
Java AES/GCM/NoPadding encryption does not increment the counter of the IV after doFinal

When I initialize a Cipher object with the default AES/GCM algorithm, it has a random 12-byte IV, but the first 4 bytes do not get incremented after doFinal is called, and it throws the java.lang.IllegalStateException: Cannot re-use same key and IV for multiple encryptions exception.

SecretKey secretKey = ...

final Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, secretKey);   // the JDK picks a random 12-byte IV here

byte[] iv1 = cipher.getIV();
byte[] ctext = cipher.doFinal("a".getBytes());

cipher.update("b".getBytes());
byte[] iv2 = cipher.getIV();                   // identical to iv1: the counter part was not advanced
ctext = cipher.doFinal();                      // throws IllegalStateException

java.lang.IllegalStateException: Cannot re-use same key and IV for multiple encryptions

This is for your protection and hopefully, the library keeps this behavior at least when used under the same Cipher object.

AES-GCM internally uses AES in CTR mode for encryption, and for CTR mode the reuse of the (key, IV) pair is a catastrophic failure of confidentiality via crib-dragging.

AES-GCM uses a 12-byte IV/nonce and the remaining bytes are used for the counter. The first two counter values are reserved, so you can encrypt at most 2^32-2 blocks, which makes 2^39-256 bits, around 68 GB, under a single (IV, key) pair.

The 12-byte nonce is the standard per NIST 800-38d. If you supply a nonce that is not 12 bytes, then it will be processed with GHASH and the size will be 12 bytes after that.

if len(IV) = 96 then
    J_0 = IV || 0^{31} || 1
else
    J_0 = GHASH_H(IV || 0^{s+64} || [len(IV)]_64)

It is not advised if you use counter-based IV generation, as suggested by NIST, because it will make it random. Also, it will make your encryption a bit slower due to the GHASH call.

When I initialize a Cipher object with the default AES/GCM algorithm, it has a random 12-byte IV, but the first 4 bytes do not get incremented

This is what is expected. The counter part is set to zero again. Do you want to continue where it left off, since your file is larger than the counter supports? Divide the file and make a chain.

  • Additionally, see What are the rules for using AES-GCM correctly?
  • Whenever a tag is incorrect, don't use the plaintext at all.
  • There is an AES-GCM-SIV mode that eliminates the (IV, key) pair misuse. It only leaks that the same message is sent again under the same IV and key.
  • TLS actually uses a new (key, IV) pair per record, which has at most 2^14 bytes; this prevents memory-fill attacks. Consider that you spend your memory on decryption of 68 GB and only then see that the tag is incorrect. Nice DoS attack point for servers.
  • Using ChaCha20-Poly1305 is much easier than AES-GCM where available. It still has the (IV, key)-reuse problem, though.
  • There is an XChaCha20 that uses a 192-bit nonce and 64-bit counter. That can handle very large data sizes and random nonces securely.
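The usage pattern the answer points at, as an added example that is not code from the question or the answer: a fresh random 12-byte IV per message, carried in front of the ciphertext, with a new Cipher init for every message, plus the same-object reuse that the JDK refuses. The class and method names are my own.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;

public class GcmFreshIvExample {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the SP 800-38D default
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    // Encrypts one message under a fresh random 96-bit IV; returns IV || ciphertext || tag.
    static byte[] encrypt(SecretKey key, byte[] plaintext, byte[] aad) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                     // new IV per message, never reused under this key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(IV_BYTES + ct.length).put(iv).put(ct).array();
    }
    // Splits IV || ciphertext || tag and verifies the tag; doFinal throws
    // AEADBadTagException on a bad tag, so no unauthenticated plaintext is released.
    static byte[] decrypt(SecretKey key, byte[] blob, byte[] aad) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
               new GCMParameterSpec(TAG_BITS, Arrays.copyOfRange(blob, 0, IV_BYTES)));
        c.updateAAD(aad);
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] aad = "header-v1".getBytes();   // constructed sample associated data
        byte[] blob1 = encrypt(key, "a".getBytes(), aad);
        byte[] blob2 = encrypt(key, "b".getBytes(), aad);   // second message, fresh IV
        System.out.println(new String(decrypt(key, blob1, aad)) + new String(decrypt(key, blob2, aad)));
        // Within one Cipher object the JDK keeps the (key, IV) after doFinal and refuses a
        // second encryption, which is the IllegalStateException from the question.
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key);      // JDK picks a random 12-byte IV
        c.doFinal("x".getBytes());
        try { c.doFinal("y".getBytes()); }
        catch (IllegalStateException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```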
