[RFC PATCH 2/3] Add API for initializing AEAD modes

Dmitry Eremin-Solenikov dbaryshkov at gmail.com
Wed Oct 16 13:20:15 CEST 2013


Hello,

On Wed, Oct 16, 2013 at 1:05 PM, Jussi Kivilinna <jussi.kivilinna at iki.fi> wrote:
> On 15.10.2013 16:46, Werner Koch wrote:
>> On Mon, 14 Oct 2013 13:20, jussi.kivilinna at iki.fi said:
>>
>>> gcry_cipher_authenticate (hd, aadbuf, aadbuflen)
>>>
>>> which does the actual MAC initialization. If aadbuflen == 0, then
>>> above call can be omitted and gcry_cipher_(en|de)crypt will call
>>> gcry_cipher_authenticate with zero length.
>>
>> What about extending this function to also take the authentication tag
>> and, if the plaintext length is required for the MAC setup, also that
>> length?  That would group the information together.
>
> Ok, so we'd have
>   gcry_cipher_authenticate (hd, const void *aadbuf, size_t aadbuflen,
>                             const void *tag, size_t taglen, size_t crypt_len)
>
> For encryption, tag is NULL pointer and taglen is zero and after encryption
> authentication tag can be read with 'gcry_cipher_tag'. For decryption, tag
> is given for authentication check with above function.

Hmm. That would require the tag to be stored in the context to be validated
after we process all enciphered data. I would suggest moving tag validation
to the upper layer:

* setiv/setkey/etc.
* authenticate(AAD, crypt_len)
* while (has_data) enc_data = encrypt(data)
* tag = tag() -> returns tag for AAD and passed data
Upper layer passes AAD, enc_data and tag to other side.

Upper layer received AAD, enc_data, and tag
* setiv/setkey/etc
* authenticate(AAD, crypt_len)
* while (has_enc_data) data = decrypt(enc_data)
* new_tag = tag() -> returns tag for AAD and unencrypted data
Then the upper layer can compare tag with new_tag and thus verify that the data
is authenticated. What do you think?

BTW: Looking at GCM/GMAC I have the feeling that single
authenticate() might be enough for now (and should be enough for
e.g. TLS), but in future to support GMAC (GCM working in auth-only mode,
no crypto data) we might want to support several sequential authenticate()
calls (if all of them come before first encrypt()/decrypt() call).

-- 
With best wishes
Dmitry
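The two-sided flow sketched above (setkey/setiv, authenticate(AAD, crypt_len), a loop of encrypt()/decrypt() calls, then tag(), with the tag comparison left to the upper layer), as an added, runnable illustration that is not code from libgcrypt or from anyone on this thread. The method names mirror the sketch, not libgcrypt's real functions; the cipher is a toy HMAC-SHA256 stream with an HMAC tag over AAD and ciphertext (GCM-style length framing), not GCM; the key, IV, AAD and messages are constructed for the example. It also shows the two points raised at the end: several authenticate() calls before the first data call (auth-only, GMAC-style use) are accepted, and an authenticate() call after data has been processed is rejected.

```python
import hashlib
import hmac
from typing import Optional


class AeadContext:
    """Toy AEAD context following the call sequence from the thread:
    setkey/setiv -> authenticate(aad, crypt_len) (one or more times) ->
    encrypt()/decrypt() chunks -> tag().

    Cipher: CTR-like stream, keystream block i = HMAC-SHA256(enc_key, iv || i).
    Tag: HMAC-SHA256(mac_key, aad || len(aad) || ciphertext || len(ciphertext)).
    An illustration of the API shape only: NOT GCM and NOT libgcrypt code.
    """

    def __init__(self) -> None:
        self._enc_key = self._mac_key = self._iv = None
        self._mac = None            # incremental MAC over AAD, then ciphertext
        self._aad_len = 0
        self._data_len = 0
        self._crypt_len: Optional[int] = None  # announced data length, if any
        self._counter = 0
        self._ks_buf = b""          # keystream bytes not yet consumed
        self._data_started = False  # once set, authenticate() is an error

    def setkey(self, key: bytes) -> None:
        # Derive independent encryption and MAC keys from the caller's key.
        self._enc_key = hashlib.sha256(b"enc" + key).digest()
        self._mac_key = hashlib.sha256(b"mac" + key).digest()

    def setiv(self, iv: bytes) -> None:
        self._iv = iv
        self._mac = hmac.new(self._mac_key, digestmod=hashlib.sha256)

    def authenticate(self, aad: bytes, crypt_len: Optional[int] = None) -> None:
        """Feed AAD. Allowed repeatedly, but only before any data call."""
        if self._data_started:
            raise RuntimeError("authenticate() after encrypt()/decrypt()")
        self._mac.update(aad)
        self._aad_len += len(aad)
        if crypt_len is not None:
            self._crypt_len = crypt_len

    def _close_aad(self) -> None:
        # Terminate the AAD section with its length (as GCM's length block
        # does) and refuse further authenticate() calls from here on.
        if not self._data_started:
            self._mac.update(self._aad_len.to_bytes(8, "big"))
            self._data_started = True

    def _keystream(self, n: int) -> bytes:
        while len(self._ks_buf) < n:
            ctr = self._counter.to_bytes(8, "big")
            self._ks_buf += hmac.new(self._enc_key, self._iv + ctr, hashlib.sha256).digest()
            self._counter += 1
        out, self._ks_buf = self._ks_buf[:n], self._ks_buf[n:]
        return out

    def _crypt(self, data: bytes, encrypting: bool) -> bytes:
        self._close_aad()
        out = bytes(a ^ b for a, b in zip(data, self._keystream(len(data))))
        # The tag always covers the ciphertext: the output when encrypting,
        # the input when decrypting.
        self._mac.update(out if encrypting else data)
        self._data_len += len(data)
        return out

    def encrypt(self, plaintext: bytes) -> bytes:
        return self._crypt(plaintext, True)

    def decrypt(self, ciphertext: bytes) -> bytes:
        return self._crypt(ciphertext, False)

    def tag(self) -> bytes:
        """Tag over the AAD and all data passed so far."""
        self._close_aad()
        if self._crypt_len is not None and self._data_len != self._crypt_len:
            raise ValueError("data length differs from announced crypt_len")
        mac = self._mac.copy()
        mac.update(self._data_len.to_bytes(8, "big"))
        return mac.digest()


def seal(key: bytes, iv: bytes, aad: bytes, plaintext: bytes, chunk: int = 7):
    """Sender: returns (ciphertext, tag); AAD is sent alongside in the clear."""
    ctx = AeadContext()
    ctx.setkey(key)
    ctx.setiv(iv)
    ctx.authenticate(aad, len(plaintext))
    ct = b"".join(ctx.encrypt(plaintext[i:i + chunk]) for i in range(0, len(plaintext), chunk))
    return ct, ctx.tag()


def open_(key: bytes, iv: bytes, aad: bytes, ciphertext: bytes, tag: bytes, chunk: int = 5):
    """Receiver: decrypt, recompute the tag, compare in constant time.
    Returns the plaintext, or None on mismatch; plaintext produced by a
    failed call must be discarded by the caller, never acted upon."""
    ctx = AeadContext()
    ctx.setkey(key)
    ctx.setiv(iv)
    ctx.authenticate(aad, len(ciphertext))
    pt = b"".join(ctx.decrypt(ciphertext[i:i + chunk]) for i in range(0, len(ciphertext), chunk))
    if not hmac.compare_digest(ctx.tag(), tag):
        return None
    return pt


def mac_only(key: bytes, iv: bytes, aad_parts) -> bytes:
    """GMAC-style use: several authenticate() calls, no data, then tag()."""
    ctx = AeadContext()
    ctx.setkey(key)
    ctx.setiv(iv)
    for part in aad_parts:
        ctx.authenticate(part)
    return ctx.tag()


if __name__ == "__main__":
    key, iv = b"k" * 32, b"\x00" * 12  # constructed test values
    ct, t = seal(key, iv, b"hdr", b"attack at dawn")
    print(open_(key, iv, b"hdr", ct, t))  # plaintext
    print(open_(key, iv, b"hdx", ct, t))  # None: AAD was altered
```

Two practitioner notes on the "compare at the upper layer" design this sketch implements: decrypt() hands back plaintext before anything has been verified, so the caller must buffer it and discard it when the tags differ, and the comparison must be constant-time (hmac.compare_digest above) so that the tag is not recoverable byte by byte from timing. The AEAD API libgcrypt later shipped keeps the comparison inside the library (gcry_cipher_gettag on the sender, gcry_cipher_checktag on the receiver), which removes the first hazard from the caller.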
