正确使用随机数和计数器进行AES-CTR模式 [英] Using the nonce and counter correctly for AES-CTR mode

问题描述

据我所知，在AES计数器模式下，我需要使用128位随机数。这种天真的方法是使用一个随机的128位随机数，但我不确定如果它作为所有随机位传递，算法将能够正确递增计数器。我认为正确的方法是使用96位随机数和一个从0开始的32位计数器，例如：

I understand that in AES Counter mode I need to use a 128 bit nonce. The naïve way to do that would be to use a random 128 bit nonce, but I'm not sure the algorithm will be able to increment the counter correctly if it's passed as all random bits. I thought the correct way to do it is to use a 96 bit nonce and also a 32 bit counter starting at 0, for example:

var key = CryptoJS.enc.Hex.parse('01ab23cd45ef67089a1b2c3d4e5f6a7b'); // 128 bits / 16 bytes
var nonce = '2301cd4ef785690a1b2c3dab'; // 96 bits / 12 bytes
var counter = '00000000'; // 32 bits / 4 bytes
var nonceAndCounter = nonce + counter;
    nonceAndCounter = CryptoJS.enc.Hex.parse(nonceAndCounter);
var plaintext = 'The quick brown fox jumps over the lazy dog.';

var encryption = CryptoJS.AES.encrypt(plaintext, key, { iv: nonceAndCounter, mode: CryptoJS.mode.CTR, padding: CryptoJS.pad.NoPadding });
var ciphertext = encryption.ciphertext.toString(CryptoJS.enc.Hex);

这是使用 CryptoJS库？或者正确的方法是什么？

Is this the correct way to do it with the CryptoJS library? Or what is the correct way?

推荐答案

当我开始深入研究库代码时，我将回答我自己的问题。看看它到底发生了什么。

I'm going to answer my own question as I went digging into the library code to see what it really does.

摘要：

Summary:

答案是你可以使用两种方法中的任何一种，它会按预期工作：

The answer is you can use either of two methods and it will work as expected:

1）传入一个随机的nonce为96长度位和库本身将自动添加32位计数器，并在生成的每个密钥流块中递增它。例如。

1) Pass in a random nonce of 96 bits in length and the library itself will add the 32 bit counter automatically and increment it with every keystream block generated. E.g.

var nonce = CryptoJS.enc.Hex.parse('2301cd4ef785690a1b2c3dab'); // 12 Bytes
var encryption = CryptoJS.AES.encrypt(plaintext, key, { iv: nonce, mode: CryptoJS.mode.CTR, padding: CryptoJS.pad.NoPadding });

2）传递一个长度为96位的随机nonce并明确如果你愿意，也可以指定32位计数器。如果要从第9个块开始加密/解密，您甚至可以指定一个像 00000009 这样的计数器。以下是从计数器0开始的示例：

2) Pass in a random nonce of 96 bits in length and explicitly specify the 32 bit counter as well if you want to. You can even specify a counter like 00000009 if you want to start encrypting/decrypting from the 9th block. Below is an example starting from counter 0:

var nonce = '2301cd4ef785690a1b2c3dab';  // 12 Bytes
var counter = '00000000';                // 4 Bytes, start at counter 0
var nonceAndCounter = CryptoJS.enc.Hex.parse(nonce + counter);  // 16 Bytes
var encryption = CryptoJS.AES.encrypt(plaintext, key, { iv: nonceAndCounter, mode: CryptoJS.mode.CTR, padding: CryptoJS.pad.NoPadding });

说明：

Explanation:

使用32位计数器 00000000 的问题中的代码，相关代码在此文件中 mode-ctr.js ：

Using the code in the question with 32 bit counter of 00000000, the relevant code is in this file mode-ctr.js:

/**
 * Counter block mode.
 */
CryptoJS.mode.CTR = (function () {
    var CTR = CryptoJS.lib.BlockCipherMode.extend();

    var Encryptor = CTR.Encryptor = CTR.extend({
        processBlock: function (words, offset) {
            // Shortcuts
            var cipher = this._cipher
            var blockSize = cipher.blockSize;
            var iv = this._iv;
            var counter = this._counter;

            // Generate keystream
            if (iv) {
                counter = this._counter = iv.slice(0);

                // Remove IV for subsequent blocks
                this._iv = undefined;
            }
            var keystream = counter.slice(0);
            cipher.encryptBlock(keystream, 0);

            // Increment counter
            counter[blockSize - 1] = (counter[blockSize - 1] + 1) | 0

            // Encrypt
            for (var i = 0; i < blockSize; i++) {
                words[offset + i] ^= keystream[i];
            }
        }
    });

    CTR.Decryptor = Encryptor;

    return CTR;
}());

在使用断点的浏览器JS调试器中运行此代码时，它会转换 nonceAndCounter 到由32位元素组成的WordArray中：

When running this code in a browser JS debugger using a breakpoint, it converts the nonceAndCounter into a WordArray consisting of 32 bit elements:

[587320654，-142251766,455884203,0]

这用于加密块。要加密下一个块，它将运行此行：

This is used to encrypt a block. To encrypt the next block it runs this line:

counter [blockSize - 1] =（counter [blockSize - 1] + 1）| 0

评估采用计数器[3] 元素，即整数0并将其增加到：

Which evaluates to take the counter[3] element i.e. the integer 0 and increments it to:

[587320654，-142251766,455884203,1]

随后的块和随机数我可以看到......

With subsequent blocks and nonces I can see...

[587320654，-142251766,455884203,2]

[587320654，-142251766,455884203,3]

[587320654，-142251766,455884204,4]

等等上。所以看起来这种方式正常工作。

And so on. So it appears to be working correctly this way.

如果你传递128位随机数，这与它的工作方式形成对比，例如

Contrast this with how it works if you pass a 128 bit random nonce e.g.

var nonceAndCounter = CryptoJS.enc.Hex.parse（'2301cd4ef785690a1b2c3dabdf99a9b3'）;

这产生一个nonce：

This produces a nonce of:

[587320654，-142251766,455884203，-543577677,0]

所以它创建了5个数组元素！？然后该函数将第四个元素从​​ -543577677 递增到 -543577676 ，然后 -543577675 ，然后 -543577674 等等。所以它仍然在某种程度上起作用，但是从0开始并没有增加得很好并且可能更容易出错。

So it creates 5 array elements!? Then the function increments the fourth element from -543577677 to -543577676, then -543577675, then -543577674 and so on. So it still works in a way, but but does not increment as nicely as starting from 0 and is perhaps more error prone.

当我只传入96位随机数时nonce，库自动将起始计数器作为0添加到计数器数组的末尾，并为后续块正确递增。例如

When I passed in just a 96 bit random nonce, the library automatically added the start counter as 0 to the end of the counter array and incremented it correctly for subsequent blocks. e.g.

[587320654, -142251766, 455884203, 0]
[587320654, -142251766, 455884203, 1]
[587320654, -142251766, 455884203, 2]

这篇关于正确使用随机数和计数器进行AES-CTR模式的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！