Package com.google.crypto.tink

Interface StreamingAead

  • All Known Implementing Classes:
    AesCtrHmacStreaming, AesGcmHkdfStreaming, LegacyFullStreamingAead
    public interface StreamingAead
    An interface for streaming authenticated encryption with associated data.

    Streaming encryption is typically used for encrypting large plaintexts such as large files. Tink may eventually contain multiple interfaces for streaming encryption depending on the supported properties. This interface supports a streaming interface for symmetric encryption with authentication. The underlying encryption modes are selected so that partial plaintext can be obtained fast by decrypting and authenticating just a part of the ciphertext.

    Security guarantees

    Instances of StreamingAead must follow the nOAE definition as proposed in the paper "Online Authenticated-Encryption and its Nonce-Reuse Misuse-Resistance" by Hoang, Reyhanitabar, Rogaway and Vizár https://eprint.iacr.org/2015/189.pdf

    Restrictions

    Encryption must be done in one session. There is no possibility to modify an existing ciphertext or append to it (other than reencrypt the whole file again). One reason for this restriction is the use of AES-GCM as one cipher to implement this interface. If single segments are modified then this is equivalent to reusing the same IV twice, but reusing an IV twice leaks an AES-GCM key. Another reason is that implementations of this interface have no protection against roll-back attacks: an attacker can always try to restore a previous version of the file without detection.

    Blocking vs non-blocking I/O

    A channel can be in a blocking mode (i.e. always waits until the requested number of bytes have been processed) or non-blocking mode (i.e. I/O operation will never block and may transfer fewer bytes than were requested or possibly no bytes at all).

    If the channel provided to the streaming encryption is in blocking mode then encryption and decryption have the same property. That is, encryption always processes all the plaintext passed in, and waits until complete segments have been written to the ciphertext channel (incomplete segment, if any, is buffered). Similarly, decryption blocks until sufficiently many bytes have been read from the ciphertext channel so that all the requested plaintext can be decrypted and authenticated, or until the end of the plaintext has been reached, or an IOException occurred.

    If the channel provided to the streaming encryption is in non-blocking mode, then encryption and decryption are also non-blocking. Since encryption and decryption is done in segments it is possible that for example a call attempting to read() returns no plaintext at all even if partial ciphertext was read from the underlying channel.

    Sample encryption

    
 StreamingAead s = ...
 java.nio.channels.FileChannel ciphertextDestination =
     new FileOutputStream(ciphertextFile).getChannel();
 byte[] aad = ...
 WritableByteChannel encryptingChannel = s.newEncryptingChannel(ciphertextDestination, aad);
 while ( ... ) {
   int r = encryptingChannel.write(buffer);
   ...
 }
 encryptingChannel.close();

    Sample full decryption

    
 StreamingAead s = ...
 java.nio.channels.FileChannel ciphertextSource =
     new FileInputStream(ciphertextFile).getChannel();
 byte[] aad = ...
 ReadableByteChannel decryptingChannel = s.newDecryptingChannel(ciphertextSource, aad);
 int chunkSize = ...
 ByteBuffer buffer = ByteBuffer.allocate(chunkSize);
 do {
   buffer.clear();
   int cnt = decryptingChannel.read(buffer);
   if (cnt > 0) {
     // Process cnt bytes of plaintext.
   } else if (read == -1) {
     // End of plaintext detected.
     break;
   } else if (read == 0) {
     // No ciphertext is available at the moment.
   }
 }
    Since:
    1.1.0

    • Method Summary

      All Methods Instance Methods Abstract Methods 
      Modifier and Type Method Description
      java.nio.channels.ReadableByteChannel newDecryptingChannel​(java.nio.channels.ReadableByteChannel ciphertextSource, byte[] associatedData)  
      java.io.InputStream newDecryptingStream​(java.io.InputStream ciphertextSource, byte[] associatedData)
      Returns a wrapper around ciphertextSource, such that any read-operation via the wrapper results in AEAD-decryption of the underlying ciphertext, using associatedData as associated authenticated data.
      java.nio.channels.WritableByteChannel newEncryptingChannel​(java.nio.channels.WritableByteChannel ciphertextDestination, byte[] associatedData)
      Returns a WritableByteChannel for plaintext.
      java.io.OutputStream newEncryptingStream​(java.io.OutputStream ciphertextDestination, byte[] associatedData)
      Returns a wrapper around ciphertextDestination, such that any write-operation via the wrapper results in AEAD-encryption of the written data, using associatedData as associated authenticated data.
      java.nio.channels.SeekableByteChannel newSeekableDecryptingChannel​(java.nio.channels.SeekableByteChannel ciphertextSource, byte[] associatedData)
      Returns a SeekableByteChannel that allows to access the plaintext.

