-
Notifications
You must be signed in to change notification settings - Fork 981
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AES CTR mode broken because no carry is done on the counter #383
Comments
The following patch should fix it (tests ok):
|
Added test generated with openssl (like written in the test file) that shows the issue. |
I was looking into this fix and how CCM is implemented. From the nonce and how it is used I can see that an overflow will happen (much like this one) if the IV is: 00 00 00 03 02 01 00 A0 A1 A2 A3 FF FF and we operate on the plain text FF FF times. Do you think my understanding is valid (@Nilos)? |
Yes, it's the same issue, see ccm.js:211. |
The ctr code is currently like this:
Here, only the last word of the iv (counter in CTR mode) is incremented. However, since the IV can be random (or user specified), the last word can contain
0xFFFFFFFF
, thus when incremented, it'll not transmit the carry to the before-last word and the encryption/decryption will be broken.Please notice that the number of words to en/decrypt will unlikely be low, so this carry issue might have been missed by the tests if the last word is not overflowing.
Solution: Test before incrementing that the last word is not overflowing and if it is, increment the before last word (and so on).
The text was updated successfully, but these errors were encountered: