CTR mode broken in libgcrypt 1.2.1
Adam Langley
alangley at gmail.com
Tue Jun 14 18:50:32 CEST 2005
CTR mode is defined as[1]:
Let C be the XOR (exclusive-or) of M and the first |M| bits of the
pad E(ctr) | E(ctr+1) | ...
With libgcrypt 1.2.1 there is a message boundary bug. In short,
E('abc') will cause E(ctr) to be calculated and the last 13 bytes to
be discarded. E('def') will use another, fresh, E(ctr+1) and will
discard another 13 bytes. This is incorrect (by [1] above, and by
OpenSSL's implementation).
The attached patch fixes this. This patch has been tested against code
which uses OpenSSL for AES128 CTR.
[1] http://csrc.nist.gov/CryptoToolkit/modes/workshop1/papers/lipmaa-ctr.pdf
AGL
--
Adam Langley agl at imperialviolet.org
http://www.imperialviolet.org (+44) (0)7906 332512
PGP: 9113 256A CC0F 71A6 4C84 5087 CDA5 52DF 2CB6 3D60
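The boundary behaviour described in the post can be made concrete with a small model of CTR mode. The following is an added example, not libgcrypt's code nor the attached patch: it runs CTR over a stand-in block cipher (a keyed hash truncated to 16 bytes, constructed for illustration and not AES) with a constructed key, and compares a correctly streaming implementation, which carries unused pad bytes across calls, with one that discards them at each message boundary as libgcrypt 1.2.1 is described as doing. Encrypting 'abc' then 'def' should equal encrypting 'abcdef' in one call; with the boundary bug it does not.

```python
import hashlib

BLOCK = 16  # block size in bytes, as for AES-128


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k(block): a keyed hash truncated to one block.

    Constructed for this example only; it is NOT AES and must not be used
    for real encryption. The CTR bookkeeping around it is the point.
    """
    if len(block) != BLOCK:
        raise ValueError("block cipher input must be exactly one block")
    return hashlib.sha256(key + block).digest()[:BLOCK]


class CTR:
    """CTR mode over toy_block_cipher.

    keep_leftover=True  -> correct behaviour: E(ctr)|E(ctr+1)|... is one
                           continuous pad, consumed across calls.
    keep_leftover=False -> models the libgcrypt 1.2.1 boundary bug from the
                           post: unused pad bytes are thrown away at the end
                           of each call, so the next call starts at a fresh
                           E(ctr+1) instead of continuing inside E(ctr).
    """

    def __init__(self, key: bytes, ctr: int, keep_leftover: bool = True):
        self.key = key
        self.ctr = ctr
        self.keep_leftover = keep_leftover
        self.pad = b""  # unused keystream bytes of the current block

    def process(self, data: bytes) -> bytes:
        # Encryption and decryption are the same XOR in CTR mode.
        out = bytearray()
        for byte in data:
            if not self.pad:
                counter_block = (self.ctr % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
                self.pad = toy_block_cipher(self.key, counter_block)
                self.ctr += 1
            out.append(byte ^ self.pad[0])
            self.pad = self.pad[1:]
        if not self.keep_leftover:
            self.pad = b""  # the bug: discard the remaining BLOCK - |M| pad bytes
        return bytes(out)


KEY = b"constructed-16B-"  # 16-byte sample key, constructed for this example
START_CTR = 1


def one_shot(msg: bytes, keep_leftover: bool = True) -> bytes:
    """Process a whole message in a single call (what OpenSSL-style CTR yields)."""
    return CTR(KEY, START_CTR, keep_leftover).process(msg)


def chunked(chunks, keep_leftover: bool) -> bytes:
    """Process a message delivered in several calls to the same CTR object."""
    c = CTR(KEY, START_CTR, keep_leftover)
    return b"".join(c.process(m) for m in chunks)


def demo():
    """Return (reference, correct streaming, boundary-bug) ciphertexts for 'abc'+'def'."""
    reference = one_shot(b"abcdef")
    correct = chunked([b"abc", b"def"], keep_leftover=True)
    buggy = chunked([b"abc", b"def"], keep_leftover=False)
    return reference, correct, buggy


def roundtrip(chunks, keep_leftover: bool) -> bytes:
    """Encrypt in chunks, then decrypt in one call with a correct CTR.

    Interoperability check: only the correctly streamed ciphertext decrypts
    back to the plaintext; the boundary-bug ciphertext fails after 'abc'.
    """
    return one_shot(chunked(chunks, keep_leftover))


if __name__ == "__main__":
    ref, ok, bad = demo()
    print("reference :", ref.hex())
    print("streaming :", ok.hex(), "matches" if ok == ref else "DIFFERS")
    print("1.2.1-like:", bad.hex(), "matches" if bad == ref else "DIFFERS")
```

The first three ciphertext bytes agree in all three cases, since both implementations take them from E(ctr); the divergence is only in the bytes after the boundary, which is why a bug of this kind is easy to miss in tests that always encrypt whole-block or single-call messages.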
[Attachment: ctr-mode.agl.patch, 2373 bytes, scrubbed by the list archive]