- From: Wan-Teh Chang <wtc@google.com>
- Date: Fri, 31 Aug 2012 16:12:16 -0700
- To: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>
- Cc: Ryan Sleevi <sleevi@google.com>, Web Cryptography Working Group <public-webcrypto@w3.org>
Applying the standard incrementing function to the least significant m
bits of the counter block should meet the requirements of most use
cases of the Counter Mode. This is what PKCS #11 supports:

CK_AES_CTR_PARAMS is a structure that provides the parameters to the
CKM_AES_CTR mechanism. It is defined as follows:

typedef struct CK_AES_CTR_PARAMS {
    CK_ULONG ulCounterBits;
    CK_BYTE cb[16];
} CK_AES_CTR_PARAMS;

The fields of the structure have the following meanings:

ulCounterBits   the number of bits in the counter block (cb) that shall
                be incremented. This number shall be such that 0 <
                ulCounterBits ≤ 128. For any values outside this range
                the mechanism shall return
                CKR_MECHANISM_PARAM_INVALID.

cb              specifies the counter block. It's up to the caller to
                initialize all of the bits in the counter block including
                the counter bits. The counter bits are the least
                significant bits of the counter block. They are a big-endian
                value usually starting with 1. The rest of cb is for the nonce,
                and maybe an optional IV.

This matches the definition of in the current draft:
http://www.w3.org/2012/webcrypto/WebCryptoAPI/#aes-ctr-params

So I suggest that we specify:

The least significant |length| bits of the counter block are incremented
using the standard incrementing function specified in NIST SP 800-38A
Appendix B.1.

Wan-Teh
Received on Friday, 31 August 2012 23:12:43 UTC
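
The incrementing rule discussed in the message above, as an added example that is not part of the original e-mail, PKCS #11 or the Web Crypto draft: it increments only the least significant counter bits of a 16-byte big-endian counter block, leaves the nonce bits untouched, and reports when the counter field wraps. The function name ctr_increment, its return convention and the sample block are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

#define CTR_BLOCK_LEN 16

/* Hypothetical helper, not a PKCS #11 function. Applies the SP 800-38A
 * Appendix B.1 standard incrementing function to the least significant
 * counter_bits bits of cb: field = (field + 1) mod 2^counter_bits.
 * Returns -1 when counter_bits is outside 0 < counter_bits <= 128 (the
 * range for which CKM_AES_CTR returns CKR_MECHANISM_PARAM_INVALID),
 * 1 when the counter field wrapped to zero, 0 otherwise. A wrap means
 * the next counter blocks repeat earlier ones under the same key. */
int ctr_increment(unsigned char cb[CTR_BLOCK_LEN], unsigned long counter_bits)
{
    if (counter_bits == 0 || counter_bits > 128)
        return -1;

    size_t full_bytes = counter_bits / 8;   /* whole bytes in the counter field */
    unsigned rem_bits = counter_bits % 8;   /* extra bits in the next byte up */
    int carry = 1;

    /* Ripple the +1 through the whole bytes, starting at the last byte. */
    for (size_t i = 0; i < full_bytes && carry; i++) {
        unsigned char *p = &cb[CTR_BLOCK_LEN - 1 - i];
        *p = (unsigned char)(*p + 1);
        carry = (*p == 0);
    }

    /* Partial byte: add the carry inside its low rem_bits bits only. */
    if (carry && rem_bits) {
        unsigned char *p = &cb[CTR_BLOCK_LEN - 1 - full_bytes];
        unsigned char mask = (unsigned char)((1u << rem_bits) - 1);
        unsigned char low = (unsigned char)((*p + 1) & mask);
        *p = (unsigned char)((*p & ~mask) | low);
        carry = (low == 0);
    }
    return carry;
}

int main(void)
{
    /* Constructed sample: 96-bit nonce, then a 32-bit counter at its maximum. */
    unsigned char cb[CTR_BLOCK_LEN] = {
        0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7,
        0xA8, 0xA9, 0xAA, 0xAB, 0xFF, 0xFF, 0xFF, 0xFF };
    int wrapped = ctr_increment(cb, 32);
    printf("wrapped=%d nonce_tail=%02X counter_lsb=%02X\n", wrapped, cb[11], cb[15]);
    return 0;
}
```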