Is there a practical and proven mechanism for wrapping "stronger" symmetric keys with a set of "weaker" RSA wrapping keys?
The problem is not due to any technical issue. It is just that the key strength would be undermined if the ciphertext was available to an attacker (and usually that's a common assumption, as otherwise you would not have to wrap anything in the first place). The mechanism is fine, but the security of the key is now less than 256 bits.
So what are your options around this issue:
- use a different method for key establishment, such as ECDH (agreement) or ECIES (wrapping / encapsulation);
- mitigate the problem by protecting the ciphertext using other measures;
- downgrade to AES-128 - hey is it pretty secure anyway.
Finally, maybe you are just using 256 bit AES because it is a technical requirement. If you only need 128 bits of security in the first place then using a 4Kib RSA key pair is fine.
Note that ECDH and ECIES and are more vulnerable to quantum analysis than RSA, so you may also want to look into post quantum computing if you need to keep the data confidential in the not so near future. AES-128 is also somewhat vulnerable.
