4
$\begingroup$

If I'm encrypting very short/small data - like an int or a long (32 or 64 bits), does it make any sense to authenticate the ciphertext, when using an "online" mode of operation (like EAX)?

Essentially, guessing the plain text would (assuming no weaknesses in either the encryption or the authentication) be easier than forging the authentication tag if the plain text is shorter than the block size of the cipher - or equally hard if truncating the tag to the same length as the data when using EAX.

Are there any scenarios in which tags longer than the data would be useful? (Or are there any actual research results on this?)

Does any of this change if the key with which the individual ints are encrypted changes?

Improve this question
$\endgroup$

1 Answer 1

Reset to default
7
$\begingroup$

First, the fact that the data is "easy" to guess (in the sense that an attacker has a one-in-2^32 or a one-in-2^64 chance of guessing correctly) doesn't mean much if the attacker has no way of checking if his guess is correct. Or at least, it's not a problem with the cryptography.

Second, even if he does have that ability, the problem of protecting your data's secrecy is separate from the problem of protecting its authenticity. For example, it might be bad if an attacker can deduce that a message says "Yes", but it might be even worse if he can then tamper with the message so it now says "No".

In this example, the message itself was effectively only one bit long, but it definitely would make sense to have a long (e.g., 128 bit) authentication tag!

To answer your final question: No. As long as each key is random, then periodically changing your key is not a problem. In fact, in many situations it's recommended in order to limit how much data gets compromised if an attacker manages to obtain the current key.

Improve this answer
$\endgroup$
3
  • $\begingroup$ What if i dont want the tags for authentication and just the length preserving short block encryption is needed ? any suggestions apart from FPE techniques ? $\endgroup$ Commented Sep 19, 2014 at 9:49
  • 2
    $\begingroup$ Length-preserving schemes are by definition FPE. But if bandwidth is an issue, you can get very short authenticated ciphertexts by using encode-then-encipher (seclab.cs.ucdavis.edu/papers/Rogaway/encode.pdf). If you pad your 64-bit payload with 0s until it's 128 bits long and encrypt using AES (in ECB mode, no IV), then you can check authenticity by verifying that the padding is all 0s when you decrypt. Some warnings: (1) an attacker will be able to learn if a message is repeated (2) this only works if messages are significantly shorter than the AES block length (128 bits). $\endgroup$ Commented Sep 19, 2014 at 17:04
  • 1
    $\begingroup$ Addendum: I should probably also note that this approach won't protect you against replay attacks. While this is true of authenticated encryption in general, it's a harder problem to solve if messages are too short to include a monotonically increasing counter or some other protocol-level countermeasure. Without knowing more context, it's hard to know what threats you should be concerned with. $\endgroup$ Commented Sep 19, 2014 at 17:18

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.