Random Access Decryption (ring, openssl, AES-GCM)

Hi all. Disclaimer...I am relatively new to Rust, but I do have deep experience in java, including some advanced encryption/decryption support.

In learning cryptography from a rust perspective, I'm interested to re-enact a previous use case I encountered in work, namely, random access decryption given an arbitrary (but legal!) offset. This was easily achieved using AES-CBC and later AES-CFB, as computing the correct IV is trivial in these cases.

In choosing ring to handle symmetric encryption, it seems that I am constraining myself to AEAD algorithms, so I chose AES-GCM...this is a choice I am in theory perfectly happy with.

My reading leads me to believe that computing the IV is relatively straightforward for AES-GCM as well, especially if you limit yourself to a 12 byte nonce. I am, however, stumped at the mechanism by which I can drive the ring API to handle a "calculated" IV. The API I have explored so far only appears to support "all or nothing"...perhaps this is due to the difficulties around performing the authentication portion? Am I simply using the wrong library for the use case I have in mind?

I attempted to decrypt just the first block, but this fails:

let symm_algo = &AES_256_GCM;
let mut in_out = content.clone();

let mut nonce_vec : Vec<u8> = vec![0; 12];
let rand = SystemRandom::new();
rand.fill(&mut nonce_vec).unwrap();

let mut nonce: [u8; 12] = [0; 12];

let unbound_key = UnboundKey::new(symm_algo, &key).unwrap();
let less_safe_key = LessSafeKey::new(unbound_key);

less_safe_key.seal_in_place_append_tag(Nonce::assume_unique_for_key(nonce), Aad::from(&additional_data), &mut in_out).unwrap();

let decrypted_data = less_safe.open_in_place(Nonce::assume_unique_for_key(nonce), Aad::from(&additional_data), &mut in_out[0..16]).unwrap();

perhaps predictably this failed, as there is none of the tag information.

Can anyone offer any insight or examples for how to do random access decryption using ring? Or am I better off finding another library? I don't mind losing the authentication aspect, but as previously stated, ring appears to only support AEAD algorithms.

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.