Validate AesSiv parameters in AesSivKeyManager the same way the AesSivParameters #34

Draft pull request; 1 commit to be merged into base: main

dinigo commented Mar 21, 2024

This enables keys of lengths 32 and 48 bytes to be used

see #32

…vParameters

This enables keys of lengths 32 and 48 bytes to be used

dinigo (Author) commented Mar 22, 2024

Hello. Do you have documentation on how to run the tests? bazel test tink doesn't find them

ERROR: No test targets were found, yet testing was requested

I'd like to add a test on keys of length 32 and 48 bytes.
I have it working and it is consistent with other libraries' implementations. But it's hard to progress without properly setting up the project.

@dinigo dinigo marked this pull request as draft March 22, 2024 11:03
morambro (Contributor) commented Mar 22, 2024

Hi @dinigo, I still haven't looked at this patch. For testing you can do (I recommend using Bazelisk https://github.com/bazelbuild/bazelisk):

cd path/to/tink_java
# Run all the tests; will cache results if files are unchanged.
bazelisk test ...
# Limited to daead:
bazelisk test //src/test/java/com/google/crypto/tink/daead/...
# Or even:
bazelisk test //src/test/java/com/google/crypto/tink/daead:AesSivKeyManagerTest

tholenst (Contributor) commented Mar 25, 2024

Can you add some context on why you want this? Current behavior is on purpose (see e.g. https://github.com/tink-crypto/tink-cross-lang-tests/blob/main/cross_language/cross_language/daead/aes_siv_keys.py#L38-L39 where we explicitly test that these keys fail).

Edit: please add the context to the issue you filed -- sorry for commenting here. I didn't see the issue at first.

dinigo (Author) commented Mar 25, 2024

@tholenst. Currently Google Cloud DLP "states" in their documentation that their service is using AES-SIV for deterministic encryption.

However, they only support keys as long as 32 bytes.

  • I need to encrypt-decrypt consistently with this Google service in an air-gapped system where we cannot access the API/Service.
  • I need the ability to bulk decrypt big amounts of information without relying on the DLP service's small throughput.
  • I see AES-SIV RFC5297 does not support this key length (apparently).
  • Google Cloud support asked explicitly to raise it here.

I see there's no point in supporting 128-bit keys since it doesn't align with the RFC.

tholenst (Contributor)

Thanks for the context. The fact that Tink out of the box only supports 64 bytes is intentional. See https://developers.google.com/tink/deterministic-aead#choose_a_key_type.

I will however comment on #32 with a way forward.
