- From: Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>
- Date: Tue, 4 Sep 2012 09:04:43 +0000
- To: Wan-Teh Chang <wtc@google.com>
- CC: Ryan Sleevi <sleevi@google.com>, Web Cryptography Working Group <public-webcrypto@w3.org>

This seems like a good start. It meets the needs of CCM and GCM, and we can wait for feedback to see if people need more.

-----Original Message-----
From: Wan-Teh Chang [mailto:wtc@google.com]
Sent: Friday, August 31, 2012 4:12 PM
To: Vijay Bharadwaj
Cc: Ryan Sleevi; Web Cryptography Working Group
Subject: Re: crypto-ISSUE-27 (aes ctr): Specification of AES-CTR mode counter bits [Web Cryptography API]

Applying the standard incrementing function to the least significant m bits of the counter block should meet the requirements of most use cases of the Counter Mode. This is what PKCS #11 supports:

CK_AES_CTR_PARAMS is a structure that provides the parameters to the CKM_AES_CTR mechanism. It is defined as follows:

    typedef struct CK_AES_CTR_PARAMS {
        CK_ULONG ulCounterBits;
        CK_BYTE cb[16];
    } CK_AES_CTR_PARAMS;

The fields of the structure have the following meanings:

ulCounterBits: the number of bits in the counter block (cb) that shall be incremented. This number shall be such that 0 < ulCounterBits ≤ 128. For any values outside this range the mechanism shall return CKR_MECHANISM_PARAM_INVALID.

cb: specifies the counter block. It's up to the caller to initialize all of the bits in the counter block including the counter bits. The counter bits are the least significant bits of the counter block. They are a bigendian value usually starting with 1. The rest of cb is for the nonce, and maybe an optional IV.

This matches the definition of in the current draft:
http://www.w3.org/2012/webcrypto/WebCryptoAPI/#aes-ctr-params

So I suggest that we specify:

The least significant |length| bits of the counter block are incremented using the standard incrementing function specified in NIST SP 800-38A Appendix B.1.

Wan-Teh

Received on Tuesday, 4 September 2012 09:05:21 UTC
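
The incrementing rule proposed in the message above, as an added example in C that is not code from the thread, from PKCS #11, or from the Web Crypto draft. `ctr_increment` is a hypothetical helper name; it adds 1 modulo 2^m to the least significant m bits of a 16-byte counter block and leaves the remaining (nonce) bits untouched, including when m is not a multiple of 8.

```c
#include <stdint.h>
#include <stdio.h>

#define CTR_BLOCK_LEN 16

/* Hypothetical helper: add 1 (mod 2^counter_bits) to the least significant
 * counter_bits bits of cb, read as a big-endian integer. Bits above the
 * counter field (nonce / IV) never change, so a counter wrap cannot carry
 * into the nonce. Returns -1 if counter_bits is outside 1..128, the range
 * PKCS #11 requires for ulCounterBits; 0 otherwise. */
int ctr_increment(uint8_t cb[CTR_BLOCK_LEN], unsigned counter_bits)
{
    if (counter_bits == 0 || counter_bits > 128)
        return -1;

    unsigned full_bytes = counter_bits / 8; /* bytes wholly inside the counter */
    unsigned rem_bits = counter_bits % 8;   /* counter bits in the boundary byte */
    unsigned carry = 1;

    /* Ripple the +1 through the whole counter bytes, last byte first. */
    for (unsigned i = 0; i < full_bytes && carry; i++) {
        uint8_t *p = &cb[CTR_BLOCK_LEN - 1 - i];
        *p = (uint8_t)(*p + 1);
        carry = (*p == 0);
    }

    /* Boundary byte: low rem_bits belong to the counter, high bits to the nonce. */
    if (carry && rem_bits) {
        uint8_t *p = &cb[CTR_BLOCK_LEN - 1 - full_bytes];
        uint8_t mask = (uint8_t)((1u << rem_bits) - 1);
        *p = (uint8_t)((*p & ~mask) | ((*p + 1) & mask));
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: 96-bit nonce of 0xA5 bytes, 32-bit counter at its
     * maximum value, so the next increment wraps the counter to zero. */
    uint8_t cb[CTR_BLOCK_LEN] = { 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5, 0xA5,
                                  0xA5, 0xA5, 0xA5, 0xA5, 0xFF, 0xFF, 0xFF, 0xFF };
    ctr_increment(cb, 32);
    for (int i = 0; i < CTR_BLOCK_LEN; i++)
        printf("%02x", cb[i]);
    printf("\n");
    return 0;
}
```

Because the counter field wraps silently, a caller has to stop before 2^m blocks have been processed under one nonce; continuing past the wrap reuses counter blocks.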