Authenticated-Encryption
AEAD 使用 AES-CBC 和 MAC:如何對 MAC 的輸入進行排序
我正在編寫程式碼以提供 AEAD 實用程序。它使用 AES-256-CBC 進行加密,並將 SHA-512(密鑰+數據)截斷為 256 位作為 MAC。
encrypt( aes_key: byte[32], mac_key: byte[32], plain_text: byte[], aad: byte[], ) { iv = crypto_random_bytes(16) cipher_text = aes_256_cbc(aes_key, iv, plain_text) aad_encoded_length = int_to_little_endian_4_bytes(aad.length); auth_state = sha_512(key + aad + iv + cipher_text + aad_encoded_length) auth_tag = truncate_bytes(auth_state, 32) return cipher_text + auth_tag }我主要對如何訂購我傳遞給的數據感興趣
sha_512。我以此為基礎:https ://www.ietf.org/archive/id/draft-mcgrew-aead-aes-cbc-hmac-sha2-05.txt這是最好的排序嗎?
(PS 雖然不是這個問題的一部分,但我決定使用 AES-256-CBC 和截斷的 SHA-512 是基於庫的可用性、性能和對意外 nonce 重用的抵抗力。)
這部分標準(最後)解釋了為什麼認證數據的長度在最後,即確保所有密文和認證數據對的 MAC 輸入的唯一性:
During the decryption process, the inputs A and C are mapped into the input of the HMAC algorithm. It is essential for security that each possible input to the MAC algorithm corresponds unambiguously to exactly one pair (A, C) of possible inputs. The fact that this property holds can be verified as follows. The HMAC input is X = A || C || len(A). Let (A,C) and (A',C') denote two distinct input pairs, in which either 1) A != A' and C = C', 2) C != C and A = A', or 3) both inequalities hold. We also let X' = A' || C' || len(A'). In cases 1 and 2, X != X' follows immediately. In case 3, if len(A) != len(A'), then X != X' directly. If len(A) = len(A'), then X != X follows from the fact that the initial len(A) bits of X and X' must be distinct.當然,在您的情況下, C 只是 IV 和剩餘的密文;在標準 IV 中明確是 C 的一部分。