[botan-devel] Got different AES-256/CBC result with Botan and another AES calculator

Yang Fan missdeer at gmail.com
Fri Jul 22 12:48:15 EDT 2016


Thanks Jack. It does make sense.

On Thu, Jul 21, 2016 at 8:38 PM, Jack Lloyd <lloyd at randombit.net> wrote:

> On Thu, Jul 21, 2016 at 11:10:03AM +0800, Yang Fan wrote:
> > Hi list,
> >
> > I'm trying to use Botan in my application, but I find that Botan returns
> > different result for AES-256/CBC with other calculator, for example there
> > is an online calculator:
> >
> >
> http://extranet.cryptomathic.com/aescalc/index?key=603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4&iv=000102030405060708090a0b0c0d0e0f&input=6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51&mode=cbc&action=Encrypt&output=
> >
> > In this case, key in hex format is
> > "603DEB1015CA71BE2B73AEF0857D77811F352C073B6108D72D9810A30914DFF4", IV in
> > hex format is "000102030405060708090A0B0C0D0E0F", and original message in
> > hex is
> "6BC1BEE22E409F96E93D7E117393172AAE2D8A571E03AC9C9EB76FAC45AF8E51",
> > then that online calculator returns result in hex format is
> > F58C4C04D6E5F1BA779EABFB5F7BFBD69CFC4E967EDB808D679F777BC6702C7D". But
> > Botan returns result is
> > "f58c4c04d6e5f1ba779eabfb5f7bfbd69cfc4e967edb808d679f777bc6702c7d
> > *3a3aa5e0213db1a9901f9036cf5102d2*", its first 64 chars are identical to
> > the other result, but there are more 32 chars left.
>
> I think the issue is how the calculator is doing CBC padding. Normally
> at least 1 extra (non-plaintext) padding byte is required, which can
> be used to indicate how many bytes of padding to remove. When the
> input is an exact multiple of the block size, a full entire block is
> required (since CBC only processes a block at a time).
>
> The calculator seems to be zero-padding the plaintext instead and just
> unilaterally strips trailing zeros on decryption. But that produces an
> incorrect result if the original plaintext ended with 0x00 bytes,
> since upon decryption they are treated as padding bytes and removed.
>
> You could get the same result as the calculator by using
> AES-128/CBC/NoPadding, and then manually adding any necessary trailing
> zero bytes to get the input up to an exact multiple of the block size.
>
> Cheers,
>  Jack
> _______________________________________________
> botan-devel mailing list
> botan-devel at randombit.net
> http://lists.randombit.net/mailman/listinfo/botan-devel
>



-- 
Regards,
Fan Yang
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20160723/fcc051e1/attachment.html>


More information about the botan-devel mailing list