Privacy and Integrity - Confidentiality and Authenticity of Data

Confidentiality means that no one can read your data without the key (here: without knowing or guessing the correct password). This also ensures encryption without authentication.

Almost all encryption applications ensure confidentiality - assuming they do not use out dated encryption algorithms like DES or RC4 or have implementation errors.

What this type of encryption does not guarantee is the authenticity of data.

Some Short Definitions about Encryption and Authentication

There are a few terms that are important when it comes to encryption and authentication:

Encryption is one aspect of cryptography, and means the encoding of information in a way that only those persons can access it who are intended to do so. For all others, the information remains unreadable.
For example, no one other than you should be able to read your encrypted calendar or your private notes.
Authentication is a property that an information has not been modified during transmission or absence. The receiving party can verify the origin of the message.
If someone has modified your (encrypted) calendar dates or notes, you'll know.

The cryptographic key is a piece of information that is necessary to execute the encryption as well as the authentication.
One could assume that a password is the key, but for technical and security reasons it must first be transformed into a key by a key derivation function.
The algorithm that performs the encryption is called a cipher.
Ciphertext is the resulting content of an encryption, the encrypted plaintext.
A MAC (Message Authentication Code) or a tag is a piece of information that is used to ensure, that the information was not modified. This is produced and verified by a MAC algorithm.

Authenticated Encryption

The goal of an authenticated encryption scheme is to provide both privacy and integrity: confidentiality and authenticity of the data.

A common way to achieve authenticity is to use Message Authentication Code (MAC) with a tag. In the public-key cryptography, the same goal is achieved with digital signatures.

Common ways the achieve authenticity are (in historical order):

encrypt-than-MAC in two separate steps: first encrypt the information, than create a MAC
using ciphers in special modes of operation: authenticated encryption modes like GCM, CCM or EAX (used here), who do both internally
or - still less common - using new authenticated cipher from the CAESAR competition, who can do both in one

Ciphertext Integrity (INT-CTXT) and Misuse Resistance

The focus here is on one aspect of the authenticated encryption: The misuse resistance which means that it is not possible to generate a ciphertext that is decrypted except by encrypting a message. The infeasibility to forge ciphertexts guarantees the integrity of the data.

This is called ciphertext integrity (INT-CTXT). In short: An advisory can't tamper or manipulate the ciphertext unnoticed.

Relevance of Authenticity for the PEAs

Many attack scenarios, which are to be prevented by authenticated encryption, do not play a role for the PEAs, because they refer either to a server client scenarios or to public key cryptography like:

Padding Oracle attacks
Chosen ciphertext attacks: Gathering information by obtaining the decryptions of chosen ciphertexts to recover the encryption key

At first glance, chosen ciphertext attacks do not seem to apply to PEA applications. The data like calendar dates or notes can of course be swapped with any other, if an advisory has access to our device. But then we would just have an unreadable data salad instead of our dates and notes. That would be annoying, but not an advantage for a crook, who might as well delete the data.

But often an advisory can make assumptions about data. For example, if she or he can assume that a note begins with "Give Beloumix $100", she or he can change it easily through a chosen ciphertext attack to "Give Beloumix $999" - without us even noticing.

Or let's say the crook can assume that we store login web pages in our notes. He or she could change the page and intercept our password with a fake page.

Chosen ciphertext attacks assume more preconditions, but they are also possible for symmetric encryption without a server scenario like password encryption. And authentication is only a small additional effort for the developer, which is not noticeable for the user at all.

The Choice of Encryption Methods

The PEAs are using the cipher Threefish in an authenticated mode of operation, the EAX mode.

For security reasons other ciphers would also have been ok, but Threefish runs faster with the programming language and the libraries used here than e.g. AES, and Threefish is not vulnerable to cache-timing attacks.

The EAX mode is the most flexible authenticated mode and allows larger keys than others.