
I'm working on a for-fun cryptography project in Java. I'm struggling trying to understand Additional Associated Data use. From Cipher documentation and further online research I understood that AAD are appended to encrypted data and authenticated, but not encrypted. So, they should be readable without encryption key. But I can't understand how, since they seem to be retrieved after cipher initialization, that requires encryption key! Can someone help me? Thank you all in advance!

Artjom B.
Simone Errico
  • *"since they seem to be retrieved after cipher initialization"* - I don't see how that is possible. The API doesn't provide this. I only know of `updateAAD`. Can you show the code you're having trouble with? The *additional authenticated data* needs to be provided along during decryption. You can't retrieve it though. – Artjom B. Mar 22 '16 at 13:59
  • I have no code to show yet, since I'm trying to understand how AAD works first. I myself know only about updateAAD, but as I said it will not work if Cipher is not initialized. – Simone Errico Mar 22 '16 at 15:25

1 Answer


Ok, I finally caught it. AAD are provided to the cipher but do not become part of cipher output! So I must store and handle them separately. Then, when I start decrypting, if they have been corrupted decryption will not work. Now I have everything clear. I'm sorry to have wasted your time :)

Simone Errico
  • This will be changed in PHP 7.1 by the way: https://wiki.php.net/rfc/openssl_aead – Scott Arciszewski Mar 26 '16 at 06:04
  • No need to be sorry, I came here with exactly the same thought process. I'm still not entirely sure why it's not encrypted if it's not retrievable, that seems a tad pointless. – ian Jul 31 '19 at 17:03
  • This is documentation for a specific application, but is somewhat helpful: https://cloud.google.com/kms/docs/additional-authenticated-data (Rant: I'm annoyed by how difficult it is to use basic crypto primitives. Scrounging scraps of code and explanation from random sites and anonymous strangers, to cobble together code with dozens of lines of configuration, seems an exceptionally poor way to do safe crypto. How will we NOT suck at security, under these conditions?) – Erhannis Jan 20 '21 at 14:14
  • Also: my impression is that AAD is basically, an optional extra key that is optionally secret, and available for helping to verify the _circumstances_ of decryption, like username or protocol version, and is sort of a convenience more than a fundamental mechanism. – Erhannis Jan 20 '21 at 14:19
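The point the accepted answer arrives at, shown in working Java as an added example (not code from the question or answer): the AAD goes through `updateAAD` on both sides after `init`, it never appears in the bytes `doFinal` returns, so the application stores it in the clear next to the IV and ciphertext, and a corrupted AAD makes decryption fail with `AEADBadTagException`. The header value `v1;user=alice` is a constructed sample.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
public class AadDemo {
    private static final int GCM_TAG_BITS = 128;
    // AAD is authenticated but never written into the returned ciphertext||tag bytes.
    static byte[] encrypt(SecretKey key, byte[] iv, byte[] aad, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(aad);            // only legal after init() and before doFinal()
        return c.doFinal(plaintext);
    }

    // The caller supplies the same AAD it stored next to the ciphertext.
    static byte[] decrypt(SecretKey key, byte[] iv, byte[] aad, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(aad);
        return c.doFinal(ciphertext); // AEADBadTagException if AAD or ciphertext changed
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);   // fresh IV per encryption under this key

        // Constructed sample header: readable by anyone, bound to this ciphertext by the tag.
        byte[] aad = "v1;user=alice".getBytes(StandardCharsets.UTF_8);
        byte[] ct = encrypt(key, iv, aad, "secret message".getBytes(StandardCharsets.UTF_8));
        // Store or send iv, aad (in the clear) and ct; ct is plaintext length + 16-byte tag.
        System.out.println("ciphertext+tag bytes: " + ct.length + ", AAD not among them");

        System.out.println(new String(decrypt(key, iv, aad, ct), StandardCharsets.UTF_8));

        byte[] tampered = aad.clone();
        tampered[tampered.length - 1] ^= 0x01;  // header corrupted in storage or transit
        try {
            decrypt(key, iv, tampered, ct);
        } catch (AEADBadTagException e) {
            System.out.println("rejected: AAD no longer matches tag");
        }
    }
}
```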