Possibly incorrect counter overflow handling for AES-GCM

Jussi Kivilinna jussi.kivilinna at iki.fi
Tue Jan 30 23:12:26 CET 2018


Hello,

On 30.01.2018 13:21, NIIBE Yutaka wrote:
> Clemens.Lang at bmw.de wrote:
>> Note that you will also have to use the same key K to trigger the behavior. This is because the initial counter value J_0 is calculated from the given IV using the GHASH function, which uses the hash subkey H = CIPH_K(0^128).
>>
>> Just for the record, I tested this with 1.8.2 and 1.7.6.
> 
> Ah, I see.  I created a ticket:
> 
>        https://dev.gnupg.org/T3764
> 
> I naively read your previous message which addressed section 7.1,
> algorithm 4, step 3 of the document.  It is actually section 6.5,
> algorithm 3, step 5, which matters.
> 
> I'll create a test case in libgcrypt/tests/ and fix.
> 
> Since I'm going to travel, it will be next week.
> 

I can do the fix for this one, if that's ok.

-Jussi
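
The counter step cited in the quoted text (section 6.5, algorithm 3, step 5) uses inc_32, which increments only the rightmost 32 bits of the counter block; this matters once J_0 comes out of GHASH with a low word close to 2^32, whereas a 96-bit IV gives J_0 = IV || 0^31 || 1. The following is an added example, not libgcrypt code and not part of the original message; the J_0 values are constructed and `inc128` is a hypothetical contrast routine:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* inc_32 (SP 800-38D section 6.2): +1 on the rightmost 32 bits mod 2^32 only. */
static void inc32(uint8_t cb[16])
{
    for (int i = 15; i >= 12; i--)
        if (++cb[i] != 0)
            break;
}

/* Hypothetical contrast, NOT GCM: 128-bit increment, carry reaches byte 11. */
static void inc128(uint8_t cb[16])
{
    for (int i = 15; i >= 0; i--)
        if (++cb[i] != 0)
            break;
}

/* 1 if both routines yield the same counter block after n increments. */
static int counters_agree(const uint8_t start[16], unsigned n)
{
    uint8_t a[16], b[16];
    memcpy(a, start, 16);
    memcpy(b, start, 16);
    while (n--) { inc32(a); inc128(b); }
    return memcmp(a, b, 16) == 0;
}

/* Number of increments until the low 32 bits of cb wrap to zero. */
static uint64_t incs_until_wrap(const uint8_t cb[16])
{
    uint32_t low = ((uint32_t)cb[12] << 24) | ((uint32_t)cb[13] << 16) | ((uint32_t)cb[14] << 8) | cb[15];
    return 0x100000000ULL - low;
}

/* Constructed sample values, not taken from the thread. */
static const uint8_t J0_IV96[16]  = { 1,2,3,4,5,6,7,8,9,10,11,12, 0,0,0,1 };
static const uint8_t J0_GHASH[16] = { 0xa0,0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,
                                      0xa8,0xa9,0xaa,0xab, 0xff,0xff,0xff,0xfe };

int main(void)
{
    printf("96-bit IV J0: agree over 1000 blocks = %d\n", counters_agree(J0_IV96, 1000));
    printf("GHASH J0: wraps after %llu incs, agree over 2 = %d\n",
           (unsigned long long)incs_until_wrap(J0_GHASH), counters_agree(J0_GHASH, 2));
    return 0;
}
```

A regression test for this case needs a J_0 whose low word sits just below 2^32, so that the wrap happens within the first few blocks of the message.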