7

I'm playing with libgcrypt (v1.6.1 on Gentoo x64) and i've already implemented (and tested thorugh the AEs test vectors) aes256-cbc and aes256-ctr. Now i am looking at aes256-gcm but i have some doubt about the workflow. Below there is a skeleton of a simple encryption program:

int main(void){

    unsigned char TEST_KEY[] = {0x60,0x3d,0xeb,0x10,0x15,0xca,0x71,0xbe,0x2b,0x73,0xae,0xf0,0x85,0x7d,0x77,0x81,0x1f,0x35,0x2c,0x07,0x3b,0x61,0x08,0xd7,0x2d,0x98,0x10,0xa3,0x09,0x14,0xdf,0xf4};
    unsigned char TEST_IV[] = {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f};
    unsigned char TEST_PLAINTEXT_1[] = {0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a};

    unsigned char cipher[16] = {0};

    int algo = -1, i;
    const char *name = "aes256";

    algo = gcry_cipher_map_name(name);

    gcry_cipher_hd_t hd;
    gcry_cipher_open(&hd, algo, GCRY_CIPHER_MODE_GCM, 0);
    gcry_cipher_setkey(hd, TEST_KEY, 32);
    gcry_cipher_setiv(hd, TEST_IV, 16);

    gcry_cipher_encrypt(hd, cipher, 16, TEST_PLAINTEXT_1, 16);
    char out[33];
    for(i=0;i<16;i++){
        sprintf(out+(i*2), "%02x", cipher[i]);
    }
    out[32] = '\0';
    printf("%s\n", out);

    gcry_cipher_close(hd);

    return 0;
}

In GCM mode there want also these instruction:

gcry_cipher_authenticate (gcry cipher hd t h , const void * abuf , size t abuflen )
gcry_error_t gcry_cipher_gettag (gcry cipher hd t h , void * tag , size t taglen )

So the correct workflow of the encryption program is:

gcry_cipher_authenticate
gcry_cipher_encrypt
gcry_cipher_gettag

But what i haven't undestood is:

  1. abuf is like a salt? (so have i to generate it using gcry_create_nonce or similar?)
  2. If i want to encrypt a file, void *tag is what i have to write to the outfile?
polslinux
  • 1,739
  • 9
  • 34
  • 73

1 Answers1

5

1) gcry_cipher_authenticate is for supporting authenticated encryption with associated data. abuf is data that you need to authenticate but do not need to encrypt. For example, if you are sending a packet, you might want to encrypt the body, but you must send the header unencrypted for the packet to be delivered. The tag generated by the cipher will provide integrity for both the encrypted data and the data sent in plain.

2) The tag is used after decryption to make sure that the data has not been tampered with. You append the tag to the encrypted text. Note, that it is computed on encrypted data and associated (unencrypted) data, so you will need both when decrypting.

You can check these documents for more information on GCM:

http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

Also, you can probably get faster answers to cryptography questions like this on http://crypto.stackexchange.com.

tbraginets
  • 93
  • 5