Authenticated Encryption (AE) and Authenticated Encryption with Associated Data (AEAD) are forms of encryption which simultaneously assure the confidentiality and authenticity of data.
Security guarantees
In addition to protecting message integrity and confidentiality, authenticated encryption can provide security against chosen ciphertext attack. In these attacks, an adversary attempts to gain an advantage against a cryptosystem (for example, information about the secret decryption key) by submitting carefully chosen ciphertexts to some "decryption oracle" and analyzing the decrypted results. Authenticated encryption schemes can recognize improperly constructed ciphertexts and refuse to decrypt them. This, in turn, prevents the attacker from requesting the decryption of any ciphertext unless it was generated correctly using the encryption algorithm, thus implying that the plaintext is already known. Implemented correctly, authenticated encryption removes the utility of the decryption oracle by preventing an attacker from gaining useful information that the attacker does not already possess.
Many specialized authenticated encryption modes have been developed for use with symmetric block ciphers. However, authenticated encryption can be generically constructed by combining an encryption scheme and a message authentication code (MAC), provided that:
- The encryption scheme is semantically secure under a chosen plaintext attack.
- The MAC function is unforgeable under a chosen message attack.
Programming interface
A typical programming interface for an AE implementation provides the following functions:
Encryption
- Input: plaintext, key, and optionally a header in plaintext that will not be encrypted, but will be covered by authenticity protection.
- Output: ciphertext and authentication tag (message authentication code).
Decryption
- Input: ciphertext, key, authentication tag, and optionally a header (if used during the encryption).
- Output: plaintext, or an error if the authentication tag does not match the supplied ciphertext or header.
The header part is intended to provide authenticity and integrity protection for network or storage metadata for which confidentiality is unnecessary, but authenticity is desired.
History
The need for authenticated encryption emerged from the observation that securely combining separate confidentiality and authentication block cipher operation modes could be error prone and difficult. [1] [2] This was confirmed by a number of practical attacks introduced into production protocols and applications by incorrect implementation, or lack of authentication (including SSL/TLS). [3] Around the year 2000, a number of efforts evolved around the notion of standardizing modes that ensured correct implementation. In particular, strong interest in provably secure modes was sparked by the publication of Charanjit Jutla's integrity-aware CBC and integrity-aware parallelizable, IAPM, modes [4] in 2000 (see OCB and chronology [5]). Six different authenticated encryption modes (namely offset codebook mode 2.0, OCB 2.0; Key Wrap; counter with CBC-MAC, CCM; encrypt then authenticate then translate, EAX; encrypt-then-MAC, EtM; and Galois/counter mode, GCM) have been standardized in ISO/IEC 19772:2009. [6] More authenticated encryption methods were developed in response to NIST solicitation. [7] Sponge functions can be used in duplex mode to provide authenticated encryption. [8] Bellare and Namprempre (2000) analyzed three compositions of encryption and MAC primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext (the Encrypt-then-MAC approach) implies security against an adaptive chosen ciphertext attack, provided that both functions meet minimal required properties. Katz and Yung investigated the notion under the name "unforgeable encryption" and proved it implies security against chosen ciphertext attacks. [9] In 2013, the CAESAR competition was announced to encourage design of authenticated encryption modes. [10] In 2015, ChaCha20-Poly1305 was added as an alternative AE construction to GCM in IETF protocols.
Authenticated encryption with associated data (AEAD)
AEAD is a variant of AE that allows a recipient to check the integrity of both the encrypted and unencrypted information in a message. [11] AEAD binds associated data (AD) to the ciphertext and to the context where it is supposed to appear, so that attempts to "cut-and-paste" a valid ciphertext into a different context are detected and rejected. It is required, for example, by network packets or frames where the header needs visibility, the payload needs confidentiality, and both need integrity and authenticity.
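As an added example (not code from the original article, nor from any of the standards it cites), the programming interface from the section above and the AEAD binding described here, written in Go against the standard library's AES-GCM: the header is passed as associated data, so it is authenticated but not encrypted, and Open fails both on a modified ciphertext and on the same ciphertext presented with a different header, which is the cut-and-paste case. The key, header and payload values are constructed for the demo; the function names Seal and Open are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the "encryption" half of the interface: input plaintext, key and an
// optional header; output nonce || ciphertext || tag. The header is not
// encrypted but is covered by the authentication tag.
func Seal(key, header, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce per message; GCM loses both confidentiality
	// and authenticity if a nonce repeats under the same key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, header), nil
}

// Open is the "decryption" half: it returns the plaintext only if the tag
// verifies over both the ciphertext and the supplied header, else an error.
func Open(key, header, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], header)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)   // constructed demo key
	header := []byte("dst=10.0.0.7 seq=17") // constructed cleartext metadata
	plaintext := []byte("payload that needs confidentiality")

	sealed, err := Seal(key, header, plaintext)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, header, sealed)
	fmt.Printf("honest open:         %q err=%v\n", pt, err)

	// Flip one ciphertext byte: the tag no longer verifies.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-20] ^= 0x01
	_, err = Open(key, header, tampered)
	fmt.Println("tampered ciphertext:", err)

	// Same ciphertext, different header: the AD binding rejects the move.
	_, err = Open(key, []byte("dst=10.0.0.9 seq=17"), sealed)
	fmt.Println("mismatched header:  ", err)
}
```

Note that Open returns a single generic error for every failure mode; it never reveals whether the nonce, ciphertext or header was the part that did not verify.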
Approaches to authenticated encryption
Encrypt-then-MAC (EtM) approach
The plaintext is first encrypted, then a MAC is produced based on the resulting ciphertext. The ciphertext and its MAC are sent together. Used in, for example, IPsec. [12] This is the standard method according to ISO/IEC 19772:2009. [6] This is the only method which can reach the highest definition of security in AE, but this can only be achieved when the MAC used is "strongly unforgeable". [13] In November 2014, a TLS and DTLS extension for EtM was published as RFC 7366. Various EtM ciphersuites exist for SSHv2 as well (e.g., hmac-sha1-etm@openssh.com). Note that key separation is mandatory (distinct keys must be used for encryption and for the keyed hash), otherwise it is potentially insecure depending on the particular encryption method and hash function used. [citation needed]
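The generic EtM composition, written as an added example in Go (not the article's own code and not any library's API): AES-CTR for encryption and HMAC-SHA256 over the IV, header and ciphertext, with separate keys for the two primitives as the key-separation note requires. The receiver compares the tag in constant time and never runs the cipher on a message whose tag fails, which is what denies an attacker a usable decryption oracle. The key values, the header and the message framing (iv || ciphertext || tag with a length-prefixed header in the MAC input) are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	ivLen  = aes.BlockSize // 16-byte CTR initial counter block
	tagLen = sha256.Size   // 32-byte HMAC-SHA256 tag
)

// EtMKeys holds two independent keys. Key separation is part of the
// construction: the same key must not drive both the cipher and the MAC.
type EtMKeys struct {
	Enc []byte // AES key (16, 24 or 32 bytes)
	Mac []byte // HMAC key
}

// macInput frames the authenticated fields unambiguously: the length prefix on
// the header means bytes cannot be shifted between header and ciphertext
// without changing the MAC input.
func macInput(header, iv, ct []byte) []byte {
	var hlen [8]byte
	binary.BigEndian.PutUint64(hlen[:], uint64(len(header)))
	buf := make([]byte, 0, len(hlen)+len(header)+len(iv)+len(ct))
	buf = append(buf, hlen[:]...)
	buf = append(buf, header...)
	buf = append(buf, iv...)
	return append(buf, ct...)
}

// Encrypt runs AES-CTR on the plaintext and then MACs the ciphertext together
// with the header and IV. Output layout: iv || ciphertext || tag.
func Encrypt(k EtMKeys, header, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)

	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(macInput(header, iv, ct))
	out := append(iv, ct...)
	return mac.Sum(out), nil // Sum appends the tag to out
}

// Decrypt verifies the tag in constant time and only then touches the cipher;
// a message with a bad tag is rejected before any decryption happens.
func Decrypt(k EtMKeys, header, msg []byte) ([]byte, error) {
	if len(msg) < ivLen+tagLen {
		return nil, errors.New("message too short")
	}
	iv := msg[:ivLen]
	ct := msg[ivLen : len(msg)-tagLen]
	tag := msg[len(msg)-tagLen:]

	mac := hmac.New(sha256.New, k.Mac)
	mac.Write(macInput(header, iv, ct))
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	// Constructed demo keys; a real deployment derives the two keys from a KDF.
	keys := EtMKeys{Enc: bytes.Repeat([]byte{0x11}, 32), Mac: bytes.Repeat([]byte{0x22}, 32)}
	header := []byte("v=1;type=record") // constructed cleartext header
	msg, err := Encrypt(keys, header, []byte("encrypt-then-mac demo"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(keys, header, msg)
	fmt.Printf("honest:   %q err=%v\n", pt, err)

	// Any change to the ciphertext invalidates the tag.
	forged := append([]byte(nil), msg...)
	forged[ivLen] ^= 0x80
	_, err = Decrypt(keys, header, forged)
	fmt.Println("tampered:", err)
}
```

Because the MAC covers the ciphertext rather than the plaintext, this composition gives the Bellare-Namprempre result its footing: a forged ciphertext is rejected by the HMAC check alone, so the cipher's decryption path is never exercised on attacker-chosen input.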
Encrypt-and-MAC (E&M) approach
A MAC is produced based on the plaintext, and the plaintext is encrypted without the MAC. The plaintext's MAC and the ciphertext are sent together. Used in, for example, SSH. [14] Even though the E&M approach has not been proved to be strongly unforgeable in itself, [13] it is possible to apply some minor modifications to SSH to make it strongly unforgeable despite the approach. [15]
MAC-then-Encrypt (MtE) approach
A MAC is produced based on the plaintext, then the plaintext and MAC are together encrypted to produce a ciphertext based on both. The ciphertext (containing an encrypted MAC) is sent. Used in, for example, SSL/TLS. [16] Even though the MtE approach has not been proven to be strongly unforgeable in itself, [13] the SSL/TLS implementation has been proven to be strongly unforgeable by Krawczyk, who showed that SSL/TLS was, in fact, secure because of the encoding used alongside the MtE mechanism. [17] [dubious – discuss] Despite the theoretical security, deeper analysis of SSL/TLS modeled the protection as MAC-then-pad-then-encrypt, i.e. the plaintext is first padded to the block size of the encryption function. Padding errors often result in detectable errors on the recipient's side, which in turn lead to padding oracle attacks, such as Lucky Thirteen.
References
- NIST: Modes Development
- How to choose an Authenticated Encryption mode