Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

EAX without a header #3

Closed
philips77 opened this issue Apr 14, 2016 · 3 comments
Closed

EAX without a header #3

philips77 opened this issue Apr 14, 2016 · 3 comments

Comments

@philips77
Copy link
Contributor

Hi,
The Cifra library produces an different TAG when AES-EAX encoding is used when no Header is set (length is 0 bytes) then other two souces: online tool and Bouncy Castle impl in Java. If Header is set to any non 0 data they all give the same result. See details below.

I'm encrypting a message using AES-EAX with the following data (all in HEX):

Plain data:
0x00001C400000004800000073

Key:
0x589417B0324B1B71D7A6751852867AE8

Nonce:
0x00010000F683

Header:
0 bytes

I get a correct cipher and, in my opinion, not correct TAG.

Cipher:
0xD5D89979AE79EBEE4E385FA5

Tag:
0x46A9F4BE8F4C92659DA6CD12368D8127

Listing from the app:
cifra_no_header

When I use the same input data and encrypt them using this: http://artjomb.github.io/cryptojs-extension/ website, or in Java:

try {
    cipher = Cipher.getInstance("AES/EAX/NoPadding", "SC"); // SC = Spongy Castle, an Android variation of Bouncy Castle
    cipher.init(Cipher.ENCRYPT_MODE, keySpec, new GCMParameterSpec(128, nonce));
    ret = cipher.doFinal(toBeEncrypted);
    Log.d("AA2", "Encoded->" + Arrays.toString(ret));
} catch (Exception e) {
    Log.e("AA2", e.getLocalizedMessage());
}

I get a different Tag (the same in both cases):
0x0EFB21FAD714A25B44145F79221A2C9A

online_no_header

However, if I set the Header to any(?) non-null data all 3 libraries give the same result:

Plain text, key and nonce as above

Header:
0x0123

Cipher (same as above)

Tag:
0xCCDA2E4E0698E24E0377E3CD3ED61391

cifra_with_header

Online tool:
online_with_tag

@ctz
Copy link
Owner

ctz commented Apr 16, 2016

Thanks for the report and sorry for the inconvenience. It looks like CMAC and CMAC-used-by-EAX differ in this case: CMAC treats an empty message as not needing padding, CMAC-used-by-EAX treats it as needing padding. That's a massive pain.

@ctz
Copy link
Owner

ctz commented Apr 16, 2016

In fact, that's not what's happening at all. The CMAC calculation isn't finalised properly if the last block is empty. I'm going to make that misuse fail at runtime, as well as fixing EAX.

ctz added a commit that referenced this issue Apr 16, 2016
ctz added a commit that referenced this issue Apr 16, 2016
This was caused by the CMAC update function with len=0 and isfinal=1
doing nothing (because the work it needed to do already happened
with the last message).

Now:
- CMAC defends against and documents this case.
- EAX makes the correct CMAC calls.
ctz added a commit that referenced this issue Apr 16, 2016
@ctz ctz closed this as completed Apr 16, 2016
@philips77
Copy link
Contributor Author

Wow, thanks, that was quick!

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants