Authenticated block cipher mode of operation

Common symmetric block cipher modes of operation (such as CBC, OFB, CTR) only provide confidentiality. That means that your plaintext is not readable without knowledge of the secret key. When ciphertext gets changed by a third party, the receiver cannot tell whether that change was made intentionally by an authorized party or by an unauthorized one.

But there are several ways to provide confidentiality as well as authenticity. One possibility to guarantee confidentiality and authenticity is to use message authentication codes. MACs tag messages with additional data. Only authorized parties holding the key that was used for the generation of the MAC are able to generate and check the tag. If the tag or the message gets changed by an unauthorized party, one is able to recognize it.

Opinions are divided whether to tag plaintext or ciphertext data. Both options have advantages and disadvantages; see the discussions "Another reason to MAC ciphertext, not plaintext" and "When authenticating ciphertexts, what should be HMACed?".

As it is explained here, the correct usage of CBC-MAC is also a well-known issue 🙂 I personally prefer using HMAC for authenticating messages. It is quite easy to use and foolproof. But all MACs have one big disadvantage: when decrypting or encrypting data, one has to iterate twice over the data, no matter whether plaintext or ciphertext got tagged. One iteration is for de/encryption and one is for the generation of the MAC. This is fine for small amounts of data, but it leads to high loads when working with bulk data. So this method is inappropriate for hard disk encryption.
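As an added example (not code from the original post), here is the encrypt-then-MAC construction described above in Go, using only the standard library: AES-256-CBC for confidentiality and HMAC-SHA256 over IV and ciphertext for authenticity. The keys, the message and the function names (`Seal`, `Open`) are constructed for the demo; a real deployment would derive two independent keys from a key-derivation function. Note the two passes on each side: one for the cipher and one for the MAC, and that the tag is checked in constant time before any decryption is attempted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed demo keys. Encryption and MAC keys must be independent.
var (
	encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	macKey = []byte("fedcba9876543210fedcba9876543210") // separate HMAC key
)

// ErrBadTag is returned whenever the HMAC tag does not match.
var ErrBadTag = errors.New("authentication tag mismatch")

// pad applies PKCS#7 padding so the length is a multiple of the block size.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := make([]byte, len(b)+n)
	copy(out, b)
	for i := len(b); i < len(out); i++ {
		out[i] = byte(n)
	}
	return out
}

// unpad removes PKCS#7 padding and rejects malformed padding.
func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Seal returns iv || ciphertext || tag, where tag = HMAC-SHA256(macKey, iv || ciphertext).
// Pass 1: CBC encryption. Pass 2: HMAC over the ciphertext (encrypt-then-MAC).
func Seal(plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := pad(plaintext)
	out := make([]byte, aes.BlockSize, aes.BlockSize+len(padded)+sha256.Size)
	if _, err := io.ReadFull(rand.Reader, out); err != nil { // random IV
		return nil, err
	}
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(ct, padded)
	out = append(out, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out) // the tag covers IV and ciphertext
	return mac.Sum(out), nil
}

// Open verifies the tag first and only then decrypts (again two passes).
func Open(sealed []byte) ([]byte, error) {
	const minLen = 2*aes.BlockSize + sha256.Size // IV + one block + tag
	if len(sealed) < minLen || (len(sealed)-sha256.Size)%aes.BlockSize != 0 {
		return nil, ErrBadTag
	}
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return nil, ErrBadTag
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

func main() {
	sealed, _ := Seal([]byte("constructed sample message"))
	pt, err := Open(sealed)
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	tampered := bytes.Clone(sealed)
	tampered[aes.BlockSize] ^= 0x01 // flip one ciphertext bit
	_, err = Open(tampered)
	fmt.Println("tampered:", err)
}
```

Because the tag is verified before decryption, a modified ciphertext is rejected without ever running the block cipher, which also removes the padding-oracle surface that MAC-then-encrypt designs carry.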

Therefore "authenticated encryption with associated data (AEAD)" or simply "authenticated encryption (AE)" could be used. Data gets de/encrypted AND tagged simultaneously. Here are some examples of authenticated encryption modes. Those methods encrypt and authenticate a secret message m and also authenticate "additional authenticated data" a, which is not encrypted (a can also stay empty). Unfortunately, those modes of operation are not very popular up to now. Some authenticated modes of operation are not able to finish decryption if an (authentication) error occurs during decryption. This could lead to problems in some cases, especially when it is necessary to recover faulty data.
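As an added example (not from the original post), the same idea with an AEAD mode: AES-256-GCM from Go's standard library encrypts the message m and authenticates both m and the associated data a in a single pass. The key, the sample header used as a and the function names (`SealAEAD`, `OpenAEAD`) are constructed for the demo. It also shows the behaviour mentioned above: when the tag does not verify, `gcm.Open` returns an error and no plaintext at all, so nothing can be "partially recovered" from a damaged ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed demo key (32 bytes -> AES-256). One key serves encryption and authentication.
var aeadKey = []byte("0123456789abcdef0123456789abcdef")

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(aeadKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAEAD encrypts m and authenticates m together with the associated data a.
// Output layout: nonce || ciphertext || tag. The nonce must never repeat under one key.
func SealAEAD(m, a []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, giving nonce||ct||tag in one buffer.
	return gcm.Seal(nonce, nonce, m, a), nil
}

// OpenAEAD checks the tag over ciphertext and a, then returns m, or an error and no data.
func OpenAEAD(c, a []byte) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	if len(c) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := c[:gcm.NonceSize()], c[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, a) // single pass: decrypt + verify
}

func main() {
	header := []byte("sector=42;version=1") // constructed associated data, sent in clear
	sealed, _ := SealAEAD([]byte("constructed sector contents"), header)
	pt, err := OpenAEAD(sealed, header)
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	// Binding the header into the tag means moving the block to another sector fails.
	_, err = OpenAEAD(sealed, []byte("sector=43;version=1"))
	fmt.Println("wrong associated data:", err)
}
```

Binding a header (here a sector number) into the tag as associated data is what makes AEAD attractive for storage: the data is authenticated not only as unmodified but also as belonging at that position.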

Authenticated block cipher modes of operation could actually be used much more frequently instead of HMAC or other ways to provide authenticity. They are much more performant, elegant and straightforward. But even modern disk encryption software like TrueCrypt or Linux's cryptsetup (LUKS) does not support authenticated encryption. I had a nice discussion on that topic on the dm-crypt mailing list: [dm-crypt] Authenticated Encryption for dm-crypt
