Am 19.10.2015 um 19:05 schrieb
lasl...@gmail.com:
Hi Jean Pierre:
Thank you very much for your answer!
First of all: yes, I need read and write at any place in
the stored file. I know this is a problem.
I was reading some doc about AES-GCM, and the way you
propose to work, and have some doubts/observations:
- I understand that
using 256bit AES, the GCM mode, and size of TAG = 96
bytes (the shortest recommended) will get a resulting
file, 37.5% larger than the original (regardless of the
header).
I think you're getting something wrong here. The longest standard
tag for GCM is 16 bytes (128 bits) and the shortest standard tag is
12 bytes (96 bits).
Some of the files we will encrypt are about 1 GB or even
2GB, so we are speaking about 375MB for tags. This is
correct?
I don't know how you calculated those 375MB. Depending on how far
you want to chunk you can have 16 byte tag overhead (for the whole
files, only one chunk) or more if you want smaller chunks.
Reasonable would be a sector-size alignment, meaning Data||Tag would
be as large as one sector of your filesystem. This would result in
an increase of 3.2% (512-byte sectors) to 0.09% (16,384-byte
sectors). Or you could just use some arbitrary unit like one
Megabyte per chunk, resulting in a 0.0015% increase in storage
needed.
- You say In your
scenario I'd suggest dividing the file into several
subsections: Where can I find the info about how
to handle the subsection concept for AES-GCM?
Chunking and Blocking (see Jeffrey's answer) are standard concepts.
What I basically suggest is to divide the file into
Header||Chunk1||Chunk2||Chunk3... where each Chunk has it's own tag
and is fully independent from the others (besides the somewhat
dependent IV).
Yes, you can't seek with AES-GCM and Crypto++, because you'd skip
parts of the enciphered data, which you can't because the
authentication would fail in this case.
By the way, what do you think about using XTS as shown
in the link? I see this option is not implemented in
Crypto++...
See Jeffrey's answer.
- If I want not to have TAG overhead I have two
options AES-CTR+HMAC or AES-CBC+HMAC:
CTR would be the better option here as it can be parallelized
(supports seek() in Crypto++) and has less severe IV requirements.
- Pros:
- File size will
change only with header info.
You can also get constant tag size "tag overhead" with AES-GCM by
only using one chunk.
- Need to change HMAC every time file is
changed. A test to perform: how long it takes to
compute HMAC of a 1GB file?
With SHA-256, you'd roughly need 20 cycles / byte on such long
messages with a C implementation on an Intel Core 2 Duo [1]. Meaning
you may get something like 10 cycles / byte with ASM code on a
modern CPU. HMAC is not significantly slower than plain hashing.
This would mean you'd need 10^10 cycles for this - or equivalently -
5 seconds on a 2GHz CPU. Reading the whole file is likely to take
longer.
BR
JPM
[1]:
https://www.schneier.com/skein1.3.pdf