Shortcut URL: https://csrc.nist.gov/bcm/authentication-for-confidentiality-modes
Authenticity is a goal that includes two types of assurance for data: its integrity (i.e., that the data is unaltered from its original form) and origin (i.e., that the data was in fact generated at its purported source). Authentication is a process (e.g., a cryptographic technique) for providing assurance of authenticity. Cryptographic authentication implies some form of data expansion (i.e., an increase in the size of the protected data).
Authenticity is a critical requirement for most information technology applications, and the encryption of data does not provide assurance of its authenticity. For example, if a cryptographic key is generated at random and encrypted for transmission over a public network, the recipient cannot necessarily detect whether the encrypted key was altered during transmission, either accidentally or deliberately.
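The key-transport example above, as an added illustration that is not part of the NIST page: a confidentiality-only counter-mode encryption accepts an altered ciphertext, while a tag computed over the ciphertext under an independent key rejects it, at the cost of 32 bytes of data expansion. HMAC-SHA-256 stands in for AES as the keystream function so the block runs on the Python standard library alone; the function names and the encrypt-then-tag layout are assumptions of this example, not a NIST-specified combination.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA-256 output size; this is the data expansion

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream. Assumption: HMAC-SHA-256 is a stand-in PRF for AES.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR; nothing here checks integrity.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt, then tag nonce || ciphertext under an independent key.
    ct = ctr_xor(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(enc_key: bytes, mac_key: bytes, nonce: bytes, sealed: bytes):
    # Verify the tag in constant time before decrypting; None means rejected.
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_xor(enc_key, nonce, ct)

def flip_bit(data: bytes, index: int = 0, mask: int = 0x01) -> bytes:
    # Models an accidental or deliberate alteration during transmission.
    altered = bytearray(data)
    altered[index] ^= mask
    return bytes(altered)

def demo() -> dict:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    session_key = secrets.token_bytes(16)  # constructed sample: the transported key
    ct = ctr_xor(enc_key, nonce, session_key)
    sealed = seal(enc_key, mac_key, nonce, session_key)
    return {
        "unauthenticated_yields_wrong_key": ctr_xor(enc_key, nonce, flip_bit(ct)) != session_key,
        "authenticated_rejects_altered": unseal(enc_key, mac_key, nonce, flip_bit(sealed)) is None,
        "authenticated_accepts_intact": unseal(enc_key, mac_key, nonce, sealed) == session_key,
        "expansion_bytes": len(sealed) - len(ct),
    }

if __name__ == "__main__":
    print(demo())
```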
Applications in which confidentiality is provided by a block cipher mode can be categorized as follows with respect to authentication:
Category I should be the default choice wherever feasible. NIST currently approves the following integrated techniques:
NIST has proposed developing cryptographic accordions with derived functions for both AEAD and DAE.
Category II is currently approved in SP 800-38F without any specification of how to combine the confidentiality-only mode with the independent authentication technique. Although secure combinations are possible, ad hoc combinations may be subject to potentially significant security vulnerabilities. Guidance and pitfalls are documented in the academic literature, such as the following:
Moreover, without a standard specification, validation testing is necessarily limited to the component techniques. Important details such as the ordering of the data or the generation of keys/subkeys would be out of scope of the testing.
Category III should be limited to applications that cannot tolerate the data expansion that is inherent in cryptographic authentication. Without assurance of authenticity, the confidentiality modes specified in SP 800-38A have significant security vulnerabilities, as described in Appendix D of the publication and in NIST Internal Report (IR) 8459. The XTS-AES mode that is approved in SP 800-38E was designed to mitigate some of these vulnerabilities for full-disk encryption. The development of cryptographic accordions is expected to facilitate enhanced security for this use case.
Security and Privacy: encryption, message authentication