// Hash the length of the ciphertext as well
memset( X_block, '\0', AES_BLOCK_SIZE );
memcpy( X_block + 12, ( void * ) &input_len, sizeof( unsigned int ) );
xor( X_block, Y, AES_BLOCK_SIZE );
gf_multiply( X_block, H, Y );
}
As you can see, it's not too complex after you've gotten gf_multiply working.
The input is gf_multiply'ed, one block at a time, and each resulting block
is XOR'ed with the last. Here, the block size is hardcoded as AES_BLOCK_SIZE
because this is used in the context of AES. The terse variable names presented
here match the specification so you can easily compare what this code is doing
with what the specification declares.
Combining CTR and Galois-Field Authentication with AES-GCM
AES-GCM is specified by http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
and in more detail in http://www.csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf .
It's a lot like AES-CCM, but it uses GHASH instead of CBC-MAC. It also MACs the
encrypted values rather than the plaintext, so although you can, in theory, try to
write one über-routine that encapsulates both, you'd end up with such a mess
of special cases it wouldn't really be worth it. AES-GCM also does away with
AES-CCM's special header block and starts the encryption on counter block 2,
rather than counter block 1; the MAC is encrypted with counter block 1 rather
than counter block 0.
Listing 9-18 illustrates a combined CTR/GHASH implementation of AES-GCM.
There are a lot of similarities between this and the AES-CCM implementation
in Listing 9-14, but not quite enough to make it worth trying to combine them
into a single common routine.
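The following is an added example, not code from the book's aes.c, that ties together the GHASH tail shown above and the GCM structure just described: a GF(2^128) multiply in the GCM bit ordering, GHASH over additional data and ciphertext, the standard's final length block, and the last step of GCM, tag = GHASH(H, A, C) XOR E_K(J0). One point worth checking against any hand-written GHASH: the specification's final block is the bit length of the additional data followed by the bit length of the ciphertext, each as a 64-bit big-endian integer, so a length copied as a native unsigned int only matches that encoding on a big-endian machine with the value already converted to bits. AES itself is not implemented here; the values of H (= AES_K(0)), the ciphertext block and AES_K(J0) are the published intermediates of GCM test case 2 (all-zero key, all-zero 16-byte plaintext, all-zero 96-bit IV), and the function and parameter names are this example's own.

```c
/* Added example (not the book's code): GHASH, the GCM length block and the
 * final tag combination. H, C and E_K(J0) below are constants taken from
 * the published GCM test case 2, since AES is not implemented here. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GCM_BLOCK 16

/* Z = X * Y in GF(2^128); the most significant bit of byte 0 is the
 * coefficient of x^0, as in Algorithm 1 of the GCM specification. */
static void gf_multiply(const uint8_t X[GCM_BLOCK], const uint8_t Y[GCM_BLOCK],
                        uint8_t Z[GCM_BLOCK])
{
    uint8_t V[GCM_BLOCK];
    memcpy(V, Y, GCM_BLOCK);
    memset(Z, 0, GCM_BLOCK);
    for (int i = 0; i < 128; i++) {
        if (X[i / 8] & (0x80 >> (i % 8))) {
            for (int j = 0; j < GCM_BLOCK; j++) Z[j] ^= V[j];
        }
        int lsb = V[GCM_BLOCK - 1] & 1;              /* coefficient of x^127 */
        for (int j = GCM_BLOCK - 1; j > 0; j--)      /* V = V >> 1 (whole 128 bits) */
            V[j] = (uint8_t)((V[j] >> 1) | (V[j - 1] << 7));
        V[0] >>= 1;
        if (lsb) V[0] ^= 0xe1;                       /* reduce modulo x^128+x^7+x^2+x+1 */
    }
}

/* Absorb data into the running value Y, zero-padding a short final block. */
static void ghash_update(const uint8_t H[GCM_BLOCK], uint8_t Y[GCM_BLOCK],
                         const uint8_t *data, size_t len)
{
    uint8_t block[GCM_BLOCK];
    while (len > 0) {
        size_t n = len < GCM_BLOCK ? len : GCM_BLOCK;
        memset(block, 0, GCM_BLOCK);
        memcpy(block, data, n);
        for (int j = 0; j < GCM_BLOCK; j++) block[j] ^= Y[j];
        gf_multiply(block, H, Y);
        data += n;
        len -= n;
    }
}

static void put_be64(uint8_t *out, uint64_t v)
{
    for (int i = 7; i >= 0; i--) { out[i] = (uint8_t)v; v >>= 8; }
}

/* GHASH_H(A, C): additional data, then ciphertext, then the length block
 * [len(A) in bits]_64 || [len(C) in bits]_64, both big-endian. */
void ghash(const uint8_t H[GCM_BLOCK], const uint8_t *aad, size_t aad_len,
           const uint8_t *ct, size_t ct_len, uint8_t Y[GCM_BLOCK])
{
    uint8_t lens[GCM_BLOCK];
    memset(Y, 0, GCM_BLOCK);
    ghash_update(H, Y, aad, aad_len);
    ghash_update(H, Y, ct, ct_len);
    put_be64(lens, (uint64_t)aad_len * 8);
    put_be64(lens + 8, (uint64_t)ct_len * 8);
    for (int j = 0; j < GCM_BLOCK; j++) lens[j] ^= Y[j];
    gf_multiply(lens, H, Y);
}

/* Last step of GCM: tag = GHASH XOR E_K(J0), J0 being the first counter block. */
void gcm_tag(const uint8_t ghash_out[GCM_BLOCK], const uint8_t ek_j0[GCM_BLOCK],
             uint8_t tag[GCM_BLOCK])
{
    for (int j = 0; j < GCM_BLOCK; j++) tag[j] = ghash_out[j] ^ ek_j0[j];
}

static void unhex(const char *hex, uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) sscanf(hex + 2 * i, "%2hhx", &out[i]);
}

/* GCM test case 2: K = 0^128, P = 0^128, IV = 0^96, no additional data.
 * Returns 1 if both GHASH and the tag match the published values. */
int check_gcm_test_case_2(void)
{
    uint8_t H[GCM_BLOCK], C[GCM_BLOCK], EKJ0[GCM_BLOCK], want_g[GCM_BLOCK],
            want_t[GCM_BLOCK], G[GCM_BLOCK], T[GCM_BLOCK];
    unhex("66e94bd4ef8a2c3b884cfa59ca342b2e", H, GCM_BLOCK);    /* H = AES_K(0) */
    unhex("0388dace60b6a392f328c2b971b2fe78", C, GCM_BLOCK);    /* ciphertext block */
    unhex("58e2fccefa7e3061367f1d57a4e7455a", EKJ0, GCM_BLOCK); /* AES_K(J0) */
    unhex("f38cbb1ad69223dcc3457ae5b6b0f885", want_g, GCM_BLOCK);
    unhex("ab6e47d42cec13bdf53a67b21257bddf", want_t, GCM_BLOCK);
    ghash(H, NULL, 0, C, GCM_BLOCK, G);
    gcm_tag(G, EKJ0, T);
    return memcmp(G, want_g, GCM_BLOCK) == 0 && memcmp(T, want_t, GCM_BLOCK) == 0;
}

/* Edge case: no data at all hashes to the zero block (length block is all zero). */
int check_ghash_empty_is_zero(void)
{
    uint8_t H[GCM_BLOCK], G[GCM_BLOCK], zero[GCM_BLOCK] = {0};
    unhex("66e94bd4ef8a2c3b884cfa59ca342b2e", H, GCM_BLOCK);
    ghash(H, NULL, 0, NULL, 0, G);
    return memcmp(G, zero, GCM_BLOCK) == 0;
}
```

Running check_gcm_test_case_2() reproduces the specification's intermediate GHASH value f38cbb1ad69223dcc3457ae5b6b0f885 and the tag ab6e47d42cec13bdf53a67b21257bddf; if a GHASH implementation gets the first but not the second, the problem is in the counter-block or tag step, and if it gets neither, the usual suspects are the bit ordering inside gf_multiply or the encoding of the length block.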
Listing 9-18: “aes.c” aes_gcm_encrypt
/**
* This implements 128-bit AES-GCM.
* IV must be exactly 12 bytes long and must consist of
* 12 bytes of random, unique data. The last four bytes will
* be overwritten.
* output must be exactly 16 bytes longer than input.
*/
int aes_gcm_encrypt( const unsigned char *input,
int input_len,
unsigned char *output,
void *iv,
(Continued)