The Basics of Crypto 8: Authenticated Encryption Algorithms
- andy1265
- Jun 20, 2022
- 3 min read
Authenticated encryption algorithms combine the functionality of a standard encryption algorithm with the signature functionality supplied by MACs/HMACs. Combining these two features can provide varying levels of security and a notable speed increase; however, the larger attack surface does allow more errors to sneak into the system. In this instalment we shall discuss the methods, benefits and pitfalls associated with authenticated encryption algorithms.
Authenticated Encryption Using MACs
There are three main ways of turning plaintext into ciphertext and supplying a MAC token. These ways offer differing levels of security and we will cover them from least secure to most secure. These methods are: encrypt and MAC (do both independently of each other), MAC then encrypt (get the MAC of the plaintext, then encrypt), and encrypt then MAC (encrypt the plaintext, then get the MAC of the ciphertext).
Encrypt and MAC
When using this method you can generate either the ciphertext or the MAC first (or both simultaneously). Once both are generated they are transmitted to the intended recipient, who then decrypts the ciphertext, generates the MAC of the plaintext and compares it to the supplied MAC. This system will throw an error if either the ciphertext or the MAC was tampered with or corrupted in transit. The weakness of this system is that the two actions (encrypt and MAC) are carried out independently, and if there are flaws in the hashing algorithm used, the MAC could leak information about the plaintext.
However, if both the encryption and hashing algorithms used are strong, this system is more than suitable for use, even if it is the weakest of the three. It has been used in SSH for a substantial amount of time at this point, demonstrating the strengths of the system. A diagram depicting the process is below:

MAC then Encrypt
MAC then encrypt works by generating the MAC and then encrypting the MAC and plaintext together. This system is more secure than encrypt and MAC because it hides the MAC during transit, as only the ciphertext needs to be communicated. However, similarly to encrypt and MAC, the MAC cannot be used to check the validity of the message before decryption; for that we will need to look to the next system. An image depicting the MAC then encrypt system can be seen below:

Encrypt then MAC
Encrypt then MAC is the strongest of the three systems. This system works by encrypting the plaintext, then generating a MAC from the ciphertext and sending both the ciphertext and the MAC to the intended recipient. The benefits of this system are that the recipient can use the MAC to check the validity of the ciphertext without decrypting it, and that the MAC cannot leak any information about the plaintext as it was generated from the ciphertext. An image depicting the Encrypt then MAC process can be seen below:

Associated Data
Associated data is a feature supported by most authenticated encryption algorithms. It is data that is transmitted in plaintext along with the ciphertext and is also covered by the MAC. For example, say you are sending a network packet and want to encrypt the data but not the header, as the header is necessary to ensure the packet gets to where it needs to be. You still want the header to be included in the MAC that is generated, so the recipient can confirm that it was sent from the correct location.
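The encrypt then MAC flow with associated data described above, as an added example (not code from the original post). It assumes HMAC-SHA256 for the MAC and, so that it runs on the Python standard library alone, an HMAC-SHA256 counter-mode keystream as a stand-in for a real cipher such as AES-CTR; the function names, header and payload are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32  # TAG_LEN is the HMAC-SHA256 output size


def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        counter = struct.pack(">Q", off // 32)
        pad = hmac.new(enc_key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def compute_tag(mac_key: bytes, ad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the associated data so the header/ciphertext
    # boundary cannot be shifted without changing the tag.
    msg = struct.pack(">Q", len(ad)) + ad + nonce + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, ad: bytes, plaintext: bytes) -> bytes:
    """Encrypt first, then MAC the cleartext header, nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)  # fresh for every message
    ct = keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + compute_tag(mac_key, ad, nonce, ct)


def unseal(enc_key: bytes, mac_key: bytes, ad: bytes, packet: bytes) -> bytes:
    """Check the tag before decrypting; reject on any header or ciphertext change."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, compute_tag(mac_key, ad, nonce, ct)):
        raise ValueError("authentication failed")  # nothing has been decrypted
    return keystream_xor(enc_key, nonce, ct)


# Constructed sample: a cleartext routing header and an encrypted payload.
ENC_KEY, MAC_KEY = os.urandom(32), os.urandom(32)  # independent keys
HEADER = b"src=10.0.0.5;dst=10.0.0.9"
PACKET = seal(ENC_KEY, MAC_KEY, HEADER, b"transfer 100 to alice")
```

The header travels in the clear beside `PACKET`; changing either one makes `unseal` raise before any decryption takes place.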