[botan-devel] Got different AES-256/CBC result with Botan and another AES calculator

Jack Lloyd lloyd at randombit.net
Thu Jul 21 08:38:44 EDT 2016


On Thu, Jul 21, 2016 at 11:10:03AM +0800, Yang Fan wrote:
> Hi list,
> 
> I'm trying to use Botan in my application, but I find that Botan returns
> different result for AES-256/CBC with other calculator, for example there
> is an online calculator:
> 
> http://extranet.cryptomathic.com/aescalc/index?key=603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4&iv=000102030405060708090a0b0c0d0e0f&input=6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51&mode=cbc&action=Encrypt&output=
> 
> In this case, key in hex format is
> "603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4", IV in
> hex format is "000102030405060708090A0B0C0D0E0F", and original message in
> hex is "6BC1BEE22E409F96E93D7E117393172AAE2D8A571E03AC9C9EB76FAC45AF8E51",
> then that online calculator returns result in hex format is
> "F58C4C04D6E5F1BA779EABFB5F7BFBD69CFC4E967EDB808D679F777BC6702C7D". But
> Botan returns result is
> "f58c4c04d6e5f1ba779eabfb5f7bfbd69cfc4e967edb808d679f777bc6702c7d
> *3a3aa5e0213db1a9901f9036cf5102d2*", its first 64 chars are identical to
> the other result, but there are more 32 chars left.

I think the issue is how the calculator is doing CBC padding. Normally
at least 1 extra (non-plaintext) padding byte is required, which can
be used to indicate how many bytes of padding to remove. When the
input is an exact multiple of the block size, a full entire block is
required (since CBC only processes a block at a time).

The calculator seems to be zero-padding the plaintext instead and just
unilaterally strips trailing zeros on decryption. But that produces an
incorrect result if the original plaintext ended with 0x00 bytes,
since upon decryption they are treated as padding bytes and removed.

You could get the same result as the calculator by using
AES-128/CBC/NoPadding, and then manually adding any necessary trailing
zero bytes to get the input up to an exact multiple of the block size.

Cheers,
 Jack
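
The padding behaviour discussed in this thread, as an added example that is not part of the original message and is not Botan code. It performs no AES and only models the padding step: PKCS#7 stands in for the "at least 1 extra padding byte" scheme, the zero-padding functions model what the calculator is guessed to do, and all function names and sample bytes are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

using Bytes = std::vector<std::uint8_t>;
constexpr std::size_t BLOCK = 16;  // AES block size in bytes

// PKCS#7: always append 1..16 bytes, each holding the pad length.
Bytes pkcs7_pad(Bytes m) {
    const std::size_t n = BLOCK - (m.size() % BLOCK);  // 16 when already aligned
    m.insert(m.end(), n, static_cast<std::uint8_t>(n));
    return m;
}

// Strips the padding in place; returns false on malformed padding.
bool pkcs7_unpad(Bytes& m) {
    if (m.empty() || m.size() % BLOCK != 0) return false;
    const std::size_t n = m.back();
    if (n == 0 || n > BLOCK) return false;
    for (std::size_t i = m.size() - n; i < m.size(); ++i)
        if (m[i] != n) return false;
    m.resize(m.size() - n);
    return true;
}

// Zero padding: fill up to the next block boundary, nothing if already aligned.
Bytes zero_pad(Bytes m) {
    m.resize((m.size() + BLOCK - 1) / BLOCK * BLOCK, 0x00);
    return m;
}

// The matching "unpad" cannot tell padding from plaintext zeros.
Bytes zero_strip(Bytes m) {
    while (!m.empty() && m.back() == 0x00) m.pop_back();
    return m;
}

int main() {
    Bytes aligned(32, 0xAB);               // constructed: 32 bytes, like the message in the thread
    Bytes tail = {0x01, 0x02, 0x00, 0x00}; // constructed: plaintext ending in 0x00 bytes
    Bytes p = pkcs7_pad(tail);
    const bool ok = pkcs7_unpad(p);
    std::cout << "PKCS#7 padded length: " << pkcs7_pad(aligned).size() << " bytes\n";
    std::cout << "zero padded length:   " << zero_pad(aligned).size() << " bytes\n";
    std::cout << "zero round trip keeps " << zero_strip(zero_pad(tail)).size() << " of 4 bytes\n";
    std::cout << "PKCS#7 round trip ok=" << ok << ", keeps " << p.size() << " of 4 bytes\n";
}
```

CBC ciphertext is as long as the padded input, so the 32-byte message gives 48 bytes (96 hex characters) with PKCS#7 and 32 bytes (64 hex characters) with zero padding, which is the 32-character difference reported above.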

