Cryptography Reference
Note that, regardless of which order is used, the encryption operation and the
MAC operation should be computed using different cryptographic keys. This is
because they are different cryptographic operations, providing different security
services. Using different keys follows the best-practice principle of key separation,
which we discuss in more detail in Section 10.6.1.
One cost of using separate operations is therefore that two different keys
are needed in order to provide confidentiality and data origin authentication.
It would thus be attractive if a cryptographic primitive that provides both services
using just one key could be found. Another cost is that the two separate operations
require the message data to be cryptographically processed twice, once for each
of the operations. It would thus be better from an efficiency perspective if
a cryptographic primitive could be designed that requires the message to be
processed just once.
USING AN AUTHENTICATED-ENCRYPTION PRIMITIVE
An authenticated-encryption primitive is a symmetric cryptographic primitive
that uses a single key to simultaneously provide both confidentiality and data
origin authentication. We have already seen that block ciphers can be used to
provide both confidentiality (in Section 4.3) and data origin authentication (in
Section 6.3.3). Further, in Section 4.6 we saw that block cipher modes of operation
can be used to achieve different properties. It should thus not be surprising that
authenticated-encryption primitives are special modes of operation of a block
cipher.
Several different authenticated-encryption primitives have been proposed.
All of these support the presence of associated data that does not require
encryption. The differences between these primitives are mostly fairly subtle and
largely to do with implementation and intellectual property issues. Examples
include:
Counter with CBC-MAC (CCM) Mode. This mode is, almost literally, a
combination of CTR mode (see Section 4.6.4) for encryption and a type of
CBC-MAC (see Section 6.3.3) for data origin authentication. It essentially
follows the MAC-then-encrypt construction, with the MAC itself separately
encrypted using CTR mode. CCM mode has been standardised by NIST and
is the subject of an Internet Standard, as well as being adopted by a number
of significant applications, for example WPA2 (see Section 12.2.5). It requires
two block cipher encryption operations for each message block (one for the
CTR mode encryption and one for the CBC-MAC).
EAX mode. This mode of operation is heavily influenced by CCM mode, also
being based on CTR mode and a special type of CBC-MAC called OMAC. EAX
makes a number of improvements in comparison to CCM mode, amongst the
most notable of which is that EAX does not require the length of the message
to be known in advance (CCM employs the length of the message during its
computation), thus allowing on-the-fly processing.
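The CCM behaviour described above can be observed with the AES-CCM implementation in Node.js's built-in crypto module. The following is an added example, not code from the original text: one key protects both the encrypted message and the unencrypted associated data, any change to either is rejected, and the message length has to be declared before processing starts. The function names and the sample key, nonce, header and message are constructed for illustration.

```javascript
const crypto = require('crypto');

const TAG_LEN = 16; // CCM tag length in bytes, fixed when the cipher is created

// Encrypt `plaintext` and authenticate both it and `aad` under the one key.
function ccmSeal(key, nonce, plaintext, aad) {
  const c = crypto.createCipheriv('aes-128-ccm', key, nonce, { authTagLength: TAG_LEN });
  // CCM uses the message length in its computation, so it is declared up front.
  c.setAAD(aad, { plaintextLength: plaintext.length });
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  return { ciphertext, tag: c.getAuthTag() };
}

// Return the plaintext, or null if the tag does not verify.
function ccmOpen(key, nonce, ciphertext, tag, aad) {
  const d = crypto.createDecipheriv('aes-128-ccm', key, nonce, { authTagLength: TAG_LEN });
  d.setAuthTag(tag);
  try {
    d.setAAD(aad, { plaintextLength: ciphertext.length });
    const plaintext = d.update(ciphertext);
    d.final(); // throws when authentication fails
    return plaintext;
  } catch (err) {
    return null;
  }
}

// True if CCM refuses associated data when no message length is declared.
function ccmRejectsUnknownLength(key, nonce, aad) {
  const c = crypto.createCipheriv('aes-128-ccm', key, nonce, { authTagLength: TAG_LEN });
  try { c.setAAD(aad); return false; } catch (err) { return true; }
}

// Constructed sample values; a real nonce must never repeat under the same key.
const key = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
const nonce = Buffer.from('101112131415161718191a1b', 'hex'); // 12 bytes
const header = Buffer.from('from=alice;to=bob'); // associated data, sent in clear
const message = Buffer.from('transfer 100 to account 42');
const forgedHeader = Buffer.from('from=alice;to=eve');

const sealed = ccmSeal(key, nonce, message, header);
const flipped = Buffer.from(sealed.ciphertext);
flipped[0] ^= 0x01; // a single altered ciphertext bit

console.log('genuine      :', String(ccmOpen(key, nonce, sealed.ciphertext, sealed.tag, header)));
console.log('bad header   :', ccmOpen(key, nonce, sealed.ciphertext, sealed.tag, forgedHeader));
console.log('bad ct       :', ccmOpen(key, nonce, flipped, sealed.tag, header));
console.log('length needed:', ccmRejectsUnknownLength(key, nonce, header));
```

The associated data travels unencrypted beside the ciphertext, yet altering it fails verification exactly as altering the ciphertext does.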