Authenticated Encryption

  • A block cipher mode of operation:
    • Ciphertext + MAC ops (gives CIA) = tag

APIs

  • Encryption
    • Plaintext + encryption key + MAC key --> ciphertext + auth tag
  • Decryption
    • Ciphertext + auth tag + encryption key + MAC key --> plaintext (if valid) or error (if invalid)

Approaches

MAC-THEN-Encrypt (TLS)

plaintext + MAC --> encrypt

MAC-AND-Encrypt (SSH)

MAC the plaintext and encrypt the plaintext independently

Encrypt-THEN-MAC (Best! GCM, Poly1305, CCM, ...)

MAC the ciphertext

Encrypt-THEN-HMAC

BAD: Does two passes on the data

  • 1 block cipher call + 2 hash function calls: roughly 3x longer than encryption alone

  • Worse if the x86 AES instructions are in use
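
The APIs section and the Encrypt-THEN-HMAC approach above, as an added Go example that is not part of the original notes: it assumes AES-256-CTR for encryption and HMAC-SHA256 over IV || ciphertext for the tag. The names `Seal`, `Open`, `mac` and `ctr` and the demo keys are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// mac is HMAC-SHA256 over IV || ciphertext: the tag covers the ciphertext.
func mac(k *[32]byte, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, k[:])
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}

// ctr applies the AES-256-CTR keystream; the same call encrypts and decrypts.
func ctr(k *[32]byte, iv, in []byte) []byte {
	block, _ := aes.NewCipher(k[:]) // cannot fail: 32 bytes is a valid key size
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// Seal: plaintext + encryption key + MAC key (independent keys) --> IV, ciphertext, tag.
func Seal(enc, auth *[32]byte, pt []byte) (iv, ct, tag []byte, err error) {
	iv = make([]byte, aes.BlockSize) // fresh random IV for every message
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, nil, err
	}
	ct = ctr(enc, iv, pt)
	return iv, ct, mac(auth, iv, ct), nil
}

// Open verifies the tag in constant time first; a bad tag or IV length is an error.
func Open(enc, auth *[32]byte, iv, ct, tag []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize || !hmac.Equal(tag, mac(auth, iv, ct)) {
		return nil, fmt.Errorf("authentication failed")
	}
	return ctr(enc, iv, ct), nil
}

func main() {
	enc, auth := &[32]byte{1}, &[32]byte{2} // constructed demo keys
	iv, ct, tag, _ := Seal(enc, auth, []byte("pay 100"))
	fmt.Println(Open(enc, auth, iv, append(ct, 0), tag)) // altered ciphertext
}
```

The IV length check in `Open` matters because the tag is computed over the plain concatenation IV || ciphertext; a fixed IV length keeps the boundary between the two unambiguous.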

Galois/Counter Mode (GCM)

  • lightweight MAC running parallel with encryption
  • Block Cipher in CTR mode
