Possibly incorrect counter overflow handling for AES-GCM
Jussi Kivilinna
jussi.kivilinna at iki.fi
Tue Jan 30 23:12:26 CET 2018
Hello,
On 30.01.2018 13:21, NIIBE Yutaka wrote:
> Clemens.Lang at bmw.de wrote:
>> Note that you will also have to use the same key K to trigger the behavior. This is because the initial counter value J_0 is calculated from the given IV using the GHASH function, which uses the hash subkey H = CIPH_K(0^128).
>>
>> Just for the record, I tested this with 1.8.2 and 1.7.6.
>
> Ah, I see. I created a ticket:
>
> https://dev.gnupg.org/T3764
>
> I was naively read your previous message which addressed section 7.1,
> algorithm 4, step 3 of the document. It is actually section 6.5,
> algorithm 3, step 5, which matters.
>
> I'll create a test case in libgcrypt/tests/ and fix.
>
> Since I'm going to travel, it will be next week.
>
I can do the fix for this one, if that's ok.
-Jussi
More information about the Gcrypt-devel
mailing list