June 16th, 2010, 10:44 AM
AES-128 GCM Mode Implementation
I have a quick question about the AES-128 GCM Mode algorithm.
I'm using Crypto++ GUI to try and verify some encryption data.
I was just wondering if I should get the same data output from AES-128 GCM mode as AES-128 CTR Mode if I increase the IV of CTR Mode by 1?
I know that GCM mode takes the GHASH of the IV to use as an initial counter value but I'm using 0x0 as an IV so this shouldn't affect the counter value.
(GHASH(0x0) is 0x0 right? According to crypto++ it is but I'm starting to wonder...)
In CTR mode I'm using 0x1 as an IV but crypto++ GUI is giving me a completely different data output...
This is kinda worrying me as crypto++ GUI is what I'm using to verify my data and if it's wrong then I'm in serious trouble.
Any help would be incredibly appreciated....
June 21st, 2010, 08:51 PM
There are a few things here...
GHASH - what is this?
An IV should not be zero or null unless it is not required. It should be chosen at random, and unique per message and key.
Normally in counter mode the IV is xor'd or somehow combined (hashed for example), with a non-reversible (but repeatable) kind of deterministic input.
What is it you are trying to implement or inter-operate with? Your problem doesn't seem very clear.
Last edited by AstroTux; June 21st, 2010 at 08:53 PM.
June 22nd, 2010, 09:26 AM
Forgot I posted this, I figured it out after all. In response to AstroTux:
Ghash is the actual hashing function used to provide the hash key to authorise the encrypted data. However in GCM it is XORed with the encrypted counter0 block to produce the key.
I know I shouldn't use 0 or 1 as an IV in real life but I was just testing the principle.
As it turns out I was looking at the wrong standard. What I believed about the counter was true for the original GCM paper but not for the NIST standard.
For those who are interested, if the IV is 96 bits long it is concatenated with 31 zero bits and 1. If it is greater or less then the Ghash is taken of (IV padded to next multiple of 128 bits || 64 zero bits || Length of IV represented as 64 bits)
Where I went wrong is that the NIST standard increments the encrypted original counter block for a cipher block IV while the original paper increments the original IV and uses this as an IV for a cipher block IV.
Thanks for responding anyway...
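The counter derivation described in the post above, written out as an added example (not code from this thread or from Crypto++): J0 from a 96-bit or non-96-bit IV per NIST SP 800-38D, the 32-bit increment, and the counter blocks the data is actually encrypted under. It assumes H is given (normally AES_K(0^128)); to stay AES-free, H and the ciphertext block used to check GHASH are the published values from test case 2 of the GCM specification.

```python
# Added example (not from this thread or Crypto++): GCM pre-counter J0,
# inc32 and GHASH per NIST SP 800-38D. H is normally AES_K(0^128); here
# it is taken from the GCM spec's test case 2 so GHASH can be checked.
R = 0xE1 << 120  # x^128 + x^7 + x^2 + x + 1 in GCM's bit ordering

def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit elements of GF(2^128) (SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:  # x_i, where bit 0 is the leftmost bit
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash_blocks(h: bytes, data: bytes) -> bytes:
    """Plain GHASH over data that is already a multiple of 16 bytes."""
    hk, x = int.from_bytes(h, "big"), 0
    for off in range(0, len(data), 16):
        x = gf_mult(x ^ int.from_bytes(data[off:off + 16], "big"), hk)
    return x.to_bytes(16, "big")

def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH_H(A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64)."""
    pad = lambda b: b + bytes(-len(b) % 16)
    lens = (len(aad) * 8).to_bytes(8, "big") + (len(ct) * 8).to_bytes(8, "big")
    return ghash_blocks(h, pad(aad) + pad(ct) + lens)

def derive_j0(h: bytes, iv: bytes) -> bytes:
    """J0 = IV || 0^31 || 1 for a 96-bit IV, else GHASH_H(IV || 0^s || 0^64 || [len(IV)]64)."""
    if len(iv) == 12:
        return iv + b"\x00\x00\x00\x01"
    iv_len = (len(iv) * 8).to_bytes(8, "big")
    return ghash_blocks(h, iv + bytes(-len(iv) % 16) + bytes(8) + iv_len)

def inc32(block: bytes) -> bytes:
    """Increment only the rightmost 32 bits (mod 2^32); the left 96 bits stay fixed."""
    ctr = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, "big")

def data_counters(h: bytes, iv: bytes, n: int) -> list:
    """Counter blocks for plaintext blocks 1..n: J0 itself is only used to mask the tag."""
    blocks, j = [], derive_j0(h, iv)
    for _ in range(n):
        j = inc32(j)
        blocks.append(j)
    return blocks

# Constructed check values from GCM spec test case 2 (K = 0, IV = 0^96):
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")  # AES_K(0^128)
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")  # one zero block encrypted
```

With IV = 0^96, J0 is 0^120||1 and the first data block is encrypted under 0^120||2, so a CTR run only reproduces GCM's keystream when its initial counter block equals inc32(J0), and then only until the 32-bit counter wraps.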