CryptoStream and Authenticated Encryption

I am interested in providing a managed DLL for use in .NET that provides authenticated encryption services. The DLL could be used in a WPF program or an ASP application. I have a couple of questions related to Microsoft's cryptographic and streaming models.

Authenticated encryption modes (CCM, CWC, EAX, GCM, etc.) usually produce two artifacts: the first is the ciphertext, and the second is an authentication tag. Encryption is pretty simple, but there may be some problems. For example, CCM cannot be streamed because of the way the header is created, and authenticated encryption modes produce an authentication tag.

Decryption is more complicated because it cannot be streamed: all of the ciphertext must be available so that it can be verified against the authentication tag before decryption.

How can an authenticated encryption mode be adapted to block encryption so that it can be used in a CryptoStream? Is it possible? Perhaps this is why Microsoft does not provide it?

Does Microsoft have a recommendation? For example, break a large message into smaller messages or units (each with its own tag)? Or does MS recommend buffering until the entire message and its tag have been received?

Where does Microsoft recommend putting the tag? At the beginning of the stream? At the end of the stream?

Some useful links:

+5
2
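As an added example (not code from the question, from any of the answers, or from Microsoft), the following shows one way to answer the three questions above in practice: split the plaintext into fixed-size segments, seal each segment with AES-GCM under its own tag, and write the tag directly after each segment's ciphertext, so both sides can stream one segment at a time and the decryptor never releases a byte of plaintext before that segment has been verified. It assumes .NET 8 (the `AesGcm(key, tagSizeInBytes)` constructor and `RandomNumberGenerator.GetBytes`), which did not exist when the question was asked; the class name `SegmentedAesGcm`, the wire layout and the 64 KiB segment size are this example's own choices, not a Microsoft recommendation. The caveat a practitioner should take from it: per-segment tags alone let an attacker reorder, replay or drop segments undetected, so the segment counter goes into the nonce and a "last segment" flag goes into the associated data (the STREAM construction uses the same idea); with those bound, reordering and truncation fail authentication.

```csharp
using System;
using System.Buffers.Binary;
using System.IO;
using System.Security.Cryptography;

// Added example, not from the original post or from Microsoft. Assumes .NET 8.
// Wire layout: [8-byte random nonce prefix] then, per segment,
//   [4-byte big-endian ciphertext length][ciphertext][16-byte GCM tag]
// Nonce = prefix || 32-bit big-endian segment counter.
// Associated data = one byte: 1 for the final segment, 0 otherwise.
// The counter defeats reordering/replay; the last-segment flag defeats truncation.
public static class SegmentedAesGcm
{
    const int PrefixLen = 8, NonceLen = 12, TagLen = 16;
    public const int SegmentLen = 64 * 1024;

    public static void Encrypt(byte[] key, Stream plaintext, Stream output)
    {
        byte[] prefix = RandomNumberGenerator.GetBytes(PrefixLen); // fresh per stream
        output.Write(prefix);
        using var aes = new AesGcm(key, TagLen);
        byte[] cur = new byte[SegmentLen], next = new byte[SegmentLen];
        byte[] tag = new byte[TagLen], len = new byte[4];
        int n = ReadFull(plaintext, cur);
        for (uint counter = 0; ; counter++) // 2^32 segments * 64 KiB is far beyond one stream
        {
            // Read ahead one segment so the final one can be flagged before it is sealed.
            int nextN = n == SegmentLen ? ReadFull(plaintext, next) : 0;
            bool last = nextN == 0;
            byte[] ct = new byte[n];
            aes.Encrypt(Nonce(prefix, counter), cur.AsSpan(0, n), ct, tag, Aad(last));
            BinaryPrimitives.WriteInt32BigEndian(len, n);
            output.Write(len); output.Write(ct); output.Write(tag); // tag follows its segment
            if (last) break;
            (cur, next) = (next, cur);
            n = nextN;
        }
    }

    public static void Decrypt(byte[] key, Stream input, Stream plaintext)
    {
        byte[] prefix = new byte[PrefixLen];
        if (ReadFull(input, prefix) != PrefixLen) throw new CryptographicException("missing header");
        using var aes = new AesGcm(key, TagLen);
        byte[] tag = new byte[TagLen], len = new byte[4];
        if (ReadFull(input, len) != 4) throw new CryptographicException("no segments");
        for (uint counter = 0; ; counter++)
        {
            int n = BinaryPrimitives.ReadInt32BigEndian(len);
            if (n < 0 || n > SegmentLen) throw new CryptographicException("bad segment length");
            byte[] ct = new byte[n];
            if (ReadFull(input, ct) != n || ReadFull(input, tag) != TagLen)
                throw new CryptographicException("truncated segment");
            // Peek for the next length field: EOF here means this segment claims to be last.
            int peeked = ReadFull(input, len);
            bool last = peeked == 0;
            if (!last && peeked != 4) throw new CryptographicException("truncated length");
            byte[] pt = new byte[n];
            // Verifies the tag first; throws before any plaintext of this segment is released.
            aes.Decrypt(Nonce(prefix, counter), ct, tag, pt, Aad(last));
            plaintext.Write(pt);
            if (last) return;
        }
    }

    static byte[] Nonce(byte[] prefix, uint counter)
    {
        byte[] nonce = new byte[NonceLen];
        prefix.CopyTo(nonce, 0);
        BinaryPrimitives.WriteUInt32BigEndian(nonce.AsSpan(PrefixLen), counter);
        return nonce;
    }

    static byte[] Aad(bool last) => new[] { last ? (byte)1 : (byte)0 };

    // Stream.Read may return fewer bytes than requested; loop until full or EOF.
    static int ReadFull(Stream s, byte[] buf)
    {
        int total = 0;
        while (total < buf.Length)
        {
            int r = s.Read(buf, total, buf.Length - total);
            if (r == 0) break;
            total += r;
        }
        return total;
    }
}
```

Usage is `SegmentedAesGcm.Encrypt(key, inputStream, outputStream)` and `SegmentedAesGcm.Decrypt(key, inputStream, outputStream)` with a 16-, 24- or 32-byte key. Dropping, duplicating or swapping any segment, or cutting the stream short, makes `Decrypt` throw a `CryptographicException` at the first affected segment, and whatever was written before that point is plaintext that did verify. Because the decryptor reads a whole segment before releasing it, this is not a drop-in `ICryptoTransform` for `CryptoStream`, which hands the transform blocks of `InputBlockSize` with no notion of a trailing tag; wrapping this logic in a `Stream` subclass is the more natural fit.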

2010 microsoft CLR System.Security.Cryptography, GCM.

"Microsoft?" ...

+4

baard, GCM: AES CBC, MAC. GCM, CTR.


Microsoft: Google, Bing: Microsoft.

+2
