## Introduction

One of the subjects I am currently studying is cryptography. There are many facets to cryptography, some of which I have learned and some I have yet to learn. However, I am currently studying authenticated encryption, and I have decided that I will write a blog post detailing what I have learned.

## Find your footing

Okay, authenticated encryption: what is it? Well, first you need to understand a little something in Information Security known as the CIA triad. The CIA in the CIA triad stands for Confidentiality, Integrity, and Availability. In layman’s terms, confidentiality ensures that unauthorized people cannot read data that they are not allowed to access. Integrity means that unauthorized people cannot modify data they are not allowed to access. Availability means that authorized people can access the data they need when they need it. Okay, what role does authenticated encryption play in this? Well, authenticated encryption spans two of the three parts of the CIA triad. Whereas plain encryption only ensures that unauthorized individuals cannot read data they do not have access to (confidentiality), authenticated encryption ensures that the message is both confidential and has integrity (it has not been modified).

## Terms to know

- Plaintext
- Ciphertext
- Key
- Message Authentication Code
- Authentication Tag
- Exclusive Or (XOR)
- Nonce
- Counter
- Advanced Encryption Standard (AES)

## Basics

There are two main methods of performing authenticated encryption. Method 1 combines a cipher with a Message Authentication Code (a form of hashing), and method 2 uses an authenticated cipher. First I’ll cover method 1 and then method 2.

There are three methods to combine a cipher with a MAC to form an authenticated cipher. They are as follows: 1) Encrypt-and-MAC, 2) MAC-then-encrypt, and 3) Encrypt-then-MAC.

## Encrypt-and-MAC

The steps for Encrypt-and-MAC are as follows:

- The sender encrypts the plaintext
- The sender generates a hash of the plaintext using a MAC function
- The sender transmits the ciphertext and the hash of the plaintext to the recipient
- The recipient then decrypts the ciphertext
- Next, the recipient computes the hash of the decrypted ciphertext (the plaintext) using a MAC function
- Finally, the recipient compares the hash it generated to the hash that the sender transmitted to verify the authenticity of the message

Keep in mind that the MAC used in this process is not a pseudorandom function; it can leak information about the plaintext.

Note: the SSH protocol uses Encrypt-then-MAC with a 32-bit sequence number to protect against replay attacks. FYI, a replay attack is where a malicious actor records traffic across a network and then retransmits it to the intended target.

## MAC-then-encrypt

MAC-then-encrypt uses a slightly different methodology:

- The sender first computes the authentication tag using a MAC function
- The sender then computes the ciphertext by concatenating the plaintext with the authentication tag and encrypting the result
- The sender transmits the ciphertext to the recipient
- The recipient then decrypts the ciphertext which results in the plaintext concatenated with the authentication tag
- The recipient computes its own authentication tag from the plaintext and compares it to the plaintext it received from the sender

This method is more secure than Encrypt-and-MAC because it hides the authentication tag within the ciphertext, thus obfuscating it.

Note: the TLS protocol supported MAC-then-encrypt up until TLS version 1.3. For version 1.3 and up, TLS uses authenticated ciphers.

## Encrypt-then-MAC

Encrypt-then-MAC uses the following methodology:

- The sender encrypts the plaintext using the key
- The sender then generates the authentication tag as a hash of the resulting ciphertext
- The sender then sends the authentication tag and the ciphertext to the recipient
- Next, the recipient computes the authentication tag of the ciphertext and compares it to the authentication tag received from the sender
- If the tags match, the recipient will decrypt the ciphertext
- If the tags do not match, the recipient will discard the ciphertext

There are a couple of important items to note about this methodology. First, this method is inherently more secure because the authentication tag is generated from (and therefore linked to) the ciphertext rather than the plaintext. Second, because the authentication tag is computed first, the recipient does not have to compute the plaintext if the authentication tags do not match; it can simply discard the ciphertext.

Note: the IPsec protocol uses the Encrypt-then-MAC methodology to secure VPN tunnels.
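The difference between Encrypt-and-MAC and Encrypt-then-MAC described above, as an added example that is not part of the original post. It uses HMAC-SHA256 as the MAC and, as an assumption so that it runs on the Python standard library alone, a stand-in stream cipher built from HMAC-SHA256 in counter mode; all function names are hypothetical.

```python
import hashlib
import hmac
import os

def keystream_xor(enc_key, nonce, data):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), an assumption so the
    example needs only the standard library; real code would use AES-CTR."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

def mac(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()

def encrypt_and_mac(enc_key, mac_key, plaintext):
    """Tag covers the plaintext, so it repeats whenever the plaintext repeats."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(enc_key, nonce, plaintext), mac(mac_key, plaintext)

def encrypt_then_mac(enc_key, mac_key, plaintext):
    """Tag covers nonce || ciphertext, which is different for every message."""
    nonce = os.urandom(16)
    blob = nonce + keystream_xor(enc_key, nonce, plaintext)
    return blob, mac(mac_key, blob)

def open_encrypt_then_mac(enc_key, mac_key, blob, tag):
    """Verify first with a constant-time compare; decrypt only on a match."""
    if len(blob) < 16 or not hmac.compare_digest(mac(mac_key, blob), tag):
        raise ValueError("tag mismatch: ciphertext discarded without decrypting")
    return keystream_xor(enc_key, blob[:16], blob[16:])

def demo_compositions():
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # two independent keys
    msg = b"status=ok"                                 # constructed sample message
    _, eam_tag1 = encrypt_and_mac(enc_key, mac_key, msg)
    _, eam_tag2 = encrypt_and_mac(enc_key, mac_key, msg)
    blob, etm_tag1 = encrypt_then_mac(enc_key, mac_key, msg)
    _, etm_tag2 = encrypt_then_mac(enc_key, mac_key, msg)
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])       # one bit flipped in transit
    try:
        open_encrypt_then_mac(enc_key, mac_key, tampered, etm_tag1)
        rejected = False
    except ValueError:
        rejected = True
    return (eam_tag1 == eam_tag2, etm_tag1 == etm_tag2, rejected,
            open_encrypt_then_mac(enc_key, mac_key, blob, etm_tag1))

if __name__ == "__main__":
    print(demo_compositions())
```

The first value shows that an observer of Encrypt-and-MAC traffic can tell when the same plaintext is sent twice, even though the ciphertexts differ; the Encrypt-then-MAC tags do not repeat.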

## Authenticated Ciphers

With authenticated ciphers, both the ciphertext and the authentication tag are generated by one function (the authenticated encryption algorithm). The steps are as follows:

- The sender uses the key and the plaintext as input into the authenticated encryption algorithm which then returns the ciphertext and the authentication tag.
- The sender then sends the ciphertext and the authentication tag to the recipient.
- The recipient uses the key, ciphertext, and the authentication tag as input into the authenticated decryption algorithm which then returns the plaintext.
- If the authenticated decryption algorithm returns an error, then either the ciphertext or the authentication tag is incorrect.
- Otherwise, the plaintext is guaranteed to be correct.

## Authenticated Encryption with Associated Data (AEAD)

Sometimes with authenticated encryption, there is data that needs to be authenticated but not necessarily encrypted. This could be something such as a packet header for an encrypted packet. In this instance, you are sending some data in the clear and some data encrypted, and you need to verify the authenticity of both. What algorithm does this? Well, it is very similar to the algorithm for authenticated ciphers.

- The sender uses the key, plaintext, and the associated data as input into the authenticated encryption algorithm which then returns the ciphertext, associated data, and the authentication tag.
- The sender then sends the ciphertext, associated data, and authentication tag to the recipient.
- The recipient uses the key, ciphertext, associated data, and the authentication tag as input into the authenticated decryption algorithm which then returns the plaintext and the authentication tag.

If no associated data is fed into the AEAD algorithm, then the algorithm functions as a normal authenticated cipher. If no plaintext is provided, the AEAD algorithm becomes a MAC function. For additional security, a nonce can be provided as input into the AEAD algorithm, thus providing additional unpredictability.
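The AEAD flow above with a cleartext packet header, as an added example that is not part of the original post. It assumes AES-GCM from the third-party Python `cryptography` package as the AEAD (AES-GCM requires a nonce that is unique per key); the packet fields and function names are hypothetical.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def seal_packet(key, header, payload):
    """Header travels in the clear, payload is encrypted, one tag covers both."""
    nonce = os.urandom(12)  # fresh 96-bit nonce for every message under this key
    return nonce, AESGCM(key).encrypt(nonce, payload, header)  # ciphertext || 16-byte tag

def open_packet(key, header, nonce, sealed):
    """Return the payload, or None when header, nonce, ciphertext or tag was altered."""
    try:
        return AESGCM(key).decrypt(nonce, sealed, header)
    except InvalidTag:
        return None

def demo_aead():
    key = AESGCM.generate_key(bit_length=128)
    header, payload = b"type=data;seq=7", b"balance=1200"  # constructed sample packet
    nonce, sealed = seal_packet(key, header, payload)
    flipped = bytes([sealed[0] ^ 1]) + sealed[1:]
    tag_nonce, tag_only = seal_packet(key, header, b"")    # no plaintext: acts as a MAC
    plain_nonce, plain = seal_packet(key, None, payload)   # no associated data
    return {
        "intact": open_packet(key, header, nonce, sealed),
        "header_changed": open_packet(key, b"type=data;seq=8", nonce, sealed),
        "ciphertext_changed": open_packet(key, header, nonce, flipped),
        "tag_only_length": len(tag_only),
        "tag_only_verifies": open_packet(key, header, tag_nonce, tag_only),
        "no_associated_data": open_packet(key, None, plain_nonce, plain),
    }

if __name__ == "__main__":
    for name, value in demo_aead().items():
        print(name, value)
```

Changing a single character of the unencrypted header makes decryption fail just as a flipped ciphertext bit does, which is the point of the associated data.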