Re: crypto-ISSUE-27 (aes ctr): Specification of AES-CTR mode counter bits [Web Cryptography API]

Applying the standard incrementing function to the least significant m
bits of the counter block should meet the requirements of most use
cases of the Counter Mode. This is what PKCS #11 supports:

  CK_AES_CTR_PARAMS is a structure that provides the parameters to the
  CKM_AES_CTR mechanism.  It is defined as follows:
  typedef struct CK_AES_CTR_PARAMS {
          CK_ULONG ulCounterBits;
          CK_BYTE cb[16];

  The fields of the structure have the following meanings:
      ulCounterBits  the number of bits in the counter block (cb) that shall
              be incremented. This number  shall be such that 0 <
              ulCounterBits ≤128. For any values outside this range
              the mechanism shall return
      cb  specifies the counter block. It's up to the caller to
              initialize all of the bits in the counter block including
              the counter bits. The counter bits are the least
              significant bits of the counter block. They are a bigendian
              value usually starting with 1. The rest of cb is for the nonce,
              and maybe an optional IV.

This matches the definition of in the current draft:

So I suggest that we specify:
    The least significant |length| bits of the counter block are incremented
    using the standard incrementing function specified in NIST SP 800-38A
    Appendix B.1.


Received on Friday, 31 August 2012 23:12:43 UTC