Privacy and Integrity - Confidentiality and Authenticity of Data

Confidentiality means that no one can read your data without the key (here: without knowing or guessing the correct password). Encryption alone, without any authentication, already provides this.

Almost all encryption applications provide confidentiality, provided they do not use outdated algorithms like DES or RC4 and do not contain implementation errors.

What encryption on its own does not guarantee is the authenticity of the data.

Some Short Definitions about Encryption and Authentication

There are a few terms that are important when it comes to encryption and authentication:

Authenticated Encryption

The goal of an authenticated encryption scheme is to provide both privacy and integrity: confidentiality and authenticity of the data.

A common way to achieve authenticity is a Message Authentication Code (MAC), which produces an authentication tag that is stored or transmitted together with the ciphertext. In public-key cryptography the same goal is achieved with digital signatures.

Common ways to achieve authenticity are (in historical order):

  1. encrypt-then-MAC in two separate steps: first encrypt the data, then compute a MAC over the ciphertext (the other two orders, MAC-then-encrypt and encrypt-and-MAC, are known to be weaker compositions)
  2. using a block cipher in a special mode of operation: authenticated encryption modes like GCM, CCM or EAX (used here), which do both internally
  3. or - still less common - using the new authenticated ciphers from the CAESAR competition, which do both in a single primitive

Ciphertext Integrity (INT-CTXT) and Misuse Resistance

The focus here is on one aspect of authenticated encryption, which the PEA documentation calls misuse resistance: it must be infeasible to produce a ciphertext that decrypts successfully other than by encrypting a message with the key. The infeasibility of forging ciphertexts guarantees the integrity of the data. (Note that in the cryptographic literature "misuse resistance" usually means nonce-misuse resistance, a different property; EAX, like GCM and CCM, does not have it, so a nonce must never be reused under the same key.)

This property is called ciphertext integrity (INT-CTXT). In short: an adversary cannot tamper with or manipulate the ciphertext unnoticed.

Relevance of Authenticity for the PEAs

Many of the attack scenarios that authenticated encryption is meant to prevent do not apply to the PEAs, because they refer either to client-server scenarios or to public-key cryptography, such as:

At first glance, chosen ciphertext attacks do not seem to apply to the PEA applications. Data like calendar entries or notes can of course be swapped for other data if an adversary has access to our device. But then we would simply find unreadable garbage instead of our entries and notes. That would be annoying, but of no advantage to a crook, who might just as well delete the data.

But often an adversary can make assumptions about the data. For example, if she or he can assume that a note begins with "Give Beloumix $100", she or he can easily change it to "Give Beloumix $999" by manipulating the ciphertext - without us noticing. In a stream or counter mode, flipping the corresponding ciphertext bits achieves exactly this, without knowledge of the key.

Or let's say the crook can assume that we store the addresses of login pages in our notes. He or she could change such an address to point to a fake login page and capture our password there.

Such attacks require more preconditions, but they are also possible against symmetric, password-based encryption without any server involved. And authentication is only a small additional effort for the developer, one that is not noticeable to the user at all.
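The following is an added example, not code from PeaFactory. It demonstrates, in runnable Python using only the standard library, the two points made above: first the "$100 to $999" manipulation of an unauthenticated ciphertext, then how the encrypt-then-MAC composition (item 1 of the list above) gives ciphertext integrity (INT-CTXT) and rejects the same manipulation. Assumptions: the cipher is a counter-mode stream built from HMAC-SHA256 as the PRF (a stand-in for CTR mode of any block cipher; Threefish and EAX are not implemented here), the 32-byte master key is assumed to come from a password KDF that is out of scope, and the note text is a constructed sample.

```python
import hashlib
import hmac
import os
import struct

KEY_LEN = 32      # master key, assumed to come from a password KDF (not shown)
NONCE_LEN = 16
TAG_LEN = 32      # full HMAC-SHA256 output


def derive_subkeys(key):
    """Derive independent encryption and MAC keys from the master key.
    Using one key for both cipher and MAC is a classic mistake; HMAC with
    distinct labels keeps the two keys independent."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    enc_key = hmac.new(key, b"encryption", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """Counter-mode keystream: block i = HMAC-SHA256(enc_key, nonce || i).
    Stand-in for CTR mode of a block cipher; the malleability shown below is a
    property of every XOR-based stream mode, not of this particular PRF."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_unauthenticated(key, nonce, plaintext):
    """Confidentiality only: XOR with the keystream. No integrity at all."""
    enc_key, _ = derive_subkeys(key)
    return bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))


decrypt_unauthenticated = encrypt_unauthenticated  # XOR is its own inverse


def flip_known_plaintext(ciphertext, offset, known, desired):
    """Attacker's step, without the key: turn `known` into `desired` at `offset`.
    XORing the ciphertext with (known XOR desired) XORs the plaintext the same way."""
    if len(known) != len(desired):
        raise ValueError("known and desired must have equal length")
    ct = bytearray(ciphertext)
    for i in range(len(known)):
        ct[offset + i] ^= known[i] ^ desired[i]
    return bytes(ct)


def encrypt_then_mac(key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext; output nonce || ct || tag."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    _, mac_key = derive_subkeys(key)
    ct = encrypt_unauthenticated(key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_then_verify(key, blob):
    """Verify the tag in constant time BEFORE decrypting; reject on any change."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    _, mac_key = derive_subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext was modified")
    return decrypt_unauthenticated(key, nonce, ct)


NOTE = b"Give Beloumix $100"  # constructed sample note, as in the text


def attack_unauthenticated(key, nonce):
    """What the victim reads after the attacker edits an unauthenticated note."""
    ct = encrypt_unauthenticated(key, nonce, NOTE)
    forged = flip_known_plaintext(ct, NOTE.index(b"$100") + 1, b"100", b"999")
    return decrypt_unauthenticated(key, nonce, forged)


def attack_authenticated(key, nonce):
    """The same manipulation against encrypt-then-MAC output: 'accepted' or 'rejected'."""
    blob = encrypt_then_mac(key, nonce, NOTE)
    forged = flip_known_plaintext(blob, NONCE_LEN + NOTE.index(b"$100") + 1, b"100", b"999")
    try:
        decrypt_then_verify(key, forged)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    key, nonce = os.urandom(KEY_LEN), os.urandom(NONCE_LEN)
    print("unauthenticated:  ", attack_unauthenticated(key, nonce))  # Give Beloumix $999
    print("encrypt-then-MAC: ", attack_authenticated(key, nonce))    # rejected
```

The attacker in this example never touches the key: knowing only the layout of the plaintext is enough to rewrite the amount in the unauthenticated variant. With the MAC in place, any change to the nonce or ciphertext fails the constant-time tag check and decryption is refused before a single byte of plaintext is released, which is exactly the INT-CTXT guarantee described above.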

The Choice of Encryption Methods

The PEAs use the Threefish cipher in an authenticated mode of operation, the EAX mode.

From a security standpoint other ciphers would have been equally acceptable, but Threefish runs faster with the programming language and the libraries used here than e.g. AES, and Threefish, consisting only of additions, rotations and XORs with no table lookups, is not vulnerable to cache-timing attacks, unlike table-based software implementations of AES.

The EAX mode is the most flexible of the authenticated modes: it works with any block size (GCM and CCM are defined for 128-bit blocks only), so it can be used with Threefish's 256-, 512- or 1024-bit blocks and the correspondingly large keys.
