
My server encrypts files using pycrypto with AES in CTR mode. My counter is a simple counter like this:

\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03

I wanna decrypt the cipher text with c++'s cryptopp library in my clients. How should I do so?

Python code:

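```python
from Crypto.Cipher import AES
from Crypto.Util import Counter

# Counter.new(128) yields a 128-bit big-endian counter block that starts at 1
encryptor = AES.new(
    CRYPTOGRAPHY_KEY,
    AES.MODE_CTR,
    counter=Counter.new(128),
)
cipher = encryptor.encrypt(plain_text)
```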

C++ code so far:

```cpp
#include <cryptopp/aes.h>
#include <cryptopp/modes.h>
#include <cryptopp/filters.h>
// Initial counter block: 128-bit big-endian value 1
byte ctr[] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01";
mDecryptor = new CryptoPP::CTR_Mode<CryptoPP::AES>::Decryption(key, 32, ctr);
std::string plain;
CryptoPP::StringSource(std::string(data, len), true, new CryptoPP::StreamTransformationFilter(*mDecryptor, new CryptoPP::StringSink(plain)));
```

but after running this plain is garbage.

Update:

Sample encrypted data you can try to decrypt with crypto++ so that you can help me even if you don't know python and you're just experienced with crypto++:

Try to decrypt this base64 encoded text:

2t0lLuSBY7NkfK5I4kML0qjcZl3xHcEQBPbDo4TbvQaXuUT8W7lNbRCl8hfSGJA00wgUXhAjQApcuTCZckb9e6EVOwsa+eLY78jo2CqYWzhGez9zn0D2LMKNmZQi88WuTFVw9r1GSKIHstoDWvn54zISmr/1JgjC++mv2yRvatcvs8GhcsZVZT8dueaNK6tXLd1fQumhXCjpMyFjOlPWVTBPjlnsC5Uh98V/YiIa898SF4dwfjtDrG/fQZYmWUzJ8k2AslYLKGs=

with this key:

12341234123412341234123412341234

with counter function described in the beginning of this post using crypto++. If you succeed post the decrypted text (which contains only numbers) and your solution please.

Update2: I'm not providing an IV in the Python code; the Python module ignores the IV. I think the IV thing is what is causing the problem.

Sassan
  • I see, so there's no initial vector in CTR or better said it's replaced by counter/nonce in CTR. (I assume slash here means they're both in case of CTR), right? – Sassan Jun 23 '16 at 18:16
  • If yes, then I have no idea why the C++ code doesn't decrypt the cipher text. – Sassan Jun 23 '16 at 18:17
  • Also I've read the Wikipedia article you referenced at least 5 times, "If the IV/nonce is random, then they can be combined together with the counter using any lossless operation (concatenation, addition, or XOR) to produce the actual unique counter block" it assumes IV/nonce is the same and OPTIONALLY they can combine with counter, that's why I concluded that the C++ library does use (combine) the IV/nonce and the Python library doesn't. – Sassan Jun 23 '16 at 18:19
  • I need random access to parts of file where other parts are not available but I have the offset of contents (so I have the counter) – Sassan Jun 23 '16 at 19:07
  • Random access can be obtained with other modes. With ECB (not recommended) all that is needed is the key and data on a block bounds. With CBC mode the previous block of encrypted data is the iv. – zaph Jun 23 '16 at 20:53
  • @zaph Actually the above code works, pycrypto and cryptopp both do the same thing with IV, nonce and counter, they just concatenate these values: IV+nonce+counter and the counter always starts from 1. The problem was so ridiculous, I was prepending some data to the encrypted files and I just forgot about that. Using CTR is not hard at all thanks to these libraries. Thanks for trying to help, I appreciate it :) – Sassan Jun 23 '16 at 21:54
  • @Sassan - Counter mode is sound, but reusing a security context {secret key,counter,message} allows key recovery with a simple XOR of ciphertext streams. You should probably rethink your static key and counter. Under a single key, each message should get a unique counter. It only needs to be unique; it does not need to be random. – jww Jun 24 '16 at 00:17
  • @Sassan - *"I'm not providing an IV in python code, the python module ignores IV. I the IV thing is what causing the problem"* - you have to provide an IV - that's the starting counter value. It sounds like you are using Python incorrectly. You should probably ask a Python question, enquiring how to set the initial counter. – jww Jun 25 '16 at 08:27
  • You're right, this question should have `python` tag too. – Sassan Jun 25 '16 at 12:23

1 Answer


Having read their source code, I can say PyCrypto and Crypto++ are both perfect libraries for cryptography for Python and C++. The problem was that I was prefixing the encrypted data with some meta information about the file and I totally forgot about that; after handling this metadata in the client, Crypto++ decrypted my files.

As I didn't find this documented explicitly anywhere (not even in Wikipedia), I'll write it here: any combination of nonce, IV and counter, such as concatenation, XOR or the like, will work for CTR mode, but the standard that most libraries implement is to concatenate these values in order. So the value that is used in the block cipher algorithm is usually: Nonce + IV + Counter. And the counter usually starts from 1 (not 0).

Sassan
  • "Nonce" is simply another name for "IV", so "Nonce + IV + Counter" doesn't make much sense. Please note that the nonce must be different for each encryption when the same key is used. Otherwise, you're giving a many-time pad to the attacker. Common size for the nonce is 96 bit and the remaining 32 bit will be for the counter. – Artjom B. Jun 27 '16 at 18:42
  • Well, as you can see in this IETF document: http://tools.ietf.org/html/rfc3686#page-9 there are different fields for "nonce" and "iv", in sources of pycrypto and cryptopp there were 2 variables for storing nonce and iv so based on the above 3 references that deal with nonce, iv and counter exactly the same way (pycrypto and cryptopp both have tests embedded in source code that run the mentioned rfc3686 tests) I think "Nonce" is not simply another name for "IV". As far as I read, different cryptographers have different assumptions about these terms. – Sassan Jun 27 '16 at 19:23
  • read this: http://crypto.stackexchange.com/questions/3965/what-is-the-main-difference-between-a-key-an-iv-and-a-nonce – Sassan Jun 27 '16 at 19:23
  • Maybe the IPSec people needed different names for those two parts, but that's not something that is distinguished in common encryption libraries. They are implemented with a single IV/nonce in mind which are then synonymous. – Artjom B. Jun 27 '16 at 19:27
  • I see. Thanks for the info. – Sassan Jun 27 '16 at 19:30
  • *"As I didn't find this documented explicitly anywhere..."* - You should probably visit NIST's [SP 800-38, Recommendation for Block Cipher Modes of Operation](http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf). It provides two ways to interpret the counter/nonce block. Crypto++ [CTR Mode](http://www.cryptopp.com/wiki/CTR_Mode) is documented on their wiki, and it analyzes the source code so you don't have to. – jww Aug 11 '16 at 21:11
  • That wiki wouldn't answer my questions at the time, but NIST's documentation seems to cover all information I needed at the time, I'd handle it much easier if I had the chance to read it. – Sassan Aug 12 '16 at 13:08
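
The counter arithmetic discussed in this thread, as an added example that is not code from the original posts or from PyCrypto or Crypto++: it shows the metadata prefix from the answer, the random access by byte offset mentioned in the comments, and the keystream reuse the commenters warn about. Assumptions: a truncated SHA-256 call stands in for the AES block operation so the block runs on the standard library alone (it will not decrypt the question's sample), and all function names, the header and the key are constructed for illustration.

```python
import hashlib

BLOCK = 16  # AES block size in bytes

def block_fn(key: bytes, counter_block: bytes) -> bytes:
    # Stand-in for AES-encrypting one counter block. This is NOT AES; it only
    # keeps the example runnable on the standard library.
    return hashlib.sha256(key + counter_block).digest()[:BLOCK]

def ctr_xor(key: bytes, data: bytes, offset: int = 0, initial: int = 1) -> bytes:
    """XOR data with the CTR keystream starting at byte `offset` of the stream.

    Counter blocks are 128-bit big-endian integers and the first block is
    `initial` (1, as in the question's counter listing)."""
    first_block, skip = divmod(offset, BLOCK)
    counter = initial + first_block
    stream = bytearray()
    while len(stream) < skip + len(data):
        stream += block_fn(key, counter.to_bytes(BLOCK, "big"))
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream[skip:]))

def build_file(key: bytes, header: bytes, plaintext: bytes) -> bytes:
    # Server side as in the answer: clear-text metadata, then the ciphertext.
    return header + ctr_xor(key, plaintext)

def read_range(key: bytes, blob: bytes, header_len: int, start: int, length: int) -> bytes:
    # Client side: drop the metadata first, then seek in the ciphertext and
    # move the counter to the block that covers byte `start`.
    body = blob[header_len:]
    return ctr_xor(key, body[start:start + length], offset=start)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values (not the data from the question).
KEY = b"k" * 32
HEADER = b"FILEMETA:v1:len=40;"
PT = b"0123456789" * 4
BLOB = build_file(KEY, HEADER, PT)

if __name__ == "__main__":
    print(read_range(KEY, BLOB, len(HEADER), 21, 10))   # one slice, no other data needed
    print(ctr_xor(KEY, BLOB)[len(HEADER):] == PT)       # header left in place
    other = b"9" * len(PT)
    # Same key and same starting counter: the keystream cancels out.
    print(xor_bytes(ctr_xor(KEY, PT), ctr_xor(KEY, other)) == xor_bytes(PT, other))
```

Feeding the whole file to the decryptor shifts every ciphertext byte against the keystream by the header length, which is why the output was garbage until the metadata was stripped.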