Questions tagged [authenticated-encryption]

Combination of encryption and authentication in a way that ensures confidentiality, integrity and authentication

Authenticated encryption (AE) and authenticated encryption with associated data (AEAD) are forms of encryption that simultaneously assure the confidentiality, integrity, and authenticity of data.

CCM, EAX, Poly1305, and GCM are examples.

570 questions
429 votes, 13 answers

Should we MAC-then-encrypt or encrypt-then-MAC?

Most of the time, when some data must be encrypted, it must also be protected with a MAC, because encryption protects only against passive attackers. There are some nifty encryption modes which include a MAC (EAX, GCM...) but let's assume that we…
Thomas Pornin
49 votes, 1 answer

AES256-GCM - can someone explain how to use it securely (ruby)

I am looking into using AES256-GCM for encrypting some database fields. I know that for AES256-CBC, I need to generate a new IV for each encrypt, but I can use the same key. The IV can be openly stored alongside the ciphertext (ie, it can be…
46 votes, 2 answers

What do the magic numbers 0x5c and 0x36 in the opad/ipad calc in HMAC do?

Wikipedia lists the following pseudocode for HMAC: function hmac (key, message) if (length(key) > blocksize) then key = hash(key) // keys longer than blocksize are shortened end if if (length(key) < blocksize) then //…
sneak
42 votes, 12 answers

Is it possible to create a "digital seal" to tell if a document has been opened?

So, in real life we have a handful of ways to leave a physical mark on a packet to know if it has been opened without authorization (e.g. you can use 'opened' security tapes, or you can put a signature or stamp right through the envelope opening). One…
39 votes, 2 answers

Why should I use Authenticated Encryption instead of just encryption?

There are various different modes of operation for block cipher use, some of which provide "encryption" and some of which provide authenticated encryption. Why should I use an authenticated encryption mode rather than just an encryption mode? This…
36 votes, 2 answers

Using the same secret key for encryption and authentication in an Encrypt-then-MAC scheme

Is it a weakness to use a single shared secret for protecting messages using an Encrypt-then-MAC scheme? Assuming a system is using AES-256-CBC and a SHA1-HMAC and the same secret key for both operations. Upon intercepting one of these messages…
Rook
36 votes, 3 answers

Practical disadvantages of GCM mode encryption

It seems that GCM mode encryption has a clear advantage over CBC + HMAC in the sense that it only requires a single key. But it seems that there are some experts here that do not trust it enough to recommend it. This question is a call to those…
33 votes, 2 answers

Disadvantage AES-GCM

What are the disadvantages and weaknesses of AES-GCM mode for authenticated encryption? Why does the CAESAR competition say that it’s one of the goals to "find an AE scheme that offers an advantage over AES-GCM"? What advantage they are talking…
user2035863
33 votes, 2 answers

Why do we need special key-wrap algorithms?

Wikipedia says: Key Wrap constructions are a class of symmetric encryption algorithms designed to encapsulate (encrypt) cryptographic key material. We are using these algorithms to encrypt (and authenticate) a key, using a symmetric algorithm…
28 votes, 3 answers

Plain text size limits for AES-GCM mode just 64GB?

Based on NIST SP 800-38D section 5.2.1.1, it seems that the maximum length of plaintext is 2^39-256 bits ~ 64 GB. We've got 100+GB files in genomics that need to be GCM encrypted so are concerned about hitting this. So two questions: What's the…
DeepSpace101
26 votes, 3 answers

Is Encrypt+HMAC stronger than AEAD?

There are a few posts that I've come across that seem to imply that using regular encryption and a MAC might be better than using the newer AEAD (ie: AES/GCM)…
slipheed
22 votes, 3 answers

Cryptographic Challenge: How to Say Something Confidentially to Snowden?

The Snowden situation raises an interesting cryptographic problem. At present, how can something be sent confidentially to Snowden? Claim: I have no particular political orientation. The above question is merely a cryptographic challenge. The meta…
21 votes, 1 answer

Why choose an authenticated encryption mode instead of a separate MAC?

What are cryptographic reasons to choose an authenticated-encryption mode of operation (such as GCM) over a traditional encryption mode plus an independent MAC, or vice versa? Assume there is no implementation reason to pick one or the other (crypto…
21 votes, 4 answers

Why is OCB-AES mode not becoming a standard for authenticated encryption?

The OCB mode of authenticated encryption (used for example with AES) is the fastest way to provide authenticity and confidentiality without having to strive into questions like: Encrypt then MAC, MAC then encrypt, Encrypt and MAC. So why it is not…
curious
21 votes, 2 answers

What is the advantage of AEAD ciphers?

What is the advantage of AEAD ciphers? Why is the TLS working group pushing for them? I thought modern cipher suites require SHA256 for authentication. What advantage is there to including Poly1305? Slight additional question:…
user3201068