engyon / enprot

enprot command line tool for Engyon

Deterministic AES-GCM (+AES-GCM-SIV) #39

Open dewyatt opened 4 years ago

dewyatt commented 4 years ago

Currently we support:

In the initial implementation of enprot (--pbkdf legacy --cipher aes-256-siv), the encryption was simply AES-256-SIV(SHA3-512(password)), which is deterministic. This seems consistent with the concept of CAS.

With the current implementation of AES-GCM, encrypting identical plaintexts with the same password/key will result in two separate ciphertexts since the nonce is random.

We also now use proper pbkdfs, but with pbkdf caching it could still be beneficial to support DAE for AES-GCM/AES-GCM-SIV.

That way, for example, encrypt-and-store on a set of identical plaintexts, with the same password, and the same keyword (Agent_007 etc) would be stored as a single CAS entry. This would be beneficial if working with a large set of documents with similar data, for example.

The approach I've tested out is:

1) Use the PBKDF-derived key as a master key
2) Use HKDF-Expand(HMAC(...)) to derive both an encryption key and an IV key
3) HMAC the plaintext w/the IV key to generate the IV

Which seems to be commonly recommended: https://crypto.stackexchange.com/a/20963 https://crypto.stackexchange.com/a/52694
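The three-step construction above, worked through end to end as an added example; this is not enprot's code and it does not use enprot's HKDF info string, nonce length or key layout, all of which are assumptions here (HKDF-Expand and the IV derivation both use HMAC-SHA256, the 96-bit GCM nonce is the truncated HMAC, and the associated data is folded into the nonce derivation so that the same plaintext under a different keyword still gets a different nonce). The master key is taken as input, standing in for the PBKDF output, and the `main` function uses a constructed constant.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const nonceLen = 12 // standard 96-bit AES-GCM nonce

// hkdfExpand is HKDF-Expand (RFC 5869 section 2.3) instantiated with HMAC-SHA256.
// prk is the PBKDF-derived master key; info separates the sub-keys by purpose.
func hkdfExpand(prk, info []byte, length int) []byte {
	var okm, prev []byte
	for counter := byte(1); len(okm) < length; counter++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{counter})
		prev = m.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length]
}

// subKeys holds the two keys derived from the master key: one for AES-256-GCM
// and one used only to derive nonces.
type subKeys struct{ enc, iv []byte }

// deriveSubKeys expands the master key into a 32-byte encryption key and a
// 32-byte IV key. The info string is an assumption of this example.
func deriveSubKeys(master []byte) subKeys {
	okm := hkdfExpand(master, []byte("example-dae-aes-256-gcm"), 64)
	return subKeys{enc: okm[:32], iv: okm[32:]}
}

// deriveNonce computes the synthetic IV: HMAC-SHA256 over the associated data
// and the plaintext, keyed with the IV key, truncated to the GCM nonce length.
// Identical (aad, plaintext) pairs therefore yield identical nonces.
func deriveNonce(ivKey, aad, plaintext []byte) []byte {
	m := hmac.New(sha256.New, ivKey)
	m.Write(aad)
	m.Write(plaintext)
	return m.Sum(nil)[:nonceLen]
}

// sealDeterministic encrypts plaintext under the master key and returns
// nonce || ciphertext || tag. The same inputs always produce the same output.
func sealDeterministic(master, aad, plaintext []byte) ([]byte, error) {
	k := deriveSubKeys(master)
	block, err := aes.NewCipher(k.enc)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := deriveNonce(k.iv, aad, plaintext)
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openDeterministic reverses sealDeterministic; the GCM tag still provides
// integrity, so a modified blob or wrong aad fails to decrypt.
func openDeterministic(master, aad, blob []byte) ([]byte, error) {
	if len(blob) < nonceLen {
		return nil, errors.New("ciphertext too short")
	}
	k := deriveSubKeys(master)
	block, err := aes.NewCipher(k.enc)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:nonceLen], blob[nonceLen:], aad)
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed stand-in for a PBKDF output
	aad := []byte("Agent_007")               // the keyword, bound as associated data
	c1, _ := sealDeterministic(master, aad, []byte("same document"))
	c2, _ := sealDeterministic(master, aad, []byte("same document"))
	fmt.Println("identical ciphertexts:", bytes.Equal(c1, c2))
	fmt.Println("blob:", hex.EncodeToString(c1))
	pt, err := openDeterministic(master, aad, c1)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
}
```

The property a CAS store wants is visible in `main`: two encryptions of the same plaintext under the same master key and keyword are byte-for-byte equal, so they collapse to one entry. The trade-off is the usual one for DAE: equality of plaintexts is revealed by equality of ciphertexts, and the nonce repeats exactly when the plaintext (and AAD) repeat, which is safe for GCM only because the resulting ciphertext is then also identical rather than a second message under a reused nonce.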

dewyatt commented 4 years ago

@ronaldtse do we want to:

1) Only support non-deterministic AES-GCM/AES-GCM-SIV (current state of things).
2) Only support deterministic AES-GCM/AES-GCM-SIV.
3) Support both

ronaldtse commented 4 years ago

Ideally we want to support both. I believe the NIST version may only be non-deterministic, though. Actually let me ask.

UPDATE: Waiting for official answer.