I'm working on implementing a protocol and per the specification I need to encrypt / decrypt data using AES-128-CCM and AES-128-GCM. My question is: how do you use CCM mode while specifying the Cipher#auth_data ? All the examples I find online are using GCM mode which seems to be working, while CCM does not. The exception I encounter is a very generic OpenSSL::Cipher::CipherError
with no additional details.
The example code I have below works when algo
is either option (AES-128-CCM or AES-128-GCM), and no auth_data is nil
, or when algo is AES-128-GCM and the auth_data is non- nil
.
I'm using Ruby v2.5.5 and OpenSSL v2.1.2.
algo = 'AES-128-CCM' # AES-128-GCM works
auth_data = OpenSSL::Random.random_bytes(32) # nil works
cipher = OpenSSL::Cipher.new(algo).encrypt
if algo == 'AES-128-CCM'
cipher.auth_tag_len = 16
cipher.iv_len = 11
elsif algo == 'AES-128-GCM'
cipher.iv_len = 12
end
key = cipher.random_key
iv = cipher.random_iv
# has to be done in this order for unknown reasons
if algo == 'AES-128-CCM'
encrypted = cipher.update('Hello World') + cipher.final
cipher.auth_data = auth_data unless auth_data.nil?
elsif algo == 'AES-128-GCM'
cipher.auth_data = auth_data unless auth_data.nil?
encrypted = cipher.update('Hello World') + cipher.final
end
auth_tag = cipher.auth_tag
cipher = OpenSSL::Cipher.new(algo).decrypt
if algo == 'AES-128-CCM'
cipher.auth_tag_len = 16
cipher.iv_len = 11
elsif algo == 'AES-128-GCM'
cipher.iv_len = 12
end
cipher.key = key
cipher.iv = iv
cipher.auth_tag = auth_tag
cipher.update(encrypted) # crashes when auth_data != nil and algo == AES-128-CCM
You've switched the order of the authentication data and plaintext around in your call for CCM.
encrypted = cipher.update('Hello World') + cipher.final
cipher.auth_data = auth_data unless auth_data.nil?
In general, the additional authenticated data needs to be processed before the plaintext data. There are some tricks around that for GCM (which may be implemented or not) but not for CCM. EAX mode does allow any order of the arguments as it was explicitly made to be a more flexible implementation of an authenticating cipher.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.