Cryptography Reference
In-Depth Information
// Now encrypt the MAC block and output it
memset( nonce + 12, '\0', sizeof( unsigned int ) );
nonce[ 15 ] = 0x01;
aes_block_encrypt( nonce, input_block, key, 16 );
xor( output, input_block, AES_BLOCK_SIZE );
return 0;
}
As you can see, the H parameter that GHASH requires is a block of all zeros,
AES-encrypted with the shared key.
memset( zeros, '\0', AES_BLOCK_SIZE );
aes_block_encrypt( zeros, H, key, 16 );
memset( nonce + 12, '\0', sizeof( unsigned int ) );
The CTR-mode computation is identical to that of AES-CCM; the only difference is that the nonce counter starts at 2 rather than at 1, because the counter-1 block is reserved for masking the tag at the end. The MAC, however, is different: AES-GCM MACs the encrypted output, whereas AES-CCM MACs the plaintext. The only potentially confusing line of Listing 9-18, then, is this one:
memset( ( input_block + AES_BLOCK_SIZE ) -
( AES_BLOCK_SIZE - block_size ), '\0',
AES_BLOCK_SIZE - block_size );
Because the MAC is computed over the encrypted output, and input_block currently contains the encrypted output (it was memcpy'd into output on the previous line), you can feed this block into the MAC computation. However, GHASH requires that a non-aligned final block be zero-padded, whereas CTR mode simply drops any unused keystream bytes. This convoluted line, then, zero-pads the final block if needed; the pointer arithmetic reduces to input_block + block_size, so it clears the last AES_BLOCK_SIZE - block_size bytes of the block. Otherwise, this looks just like the GHASH computation in Listing 9-17, with somewhat more meaningful variable names.
Next, the length trailer is appended to the MAC:
memset( input_block, '\0', AES_BLOCK_SIZE );
memcpy( input_block + 12, ( void * ) &original_input_len,
sizeof( unsigned int ) );
xor( input_block, mac_block, AES_BLOCK_SIZE );
gf_multiply( input_block, H, output );
Note that original_input_len is given in bits, not bytes, hence the << 3 at the start of the function. GCM defines this trailer as two big-endian 64-bit lengths: the length of the additional authenticated data in the first eight bytes and the length of the ciphertext in the last eight. The trailer shown here leaves bytes 0 through 7 zero (no additional authenticated data) and writes only the low 32 bits of the ciphertext length at offset 12, which is enough for inputs shorter than 2^32 bits. Those four bytes must be laid out big-endian; on a little-endian host the value has to be byte-swapped (for example with htonl) before the memcpy, or the tag will not match a conforming implementation.
Finally, the GHASH result is masked by XORing it with the AES encryption of the nonce with counter 1 (not counter 0 as in AES-CCM; this is the J0 block of the GCM specification), and the result is output as the final block, the authentication tag:
memset( nonce + 12, '\0', sizeof( unsigned int ) );
nonce[ 15 ] = 0x01;
aes_block_encrypt( nonce, input_block, key, 16 );
xor( output, input_block, AES_BLOCK_SIZE );