|
Authenticated Encryption (AE) or Authenticated Encryption with Associated Data (AEAD) is a block cipher mode of operation which simultaneously provides confidentiality, integrity, and authenticity assurances on the data; decryption is combined in single step with integrity verification. These attributes are provided under a single, easy to use programming interface. The need for AE emerged from the observation that securely combining a confidentiality mode with an authentication mode could be error prone and difficult.〔''"people had been doing rather poorly when they tried to glue together a traditional (privacy-only) encryption scheme and a message authentication code (MAC)"'', in: 〕〔''"it is very easy to accidentally combine secure encryption schemes with secure MACs and still get insecure authenticated encryption schemes"'', in: 〕 This was confirmed by a number of practical attacks introduced into production protocols and applications by incorrect implementation, or lack, of authentication (including SSL/TLS).〔(【引用サイトリンク】title=Failures of secret-key cryptography )〕 Interest in these modes was sparked by the publication of Charanjit Jutla's IACBC and IAPM modes in 2000. Six different authenticated encryption modes (namely OCB 2.0, Key Wrap, CCM, EAX, Encrypt-then-MAC (EtM), and GCM) have been standardized in ISO/IEC 19772:2009. More were developed in response to NIST solicitation.〔(【引用サイトリンク】title=Encryption modes development )〕 Sponge functions can be used in duplex mode to provide authenticated encryption.〔(【引用サイトリンク】title=Duplexing The Sponge )〕 A typical programming interface for AE mode implementation would provide the following functions: * Encryption * * Input: ''plaintext'', ''key'', and optionally a ''header'' in plaintext that will not be encrypted, but will be covered by authenticity protection. * * Output: ''ciphertext'' and ''authentication tag'' (Message Authentication Code). * Decryption * * Input: ''ciphertext'', ''key'', ''authentication tag'', and optionally a ''header''. * * Output: ''plaintext'', or an error if the ''authentication tag'' does not match the supplied ''ciphertext'' or ''header''. The ''header'' part is intended to provide authenticity and integrity protection for networking or storage metadata for which confidentiality is unnecessary, but authenticity is desired. In addition to protecting message integrity and confidentiality, authenticated encryption can provide plaintext awareness and security against chosen ciphertext attack. In these attacks, an adversary attempts to gain an advantage against a cryptosystem (e.g., information about the secret decryption key) by submitting carefully chosen ciphertexts to some "decryption oracle" and analyzing the decrypted results. Authenticated encryption schemes can recognize improperly-constructed ciphertexts and refuse to decrypt them. This in turn prevents the attacker from requesting the decryption of any ciphertext unless he generated it correctly using the encryption algorithm, which would imply that he already knows the plaintext. Implemented correctly, this removes the usefulness of the decryption oracle, by preventing an attacker from gaining useful information that he does not already possess. Many specialized authenticated encryption modes have been developed for use with symmetric block ciphers. However, authenticated encryption can be generically constructed by combining an encryption scheme and a Message Authentication Code (MAC), provided that: * The encryption scheme is semantically secure under a chosen plaintext attack. * The MAC function is unforgeable under a ''chosen message attack''. Bellare and Namprempre (2000) analyzed three compositions of these primitives, and demonstrated that encrypting a message and subsequently applying a MAC to the ciphertext implies security against an adaptive chosen ciphertext attack, provided that both functions meet the required properties. In 2013, a competition was announced to encourage design of authenticated encryption modes.〔(【引用サイトリンク】title=CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness )〕 ==Approaches to Authenticated Encryption== 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Authenticated encryption」の詳細全文を読む スポンサード リンク
|