public final class EncryptThenAuthenticate extends Object implements Aead
The Mac is computed over (ad || ciphertext || size of ad), thus it doesn't violate the Horton Principle. This implementation is based on Authenticated Encryption with AES-CBC and HMAC-SHA.
| Constructor and Description |
|---|
| `EncryptThenAuthenticate(IndCpaCipher cipher, Mac mac, int macLength)` |
| Modifier and Type | Method and Description |
|---|---|
| `static Aead` | `create(AesCtrHmacAeadKey key)` Create an AES CTR HMAC instance. |
| `byte[]` | `decrypt(byte[] ciphertext, byte[] associatedData)` Decrypts `ciphertext` with `associatedData` as associated data. |
| `byte[]` | `encrypt(byte[] plaintext, byte[] associatedData)` Encrypts `plaintext` with `associatedData`. |
| `static Aead` | `newAesCtrHmac(byte[] aesCtrKey, int ivSize, String hmacAlgorithm, byte[] hmacKey, int tagSize)` Returns a new `EncryptThenAuthenticate` instance using AES-CTR and HMAC. |
public EncryptThenAuthenticate(IndCpaCipher cipher, Mac mac, int macLength)

public static Aead create(AesCtrHmacAeadKey key) throws GeneralSecurityException
Throws: GeneralSecurityException

public static Aead newAesCtrHmac(byte[] aesCtrKey, int ivSize, String hmacAlgorithm, byte[] hmacKey, int tagSize) throws GeneralSecurityException
Returns a new EncryptThenAuthenticate instance using AES-CTR and HMAC. This is an older method that doesn't use the new Tink keys API, thus the returned instance is not a full primitive. This means that `outputPrefix` is always empty even for TINK/CRUNCHY type keys.
Throws: GeneralSecurityException

public byte[] encrypt(byte[] plaintext, byte[] associatedData) throws GeneralSecurityException
Encrypts plaintext with associatedData. The resulting ciphertext allows for checking authenticity and integrity of associated data (ad), but does not guarantee its secrecy.

The plaintext is encrypted with an IndCpaCipher, then the MAC is computed over (ad || ciphertext || t), where t is ad's length in bits represented as a 64-bit big-endian unsigned integer. The final ciphertext format is (output prefix || ind-cpa ciphertext || mac).

Specified by: encrypt in interface Aead
Parameters:
plaintext - the plaintext to be encrypted. It must be non-null, but can also be an empty (zero-length) byte array
associatedData - associated data to be authenticated, but not encrypted. Associated data is optional, so this parameter can be null. In this case the null value is equivalent to an empty (zero-length) byte array. For successful decryption the same associatedData must be provided along with the ciphertext.
Throws: GeneralSecurityException

public byte[] decrypt(byte[] ciphertext, byte[] associatedData) throws GeneralSecurityException
Decrypts ciphertext with associatedData as associated data. The decryption verifies the authenticity and integrity of associated data (ad), but there are no guarantees with respect to secrecy of that data.

The ciphertext format is output prefix || ciphertext || mac. If present, the correctness of output prefix is verified. The MAC is verified against (ad || ciphertext || t), where t is ad's length in bits represented as a 64-bit big-endian unsigned integer.

Specified by: decrypt in interface Aead
Parameters:
ciphertext - the ciphertext to be decrypted. It must be non-null.
associatedData - associated data to be authenticated. For successful decryption it must be the same as associatedData used during encryption. Can be null, which is equivalent to an empty (zero-length) byte array.
Throws: GeneralSecurityException - if decryption fails. Decryption must fail if ciphertext is not correctly authenticated for the given associatedData.
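
The layout described for encrypt and decrypt above, written out with JDK classes only. This is an added example, not Tink's implementation. Assumptions: the class name `EtaSketch`, an empty output prefix, a 16-byte IV carried as the first bytes of the ind-cpa ciphertext, and an untruncated 32-byte HMAC-SHA256 tag.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
// Added illustration, not Tink code. Output is (iv || AES-CTR ciphertext || tag); sizes are assumptions.
public class EtaSketch {
  static final int IV = 16, TAG = 32;
  // HMAC-SHA256 over (ad || ciphertext || t), t = bit length of ad as a 64-bit big-endian integer.
  static byte[] tag(byte[] macKey, byte[] ad, byte[] ct) throws GeneralSecurityException {
    if (ad == null) ad = new byte[0]; // null associated data is treated as empty
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
    mac.update(ad);
    mac.update(ct);
    mac.update(ByteBuffer.allocate(8).putLong(8L * ad.length).array());
    return Arrays.copyOf(mac.doFinal(), TAG);
  }
  static byte[] ctr(int mode, byte[] key, byte[] iv, byte[] in) throws GeneralSecurityException {
    Cipher c = Cipher.getInstance("AES/CTR/NoPadding");
    c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
    return c.doFinal(in);
  }
  static byte[] encrypt(byte[] encKey, byte[] macKey, byte[] pt, byte[] ad) throws GeneralSecurityException {
    byte[] iv = new byte[IV];
    new SecureRandom().nextBytes(iv); // fresh random IV per message
    byte[] body = ctr(Cipher.ENCRYPT_MODE, encKey, iv, pt);
    byte[] ct = ByteBuffer.allocate(IV + body.length).put(iv).put(body).array();
    return ByteBuffer.allocate(ct.length + TAG).put(ct).put(tag(macKey, ad, ct)).array();
  }
  static byte[] decrypt(byte[] encKey, byte[] macKey, byte[] in, byte[] ad) throws GeneralSecurityException {
    if (in.length < IV + TAG) throw new GeneralSecurityException("ciphertext too short");
    byte[] ct = Arrays.copyOfRange(in, 0, in.length - TAG);
    byte[] t = Arrays.copyOfRange(in, in.length - TAG, in.length);
    // Compare tags in constant time, and only decrypt once the tag has been accepted.
    if (!MessageDigest.isEqual(t, tag(macKey, ad, ct))) throw new GeneralSecurityException("invalid MAC");
    return ctr(Cipher.DECRYPT_MODE, encKey, Arrays.copyOf(ct, IV), Arrays.copyOfRange(ct, IV, ct.length));
  }
  public static void main(String[] args) throws Exception {
    byte[] ek = new byte[16], mk = new byte[32]; // constructed all-zero demo keys, never use in practice
    byte[] c = encrypt(ek, mk, "hello".getBytes(), "hdr".getBytes());
    System.out.println(new String(decrypt(ek, mk, c, "hdr".getBytes())));
    try { decrypt(ek, mk, c, "hd".getBytes()); } catch (GeneralSecurityException e) { System.out.println(e.getMessage()); }
  }
}
```

Because t is part of the MAC input, moving bytes between the end of ad and the start of the ciphertext changes the tag, so the two fields cannot be re-split without detection.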