General stuff
- Comparison of Symmetric Encryption Methods - Dhole Moments
- Latacora - Cryptographic Right Answers
- Block ciphers are basically keyed pseudo-random permutation functions
- Be aware of nonce reuse: initialization vector - How bad it is using the same IV twice with AES/GCM? - Cryptography Stack Exchange
- Be aware of limits on how much data/messages you can safely encrypt under the same key (“cryptographic wear-out”): Cryptographic Wear-Out for Symmetric Encryption - Dhole Moments
AEAD ciphers
AEAD stands for “authenticated encryption with associated data”.
- Authenticated Encryption (AE)
  - I.e. “MACs built-in to encryption”
  - Prevents the ciphertext that was transmitted to you from being tampered with by a third party that doesn’t know the key. Undetected tampering can break the overall security of your system in unexpected ways.
  - Also prevents padding oracle attacks that even recover the key.
  - XML Encryption famously broke due to lacking authentication: https://www.nds.rub.de/media/nds/veroeffentlichungen/2011/10/22/HowToBreakXMLenc.pdf
- Associated Data (AD)
  - Prevents the ciphertext from being “pulled out of context” by a third party that doesn’t know the key.
  - A good crypto stackoverflow answer on why this can be dangerous: encryption - What is the purpose of associated authenticated data in AEAD? - Information Security Stack Exchange
Also interesting, but not captured in “AEAD”, is probabilistic encryption:
- Prevents the same message from producing the same ciphertext when encrypted twice with the same key.
- Usually achieved by providing a nonce (sometimes called initialization vector) that is either randomly generated or incremented for every message with a given random key.
Most ciphers are probabilistic (or “non-deterministic”). So why are some ciphers deterministic?
- You might not need additional randomness if your messages are inherently random, e.g. when you’re doing key-wrapping.
- To provide non-determinism you need to attach a random nonce to your ciphertext. Deterministic encryption ciphertexts thus tend to be shorter.
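
The three properties above (tamper detection, binding to associated data, and a random nonce attached to the ciphertext) shown together with Go's standard-library AES-GCM. This is an added example, not taken from any of the linked articles; the function names, the all-zero demo key and the `user=...;field=...` context strings are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMessage returns nonce || ciphertext || tag. A fresh random nonce makes
// the output differ on every call; context is authenticated, not encrypted.
func sealMessage(key, context, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, context), nil
}

// openMessage fails if the blob was modified or context differs from sealing.
func openMessage(key, context, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, fmt.Errorf("blob shorter than nonce plus tag")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], context)
}

func main() {
	key := make([]byte, 32) // constructed demo key; use a random key in practice
	blob, _ := sealMessage(key, []byte("user=alice;field=email"), []byte("a@example.org"))
	_, err := openMessage(key, []byte("user=bob;field=email"), blob)
	fmt.Println(len(blob), err)
}
```

The sealed blob is 28 bytes longer than the plaintext (12-byte nonce plus 16-byte tag), which is the size cost a deterministic scheme avoids on the nonce side.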