
proposal: crypto/cipher: detached mode AEAD Seal/Open #24990

Open
riobard opened this issue Apr 22, 2018 · 4 comments

Comments

@riobard commented Apr 22, 2018

The AEAD interface currently exposes only combined-mode operation, with the authentication tag appended to the ciphertext.

The popular crypto library libsodium supports detached-mode operation, where the authentication tag and the ciphertext can be at different locations (e.g. some applications may need to store the authentication tag before the ciphertext).

Due to the Go 1 compatibility requirement the existing AEAD interface cannot be changed. Therefore I propose we add a new interface, DetachedAEAD.

```go
type DetachedAEAD interface {
        // NonceSize returns the size of the nonce that must be passed to Seal
        // and Open.
        NonceSize() int

        // TagSize returns the size of the tag.
        TagSize() int

        // Seal encrypts and authenticates plaintext, authenticates the
        // additional data and appends the result to dst, returning the updated
        // slice. The nonce must be NonceSize() bytes long and unique for all
        // time, for a given key. The tag must be at least TagSize() bytes long.
        //
        // The plaintext and dst must overlap exactly or not at all. To reuse
        // plaintext's storage for the encrypted output, use plaintext[:0] as dst.
        Seal(dst, tag, nonce, plaintext, additionalData []byte) []byte

        // Open decrypts and authenticates ciphertext, authenticates the
        // additional data and, if successful, appends the resulting plaintext
        // to dst, returning the updated slice. The nonce must be NonceSize()
        // bytes long and both it and the additional data must match the
        // value passed to Seal. The tag must be at least TagSize() bytes long.
        //
        // The ciphertext and dst must overlap exactly or not at all. To reuse
        // ciphertext's storage for the decrypted output, use ciphertext[:0] as dst.
        //
        // Even if the function fails, the contents of dst, up to its capacity,
        // may be overwritten.
        Open(dst, tag, nonce, ciphertext, additionalData []byte) ([]byte, error)
}
```

@riobard riobard changed the title crypto/cipher: Detached mode AEAD Seal/Open crypto/cipher: detached mode AEAD Seal/Open Apr 22, 2018

@agnivade agnivade changed the title crypto/cipher: detached mode AEAD Seal/Open proposal: crypto/cipher: detached mode AEAD Seal/Open Apr 22, 2018

@gopherbot gopherbot added this to the Proposal milestone Apr 22, 2018

@gopherbot gopherbot added the Proposal label Apr 22, 2018

@FiloSottile (Member) commented May 4, 2018

Based on discussion with @agl, we want something like this. We need to decide what shape the API will take. If it will be different from BoringSSL we'll need a good reason to ignore their decision.

@jyxjjj commented Jun 23, 2019

@FiloSottile So, how do I split it at this moment? It seems to "append", so can I just take the last 32 bytes?

@FiloSottile (Member) commented Jun 23, 2019

@jyxjjj Yes, but the GCM tag is normally 16 bytes. You can get its length by calling AEAD.Overhead().
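The following is an added example, not code from this issue or from the Go standard library. It shows both points made above: a wrapper with the detached Seal/Open shape proposed in the issue body, built on top of the existing combined-mode cipher.AEAD by splitting off the last Overhead() bytes as the tag (the split the comment above describes), plus a tag-before-ciphertext record layout of the kind the issue mentions as motivation. The names Detached, NewDetached, EncodeTagFirst and DecodeTagFirst are this example's own; it assumes the underlying AEAD's Overhead() equals its tag length, which is true for the standard library's AES-GCM and ChaCha20-Poly1305 but is not guaranteed by the AEAD interface. The key and nonce in main are constructed for the demo only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Detached adapts a combined-mode cipher.AEAD (output layout ciphertext || tag)
// to the detached Seal/Open shape. Assumption: aead.Overhead() == tag length.
type Detached struct {
	aead cipher.AEAD
}

func NewDetached(a cipher.AEAD) *Detached { return &Detached{aead: a} }

func (d *Detached) NonceSize() int { return d.aead.NonceSize() }

// TagSize is Overhead() because the combined output carries nothing but the tag
// beyond the ciphertext for the AEADs this wrapper is meant for.
func (d *Detached) TagSize() int { return d.aead.Overhead() }

// Seal encrypts plaintext, appends the ciphertext (without tag) to dst and
// writes the tag into the first TagSize() bytes of tag. The combined output is
// computed into a fresh buffer first, so dst == plaintext[:0] is safe.
func (d *Detached) Seal(dst, tag, nonce, plaintext, additionalData []byte) []byte {
	if len(tag) < d.TagSize() {
		panic("detached: tag buffer shorter than TagSize()")
	}
	combined := d.aead.Seal(nil, nonce, plaintext, additionalData)
	split := len(combined) - d.TagSize()
	copy(tag, combined[split:])
	return append(dst, combined[:split]...)
}

// Open reassembles ciphertext || tag and delegates to the combined-mode Open,
// so a wrong tag, nonce or additional data fails exactly as it does there.
func (d *Detached) Open(dst, tag, nonce, ciphertext, additionalData []byte) ([]byte, error) {
	if len(tag) < d.TagSize() {
		return nil, errors.New("detached: tag shorter than TagSize()")
	}
	combined := make([]byte, 0, len(ciphertext)+d.TagSize())
	combined = append(combined, ciphertext...)
	combined = append(combined, tag[:d.TagSize()]...)
	return d.aead.Open(dst, nonce, combined, additionalData)
}

// EncodeTagFirst builds the record nonce || tag || ciphertext, i.e. the tag
// stored before the ciphertext, which combined mode cannot produce directly.
func EncodeTagFirst(d *Detached, nonce, plaintext, additionalData []byte) []byte {
	tag := make([]byte, d.TagSize())
	ct := d.Seal(nil, tag, nonce, plaintext, additionalData)
	out := make([]byte, 0, len(nonce)+len(tag)+len(ct))
	out = append(out, nonce...)
	out = append(out, tag...)
	return append(out, ct...)
}

// DecodeTagFirst parses nonce || tag || ciphertext and authenticates it.
func DecodeTagFirst(d *Detached, record, additionalData []byte) ([]byte, error) {
	n, t := d.NonceSize(), d.TagSize()
	if len(record) < n+t {
		return nil, errors.New("detached: record shorter than nonce + tag")
	}
	nonce, tag, ct := record[:n], record[n:n+t], record[n+t:]
	return d.Open(nil, tag, nonce, ct, additionalData)
}

func main() {
	// Constructed demo key and nonce. A real system derives the key and never
	// reuses a nonce under the same key.
	key := bytes.Repeat([]byte{0x42}, 16)
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	d := NewDetached(gcm)
	nonce := make([]byte, d.NonceSize())
	nonce[d.NonceSize()-1] = 1
	ad := []byte("record header")

	rec := EncodeTagFirst(d, nonce, []byte("detached AEAD example"), ad)
	fmt.Printf("record: nonce(%d) || tag(%d) || ciphertext(%d)\n",
		d.NonceSize(), d.TagSize(), len(rec)-d.NonceSize()-d.TagSize())
	pt, err := DecodeTagFirst(d, rec, ad)
	fmt.Printf("open: %q err=%v\n", pt, err)

	rec[d.NonceSize()] ^= 0x01 // flip one bit of the stored tag
	_, err = DecodeTagFirst(d, rec, ad)
	fmt.Println("open after tag bit-flip: err =", err)
}
```

The wrapper is allocation-heavy by design: going through the combined-mode primitive keeps the authentication check identical to the standard library's, at the cost of one extra copy per call. A native detached implementation in crypto/cipher would avoid that copy, which is part of why the issue asks for the interface rather than a wrapper.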

@jyxjjj commented Jun 23, 2019

Thank you.
