So What Is AEAD? And Why Is It So Important for Encryption?

Alice creates a secret message and ciphers it with her secret key, and then sends this to Bob. He also has the secret key, and so he…
Photo by Brett Jordan on Unsplash

So What Is AEAD? And Why Is It So Important for Encryption?

Alice creates a secret message and ciphers it with her secret key, and then sends this to Bob. He also has the secret key, and so he decrypts it and reveals the secret message. It says “You can take tomorrow as a holiday”. Bob is happy and takes the holiday. Eve, though, has been listening to their communications, and, the next day, resends the ciphered message, even though she cannot read it. Bob takes the next day off, and Alice wonders why he is not at work? Eve has thus performed a replay attack on Alice’s ciphered message. So what we need is to bind the cipher to a network connection or a session, in order that Eve cannot recreate the same scenario.

With enhanced encryption methods, we can both authenticate the cipher and prove its integrity. This is known as Authenticated Encryption with Associated Data (AEAD). For this we provide additional data to authenticate the encryption process, and where we can identify where the ciphertext has been modified, and for it not to be decrypted. With most conventional AEAD methods we create a nonce value and add additional data (AD) that is authenticated but not encrypted. The additional data can include [here]:

addresses, ports, sequence numbers, protocol version numbers, and other fields that indicate how the plaintext or ciphertext should be handled, forwarded, or processed

In this way, we can bind network packets to the encrypted data, and provide integrity, so that an intruder cannot copy and paste valid ciphertext from other transmissions. For example, if we bind to a packet sequence number and the port, the authentication would fail for another sequence number or another port.

AES GCM converts the AES method into a stream cipher. It thus does not need padding and is faster than other modes. GCM also supports AEAD, and where we can add additional data into the cipher, and which can be used to authenticate the cipher. It does this by adding an authentication tag. The additional data might bind the cipher to a given network port or session. This means that an intruder cannot replay a cipher because they cannot create the same additional data. Another popular method ChaCha20/Poly1305, and which also integrate AEAD.

In this case we will generate a 256-bit encryption key and a 96-bit IV (nonce) for ChaCha20/Poly1305 [here]:

extern crate base64;
extern crate hex;
extern crate crypto;
use crypto::{aead::AeadEncryptor, symmetriccipher::{ SynchronousStreamCipher}};
use rustc_serialize::hex::FromHex;
use std::env;
use core::str;
use std::iter::repeat;
fn hex_to_bytes(s: &str) -> Vec {
    s.from_hex().unwrap()
}
fn main() {
let mut mykey="0000000000000000000000000000000000000000000000000000000000000000";
    let mut msg="Hello123456789";
let mut myiv="0000000000000000";
let mut myadd="Additional data";
let args: Vec<String> = env::args().collect();
  
    if args.len() >1 { msg = args[1].as_str();}
    if args.len() >2 { mykey = args[2].as_str();}
    if args.len() >3 { myiv = args[3].as_str();}
    println!("== ChaCha20/Poly1305 ==");
    println!("Message: {:?}",msg);
    println!("Key: {:?}",mykey);
    println!("IV: {:?}",myiv);
    println!("Additional data: {:?}",myadd);
let key=&hex_to_bytes( mykey)[..];
    let iv=&hex_to_bytes( myiv)[..];
    let plain=msg.as_bytes();
    let aad=myadd.as_bytes();

// Encrypting
    let mut c = crypto::chacha20poly1305::ChaCha20Poly1305::new(&key, iv, aad);
    let mut output: Vec = repeat(0).take(plain.len()).collect();
    let mut outtag: Vec = repeat(0).take(16).collect();
    c.encrypt(&plain[..], &mut output[..],&mut outtag[..]);
    println!("\nEncrypted: {}",hex::encode(output.clone()));
    println!("\nTag: {}",hex::encode(outtag.clone()));
// Decrypting
    let mut c = crypto::chacha20poly1305::ChaCha20Poly1305::new(&key, iv,aad);
    let mut newoutput: Vec = repeat(0).take(output.len()).collect();
    c.encrypt(&mut output.clone()[..], &mut newoutput[..],&mut outtag[..]);
    println!("\nDecrypted: {}",str::from_utf8(&newoutput[..]).unwrap());
    
}

In this case, we have simply added the additional message of “additional data”, but we could have easily had taken a session number, a subject field header, so on. Overall the wider the range of additional data, the more difficult it will be for Eve to replicate it. A sample run is [here]:

== ChaCha20/Poly1305 ==
Message: "Hello123456789"
Key: "0000000000000000000000000000000000000000000000000000000000000000"
IV: "0000000000000000"
Additional data: "Additional data"

Encrypted: d7628bd23a600a49ac8fa14b4b14

Tag: e956cf49a523b46f7e9fbfe3fee398bd

Decrypted: Hello123456789

But, that is a random key, and we have the problem of Alice passing this to Bob. We could do this with public key encryption, and where Bob could pass his public key to Alice, and then Alice can encrypt the secret key for him. He can then decrypt with his private key. But Bob and Alice could use a secret passphrase for the generation of the key, and use it whenever they needed to recreate the key. For this, we can use a KDF (Key Derivation Function), and which takes a passphrase (and some salt) and generate an encryption key of a given size.

Conclusions

So, AEAD allows you do bind some additional data into the cipher, and so you can bind the ciphertext, so it cannot be used for other purposes.