CryptoStream的和认证加密模式 [英] CryptoStream and Authenticated Encryption Modes
问题描述
我很感兴趣,在净,提供认证的加密服务提供使用托管DLL。该DLL可能会在WPF程序或ASP应用程序中使用。我有几个关系到微软的加密和数据流模型的问题。
I'm interested in providing a managed dll for use in .Net that provides authenticated encryption services. The DLL might be used in a WPF program or an ASP application. I have a couple of questions related to Microsoft's crypto and stream models.
认证加密模式(CCM,CWC,EAX,GCM等),通常会产生两件神器 - 首先是密文二是认证标签。其相当容易流加密,但可以有一些问题。例如,CCM不能由于传输到头部的构建方式和认证的加密方式产生一个认证标记。
Authenticated encryption modes (CCM, CWC, EAX, GCM, etc) typically produce two artifacts - first is the cipher text and second is the authentication tag. Its fairly easy to stream encryption, but there can be some problems. For example, CCM cannot be streamed due to the way the header is built and authenticated encryption modes produce an authentication tag.
解密是棘手,因为它不能进行流式传输。解密不能被解密之前流,因为所有的密文必须是可用的,并且密文必须使用认证标签进行验证。
Decryption is trickier since it can't be streamed. Decryption can't be streamed because all the cipher text must be available, and that cipher text must be verified using the authentication tag before being decrypted.
一个人如何适应的认证加密模式的块加密算法,因此它可以被用在的CryptoStream ?它甚至有可能?也许它为什么微软不提供呢?
How does one adapt an authenticated encryption mode for a block cipher so that it can be used in a CryptoStream? Is it even possible? Perhaps its why Microsoft does not supply it?
Microsoft是否有建议?例如,掰开大邮件分成较小的邮件或单位(每个都有自己的标签)?还是MS推荐的缓冲,直到整个消息和标记输入?
Does Microsoft have a recommendation? For example, break apart a large message into smaller messages or units (each with its own tag)? Or does MS recommend buffering until the entire message and tag is input?
在哪里微软建议把的标签?在流的开始?在流的末尾?
Where does Microsoft recommend 'putting' the tag? At the beginning of the stream? At the end of the stream?
一些有用的参考文献:
- SymmetricAlgorithm Class
- CipherMode Enumeration
- CryptoStream Class
推荐答案
在2010年,微软CLR安全团队发布了的扩展,System.Security.Cryptography ,其中包括身份验证的对称加密专门的 GCM 。为什么他们还没有从那以后用它做任何事情,我不知道。
In 2010 the microsoft CLR security team released an extension to the System.Security.Cryptography that included authenticated symmetric encryption specifically GCM. Why they haven't done anything with it since then, I don't know.
不过,既然你的问题注重什么微软做什么?,它就在那里......他们这样做。
But, since your question put emphasis on "what would microsoft do?", there it is... they did that.
这篇关于CryptoStream的和认证加密模式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
