ASCON Suite
Encrypting and decrypting files with ASCONcrypt

The asconcrypt program in the apps directory demonstrates how to use ASCON-80pq, ASCON-80pq-SIV, and ASCON-PBKDF2 to create a password-based file encryption and decryption utility. The incremental version of ASCON-80pq is used, which permits large files up to 1 terabyte in size to be encrypted.

ASCONcrypt is inspired by AES Crypt, which provides a simple password-based file encryption method using AES-256 in CBC mode. The file format for ASCONcrypt and the differences with AES Crypt are described below.

The program is installed by "make install" as part of the library build.

Using ASCONcrypt

Files are encrypted by passing them directly to the asconcrypt program. If the system supports it, the user will be prompted for a password and the file is then encrypted into a file with the ".ascon" file extension:

$ ls
MySecretDocument.txt
$ asconcrypt MySecretDocument.txt
Password:
Confirm Password:
$ ls
MySecretDocument.txt.ascon MySecretDocument.txt

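The password can also be supplied on the command-line or in a "key file". A password given with "-p" is typically recorded in the shell history and can be seen by other local users in the process list while the program runs: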

$ asconcrypt -p Hello MySecretDocument.txt
$ asconcrypt -k key MySecretDocument.txt

Decrypting a file whose name ends in ".ascon" is similar:

$ ls
MySecretDocument.txt.ascon
$ asconcrypt MySecretDocument.txt.ascon
Password:
$ ls
MySecretDocument.txt.ascon MySecretDocument.txt

In the examples above, the asconcrypt command is able to detect whether to encrypt or decrypt based on the file extension. If the file extension is not clear, then use the "-e" or "-d" options to clarify whether encryption or decryption is required. The "-o" option can also be used to specify an explicit output file:

$ asconcrypt -d -o MySecretDocument.txt -p Hello MySecretDocument.bin

Key files consist of a single line of text with the password, so they are easy to create:

$ echo "This is a long password!" >key
$ asconcrypt -k key MySecretDocument.txt

The asconcrypt program can also generate a random 40 character password for you using the "-g" (generate) option:

$ asconcrypt -g key
$ asconcrypt -k key MySecretDocument.txt
$ cat key
JqEm5mqJUt9mA0wvT3yaoR00knLNVXGD8cwEEpyk

Source code for the asconcrypt program

ASCONcrypt file format

The ASCONcrypt file format was inspired in part by AES Crypt. That format has several sections of interest:

  • Identification string and version for the file format.
  • Metadata extension blocks in plaintext.
  • Random initialization vector (essentially a salt).
  • Key and IV for AES-CBC, encrypted under the password and salt.
  • HMAC value to validate the encrypted key and IV.
  • File contents, encrypted with AES-CBC.
  • HMAC value for the encrypted file contents.

ASCONcrypt files contain the following sections:

  • 10 bytes containing the characters "ASCONcrypt".
  • 2 bytes containing the 16-bit version number in big endian format. For the current version of the format, this should be 0x0001.
  • 16 byte salt value, allocated randomly.
  • 52 byte "SIV block" as described below.
  • File contents, encrypted with ASCON-80pq as described below.
  • 16 byte authentication tag computed over the encrypted file contents.

The size of the input file will increase by 96 bytes when it is encrypted.

We don't support plaintext metadata in this format. Having to skip arbitrary-sized metadata blocks complicates the decryption process. The only metadata item that "AES Crypt" seemed to support was a "CREATED_BY" tag for the name and version of the encryption software.

If metadata is important, then it should be placed into the encrypted payload or distributed separately.

The "SIV block" contains the key and nonce, encrypted with the password and salt. The block is formed as follows:

  • Let (k1,n1) be the first 36 bytes of output from ASCON-PBKDF2(password, salt, 8192) where k1 is 20 bytes in length and n1 is 16 bytes in length.
  • Generate the 36 byte sequence (k2,n2) randomly. Once again, k2 is 20 bytes in length and n2 is 16 bytes in length.
  • Encrypt the sequence (k2,n2) with ASCON-80pq-SIV using the key k1 and the nonce n1. The associated data is everything from the first byte of the file to the last byte of the salt.
  • The 52 byte output of ASCON-80pq-SIV (encrypted data plus tag) is written to the "SIV block" section in the output file.

The file's contents are encrypted with ASCON-80pq using the key k2 and the nonce n2. The associated data is the 52 bytes of the SIV block.

The SIV block "wraps" the actual encryption key and nonce. When the file is decrypted, the 16 byte authentication tag on the SIV block can be used to verify that the password is correct before attempting to decrypt the rest of the file.

The ASCON specification indicates that no more than 2^67 bytes of data should be encrypted under the same key with ASCON-80pq. For safety, the encryption process is aborted if more than 2^40 bytes, or 1 terabyte, are encountered. Larger files will need to be split into smaller sections.
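The section layout described above can be checked before any key derivation is attempted. The following parser is an added example, not code from asconcrypt or the ASCON Suite library; the names ac_view and ac_parse are hypothetical, and the sample file in main() is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Section sizes from the format description above. */
enum { AC_MAGIC = 10, AC_VER = 2, AC_SALT = 16, AC_SIV = 52, AC_TAG = 16,
       AC_AD = AC_MAGIC + AC_VER + AC_SALT,       /* 28: AD for the SIV block */
       AC_OVERHEAD = AC_AD + AC_SIV + AC_TAG };   /* 96 bytes added to a file */

/* Hypothetical view type: pointers into the caller's buffer, no copies. */
typedef struct {
    const uint8_t *salt;   /* 16 bytes, input to ASCON-PBKDF2 */
    const uint8_t *siv;    /* 52 bytes: wrapped (k2,n2) plus tag; AD for payload */
    const uint8_t *body;   /* ASCON-80pq ciphertext */
    size_t body_len;       /* equals the plaintext length */
    const uint8_t *tag;    /* 16 byte tag over the ciphertext */
} ac_view;

/* Returns 0 on success, -1 truncated, -2 bad magic, -3 unsupported version. */
int ac_parse(const uint8_t *buf, size_t len, ac_view *v)
{
    if (len < AC_OVERHEAD) return -1;             /* check before any offset math */
    if (memcmp(buf, "ASCONcrypt", AC_MAGIC) != 0) return -2;
    if (((buf[10] << 8) | buf[11]) != 0x0001) return -3;   /* big endian */
    v->salt = buf + AC_MAGIC + AC_VER;
    v->siv = buf + AC_AD;
    v->body = v->siv + AC_SIV;
    v->body_len = len - AC_OVERHEAD;
    v->tag = buf + len - AC_TAG;
    return 0;
}

int main(void)
{
    /* Constructed sample: valid header, zero-filled fields, 5 byte payload. */
    uint8_t file[AC_OVERHEAD + 5] = "ASCONcrypt";
    ac_view v;
    file[11] = 0x01;
    if (ac_parse(file, sizeof file, &v) != 0) return 1;
    printf("salt@%td siv@%td body@%td (%zu bytes) tag@%td\n", v.salt - file,
           v.siv - file, v.body - file, v.body_len, v.tag - file);
    return 0;
}
```

The first AC_AD bytes of the buffer are the associated data for the SIV block, and the 52 bytes at siv are the associated data for the payload, so a decryptor can pass both ranges to the AEAD calls without copying.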