Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CCM mode computes incorrect tag with empty AAD #166

Open
emillon opened this issue Sep 25, 2019 · 0 comments
Open

CCM mode computes incorrect tag with empty AAD #166

emillon opened this issue Sep 25, 2019 · 0 comments

Comments

@emillon
Copy link

emillon commented Sep 25, 2019

Hi,

When using CCM, the computed tag is different when no AAD is passed and when an empty AAD is passed:

let () =
  let key =
    Cstruct.of_hex "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"
    |> Nocrypto.Cipher_block.AES.CCM.of_secret ~maclen:16
  in
  let nonce = Cstruct.of_hex "00 01 02 03 04 05 06 07" in
  let plaintext = Cstruct.of_string "hello" in
  Nocrypto.Cipher_block.AES.CCM.encrypt ~key ~nonce plaintext
  |> Cstruct.hexdump;
  Nocrypto.Cipher_block.AES.CCM.encrypt ~adata:Cstruct.empty ~key ~nonce
    plaintext
  |> Cstruct.hexdump

Output: (note that the ciphertext is identical but tag differs)

65 92 16 9e 94 8b c0 88  9b fb e9 a5 2a f2 73 80
3d cf c2 a5 b4

65 92 16 9e 94 68 e4 95  f3 b1 16 49 d8 c9 9f 54
a1 7b 01 ab e3

In the Cstruct.empty case, it seems that an extra padding block is taken into account.

Quoting RFC 3610:

Users who do not wish to authenticate additional data can provide a string of length zero. (§2.1)

If l(a)>0 (as indicated by the Adata field), then one or more blocks of authentication data are added. (§2.2)

Thanks!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@emillon