Skip to content

Commit 6dd276a

Browse files
silverdazsilverdaz
committed
Adding AEAD support as new encryption method
1 parent 34b37e4 commit 6dd276a

File tree

1 file changed

+72
-21
lines changed

1 file changed

+72
-21
lines changed

crypt4gh.tex

Lines changed: 72 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -266,13 +266,13 @@ \subsection{File Structure}
266266
\node (data encryption packet) [boxes=3,below=of header packet.five south] {
267267
\nodepart{one}Packet Type
268268
\nodepart{two}Encryption Method
269-
\nodepart[text width=10em]{three}Data Encryption Key
269+
\nodepart[text width=15em]{three}Data Encryption Parameters
270270
};
271271
\draw (header packet.four split south) to (data encryption packet.north west);
272272
\draw (header packet.five split south) to (data encryption packet.north east);
273273
\node (data encryption packet notes) at (data encryption packet -| file notes) [notes] {
274274
\textbf{Data Encryption Packet (plain-text)} \\
275-
Stores $K_{data}$
275+
Stores $K_{data}$ and/or a sequence number per key
276276
};
277277

278278
\node (data edit list) [boxes=3,below=of data encryption packet.south] {
@@ -323,13 +323,20 @@ \subsection{File Structure}
323323
\subsection{Header Packet Types}\label{overview:header_packet_types}
324324
There are two types of header packet:
325325
\begin{itemize}
326-
\item Data encryption key packets.
326+
\item Data encryption parameters packets.
327327

328-
These describe the parameters used to encrypt one or more of the data blocks.
329-
They contain a code indicating the type of encryption, and the symmetric key ($K_{data}$) needed to decrypt the data.
328+
They contain a code indicating the type of encryption and describe the list of parameters used to encrypt one or more of the data blocks.
330329

330+
The list starts with the symmetric key ($K_{data}$) needed to decrypt the data.
331331
If parts of the data have been encrypted with different keys, more than one of this packet type will be present.
332332

333+
In AEAD mode, an additional 8-bytes sequence number is appended to the
334+
parameter list. The sequence number forms part of the authenticated
335+
data used when encrypting each segment (See
336+
section~\ref{data:AEAD_encrypting_mode}).
337+
%
338+
This mode ensures no encrypted segments can be lost or re-ordered.
339+
333340
\item Data edit list packets.
334341

335342
These packets allow parts of the data to be discarded after decryption.
@@ -536,6 +543,7 @@ \subsubsection{Header packet encrypted payload}
536543
537544
enum Data_encryption_method<le_uint32> {
538545
chacha20_ietf_poly1305 = 0;
546+
chacha20_ietf_poly1305_with_AEAD = 1;
539547
};
540548
541549
struct Encrypted_header_packet {
@@ -547,11 +555,15 @@ \subsubsection{Header packet encrypted payload}
547555
select (data_encryption_method) {
548556
case chacha20_ietf_poly1305:
549557
byte data_key[32];
558+
case chacha20_ietf_poly1305_with_AEAD:
559+
byte data_key[32];
560+
le_uint64 sequence_number;
550561
};
551562
552563
case data_edit_list:
553564
le_uint32 number_lengths;
554565
le_uint64 lengths[number_lengths];
566+
555567
};
556568
};
557569
\end{verbatim}
@@ -569,7 +581,11 @@ \subsubsection{data\_encryption\_parameters packet}\label{header:data_encryption
569581
To allow parts of the data to be encrypted with different $K_{data}$ keys,
570582
more than one of this packet type may be present.
571583
If there is more than one, the \kw{data\_encryption\_method} MUST be the same for all of them to prevent problems
572-
with random access in the encrypted file.
584+
with random access in the encrypted file. If the data encryption methods are mixed, the file MUST be rejected.
585+
586+
When \kw{data\_encryption\_method} is \kw{chacha20\_ietf\_poly1305\_with\_AEAD}, the AEAD mode is activated and each
587+
\kw{data\_key} is followed by an 8-bytes unsigned integer \kw{sequence\_number}, which forms part of the authenticated data used to encrypt part of the file.
588+
Application of the AEAD mode to the plain-text is described in section~\ref{data:AEAD_encrypting_mode}.
573589

574590
\subsubsection{data\_edit\_list packet}
575591

@@ -671,20 +687,6 @@ \subsubsection{Reading the header}
671687
If more than one \kw{data\_edit\_list} packet is present, the file SHOULD be rejected.
672688

673689
\subsection{Encrypted Data}\label{data:encryption}
674-
\subsubsection{chacha20\_ietf\_poly1305 Encryption}\label{data:chacha20_encryption}
675-
676-
ChaCha20 is a stream cipher which maps a 256-bit key, nonce and counter to a 512-bit key-stream block.
677-
In IETF mode the nonce is 96 bits long and the counter is 32 bits.
678-
The counter starts at 1, and is incremented by 1 for each successive key-stream block.
679-
The cipher-text is the plain-text message combined with the key-stream using the bit-wise exclusive-or operation.
680-
681-
Poly1305 is used to generate a 16-byte message authentication code (MAC) over the cipher-text.
682-
As the MAC is generated over the entire cipher-text it is not possible to authenticate partially decrypted data.
683-
684-
ChaCha20 and Poly1305 are combined using the AEAD construction described in section 2.8 of \cite{RFC8439}.
685-
This construction allows additional authenticated data (AAD) to be included in the Poly1305 MAC calculation.
686-
For the purposes of this format, the AAD is zero bytes long.
687-
688690
\subsubsection{Segmenting the input}
689691

