New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/cipher: io.Reader/Writer implementations for BlockMode #28153
Comments
CC @FiloSottile |
I have faced the same issue recently and ended up writing my own io.Reader and io.Writer. |
@FiloSottile : I saw @bcmills CC-ed you and no response followed. Hoping, may be you just forgot to reply here and it is still possible to get your comment on this? :) Personally do not think one should think about specific implementation right now (as in the issue description), but IMHO it is still worth to decide if one should provide Another person made a remark that the problem is solved in other languages, for example in Java it is: https://docs.oracle.com/javase/7/docs/api/javax/crypto/CipherOutputStream.html |
We won't provide an easy to use API for unauthenticated block modes, because we don't want them to be easy to use. Approximately no application should be directly using unauthenticated block (or stream) ciphers, as they let the attacker modify the message, which systematically leads to confidentiality breaks (such as with padding oracle attacks). They are just a building block for AEADs, which is what applications should use instead. Applications that do need to handle streaming data should use chunked AEAD schemes, where each chunk is authenticated before being released, such as STREAM (#43774, #49782 (comment)). /cc @golang/security |
Thank you for the references. Will track the progress there. |
The
cipher.Stream
interface can be wrapped in acipher.StreamReader
orcipher.StreamWriter
forio.Reader
/io.Writer
implementations. It was be nice to have the same interface forcipher.BlockMode
.The challenge with
cipher.BlockMode
is thatCryptBlocks
must be run on byte slices whose lengths are multiples of the block size. I don't see this being a fundamental problem, but it will complicate the implementation. For theReader
, I imagine it would consist of two internal buffers as the state:encrypted
to store encrypted bytes read from the underlying reader, anddecrypted
to store decrypted bytes to by copy out wheneverRead
is called. It would operate in two phases: Iflen(decrypted) == 0
, then callRead
on the underlyingReader
until there is at leastBlockSize
bytes inencrypted
. Then we can decrypt as many blocks as possible fromencrypted
intodecrypted
, and return these whenever Read is called untillen(decrypted) == 0
again.I haven't though as much about the Writer, but I suspect it will operate in a similar way.
The implementation is just a rough idea at the moment. I'm creating this issue mainly to see whether there is interest in the idea. If there is, I am happy to write a prototype.
The text was updated successfully, but these errors were encountered: