

Kuznechik-CTR-HMAC with key ratcheting DEM

cm/encrypted’s /dem/a equals "kuznechik-ctr-hmac-kr".

CEK is 64 bytes long. Data is split into 128 KiB chunks, each of which is encrypted the following way:

H = Streebog-512
CK0 = CEK
CKi = HKDF-Extract(H, salt="", ikm=CK{i-1})
Kenc = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/enc")
IV = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/iv", len=8)
Kauth || KauthTail = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/auth")
KauthTail = HKDF-Expand(H, prk=CKi, info="cm/encrypted/kuznechik-ctr-hmac-kr/authTail")
CT = Kuznechik-CTR(key=Kenc, ctr=IV, data=chunk)
CT || HMAC(Streebog-256, key={Kauth|KauthTail}, data=CT)

KauthTail is used only in the last chunk to explicitly signal that it is the last one.

/payload’s chunk length equals 128 KiB + 32 bytes.
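
The key ratchet and the last-chunk signalling, as an added sketch that is not part of the specification: it shows why a truncated or reordered chunk stream fails verification. Assumptions: SHA-512 and SHA-256 from the Python standard library stand in for Streebog-512 and Streebog-256 (so the output is not interoperable), Kuznechik-CTR is left out and the chunks are treated as ready ciphertext, the first chunk uses CK0, Kauth and KauthTail are taken as separate 32-byte HKDF-Expand outputs, and the names seal and verify are hypothetical.

```python
import hashlib
import hmac

H = hashlib.sha512      # assumption: stand-in for Streebog-512
MAC_H = hashlib.sha256  # assumption: stand-in for Streebog-256
INFO = b"cm/encrypted/kuznechik-ctr-hmac-kr/"
CHUNK, TAG = 128 * 1024, 32

def hkdf_extract(salt, ikm):
    # RFC 5869: an empty salt is replaced by HashLen zero bytes.
    return hmac.new(salt or bytes(H().digest_size), ikm, H).digest()

def hkdf_expand(prk, info, length):
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), H).digest()
        out, i = out + t, i + 1
    return out[:length]

def auth_keys(ck):
    # Key length of 32 bytes is an assumption; the page does not state it.
    return (hkdf_expand(ck, INFO + b"auth", 32),
            hkdf_expand(ck, INFO + b"authTail", 32))

def seal(cek, ct_chunks):
    """Append CT || HMAC per chunk; only the last chunk uses KauthTail."""
    ck, out = cek, []
    for i, ct in enumerate(ct_chunks):
        kauth, ktail = auth_keys(ck)
        key = ktail if i == len(ct_chunks) - 1 else kauth
        out.append(ct + hmac.new(key, ct, MAC_H).digest())
        ck = hkdf_extract(b"", ck)  # ratchet: CKi from CK{i-1}
    return out

def verify(cek, payload_chunks):
    """Return the ciphertext chunks, or raise on forgery or truncation."""
    ck, cts, finished = cek, [], False
    for chunk in payload_chunks:
        if finished:
            raise ValueError("data after final chunk")
        ct, tag = chunk[:-TAG], chunk[-TAG:]
        kauth, ktail = auth_keys(ck)
        if hmac.compare_digest(tag, hmac.new(ktail, ct, MAC_H).digest()):
            finished = True  # a tail-keyed MAC marks the end of the stream
        elif not hmac.compare_digest(tag, hmac.new(kauth, ct, MAC_H).digest()):
            raise ValueError("bad MAC")
        cts.append(ct)
        ck = hkdf_extract(b"", ck)
    if not finished:
        raise ValueError("truncated: no tail-authenticated chunk")
    return cts
```

Because every chunk's keys come from a different CKi, a chunk moved to another position fails its MAC, and a stream cut at a chunk boundary is rejected since no chunk verified under KauthTail.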

HKDF is the KDF algorithm from RFC 5869. HMAC is the MAC algorithm from RFC 2104. Kuznechik is the GOST R 34.12-2015 encryption algorithm, RFC 7801. Streebog is the GOST R 34.11-2012 hashing algorithm, RFC 6986.