690692
To allow random access without having to authenticate the entire file, the plain-text is divided into 65536-byte
@@ -697,6 +699,7 @@ \subsubsection{Segmenting the input}
697699
struct Segment {
698700
select (method) {
699701
case chacha20_ietf_poly1305:
702+
case chacha20_ietf_poly1305_with_AEAD:
700703
byte nonce[12];
701704
byte[] encrypted_data;
702705
byte mac[16];
@@ -708,9 +711,48 @@ \subsubsection{Segmenting the input}
708711
For chacha20\_ietf\_poly1305, this expansion will be 28 bytes, so a 65536 byte plain-text input will become a 65564
709712
byte encrypted and authenticated cipher-text output.
710713

714+
\subsubsection{chacha20\_ietf\_poly1305 Encryption}\label{data:chacha20_encryption}
715+
716+
ChaCha20 is a stream cipher which maps a 256-bit key, nonce and counter to a 512-bit key-stream block.
717+
In IETF mode the nonce is 96 bits long and the counter is 32 bits.
718+
The counter starts at 1, and is incremented by 1 for each successive key-stream block.
719+
The cipher-text is the plain-text message combined with the key-stream using the bit-wise exclusive-or operation.
720+
721+
Poly1305 is used to generate a 16-byte message authentication code (MAC) over the cipher-text.
722+
As the MAC is generated over the entire cipher-text it is not possible to authenticate partially decrypted data.
723+
724+
ChaCha20 and Poly1305 are combined using the AEAD construction described in section 2.8 of \cite{RFC8439}.
725+
This construction allows additional authenticated data (AAD) to be included in the Poly1305 MAC calculation.
726+
In case the selected encryption method is \kw{chacha20\_ietf\_poly1305}, the AAD is zero bytes long.
727+
In case the selected encryption method is \kw{chacha20\_ietf\_poly1305\_with\_AEAD}, the AAD is a 8-bytes little-endian number (section~\ref{data:AEAD_encrypting_mode}).
728+
729+
\subsubsection{AEAD encrypting mode: chacha20\_ietf\_poly1305\_with\_AEAD}\label{data:AEAD_encrypting_mode}
730+
731+
The AEAD mode ensures no segments can be lost or re-ordered.
732+
733+
Consider the incrementing sequence of segment indexes, starting at
734+
$0$, created when the file is read segment by segment, in order.
735+
%
736+
When encrypting the plain-text segment, at index $i$, using the key
737+
$k$ (as in~\ref{data:chacha20_encryption}), we attach the number $n$ as authenticated data.
738+
%
739+
$n$ is obtained by adding $i$ to the sequence number paired with the
740+
encryption key $k$.
741+
%
742+
Note that $n$ is limited to 8-bytes, so it might eventually wrap
743+
around.
744+
745+
Additionally, in case the end of the file lands on a segment boundary,
746+
a final and empty encrypted segment is appended to the ciphertext. If
747+
not, the last segment is smaller then the segment maximum size and no
748+
extra encrypted segment is appended.
749+
% Should we mention the index position is the last element of the sequence + 1
750+
% or is it obvious?
751+
752+
711753
\section{Decryption}
712754

713-
\subsection{chacha20\_ietf\_poly1305 Decryption}
755+
\subsection{chacha20\_ietf\_poly1305 Decryption}\label{data:decryption}
714756

715757
The cipher-text is decrypted by authenticating and decrypting the segment(s) enclosing the requested byte range $[P;Q]$,
716758
where $P<Q$.
@@ -744,6 +786,15 @@ \subsection{chacha20\_ietf\_poly1305 Decryption}
744786
to timing attacks which try to detect which key was successful); or simply insist that only one key is used for
745787
the whole file.
746788

789+
\subsection{AEAD mode}\label{data:AEAD_decrypting_mode}
790+
791+
The encryption method MUST be \kw{chacha20\_ietf\_poly1305\_with\_AEAD} and is \kw{data\_key} is paired with a \kw{sequence\_number}.
792+
793+
The $n^{th}$ segment is decrypted, as in~\ref{data:decryption}, using the sequence number incremented by $n$ as authenticated data.
794+
795+
Finally, the presence of the eventual last empty segment must be checked according~to~\ref{data:AEAD_encrypting_mode}.\\
796+
Failing that check SHOULD consider the file as truncated, and reject it.
797+
747798
\subsection{Edit List}\label{data:edit_list}
748799

749800
The edit list is designed to assist splicing of encrypted files (for example to remove parts that are not needed

0 commit comments

Comments
 (0)