    • Method Detail

      • newEncryptingChannel

        java.nio.channels.WritableByteChannel newEncryptingChannel​(java.nio.channels.WritableByteChannel ciphertextDestination,
                                                           byte[] associatedData)
                                                    throws java.security.GeneralSecurityException,
                                                           java.io.IOException
        Returns a WritableByteChannel for plaintext. Any data written to the returned channel will be encrypted and the resulting ciphertext written to the provided ciphertextDestination
        Parameters:
        ciphertextDestination - the channel to which the ciphertext is written.
        associatedData - data associated with the plaintext. This data is authenticated but not encrypted. It must be passed into the decryption.
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException

      • newSeekableDecryptingChannel

        java.nio.channels.SeekableByteChannel newSeekableDecryptingChannel​(java.nio.channels.SeekableByteChannel ciphertextSource,
                                                                   byte[] associatedData)
                                                            throws java.security.GeneralSecurityException,
                                                                   java.io.IOException
        Returns a SeekableByteChannel that allows to access the plaintext.

        This method does not work on Android Marshmallow (API level 23) or older because these Android versions don't have the java.nio.channels.SeekableByteChannel interface.

        Parameters:
        ciphertextSource - the ciphertext
        associatedData - the data associated with the ciphertext.
        Returns:
        SeekableByteChannel that allows random read access to the plaintext. The following methods of SeekableByteChannel are implemented:
        • long position() Returns the channel's position in the plaintext.
        • SeekableByteChannel position(long newPosition) Sets the channel's position. Setting the position to a value greater than the plaintext size is legal. A later attempt to read byte will immediately return an end-of-file indication.
        • int read(ByteBuffer dst) Bytes are read starting at the channel's position, and then the position is updated with the number of bytes actually read. All bytes returned have been authenticated. If the end of the stream has been reached -1 is returned. A result of -1 is authenticated (e.g. by checking the MAC of the last ciphertext chunk.) A call to this function attempts to fill dst, but it may return fewer bytes than requested, e.g. if the underlying ciphertextSource does not provide the requested number of bytes or if the plaintext ended.

          Throws IOException if a MAC verification failed. TODO: Should we extend the interface with read(ByteBuffer dst, long position) to avoid race conditions?

        • long size() Returns the size of the plaintext. TODO: Decide whether the result should be authenticated)
        • SeekableByteChannel truncate(long size) throws NonWritableChannelException because the channel is read-only.
        • int write(ByteBuffer src) throws NonWritableChannelException because the channel is read-only.
        • close() closes the channel
        • isOpen()
        Throws:
        java.security.GeneralSecurityException - if the header of the ciphertext is corrupt or if associatedData is not correct.
        java.io.IOException - if an IOException occurred while reading from ciphertextDestination.

      • newDecryptingChannel

        java.nio.channels.ReadableByteChannel newDecryptingChannel​(java.nio.channels.ReadableByteChannel ciphertextSource,
                                                           byte[] associatedData)
                                                    throws java.security.GeneralSecurityException,
                                                           java.io.IOException
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException

      • newEncryptingStream

        java.io.OutputStream newEncryptingStream​(java.io.OutputStream ciphertextDestination,
                                         byte[] associatedData)
                                  throws java.security.GeneralSecurityException,
                                         java.io.IOException
        Returns a wrapper around ciphertextDestination, such that any write-operation via the wrapper results in AEAD-encryption of the written data, using associatedData as associated authenticated data. The associated data is not included in the ciphertext and has to be passed in as parameter for decryption.
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException

      • newDecryptingStream

        java.io.InputStream newDecryptingStream​(java.io.InputStream ciphertextSource,
                                        byte[] associatedData)
                                 throws java.security.GeneralSecurityException,
                                        java.io.IOException
        Returns a wrapper around ciphertextSource, such that any read-operation via the wrapper results in AEAD-decryption of the underlying ciphertext, using associatedData as associated authenticated data.

        The returned InputStream may support mark()/reset(), but does not have to do it -- markSupported() provides the corresponding info.

        The returned InputStream supports skip(), yet possibly in an inefficient way, i.e. by reading a sequence of blocks until the desired position. If a more efficient skip()-functionality is needed, the Channel-based API can be used.

        Throws:
        java.security.GeneralSecurityException
        java.io.IOException