From: Richard Hodges <rh@matriplex.com>
To: freebsd-hackers@freebsd.org
Date: Wed, 18 Jul 2007 12:06:35 -0600
Subject: Rijndael sanity check?
Message-Id: <200707181206.52765.rh@matriplex.com>
Okay, I am a little bit puzzled. I have been working with AES/Rijndael for a couple months now, and I have just run into something interesting.

I have written two AES 128-bit implementations, one in C and one for a microcontroller. I have carefully studied various references, including FIPS-197 and its test vectors. I have tested the C-language encryption and decryption functions with untold millions of pseudo-random blocks, checking that the encrypted blocks decrypt back to the originals, and also using the FreeBSD rijndael functions (in libssh) as an arms-length comparison. I have also compared the results from my assembly language functions with those on my FreeBSD box, but not as extensively. So with three different code implementations seemingly in agreement, I _thought_ things were just fine.

Now I have run across an "interesting" situation. It appears that I have two different plaintext blocks that encrypt into the same cipher text. Obviously, decryption will only provide one of the two original blocks. It was my understanding that one (and only one) plaintext will encrypt into a particular cipher text, and vice versa. So that is why I am puzzled. It also appears that I may have many more examples, if one is not enough.
Here is my AES 128 bit key:

    2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

Here is plaintext #1:

    920F0CE0A9A96BB9D8416962BDBBAA7C

Here is plaintext #2:

    c74601001001000000000054006b51FF

With my two implementations and the FreeBSD SSH library, I get:

Encrypted result:

    c93d42187034cea8671b88431000d18c

I have attached a test program that demonstrates this with the FreeBSD Rijndael library. I have tested this on 6.0/AMD64 and 6.2/I386 with the same results. For 6.0, the ssh_ prefix is removed from the rijndael function calls.

    > cc -Wall -O2 aes_test.c -o aes_test -l ssh
    aes_test.c: In function `encrypt_1':
    aes_test.c:136: warning: implicit declaration of function `ssh_rijndael_set_key'
    aes_test.c:137: warning: implicit declaration of function `ssh_rijndael_encrypt'
    > ./aes_test
    Using key: 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
    920F0CE0A9A96BB9D8416962BDBBAA7C
     decr: 92 0f 0c e0 a9 a9 6b b9 d8 41 69 62 bd bb aa 7c
     encr: c9 3d 42 18 70 34 ce a8 67 1b 88 43 10 00 d1 8c
    c74601001001000000000054006b51FF
     decr: c7 46 01 00 10 01 00 00 00 00 00 54 00 6b 51 ff
     encr: c9 3d 42 18 70 34 ce a8 67 1b 88 43 10 a2 d1 8c

So I am asking if anyone can point out if I made an "obvious mistake", duplicate my results on your own system, or provide some other useful information on this.

Many thanks!

-Richard
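The check a reader would want to run on a report like the one above, as an added example that is not part of Richard's message, his aes_test.c, or the FreeBSD libssh code: a Go program built on the standard library's crypto/aes. It first confirms that the library reproduces the published FIPS-197 Appendix B vector (which happens to use the same key as the post), then encrypts both posted plaintexts under that key and lists every byte position at which the two ciphertexts differ. For a fixed key AES is a permutation of the 128-bit block space, so two distinct blocks can never share a ciphertext; an empty diff would therefore point at the test harness rather than at the cipher, and a byte-by-byte comparison is the quickest way to see whether two outputs that look alike really are identical. The key, plaintext and ciphertext constants are copied from the message; the FIPS-197 pair is the published one; the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
	"log"
)

// Hex values copied from the message above, plus the published
// FIPS-197 Appendix B plaintext/ciphertext pair for the same key.
const (
	keyHex    = "2b7e151628aed2a6abf7158809cf4f3c"
	pt1Hex    = "920F0CE0A9A96BB9D8416962BDBBAA7C"
	pt2Hex    = "c74601001001000000000054006b51FF"
	fipsPtHex = "3243f6a8885a308d313198a2e0370734"
	fipsCtHex = "3925841d02dc09fbdc118597196a0b32"
)

// mustHex decodes a hex string or aborts; every input here is a fixed constant.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		log.Fatalf("bad hex %q: %v", s, err)
	}
	return b
}

// encryptBlock encrypts exactly one 16-byte block with raw AES (no mode,
// no padding), which is what a single-block test vector exercises.
func encryptBlock(key, pt []byte) ([]byte, error) {
	if len(pt) != aes.BlockSize {
		return nil, fmt.Errorf("plaintext must be %d bytes, got %d", aes.BlockSize, len(pt))
	}
	c, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	ct := make([]byte, aes.BlockSize)
	c.Encrypt(ct, pt)
	return ct, nil
}

// diffBytes returns the indices at which a and b differ; positions present
// in only one slice (length mismatch) count as differences too.
func diffBytes(a, b []byte) []int {
	var d []int
	for i := 0; i < len(a) || i < len(b); i++ {
		if i >= len(a) || i >= len(b) || a[i] != b[i] {
			d = append(d, i)
		}
	}
	return d
}

// selfTest reports whether the library reproduces the FIPS-197 Appendix B vector.
func selfTest() bool {
	ct, err := encryptBlock(mustHex(keyHex), mustHex(fipsPtHex))
	return err == nil && bytes.Equal(ct, mustHex(fipsCtHex))
}

// checkCollision encrypts two blocks under one key and returns both
// ciphertexts plus the byte positions where they differ. An empty diff
// would be a genuine collision, which AES under a fixed key cannot produce.
func checkCollision(key, p1, p2 []byte) (c1, c2 []byte, diff []int, err error) {
	if c1, err = encryptBlock(key, p1); err != nil {
		return nil, nil, nil, err
	}
	if c2, err = encryptBlock(key, p2); err != nil {
		return nil, nil, nil, err
	}
	return c1, c2, diffBytes(c1, c2), nil
}

func main() {
	if !selfTest() {
		log.Fatal("library does not reproduce the FIPS-197 Appendix B vector")
	}
	c1, c2, diff, err := checkCollision(mustHex(keyHex), mustHex(pt1Hex), mustHex(pt2Hex))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("ct1: %x\nct2: %x\n", c1, c2)
	fmt.Println("differing byte positions (empty would mean a real collision):", diff)
	// The two "encr:" lines quoted in the message, compared the same way.
	posted := diffBytes(mustHex("c93d42187034cea8671b88431000d18c"),
		mustHex("c93d42187034cea8671b884310a2d18c"))
	fmt.Println("posted encr lines differ at byte positions:", posted)
}
```

Running the self-test before anything else matters: a harness that cannot reproduce a published vector tells you nothing about a suspected collision. The diff of the two quoted output lines is printed alongside the freshly computed one so that a transcription error in a mail can be told apart from a discrepancy in the cipher call itself.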