original_addl_len = htonl( addldata_len << 3 ); // remember this for final block
memset( input_block, '\0', AES_BLOCK_SIZE );
// The final GHASH block is len(A) || len(C): the bit length of the additional
// data followed by the bit length of the ciphertext, each as a 64-bit
// big-endian field. Only the low 32 bits of each field are written here
// (offsets 4 and 12), which is exact as long as neither input reaches 2^29
// bytes; original_input_len is expected to hold the plaintext bit length,
// encoded the same way as original_addl_len.
memcpy( input_block + 4, ( void * ) &original_addl_len,
  sizeof( unsigned int ) );
memcpy( input_block + 12, ( void * ) &original_input_len,
  sizeof( unsigned int ) );
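As an added example (not code from the book), the same final-block construction written stand-alone, with both bit lengths stored as full 64-bit big-endian fields as the GCM specification defines them, so it remains correct for inputs of 2^29 bytes or more, where a 32-bit `len << 3` would overflow. The function name gcm_length_block, the helper put_be64, and the local AES_BLOCK_SIZE definition are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AES_BLOCK_SIZE 16  /* defined locally for this example */

/* Store v as 8 big-endian bytes. */
static void put_be64( unsigned char *out, uint64_t v )
{
  int i;

  for ( i = 7; i >= 0; i-- )
  {
    out[ i ] = ( unsigned char ) ( v & 0xff );
    v >>= 8;
  }
}

/* Build the final GHASH input block for AES-GCM:
 *   [ len(A) in bits, 64-bit big-endian ][ len(C) in bits, 64-bit big-endian ]
 * where A is the additional authenticated data and C the ciphertext.
 * Lengths are passed in bytes and shifted in 64-bit arithmetic, so inputs of
 * 2^29 bytes or more still encode correctly.  Returns 0 on success, or -1 if
 * a length would not fit its 64-bit field once converted to bits. */
int gcm_length_block( unsigned char block[ AES_BLOCK_SIZE ],
                      uint64_t addldata_len, uint64_t input_len )
{
  if ( ( addldata_len >> 61 ) || ( input_len >> 61 ) )
  {
    return -1;
  }
  memset( block, '\0', AES_BLOCK_SIZE );
  put_be64( block, addldata_len << 3 );      /* len(A) */
  put_be64( block + 8, input_len << 3 );     /* len(C) */
  return 0;
}

int main( void )
{
  /* Constructed inputs matching the aes -e run on this page: 7 bytes of
   * additional data ("tuvwxyz") and 3 bytes of plaintext ("abc"). */
  unsigned char block[ AES_BLOCK_SIZE ];
  int i;

  if ( gcm_length_block( block, 7, 3 ) == 0 )
  {
    for ( i = 0; i < AES_BLOCK_SIZE; i++ )
    {
      printf( "%02x", block[ i ] );
    }
    printf( "\n" );  /* 00000000000000380000000000000018 */
  }
  return 0;
}
```

For the page's own inputs the block is 0x38 (56 bits) at offset 7 and 0x18 (24 bits) at offset 15, with every other byte zero, which is exactly what the 32-bit copies at offsets 4 and 12 in the book's routine produce; the two encodings only diverge once a length needs more than 32 bits.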
You can see this in action, as well, if you modify the main routine to invoke
aes_gcm_encrypt or aes_gcm_decrypt instead of aes_ccm:
[jdavies@localhost ssl]$ ./aes -e "@ABCDEFGHIJKLMNO" "12345678" "tuvwxyz" "abc"
87fd0515d242cf110c77b98055c3ad3196aec6
[jdavies@localhost ssl]$ ./aes -d "@ABCDEFGHIJKLMNO" "12345678" "tuvwxyz" \
0x87fd0515d242cf110c77b98055c3ad3196aec6
616263
Notice that the AES-GCM output for the same input is 8 bytes longer than
the AES-CCM output: the AES-GCM routine appended a 16-byte MAC, whereas the
AES-CCM routine appended only 8. There's no particular reason why it must be
this way; those are the lengths shown in their respective specifications, so
they were coded that way here. The MAC length is configurable, but because
the length is not included anywhere in the output, both sides must agree on
it before any data is transmitted. A receiver that assumes the wrong MAC
length splits the ciphertext and the MAC at the wrong offset, and nothing in
the output itself reveals the mismatch; only the failed authentication does.
Incorporating AEAD Ciphers into TLS 1.2
AEAD ciphers such as AES-CCM and AES-GCM are just different enough from
block and stream ciphers, from the perspective of TLS 1.2, to warrant their own
record format. Both ciphers examined here are, in effect, stream ciphers (AES
in counter mode) combined with a MAC, which is structurally just like RC4 with
SHA-1. However, AEAD ciphers must also transmit their nonce. Block ciphers do
something similar with their IVs, and they additionally carry padding; in
theory you could implement an AEAD cipher by treating it as a block-ciphered
structure whose padding is zero-length.
In fact, you could get away with this for AES-CCM. If you declared the cipher
as aes_ctr_(en/de)crypt, you could make the MAC function variable and
replace the default HMAC operation with a CBC-MAC (one that, as CCM requires,
also covers the nonce and the additional data). This would actually work
with the block-ciphered encryption structure coded in Listing 6-64, because
CCM, like that structure, computes its MAC over the plaintext and then
encrypts it along with the data. However, this would fail for AES-GCM.
AES-GCM computes its MAC over the ciphertext rather than the plaintext.
Although you could probably write code to maintain this as a special case,
AEAD ciphers are designed to be treated as a black box. You give it the key,
a nonce, the plaintext, and any additional data to authenticate, and it gives
you back an arbitrarily sized chunk of data that it promises to decrypt and
authenticate, given the same key, nonce, and additional data, at a later
date. To properly support AEAD, you must treat AEAD ciphers as yet another
sort of cipher.
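To make that separate record format concrete, here is an added example (not the book's code) of TLS 1.2 GenericAEADCipher framing: how the nonce and the additional data are assembled for one record, how a fragment is laid out, and how it is split back apart. The field sizes follow RFC 5246 section 6.2.3.3 and RFC 5288 (a 4-byte implicit nonce taken from the key block, an 8-byte explicit nonce sent at the front of each fragment, and 13 bytes of additional data: sequence number, content type, version, and plaintext length), which this page does not spell out; the function and constant names, the implicit salt value, and the sample record are assumptions constructed for this example. The ciphertext and MAC bytes are taken from the aes -e run above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field sizes from RFC 5246 6.2.3.3 and RFC 5288 (assumed here, not from the
 * book's own code). */
#define TLS_AEAD_IMPLICIT_NONCE_LEN 4  /* write_IV from the key block */
#define TLS_AEAD_EXPLICIT_NONCE_LEN 8  /* sent in the clear in each record */
#define TLS_AEAD_AAD_LEN 13  /* seq_num(8) || type(1) || version(2) || length(2) */

typedef struct
{
  unsigned char nonce[ TLS_AEAD_IMPLICIT_NONCE_LEN + TLS_AEAD_EXPLICIT_NONCE_LEN ];
  unsigned char aad[ TLS_AEAD_AAD_LEN ];
} tls12_aead_params;

/* Assemble the nonce (implicit || explicit) and the additional data that bind
 * the record's sequence number, content type, version and plaintext length
 * to the MAC. */
void tls12_aead_build_params( tls12_aead_params *p,
                              const unsigned char *implicit_nonce,
                              const unsigned char *explicit_nonce,
                              uint64_t seq_num, unsigned char content_type,
                              uint16_t version, uint16_t plaintext_len )
{
  int i;

  memcpy( p->nonce, implicit_nonce, TLS_AEAD_IMPLICIT_NONCE_LEN );
  memcpy( p->nonce + TLS_AEAD_IMPLICIT_NONCE_LEN, explicit_nonce,
          TLS_AEAD_EXPLICIT_NONCE_LEN );
  for ( i = 7; i >= 0; i-- )  /* 64-bit sequence number, big-endian */
  {
    p->aad[ i ] = ( unsigned char ) ( seq_num & 0xff );
    seq_num >>= 8;
  }
  p->aad[ 8 ] = content_type;
  p->aad[ 9 ] = ( unsigned char ) ( version >> 8 );
  p->aad[ 10 ] = ( unsigned char ) ( version & 0xff );
  p->aad[ 11 ] = ( unsigned char ) ( plaintext_len >> 8 );
  p->aad[ 12 ] = ( unsigned char ) ( plaintext_len & 0xff );
}

/* Lay out the fragment as explicit nonce || ciphertext || tag.  out must have
 * room for 8 + ct_len + tag_len bytes; returns the fragment length. */
size_t tls12_aead_frame( unsigned char *out, const unsigned char *explicit_nonce,
                         const unsigned char *ciphertext, size_t ct_len,
                         const unsigned char *tag, size_t tag_len )
{
  memcpy( out, explicit_nonce, TLS_AEAD_EXPLICIT_NONCE_LEN );
  memcpy( out + TLS_AEAD_EXPLICIT_NONCE_LEN, ciphertext, ct_len );
  memcpy( out + TLS_AEAD_EXPLICIT_NONCE_LEN + ct_len, tag, tag_len );
  return TLS_AEAD_EXPLICIT_NONCE_LEN + ct_len + tag_len;
}

/* Split a received fragment.  The tag length is not carried in the record,
 * so the caller supplies the value both sides agreed on; fragments too short
 * to hold a nonce and a tag are rejected.  Returns 0 on success, -1 if
 * malformed; the output pointers point into frag. */
int tls12_aead_parse( const unsigned char *frag, size_t frag_len, size_t tag_len,
                      const unsigned char **explicit_nonce,
                      const unsigned char **ciphertext, size_t *ct_len,
                      const unsigned char **tag )
{
  if ( frag_len < TLS_AEAD_EXPLICIT_NONCE_LEN + tag_len )
  {
    return -1;
  }
  *explicit_nonce = frag;
  *ciphertext = frag + TLS_AEAD_EXPLICIT_NONCE_LEN;
  *ct_len = frag_len - TLS_AEAD_EXPLICIT_NONCE_LEN - tag_len;
  *tag = *ciphertext + *ct_len;
  return 0;
}

int main( void )
{
  /* Constructed sample: the 3-byte ciphertext and 16-byte MAC from the
   * aes -e run above, that run's 8-byte nonce as the explicit part, a
   * made-up implicit salt, sequence number 1, application_data (23), TLS 1.2. */
  static const unsigned char salt[ 4 ] = { 0xde, 0xad, 0xbe, 0xef };
  static const unsigned char explicit_nonce[ 8 ] =
    { '1', '2', '3', '4', '5', '6', '7', '8' };
  static const unsigned char ct[ 3 ] = { 0x87, 0xfd, 0x05 };
  static const unsigned char tag[ 16 ] =
    { 0x15, 0xd2, 0x42, 0xcf, 0x11, 0x0c, 0x77, 0xb9,
      0x80, 0x55, 0xc3, 0xad, 0x31, 0x96, 0xae, 0xc6 };
  unsigned char frag[ 64 ];
  tls12_aead_params p;
  size_t n, i;

  tls12_aead_build_params( &p, salt, explicit_nonce, 1, 23, 0x0303, 3 );
  n = tls12_aead_frame( frag, explicit_nonce, ct, 3, tag, 16 );
  printf( "aad:      " );
  for ( i = 0; i < TLS_AEAD_AAD_LEN; i++ ) printf( "%02x", p.aad[ i ] );
  printf( "\nfragment: " );
  for ( i = 0; i < n; i++ ) printf( "%02x", frag[ i ] );
  printf( "\n" );
  return 0;
}
```

The parser takes the tag length as a parameter precisely because the record does not carry it. Parsing the 27-byte sample with a tag length of 8 instead of 16 "succeeds" with an 11-byte ciphertext; nothing in the framing reveals the mismatch, and only the MAC check inside the AEAD routine would. That is the agreement the previous section says both sides must reach before transmitting.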