Cryptography Reference
In-Depth Information
int aes_ccm_decrypt( const unsigned char *input,
int input_len,
unsigned char *output,
void *iv,
const unsigned char *key )
{
return aes_ccm_process( input, input_len, output, iv, key, 1 );
}
As you can see, most of the changes involve making sure to process only the
ciphertext in decrypt mode. The big change is at the end; in decrypt mode, rather
than outputting the MAC, you decrypt it and then compare the computed MAC
with the one that was received. If they don't match, return false.
Note that there's nothing AES-specifi c about this routine; for optimum fl ex-
ibility, you could pass a pointer to a block encrypt function and invoke that
for each block. However, CCM with AES has been extensively studied and is
believed to be secure; if you swap AES with some arbitrary block cipher function,
you may not be so lucky. Your best bet for now is to only use CCM with AES.
Maximizing MAC Throughput with Galois-Field
Authentication
CBC-MAC has some theoretical problems, which are not serious enough to
discount using it (AES-CCM is actually becoming pretty popular), but the
problems are signifi cant enough that professional cryptanalysts have spent
effort trying to fi nd improvements. Additionally, recall that one of the benefi ts
of CTR mode is that it's infi nitely parallelizable. Unfortunately, CBC-MAC has
the same throughput problems that CBC encryption has, so CCM loses one of
the main advantages of using CTR mode in the fi rst place.
An alternative that avoids the problems with CBC-MAC is the GHASH authen-
tication routine. GHASH is based on Galois-Field (GF) multiplication; i.e.
multiplication in a fi nite fi eld. The idea behind GHASH is to XOR each block
with the previous block, but compute the GF(2 128 ) multiplication in the fi xed
polynomial fi eld x 128
x 7
x 2
1. This may sound somewhat familiar — it's
actually the same thing that you did to code the AES matrix multiplication, only
it's relative to a different polynomial. The code to perform this multiplication is
similar to the dot/xtime computation from Listing 2-36. The only real difference
here, other than the new polynomial, is that GHASH computation is done over
128-bit fi elds rather than only 8.
If all of that doesn't mean much to you, don't worry; you can treat the GHASH
function as a black box in the same way you treated the MD5 and SHA func-
tions. It creates a probabilistically unique, impossible-to-reverse output from
its input. How it does so is not as important as the fact that it does. Listing 9-16
shows the gf_multiply function.
x
Search WWH ::




Custom Search