1 // Copyright 2017 Google Inc. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 // 15 //////////////////////////////////////////////////////////////////////////////// 16 17 package com.google.crypto.tink; 18 19 import java.security.GeneralSecurityException; 20 21 /** 22 * Interface for hybrid encryption. 23 * 24 * <p>Hybrid Encryption combines the efficiency of symmetric encryption with the convenience of 25 * public-key encryption: to encrypt a message a fresh symmetric key is generated and used to 26 * encrypt the actual plaintext data, while the recipient’s public key is used to encrypt the 27 * symmetric key only, and the final ciphertext consists of the symmetric ciphertext and the 28 * encrypted symmetric key. 29 * 30 * <h3>WARNING</h3> 31 * 32 * <p>Hybrid Encryption does not provide authenticity, that is the recipient of an encrypted message 33 * does not know the identity of the sender. Similar to general public-key encryption schemes the 34 * security goal of Hybrid Encryption is to provide privacy only. In other words, Hybrid Encryption 35 * is secure if and only if the recipient can accept anonymous messages or can rely on other 36 * mechanisms to authenticate the sender. 37 * 38 * <h3>Security guarantees</h3> 39 * 40 * <p>The functionality of Hybrid Encryption is represented as a pair of primitives (interfaces): 41 * {@link HybridEncrypt} for encryption of data, and {@link HybridDecrypt} for decryption. 42 * Implementations of these interfaces are secure against adaptive chosen ciphertext attacks. In 43 * addition to {@code plaintext} the encryption takes an extra parameter {@code contextInfo}, which 44 * usually is public data implicit from the context, but should be bound to the resulting 45 * ciphertext, i.e. the ciphertext allows for checking the integrity of {@code contextInfo} (but 46 * there are no guarantees wrt. the secrecy or authenticity of {@code contextInfo}). 47 * 48 * <p>{@code contextInfo} can be empty or null, but to ensure the correct decryption of a ciphertext 49 * the same value must be provided for the decryption operation as was used during encryption (cf. 50 * {@link HybridEncrypt}). 51 * 52 * <p>A concrete instantiation of this interface can implement the binding of {@code contextInfo} to 53 * the ciphertext in various ways, for example: 54 * 55 * <ul> 56 * <li>use {@code contextInfo} as "associated data"-input for the employed AEAD symmetric 57 * encryption (cf. https://tools.ietf.org/html/rfc5116). 58 * <li>use {@code contextInfo} as "CtxInfo"-input for HKDF (if the implementation uses HKDF as key 59 * derivation function, cf. https://tools.ietf.org/html/rfc5869). 60 * </ul> 61 * 62 * @since 1.0.0 63 */ 64 public interface HybridEncrypt { 65 /** 66 * Encryption operation: encrypts {@code plaintext} binding {@code contextInfo} to the resulting 67 * ciphertext. 68 * 69 * @return resulting ciphertext 70 */ encrypt(final byte[] plaintext, final byte[] contextInfo)71 byte[] encrypt(final byte[] plaintext, final byte[] contextInfo) throws GeneralSecurityException; 72 } 73