This article is rated C-class on Wikipedia's content assessment scale.
From Block cipher modes of operation: ... After observing that compositing a confidentiality mode with an authenticity mode could be difficult and error prone, the cryptographic community began to supply modes which combined confidentiality and data integrity into a single cryptographic primitive. The modes are referred to as authenticated encryption, AE, and authenc. Examples of authenticated encryption modes are CCM (SP800-38C), GCM (SP800-38D), CWC, EAX, IAPM, and OCB.
Patents can be a bear for me because I'm not always aware of the minor legal issues. But I think this is one of the earliest Authenticated Encryption modes: US2003/0223585 A1, "Method and Apparatus for Performing Encryption and Authentication", May 2002 by Tardo and Matthews. It appears they perform the single pass operation (see the methods accompanying Figure 7), but it also appears that Authenticate and Encrypt (A&E) is performed. According to Krawczyk, A&E is insecure but I don't think it affects the legal standing of the "single pass" innovation.
Kohno, Viega, Whiting, "CWC: A High-Performance Conventional Authenticated Encryption Mode", IACR, May 2003 (http://eprint.iacr.org/2003/106).
Jutla, "Encryption Modes with Almost Free Message Integrity", Journal of Cryptography, December 2003 (http://www.springerlink.com/content/q615311611mx2057/).
Maybe it should be noted that authenticated encryption, being symmetric, cannot supply non-repudiation like a digital signature would. I.e. all parties which know the key can easily make authenticated messages. E.g. suppose Alice sends Bob a message "I, Alice, owe Bob $100". Bob keeps the message and eventually demands to be paid, but Alice now denies having sent the message. Suppose both agree to giving a trusted third party the key, then there is no way for this third party to tell whether the message was actually written by Alice, as it could equally have been written by Bob, who, by necessity, also knows the key. Likewise, Bob could have altered the message to read "I, Alice, owe Bob $1000" with no (cryptographic) way for the trusted third party to figure out who is telling the truth.
Non-repudiation can obviously be added on top of authenticated encryption by signing the authentication tag using an asymmetric algorithm. The default lack of non-repudiation is no criticism of AE, as it may not be required, is easily supplemented, and unavoidable in any purely symmetric cryptosystem. Aragorn2 (talk) 10:23, 19 June 2019 (UTC)
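The Alice and Bob scenario from the comment above, as an added example that is not part of the original discussion. It assumes a toy encrypt-then-MAC scheme built from the Python standard library (SHA-256 keystream plus HMAC) standing in for a real AE mode; the names `seal`, `open_` and `arbiter_view` are hypothetical.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA-256 tag length in bytes

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode; illustration only, not a vetted cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the one shared key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def arbiter_view() -> dict:
    # Constructed scenario: the arbiter is handed the shared key and two blobs.
    shared_key = os.urandom(32)
    from_alice = seal(shared_key, b"I, Alice, owe Bob $100")
    from_bob = seal(shared_key, b"I, Alice, owe Bob $1000")  # Bob wrote this one
    outsider = seal(os.urandom(32), b"I, Alice, owe Bob $1000")  # wrong key
    result = {"alice": open_(shared_key, from_alice),
              "bob": open_(shared_key, from_bob)}
    try:
        open_(shared_key, outsider)
        result["outsider_accepted"] = True
    except ValueError:
        result["outsider_accepted"] = False
    return result
```

Both blobs verify under the shared key, so the tag proves only that a key holder produced the message, not which one; a party without the key is rejected.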
@Olivander1337: The term privacy is routinely used to define confidentiality in AEAD schemes. See, for example, the title of Mihir Bellare's paper [1]. I have no issue with adding a note that this use is not related to the privacy preservation. Dimawik (talk) 15:14, 5 November 2023 (UTC)
The following just-added text is moved here for a discussion. The reason is simple: the text reads like the GCM mode was broken, but in reality the Len's paper appears to describe an attack on poor implementations. As far as I can understand, in the case considered the brute-force attack was not that hard to pull off to begin with, without acceleration. I see absolutely no problem with describing the key-committing AEAD here, just in a proper context: as a new research and based on some kind of peer-reviewed paper that was authored by a non-inventor of a better AEAD. If I am wrong in my interpretation of the papers, just let me know (here) where I am wrong (I am very thick-skinned). Dimawik (talk) 01:34, 22 February 2024 (UTC)
Symmetric keys shall be either generated by an approved method (e.g., using an approved random number generator; see SP 800-133) or derived from a master key/key-derivation key (see Section 8.2.4) using an approved key-derivation function (see SP 800-108). Symmetric keys may also be generated using key-agreement techniques (see Section 8.1.5.2.3)
— SP 800-57 8.1.5.2.1 Key Generation
unless the password is generated randomly (in which case, no problem again).
When a key is generated from a password, the entropy provided (and thus, the maximum security strength that can be supported by the generated key) shall be considered to be zero
— SP 800-133 6.2.3, boldface is mine