Java AES/GCM/NoPadding encryption does not increment the counter of the IV after doFinal
When I initialize a Cipher object with the default AES/GCM algorithm, it has a random 12-byte IV, but the first 4 bytes do not get incremented after doFinal is called, and it throws the java.lang.IllegalStateException: Cannot re-use same key and IV for multiple encryptions exception.
// imports: javax.crypto.Cipher, javax.crypto.SecretKey
SecretKey secretKey = ...
final Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, secretKey);   // no GCMParameterSpec given: the provider picks a random 12-byte IV
byte[] iv1 = cipher.getIV();
byte[] ctext = cipher.doFinal("a".getBytes());
cipher.update("b".getBytes());                 // throws: the cipher refuses a second encryption under the same key and IV
byte[] iv2 = cipher.getIV();
ctext = cipher.doFinal();
java.lang.IllegalStateException: Cannot re-use same key and IV for multiple encryptions
This is for your protection and, hopefully, the library keeps this behavior, at least when used under the same Cipher object.
AES-GCM internally uses AES in CTR mode for encryption, and for CTR mode the reuse of the (key, IV) pair is a catastrophic failure of confidentiality by crib-dragging.
AES-GCM uses a 12-byte IV/nonce and the remaining bytes are used for the counter. The first two counter values are reserved, so you can encrypt at most 2^32-2 blocks, which makes 2^39-256 bits, around 68 GB, under a single (IV, key) pair.
The 12-byte nonce is the standard in NIST 800-38d. If you supply a nonce not equal to 12 bytes, then it will be processed with GHASH and the size will be 12 bytes after that.
if len(IV) = 96 then
J_0 = IV || 0^{31}1
else
J_0=GHASH_H(IV||0^{s+64}||len(IV_64))
It is not advised if you use counter-based IV generation, as suggested by NIST, because it will make it random. Also, it will make your encryption a bit slower due to the GHASH call.
When I initialize a Cipher object with the default AES/GCM algorithm, it has a random 12-byte IV, but the first 4 bytes do not get incremented
This is what is expected. The counter part is set to zero again. Do you want to continue where it left off, since your file is larger than the counter supports? Divide the file and make a chain.
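An added example (not code from the question or the answer above) of the two things the answer recommends: re-initialising the Cipher with a fresh 12-byte nonce for every independent message instead of calling doFinal twice, and splitting a large input into a chain of GCM messages that each get their own nonce. The nonce layout (8 random bytes fixed per file followed by a 32-bit chunk counter), the 16-byte chunk size and the AAD layout (chunk index plus a last-chunk flag) are design choices made for this illustration, not something prescribed by the library or by NIST; the sample "file" is constructed inline.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class GcmChunkedEncryption {
    private static final int NONCE_LEN = 12;   // 96-bit nonce: J_0 = IV || 0^31 || 1, no GHASH pre-processing
    private static final int TAG_BITS = 128;
    private static final int CHUNK = 16;        // illustrative chunk size; a real file splitter would use e.g. 1 MiB
    private static final SecureRandom RNG = new SecureRandom();

    /** One independent message under a fresh random nonce; output = nonce || ciphertext || tag. */
    static byte[] encryptMessage(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce)); // new init per message
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array();
    }

    static byte[] decryptMessage(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_LEN));
        return c.doFinal(blob, NONCE_LEN, blob.length - NONCE_LEN);
    }

    /** Assumed nonce layout for chunk i: 8 random bytes fixed per file || 32-bit big-endian chunk index. */
    static byte[] chunkNonce(byte[] prefix8, int index) {
        return ByteBuffer.allocate(NONCE_LEN).put(prefix8).putInt(index).array();
    }

    /** Assumed AAD layout: chunk index || last-chunk flag, so chunks cannot be reordered or truncated. */
    private static byte[] aad(int index, boolean last) {
        return ByteBuffer.allocate(5).putInt(index).put((byte) (last ? 1 : 0)).array();
    }

    /** "Divide the file and make a chain": each chunk is its own GCM message with its own nonce. */
    static List<byte[]> encryptChunked(SecretKey key, byte[] prefix8, byte[] data) throws GeneralSecurityException {
        List<byte[]> out = new ArrayList<>();
        int chunks = Math.max(1, (data.length + CHUNK - 1) / CHUNK);
        for (int i = 0; i < chunks; i++) {
            int from = i * CHUNK, to = Math.min(data.length, from + CHUNK);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, chunkNonce(prefix8, i)));
            c.updateAAD(aad(i, i == chunks - 1));
            out.add(c.doFinal(data, from, to - from));
        }
        return out;
    }

    static byte[] decryptChunked(SecretKey key, byte[] prefix8, List<byte[]> chunks) throws GeneralSecurityException {
        ByteBuffer buf = ByteBuffer.allocate(chunks.size() * CHUNK);
        for (int i = 0; i < chunks.size(); i++) {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, chunkNonce(prefix8, i)));
            c.updateAAD(aad(i, i == chunks.size() - 1));
            buf.put(c.doFinal(chunks.get(i)));   // AEADBadTagException on a tampered, reordered or missing chunk
        }
        return Arrays.copyOf(buf.array(), buf.position());
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // Two independent messages: re-init with a new nonce instead of calling doFinal twice on one Cipher.
        byte[] a = encryptMessage(key, "a".getBytes());
        byte[] b = encryptMessage(key, "b".getBytes());
        System.out.println(new String(decryptMessage(key, a)) + new String(decryptMessage(key, b)));

        // Constructed sample "file", split into a chain of chunks.
        byte[] file = "The quick brown fox jumps over the lazy dog, again and again.".getBytes();
        byte[] prefix = new byte[8];
        RNG.nextBytes(prefix);
        List<byte[]> chunks = encryptChunked(key, prefix, file);
        System.out.println(Arrays.equals(file, decryptChunked(key, prefix, chunks)));

        // Swapping two chunks breaks the chain: the AAD binds each ciphertext to its position.
        List<byte[]> swapped = new ArrayList<>(chunks);
        swapped.set(0, chunks.get(1));
        swapped.set(1, chunks.get(0));
        try {
            decryptChunked(key, prefix, swapped);
        } catch (javax.crypto.AEADBadTagException e) {
            System.out.println("reordered chunk rejected");
        }
    }
}
```

Passing an explicit GCMParameterSpec is what keeps the nonce under your control; with the argument-less init in the question the provider draws a random IV and you can only read it back with getIV(). Because only 8 bytes of the chunk nonce are random, the per-file prefix must not be reused with the same key, and the number of files encrypted under one key should stay well below the 2^32 random-nonce invocation limit NIST gives for 96-bit nonces; a persisted per-file counter in place of the random prefix removes that concern.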