Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality (also known as privacy: the encrypted message is impossible to understand without the knowledge of a secret key) and authenticity (in other words, it is unforgeable: the encrypted message includes an authentication tag that the sender can calculate only while possessing the secret key). Examples of encryption modes that provide AE are GCM and CCM.
Many (but not all) AE schemes allow the message to contain "associated data" (AD) which is not made confidential, but its integrity is protected (i.e., it is readable, but tampering with it will be detected). A typical example is the header of a network packet that contains its destination address. To properly route the packet, all intermediate nodes in the message path need to know the destination, but for security reasons they cannot possess the secret key. Schemes that allow associated data provide authenticated encryption with associated data, or AEAD.
History
The need for authenticated encryption emerged from the observation that securely combining separate ''confidentiality'' and ''authentication'' block cipher operation modes could be error prone and difficult.
This was confirmed by a number of practical attacks introduced into production protocols and applications by incorrect implementation, or lack of authentication.
Around the year 2000, a number of efforts evolved around the notion of standardizing modes that ensured correct implementation. In particular, strong interest in provably secure modes was sparked by the publication of Charanjit Jutla's integrity-aware CBC and integrity-aware parallelizable (IAPM) modes in 2000 (see OCB and chronology).
Six different authenticated encryption modes (namely offset codebook mode 2.0, OCB 2.0; Key Wrap; counter with CBC-MAC, CCM; encrypt then authenticate then translate, EAX; encrypt-then-MAC, EtM; and Galois/counter mode, GCM) have been standardized in ISO/IEC 19772:2009.
More authenticated encryption methods were developed in response to NIST solicitation. Sponge functions can be used in duplex mode to provide authenticated encryption.
Bellare and Namprempre (2000) analyzed three compositions of encryption and MAC primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext (the Encrypt-then-MAC approach) implies security against an adaptive chosen ciphertext attack, provided that both functions meet minimum required properties. Katz and Yung investigated the notion under the name "unforgeable encryption" and proved it implies security against chosen ciphertext attacks.
In 2013, the CAESAR competition was announced to encourage design of authenticated encryption modes.
In 2015, ChaCha20-Poly1305 was added as an alternative AE construction to GCM in IETF protocols.
Variants
Authenticated encryption with associated data
Authenticated encryption with associated data (AEAD) is a variant of AE that allows the message to include "associated data" (AD, additional non-confidential information, a.k.a. "additional authenticated data", AAD). A recipient can check the integrity of both the associated data and the confidential information in a message. AD is useful, for example, in network packets where the header should be visible for routing, but the payload needs to be confidential, and both need integrity and authenticity. The notion of AEAD was formalized by Rogaway (2002).
Key-committing AEAD
AE was originally designed primarily to provide ciphertext integrity: successful validation of an authentication tag by Alice using her symmetric key K_A indicates that the message was not tampered with by an adversary Mallory that does not possess K_A. AE schemes usually do not provide key commitment, a guarantee that decryption would fail for any other key. As of 2021, most existing AE schemes (including the very popular GCM) allow some messages to be decrypted without an error using more than just the (correct) K_A; while the plaintext decrypted using a second (wrong) key K_M will be incorrect, the authentication tag would still match the new plaintext. Since crafting a message with such a property requires Mallory to already possess both K_A and K_M, the issue might appear to be one of purely academic interest. However, under special circumstances, practical attacks can be mounted against vulnerable implementations. For example, if an identity authentication protocol is based on successful decryption of a message that uses a password-based key, Mallory's ability to craft a single message that would be successfully decrypted using 1000 different keys associated with weak, and thus known to her, potential passwords can speed up her search for passwords by a factor of almost 1000. For this dictionary attack to succeed, Mallory also needs an ability to distinguish successful decryption by Alice from an unsuccessful one, due, for example, to a poor protocol design or implementation turning Alice's side into an oracle. Naturally, this attack cannot be mounted at all when the keys are generated randomly.
Key commitment was originally studied in the 2010s by Abdalla et al. and Farshim et al. under the name "robust encryption".
To mitigate the attack described above without removing the "oracle", a ''key-committing AEAD'' that does not allow this type of crafted message to exist can be used. AEGIS is an example of a fast (if the AES instruction set is present) key-committing AEAD. It is possible to add key-commitment to an existing AEAD scheme.
Approaches to authenticated encryption
Encrypt-then-MAC (EtM)

The plaintext is first encrypted, then a MAC is produced based on the resulting ciphertext. The ciphertext and its MAC are sent together. EtM is the standard method according to ISO/IEC 19772:2009. It is the only method which can reach the highest definition of security in AE, but this can only be achieved when the MAC used is "strongly unforgeable".
IPSec adopted EtM in 2005. In November 2014, TLS and DTLS received extensions for EtM with . Various EtM ciphersuites exist for SSHv2 as well (e.g., ).
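An added example (not code from the page or from any standardized scheme) serving the AEAD, key-committing AEAD and Encrypt-then-MAC passages above: a minimal EtM construction whose tag covers the ciphertext and the associated data, with an explicit key-commitment value appended so that decryption under any other key fails. The HMAC-SHA256 keystream standing in for a cipher, the key-derivation labels and the `seal`/`open_` names are assumptions of this example, not a real library's API.

```python
import hmac
import hashlib

MAC_LEN = 32  # HMAC-SHA256 output, used for both the tag and the key commitment

def _subkeys(key: bytes):
    # Derive independent encryption, MAC and commitment keys from one key.
    # HMAC-based expansion is an assumption here, standing in for a KDF such as HKDF.
    return tuple(hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac", b"com"))

def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    # Toy CTR-style keystream from an HMAC PRF; a real scheme uses a block or stream cipher.
    blocks = [hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _tag(k_mac: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    # Encoding the AD length makes the (ad, ct) boundary unambiguous under the MAC.
    return hmac.new(k_mac, len(ad).to_bytes(8, "big") + ad + nonce + ct, hashlib.sha256).digest()

def seal(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    k_enc, k_mac, k_com = _subkeys(key)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(k_enc, nonce, len(pt))))
    # Encrypt-then-MAC: the tag covers ciphertext and AD, never the plaintext;
    # the appended commitment value binds this ciphertext to this key.
    return ct + _tag(k_mac, nonce, ad, ct) + k_com

def open_(key: bytes, nonce: bytes, ad: bytes, blob: bytes):
    # Returns the plaintext, or None when the tag or the key commitment does not verify.
    if len(blob) < 2 * MAC_LEN:
        return None
    ct, tag, com = blob[:-2 * MAC_LEN], blob[-2 * MAC_LEN:-MAC_LEN], blob[-MAC_LEN:]
    k_enc, k_mac, k_com = _subkeys(key)
    # Both checks run in constant time and complete before any plaintext is produced.
    tag_ok = hmac.compare_digest(tag, _tag(k_mac, nonce, ad, ct))
    com_ok = hmac.compare_digest(com, k_com)
    if not (tag_ok and com_ok):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))

def demo() -> dict:
    # Constructed sample: a packet whose routing header is AD and whose payload is encrypted.
    key, nonce, header, payload = b"A" * 32, b"\x00" * 12, b"dst=10.0.0.7", b"secret payload"
    blob = seal(key, nonce, header, payload)
    flipped = bytes([blob[0] ^ 1]) + blob[1:]
    return {"roundtrip": open_(key, nonce, header, blob) == payload,
            "ad_tamper_rejected": open_(key, nonce, b"dst=10.0.0.8", blob) is None,
            "ct_tamper_rejected": open_(key, nonce, header, flipped) is None,
            "wrong_key_rejected": open_(b"B" * 32, nonce, header, blob) is None}
```

An HMAC tag is itself generally regarded as key-committing, so here the explicit commitment value mainly illustrates the generic transform for adding commitment to an AEAD whose tag does not commit to the key, such as GCM.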
Encrypt-and-MAC (E&M)
A MAC is produced based on the plaintext, and the plaintext is encrypted without the MAC. The plaintext's MAC and the ciphertext are sent together. Used in, e.g., SSH. Even though the E&M approach has not been proved to be strongly unforgeable in itself, it is possible to apply some minor modifications to SSH to make it strongly unforgeable despite the approach.
MAC-then-Encrypt (MtE)
A MAC is produced based on the plaintext, then the plaintext and MAC are together encrypted to produce a ciphertext based on both. The ciphertext (containing an encrypted MAC) is sent. Until TLS 1.2, all available SSL/TLS cipher suites were MtE.
MtE has not been proven to be strongly unforgeable in itself. The SSL/TLS implementation has been proven to be strongly unforgeable by Krawczyk, who showed that SSL/TLS was, in fact, secure because of the encoding used alongside the MtE mechanism. However, Krawczyk's proof contains flawed assumptions about the randomness of the initialization vector (IV). The 2011 BEAST attack exploited the non-random chained IV and broke all CBC algorithms in TLS 1.0 and under.
In addition, deeper analysis of SSL/TLS modeled the protection as MAC-then-pad-then-encrypt, i.e. the plaintext is first padded to the block size of the encryption function. Padding errors often result in detectable errors on the recipient's side, which in turn lead to padding oracle attacks, such as Lucky Thirteen.
See also
* Block cipher mode of operation
* CCM mode
* CWC mode
* OCB mode
* EAX mode
* GCM
* GCM-SIV
* ChaCha20-Poly1305
* SGCM
* Signcryption