Topic: [FEATURE REQUEST] AES-GCM stream encryption

Hi,
I'm trying to implement AES-GCM stream encryption, but it seems WolfSSL doesn't provide such a feature for GCM mode, while it does for CBC mode.
The encrypted output of the following processing

wc_AesGcmEncrypt(&enc, buffer.data(), s_plain_text.data(), 0xf, s_iv.data(), s_iv.size(), auth_tag.data(), auth_tag.size(), aad.data(), aad.size());

wc_AesGcmEncrypt(&enc, buffer.data() + 0xf, s_plain_text.data() + 0xf, s_plain_text.size() - 0xf, s_iv.data(), s_iv.size(), auth_tag.data(), auth_tag.size(), aad.data(), aad.size());

is not the same as that of this one

wc_AesGcmEncrypt(&enc, buffer.data(), s_plain_text.data(), s_plain_text.size(), s_iv.data(), s_iv.size(), auth_tag.data(), auth_tag.size(), aad.data(), aad.size());

I debugged a bit and found that the Aes structure which is passed to wc_AesGcmEncrypt is not changed between wc_AesGcmEncrypt invocations, so the counter value is not stored.

Is there another way of doing AES-GCM stream encryption, or is it planned to add such a feature?

Thanks in advance,
Yaroslav


Re: [FEATURE REQUEST] AES-GCM stream encryption

Hi Yaroslav,

Can you tell us about what it is you are working on and what motivated the need to attempt to use AesGCM as a stream cipher? The reason I inquire is that GCM already has significant throughput over a chained block cipher like CBC, as its blocks can be encrypted in parallel and do not suffer the same performance and efficiency impacts as a chained block cipher would. The reason for supporting CBC stream modes is to offer a more performant solution.

Due to the authentication step in GCM I am not entirely sure it would make sense to try and use GCM in this way unless you could guarantee all inputs would be reasonably small to avoid massive memory use. Have you considered AES-CCM as an alternative?

If you are looking to optimize performance and throughput, we do offer the --enable-aesgcm=table option.

If you can tell us a little more about your motivation and goals, perhaps it would help us to better understand your need!


Warm Regards,

K

Re: [FEATURE REQUEST] AES-GCM stream encryption

Hi Kaleb,

I'm trying to optimize an existing system which uses AES-GCM to be able to process big input with a low memory footprint.

Regards,
Yaroslav


Re: [FEATURE REQUEST] AES-GCM stream encryption

Yaroslav,

I see. Reducing the footprint is good, but using AES-GCM in this fashion could result in massive run-time resource use depending on the data being encrypted. Because AES-GCM uses an authentication step, if you want to use it as a stream cipher you would have to pre-load the entire input so it could be authenticated once the encryption was complete. Do you control the size of the items being encrypted? Are they always of a fixed and finite size, or can they be items such as a video file on the order of gigabytes large?

There have been some stream-like implementations of AES-GCM done against other crypto libraries, and it is not impossible. It is also not very practical in most use cases due to the authentication step in AES-GCM. If, however, this is something you would like to see support added for in wolfSSL, I am happy to bring it up with the wolfSSL team to gather their thoughts and input as well. Let me know if this is something you wish for us to consider, with the understanding that it is not run-time resource friendly.

- K

Re: [FEATURE REQUEST] AES-GCM stream encryption

Hi Kaleb,

The reason why I've considered stream encoding is that I need the ability to encode big amounts of data (several gigs) of fixed size with a low memory footprint (less than 50 megabytes) using AES-GCM. The idea is to divide the big input into chunks of appropriate size, then load and process them one by one until the entire input is processed. With the current implementation of AES-GCM in WolfSSL we are unable to do that, as it requires the entire input to be preloaded.

One possible solution is to calculate the authentication tag on the fly during encryption. Intermediate authentication tag values could be saved into the Aes structure. Message authentication could also be implemented using a streaming approach or be combined with decryption.

Regards,
Yaroslav


Re: [FEATURE REQUEST] AES-GCM stream encryption

Hi Kaleb,

It looks like you are talking past each other; maybe the choice of "stream" wording is confusing. It refers here not to the distinction between stream/block ciphers but to processing data chunks as they arrive without buffering the full file in memory (which can be of any size, and we can't change cipher mode or framing or anything else because we have to interoperate with existing implementations). I.e. we would like to see an API which can be used in chunked fashion, like { init, update, update, ..., finish }, not the current function which handles all data in one go.
I'm pretty sure intermediate resources needed for this are constant and consist of two counter blocks and one hash block, i.e. 48 bytes.

You could look for inspiration here https://stackoverflow.com/questions/121 … 2#13045182
Take note of the while loops. It doesn't loop over the AAD portion, but that is both supported by OpenSSL and not required in our case (because its size is small).

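Added example, not code from wolfSSL or from anyone in this thread: a pure-Python sketch of the { init, update, ..., finish } structure pal describes and the on-the-fly tag accumulation Yaroslav proposes, shown for the authentication half of GCM (GHASH as defined in NIST SP 800-38D). It demonstrates that the state carried between calls is constant size (one running hash block, a buffer for an incomplete block, and the AAD/ciphertext lengths) and that feeding the ciphertext split at an unaligned offset such as 0xf gives the same result as one call; the AES counter block for the CTR half would be carried between calls the same way. H is assumed to be supplied by the caller (in GCM it is AES_K(0^128)).

```python
def gf_mul(x: int, y: int) -> int:
    """Multiply in GCM's GF(2^128) (NIST SP 800-38D, Algorithm 1 bit order)."""
    R, z, v = 0xE1 << 120, 0, x
    for i in range(128):                 # walk y from its leftmost bit
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash_oneshot(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """Reference GHASH over the whole input at once (the one-call API)."""
    pad = lambda b: b + b"\0" * (-len(b) % 16)
    lens = (8 * len(aad)).to_bytes(8, "big") + (8 * len(ct)).to_bytes(8, "big")
    data, hh, y = pad(aad) + pad(ct) + lens, int.from_bytes(h, "big"), 0
    for i in range(0, len(data), 16):
        y = gf_mul(y ^ int.from_bytes(data[i:i + 16], "big"), hh)
    return y.to_bytes(16, "big")

class GhashStream:
    """Chunked GHASH: carries one hash block, one partial-block buffer, two lengths."""
    def __init__(self, h: bytes):
        self.h, self.y, self.buf = int.from_bytes(h, "big"), 0, b""
        self.aad_len = self.ct_len = 0
        self.in_ct = False
    def _absorb(self, block: bytes) -> None:
        self.y = gf_mul(self.y ^ int.from_bytes(block, "big"), self.h)
    def _feed(self, data: bytes) -> None:
        self.buf += data
        while len(self.buf) >= 16:       # absorb complete blocks, keep the rest
            self._absorb(self.buf[:16])
            self.buf = self.buf[16:]
    def _flush(self) -> None:            # zero-pad a trailing partial block
        if self.buf:
            self._absorb(self.buf.ljust(16, b"\0"))
            self.buf = b""
    def update_aad(self, aad: bytes) -> None:
        assert not self.in_ct, "all AAD must be fed before ciphertext"
        self.aad_len += len(aad)
        self._feed(aad)
    def update_ct(self, ct: bytes) -> None:
        if not self.in_ct:               # AAD is padded independently of ct
            self._flush()
            self.in_ct = True
        self.ct_len += len(ct)
        self._feed(ct)
    def final(self) -> bytes:
        self._flush()
        self._absorb((8 * self.aad_len).to_bytes(8, "big") + (8 * self.ct_len).to_bytes(8, "big"))
        return self.y.to_bytes(16, "big")
```

The partial-block buffer is what makes an 0xf split work: a block that straddles two update() calls must be neither hashed twice nor padded early, which is exactly the state the one-call wc_AesGcmEncrypt discards between invocations.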

Re: [FEATURE REQUEST] AES-GCM stream encryption

@pal,

Thank you so much for clarifying! It is much clearer now what the end goal and use case is! I will check our road map to see if we have something like this planned for the future, similar to the CBC solution we implemented. If it is not yet on our road map, I will add it to our feature request list!

Feature requests are unfunded projects that we work on if we have free time, but they can always be accelerated via a working agreement if there is a timeline to consider!


Warm Regards,

K

Re: [FEATURE REQUEST] AES-GCM stream encryption

Hi Kaleb,

Thanks for the reply, that is encouraging.


Re: [FEATURE REQUEST] AES-GCM stream encryption

@Pal,

I checked our roadmap and we do not have this feature listed. I am putting in this feature request on behalf of this forum post.

Feature Requested:        "AES-GCM support for processing data chunks without buffering entire input"
Requestor By:             @pal, @yaroslav.torzuk
Requestor Email:          <left out for public forum post>
Requested Source:         wolfSSL Forums
Source Link:              https://www.wolfssl.com/forums/topic1266-aesgcm-stream-encryption.html
Requested Date:           26 Sep 2018
Request Priority:         2 users requested to date, non-funded effort
Implementation Timeline:  None
Special Notes:            None at this time

Warm Regards,

- K