Thus spake "Thierry Boivin" <[EMAIL PROTECTED]>
> http://archives.seul.org/mixminion/cvs/May-2002/msg00072.html shows
> that the problem seems to have been submitted to the openssl team one
> year ago. I agree with Nick and come to the same conclusion: as the
> openssl aes counter mode routines want to count by 2**64 instead of
> by 1, the current implementation is not correct.
>
> The source of disagreement seems to be the interpretation of a NIST
> document (Michael pointed such a document when replying at first).
In the specification of CTR mode, as proposed for AES, you will find the statement "The number /nonce/ is incremented following each encryption." I interpreted this to mean that the top 2^64 bits are to be incremented for each successive block, and this is how I implemented the code. Further review has indicated everyone else seems to think this means the nonce is incremented only between streams and it's the counter that is incremented between blocks; is there anyone out there who _disagrees_ with this? If not, it is a trivial matter to shift which bits in the counter are touched.

On the matter of overflowing the lower 64 bits, this is not specifically addressed in the submission (I think they assumed nobody would exceed 2^64 blocks per stream, which is reasonable) and thus I think wrapping is the correct failure. To increment the nonce introduces a more insidious failure mode where the user unintentionally reuses nonces. Other specifications have suggested that the nonce be of unspecified length, not exactly 64 bits; this implies that the lower bits wrap in an overflow condition, otherwise there would be no need to specify a boundary between the different parts of the counter at all. Unfortunately, implementing this (as has been requested) would require more significant changes to the API than I know how to make, as passing parameters to a mode doesn't appear to be supported today.

S

Stephen Sprunk        "God does not play dice."  --Albert Einstein
CCIE #3723            "God is an inveterate gambler, and He throws the
K5SSS                  dice at every possible opportunity." --Stephen Hawking

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                        [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
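The three counter-block behaviours discussed in this thread, as an added illustration that is not code from the thread or from OpenSSL: the 16-byte AES-CTR counter block is modelled as a 64-bit nonce in the top (big-endian) half and a 64-bit per-block counter in the low half, which is the layout the message assumes, and all function names are hypothetical. The example contrasts incrementing the low half with wrap-around, carrying the overflow into the nonce, and incrementing the top half on every block, and shows which of them makes one stream's block coincide with the first block of a stream using the next nonce (the nonce-reuse failure mode the message warns about).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code. Counter block = nonce (top 8 bytes,
 * big-endian) || counter (low 8 bytes, big-endian). Names are hypothetical. */
#define CTR_BLOCK_LEN 16

static uint64_t load_be64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

static void store_be64(unsigned char *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) {
        p[i] = (unsigned char)(v & 0xff);
        v >>= 8;
    }
}

void ctr_block_init(unsigned char *blk, uint64_t nonce, uint64_t counter)
{
    store_be64(blk, nonce);
    store_be64(blk + 8, counter);
}

/* Reading favoured in the thread: advance only the low 64 bits and let them
 * wrap modulo 2^64; the nonce half is never modified. */
void ctr_inc_low64_wrap(unsigned char *blk)
{
    store_be64(blk + 8, load_be64(blk + 8) + 1); /* uint64_t wraps on overflow */
}

/* Alternative the message argues against: treat all 128 bits as one
 * counter, so an overflow of the low half carries into the nonce. */
void ctr_inc_carry128(unsigned char *blk)
{
    uint64_t lo = load_be64(blk + 8) + 1;
    store_be64(blk + 8, lo);
    if (lo == 0)
        store_be64(blk, load_be64(blk) + 1);
}

/* The original reading described in the message: the top 64 bits are
 * incremented for every block and the low half is left untouched. */
void ctr_inc_high64(unsigned char *blk)
{
    store_be64(blk, load_be64(blk) + 1);
}

/* Start a stream at (nonce, counter), advance it one block with inc(), and
 * report whether the result equals the block (nonce2, counter2). With
 * counter = UINT64_MAX this simulates the 2^64-block overflow edge case
 * without iterating; equal blocks mean identical keystream under one key. */
int next_block_equals(void (*inc)(unsigned char *),
                      uint64_t nonce, uint64_t counter,
                      uint64_t nonce2, uint64_t counter2)
{
    unsigned char a[CTR_BLOCK_LEN], b[CTR_BLOCK_LEN];
    ctr_block_init(a, nonce, counter);
    inc(a);
    ctr_block_init(b, nonce2, counter2);
    return memcmp(a, b, CTR_BLOCK_LEN) == 0;
}

static void print_block(const char *label, const unsigned char *blk)
{
    printf("%-24s", label);
    for (int i = 0; i < CTR_BLOCK_LEN; i++)
        printf("%02x%s", blk[i], i == 7 ? " | " : "");
    printf("\n");
}

int main(void)
{
    const uint64_t nonce = 0x0123456789abcdefULL; /* constructed sample nonce */
    unsigned char blk[CTR_BLOCK_LEN];

    ctr_block_init(blk, nonce, UINT64_MAX);
    print_block("start (nonce | ctr):", blk);
    ctr_inc_low64_wrap(blk);
    print_block("low64 wrap +1:", blk);
    ctr_block_init(blk, nonce, UINT64_MAX);
    ctr_inc_carry128(blk);
    print_block("carry128 +1:", blk);
    ctr_block_init(blk, nonce, 0);
    ctr_inc_high64(blk);
    print_block("high64 +1:", blk);

    printf("carry128 overflow == next nonce's first block: %d\n",
           next_block_equals(ctr_inc_carry128, nonce, UINT64_MAX, nonce + 1, 0));
    printf("high64 second block == next nonce's first block: %d\n",
           next_block_equals(ctr_inc_high64, nonce, 0, nonce + 1, 0));
    return 0;
}
```

Wrapping the low half only repeats a block after 2^64 blocks of the same stream; carrying into the nonce, or incrementing the top half per block, makes a stream collide with the stream that uses the next nonce, which is the cross-stream keystream reuse the message calls the more insidious failure.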
