refactoring Algorithm definition components into separate encryption, kdf, and authentication algorithm suites by mattsb42-aws · Pull Request #36 · aws/aws-encryption-sdk-python (original) (raw)

This is an idea I've been playing with to try and make the algorithm suites more comprehensible and less error-prone.

Status Quo

Each algorithm suite is composed of a large number of individual values that together form the complete algorithm suite specification.

Problem

These algorithm suite definitions are hard to understand, hard to debug, and easy to mess up.

Solution

Algorithm suites are not conceptually a grouping of a large number of primitives. They are a grouping of a small number of groupings of related values. Each of these groupings define characteristics of the overall algorithm suite.

I have separated these out into three sub-suites:

1. Encryption : contains only those values that control the encryption behavior
2. KDF : contains only those values that control the key derivation behavior
3. Authentication : contains only those values that control the authentication behavior

Each algorithm suite is then defined as a combination of these three sub-suites.

This lets us move from each algorithm suites having 13 distinct characteristics with no innately relations to:

• Three distinct encryption suites
• Two distinct KDF suites
• Three distinct authentication suites

Each algorithm suite now has four important values: algorithm ID, encryption suite, KDF suite, and authentication suite.

For legacy compatibility, when each algorithm suite is constructed, it still sets all of its expected attributes using the attributes of the sub-suites.