@bitraft
Forked from tarcieri/aefd.md
Created April 25, 2016 04:22
Authenticated Encryption for Dummies

It might seem like a silly exercise, but I was looking at the "NIST approved" algorithms in NaCl (i.e. AES, HMAC) and wondering if I could build an authenticated encryption system with them. djb lists AES-GCM as a "todo" secretbox primitive so unfortunately NaCl does not presently expose any AES-based authenticated encryption, only aes128ctr.

This is what I came up with using the algorithms available in NaCl:

[Diagram: the Encrypt-then-MAC construction described below]

A quick rundown:

Encrypt-then-MAC with AES-CTR (128-bit for now, 256-bit later!) encryption and HMAC SHA-512/256 (i.e. HMAC-SHA-512 with the output truncated to 256 bits, which NaCl exposes as crypto_auth_hmacsha512256) authentication. MAC comparisons are performed using a NaCl supplied verifier function which is (hopefully!) constant time.

Separate keys are used for AES and HMAC: an initial 256-bit key and a nonce are fed to HKDF, and the result is expanded into unique keys for AES and HMAC. Because a unique key is used for each AES encryption, the AES counter can always start at 0.

While a cryptographic layman should probably not be designing an authenticated encryption mode, it seems like these particular primitives are relatively free of rough edges, particularly as I am using the implementations available in NaCl.
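The construction above, written out as an added example in Ruby using only the openssl standard library (this is not the gist's code and not RbNaCl; it assumes HKDF-SHA-512, a 16-byte nonce and an HKDF info label of my own choosing, none of which the gist specifies):

```ruby
require 'openssl'
# Added example (not the gist's code): Encrypt-then-MAC with AES-128-CTR and
# HMAC-SHA-512 truncated to 256 bits, per-message keys derived with HKDF.
# Assumed: HKDF-SHA-512 (the gist names no hash), a 16-byte nonce, our own info label.
module EtM
  KEY_BYTES, NONCE_BYTES, TAG_BYTES = 32, 16, 32
  # RFC 5869 HKDF (extract + expand) built from OpenSSL::HMAC.
  def self.hkdf(ikm, salt, info, length)
    prk = OpenSSL::HMAC.digest('SHA512', salt, ikm)
    okm, t, i = ''.b, ''.b, 1
    while okm.bytesize < length
      t = OpenSSL::HMAC.digest('SHA512', prk, t + info + [i].pack('C'))
      okm << t; i += 1
    end
    okm[0, length]
  end
  # Combine the 256-bit key and the nonce into distinct AES and HMAC keys.
  def self.derive_keys(key, nonce)
    okm = hkdf(key.b, nonce.b, 'aes-128-ctr|hmac-sha512-256'.b, 16 + 32)
    [okm[0, 16], okm[16, 32]]
  end
  # AES-128-CTR with the counter fixed at 0: safe because each key is used once.
  def self.ctr(aes_key, data)
    return ''.b if data.empty?          # OpenSSL rejects empty update() input
    cipher = OpenSSL::Cipher.new('aes-128-ctr').encrypt
    cipher.key, cipher.iv = aes_key, ("\0" * 16).b
    cipher.update(data) + cipher.final
  end
  # Constant-time tag comparison (NaCl's crypto_verify_32 plays this role).
  def self.ct_equal?(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
  def self.encrypt(key, nonce, plaintext)
    raise ArgumentError, 'bad key/nonce size' unless key.bytesize == KEY_BYTES && nonce.bytesize == NONCE_BYTES
    aes_key, mac_key = derive_keys(key, nonce)
    ciphertext = ctr(aes_key, plaintext.b)
    # MAC covers the ciphertext; the nonce is bound to it through the MAC key.
    tag = OpenSSL::HMAC.digest('SHA512', mac_key, ciphertext)[0, TAG_BYTES]
    nonce.b + ciphertext + tag
  end
  def self.decrypt(key, message)   # returns nil when the tag does not verify
    return nil if message.bytesize < NONCE_BYTES + TAG_BYTES
    nonce, tag = message[0, NONCE_BYTES], message[-TAG_BYTES, TAG_BYTES]
    ciphertext = message[NONCE_BYTES...-TAG_BYTES]
    aes_key, mac_key = derive_keys(key, nonce)
    expected = OpenSSL::HMAC.digest('SHA512', mac_key, ciphertext)[0, TAG_BYTES]
    ct_equal?(expected, tag) ? ctr(aes_key, ciphertext) : nil
  end
end
```

Decryption checks the tag before the ciphertext is ever passed to AES, which is the property Encrypt-then-MAC exists to give you.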

Cool story, should I run off and implement this?

No, you want Crypto::SecretBox
