AuthenticatedDecryptionFilter is the concrete object for authenticated encryption (AE) and authenticated encryption with additional data (AEAD). The filter combines a block cipher operated in an appropriate mode with a HashFilter for authenticated encryption. Currently, the two modes of operation that can be utilized by this filter are CCM and GCM.
The filter allows input of both confidential data (data to be encrypted or decrypted) and additional authenticated data (plain text data to be authenticated). The confidential data, on the primary channel, has both encryption and authentication applied to it. The additional authenticated data (aad), presented to the filter on the AAD channel, has only authentication assurances.
Unlike StreamTransformationFilter, the AuthenticatedDecryptionFilter requires a counterpart for the encryption and authentication process - the AuthenticatedEncryptionFilter. The wiki also has a AadSource example to pump both confidential data and aad to an AuthenticatedDecryptionFilter.
Crypto++ 8.2 and earlier had a bug in AuthenticatedDecryptionFilter where using a FileSource would cause an exception; but a StringSource was OK. The bug was fixed at Commit ff110c6e183e. Also see Issue 817.
AuthenticatedDecryptionFilter(AuthenticatedSymmetricCipher &c, BufferedTransformation *attachment = NULL, word32 flags = DEFAULT_FLAGS, int truncatedDigestSize=-1, BlockPaddingScheme padding = DEFAULT_PADDING);
The third parameter, flags, can be any of the following; however MAC_AT_BEGIN and MAC_AT_END are mutually exclusive.
- DEFAULT_FLAGS = THROW_EXCEPTION | MAC_AT_END
- MAC_AT_END (0)
- specifies the mac is inserted after the additional authenticated data (aad) and cipher text data
- MAC_AT_BEGIN (1)
- specifies the mac is inserted before the additional authenticated data (aad) and cipher text data
- THROW_EXCEPTION (16)
The fourth parameter, truncatedDigestSize, is used by the HashFilter to truncate the digest size. Only GCM mode should use this parameter, as simple truncation works as expected. CCM, which uses a formatting function, requires the digest size to be known at compile time and declared as a template parameter. So CCM mode should not change the default value.
The final parameter, padding, allows you to specify padding. Depending on the mode, the value may (or may not) have an effect.
The tag sizes are not always in the realm of construction (due to CCM's formatting function), however, it is appropriate to list their default values when discussing constructors. The default tag size for an AuthenticatedDecryptionFilter using both CCM and GCM is 16 bytes.
const int TAG_SIZE = 12 /*96 bits*/; CCM< AES, TAG_SIZE >::Decryption d; d.SetKeyWithIV(key, key.size(), iv, iv.size()); d.SpecifyDataLengths( ... ); AuthenticatedDecryptionFilter df( d, new StringSink( recovered) /* THROW_EXCEPTION | MAC_AT_END is default */ ); // AuthenticatedEncryptionFilter ... // If verification fails, catch a // HashVerificationFailed exception
const int TAG_SIZE = 12 /*96 bits*/; GCM< AES >::Decryption d; d.SetKeyWithIV(key, key.size(), iv, iv.size()); AuthenticatedDecryptionFilter df( d, new StringSink( recovered ), DEFAULT_FLAGS, TAG_SIZE ); // AuthenticatedEncryptionFilter ...
EAX-AE-Test.zip - EAX Test using only confidential data - 4KB
EAX-AEAD-Test.zip - EAX Test using both aad and confidential data - 7KB