Re: RNG using AES CTR as encryption algorithm

2009-09-14 Thread Damien Miller
On Wed, 9 Sep 2009, Peter Gutmann wrote:

 I was just going to reply with a variation of this, if you're implementing a
 full protocol that uses AES-CTR (or any algorithm/mode for that matter), find
 other implementations that do it too and make sure that you can talk to them.
 In theory everyone could end up implementing it wrong, but that's somewhat
 unlikely.
 
 (This has already caught AES-CTR implementation bugs in the past, for example
 one particular version of OpenSSL 0.9.8 got AES-CTR keying wrong and it was
 noticed when SSH users couldn't connect to OpenSSH servers using this mode).

That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH.
I don't think OpenSSL even supports a CTR mode through its EVP API.

Any mistakes in implementing CTR mode in OpenSSH are therefore our own.

-d

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com


Re: RNG using AES CTR as encryption algorithm

2009-09-14 Thread Peter Gutmann
Damien Miller d...@mindrot.org writes:

That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH. I
don't think OpenSSL even supports a CTR mode through its EVP API.

I first saw it reported on the Putty bugs list [0], a good place to track
interop problems with implementations since it's so widely used, which in turn
points to https://bugzilla.mindrot.org/show_bug.cgi?id=1291:

  Connections from OpenSSH_4.5p1, OpenSSL 0.9.8d 28 Sep 2006 to
  OpenSSH_4.5p1, OpenSSL 0.9.8e 23 Feb 2007 using aes256-ctr fail with
  Bad packet length.  The same problem occurs when using PuTTY 0.59 against
  the newer server.

  PuTTY users have reported this problem too, with servers on both FreeBSD and
  Linux, and with OpenSSH versions back to 4.0.

In fact it was listed as closed and resolved by, uh, one Damien Miller :-).

Peter.

[0] Meaning bugs encountered while using Putty, not necessarily bugs in
Putty.



Re: RNG using AES CTR as encryption algorithm

2009-09-14 Thread Damien Miller
On Mon, 14 Sep 2009, Peter Gutmann wrote:

 Damien Miller d...@mindrot.org writes:
 
 That seems unlikely, since we don't use OpenSSL for AES-CTR in OpenSSH. I
 don't think OpenSSL even supports a CTR mode through its EVP API.
 
 I first saw it reported on the Putty bugs list [0], a good place to track
 interop problems with implementations since it's so widely used, which in turn
 points to https://bugzilla.mindrot.org/show_bug.cgi?id=1291:

Actually, I'm half-wrong (or half-right) - there was a bug in OpenSSL, just
not in AES-CTR specifically. It was a mildly obscure bug in the EVP interface
that showed up when plugging in one's own ciphers. 

We now have automated interop regression tests against PuTTY to catch this
sort of thing...

-d



Re: RNG using AES CTR as encryption algorithm

2009-09-09 Thread Peter Gutmann
David Johnston d...@deadhat.com writes:

Convincing yourself that you have implemented AES-CTR correctly usually
involves first checking that your AES-ECB is correct, then putting the output
of your counter construction into some other known good AES-CTR implementation
and comparing the results with your implementation.

I was just going to reply with a variation of this, if you're implementing a
full protocol that uses AES-CTR (or any algorithm/mode for that matter), find
other implementations that do it too and make sure that you can talk to them.
In theory everyone could end up implementing it wrong, but that's somewhat
unlikely.

(This has already caught AES-CTR implementation bugs in the past, for example
one particular version of OpenSSL 0.9.8 got AES-CTR keying wrong and it was
noticed when SSH users couldn't connect to OpenSSH servers using this mode).

Peter.



Re: RNG using AES CTR as encryption algorithm

2009-09-09 Thread Matt Ball
On Tue, Sep 1, 2009 at 11:28 PM, priya yelgar wrote:
 I have implemented RNG using AES algorithm in CTR mode.

 To test my implementation I needed some test vectors.

 However, I searched on the CSRC site, but found the test vectors for AES_CBC,
 not for AES CTR.

 Please, can anyone tell me where to look for the test vectors to test RNG
 using AES CTR.

The first thing that jumps out at me is that you're looking for a
nebulous Random Number Generator based on AES CTR mode (defined by
SP 800-38A), and this is cast in the context of NIST's CSRC website
(http://csrc.nist.gov/).  Referencing NIST implies that you're looking
for some kind of Algorithm Certificate or FIPS 140-2 certification for a
cryptographic module.  If this is true, then you cannot just use 'AES
CTR' to generate FIPS-approved random numbers.  Instead, you need to
use one of the approved RNG methods listed in FIPS 140-2 Annex C
Approved Random Number Generators.  This includes several RNGs,
including AES and 3DES variants based on ANSI X9.31, and SP 800-90.
The closest thing to AES CTR is the CTR_DRBG defined in SP 800-90,
which uses AES CTR for the random number generation, but also handles
important things like distilling the initial entropy pool and periodic
re-keying.

Even if you're not intending to get FIPS 140-2 certification, I still
highly recommend finding a good standard describing a 'recipe' for
generating pseudo-random numbers, and follow the requirements for
that.  'RNG using AES in CTR mode' is much different than 'Encryption
using AES in CTR mode', and needs to be carefully handled accordingly.
It's really easy to get things wrong outside of the AES CTR portion
of the problem.  You need to worry about justifying a particular
entropy content of your true random source, which is then distilled
down to create your key and nonce for the AES CTR portion of the RNG.
This is not a task that is taken lightly.

My personal recommendation is to go with the CTR_DRBG as defined in SP
800-90.  You can easily find open source implementations of this
algorithm, so I'm not even sure if you need to spend time implementing
it.  To test it, I recommend going through the process of getting an
algorithm certificate from NIST.

Cheers!

Matt Ball, Chair, IEEE P1619 Security in Storage Working Group
Staff Engineer, Sun Microsystems, Inc.
500 Eldorado Blvd, Bldg #5 BRM05-212, Broomfield, CO 80021
Work: 303-272-7580, Cell: 303-717-2717
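An added sketch (not Matt Ball's code, nor any poster's) of the CTR_DRBG structure he recommends, AES-128 without the derivation function, to show concretely what "RNG using AES in CTR mode" adds on top of the raw mode: the seed goes through a one-way update, and both key and counter are replaced after every request. The function names are my own, the caller is assumed to already supply 32 full-entropy bytes, and the reseed path and derivation function are left out; it has not been checked against CAVP vectors.

```go
package main
import "crypto/aes"
// AES-128 CTR_DRBG parameters from SP 800-90: seedlen = keylen + blocklen.
const keyLen, blockLen, seedLen, reseedInterval = 16, 16, 32, 1 << 48

// ctrDRBG is the working state; entropy input must already be seedLen full-entropy
// bytes because this sketch omits the optional derivation function.
type ctrDRBG struct {
	key, v  []byte
	reseeds uint64 // reseed_counter
}
func incr(v []byte) { for i := len(v) - 1; i >= 0; i-- { if v[i]++; v[i] != 0 { break } } }

// update is CTR_DRBG_Update: run the counter forward for seedLen bytes, XOR in the
// provided data, then replace BOTH the key and V. Plain AES-CTR encryption never
// does this; it keeps one key for the whole stream.
func (d *ctrDRBG) update(provided []byte) {
	block, _ := aes.NewCipher(d.key)
	temp, buf := make([]byte, 0, seedLen), make([]byte, blockLen)
	for len(temp) < seedLen {
		incr(d.v)
		block.Encrypt(buf, d.v)
		temp = append(temp, buf...)
	}
	for i := range provided { temp[i] ^= provided[i] }
	d.key, d.v = append([]byte(nil), temp[:keyLen]...), append([]byte(nil), temp[keyLen:]...)
}

// newCTRDRBG is Instantiate (no df): entropy XOR zero-padded personalization string,
// pushed through update() starting from an all-zero key and V.
func newCTRDRBG(entropy, personalization []byte) *ctrDRBG {
	if len(entropy) != seedLen || len(personalization) > seedLen { panic("bad seed material") }
	seed := append([]byte(nil), entropy...)
	for i := range personalization { seed[i] ^= personalization[i] }
	d := &ctrDRBG{key: make([]byte, keyLen), v: make([]byte, blockLen), reseeds: 1}
	d.update(seed)
	return d
}

// generate is Generate without additional input: emit keystream, then rekey so a
// later compromise of the state cannot reveal this output (backtracking resistance).
func (d *ctrDRBG) generate(n int) []byte {
	if d.reseeds > reseedInterval || n > 1<<16 { panic("reseed required or request too large") }
	block, _ := aes.NewCipher(d.key)
	out, buf := make([]byte, 0, n+blockLen), make([]byte, blockLen)
	for len(out) < n {
		incr(d.v)
		block.Encrypt(buf, d.v)
		out = append(out, buf...)
	}
	d.update(make([]byte, seedLen))
	d.reseeds++
	return out[:n]
}
```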



Re: RNG using AES CTR as encryption algorithm

2009-09-09 Thread Zooko Wilcox-O'Hearn
And while you are at it, please implement these test vectors and  
report to Niels Ferguson:


http://blogs.msdn.com/si_team/archive/2006/05/19/aes-test-vectors.aspx

Regards,

Zooko



Re: RNG using AES CTR as encryption algorithm

2009-09-08 Thread Jack Lloyd
On Wed, Sep 02, 2009 at 10:58:03AM +0530, priya yelgar wrote:
 Hi all,
 
 I have implemented RNG using AES algorithm in CTR mode.
 
 To test my implementation I needed some test vectors.
 
 However, I searched on the CSRC site, but found the test vectors for AES_CBC,
 not for AES CTR.
 
 Please, can anyone tell me where to look for the test vectors to test RNG
 using AES CTR.

NIST SP 800-38A, Recommendation for Block Cipher Modes of Operation,
contains a set of AES/CTR test vectors in Appendix F.5.

http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf

-Jack



Re: RNG using AES CTR as encryption algorithm

2009-09-08 Thread David Johnston
NIST doesn't provide specific KAT vectors for AES-CTR because the 
results depend on your specific counter construction.
When you interact with a FIPS test lab, you will provide them with your 
counter construction, they will provide you with the KATs and you will 
then test to those KATs.


This is probably why you are not finding AES-CTR vectors in the same 
places you might find AES-CBC vectors. NIST explains this somewhere in 
their publications.


Convincing yourself that you have implemented AES-CTR correctly usually 
involves first checking that your AES-ECB is correct, then putting the 
output of your counter construction into some other known good AES-CTR 
implementation and comparing the results with your implementation.


Regards,
DJ

priya yelgar wrote:

Hi all,

I have implemented RNG using AES algorithm in CTR mode.

To test my implementation I needed some test vectors.

However, I searched on the CSRC site, but found the test vectors for AES_CBC,
not for AES CTR.

Please, can anyone tell me where to look for the test vectors to test RNG
using AES CTR.


Thanks in advance 
Priya Ainapur
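The two-step check David Johnston describes, carried out in Go against the SP 800-38A Appendix F.5.1 vector that Jack Lloyd points to (added example, not code from any poster or from OpenSSH). The KAT constants are NIST's; the function names are mine, and the counter is incremented as one big-endian 128-bit integer, which is the construction those vectors assume.

```go
package main
import ("bytes"; "crypto/aes"; "crypto/cipher"; "encoding/hex"; "fmt")
func unhex(s string) []byte { b, _ := hex.DecodeString(s); return b }

// SP 800-38A Appendix F.5.1 (CTR-AES128.Encrypt): key, initial counter block,
// the ECB encryption of that block, and the first two plaintext/ciphertext blocks.
var (
	katKey  = unhex("2b7e151628aed2a6abf7158809cf4f3c")
	katCtr  = unhex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
	katOut1 = unhex("ec8cdf7398607cb0f2d21675ea9ea1e4")
	katPT   = unhex("6bc1bee22e409f96e93d7e117393172a" + "ae2d8a571e03ac9c9eb76fac45af8e51")
	katCT   = unhex("874d6191b620e3261bef6864990db6ce" + "9806f66b7970fdff8617187bb9fffdff")
)

// ctrXOR is the home-grown CTR mode under test: each counter block goes through the
// raw AES block operation (the ECB primitive) and is XORed into the data, then the
// counter is incremented as one big-endian 128-bit integer (SSH defines its own).
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) } // only 16-, 24- or 32-byte keys are valid
	ctr, ks, out := append([]byte(nil), iv...), make([]byte, aes.BlockSize), make([]byte, len(in))
	for off := 0; off < len(in); off += aes.BlockSize {
		block.Encrypt(ks, ctr)
		for i := 0; i < aes.BlockSize && off+i < len(in); i++ {
			out[off+i] = in[off+i] ^ ks[i]
		}
		for i := len(ctr) - 1; i >= 0; i-- { // increment, carrying into higher bytes
			if ctr[i]++; ctr[i] != 0 { break }
		}
	}
	return out
}

// ecbOK is step one from the post: XORing a zero block leaves exactly the AES
// encryption of the initial counter, so this isolates the block cipher itself.
func ecbOK() bool { return bytes.Equal(ctrXOR(katKey, katCtr, make([]byte, 16)), katOut1) }

// katOK compares the CTR output with the vector; its second block already covers
// the carry from ...fcfdfeff to ...fcfdff00, a classic place to go wrong.
func katOK() bool { return bytes.Equal(ctrXOR(katKey, katCtr, katPT), katCT) }

// crossOK is step two: same key and counter block into a known-good implementation
// (Go's crypto/cipher CTR here), then compare the two outputs on arbitrary data.
func crossOK(key, iv, data []byte) bool {
	block, _ := aes.NewCipher(key)
	ref := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(ref, data)
	return bytes.Equal(ctrXOR(key, iv, data), ref)
}

func main() { fmt.Println("ECB:", ecbOK(), "KAT:", katOK(), "cross:", crossOK(katKey, katCtr, make([]byte, 999))) }
```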






RNG using AES CTR as encryption algorithm

2009-09-04 Thread priya yelgar
Hi all,

I have implemented RNG using AES algorithm in CTR mode.

To test my implementation I needed some test vectors.

However, I searched on the CSRC site, but found the test vectors for AES_CBC,
not for AES CTR.

Please, can anyone tell me where to look for the test vectors to test RNG
using AES CTR.


Thanks in advance 
Priya Ainapur
