
Support for GCM in PKCS8 #1432

@randombit

Description


The best widely implemented algorithm for PBES2/PKCS8 is AES-256-CBC. However, RFC 8018 is open to supporting any cipher in an application-defined way:

encryptionScheme identifies the underlying encryption scheme. It shall be an algorithm ID with an OID in the set PBES2-Encs, whose definition is left to the application.

(RFC 8018, section A.4)

Some implementations of PBES2/PKCS8 support GCM as an alternative; I'm aware of https://github.com/randombit/botan and https://github.com/Legrandin/pycryptodome (these implementations are compatible).

Would there be any interest in extending pkcs8 to also support AES-256-GCM? It extends pretty naturally from the AES-CBC ASN.1 definitions:

  1. Use the appropriate OID for AES-GCM
  2. Put the GCM nonce where CBC places the IV
  3. Profit with AEAD-protected keys
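An added illustration of the three steps above, not code from the issue, the pkcs8 crate, Botan or pycryptodome: it DER-encodes the PBES2 AlgorithmIdentifier with PBKDF2-HMAC-SHA256 and either the AES-256-CBC or the AES-256-GCM OID, parses it back, and derives the content-encryption key with the Python standard library's PBKDF2. The hand-rolled DER helpers, the demo salt/nonce/iteration values and the choice to encode the GCM nonce as a bare OCTET STRING in the encryptionScheme parameters (step 2 taken literally) are assumptions of this example; RFC 5084 defines a separate GCMParameters SEQUENCE (nonce plus optional ICV length) for the AES-GCM AlgorithmIdentifier, so check which form a peer implementation expects before relying on interoperability. The AEAD call itself is left to a crypto library; the example assumes the EncryptedPrivateKeyInfo OCTET STRING carries the ciphertext followed by the 16-byte GCM tag.

```python
import hashlib

# Dotted OIDs: PBES2/PBKDF2 and HMAC PRFs from RFC 8018, AES from the NIST CSOR arc.
OID_PBES2 = "1.2.840.113549.1.5.13"
OID_PBKDF2 = "1.2.840.113549.1.5.12"
OID_HMAC_SHA1 = "1.2.840.113549.2.7"       # RFC 8018 default prf when absent
OID_HMAC_SHA256 = "1.2.840.113549.2.9"
OID_AES256_CBC = "2.16.840.1.101.3.4.1.42"
OID_AES256_GCM = "2.16.840.1.101.3.4.1.46"
PRF_HASH = {OID_HMAC_SHA1: "sha1", OID_HMAC_SHA256: "sha256"}


# ---- minimal DER encoder / decoder (example helpers, not a full ASN.1 library) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    return der(0x06, _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:]))


def der_int(n):
    # one spare byte keeps the sign bit clear for non-negative values (minimal encoding)
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_seq(*parts):
    return der(0x30, b"".join(parts))


def der_octets(b):
    return der(0x04, b)


def _tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        out.append((tag, value))
    return out


def decode_oid(body):
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


# ---- PBES2 structures -------------------------------------------------------------
def pbes2_algorithm_identifier(salt, iterations, cipher_oid, iv):
    """AlgorithmIdentifier { id-PBES2, PBES2-params } using PBKDF2-HMAC-SHA256.
    The trailing OCTET STRING is the CBC IV or, with the AES-GCM OID, the GCM nonce."""
    prf = der_seq(der_oid(OID_HMAC_SHA256), b"\x05\x00")      # NULL parameters
    kdf = der_seq(der_oid(OID_PBKDF2), der_seq(der_octets(salt), der_int(iterations), prf))
    enc = der_seq(der_oid(cipher_oid), der_octets(iv))          # step 1 + step 2
    return der_seq(der_oid(OID_PBES2), der_seq(kdf, enc))


def parse_pbes2(alg_id):
    """Walk the PBES2 AlgorithmIdentifier and return what a decryptor needs."""
    tag, body, _ = _tlv(alg_id)
    (_, oid), (_, params) = _children(body)
    if tag != 0x30 or decode_oid(oid) != OID_PBES2:
        raise ValueError("not a PBES2 AlgorithmIdentifier")
    (_, kdf), (_, enc) = _children(params)
    (_, kdf_oid), (_, kdf_params) = _children(kdf)
    if decode_oid(kdf_oid) != OID_PBKDF2:
        raise ValueError("only PBKDF2 is handled here")
    fields = _children(kdf_params)
    out = {"salt": fields[0][1], "iterations": int.from_bytes(fields[1][1], "big"),
           "key_length": None, "prf": OID_HMAC_SHA1}
    for ftag, value in fields[2:]:          # keyLength (INTEGER) and prf are OPTIONAL
        if ftag == 0x02:
            out["key_length"] = int.from_bytes(value, "big")
        elif ftag == 0x30:
            out["prf"] = decode_oid(_children(value)[0][1])
    (_, cipher_oid), (_, iv) = _children(enc)
    out["cipher"], out["iv"] = decode_oid(cipher_oid), iv
    return out


def derive_key(password, params, key_len=32):
    """PBKDF2 from the parsed parameters; 32 bytes for either AES-256 OID."""
    return hashlib.pbkdf2_hmac(PRF_HASH[params["prf"]], password, params["salt"],
                               params["iterations"], key_len)


def encrypted_private_key_info(alg_id, encrypted_data):
    """EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }.
    Assumption for AES-GCM: encrypted_data is ciphertext || 16-byte tag."""
    return der_seq(alg_id, der_octets(encrypted_data))


# Constructed demo values; a real encoder draws salt and nonce from a CSPRNG and
# would use a higher iteration count.
DEMO_SALT = bytes(range(16))
DEMO_NONCE = bytes(range(12))                # 96-bit GCM nonce, where CBC has a 128-bit IV
DEMO_ITERATIONS = 100_000


def demo():
    cbc = pbes2_algorithm_identifier(DEMO_SALT, DEMO_ITERATIONS, OID_AES256_CBC, bytes(16))
    gcm = pbes2_algorithm_identifier(DEMO_SALT, DEMO_ITERATIONS, OID_AES256_GCM, DEMO_NONCE)
    return parse_pbes2(cbc), parse_pbes2(gcm)
```

Parsing the two encodings side by side shows that the CBC and GCM forms differ only in the cipher OID and the length of the final OCTET STRING (16-byte IV versus 12-byte nonce); everything about PBKDF2 is unchanged, and `derive_key` feeds the same 32-byte key to AES-256-GCM that it would to AES-256-CBC.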
