Encryption is not enough
Confidentiality versus integrity: why an adversary who cannot read can still break everything, and how authenticated encryption responds.
In 2011, researchers showed that an adversary positioned between a browser and an HTTPS server could, without ever decrypting a single byte, modify encrypted data in a predictable way and force behaviours the application never intended. The attack read nothing. It rewrote.
This scenario, called malleability, is the central problem of this chapter. Classical encryption hides the content. It does not guarantee that the content has not been altered in transit.
By the end of this chapter, you will be able to explain the difference between confidentiality and integrity, recognise the malleability of unauthenticated encryption, and describe what AEAD guarantees and how.
Confidentiality versus integrity
These two properties are distinct, and confusing them is the source of many real-world vulnerabilities.
Confidentiality guarantees that an adversary who observes an encrypted message cannot deduce its content. It protects against a passive attacker, one who listens.
Integrity guarantees that an adversary cannot modify a message without that modification being detected. It protects against an active attacker, one who intervenes.
A system can have one without the other. And that is where the trap lies.
The active adversary
Consider a concrete example. A payment service encrypts the amount of a transfer using CTR (counter) mode. In CTR mode, encryption XORs the plaintext with a pseudo-random keystream generated from the key and a counter. Where a plaintext bit is zero, the ciphertext bit equals the keystream bit; where it is one, the ciphertext bit is the inverted keystream bit. Decryption is the same XOR, so flipping one ciphertext bit flips exactly the corresponding plaintext bit.
If an adversary knows the position in the ciphertext that corresponds to the “amount” field, they can flip exactly the right bit in the ciphertext. When the recipient decrypts, they obtain a modified amount. The adversary never knew what the original amount was. They just changed it.
This is malleability: the property of an encryption scheme that allows transforming a ciphertext into another ciphertext whose decryption is predictable, without knowing the key.
A confidential scheme can be malleable. A malleable scheme offers no integrity guarantee.
AEAD: the answer
Authenticated Encryption with Associated Data, written AEAD, solves this problem by combining confidentiality and integrity in a single operation.
An AEAD scheme exposes two operations:
- Seal: takes a key , a nonce , associated data , and a plaintext . Produces a ciphertext augmented with an authentication tag: .
- Open: takes , , , and . Verifies the tag, then decrypts. If verification fails, returns an error without revealing anything else.
Each symbol has its role:
- : the secret key shared between the two parties.
- : the nonce, a number used once. It guarantees that two encryptions of the same plaintext with the same key produce different ciphertexts. Details are covered in module 3.
- : the associated data, metadata that is authenticated but not encrypted (an HTTP header, a session identifier, a protocol version). It is not part of the ciphertext, but any modification to it invalidates the tag. Module 2 covers this in detail.
- : the plaintext, the message to protect.
- : the output, that is, the ciphertext concatenated with the authentication tag.
The authentication tag
The tag is a cryptographic fingerprint computed over the ciphertext and the associated data using the key. It is produced during seal and verified during open.
If a bit of the ciphertext has been flipped, if an associated data field has changed, or if the tag itself has been tampered with, verification fails. The open returns a generic error, without indicating what changed or where. This absence of information is intentional: revealing the cause would hand an adversary a signal to exploit, which is the basis of an oracle attack.
Encryption hides; it does not protect. Integrity is proved, not assumed.
How seal and open work
Try it yourself
The component below lets you flip a bit in the ciphertext and observe what happens depending on the mode.
In simple encryption mode, the flipped bit passes through decryption without anyone detecting it. The plaintext that comes out is silently altered.
In AEAD mode, the same flipped bit triggers a tag verification failure. The open returns a rejection. No information about the content is disclosed.
Notice the difference in behaviour. In a real system, simple mode would let the altered message through without any warning. AEAD mode refuses categorically.
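The CTR bit flip from the payment example, the seal/open operations, and the "try it yourself" comparison above, as one added example that is not part of the original chapter. It is written in Go using only the standard library (crypto/aes, crypto/cipher); the key, nonces, amount field and associated data are constructed demo values chosen so the run is reproducible.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed, fixed demo values for a reproducible run; real code never reuses a nonce under a key.
var (
	key   = bytes.Repeat([]byte{0x42}, 32) // AES-256 key
	ctrIV = bytes.Repeat([]byte{0x01}, 16) // CTR initial counter block (16 bytes)
	nonce = []byte("12-byte-nonc")        // GCM nonce (96 bits)
)

// The key length is fixed above, so the constructor errors cannot occur and are dropped.
func aesBlock() cipher.Block { b, _ := aes.NewCipher(key); return b }
func gcm() cipher.AEAD       { a, _ := cipher.NewGCM(aesBlock()); return a }

// ctrXOR is unauthenticated AES-CTR: encryption and decryption are the same keystream XOR.
func ctrXOR(in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(aesBlock(), ctrIV).XORKeyStream(out, in)
	return out
}

// ctrTamper encrypts plain, flips the mask bits of ciphertext byte pos, then decrypts.
// CTR is malleable: the same bits flip in the recovered plaintext and nothing detects it.
func ctrTamper(plain []byte, pos int, mask byte) []byte {
	ct := ctrXOR(plain)
	ct[pos] ^= mask
	return ctrXOR(ct)
}

// gcmSeal is the seal operation: ciphertext || 16-byte tag; ad is authenticated, not encrypted.
func gcmSeal(plain, ad []byte) []byte { return gcm().Seal(nil, nonce, plain, ad) }
// gcmOpen checks the tag over ciphertext and ad before decrypting; any change yields one generic error, no plaintext.
func gcmOpen(sealed, ad []byte) ([]byte, error) { return gcm().Open(nil, nonce, sealed, ad) }

func main() {
	msg, ad := []byte("amount=0010"), []byte("account=alice")
	fmt.Printf("CTR, one ciphertext bit flipped: %q\n", ctrTamper(msg, 7, 0x01)) // "amount=1010"
	sealed := gcmSeal(msg, ad)
	sealed[7] ^= 0x01 // the same flip against the AEAD output
	_, err := gcmOpen(sealed, ad)
	fmt.Println("GCM, same flip:", err)
	_, err = gcmOpen(gcmSeal(msg, ad), []byte("account=bob")) // intact ciphertext, altered ad
	fmt.Println("GCM, altered associated data:", err)
}
```

In CTR the hundreds digit of the amount changes from 0 to 1 and the recipient sees nothing wrong; in GCM both the flipped bit and the changed associated data produce the same opaque authentication error and no plaintext.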
Quiz
1. A message is encrypted with an unauthenticated CTR mode. An adversary intercepts the ciphertext and flips a bit. What happens when the recipient decrypts?
2. What property does AEAD add to classical encryption?
3. When the open of an AEAD scheme fails, what should it return?
4. A service encrypts a session cookie with AES-GCM. The user modifies the cookie in their browser and sends the request again. What happens on the server side?
Key takeaways
- Confidentiality (encryption) hides the content from a passive adversary. It does not protect against an active adversary who modifies data.
- Integrity guarantees that a modification is detected. It is proved by a cryptographic tag, not assumed.
- Malleability is the property of an encryption scheme that allows transforming a ciphertext into a predictable ciphertext without knowing the key. Unauthenticated CTR and CBC modes suffer from it.
- AEAD (Authenticated Encryption with Associated Data) combines both properties in a single operation: seal produces ciphertext plus tag, open verifies the tag before decrypting.
- A failing open returns a generic error, with no information about the cause. This opacity is a security property, not a lack of detail.
- Associated data is authenticated but not encrypted: modifying it invalidates the tag, even if the ciphertext is intact.
- The common AEAD algorithms are AES-GCM and ChaCha20-Poly1305. The following modules examine their properties, constraints, and use cases.