Authenticated encryption

Authenticated Encryption (AE) is a block cipher mode of operation which simultaneously provides confidentiality, integrity and authenticity assurances on the data. These attributes are provided under single, easy to use programming interface and decryption is combined in single step with integrity validation.

The need for AE emerged from observation that securely compositing a confidentiality mode with an authentication mode could be error prone and difficult.^[1][2] This was confirmed by a number of practical attacks has been introduced into production protocols and applications by incorrect implementation, or lack of, authentication (including SSL/TLS).^[3]

Six different authenticated encryption modes, namely OCB 2.0, Key Wrap, CCM, EAX, Encrypt-then-MAC(EtM) and GCM, have been standardized in ISO/IEC 19772:2009.^[4] More were developed in response to NIST solicitation.^[5]

Typical programming interface of AE mode implementation would provide the following functions:

• Encryption
  • Input: plaintext, key and optionally a header — in plaintext, that will not be encrypted, but will be covered by authenticity protection;
  • Output: ciphertext and authentication tag (Message Authentication Code)
• Decryption
  • Input: ciphertext, key, authentication tag and optionally header;
  • Output: plaintext or error, if authentication tag did not match supplied ciphertext and header

The header part is intended to provide authenticity and integrity protection for metadata used for networking or storage purposes, which do not need to be confidential but their authenticity is desired.

In addition to protecting message integrity and confidentiality, authenticated encryption can provide plaintext awareness and security against chosen ciphertext attack. In these attacks, an adversary attempts to gain an advantage against a cryptosystem (e.g., information about the secret decryption key) by submitting carefully chosen ciphertexts to some "decryption oracle" and analyzing the decrypted results. Authenticated encryption schemes can recognize improperly-constructed ciphertexts and refuse to decrypt them. This in turn prevents the attacker from requesting the decryption of any ciphertext unless he generated it correctly using the encryption algorithm, which would imply that he already knows the plaintext. Implemented correctly, this removes the usefulness of the decryption oracle, by preventing an attacker from gaining useful information that he does not already possess.

Many specialized authenticated encryption modes have been developed for use with symmetric block ciphers. However, authenticated encryption can be generically constructed by combining an encryption scheme and a Message Authentication Code (MAC), provided that the encryption scheme is semantically secure under chosen plaintext attack and the MAC function is unforgeable under chosen message attack. Bellare and Namprempre (2000) analyzed three compositions of these primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext implies security against adaptive chosen ciphertext attack, provided that both functions meet the required properties.

In 2013 a competition has been announced to encourage design of authenticated encryption modes.^[6]

Approaches to Authenticated Encryption

• Encrypt-then-Mac (EtM): The standard method according to ISO/IEC 19772:2009.^[4] This is the only method which can reach the highest definition of security in AE, this can only be achieved when the MAC used is "Strongly Unforgeable"^[7]
• Encrypt-and-Mac (E&M): Used in i.e. SSH. Even though the E&M approach has not been proved to be strongly unforgeable in it self,^[7] it is possible to apply some minor modifications to SSH to make it strongly unforgeable despite of the E&M approach.
• Mac-then-Encrypt (MtE): Used in i.e. SSL/TLS. Even though the MtE approach has not been proven to be strongly unforgeable in itself,^[7] the SSL/TLS implementation has been proved to be strongly unforgeable by Krawczyk who showed that SSL/TLS was in fact secure because of the encoding used alongside the MtE mechanism.^[8]

See also

• Block cipher mode of operation
• NIST: Modes Development
• CCM mode
• CWC mode
• OCB mode
• EAX mode
• GCM Mode

References

• Bellare, M.; Namprempre, C. (2000), "Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm", in T. Okamoto, Extended abstract in Advances in Cryptology: Asiacrypt 2000 Proceedings, Lecture Notes in Computer Science (Springer-Verlag) 1976: 531, doi:10.1007/3-540-44448-3_41, ISBN 978-3-540-41404-9 

1. "people had been doing rather poorly when they tried to glue together a traditional (privacy-only) encryption scheme and a message authentication code (MAC)", in: M. Bellare, P. Rogaway, D. Wagner. "A Conventional Authenticated-Encryption Mode". NIST. Retrieved March 12, 2013. 
2. "it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes", in: T. Kohno, J. Viega, and D. Whiting. "The CWC Authenticated Encryption (Associated Data) Mode". NIST. Retrieved March 12, 2013. 
3. "Failures of secret-key cryptography". Daniel J. Bernstein. Retrieved March 12, 2013. 
4. "Information technology -- Security techniques -- Authenticated encryption". 19772:2009. ISO/IEC. Retrieved March 12, 2013. 
5. "Encryption modes development". NIST. Retrieved April 17, 2013. 
6. "CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness". Retrieved March 12, 2013. 
7. "Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm". M. Bellare and C. Namprempre. Retrieved April 13, 2013. 
8. "The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)". H. Krawczyk. Retrieved April 13, 2013.