RE: crypto-ISSUE-27 (aes ctr): Specification of AES-CTR mode counter bits [Web Cryptography API]

I don't think it's enough to specify the length of the counter. SP 800-38A (http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf) allows for more-or-less arbitrary ways of generating counter sequences. Why not just ask for a function that generates counter values? In other words:

dictionary AesCtrParams : AlgorithmParameters {
  // The initial value of the counter. counter MUST be 16 bytes.
  ArrayBuffer counter;
  // A function that implements the desired counter increment rule
  ArrayBuffer nextCounter(ArrayBuffer currentValue);
};
            

-----Original Message-----
From: Web Cryptography Working Group Issue Tracker [mailto:sysbot+tracker@w3.org] 
Sent: Wednesday, August 22, 2012 1:35 PM
To: public-webcrypto@w3.org
Subject: crypto-ISSUE-27 (aes ctr): Specification of AES-CTR mode counter bits [Web Cryptography API]

crypto-ISSUE-27 (aes ctr): Specification of AES-CTR mode counter bits [Web Cryptography API]

http://www.w3.org/2012/webcrypto/track/issues/27


Raised by: Ryan Sleevi
On product: Web Cryptography API

Under the AesCtrParams [1], callers can currently specify an initial value for the counter, as well as a length for how many bits are used for the block counter. Such a specification matches the PKCS#11 definition for AES-CTR, although other APIs such as CDSA, CryptoAPI, and CNG, do not support explicit counter mode, and instead only support ECB as a foundation for CTR.

However, by only specifying the length in bits of the counter, it presumes that the counter bits are either in the most-significant or least-significant bytes. Different systems using AES-CTR may place the block counter in different places - some using the MSB, others using the LSB. Thus, should the API specify an 'offset' as well that, when combined with length, gives a clear position of where the block counter is (internally managed by the API), and where the message counter/nonce are (externally managed by the caller)?

[1] http://www.w3.org/2012/webcrypto/WebCryptoAPI/#dfn-AesCtrParams

Received on Monday, 27 August 2012 10:05:43 UTC
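
Added example, not part of the original messages or of the Web Cryptography API draft: a sketch of the offset-plus-length idea raised in ISSUE-27, incrementing only the block-counter field of a 16-byte counter block and leaving the caller-managed bits untouched. The function name nextCounterBlock and the convention that offset is counted in bits from the most significant bit of the block are assumptions made for illustration.

```javascript
// Hypothetical helper (not a Web Crypto API function). Assumed convention:
// bit offset 0 is the most significant bit of the 16-byte counter block.
function nextCounterBlock(block, offset, length) {
  if (!(block instanceof Uint8Array) || block.length !== 16) {
    throw new TypeError("counter block must be a 16-byte Uint8Array");
  }
  if (!Number.isInteger(offset) || !Number.isInteger(length) ||
      offset < 0 || length < 1 || offset + length > 128) {
    throw new RangeError("offset/length must describe a field inside 128 bits");
  }
  // Load the block as a 128-bit big-endian integer.
  let value = 0n;
  for (const byte of block) value = (value << 8n) | BigInt(byte);

  const shift = BigInt(128 - offset - length); // bits to the right of the field
  const fieldMask = (1n << BigInt(length)) - 1n;
  const field = (value >> shift) & fieldMask;
  // Increment modulo 2^length so a wrap never carries into caller-managed bits.
  const nextField = (field + 1n) & fieldMask;
  let next = (value & ~(fieldMask << shift)) | (nextField << shift);

  // Store the result back as 16 big-endian bytes.
  const out = new Uint8Array(16);
  for (let i = 15; i >= 0; i--) {
    out[i] = Number(next & 0xffn);
    next >>= 8n;
  }
  return out;
}

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) =>
  Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));

// Constructed sample block: 12 bytes followed by a 32-bit field at its maximum.
const sample = fromHex("00112233445566778899aabb" + "ffffffff");

// Block counter in the least-significant 32 bits: the field wraps to zero
// and the leading 96 bits are left alone.
const lsb = toHex(nextCounterBlock(sample, 96, 32));
// Same length, but block counter in the most-significant 32 bits: a
// different part of the block changes, so length alone is ambiguous.
const msb = toHex(nextCounterBlock(sample, 0, 32));
```

With the same 32-bit length, the two placements produce different next blocks from the same input, which is the ambiguity the issue describes.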