        2. The KMS logs the request, generates a fresh DEK, and returns two versions thereof—one plain, one wrapped with the KEK

                        3. The client encrypts data with the plain DEK

                        4. The client writes out the wrapped DEK to storage along with the data ciphertexts, and discards the plain DEK.


                        To decrypt data:




                        1. Client reads ciphertext and wrapped DEK from storage

                        2. Client requests from the KMS that it unwrap the DEK

                        3. The KMS logs the request, authenticates the client and checks that it's authorized for that DEK

                        4. If so, the KMS unwraps the DEK and sends the result to the client

                        5. Client uses decrypted DEK to decrypt the data


                        Some advantages of such a setup are:




                        • Properly implemented clients don't store long-term data encryption keys.

                        • The KMS authenticates clients, enforces authorization policies, and logs all operations. So you can for example quickly revoke access to a client if you suspect it's been compromised, and identify which DEKs it managed to get the KMS to unwrap for it.


                        But as I said, these don't amount to a quantifiable improvement of security in the sense of "the encryption got stronger." They're practical architectural improvements over more naïve approaches to key management (e.g., using a single long-term key to encrypt all data, and putting copies of that key on all of your machines).






                        share|improve this answer























                          up vote
                          2
                          down vote










                          up vote
                          2
                          down vote









                          It's not meant to provide extra security in a quantifiable sense. It's supposed to provide other security advantages, like for example, serve as a tool for key management systems.



                          One example is what in some systems is called envelope encryption, where there are two kinds of encryption key:





                          • Key encryption keys, also known as KEKs or master keys


                          • Data encryption keys, also known as DEKs


                          There is a key management system (KMS) that owns the KEKs and works as a server. To encrypt data, clients follow this protocol:




                          1. Client requests a fresh DEK from the KMS

                          2. The KMS logs the request, generates a fresh DEK, and returns two versions thereof—one plain, one wrapped with the KEK

                          3. The client encrypts data with the plain DEK

                          4. The client writes out the wrapped DEK to storage along with the data ciphertexts, and discards the plain DEK.


                          To decrypt data:




                          1. Client reads ciphertext and wrapped DEK from storage

                          2. Client requests from the KMS that it unwrap the DEK

                          3. The KMS logs the request, authenticates the client and checks that it's authorized for that DEK

                          4. If so, the KMS unwraps the DEK and sends the result to the client

                          5. Client uses decrypted DEK to decrypt the data


                          Some advantages of such a setup are:




                          • Properly implemented clients don't store long-term data encryption keys.

                          • The KMS authenticates clients, enforces authorization policies, and logs all operations. So you can for example quickly revoke access to a client if you suspect it's been compromised, and identify which DEKs it managed to get the KMS to unwrap for it.


                          But as I said, these don't amount to a quantifiable improvement of security in the sense of "the encryption got stronger." They're practical architectural improvements over more naïve approaches to key management (e.g., using a single long-term key to encrypt all data, and putting copies of that key on all of your machines).






                          share|improve this answer












                          It's not meant to provide extra security in a quantifiable sense. It's supposed to provide other security advantages, like for example, serve as a tool for key management systems.



                          One example is what in some systems is called envelope encryption, where there are two kinds of encryption key:





                          • Key encryption keys, also known as KEKs or master keys


                          • Data encryption keys, also known as DEKs


                          There is a key management system (KMS) that owns the KEKs and works as a server. To encrypt data, clients follow this protocol:




                          1. Client requests a fresh DEK from the KMS

                          2. The KMS logs the request, generates a fresh DEK, and returns two versions thereof—one plain, one wrapped with the KEK

                          3. The client encrypts data with the plain DEK

                          4. The client writes out the wrapped DEK to storage along with the data ciphertexts, and discards the plain DEK.


                          To decrypt data:




                          1. Client reads ciphertext and wrapped DEK from storage

                          2. Client requests from the KMS that it unwrap the DEK

                          3. The KMS logs the request, authenticates the client and checks that it's authorized for that DEK

                          4. If so, the KMS unwraps the DEK and sends the result to the client

                          5. Client uses decrypted DEK to decrypt the data


                          Some advantages of such a setup are:




                          • Properly implemented clients don't store long-term data encryption keys.

                          • The KMS authenticates clients, enforces authorization policies, and logs all operations. So you can for example quickly revoke access to a client if you suspect it's been compromised, and identify which DEKs it managed to get the KMS to unwrap for it.


                          But as I said, these don't amount to a quantifiable improvement of security in the sense of "the encryption got stronger." They're practical architectural improvements over more naïve approaches to key management (e.g., using a single long-term key to encrypt all data, and putting copies of that key on all of your machines).







                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered Nov 20 at 19:54









                          Luis Casillas

                          9,29711235




                          9,29711235






























                               

                              draft saved


                              draft discarded



















































                               


                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64184%2fhow-much-extra-security-does-key-wrapping-provide%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              AnyDesk - Fatal Program Failure

                              How to calibrate 16:9 built-in touch-screen to a 4:3 resolution?

                              QoS: MAC-Priority for clients behind a repeater