Merge pull request #176 from reaperhulk/gcm-support

[WIP] GCM support
author: David Reid <dreid@dreid.org> 2013-12-04 14:21:53 -0800
committer: David Reid <dreid@dreid.org> 2013-12-04 14:21:53 -0800
commit: 3029fe414a3dba0231a44e72ddfc398634c173de (patch)
tree: 4cc5e7a8933a6a916bbf7a2712df143d6e2ceb71 /docs/hazmat/primitives/symmetric-encryption.rst
parent: bdb6debe4a9a3ccba6648c56028f849c0e5b6a12 (diff)
parent: 672843712d6b42404fea27a07a87b70d850cc0dd (diff)
download: cryptography-3029fe414a3dba0231a44e72ddfc398634c173de.tar.gz
cryptography-3029fe414a3dba0231a44e72ddfc398634c173de.tar.bz2
cryptography-3029fe414a3dba0231a44e72ddfc398634c173de.zip
1 files changed, 72 insertions, 0 deletions
diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
index edf3c050..8d8d558b 100644
--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
@@ -118,6 +118,36 @@ an "encrypt-then-MAC" formulation as `described by Colin Percival`_.
         :meth:`update` and :meth:`finalize` will raise
         :class:`~cryptography.exceptions.AlreadyFinalized`.
 
+.. class:: AEADCipherContext
+
+    When calling ``encryptor()`` or ``decryptor()`` on a ``Cipher`` object
+    with an AEAD mode you will receive a return object conforming to the
+    ``AEADCipherContext`` interface (in addition to the ``CipherContext``
+    interface). If it is an encryption context it will additionally be an
+    ``AEADEncryptionContext`` interface. ``AEADCipherContext`` contains an
+    additional method ``authenticate_additional_data`` for adding additional
+    authenticated but unencrypted data. You should call this before calls to
+    ``update``. When you are done call ``finalize()`` to finish the operation.
+
+    .. method:: authenticate_additional_data(data)
+
+        :param bytes data: The data you wish to authenticate but not encrypt.
+        :raises: :class:`~cryptography.exceptions.AlreadyFinalized`
+
+.. class:: AEADEncryptionContext
+
+    When creating an encryption context using ``encryptor()`` on a ``Cipher``
+    object with an AEAD mode you will receive a return object conforming to the
+    ``AEADEncryptionContext`` interface (as well as ``AEADCipherContext``).
+    This interface provides one additional attribute ``tag``. ``tag`` can only
+    be obtained after ``finalize()``.
+
+    .. attribute:: tag
+
+        :return bytes: Returns the tag value as bytes.
+        :raises: :class:`~cryptography.exceptions.NotYetFinalized` if called
+                 before the context is finalized.
+
 .. _symmetric-encryption-algorithms:
 
 Algorithms
@@ -295,6 +325,47 @@ Modes
                                         reuse an ``initialization_vector`` with
                                         a given ``key``.
 
+.. class:: GCM(initialization_vector, tag=None)
+
+    .. danger::
+
+        When using this mode you MUST not use the decrypted data until every
+        byte has been decrypted. GCM provides NO guarantees of ciphertext
+        integrity until decryption is complete.
+
+    GCM (Galois Counter Mode) is a mode of operation for block ciphers. An
+    AEAD (authenticated encryption with additional data) mode is a type of
+    block cipher mode that encrypts the message as well as authenticating it
+    (and optionally additional data that is not encrypted) simultaneously.
+    Additional means of verifying integrity (like
+    :doc:`HMAC </hazmat/primitives/hmac>`) are not necessary.
+
+    :param bytes initialization_vector: Must be random bytes. They do not need
+                                        to be kept secret (they can be included
+                                        in a transmitted message). NIST
+                                        `recommends 96-bit IV length`_ for
+                                        performance critical situations, but it
+                                        can be up to 2\ :sup:`64` - 1 bits.
+                                        Do not reuse an ``initialization_vector``
+                                        with a given ``key``.
+
+    :param bytes tag: The tag bytes to verify during decryption. Must be provided
+                      for decryption, but is ignored when encrypting.
+
+    .. doctest::
+
+        >>> from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+        >>> cipher = Cipher(algorithms.AES(key), modes.GCM(iv), backend)
+        >>> encryptor = cipher.encryptor()
+        >>> encryptor.authenticate_additional_data(b"authenticated but not encrypted payload")
+        >>> ct = encryptor.update(b"a secret message") + encryptor.finalize()
+        >>> tag = encryptor.tag
+        >>> cipher = Cipher(algorithms.AES(key), modes.GCM(iv, tag), backend)
+        >>> decryptor = cipher.decryptor()
+        >>> decryptor.authenticate_additional_data(b"authenticated but not encrypted payload")
+        >>> decryptor.update(ct) + decryptor.finalize()
+        'a secret message'
+
 
 Insecure Modes
 --------------
@@ -314,3 +385,4 @@ Insecure Modes
 
 
 .. _`described by Colin Percival`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
+.. _`recommends 96-bit IV length`: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
author	David Reid <dreid@dreid.org>	2013-12-04 14:21:53 -0800
committer	David Reid <dreid@dreid.org>	2013-12-04 14:21:53 -0800
commit	3029fe414a3dba0231a44e72ddfc398634c173de (patch)
tree	4cc5e7a8933a6a916bbf7a2712df143d6e2ceb71 /docs/hazmat/primitives/symmetric-encryption.rst
parent	bdb6debe4a9a3ccba6648c56028f849c0e5b6a12 (diff)
parent	672843712d6b42404fea27a07a87b70d850cc0dd (diff)
download	cryptography-3029fe414a3dba0231a44e72ddfc398634c173de.tar.gz cryptography-3029fe414a3dba0231a44e72ddfc398634c173de.tar.bz2 cryptography-3029fe414a3dba0231a44e72ddfc398634c173de.zip