Oddity in AES encryption?

Jussi Kivilinna jussi.kivilinna at iki.fi
Wed Oct 23 21:47:43 CEST 2019


Hello,

On 22.10.2019 1.42, Clay Shields wrote:
> 
> Hi,
> 
> I am working on a C programming project that involves encrypting files with AES-256-CBC. I was testing libgcrypt and was comparing it to other libraries when I noticed that the output of libgcrypt seems to reverse the order of the final two blocks compared to the openssl library. I then used test values from NIST 800-38a and found that the final two blocks produced by libgcrypt are swapped from what the standards recommend. Libgcrypt is able to decrypt its own output but fails to decrypt the output of openssl.

The oddity is actually caused by ciphertext stealing. With CTS enabled, the last two blocks of CBC ciphertext get swapped when the input length is a multiple of the cipher's block size. Running your example without "GCRY_CIPHER_CBC_CTS", I get:

gcrypt Ciphertext is:
0000 - f5 8c 4c 04 d6 e5 f1 ba-77 9e ab fb 5f 7b fb d6   ..L.....w..._{..
0010 - 9c fc 4e 96 7e db 80 8d-67 9f 77 7b c6 70 2c 7d   ..N.~...g.w{.p,}
0020 - 39 f2 33 69 a9 d9 ba cf-a5 30 e2 63 04 23 14 61   9.3i.....0.c.#.a
0030 - b2 eb 05 e2 c3 9b e9 fc-da 6c 19 07 8c 6a 9d 1b   .........l...j..

-Jussi

> 
> Using the test vectors from F.2.5 of NIST Special Publication 800-38A (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf), I get:
> 
> SSl Ciphertext :
> 0000 - f5 8c 4c 04 d6 e5 f1 ba-77 9e ab fb 5f 7b fb d6   ..L.....w..._{..
> 0010 - 9c fc 4e 96 7e db 80 8d-67 9f 77 7b c6 70 2c 7d   ..N.~...g.w{.p,}
> 0020 - 39 f2 33 69 a9 d9 ba cf-a5 30 e2 63 04 23 14 61   9.3i.....0.c.#.a
> 0030 - b2 eb 05 e2 c3 9b e9 fc-da 6c 19 07 8c 6a 9d 1b   .........l...j..
> 
> gcrypt Ciphertext is:
> 0000 - f5 8c 4c 04 d6 e5 f1 ba-77 9e ab fb 5f 7b fb d6   ..L.....w..._{..
> 0010 - 9c fc 4e 96 7e db 80 8d-67 9f 77 7b c6 70 2c 7d   ..N.~...g.w{.p,}
> 0020 - b2 eb 05 e2 c3 9b e9 fc-da 6c 19 07 8c 6a 9d 1b   .........l...j..
> 0030 - 39 f2 33 69 a9 d9 ba cf-a5 30 e2 63 04 23 14 61   9.3i.....0.c.#.a
> 
> I believe that according to the NIST specs, libgcrypt has swapped the blocks labelled 0020 and 0030.
> 
> Perhaps I have done something wrong or unusual in my use of the library?
> 
> Thanks,
> 
> Clay
> 
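To make the block swap Jussi describes concrete, here is an added example (not code from this thread or from libgcrypt) that implements CBC with ciphertext stealing in the CS3 variant over Go's standard AES and runs it on the NIST SP 800-38A F.2.5 vector; the key, IV and plaintext are the published F.2.5 values, and the assumption that libgcrypt's GCRY_CIPHER_CBC_CTS corresponds to CS3 (unconditional swap of the last two blocks) is mine, based on the behaviour described above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// NIST SP 800-38A F.2.5 CBC-AES256 vector: key, IV and plaintext as given in the publication.
var (
	nistKey, _ = hex.DecodeString("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")
	nistIV, _  = hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	nistPT, _  = hex.DecodeString("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51" +
		"30c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710")
)

// Plain CBC over whole blocks with no padding: what the OpenSSL dump in the thread shows.
func cbcEncrypt(b cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, pt)
	return ct
}

// CBC with ciphertext stealing (CS3 variant): output is C_1..C_{n-2} || C_n || C_{n-1}[:tail].
// The last two blocks are swapped even for whole-block input (assumed to match libgcrypt's CTS).
func cbcCS3Encrypt(b cipher.Block, iv, pt []byte) ([]byte, error) {
	bs := b.BlockSize()
	if len(pt) <= bs {
		return nil, fmt.Errorf("CTS needs more than one block of input")
	}
	n := (len(pt) + bs - 1) / bs // block count; the last block may be partial
	tail := len(pt) - (n-1)*bs   // bytes in the last block, 1..bs
	head := cbcEncrypt(b, iv, pt[:(n-1)*bs])
	cPrev := head[len(head)-bs:] // C_{n-1}
	x := make([]byte, bs)        // (P_n || zero padding) XOR C_{n-1}
	copy(x, pt[(n-1)*bs:])
	for i := range x {
		x[i] ^= cPrev[i]
	}
	b.Encrypt(x, x) // x becomes C_n (in-place encrypt is allowed when dst and src fully overlap)
	out := append([]byte{}, head[:len(head)-bs]...)
	return append(append(out, x...), cPrev[:tail]...), nil
}

func main() {
	b, _ := aes.NewCipher(nistKey)
	cts, _ := cbcCS3Encrypt(b, nistIV, nistPT)
	fmt.Printf("plain CBC: %x\nCBC-CTS:   %x\n", cbcEncrypt(b, nistIV, nistPT), cts)
}
```

With the full 64-byte vector the CTS output is the plain CBC ciphertext with blocks 0020 and 0030 exchanged, exactly as in the two dumps above; for a 40-byte input the output is also 40 bytes, with the truncated C_2 at the end.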