### Re: RNG using AES CTR as encryption algorithm

On Wed, 9 Sep 2009, Peter Gutmann wrote:

> I was just going to reply with a variation of this: if you're implementing a full protocol that uses AES-CTR (or any algorithm/mode for that matter), find other implementations that do it too and make sure that you can talk to them. In theory everyone could end up implementing it wrong, but that's somewhat unlikely. (This has already caught AES-CTR implementation bugs in the past, for example one particular version of OpenSSL 0.9.8 got AES-CTR keying wrong and it was noticed when SSH users couldn't connect to OpenSSH servers using this mode).

That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH. I don't think OpenSSL even supports a CTR mode through its EVP API. Any mistakes in implementing CTR mode in OpenSSH are therefore our own.

-d

---
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

### Re: RNG using AES CTR as encryption algorithm

Damien Miller d...@mindrot.org writes:

> That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH. I don't think OpenSSL even supports a CTR mode through its EVP API.

I first saw it reported on the Putty bugs list [0], a good place to track interop problems with implementations since it's so widely used, which in turn points to https://bugzilla.mindrot.org/show_bug.cgi?id=1291:

> Connections from OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006 to OpenSSH_4.5p1, OpenSSL 0.9.8e 23 Feb 2007 using aes256-ctr fail with "Bad packet length". The same problem occurs when using PuTTY 0.59 against the newer server. PuTTY users have reported this problem too, with servers on both FreeBSD and Linux, and with OpenSSH versions back to 4.0.

In fact it was listed as closed and resolved by, uh, one Damien Miller :-).

Peter.

[0] Meaning bugs encountered while using Putty, not necessarily bugs in Putty.

### Re: RNG using AES CTR as encryption algorithm

On Mon, 14 Sep 2009, Peter Gutmann wrote:

> Damien Miller d...@mindrot.org writes:
>
> > That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH. I don't think OpenSSL even supports a CTR mode through its EVP API.
>
> I first saw it reported on the Putty bugs list [0], a good place to track interop problems with implementations since it's so widely used, which in turn points to https://bugzilla.mindrot.org/show_bug.cgi?id=1291:

Actually, I'm half-wrong (or half-right) - there was a bug in OpenSSL, just not in AES-CTR specifically. It was a mildly obscure bug in the EVP interface that showed up when plugging in one's own ciphers.

We now have automated interop regression tests against PuTTY to catch this sort of thing...

-d

### Re: RNG using AES CTR as encryption algorithm

David Johnston d...@deadhat.com writes:

> Convincing yourself that you have implemented AES-CTR correctly usually involves first checking that your AES-ECB is correct, then putting the output of your counter construction into some other known good AES-CTR implementation and comparing the results with your implementation.

I was just going to reply with a variation of this: if you're implementing a full protocol that uses AES-CTR (or any algorithm/mode for that matter), find other implementations that do it too and make sure that you can talk to them. In theory everyone could end up implementing it wrong, but that's somewhat unlikely. (This has already caught AES-CTR implementation bugs in the past, for example one particular version of OpenSSL 0.9.8 got AES-CTR keying wrong and it was noticed when SSH users couldn't connect to OpenSSH servers using this mode).

Peter.

### Re: RNG using AES CTR as encryption algorithm

On Tue, Sep 1, 2009 at 11:28 PM, priya yelgar wrote:

> I have implemented RNG using AES algorithm in CTR mode. To test my implementation I needed some test vectors. However I searched on the CSRC site, but found the test vectors for AES_CBC not for AES CTR. Please can anyone tell me where to look for the test vectors to test RNG using AES CTR.

The first thing that jumps out at me is that you're looking for a nebulous "Random Number Generator" based on AES CTR mode (defined by SP 800-38A), and this is cast in the context of NIST's CSRC website (http://csrc.nist.gov/). Referencing NIST implies that you're looking for some kind of Algorithm Certificate or FIPS 140-2 certification for a cryptographic module.

If this is true, then you cannot just use 'AES CTR' to generate FIPS-approved random numbers. Instead, you need to use one of the approved RNG methods listed in FIPS 140-2 Annex C "Approved Random Number Generators". This includes several RNGs, including AES and 3DES variants based on ANSI X9.31, and SP 800-90. The closest thing to AES CTR is the CTR_DRBG defined in SP 800-90, which uses AES CTR for the random number generation, but also handles important things like distilling the initial entropy pool and periodic re-keying.

Even if you're not intending to get FIPS 140-2 certification, I still highly recommend finding a good standard describing a 'recipe' for generating pseudo-random numbers, and following the requirements for that. 'RNG using AES in CTR mode' is much different than 'Encryption using AES in CTR mode', and needs to be carefully handled accordingly. It's really easy to get things wrong outside of the AES CTR portion of the problem. You need to worry about justifying a particular entropy content of your true random source, which is then distilled down to create your key and nonce for the AES CTR portion of the RNG. This is not a task that is taken lightly.

My personal recommendation is to go with the CTR_DRBG as defined in SP 800-90. You can easily find open source implementations of this algorithm, so I'm not even sure if you need to spend time implementing it. To test it, I recommend going through the process of getting an algorithm certificate from NIST.

Cheers!

Matt Ball, Chair, IEEE P1619 Security in Storage Working Group
Staff Engineer, Sun Microsystems, Inc.
500 Eldorado Blvd, Bldg #5 BRM05-212, Broomfield, CO 80021
Work: 303-272-7580, Cell: 303-717-2717

### Re: RNG using AES CTR as encryption algorithm

And while you are at it, please implement these test vectors and report to Niels Ferguson: http://blogs.msdn.com/si_team/archive/2006/05/19/aes-test-vectors.aspx

Regards,

Zooko

### Re: RNG using AES CTR as encryption algorithm

On Wed, Sep 02, 2009 at 10:58:03AM +0530, priya yelgar wrote:

> Hi all, I have implemented RNG using AES algorithm in CTR mode. To test my implementation I needed some test vectors. However I searched on the CSRC site, but found the test vectors for AES_CBC not for AES CTR. Please can anyone tell me where to look for the test vectors to test RNG using AES CTR.

NIST SP 800-38A "Recommendation for Block Cipher Modes of Operation" contains a set of AES/CTR test vectors in Appendix F.5: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf

-Jack

### Re: RNG using AES CTR as encryption algorithm

NIST doesn't provide specific KAT vectors for AES-CTR because the results depend on your specific counter construction. When you interact with a FIPS test lab, you will provide them with your counter construction, they will provide you with the KATs and you will then test to those KATs. This is probably why you are not finding AES-CTR vectors in the same places you might find AES-CBC vectors. NIST explains this somewhere in their publications.

Convincing yourself that you have implemented AES-CTR correctly usually involves first checking that your AES-ECB is correct, then putting the output of your counter construction into some other known good AES-CTR implementation and comparing the results with your implementation.

Regards,
DJ

priya yelgar wrote:

> Hi all, I have implemented RNG using AES algorithm in CTR mode. To test my implementation I needed some test vectors. However I searched on the CSRC site, but found the test vectors for AES_CBC not for AES CTR. Please can anyone tell me where to look for the test vectors to test RNG using AES CTR. Thanks in advance Priya Ainapur
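As an added example that is not part of this thread and not OpenSSH's, PuTTY's or NIST's code: the two-step check that DJ describes and Peter echoes (verify the AES-ECB primitive first, then the CTR construction on top of it), done in plain Python against the SP 800-38A vectors Jack points to. AES-128 is implemented from scratch so that the ECB primitive itself is the thing under test; it is checked against the F.1.1 ECB vector, then CTR is built on it and checked against the F.5.1 CTR vector. The `width` parameter of `counter_blocks` is this example's own addition, not something from any standard, and is there to make DJ's point visible: the same key and initial counter block give a different keystream once a 32-bit counter wraps where a 128-bit one would carry, so a KAT for one counter construction says nothing about another.

```python
# Added example, not code from this thread, OpenSSH or NIST: a small pure-Python
# AES-128 checked against a published KAT, then AES-CTR built on it and checked
# against SP 800-38A Appendix F.5.1. Python 3, standard library only.

def _xtime(a):  # multiply by x in GF(2^8) mod the AES polynomial x^8+x^4+x^3+x+1
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def _gmul(a, b):  # GF(2^8) multiplication, shift-and-add
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _make_sbox():  # affine map of the multiplicative inverse (a^254; 0 maps to 0)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    box = []
    for a in range(256):
        inv = 1
        for _ in range(254):
            inv = _gmul(inv, a)
        box.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return box

SBOX = _make_sbox()

def _expand_key(key):  # AES-128 schedule: 11 round keys of 16 bytes, column-major
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s):  # state index i = row + 4*col; row r rotates left by r columns
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_gmul(a0, 2) ^ _gmul(a1, 3) ^ a2 ^ a3, a0 ^ _gmul(a1, 2) ^ _gmul(a2, 3) ^ a3,
                a0 ^ a1 ^ _gmul(a2, 2) ^ _gmul(a3, 3), _gmul(a0, 3) ^ a1 ^ a2 ^ _gmul(a3, 2)]
    return out

def aes128_encrypt_block(key, block):
    """One-block AES-128 encryption: the ECB primitive that CTR is built from."""
    rks = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        if rnd != 10:
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rks[rnd])]
    return bytes(s)

def counter_blocks(initial, n, width=128):
    """The counter construction a CTR KAT depends on. width=128 is the SP 800-38A
    standard incrementing function over the whole block; width=32 increments and
    wraps only the low 32 bits. (width is this example's own knob.)"""
    ctr, mask = int.from_bytes(initial, "big"), (1 << width) - 1
    for _ in range(n):
        yield ctr.to_bytes(16, "big")
        ctr = (ctr & ~mask) | ((ctr + 1) & mask)

def aes128_ctr(key, initial_counter, data, width=128):
    """CTR mode: data XOR E_K(counter_i); the same call encrypts and decrypts."""
    out = bytearray()
    for i, ctr in enumerate(counter_blocks(initial_counter, (len(data) + 15) // 16, width)):
        out += bytes(p ^ k for p, k in zip(data[16 * i:16 * i + 16], aes128_encrypt_block(key, ctr)))
    return bytes(out)

# Published vectors: SP 800-38A F.1.1 (ECB) for the block cipher and F.5.1 (AES-128
# CTR with the full-block counter f0f1...feff) for the mode; same key and plaintext.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PT = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51"
                   "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710")
ECB_CT0 = bytes.fromhex("3ad77bb40d7a3660a89ecaf32466ef97")
CTR_IV = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
CTR_CT = bytes.fromhex("874d6191b620e3261bef6864990db6ce" "9806f66b7970fdff8617187bb9fffdff"
                       "5ae4df3edbd5d35e5b4f09020db03eab" "1e031dda2fbe03d1792170a0f3009cee")

def self_test():
    """Step 1: the block cipher against its ECB KAT. Step 2: CTR against F.5.1, both ways."""
    ok = aes128_encrypt_block(KEY, PT[:16]) == ECB_CT0
    ok &= aes128_ctr(KEY, CTR_IV, PT) == CTR_CT
    ok &= aes128_ctr(KEY, CTR_IV, CTR_CT) == PT
    return ok

def counter_construction_matters():
    """Same key, constructed IV whose low 32 bits are about to wrap: the two counter
    widths diverge from the second block on, so one KAT cannot validate both."""
    iv, zeros = bytes(12) + b"\xff" * 4, bytes(32)
    return aes128_ctr(KEY, iv, zeros, 128) != aes128_ctr(KEY, iv, zeros, 32)
```

`self_test()` returns True when both steps match the published vectors, and `counter_construction_matters()` returns True because the two counter widths disagree from the second keystream block onward. The S-box is derived at import time so the example has no dependencies; this is a reference to compare against, not a fast or side-channel-hardened implementation.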

### RNG using AES CTR as encryption algorithm

Hi all,

I have implemented RNG using AES algorithm in CTR mode. To test my implementation I needed some test vectors. However I searched on the CSRC site, but found the test vectors for AES_CBC not for AES CTR. Please can anyone tell me where to look for the test vectors to test RNG using AES CTR.

Thanks in advance
Priya Ainapur