Struct tink_daead::subtle::AesSiv
source · pub struct AesSiv { /* private fields */ }
Expand description
AesSiv
is an implementation of AES-SIV-CMAC as defined in
RFC 5297.
AesSiv
implements a deterministic encryption with additional data (i.e. the
DeterministicAEAD
trait). Hence the implementation below is restricted
to one AD component.
Security Note:
Chatterjee, Menezes and Sarkar analyze AES-SIV in Section 5.1 of “Another Look at Tightness”
Their analysis shows that AES-SIV is susceptible to an attack in a multi-user setting. Concretely, if an attacker knows the encryption of a message m encrypted and authenticated with k different keys, then it is possible to find one of the MAC keys in time 2^b / k where b is the size of the MAC key. A consequence of this attack is that 128-bit MAC keys give unsufficient security. Since 192-bit AES keys are not supported by tink for voodoo reasons and RFC 5297 only supports same size encryption and MAC keys this implies that keys must be 64 bytes (2*256 bits) long.
Implementations§
Trait Implementations§
source§impl DeterministicAead for AesSiv
impl DeterministicAead for AesSiv
source§fn encrypt_deterministically(
&self,
plaintext: &[u8],
additional_data: &[u8]
) -> Result<Vec<u8>, TinkError>
fn encrypt_deterministically( &self, plaintext: &[u8], additional_data: &[u8] ) -> Result<Vec<u8>, TinkError>
additional_data
as additional authenticated data.
The resulting ciphertext allows for checking authenticity and integrity of additional
data additional_data
, but there are no guarantees wrt. secrecy of that data.source§fn decrypt_deterministically(
&self,
ciphertext: &[u8],
additional_data: &[u8]
) -> Result<Vec<u8>, TinkError>
fn decrypt_deterministically( &self, ciphertext: &[u8], additional_data: &[u8] ) -> Result<Vec<u8>, TinkError>
additional_data
as
additional authenticated data. The decryption verifies the authenticity and integrity
of the additional data, but there are no guarantees wrt. secrecy of that data.