All Downloads are FREE. Search and download functionalities are using the official Maven repository.

de.schlichtherle.crypto.io.raes.package.html Maven / Gradle / Ivy

Go to download

TrueZIP is a Java based Virtual File System (VFS) to enable transparent, multi-threaded read/write access to archive files (ZIP, TAR etc.) as if they were directories. Archive files may be arbitrarily nested and the nesting level is only limited by heap and file system size.

The newest version!




    
    
        

Reads and writes files according to the Random Access Encryption Specification (RAES). RAES is an extensible file format specification which allows fast, transparent random read access to encrypted arbitrary data (the pay load) with multistep authentication.

RAES is extensible, which means that the file header contains a single byte to identify the Type of the RAES file. Each data type specifies the cryptographic parameters required to decrypt or encrypt and authenticate the pay load data when reading or writing files of this type.

Currently, only Type-0 is specified, but more types may be added in future. Note that it is an error for an implementation to process an unknown type.

RAES features transparent random read access to the encrypted data. In order to do so, RAES has some invariants:

  • RAES uses only block ciphers which are operated in Counter Mode (CTR). According to cryptanalysis by the US National Institute of Standards and Technology (NIST), CTR mode is considered to provide a strong level of privacy for the encrypted data.
  • RAES provides two methods to authenticate the pay load:
    1. The first, mandatory method is the cipher Key and text Length Authentication Code (KLAC).
    2. The second, optional method is the well-known Message Authentication Code (MAC) on the full cipher text.

The mandatory KLAC method authenticates the cipher key and the length of the cipher text only. This is a very limited authentication which does not prevent an opponent to modify the contents of the cipher text. However, its processing time is constant (O(1)). Hence, relying on this authentication method alone may be acceptable if the pay load data provides another considerably secure means of authentication.

The optional MAC method authenticates the full cipher text. This is secure and should be used whenever the pay load does not to provide additional means of authentication. However, its processing time is linear to the size of the file (O(n)). Please note that this option does not require the cipher text to be decrypted first, which features comparably fast processing.

An example of a pay load which offers an authentication method by itself is the ZIP file format specification: Entries in a ZIP file are checksummed with CRC-32, which is applied to decompressed (deflated) source data. It is considered computationally infeasible to attack the integrity of a ZIP file which contains only compressed (deflated) entries and has a considerable size (say, at least 512KB) so that after decryption of the archive and decompression (inflation) the CRC-32 value of an entry still matches! This should hold true even though CRC-32 is not at all a good cryptographic hash function because of its frequent collisions, its linear output and small output size. It is the ZIP inflation algorithm which actually comes to its rescue!

RAES types

As said, RAES currently defines only Type-0 files. Type-0 has the following specifications:

  • The encryption scheme is password based according to PKCS #5 V2.0 with key derivation according to PKCS #12 V1.0. The latter allows to use Unicode password characters.
  • The cipher algorithm is the Advanced Encryption Standard (AES) with a key length of 128, 192 or 256 bits.
  • The salt is the same length as the cipher key length.
  • The digest used to derive the cipher key, Initialization Vector (IV) and authentication codes is the Secure Hash Algorithm (SHA) Version 2 with 256 bits output length.

As usual with PKCS #12 the Initialization Vector (IV) for the CTR mode is derived from the password, the salt and the counter by the same Pseudo Random Number Generation (PRNG) function which is also used to derive the cipher key - so SHA-256.

Type 0 also supports the use of key files instead of passwords. If a key file is used for encryption, the first 512 bytes of the file are decoded into 16 bit Unicode characters in big endian format (without the byte order indicator) so that the byte order is preserved when the resulting character array is then again encoded into a byte array according to PKCS #12.

A file which shall be used as a key file for encryption must not be shorter than 512 bytes. However, in order to provide a certain level of fault tolerance for bogus RAES implementations, when using a key file for decryption an implementation is only required to assert that no more than the first 512 bytes of the key file are used. So the key file may actually be shorter.

As an optional step, an implementation should also check whether the key file used for encryption is a reasonably good source of entropy. The easiest way to achieve this is to use a compression API like J2SE's {@link java.util.zip.Deflater}. After compression, the result should be no shorter than the maximum key size (256 bits). Assuming a worst-case overhead for the deflater's algorithm of 100%, the minimum number of compressed bytes for the first 512 bytes of a key file should be no less than 2 * 256 / 8 = 64 bytes.





© 2015 - 2024 Weber Informatics LLC | Privacy Policy