Date: Wed, 18 Jul 2007 12:06:35 -0600
From: Richard Hodges <rh@matriplex.com>
To: freebsd-hackers@freebsd.org
Subject: Rijndael sanity check?
Message-ID: <200707181206.52765.rh@matriplex.com>

Okay, I am a little bit puzzled. I have been working with AES/Rijndael for a couple months now, and I have just run into something interesting.

I have written two AES 128-bit implementations, one in C and one for a microcontroller. I have carefully studied various references, including FIPS-197 and its test vectors. I have tested the C-language encryption and decryption functions with untold millions of pseudo-random blocks, checking that the encrypted blocks decrypt back to the originals, and also using the FreeBSD rijndael functions (in libssh) as an arm's-length comparison. I have also compared the results from my assembly language functions with those on my FreeBSD box, but not as extensively. So with three different code implementations seemingly in agreement, I _thought_ things were just fine.

Now I have run across an "interesting" situation. It appears that I have two different plaintext blocks that encrypt into the same cipher text. Obviously, decryption will only provide one of the two original blocks. It was my understanding that one (and only one) plaintext will encrypt into a particular cipher text, and vice versa. So that is why I am puzzled.

It also appears that I may have many more examples, if one is not enough.

Here is my AES 128 bit key:
2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c

Here is plaintext #1:
920F0CE0A9A96BB9D8416962BDBBAA7C

Here is plaintext #2:
c74601001001000000000054006b51FF

With my two implementations and the FreeBSD SSH library, I get:

Encrypted result:
c93d42187034cea8671b88431000d18c

I have attached a test program that demonstrates this with the FreeBSD Rijndael library. I have tested this on 6.0/AMD64 and 6.2/I386 with the same results. For 6.0, the ssh_ prefix is removed from the rijndael function calls.

> cc -Wall -O2 aes_test.c -o aes_test -l ssh
aes_test.c: In function `encrypt_1':
aes_test.c:136: warning: implicit declaration of function `ssh_rijndael_set_key'
aes_test.c:137: warning: implicit declaration of function `ssh_rijndael_encrypt'

> ./aes_test
Using key: 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
920F0CE0A9A96BB9D8416962BDBBAA7C
decr: 92 0f 0c e0 a9 a9 6b b9 d8 41 69 62 bd bb aa 7c
encr: c9 3d 42 18 70 34 ce a8 67 1b 88 43 10 00 d1 8c
c74601001001000000000054006b51FF
decr: c7 46 01 00 10 01 00 00 00 00 00 54 00 6b 51 ff
encr: c9 3d 42 18 70 34 ce a8 67 1b 88 43 10 a2 d1 8c

So I am asking if anyone can point out if I made an "obvious mistake", duplicate my results on your own system, or provide some other useful information on this.

Many thanks!

-Richard