# AuthenticatedEncryptionFilter

 Documentation #include

AuthenticatedEncryptionFilter is the concrete filter object for authenticated encryption (AE) and authenticated encryption with additional data (AEAD). The filter combines a block cipher operated in an appropriate mode with a HashFilter for authenticated encryption. Currently, the three modes of operation that can be utilized by this filter are CCM, EAX and GCM.

The filter allows input of both confidential data (data to be encrypted or decrypted) and additional authenticated data (plain text data to be authenticated). The confidential data, on the primary channel, has both encryption and authentication applied to it. The additional authenticated data (aad), presented to the filter on the AAD channel, has only authentication assurances.

The output of the filter is a concatenation of both encrypted data (from the confidential data alone), and an authenticity tag over both the confidential data and aad data. In the case of GCM, the tag is a truncation of a 128-bit MAC. CCM uses the tag size as an input parameter to the formatting function. So a change in the CCM tag size results in a change in the CCM MAC value which results in a change to CCM's final tag value.

Unlike StreamTransformationFilter, the AuthenticatedEncryptionFilter requires a counterpart for the decrpytion and verfication process - the AuthenticatedDecryptionFilter. The wiki also has a AadSource example to pump both confidential data and aad to an AuthenticatedEncryptionFilter.

Crypto++ 8.2 and earlier had a bug in AuthenticatedDecryptionFilter where using a FileSource would cause an exception; but a StringSource was OK. The bug was fixed at Commit ff110c6e183e. Also see Issue 817.

Sources, filters and sinks are discussed at Pipelining. The pipeline article explains the design and shows you how to use them.

## Constructor

AuthenticatedEncryptionFilter(AuthenticatedSymmetricCipher &c,
BufferedTransformation *attachment = NULL, bool putAAD=false,
int truncatedDigestSize=-1, const std::string &macChannel=DEFAULT_CHANNEL,
BlockPaddingScheme padding=DEFAULT_PADDING);

The AuthenticatedSymmetricCipher will be a CCM mode, EAX mode or GCM mode object. As is customary with Crypto++, a BufferedTransformation is available for pipelining as the second parameter. The third parameter, putAAD, is passed directly to the HashFilter.

The fourth parameter, truncatedDigestSize, is used by the HashFilter to truncate the digest size. Only GCM mode should use this parameter, as a simple truncation works as expected. CCM, which uses a formatting function, requires the digest size to be known at compile time and declared as a template parameter. So CCM mode should not change the default value.

The final two parameters, macChannel and padding, should not be modified. Depending on the mode, the padding value may (or may not) have an effect.

While the tag sizes are not always in the realm of construction (due to CCM's formatting function), it is appropriate to list their default values when discussing constructors. The default tag size for an AuthenticatedEncryptionFilter using both CCM and GCM is 16 bytes.

## Sample Programs

### CCM Mode

The first sample demonstrates using the AuthenticatedEncryptionFilter with CCM mode. Recall that the tag size must be a template parameter when using CCM.

const int TAG_SIZE = 12 /*96 bits*/;

CCM< AES, TAG_SIZE >::Encryption e;
e.SetKeyWithIV(key, key.size(), iv, iv.size());
e.SpecifyDataLengths( ... );

AuthenticatedEncryptionFilter ef( e,
new StringSink( cipher )
); // AuthenticatedEncryptionFilter

...

### GCM Mode

The second sample demonstrates using the AuthenticatedEncryptionFilter with GCM mode. Recall that the tag size is passed as a parameter to the AuthenticatedEncryptionFilter during construction.

const int TAG_SIZE = 12 /*96 bits*/;

GCM< AES >::Encryption e;
e.SetKeyWithIV(key, key.size(), iv, iv.size());

AuthenticatedEncryptionFilter ef( e,
new StringSink( cipher ), false, TAG_SIZE
); // AuthenticatedEncryptionFilter

...