[openssl.org #1585] NIST CMAC, AES-CCM and AES-GCM modes


[openssl.org #1585] NIST CMAC, AES-CCM and AES-GCM modes

Rich Salz via RT

(See attached file: ibm.patch)

This contribution has complied with both local (Australian) and US export
requirements (as IBM is a US based company) and is donated to the OpenSSL
project under the terms of the existing OpenSSL license.

Attached, a patch against OpenSSL 0.9.8e which adds support for the NIST
modes described in SP800-38B (CMAC), SP800-38C (AES-CCM) and the draft
SP800-38D (AES-GCM).

We do have test cases against the NIST known answer data which I'll also
contribute, however those share common code to parse the NIST test data and
will need to be built manually until someone works out how to integrate
them.

Notes:
AES-CCM doesn't use the normal Init/Update/Final pattern as the standard
mandates that no decrypted data be available unless the tag check passes.
That's so ugly that this may as well be implemented in one pass.

AES-GCM lacks table driven acceleration at this point, if no-one beats me
to it I'll add that in a few months.

Peter
Peter Waltenberg



Re: [openssl.org #1585] NIST CMAC, AES-CCM and AES-GCM modes

Aaron Christensen
Cool.  I've been working on an EVP interface for AEAD (part of a project for my Master's degree), but I haven't implemented gcm (or other) in openssl, yet.  I think I can integrate these two pieces of code.  I'd be interested in your test cases.

I have some gcm code I wrote that is written with support for the tables, so maybe we can work on bringing that into the code in this patch.

Also, since I haven't taken time to learn about CCM, yet, are there serious restrictions on implementing an incremental interface for it?  My next step was going to be an attempt to get some of the new SSL/AEAD stuff written, and it would be nice to be able to use a common EVP-like interface...

Regards,
~Aaron Christensen

On 10/5/07, Peter Waltenberg via RT <[hidden email]> wrote:

(See attached file: ibm.patch)

This contribution has complied with both local (Australian) and US export
requirements (as IBM is a US based company) and is donated to the OpenSSL
project under the terms of the existing OpenSSL license.

Attached, a patch against OpenSSL 0.9.8e which adds support for the NIST
modes described in SP800-38B (CMAC), SP800-38C (AES-CCM) and the draft
SP800-38D (AES-GCM).

We do have test cases against the NIST known answer data which I'll also
contribute, however those share common code to parse the NIST test data and
will need to be built manually until someone works out how to integrate
them.

Notes:
AES-CCM doesn't use the normal Init/Update/Final pattern as the standard
mandates that no decrypted data be available unless the tag check passes.
That's so ugly that this may as well be implemented in one pass.

AES-GCM lacks table driven acceleration at this point, if no-one beats me
to it I'll add that in a few months.

Peter
Peter Waltenberg




Re: [openssl.org #1585] NIST CMAC, AES-CCM and AES-GCM modes

Peter Waltenberg
Thanks, the GCM table code would be appreciated. Test cases, I'd hope
within a couple of weeks. IBM throws a wrapper around OpenSSL, and our test
cases currently test the code via that wrapper, so I have to do more than
just a copy.

CCM - the only problem with it is the NIST standard - you aren't allowed to
produce any decrypted output unless the tags match and you can't check the
tag until you've processed the entire data stream.
Without that I'd have coded it with the normal Init/Update/Final pattern
- with that restriction it was easier for me and with the users I support -
to make the limitation explicit. The original coding was Init/Update/Final
so it should be fairly easy to revert.

Peter


From: "Aaron Christensen" <[hidden email]>
To: [hidden email]
Date: 07/10/2007 05:56
Subject: Re: [openssl.org #1585] NIST CMAC, AES-CCM and AES-GCM modes

Cool.  I've been working on an EVP interface for AEAD (part of a project
for my Master's degree), but I haven't implemented gcm (or other) in
openssl, yet.  I think I can integrate these two pieces of code.  I'd be
interested in your test cases.

I have some gcm code I wrote that is written with support for the tables,
so maybe we can work on bringing that into the code in this patch.

Also, since I haven't taken time to learn about CCM, yet, are there serious
restrictions on implementing an incremental interface for it?  My next step
was going to be an attempt to get some of the new SSL/AEAD stuff written,
and it would be nice to be able to use a common EVP-like interface...

Regards,
~Aaron Christensen

On 10/5/07, Peter Waltenberg via RT <[hidden email]> wrote:

  (See attached file: ibm.patch)

  This contribution has complied with both local (Australian) and US export
  requirements (as IBM is a US based company) and is donated to the OpenSSL
  project under the terms of the existing OpenSSL license.

  Attached, a patch against OpenSSL 0.9.8e which adds support for the NIST
  modes described in SP800-38B (CMAC), SP800-38C (AES-CCM) and the draft
  SP800-38D (AES-GCM).

  We do have test cases against the NIST known answer data which I'll also
  contribute, however those share common code to parse the NIST test data and
  will need to be built manually until someone works out how to integrate
  them.

  Notes:
  AES-CCM doesn't use the normal Init/Update/Final pattern as the standard
  mandates that no decrypted data be available unless the tag check passes.
  That's so ugly that this may as well be implemented in one pass.

  AES-GCM lacks table driven acceleration at this point, if no-one beats me
  to it I'll add that in a few months.

  Peter
  Peter Waltenberg




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: [openssl.org #1585] NIST CMAC, AES-CCM and AES-GCM modes

Jack Lloyd
In reply to this post by Aaron Christensen
On Sat, Oct 06, 2007 at 02:55:19PM -0500, Aaron Christensen wrote:

> Also, since I haven't taken time to learn about CCM, yet, are there serious
> restrictions on implementing an incremental interface for it?  My next step
> was going to be an attempt to get some of the new SSL/AEAD stuff written,
> and it would be nice to be able to use a common EVP-like interface...

As I understand it, CCM is mostly used in packet-based protocols (and
in fact you have to know the length of the whole message to even start
processing). So a complete transform mechanism without any incremental
support isn't that bad; the expectation is that you'll pull small
packets off the wire (or radio interface), and decrypt them
sequentially and then (perhaps) reassemble them into a stream.

-Jack
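The length-up-front constraint Jack describes comes straight from the SP 800-38C formatting function: the very first CBC-MAC block B0 encodes the total payload length, so no MAC computation can begin until the whole message length is fixed. The following added example (not code from the patch or from anyone in this thread) builds B0, the length-prefixed AAD blocks and the initial counter block as SP 800-38C Appendix A specifies, with the nonce/AAD/length/tag-size choices taken from the spec's Appendix C Example 1; the function name ccm_format is an assumption of this example, not an OpenSSL API.

```python
# Added example: SP 800-38C Appendix A formatting for AES-CCM. No AES is
# needed to show the point: B0 already contains the total payload length.
import struct

VALID_TAG_LENS = (4, 6, 8, 10, 12, 14, 16)   # allowed t values in SP 800-38C


def ccm_format(nonce: bytes, aad: bytes, payload_len: int, tag_len: int):
    """Return (B0, aad_blocks, ctr0) for the given CCM parameters.

    B0 = Flags || N || Q carries the nonce N, the total payload length Q and
    the tag length t, so CBC-MAC cannot start until the entire message length
    is known. That is why a streaming Init/Update/Final decrypt cannot
    release data early: the tag is only checkable after the last block.
    """
    if tag_len not in VALID_TAG_LENS:
        raise ValueError("tag length must be one of %r" % (VALID_TAG_LENS,))
    q = 15 - len(nonce)              # bytes left in the block for Q
    if not 2 <= q <= 8:
        raise ValueError("nonce must be 7..13 bytes")
    if payload_len >= 1 << (8 * q):
        raise ValueError("payload too long for a %d-byte length field" % q)

    # Flags: 0 | Adata(1 bit) | (t-2)/2 (3 bits) | q-1 (3 bits)
    flags = (bool(aad) << 6) | (((tag_len - 2) // 2) << 3) | (q - 1)
    b0 = bytes([flags]) + nonce + payload_len.to_bytes(q, "big")

    # Associated data: length prefix whose width depends on the size, then
    # the data, zero-padded to whole 16-byte blocks.
    a = len(aad)
    if a == 0:
        enc = b""
    elif a < (1 << 16) - (1 << 8):
        enc = struct.pack(">H", a) + aad
    elif a < 1 << 32:
        enc = b"\xff\xfe" + struct.pack(">I", a) + aad
    else:
        enc = b"\xff\xff" + struct.pack(">Q", a) + aad
    if len(enc) % 16:
        enc += b"\x00" * (16 - len(enc) % 16)
    aad_blocks = [enc[i:i + 16] for i in range(0, len(enc), 16)]

    # Counter block 0 for the CTR keystream: flags hold only q-1.
    ctr0 = bytes([q - 1]) + nonce + (0).to_bytes(q, "big")
    return b0, aad_blocks, ctr0
```

Because the 15-byte budget is split between nonce and length field, a 13-byte nonce leaves only 2 bytes for Q and caps a single CCM message at 65535 bytes, another reason the mode fits packet-sized units rather than streams.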


Re: [openssl.org #1585] NIST CMAC, AES-CCM and AES-GCM modes

Peter Waltenberg
In reply to this post by Peter Waltenberg
AES_CCM has a real "well duh!" type bug on systems where long is 32 bits.
The compiler will probably tell you where it is.

Sorry - fix it in a couple of days.

Peter

Peter Waltenberg
