CTR mode use of Initial Vector (IV)

Problem description

From what I know, CTR mode doesn't use an Initial Vector. It just takes a counter, encrypts it with a given key and then XORs the result with the plaintext in order to get the ciphertext.

Other block cipher modes like CBC before doing the encryption they XOR the plaintext with an Initial Vector.

So here is my problem. I have the following code in Java (using the bouncycastle library):

Cipher cipher = Cipher.getInstance("AES/CTR/PKCS5Padding", "BC");
cipher.init(Cipher.ENCRYPT_MODE, key);
// doFinal takes a byte[], not a String
byte[] result = cipher.doFinal("Some plaintext".getBytes());

Every different call of the above code with the same key gives different output! But when doing:

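byte[] IV = new byte[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
Cipher cipher = Cipher.getInstance("AES/CTR/PKCS5Padding", "BC");
// init takes an AlgorithmParameterSpec (javax.crypto.spec.IvParameterSpec), not a raw byte[]
cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(IV));
byte[] result = cipher.doFinal("Some plaintext".getBytes());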

I take the same result in every call of the above code. But why is this? I mean, CTR doesn't need an IV, so why when I don't give an IV in every call I get a different result and when I give an IV it returns the same result? If I always use the above IV (all zeroes) when using CTR, would that be safe?

Any ideas would be very helpful. Thank you

Recommended answer

The most important caveat with CTR mode is that you never, ever re-use the same counter value with the same key. If you do so, you have effectively given away your plaintext.

To assist with this, in some real-world implementations of CTR mode the block to be passed to the block cipher is split up into two parts, labelled as an IV and a counter (rather than calling the whole thing a counter). The IV is generated randomly, and the counter starts at 0.

This lets you start the "counter" part at zero for multiple messages, as long as you never re-use the "IV" part.

Note though that this is just a labelling convention. Mathematically, it's the same as calling the whole thing the "counter", and starting the counter at a random multiple of some integer for each message.

I am not sure how the Bouncy Castle implementation specifically is working - it is perhaps letting you set the entire initial block, counter and all, with the IV value. It is apparently generating a sensible IV for you if you do not supply one, which is why you are getting different output with the same input. The bottom line is that this is good, and exactly what you want - supplying all zeroes is bad, and not what you want.
