General stuff
- Comparison of Symmetric Encryption Methods - Dhole Moments
- Cryptographic Right Answers | Latacora
- Block ciphers are modelled as keyed pseudo-random permutations (PRPs): each key selects one permutation of the block space, and a block cipher on its own (ECB) is therefore deterministic and leaks repeated blocks
- Be aware of nonce reuse: initialization vector - How bad it is using the same IV twice with AES/GCM? - Cryptography Stack Exchange
- Be aware of limits on how much data/messages you can safely encrypt under the same key (“cryptographic wear-out”): Cryptographic Wear-Out for Symmetric Encryption - Dhole Moments
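The nonce-reuse link above is worth seeing in code. The following is an added example, not code from the original page or from any of the linked articles: AES-GCM encrypts the message body with CTR mode, so two messages sealed under the same key and the same 96-bit nonce share a keystream, and an observer who knows one plaintext recovers the other by XOR. The key, nonce and both plaintexts are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// xorBytes returns a XOR b over the length of the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// sealGCM encrypts pt under key/nonce with AES-GCM and returns ciphertext||tag.
func sealGCM(key, nonce, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, pt, nil)
}

// RecoverSecondPlaintext models the attacker: given the ciphertext bodies of
// two messages sealed under the same key and nonce, plus knowledge of the
// first plaintext, it recovers the second plaintext without the key.
// Because GCM's body is CTR-mode output, C1 ^ C2 == P1 ^ P2.
func RecoverSecondPlaintext(c1, c2, knownP1 []byte) []byte {
	keystream := xorBytes(c1, knownP1) // keystream = C1 ^ P1
	return xorBytes(c2, keystream)     // P2 = C2 ^ keystream
}

// NonceReuseDemo encrypts two constructed messages under one key/nonce pair
// (the bug) and returns what the attacker recovers for the second message.
func NonceReuseDemo() (recovered []byte, matches bool) {
	key := bytes.Repeat([]byte{0x42}, 16)   // constructed demo key (AES-128)
	nonce := bytes.Repeat([]byte{0x01}, 12) // the same 96-bit nonce used twice
	p1 := []byte("transfer 100 EUR to account 1234")
	p2 := []byte("transfer 999 EUR to account 9999")

	c1 := sealGCM(key, nonce, p1)
	c2 := sealGCM(key, nonce, p2)

	// The last 16 bytes are the GCM tag; the attack only needs the bodies.
	c1body := c1[:len(c1)-16]
	c2body := c2[:len(c2)-16]
	recovered = RecoverSecondPlaintext(c1body, c2body, p1)
	return recovered, bytes.Equal(recovered, p2)
}

func main() {
	rec, ok := NonceReuseDemo()
	fmt.Printf("recovered %q (matches second plaintext: %v)\n", rec, ok)
}
```

Confidentiality is only the first casualty: with GCM, repeating a nonce also exposes the GHASH authentication key, so the attacker can subsequently forge tags for that key. Random 96-bit nonces are fine for a modest number of messages per key; past that, or for long-lived keys, use a counter or switch to a nonce-misuse-resistant mode.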
AEAD ciphers
Stands for “authenticated encryption with associated data”
- Authenticated Encryption (AE)
- I.e. “MACs built-in to encryption”
- Prevents a third party that doesn’t know the key from tampering with the ciphertext in transit. Without it, an attacker can flip bits in the plaintext (CTR and CBC are malleable) or splice ciphertexts together, which can break the overall security of your system in unexpected ways.
- Also prevents padding oracle attacks, which recover plaintext (not the key) block by block from unauthenticated CBC ciphertext when the receiver reveals whether the padding was valid. With authenticated encryption a modified ciphertext is rejected before the padding is ever examined.
- XML Encryption famously broke due to lacking authentication: https://www.nds.rub.de/media/nds/veroeffentlichungen/2011/10/22/HowToBreakXMLenc.pdf
- Associated Data (AD)
- Prevents the ciphertext from being “pulled out of context” by a third party that doesn’t know the key.
- A good crypto stackoverflow answer on why this can be dangerous: encryption - What is the purpose of associated authenticated data in AEAD? - Information Security Stack Exchange
Also interesting, but not captured by the term “AEAD”, is probabilistic encryption:
- Prevents the same message from producing the same ciphertext when encrypted twice under the same key, which would otherwise reveal repeated messages to an observer.
- Usually achieved by supplying a nonce (sometimes called an initialization vector) that is either randomly generated or incremented for every message encrypted under a given key. The nonce is not secret and is transmitted alongside the ciphertext.
Most cipher modes are probabilistic (or “non-deterministic”). So why are some deterministic?
- You might not need additional randomness if your messages are inherently high-entropy and never repeat, e.g. when you’re doing key wrapping (AES Key Wrap is deterministic for this reason).
- To provide non-determinism you need to attach the nonce to your ciphertext (or transmit it some other way). Deterministic encryption ciphertexts thus tend to be shorter.
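The AEAD properties above (integrity, context binding through associated data) and the nonce-prefix layout that makes encryption probabilistic can all be checked in one small wrapper. The code below is an added example written for these notes, not code from the original page or from any of the linked articles; `Seal`/`Open`, the `nonce || ciphertext || tag` envelope format, the key and the associated-data strings are assumptions chosen for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const (
	nonceSize = 12 // standard 96-bit AES-GCM nonce
	tagSize   = 16 // GCM authentication tag
)

func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// Seal encrypts pt with a fresh random nonce and binds ad (which is
// authenticated but not encrypted, and not included in the output) to the
// ciphertext. Output layout: nonce || ciphertext || tag. Sending the nonce
// along is what makes the encryption probabilistic.
func Seal(key, ad, pt []byte) []byte {
	aead := newAEAD(key)
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, pt, ad) // appends ciphertext||tag after the nonce
}

// Open splits off the nonce and verifies tag and ad before releasing plaintext.
// The caller must supply the same ad the sender used.
func Open(key, ad, envelope []byte) ([]byte, error) {
	if len(envelope) < nonceSize+tagSize {
		return nil, errors.New("envelope too short")
	}
	aead := newAEAD(key)
	nonce, ct := envelope[:nonceSize], envelope[nonceSize:]
	return aead.Open(nil, nonce, ct, ad)
}

// AEADDemo exercises integrity, context binding and non-determinism and
// reports whether each behaved as an AEAD should, plus the size overhead.
func AEADDemo() (tamperRejected, wrongADRejected, probabilistic, roundTrip bool, overhead int) {
	key := bytes.Repeat([]byte{0x42}, 16)           // constructed demo key
	ad := []byte("recipient=alice;purpose=payment") // context the ciphertext must stay in
	pt := []byte("amount=100")

	env := Seal(key, ad, pt)
	overhead = len(env) - len(pt) // nonce + tag
	if got, err := Open(key, ad, env); err == nil && bytes.Equal(got, pt) {
		roundTrip = true
	}

	// Integrity: flip one bit of the ciphertext body; the tag no longer verifies.
	tampered := append([]byte(nil), env...)
	tampered[nonceSize] ^= 0x01
	_, err := Open(key, ad, tampered)
	tamperRejected = err != nil

	// Context: replay the untouched envelope under a different context.
	// The bytes are intact, but the ad does not match, so Open fails.
	_, err = Open(key, []byte("recipient=mallory;purpose=payment"), env)
	wrongADRejected = err != nil

	// Probabilistic: sealing the same plaintext twice yields different bytes.
	probabilistic = !bytes.Equal(env, Seal(key, ad, pt))
	return
}

func main() {
	t, a, p, r, o := AEADDemo()
	fmt.Printf("tamper rejected=%v wrong-ad rejected=%v probabilistic=%v round-trip=%v overhead=%d bytes\n", t, a, p, r, o)
}
```

The 28-byte overhead (12-byte nonce plus 16-byte tag) is the price of probabilistic, authenticated encryption that the deterministic schemes above avoid. Note that the associated data is not part of the envelope: it is whatever context the receiver already knows (a filename, a record ID, a protocol version), and Open fails if that context differs from the sender's.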
Key Commitment
A newer property is key commitment. From a paper on key commitment (“How to Abuse and Fix Authenticated Encryption Without Key Commitment”, Albertini et al.):
“if recipient A decrypts a ciphertext with the key K_A into a valid plaintext, meaning authentication succeeds, then A knows that the ciphertext has not been modified during transmission. Intuitively, one might mistakenly extend that integrity guarantee to keys, i.e., if some other recipient B decrypts the same ciphertext with their key K_B, then decryption would fail. However, this is neither an AE design goal, nor a guaranteed property, and there are secure and globally deployed AE schemes where both recipients can successfully decrypt the same ciphertext.”
The paper contains both examples of how to abuse non-key-committing encryption modes in practice (AES-GCM and ChaCha20-Poly1305 among them) and ways to fix existing schemes today.
In practice, key-committing AEAD schemes are not widely available in mainstream libraries; the usual workaround is to add a key commitment yourself on top of a standard AEAD.
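One way to add a key commitment on top of a non-committing AEAD, as an added example for these notes rather than code from the paper or the original page: split the master key with HMAC-SHA256 used as a PRF into an encryption subkey and a commitment value, publish the commitment with every ciphertext, and have the receiver check that the commitment matches its own key before decrypting. The `commitment || nonce || ciphertext || tag` layout, the HMAC labels, the keys and the messages are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const (
	gcmNonceSize = 12
	gcmTagSize   = 16
	commitSize   = sha256.Size // 32-byte key commitment
)

// ErrKeyCommitment is returned when a ciphertext carries a commitment to a
// different key than the one offered for decryption.
var ErrKeyCommitment = errors.New("ciphertext was not produced under this key")

// deriveEncKey and deriveCommitment derive two independent values from the
// master key with HMAC-SHA256 as a PRF. The commitment reveals nothing about
// the encryption subkey, and finding two master keys with the same
// commitment would require a SHA-256 collision.
func deriveEncKey(master []byte) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("enc"))
	return m.Sum(nil)[:16] // AES-128 subkey
}

func deriveCommitment(master []byte) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("commit"))
	return m.Sum(nil)
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// SealCommitting produces commitment || nonce || ciphertext || tag.
func SealCommitting(master, ad, pt []byte) []byte {
	aead := gcmFor(deriveEncKey(master))
	nonce := make([]byte, gcmNonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	out := append(deriveCommitment(master), nonce...)
	return aead.Seal(out, nonce, pt, ad)
}

// OpenCommitting checks the commitment in constant time before any
// decryption takes place, so a ciphertext crafted to verify under two
// different GCM keys is rejected for the key it was not committed to.
func OpenCommitting(master, ad, env []byte) ([]byte, error) {
	if len(env) < commitSize+gcmNonceSize+gcmTagSize {
		return nil, errors.New("envelope too short")
	}
	if !hmac.Equal(env[:commitSize], deriveCommitment(master)) {
		return nil, ErrKeyCommitment
	}
	rest := env[commitSize:]
	return gcmFor(deriveEncKey(master)).Open(nil, rest[:gcmNonceSize], rest[gcmNonceSize:], ad)
}

// KeyCommitmentDemo seals a message under key A and tries to open it under
// both A and B, returning the round-trip result and B's error.
func KeyCommitmentDemo() (roundTrip bool, wrongKeyErr error) {
	kA := bytes.Repeat([]byte{0xA1}, 32) // constructed demo keys
	kB := bytes.Repeat([]byte{0xB2}, 32)
	ad := []byte("file=report.pdf")
	pt := []byte("only for A")

	env := SealCommitting(kA, ad, pt)
	got, err := OpenCommitting(kA, ad, env)
	roundTrip = err == nil && bytes.Equal(got, pt)
	_, wrongKeyErr = OpenCommitting(kB, ad, env)
	return
}

func main() {
	ok, err := KeyCommitmentDemo()
	fmt.Printf("round-trip under K_A: %v; under K_B: %v\n", ok, err)
}
```

The cost is 32 extra bytes per ciphertext and two HMAC calls per operation. Checking the commitment first also gives a distinct, non-malleable failure reason, which matters in multi-recipient or key-rotation settings where “wrong key” and “corrupted ciphertext” should be handled differently.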