aws-lc-rs is a cryptographic library using AWS-LC for its cryptographic operations. The library strives to be API-compatible with the popular Rust library named ring.
I would like to be able to use CBC in a streaming fashion. Unfortunately, currently the CBC encryptor always puts padding after an encryption operation and expects padding during a decryption operation.
Add CBC support to EncryptingKey and DecryptingKey types, and have the caveat that the inputs must be divisible by the block size, and leave padding decisions to the caller.
Introduce a StreamingPaddedBlockEncryptingKey and StreamingPaddedBlockDecryptingKey that implements the streaming and padding concepts.
The later would be nicer but more work
Does this change any public APIs? No it add more APIs
Which algorithm(s) will this impact? CBC
Requirements / Acceptance Criteria:
What must a solution address in order to solve the problem? How do we know the solution is complete?
Ideally we can encrypt/decrypt in a streaming fashion.
RFC links: N/A
Related Issues: None
Will the Usage Guide or other documentation need to be updated? Maybe depending on the solution
Testing: How will this change be tested? Call out new integration tests, functional tests, or particularly
interesting/important unit tests. Probably through unit tests
Out of scope:
Is there anything the solution will intentionally NOT address?
justsmth
commented
1 week ago
Problem:
I would like to be able to use CBC in a streaming fashion. Unfortunately, currently the CBC encryptor always puts padding after an encryption operation and expects padding during a decryption operation.
OpenSSL solves that problem with finalize methods (for ex. https://docs.rs/openssl/latest/openssl/envelope/struct.Open.html#method.finalize)
Solution:
There are two possible options
Add CBC support to EncryptingKey and DecryptingKey types, and have the caveat that the inputs must be divisible by the block size, and leave padding decisions to the caller.
Introduce a StreamingPaddedBlockEncryptingKey and StreamingPaddedBlockDecryptingKey that implements the streaming and padding concepts.
The later would be nicer but more work
Requirements / Acceptance Criteria:
What must a solution address in order to solve the problem? How do we know the solution is complete?
Ideally we can encrypt/decrypt in a streaming fashion.
Out of scope:
Is there anything the solution will intentionally NOT address?