Random access of encrypted data AES GCM mode

Problem description

There is a very good example for random access AES CTR mode and it works: Random access InputStream using AES CTR mode in android

import java.math.BigInteger;
import javax.crypto.spec.IvParameterSpec;

// Wrapper class added only so the posted snippet compiles on its own.
public final class CtrOffset {
    private static final int AES_BLOCK_SIZE = 16;

    // CTR mode: the counter block at byte offset `blockOffset` is the initial IV plus the
    // number of whole 16-byte blocks that precede it. The caller still has to discard
    // blockOffset % AES_BLOCK_SIZE bytes of the first decrypted block.
    private static IvParameterSpec calculateIVForOffset(final IvParameterSpec iv,
            final long blockOffset) {
        final BigInteger ivBI = new BigInteger(1, iv.getIV());
        final BigInteger ivForOffsetBI = ivBI.add(BigInteger.valueOf(blockOffset / AES_BLOCK_SIZE));

        final byte[] ivForOffsetBA = ivForOffsetBI.toByteArray();
        final IvParameterSpec ivForOffset;
        if (ivForOffsetBA.length >= AES_BLOCK_SIZE) {
            // toByteArray() may prepend a sign byte, and the addition may carry past 128 bits:
            // keep only the low 16 bytes (the counter wraps, as it does in CTR).
            ivForOffset = new IvParameterSpec(ivForOffsetBA, ivForOffsetBA.length - AES_BLOCK_SIZE,
                    AES_BLOCK_SIZE);
        } else {
            // Result shorter than one block: left-pad with zero bytes.
            final byte[] ivForOffsetBASized = new byte[AES_BLOCK_SIZE];
            System.arraycopy(ivForOffsetBA, 0, ivForOffsetBASized,
                    AES_BLOCK_SIZE - ivForOffsetBA.length, ivForOffsetBA.length);
            ivForOffset = new IvParameterSpec(ivForOffsetBASized);
        }

        return ivForOffset;
    }
}

However, it doesn't work in AES GCM mode. I am getting garbage when decrypting. I am not an encryption expert and have been trying to crack it for a couple of days already. Maybe anyone can give any insight on it? My guess is that I need to change the IV calculation for the offset somehow, or it is something to do with the auth tag (which I am not using).

Recommended answer

For GCM mode the underlying cipher is CTR as well. The Java implementation adds the authentication tag to the ciphertext.

Unfortunately you cannot directly use it for decrypting from an offset using high-level implementations, as the IV (nonce really) isn't directly used but is transformed first. This makes IV calculations impossible.

You could create a smart CTR implementation that calculates the offset, but you would be unable to verify any ciphertext if you skip even a single byte. So with GCM you probably have to divide into blocks and encrypt those separately.

GCM could have the online property: directly encrypting / decrypting the plaintext / ciphertext streams without buffering. However, the Java implementation adds the authentication tag to the end of the ciphertext, making it impossible to directly decrypt the ciphertext without buffering (up to the size of the authentication tag at the very minimum).

Unfortunately there are more issues when it comes to skipping bytes. This is not surprising, as verification would become unavailable. A very smart implementation could possibly verify the ciphertext without decrypting parts of it, but you would still have to pass over all of the data to calculate the underlying GMAC value.
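The answer's suggestion of dividing the data into blocks and encrypting each separately, and its point that the appended tag forces buffering of at least a whole authenticated unit, can be turned into a concrete container format. The Java class below is an added example written for this page; it is not code from the question, the answer, or the linked Android CTR implementation. It assumes a 4096-byte chunk size, a 128-bit tag, and a 12-byte nonce laid out as a random 7-byte per-container prefix, a 4-byte big-endian chunk index and a 1-byte "last chunk" flag; the class and method names are chosen here and the key and input in main() are constructed test data.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Random access over AES-GCM: each fixed-size chunk is its own GCM message with its own tag. */
public final class ChunkedGcm {
    static final int CHUNK = 4096;      // plaintext bytes per chunk (chosen for this example)
    static final int TAG_LEN = 16;      // 128-bit GCM tag appended to every chunk
    static final int PREFIX_LEN = 7;    // random per-container nonce prefix

    // 12-byte nonce = 7-byte random prefix || 4-byte big-endian chunk index || 1-byte "last" flag.
    // Binding the index and the last-flag into the nonce makes reordered, swapped or
    // truncated chunks fail authentication instead of decrypting to wrong-but-valid data.
    private static byte[] nonce(byte[] prefix, int index, boolean last) {
        return ByteBuffer.allocate(12).put(prefix).putInt(index).put((byte) (last ? 1 : 0)).array();
    }

    /** Layout: prefix || (ct0||tag0) || (ct1||tag1) || ... ; every chunk but the last holds CHUNK bytes. */
    static byte[] encrypt(SecretKey key, byte[] plaintext, SecureRandom rng) throws GeneralSecurityException {
        byte[] prefix = new byte[PREFIX_LEN];
        rng.nextBytes(prefix);
        int chunks = Math.max(1, (plaintext.length + CHUNK - 1) / CHUNK);   // empty input -> one empty chunk
        ByteBuffer out = ByteBuffer.allocate(PREFIX_LEN + plaintext.length + chunks * TAG_LEN).put(prefix);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        for (int i = 0; i < chunks; i++) {
            int start = i * CHUNK;
            int len = Math.min(CHUNK, plaintext.length - start);
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_LEN * 8, nonce(prefix, i, i == chunks - 1)));
            out.put(c.doFinal(plaintext, start, len));   // ciphertext with the tag appended, as Java does
        }
        return out.array();
    }

    /** Returns plaintext[offset, offset+length): only the chunks covering that range are read and verified. */
    static byte[] readRange(SecretKey key, byte[] container, long offset, int length) throws GeneralSecurityException {
        if (container.length < PREFIX_LEN + TAG_LEN) throw new GeneralSecurityException("container too short");
        byte[] prefix = Arrays.copyOfRange(container, 0, PREFIX_LEN);
        int body = container.length - PREFIX_LEN;
        int chunks = (body + CHUNK + TAG_LEN - 1) / (CHUNK + TAG_LEN);   // ceil(body / (CHUNK + TAG_LEN))
        long plainLen = (long) body - (long) chunks * TAG_LEN;
        if (offset < 0 || length < 0 || offset + length > plainLen) throw new IllegalArgumentException("range outside plaintext");
        ByteBuffer out = ByteBuffer.allocate(length);
        if (length == 0) return out.array();
        int first = (int) (offset / CHUNK), last = (int) ((offset + length - 1) / CHUNK);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        for (int i = first; i <= last; i++) {
            int start = PREFIX_LEN + i * (CHUNK + TAG_LEN);
            int len = Math.min(CHUNK + TAG_LEN, container.length - start);
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_LEN * 8, nonce(prefix, i, i == chunks - 1)));
            byte[] plain = c.doFinal(container, start, len);   // throws AEADBadTagException if this chunk was altered
            long chunkStart = (long) i * CHUNK;
            int from = (int) Math.max(0, offset - chunkStart);
            int to = (int) Math.min(plain.length, offset + length - chunkStart);
            out.put(plain, from, to - from);
        }
        return out.array();
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo input: an all-zero test key and 10 000 predictable bytes (three chunks).
        SecretKey key = new SecretKeySpec(new byte[16], "AES");
        byte[] data = new byte[10_000];
        for (int i = 0; i < data.length; i++) data[i] = (byte) i;
        byte[] box = encrypt(key, data, new SecureRandom());

        byte[] slice = readRange(key, box, 4000, 200);   // straddles chunk 0 and chunk 1
        System.out.println("range ok: " + Arrays.equals(slice, Arrays.copyOfRange(data, 4000, 4200)));

        byte[] tampered = box.clone();
        tampered[PREFIX_LEN + (CHUNK + TAG_LEN) + 100] ^= 1;   // flip one bit inside chunk 1
        System.out.println("chunk 0 still readable: "
                + Arrays.equals(readRange(key, tampered, 0, 100), Arrays.copyOfRange(data, 0, 100)));
        try {
            readRange(key, tampered, 4000, 200);
            System.out.println("BUG: tampered chunk accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tampered chunk rejected: " + e);
        }
    }
}
```

A read of any byte range costs at most one extra chunk of decryption on each side of the range, and every byte returned has been authenticated, which is what the plain CTR-offset trick cannot give. The price is 16 bytes of tag per chunk and the buffering of one full chunk plus tag before anything can be returned. Nonce uniqueness rests on the 7-byte random prefix, so a single key should not protect a large number of containers; in practice derive a per-container key (for example with HKDF from a master key and a longer random salt) and keep the chunk nonces as shown.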
