3

I have some doubts regarding AEAD ciphersuites and I need some clarification. In the following ciphersuites list:

dhe_rsa_aes_128_sha
dhe_rsa_aes_256_sha
ecdhe_ecdsa_aes_128_gcm_sha256
ecdhe_ecdsa_aes_128_sha
ecdhe_ecdsa_aes_256_gcm_sha384
ecdhe_ecdsa_aes_256_sha
ecdhe_ecdsa_chacha20_poly1305_sha256
ecdhe_rsa_aes_128_gcm_sha256
ecdhe_rsa_aes_128_sha
ecdhe_rsa_aes_256_gcm_sha384
ecdhe_rsa_aes_256_sha
ecdhe_rsa_chacha20_poly1305_sha256
rsa_aes_128_sha
rsa_aes_256_sha
rsa_des_ede3_sha

I have some questions:

  1. Can you help me identify the ciphersuites that provide Authenticated Encryption with Associated Data (AEAD) from those that do not?

  2. Do GCM and Poly1305 ciphers indicate AEAD, while the rest of the ciphers do not provide it? Can you list all the AEAD algorithms?

  3. Is it always the case that AE ciphersuites must also be Forward Secrecy ciphersuites? Or is there no relation that binds the two?

  4. Is Authenticated Encryption (AE) the same as AEAD? Or are they different terms?

Mike Edward Moras
user6875880

2 Answers

5

Can you help me identify the ciphersuites that provide Authenticated Encryption with Associated Data (AEAD) from those that do not?

All which explicitly name gcm or chacha20_poly1305 are AEAD ciphersuites. The others use the TLS default which is MAC-then-encrypt with CBC.

Is it always the case that AE ciphersuites must also be Forward Secrecy ciphersuites?

There's no technical reason that forces this to be the case. In fact RFC 5487 defines TLS_PSK_WITH_AES_128_GCM_SHA256 which uses AES-GCM (AEAD) but doesn't offer forward-secrecy. And if you don't accept a PSK suite as an answer here, RFC 5288 defines TLS_RSA_WITH_AES_128_GCM_SHA256, which uses RSA key-transport (and thus offers no forward secrecy).

However, AEAD is what some people call "modern crypto". And as such it is usually paired with other "modern crypto", which does usually mean that you prefer to use forward-secrecy with AEAD suites and only have the non-forward secrecy ones for fallback, after all, clients who implement AES-GCM will also have all the other modern crypto like ECDHE.

Is Authenticated Encryption (AE) the same as AEAD? Or are they different terms?

Technically yes. An AE scheme only needs to deliver authenticated encryption of the plaintext, the AEAD scheme also needs to authenticate data as well, so every AEAD scheme is also an AE scheme but not the other way around. Practically however, I am not aware of any scheme that is practically used and is AE but not AEAD (and even then, conversion would be quite simple).

SEJPM
4

An AEAD cipher is a construction where additional authenticated data (AD or AAD) is authenticated together with the IV and ciphertext. Decryption will fail if the authentication tag is validated correctly.

It is perfectly possible to generate an AEAD cipher using normal constructs. There was even a proposal to standardize AES in CBC mode with HMAC as an AEAD cipher. The combination of ChaCha20 and Poly1305 is described in RFC 7539: ChaCha20 and Poly1305 for IETF Protocols, chapter 2.8: AEAD Construction.

Just using both encryption and authentication in the same protocol is however not enough; the idea is that the authenticated cipher provides confidentiality, integrity and authenticity of the message in itself.

GCM is a mix of AES in counter mode (CTR) and GMAC internally.

Q 1 & 2: Identification of cipher suites

In your cipher suite list only the suites with gcm and chacha20_poly1305 are considered AEAD cipher suites.

Q: 3. Is it always the case that AE ciphersuites must also be Forward Secrecy ciphersuites? Or is there no relation that binds the two?

There is no direct relation besides the fact that the use of authenticated encryption and forward secrecy both are modern concepts that deliver more - or at least less brittle - security. So they are often used together and in TLS 1.3 they are even required (at least in the original proposals, for initial session key establishment).

Q: 4. Is Authenticated Encryption (AE) the same as AEAD? Or are they different terms?

AEAD ciphers are a subset of AE ciphers. But it is quite common that AE ciphers provide AEAD functionality, so they may/could be used synonymously.

AE may for instance be used whenever the authentication needs to be stressed rather than the fact that additional authentication data may be present, such as in "because the cipher suite uses authenticated encryption (AE), padding oracle attacks are not possible".

Maarten Bodewes
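The AE/AEAD distinction discussed in both answers, as an added example that is not part of the original posts: AES-128-GCM from Go's standard library, where the associated data is sent in the clear but covered by the tag, and plain AE is the same call with empty associated data. The key, nonce, header string and the helper names `seal` and `open` are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample values. A real protocol derives the key from the
// handshake and must never reuse a nonce under the same key.
var (
	sampleKey   = bytes.Repeat([]byte{0x42}, 16) // AES-128 key
	sampleNonce = make([]byte, 12)               // 96-bit GCM nonce
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // CTR encryption plus a GMAC-style tag
}

// seal returns ciphertext || 16-byte tag. ad is authenticated, not encrypted.
func seal(key, nonce, plaintext, ad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, ad), nil
}

// open returns an error if ciphertext, tag, nonce or ad differ from seal time.
func open(key, nonce, sealed, ad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, ad)
}

func main() {
	header := []byte("seq=7;type=appdata") // hypothetical cleartext record header
	sealed, _ := seal(sampleKey, sampleNonce, []byte("hello"), header)
	pt, err := open(sampleKey, sampleNonce, sealed, header)
	fmt.Printf("intact: %q err=%v\n", pt, err)
	_, err = open(sampleKey, sampleNonce, sealed, []byte("seq=8;type=appdata"))
	fmt.Println("modified associated data:", err)
}
```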