AES CTR 256 Encryption Mode of operation on OpenSSL

by

Usually, you will be intending to call AES_ctr128_encrypt() repeatedly to send several messages with the same key and IV, and an incrementing counter. This means you need to keep track of the ‘ivec’, ‘num’ and ‘ecount’ values between calls – so create a struct to hold these, and an initialisation function:

struct ctr_state {
    unsigned char ivec[16];  /* ivec[0..7] is the IV, ivec[8..15] is the big-endian counter */
    unsigned int num;
    unsigned char ecount[16];
};

int init_ctr(struct ctr_state *state, const unsigned char iv[8])
{
    /* aes_ctr128_encrypt requires 'num' and 'ecount' set to zero on the
     * first call. */
    state->num = 0;
    memset(state->ecount, 0, 16);

    /* Initialise counter in 'ivec' to 0 */
    memset(state->ivec + 8, 0, 8);

    /* Copy IV into 'ivec' */
    memcpy(state->ivec, iv, 8);
}

Now, when you start communicating with the destination, you’ll need to generate an IV to use and initialise the counter:

unsigned char iv[8];
struct ctr_state state;

if (!RAND_bytes(iv, 8))
    /* Handle the error */;

init_ctr(&state, iv);

You will then need to send the 8 byte IV to the destination. You’ll also need to initialise an AES_KEY from your raw key bytes:

AES_KEY aes_key;

if (AES_set_encrypt_key(key, 128, &aes_key))
    /* Handle the error */;

You can now start encrypting data and sending it to the destination, with repeated calls to AES_ctr128_encrypt() like this:

AES_ctr128_encrypt(msg_in, msg_out, msg_len, &aes_key, state->ivec, state->ecount, &state->num);

(msg_in is a pointer to a buffer containing the plaintext message, msg_out is a pointer to a buffer where the encrypted message should go, and msg_len is the message length).

Decryption is exactly the same, except that you do not generate the IV with RAND_bytes() – instead, you take the value given to you by the other side.

Important:

  1. Do not call init_ctr() more than once during the encryption process. The counter and IV must be initialised once only prior to the start of encryption.

  2. Under no circumstances be tempted to get the IV anywhere other than from RAND_bytes() on the encryption side. Don’t set it to a fixed value; don’t use a hash function; don’t use the recipient’s name; don’t read it from disk. Generate it with RAND_bytes() and send it to the destination. Whenever you start with a zero counter, you must start with a completely fresh IV that you have never used before.

  3. If it is at all possible that you will be sending 2**64 bytes without changing the IV and/or key, you will need to test for the counter overflowing.

  4. Do not omit error-checking. If a function fails and you ignore it, it’s quite possible (even likely) that your system will appear to be functioning normally, but will actually be operating completely insecurely.

More Related Contents:

  1. AES (aes-cbc-128, aes-cbc-192, aes-cbc-256) encryption/decryption with openssl C
  2. How to do encryption using AES in Openssl
  3. How to generate RSA private key using OpenSSL?
  4. How to implement Server Name Indication (SNI)
  5. Password to key function compatible with OpenSSL commands?
  6. How to compile .c file with OpenSSL includes?
  7. OpenSSL encryption using .NET classes
  8. Directly Read/Write Handshake data with Memory BIO
  9. Error: “invalid use of incomplete type ‘RSA {aka struct rsa_st}” in OpenSSL 1.1.0
  10. How do I build OpenSSL statically linked against Windows runtime?
  11. x509 certificate verification in C
  12. Build OpenVPN with specific OpenSSL version
  13. Serving multiple domains in one box with SNI
  14. optimized sum of an array of doubles in C [duplicate]
  15. How to get all possible combination of 2xn matrix [closed]
  16. How to resolve a variable for char length? [closed]
  17. How to correctly use the extern keyword in C
  18. ‘float’ vs. ‘double’ precision
  19. Are parallel calls to send/recv on the same socket valid?
  20. How Recursion works in C
  21. Does either ANSI C or ISO C specify what -5 % 10 should be?
  22. How to find the element of an array that is repeated at least N/2 times?
  23. Efficient integer compare function
  24. What does __init mean in the Linux kernel code?
  25. Getting absolute path of a file
  26. How to decode a string encoded with openssl aes-128-cbc using java?
  27. Why can’t I create an array with size determined by a global variable?
  28. Why can’t the size of a static array be made variable?
  29. Difference between “pointer to int” and “pointer to array of ints”
  30. What is the meaning of a dot (.) after an integer in c?

Leave a Comment