AEAD decryption-in-place traits with additional tag processing, created for committing AEAD wrappers #1372
Conversation
|
I'm still confused why these are necessary. The With a breaking change we can split the |
|
Under the CTX construction (which is the motivation for this PR), the original (inner) tag is not available. Pseudocode for CTX (crossposted from the Zulip chat) is as follows: fn ctx_encrypt<AEAD, Digest>(key, ptxt, aad) -> (ctxt, outer_tag) {
let nonce = AEAD::generate_nonce();
let (ctxt, inner_tag) = AEAD::encrypt(key, ptxt, aad);
let digest_obj = Digest::new();
digest_obj.update(key);
digest_obj.update(nonce);
digest_obj.update(aad);
digest_obj.update(inner_tag);
let outer_tag = digest_obj.finalize();
(ctxt, outer_tag)
}
fn ctx_decrypt<AEAD, Digest>(key, nonce, ctxt, aad, outer_tag) -> Result<ptxt, ()> {
let (ptxt, expected_inner_tag) = AEAD::decrypt_with_expected_tag(key, nonce, ctxt, aad);
let digest_obj = Digest::new();
digest_obj.update(key);
digest_obj.update(nonce);
digest_obj.update(aad);
digest_obj.update(expected_inner_tag);
let expected_outer_tag = digest_obj.finalize();
if expected_outer_tag.ct_eq(tag) {
Ok(ptxt)
} else {
Err(())
}
}The CTX construction wraps an AEAD and replaces the original (inner) tag with a hash that is computed over the AEAD's inputs. Only the hash (outer tag) gets sent as the MAC, but CTX decryption requires the original (inner) tag in order to check the received (outer) tag. The original (inner) tag cannot be recovered from the transmitted hash (outer tag), and as far as I can tell, there is no way to retrieve the expected inner tag during decryption using the current interfaces. Sending both tags has potential problems, which is why I created a CTXish-HMAC construction in the other PR to enable that to be done safely. |
|
But if you have a generic implementation of committing AEADs, what is the purpose of the trait? Abstracting over that and potential future constructions? |
|
The generic implementation of CTX in the other PR is incomplete because the decryption stage of many of the wrapping constructions, including CTX, require access to more of the wrapped AEAD's internal state than is provided by a decryption method that returns the equivalent of |
|
Aha, that makes sense. Thanks. |
Add AEAD decryption-in-place traits that allow additional processing on the expected tag before comparison to the received tag. This will allow me to implement the full CTX construction and possibly other similar constructions (see RustCrypto/AEADs#564) instead of only the encryption direction.
Exposing the expected tag in this way may increase the chances of misuse. I tried to file off as many potential sharp edges as possible (e.g. by leaving the final tag comparison up to the implementer of the trait and by using
Fninstead ofFnMutorFnOnceto make copying the expected tag out of the closure harder), but do leave feedback if there are safer ways of allowing this functionality.