Go implementation of the Data At Rest Encryption (DARE) format.
It is a common problem to store data securely – especially on untrusted remote storage. One solution to this problem is cryptography. Before data is stored it is encrypted to ensure that the data is confidential. Unfortunately encrypting data is not enough to prevent more sophisticated attacks. Anyone who has access to the stored data can try to manipulate the data – even if the data is encrypted.
To prevent these kinds of attacks the data must be encrypted in a tamper-resistant way. This means an attacker should not be able to:
- Read the stored data – this is achieved by modern encryption algorithms.
- Modify the data by changing parts of the encrypted data.
- Rearrange or reorder parts of the encrypted data.
Authenticated encryption schemes (AE) – like AES-GCM or ChaCha20-Poly1305 – encrypt and authenticate data. Any modification to the encrypted data (ciphertext) is detected while decrypting the data. But even an AE scheme alone is not sufficiently enough to prevent all kinds of data manipulation.
All modern AE schemes produce an authentication tag which is verified after the ciphertext is decrypted. If a large amount of data is decrypted it is not always possible to buffer all decrypted data until the authentication tag is verified. Returning unauthenticated data has the same issues like encrypting data without authentication.
Splitting the data into small chunks fixes the problem of deferred authentication checks but introduces a new one. The chunks can be reordered – e.g. exchanging chunk 1 and 2 – because every chunk is encrypted separately. Therefore the order of the chunks must be encoded somehow into the chunks itself to be able to detect rearranging any number of chunks.
This project specifies a format for en/decrypting an arbitrary data stream and gives some recommendations about how to use and implement data at rest encryption (DARE). Additionall, this project provides a reference implementation in Go.