AEGIS: Family of Authenticated Encryption Algorithms
AEGIS is a family of authenticated encryption and hashing algorithms designed for high-performance applications. It was chosen in the CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness) competition. A detailed description of the algorithms can be found here.
The AEGIS implementation used in SQLite3 Multiple Ciphers is based on the Portable C implementation by Frank Denis. The source code was adjusted to be usable in the SQLite3 Multiple Ciphers amalgamation.
The AEGIS cipher scheme supports the selection of all available AEGIS variants: AEGIS-128L, AEGIS-128X2, AEGIS-128X4, AEGIS-256, AEGIS-256X2, and AEGIS-256X4, the default being AEGIS-256.
The encryption key is derived from the passphrase using a random salt (stored in the first 16 bytes of the database file) and the key derivation algorithm Argon2id. The Argon2 implementation used in SQLite3 Multiple Ciphers is based on the reference C implementation of Argon2, which won the Password Hashing Competition (PHC).
One-time keys per database page are derived from the encryption key, the page number, and a 16- or 32-byte nonce, depending on the AEGIS variant. Additionally, the AEGIS cipher provides a 32-byte authentication tag per database page. Therefore, this cipher requires 48 or 64 reserved bytes per database page.
The following table lists all parameters related to this cipher that can be set before activating database encryption.
Parameter | Default | Min | Max | Description |
---|---|---|---|---|
tcost | 2 | 1 | | Number of iterations for the key derivation with Argon2id |
mcost | 19456 | 1 | | Amount of memory in kB for key derivation with Argon2id |
pcost | 1 | 1 | | Parallelism, number of threads for key derivation with Argon2 |
algorithm | 4 | 1 | 6 | AEGIS variant to be used for page encryption |
Notes
- The default values were chosen based on the OWASP (Open Web Application Security Project) recommendations as listed on the Argon2 Wikipedia web page under the heading Recommended minimum parameters.
- Each combination of parameter values leads to different encryption and authentication tag values. If databases need to be compatible across different platforms and devices, the parameter values should be chosen with care. For example, iOS restricts memory use to about 47 MB, so that choosing a value greater than 47 x 1024 (= 48128) for mcost can cause errors.
- Any of the available algorithms can be chosen on any platform. If hardware support is available, it will be used to accelerate the encryption process, but a software implementation will be used where hardware support is lacking.
Note
When specifying the algorithm via PRAGMA or as a URI parameter, the value can be specified as a number or as a string according to the following table:
Index | Name | Description |
---|---|---|
1 | aegis-128l | 128-bit key, a 128-bit nonce, 128-bit register |
2 | aegis-128x2 | 128-bit key, a 128-bit nonce, 256-bit register |
3 | aegis-128x4 | 128-bit key, a 128-bit nonce, 512-bit register |
4 | aegis-256 | 256-bit key, a 256-bit nonce, 128-bit register (default) |
5 | aegis-256x2 | 256-bit key, a 256-bit nonce, 256-bit register |
6 | aegis-256x4 | 256-bit key, a 256-bit nonce, 512-bit register |
Example: Setup for AEGIS cipher scheme

```sql
PRAGMA cipher = 'aegis';
PRAGMA algorithm = 'aegis-256x2';
PRAGMA key='<passphrase>';
```
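
A pre-flight check for the settings described on this page, as an added example that is not part of SQLite3 Multiple Ciphers: it resolves the algorithm by index or name, computes the reserved bytes per page, and flags an mcost above the iOS limit from the notes. The function names, the 4096-byte page size, and setting tcost, mcost and pcost through PRAGMAs of the same name are assumptions.

```python
# Added example, not project code. Values are taken from the tables on this page.
VARIANTS = {  # index -> (name, nonce bytes per page)
    1: ("aegis-128l", 16), 2: ("aegis-128x2", 16), 3: ("aegis-128x4", 16),
    4: ("aegis-256", 32), 5: ("aegis-256x2", 32), 6: ("aegis-256x4", 32),
}
TAG_BYTES = 32                 # authentication tag stored with every page
PORTABLE_MCOST_KB = 47 * 1024  # 48128 kB, the iOS ceiling from the notes


def resolve_algorithm(value):
    """Accept an index (1-6) or a variant name and return the index."""
    if isinstance(value, str):
        by_name = {name: idx for idx, (name, _) in VARIANTS.items()}
        if value.lower() not in by_name:
            raise ValueError(f"unknown AEGIS variant: {value!r}")
        return by_name[value.lower()]
    if value not in VARIANTS:
        raise ValueError(f"algorithm index must be 1-6, got {value!r}")
    return value


def reserved_bytes(algorithm):
    """Per-page overhead: nonce plus tag, i.e. 48 or 64 bytes."""
    return VARIANTS[resolve_algorithm(algorithm)][1] + TAG_BYTES


def plan(tcost=2, mcost=19456, pcost=1, algorithm=4, page_size=4096):
    """Validate the settings; return PRAGMA lines, page overhead and warnings."""
    costs = (("tcost", tcost), ("mcost", mcost), ("pcost", pcost))
    for name, val in costs:
        if not isinstance(val, int) or val < 1:
            raise ValueError(f"{name} must be an integer >= 1, got {val!r}")
    idx = resolve_algorithm(algorithm)
    warnings = []
    if mcost > PORTABLE_MCOST_KB:
        warnings.append(f"mcost {mcost} kB > {PORTABLE_MCOST_KB} kB: "
                        "can cause errors on iOS")
    pragmas = ["PRAGMA cipher = 'aegis';"]
    # Assumption: tcost/mcost/pcost are set through PRAGMAs of the same name.
    pragmas += [f"PRAGMA {name} = {val};" for name, val in costs]
    pragmas.append(f"PRAGMA algorithm = '{VARIANTS[idx][0]}';")
    # PRAGMA key is issued last by the caller; the passphrase is never
    # formatted into these strings.
    overhead = reserved_bytes(idx)
    return {"pragmas": pragmas, "reserved": overhead,
            "usable": page_size - overhead, "warnings": warnings}
```

Because every parameter combination produces different ciphertext and tags, running the same check on each target platform before creating the database catches an incompatible mcost early.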