
I use AES CTR to encrypt our documents for now. This is done to provide the ability to make range requests to encrypted documents. With AES CTR it is possible to calculate the IV for a specific block with a simple function like this:

    using System;
    using Org.BouncyCastle.Crypto.Parameters;
    using Org.BouncyCastle.Math;

    private const int AES_BLOCK_SIZE = 16;

    // Treats the 16-byte IV as a big-endian counter and advances it by the number
    // of whole blocks that precede blockOffset (a byte offset into the file).
    private static ParametersWithIV CalculateIvForOffset(KeyParameter sk, ParametersWithIV iv, long blockOffset)
    {
        var ivBI = new BigInteger(1, iv.GetIV());
        var ivForOffsetBi = ivBI.Add(BigInteger.ValueOf(blockOffset / AES_BLOCK_SIZE));

        var ivForOffsetBA = ivForOffsetBi.ToByteArray();
        ParametersWithIV ivForOffset;
        if (ivForOffsetBA.Length >= AES_BLOCK_SIZE) {
            // ToByteArray may prepend a sign byte; keep only the low 16 bytes
            ivForOffset = new ParametersWithIV(sk, ivForOffsetBA, ivForOffsetBA.Length - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
        } else {
            // Short result: left-pad with zero bytes up to a full block
            byte[] ivForOffsetBASized = new byte[AES_BLOCK_SIZE];
            Array.Copy(ivForOffsetBA, 0, ivForOffsetBASized, AES_BLOCK_SIZE - ivForOffsetBA.Length, ivForOffsetBA.Length);
            ivForOffset = new ParametersWithIV(sk, ivForOffsetBASized);
        }

        return ivForOffset;
    }

I use BouncyCastle in my app. But in particular cases I need to track document integrity, and I want to use AES GCM for this purpose. However, I still need the ability to decipher a particular block of data. Is it possible to calculate the IV for a specific position/block in GCM, and how do I do it?

Simplified code I use for encryption/decryption is here:

        // Needs: System.Linq, Org.BouncyCastle.Crypto.Parameters, Org.BouncyCastle.Security,
        // Org.BouncyCastle.Utilities.Encoders
        var offset = 0;
        var decryptionSize = 128;
        var file = Hex.Decode("2B7E151628AED2A6ABF7158809CF4F3C12312312312312312312312312312312312391792837012937019238102938012938017230192830192830192830192730129730129830192380192730192730");

        var encryptor = CipherUtilities.GetCipher("AES/GCM/NoPadding");

        var sk = ParameterUtilities.CreateKeyParameter("AES", Hex.Decode("2B7E151628AED2A6ABF7158809CF4F3C"));
        // Note: a 16-byte nonce; GCM derives its starting counter from it via GHASH, not as nonce||1
        encryptor.Init(true, new ParametersWithIV(sk, Hex.Decode("F0F1F2F3F4F5F6F7F8F9FAFBFCFD0001")));
        // DoFinal returns the ciphertext followed by the 16-byte GCM tag
        var encryptedFile = encryptor.DoFinal(file);

        var decryptor = CipherUtilities.GetCipher("AES/GCM/NoPadding");
        var arrayToDecrypt = encryptedFile.Skip(offset).Take(decryptionSize).ToArray();

        // recalculate initial vector for offset (the CTR approach; this is the part that does not work with GCM)
        var newiv = CalculateIvForOffset(sk, new ParametersWithIV(sk, Hex.Decode("F0F1F2F3F4F5F6F7F8F9FAFBFCFD0001")), offset);
        decryptor.Init(false, newiv);
        // ProcessBytes only: DoFinal, and therefore the tag check, is never called here
        var output2 = decryptor.ProcessBytes(arrayToDecrypt, 0, arrayToDecrypt.Length);

Thanks!

Vengrovskyi
  • It is possible to calculate the IV+counter of a particular block. However, the GCM tag is calculated for the [full data](https://www.researchgate.net/figure/AES-GCM_fig5_279264224). – kelalaka Dec 28 '18 at 17:26
  • @kelalaka I do not have access to the provided site, but thanks in any case. I do see a 16-byte size increment on each file/data. It's interesting whether the logic of IV calculation is the same for CTR and GCM modes, because the CalculateIvForOffset(...) method does not work for me with GCM (however, it works for CTR). – Vengrovskyi Dec 28 '18 at 17:52
  • Are you forced to use `GCM`? – Afshin Dec 28 '18 at 17:57
  • Not exactly. Currently NIST is closed. The counter starts from 1, but the IV can be processed; see [here](https://crypto.stackexchange.com/questions/41601/aes-gcm-recommended-iv-size-why-12-bytes). Ah, found the [doc](http://web.cs.ucdavis.edu/~rogaway/ocb/gcm.pdf) somewhere else. See page 13. – kelalaka Dec 28 '18 at 17:58
  • @Afshin mostly YES. – Vengrovskyi Dec 28 '18 at 18:08
  • @Vengrovskyi the tag size is [16 bytes](https://crypto.stackexchange.com/questions/26783/ciphertext-and-tag-size-and-iv-transmission-with-aes-in-gcm-mode). The IV should be prepended and the tag should be appended. – kelalaka Dec 28 '18 at 21:04

2 Answers


GCM is based on a combination of CTR mode encryption and the GHASH message authentication code. Therefore, if you do not wish to verify the integrity of the message (or have already done so, and can be sure that the message has not been tampered with since), you can simply ignore the GHASH authentication tag and decrypt the message just as if it was encrypted using normal CTR mode.

One detail to be aware of is that GCM uses the counter value 0 for generating the authentication tag, while the counter sequence for the actual encryption keystream starts at 1. So you should be able to use the same code for calculating the counter values as for basic CTR mode, but you'll need to offset the results by one.

Ilmari Karonen
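The approach in the answer above, worked through in Go with the standard library as an added illustration (not code from the question and not BouncyCastle code): with a 96-bit nonce, GCM's counter block is nonce || 0x00000001 for the tag and nonce || (i+2) for 0-indexed plaintext block i, so once the whole message has been authenticated a byte range can be decrypted with plain CTR mode. The key, nonce and message are constructed here, and `CounterBlock` and `DecryptRange` are names chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// CounterBlock returns the counter GCM feeds to AES for 0-indexed plaintext block i
// under a 96-bit nonce: nonce||1 is reserved for the tag, so block i uses nonce||(i+2).
func CounterBlock(nonce []byte, i uint32) []byte {
	ctr := make([]byte, aes.BlockSize)
	copy(ctr, nonce)
	binary.BigEndian.PutUint32(ctr[12:], i+2)
	return ctr
}

// DecryptRange recovers plaintext[offset:offset+n] from a GCM ciphertext (tag already
// stripped) with plain CTR mode. It authenticates nothing: verify the full message first.
func DecryptRange(key, nonce, ct []byte, offset, n int) ([]byte, error) {
	if len(nonce) != 12 || offset < 0 || n < 0 || offset+n > len(ct) {
		return nil, fmt.Errorf("need a 96-bit nonce and a range inside the ciphertext")
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	stream := cipher.NewCTR(blk, CounterBlock(nonce, uint32(offset/aes.BlockSize)))
	if skip := offset % aes.BlockSize; skip > 0 { // discard keystream before offset
		stream.XORKeyStream(make([]byte, skip), make([]byte, skip))
	}
	out := make([]byte, n)
	stream.XORKeyStream(out, ct[offset:offset+n])
	return out, nil
}

func main() {
	key, nonce := []byte("2B7E151628AED2A6"), []byte("range-demo!!") // constructed values
	msg := []byte("The quick brown fox jumps over the lazy dog, 0123456789 twice.")
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	sealed := gcm.Seal(nil, nonce, msg, nil)
	if _, err := gcm.Open(nil, nonce, sealed, nil); err != nil {
		panic(err) // integrity check over the whole document comes first
	}
	ct := sealed[:len(sealed)-gcm.Overhead()] // the 16-byte tag is the trailing bytes
	part, err := DecryptRange(key, nonce, ct, 20, 30)
	fmt.Printf("%q err=%v match=%v\n", part, err, string(part) == string(msg[20:50]))
}
```

Note that the question's code uses a 16-byte nonce; for non-96-bit nonces GCM derives the starting counter as GHASH(nonce), which the nonce||counter layout above does not cover.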

Thanks for the help! Yes, I found all the answers in the official documentation. I implemented my variant of IV generation for a specific block using the example provided in this post.

Vengrovskyi