com.google.crypto.tink.subtle

Class EncryptThenAuthenticate

java.lang.Object

com.google.crypto.tink.subtle.EncryptThenAuthenticate

All Implemented Interfaces:

Aead

public final class EncryptThenAuthenticate
extends Object
implements Aead

This primitive performs an encrypt-then-Mac operation on plaintext and associated data (ad).

The Mac is computed over (ad || ciphertext || size of ad), thus it doesn't violate the Horton Principle. This implementation is based on Authenticated Encryption with AES-CBC and HMAC-SHA.

Since:

1.0.0

Constructor Summary

Constructors

Constructor and Description
EncryptThenAuthenticate(IndCpaCipher cipher, Mac mac, int macLength)

Method Summary

Modifier and Type	Method and Description
byte[]	decrypt(byte[] ciphertext, byte[] associatedData) Decrypts ciphertext with associatedData as associated data.
byte[]	encrypt(byte[] plaintext, byte[] associatedData) Encrypts plaintext with associatedData.
static Aead	newAesCtrHmac(byte[] aesCtrKey, int ivSize, String hmacAlgorithm, byte[] hmacKey, int tagSize) Returns a new EncryptThenAuthenticate instance using AES-CTR and HMAC.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

EncryptThenAuthenticate

public EncryptThenAuthenticate(IndCpaCipher cipher,
                               Mac mac,
                               int macLength)

Method Detail

newAesCtrHmac

public static Aead newAesCtrHmac(byte[] aesCtrKey,
                                 int ivSize,
                                 String hmacAlgorithm,
                                 byte[] hmacKey,
                                 int tagSize)
                          throws GeneralSecurityException

Returns a new EncryptThenAuthenticate instance using AES-CTR and HMAC.

Throws:

GeneralSecurityException

encrypt

public byte[] encrypt(byte[] plaintext,
                      byte[] associatedData)
               throws GeneralSecurityException

Encrypts plaintext with associatedData. The resulting ciphertext allows for checking authenticity and integrity of associated data (ad), but does not guarantee its secrecy.

The plaintext is encrypted with an IndCpaCipher, then MAC is computed over (ad || ciphertext || t) where t is ad's length in bits represented as 64-bit bigendian unsigned integer. The final ciphertext format is (ind-cpa ciphertext || mac).

Specified by:

encrypt in interface Aead

Parameters:

plaintext - the plaintext to be encrypted. It must be non-null, but can also be an empty (zero-length) byte array

associatedData - associated data to be authenticated, but not encrypted. Associated data is optional, so this parameter can be null. In this case the null value is equivalent to an empty (zero-length) byte array. For successful decryption the same associatedData must be provided along with the ciphertext.

Returns:

resulting ciphertext.

Throws:

GeneralSecurityException

decrypt

public byte[] decrypt(byte[] ciphertext,
                      byte[] associatedData)
               throws GeneralSecurityException

Decrypts ciphertext with associatedData as associated data. The decryption verifies the authenticity and integrity of associated data (ad), but there are no guarantees with respect to secrecy of that data.

The ciphertext format is ciphertext || mac. The MAC is verified against (ad || ciphertext|| t) where t is ad's length in bits represented as 64-bit bigendian unsigned integer.

Specified by:

decrypt in interface Aead

Parameters:

ciphertext - the plaintext to be decrypted. It must be non-null.

associatedData - associated data to be authenticated. For successful decryption it must be the same as associatedData used during encryption. Can be null, which is equivalent to an empty (zero-length) byte array.

Returns:

resulting plaintext.

Throws:

GeneralSecurityException