Why do different implementations of AES produce different output?

Question

I feel I have a pretty good understanding of hash functions and the contracts they entail.

SHA1 on Input X will ALWAYS produce the same output. You could use a Python library, a Java library, or pen and paper. It's a function, it is deterministic. My SHA1 does the same as yours and Alice's and Bob's.

As I understand it, AES is also a function. You put in some values, it spits out the ciphertext.

Why, then, could there ever be fears that Truecrypt (for instance) is "broken"? They're not saying AES is broken, they're saying the program that implements it may be. AES is, in theory, solid. So why can't you just run a file through Truecrypt, run it through a "reference AES" function, and verify that the results are the same? I know it absolutely does not work like that, but I don't know why.

What makes AES different from SHA1 in this way? Why might Truecrypt AES spit out a different file than Schneier-Ifier* AES, when they were both given all the same inputs?

In the end, my question boils down to:

My_SHA1(X) == Bobs_SHA1(X) == ...etc

But TrueCrypt_AES(X) != HyperCrypt_AES(X) != VeraCrypt_AES(X) etc. Why is that? Do all those programs wrap AES, but have different ways of determining stuff like an initialization vector or something?

*this would be the name of my file encryption program if I ever wrote one

Recommended answer

In the SHA-1 example you give, there is only a single input to the function, and any correct SHA-1 implementation should produce the same output as any other when provided the same input data.

For AES, however, things are a bit trickier, and since you don't specify what you mean exactly by "AES", this itself seems likely to be the source of the perceived differences between implementations.

Firstly, "AES" isn't a single algorithm, but a family of algorithms that take different key sizes (128, 192 or 256 bits). AES is also a block cipher, it takes a single block of 128 bits/16 bytes of plaintext input, and encrypts this using the key to produce a single 16 byte block of output.

Of course in practice we often want to encrypt more than 16 bytes of data at once, so we must find a way to repeatedly apply the AES algorithm in order to encrypt all the data. Naively we could split it into 16 byte chunks and encrypt each one in turn, but this mode (described as Electronic Codebook or ECB) turns out to be horribly insecure. Instead, various other more secure modes are usually used, and most of these require an Initialization Vector (IV) which helps to ensure that encrypting the same data with the same key doesn't result in the same ciphertext (which would otherwise leak information).

Most of these modes still operate on fixed-sized blocks of data, but again we often want to encrypt data that isn't a multiple of the block size, so we have to use some form of padding, and again there are various different possibilities for how we pad a message to a length that is a multiple of the block size.

So to put all of this together, two different implementations of "AES" should produce the same output if all of the following are identical:

  • Plaintext input data
  • Key (and hence key size)
  • IV
  • Mode (including any mode-specific inputs)
  • Padding
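
An added example, not part of the original answer: Node.js's built-in `crypto` module is used to check the raw AES-128 block function against the FIPS-197 Appendix C.1 known-answer vector, then to change IV, padding and mode one at a time. The helper names (`pad`, `aesEncrypt`, `compare`), the sample message and the IV values are constructed for illustration.

```javascript
const nodeCrypto = require("crypto");

// Pad to a multiple of the 16-byte AES block using the named scheme.
function pad(data, scheme) {
  const n = 16 - (data.length % 16); // 1..16 bytes needed to fill the block
  if (scheme === "pkcs7") return Buffer.concat([data, Buffer.alloc(n, n)]);
  if (scheme === "zero") return Buffer.concat([data, Buffer.alloc(n % 16)]);
  if (scheme === "none" && n === 16) return data; // already block-aligned
  throw new Error(`cannot apply padding "${scheme}" to ${data.length} bytes`);
}

// AES-128 with every input from the answer's list passed explicitly.
function aesEncrypt({ mode, key, iv, padding, plaintext }) {
  const cipher = nodeCrypto.createCipheriv(
    `aes-128-${mode}`, key, mode === "ecb" ? null : iv); // ECB takes no IV
  cipher.setAutoPadding(false); // padding is applied by pad(), not the library
  const body = cipher.update(pad(plaintext, padding));
  return Buffer.concat([body, cipher.final()]).toString("hex");
}

// FIPS-197 Appendix C.1 vector: a single raw block, so no IV and no padding.
const KAT_KEY = Buffer.from("000102030405060708090a0b0c0d0e0f", "hex");
const KAT_PT = Buffer.from("00112233445566778899aabbccddeeff", "hex");
const KAT_CT = "69c4e0d86a7b0430d8cdb78070b4c55a";

// Constructed sample inputs: a 20-byte message (so padding is required)
// and two fixed IVs. Fixed IVs are for comparison only.
const message = Buffer.from("twenty bytes of data", "utf8");
const ivA = Buffer.alloc(16, 0xa5);
const ivB = Buffer.alloc(16, 0x5a);

// Encrypt the same message and key while changing one parameter at a time.
function compare() {
  const base = { mode: "cbc", key: KAT_KEY, iv: ivA, padding: "pkcs7", plaintext: message };
  return {
    kat: aesEncrypt({ mode: "ecb", key: KAT_KEY, padding: "none", plaintext: KAT_PT }),
    cbcPkcs7: aesEncrypt(base),
    cbcPkcs7Again: aesEncrypt({ ...base }),           // identical inputs
    cbcOtherIv: aesEncrypt({ ...base, iv: ivB }),     // only the IV differs
    cbcZeroPad: aesEncrypt({ ...base, padding: "zero" }), // only padding differs
    ecbPkcs7: aesEncrypt({ ...base, mode: "ecb" }),   // only the mode differs
  };
}

console.log(compare());
```

The `kat` value matches the published vector, which is the "reference AES" comparison the question asks about; it only becomes possible once key, IV, mode and padding are pinned down. The two CBC outputs that differ only in padding share their first block and diverge in the last one.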
