Crypto++ 8.9
Free C++ class library of cryptographic schemes
Poly1305TLS Class Reference

Poly1305-TLS message authentication code.

#include <poly1305.h>

Additional Inherited Members

Public Member Functions inherited from MessageAuthenticationCodeFinal< Poly1305TLS_Base >
 MessageAuthenticationCodeFinal ()
 Construct a default MessageAuthenticationCodeFinal.
 
 MessageAuthenticationCodeFinal (const byte *key)
 Construct a MessageAuthenticationCodeFinal.
 
 MessageAuthenticationCodeFinal (const byte *key, size_t length)
 Construct a MessageAuthenticationCodeFinal.
 
Public Member Functions inherited from ClonableImpl< DERIVED, BASE >
 Clonable * Clone () const
 Create a copy of this object.
 

Detailed Description

Poly1305-TLS message authentication code.

This is the IETF's variant of Bernstein's Poly1305 from RFC 8439. IETF Poly1305 is called Poly1305TLS in the Crypto++ library. It is _slightly_ different from the Bernstein implementation. Poly1305-TLS can be used for cipher suites TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, and TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256.

The key is 32 bytes and is a concatenation key = {r,s}, where r is an additional key that gets clamped and s is the nonce. The key is clamped internally, so there is no need to perform the operation before setting the key.
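The {r,s} layout and the internal clamp described above, written out as an added reference sketch of the RFC 8439 Poly1305 computation. It is not Crypto++ source code and is not meant to replace Poly1305TLS; the names poly1305, clamp, limb, carry and le32 are hypothetical, and the 5 x 26-bit limb representation is an assumption of this sketch.

```cpp
// Added reference sketch of RFC 8439 Poly1305 for illustration; not Crypto++ source code.
#include <array>
#include <cstdint>
#include <cstring>

using Tag = std::array<uint8_t, 16>;
static const uint64_t M26 = 0x3ffffff;  // 26-bit limb mask
static uint32_t le32(const uint8_t* p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t limb(const uint8_t* b, int i) {  // bits 26*i..26*i+25 of a 17-byte LE number
    return (le32(b + 26 * i / 8) >> (26 * i % 8)) & M26;
}
void clamp(uint8_t r[16]) {  // RFC 8439 clamp; idempotent, a pre-clamped r is unchanged
    for (int i = 3; i < 16; i += 4) r[i] &= 15;
    for (int i = 4; i < 16; i += 4) r[i] &= 252;
}
static void carry(uint64_t h[5]) {  // overflow past 2^130 folds back as *5 (2^130 = 5 mod p)
    uint64_t c = 0;
    for (int i = 0; i < 5; i++) { h[i] += c; c = h[i] >> 26; h[i] &= M26; }
    h[0] += 5 * c;
}
// key = {r, s}: r = key[0..15] is clamped here, s = key[16..31] is added at the end.
Tag poly1305(const uint8_t key[32], const uint8_t* msg, size_t len) {
    uint8_t rb[17] = {0};
    std::memcpy(rb, key, 16);
    clamp(rb);
    uint64_t r[5], h[5] = {0}, g[5], c = 5, f = 0;
    for (int i = 0; i < 5; i++) r[i] = limb(rb, i);
    for (size_t n; len > 0; msg += n, len -= n) {
        n = len < 16 ? len : 16;
        uint8_t blk[17] = {0};
        std::memcpy(blk, msg, n);
        blk[n] = 1;  // 0x01 pad byte directly after the block data
        uint64_t d[5] = {0};
        for (int j = 0; j < 5; j++) h[j] += limb(blk, j);
        for (int i = 0; i < 5; i++)  // d = h * r, folded mod 2^130 - 5
            for (int j = 0; j < 5; j++) d[i] += h[j] * (j <= i ? r[i - j] : 5 * r[i - j + 5]);
        std::memcpy(h, d, sizeof d);
        carry(h); carry(h);
    }
    carry(h);  // every limb is now below 2^26
    for (int i = 0; i < 5; i++) { g[i] = h[i] + c; c = g[i] >> 26; g[i] &= M26; }  // g = h - p
    for (int i = 0; i < 5; i++) h[i] ^= (h[i] ^ g[i]) & (0 - c);  // pick g when h >= p
    Tag tag;
    for (int k = 0; k < 4; k++, f >>= 32) {  // tag = (h + s) mod 2^128
        int i = 32 * k / 26, sh = 32 * k % 26;
        f += (((h[i] >> sh) | (h[i + 1] << (26 - sh))) & 0xffffffff) + le32(key + 16 + 4 * k);
        for (int b = 0; b < 4; b++) tag[4 * k + b] = (uint8_t)(f >> (8 * b));
    }
    return tag;
}
```

Because clamp() is idempotent, a key whose r half was clamped by the caller yields the same tag as the raw key, which is why no pre-clamping is needed.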

Each message must have a unique security context, which means the key must be changed after each message. This can be accomplished in one of two ways. First, you can create a new Poly1305 object with a new key each time it is needed.

  SecByteBlock key(32);
  prng.GenerateBlock(key, key.size());

  Poly1305TLS poly1305(key, key.size());
  poly1305.Update(...);
  poly1305.Final(...);

Second, you can create a Poly1305 object, and use a new key for each message. The keys can be generated directly using a RandomNumberGenerator() derived class.

  SecByteBlock key(32);
  prng.GenerateBlock(key, key.size());

  // First message
  Poly1305TLS poly1305(key, key.size());
  poly1305.Update(...);
  poly1305.Final(...);

  // Second message
  prng.GenerateBlock(key, key.size());
  poly1305.SetKey(key, key.size());
  poly1305.Update(...);
  poly1305.Final(...);
  ...
Warning
Each message must have a unique security context. The Poly1305-TLS class does not enforce a fresh key or nonce for each message.
Since
Crypto++ 8.1
See also
MessageAuthenticationCode(), RFC 8439, ChaCha20 and Poly1305 for IETF Protocols

Definition at line 237 of file poly1305.h.


The documentation for this class was generated from the following file: