Dear Steve,

On Wednesday, 6 March 2013 12:40:50 UTC+1, "Dr. Stephen Henson" wrote:
> On Wed, Mar 06, 2013, Matej Kenda wrote:
>
> > I am working on a solution which includes encryption of files of arbitrary
> > size (at least up to 2 GB) to be encrypted with AES CCM with 256-bit key
> > and uploaded to a server.
>
> CCM isn't really the mode to use for that, GCM is better.
>
> There are two reasons. One is that you need to know the length of the AAD and
> plaintext in advance before you can process any data: this makes it unusable
> for things like streaming for CMS.

Thank you for the advice. Unfortunately, I am currently not in a position
to select the AES mode, but I will forward your observations to the designers
of the cryptographic concept.

> You can only check the tag if you've processed all the ciphertext so if you
> were handling it in parts you'd have to either buffer everything or perform
> two passes.

My first attempt was to load the complete file into memory and encrypt it in
one call to EVP_EncryptUpdate. It worked fine for files smaller than 16 MB;
however, the output buffer was not filled with encrypted data for larger input
buffers. EVP_EncryptUpdate returned success (OpenSSL 1.0.1c).

This failed attempt made me think of different solutions.

Authenticity of the uploaded encrypted file is verified on the server as
well, because the tag size and the size of the file are known.

> The only way round this is to violate the standard and reveal some of the
> plaintext on the fly.

Why would plaintext need to be revealed?

Regards,

Matej
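
Why CCM needs the plaintext length before any data is processed, as an added example (not part of the original message and not OpenSSL code): the first block fed to the CBC-MAC, B0 in NIST SP 800-38C / RFC 3610, already contains the message length, and the nonce length fixes how many bytes that length field has. The helper names, the sample nonce and reading 2 GB as 2^31 bytes are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative helpers (names chosen for this example, not OpenSSL API).
 * Layout of B0 follows NIST SP 800-38C / RFC 3610:
 *   flags | nonce (15-q bytes) | message length (q bytes, big-endian) */

/* Returns 0 on success, -1 if a parameter is invalid or msg_len does not
 * fit in the q-byte length field left over by the chosen nonce length. */
int ccm_format_b0(uint8_t b0[16], const uint8_t *nonce, size_t nonce_len,
                  size_t tag_len, int has_aad, uint64_t msg_len)
{
    if (nonce_len < 7 || nonce_len > 13)
        return -1;
    if (tag_len < 4 || tag_len > 16 || (tag_len & 1))
        return -1;
    size_t q = 15 - nonce_len;
    if (q < 8 && (msg_len >> (8 * q)) != 0)
        return -1;                      /* too long for this nonce size */
    b0[0] = (uint8_t)((has_aad ? 0x40 : 0) | (((tag_len - 2) / 2) << 3) | (q - 1));
    memcpy(b0 + 1, nonce, nonce_len);
    for (size_t i = 0; i < q; i++)      /* length goes in before any data */
        b0[15 - i] = (uint8_t)(msg_len >> (8 * i));
    return 0;
}

/* Largest nonce length (7..13 bytes) that still leaves room for msg_len. */
size_t ccm_max_nonce_len(uint64_t msg_len)
{
    size_t q = 2;
    while (q < 8 && (msg_len >> (8 * q)) != 0)
        q++;
    return 15 - q;
}

int main(void)
{
    const uint8_t nonce[11] = {0};      /* constructed sample nonce */
    const uint64_t two_gb = 2147483648ULL;  /* 2 GB taken as 2^31 bytes */
    uint8_t b0[16];
    printf("max nonce for 2 GB: %zu bytes\n", ccm_max_nonce_len(two_gb));
    if (ccm_format_b0(b0, nonce, sizeof nonce, 16, 0, two_gb) == 0) {
        for (size_t i = 0; i < 16; i++)
            printf("%02x", b0[i]);
        printf("\n");
    }
    return 0;
}
```

A 2 GB input therefore needs a length field of at least 4 bytes, which caps the nonce at 11 bytes; a longer nonce makes the formatting step fail before any data is encrypted.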
