Privacy and Integrity - Confidentiality and Authenticity of Data
Confidentiality means that no one can read your data without the key (here: without knowing or guessing the correct password). This also ensures encryption without authentication.
Almost all encryption applications ensure confidentiality - assuming they do not use out dated encryption algorithms like DES or RC4 or have implementation errors.
What this type of encryption does not guarantee is the authenticity of data.
Some Short Definitions about Encryption and AuthenticationThere are a few terms that are important when it comes to encryption and authentication:
is one aspect of cryptography, and means the encoding of information in a way
that only those persons can access it who are intended to do so. For all others, the
information remains unreadable.
For example, no one other than you should be able to read your encrypted calendar or your private notes.
is a property that an information has not been modified during
transmission or absence. The receiving party can verify the origin of the message.
If someone has modified your (encrypted) calendar dates or notes, you'll know.
- The cryptographic key is a piece of information that is necessary to
execute the encryption as well as the authentication.
One could assume that a password is the key, but for technical and security reasons it must first be transformed into a key by a key derivation function.
- The algorithm that performs the encryption is called a cipher.
- Ciphertext is the resulting content of an encryption,
the encrypted plaintext.
- A MAC (Message Authentication Code)
or a tag is a piece of information
that is used to ensure, that the information was not modified. This is produced and verified
by a MAC algorithm.
The goal of an authenticated encryption scheme is to provide both privacy and integrity: confidentiality and authenticity of the data.
A common way to achieve authenticity is to use Message Authentication Code (MAC) with a tag. In the public-key cryptography, the same goal is achieved with digital signatures.
Common ways the achieve authenticity are (in historical order):
- encrypt-than-MAC in two separate steps: first encrypt the information, than create a MAC
- using ciphers in special modes of operation: authenticated encryption modes like GCM, CCM or EAX (used here), who do both internally
- or - still less common - using new authenticated cipher from the CAESAR competition, who can do both in one
Ciphertext Integrity (INT-CTXT) and Misuse Resistance
The focus here is on one aspect of the authenticated encryption: The misuse resistance which means that it is not possible to generate a ciphertext that is decrypted except by encrypting a message. The infeasibility to forge ciphertexts guarantees the integrity of the data.
This is called ciphertext integrity (INT-CTXT). In short: An advisory can't tamper or manipulate the ciphertext unnoticed.
Relevance of Authenticity for the PEAsMany attack scenarios, which are to be prevented by authenticated encryption, do not play a role for the PEAs, because they refer either to a server client scenarios or to public key cryptography like:
- Padding Oracle attacks
- Chosen ciphertext attacks: Gathering information by obtaining the decryptions of chosen ciphertexts to recover the encryption key
At first glance, chosen ciphertext attacks do not seem to apply to PEA applications. The data like calendar dates or notes can of course be swapped with any other, if an advisory has access to our device. But then we would just have an unreadable data salad instead of our dates and notes. That would be annoying, but not an advantage for a crook, who might as well delete the data.
But often an advisory can make assumptions about data. For example, if she or he can assume that a note begins with "Give Beloumix $100", she or he can change it easily through a chosen ciphertext attack to "Give Beloumix $999" - without us even noticing.
Or let's say the crook can assume that we store login web pages in our notes. He or she could change the page and intercept our password with a fake page.
Chosen ciphertext attacks assume more preconditions, but they are also possible for symmetric encryption without a server scenario like password encryption. And authentication is only a small additional effort for the developer, which is not noticeable for the user at all.
The Choice of Encryption Methods
The PEAs are using the cipher Threefish in an authenticated mode of operation, the EAX mode.
For security reasons other ciphers would also have been ok, but Threefish runs faster with the programming language and the libraries used here than e.g. AES, and Threefish is not vulnerable to cache-timing attacks.
The EAX mode is the most flexible authenticated mode and allows larger keys than others.