[RFC PATCH 2/3] Add API for initializing AEAD modes

Jussi Kivilinna jussi.kivilinna at iki.fi
Wed Oct 16 13:49:13 CEST 2013


On 16.10.2013 14:20, Dmitry Eremin-Solenikov wrote:
> Hello,
> 
> On Wed, Oct 16, 2013 at 1:05 PM, Jussi Kivilinna <jussi.kivilinna at iki.fi> wrote:
>> On 15.10.2013 16:46, Werner Koch wrote:
>>> On Mon, 14 Oct 2013 13:20, jussi.kivilinna at iki.fi said:
>>>
>>>> gcry_cipher_authenticate (hd, aadbuf, aadbuflen)
>>>>
>>>> which does the actual MAC initialization. If aadbuflen == 0, then
>>>> above call can be omitted and gcry_cipher_(en|de)crypt will call
>>>> gcry_cipher_authenticate with zero length.
>>>
>>> What about extending this function to also take the authentication tag
>>> and, if the plaintext length is required for the MAC setup, also that
>>> length?  That would group the information together.
>>
>> Ok, so we'd have
>>   gcry_cipher_authenticate (hd, const void *aadbuf, size_t aadbuflen,
>>                             const void *tag, size_t taglen, size_t crypt_len)
>>
>> For encryption, tag is NULL pointer and taglen is zero and after encryption
>> authentication tag can be read with 'gcry_cipher_tag'. For decryption, tag
>> is given for authentication check with above function.
> 
> Hmm. That would require for the tag to be stored in the context to be validated
> after we process all enciphered data. I would suggest to move tag validation
> to upper layer:
> 
> * setiv/setkey/etc.
> * authenticate(AAD, crypt_len)
> * while (has_data) enc_data = encrypt(data)
> * tag = tag() -> returns tag for AAD and passed data
> Upper layer passes AAD, enc_data and tag to other side.
> 
> Upper layer received AAD, enc_data, and tag
> * setiv/setkey/etc
> * authenticate(AAD, crypt_len)
> * while (has_enc_data) data = decrypt(enc_data)
> * new_tag = tag() -> returns tag for AAD and unencrypted data
> Then upper layer can compare tag with new_tag and thus verify that data
> is authenticated. What do you think?
> 
> BTW: Looking at GCM/GMAC I have the feeling that single
> authenticate() might be enough for now (and should be enough for
> e.g. TLS), but in future to support GMAC (GCM working in auth-only mode,
> no crypto data) we might want to support several sequential authenticate()
> calls (if all of them come before first encrypt()/decrypt() call).
> 

I've been looking at adding CMAC to libgcrypt, maybe gcry_cipher_authenticate()
could be used for this too.

-Jussi
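
Added example, not part of the original message and not libgcrypt code: a Python model of the call order proposed in the quoted reply above (repeated authenticate() only before the first encrypt()/decrypt(), tag() at the end, tag comparison in the upper layer). `AeadModel`, `open_message`, the HMAC-SHA256 tag and the SHA-256 counter keystream are assumptions standing in for a real AEAD mode.

```python
import hashlib
import hmac

class AeadModel:
    """Toy handle modelling the call order only; not libgcrypt, not a real AEAD."""
    def __init__(self, key, iv):  # stands in for setkey/setiv
        self._ks_key = hashlib.sha256(b"enc" + key + iv).digest()
        self._mac = hmac.new(hashlib.sha256(b"mac" + key).digest(), iv, hashlib.sha256)
        self._aad_len = self._pos = 0
        self._started = False  # True once encrypt()/decrypt() has been called

    def authenticate(self, aad):
        # Repeated calls are accepted, but only before any payload is processed.
        if self._started:
            raise RuntimeError("authenticate() after encrypt()/decrypt()")
        self._mac.update(aad)
        self._aad_len += len(aad)

    def _xor(self, data):  # SHA-256 counter keystream, an assumed stand-in cipher
        self._started = True
        out = bytearray()
        for byte in data:
            block, off = divmod(self._pos, 32)
            ks = hashlib.sha256(self._ks_key + block.to_bytes(8, "big")).digest()
            out.append(byte ^ ks[off])
            self._pos += 1
        return bytes(out)

    def encrypt(self, data):
        ct = self._xor(data)
        self._mac.update(ct)  # the tag covers AAD and ciphertext
        return ct

    def decrypt(self, ct):
        self._mac.update(ct)
        return self._xor(ct)

    def tag(self):
        # Lengths are appended so the AAD/ciphertext boundary cannot be shifted.
        final = self._mac.copy()
        final.update(self._aad_len.to_bytes(8, "big") + self._pos.to_bytes(8, "big"))
        return final.digest()[:16]

def open_message(key, iv, aad, chunks, received_tag):  # upper-layer receive path
    hd = AeadModel(key, iv)
    hd.authenticate(aad)
    plaintext = b"".join(hd.decrypt(c) for c in chunks)
    if not hmac.compare_digest(hd.tag(), received_tag):  # constant-time compare
        raise ValueError("tag mismatch: discard plaintext")
    return plaintext
```

With validation in the upper layer, the receive path has to withhold decrypted data until the comparison succeeds and has to compare tags in constant time; `open_message` does both.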






More information about the Gcrypt-devel mailing list