10

AES is a standard encryption routine that can be used consistently across multiple languages, assuming all the variables match up. My question is, what are the variables? I am aware of the following:

  • Variant (is this AES-256, or just plain AES-128)

  • Data to encrypt

  • Key (128 bits is common)

  • Initialization Vector - now what is this? Is it also 128 predetermined bits?

    I understand from reading Wikipedia, that the IV is used to prevent two identical 16-bit blocks in the overall stream from being identical after encryption, as that would make the data more guessable.

  • Is there also a mode?

    I'm guessing this is gonna be padding/streaming vs. a required 128-bit length, but how many modes are there, or is this diverse?

Sorry if I got some of this wrong, but I'm confused and would like a clear list of the variables. I think I got them all, but I am not sure if I got them right.

700 Software

2 Answers

11

The AES cipher has only one parameter: the key. Indirectly, the AES variant is also defined. You have AES-128 for 16 byte keys, AES-192 for 24 byte keys, and AES-256 for 32 byte keys.

I don't consider input data to be a parameter.

Orthogonal to that you have the chaining mode, which is the way you manage to encrypt/decrypt pieces of data that do not match the block size of the cipher. For instance ECB, CBC, CFB, etc. I use the generic term cipher because a chaining mode is applicable to any block cipher, and AES happens to be one amongst many (e.g. you have TDES, Blowfish, etc), with a constant block size of 16 bytes.

Some chaining modes (CBC, OFB, CFB, GCM) require an Initialization Vector, which very often matches the block size of the cipher. In some cases, the IV is called nonce and it may be smaller than the block size (e.g. for CTR).

Finally, some chaining modes may require the plaintext to have a length that is a multiple of some value (e.g. block size for CBC, segment size for CFB). In those cases, you may need to also define the specific padding algorithm (e.g. PKCS7-style).

10

AES itself has three variants: AES-128, AES-192 and AES-256. Internally, the algorithms have very similar constructions. The number is the length of the key (in bits), i.e. the length of the prearranged secret (AES is a shared-secret cipher). A higher number means not only a longer key, but also more work done with the key and the input to produce the output.

Each of these three algorithms specifies two functions encrypt and decrypt; both functions take as input one n-bit value (n = 128, 192 or 256) called the key and one 128-bit value called the input block, and produce as output one 128-bit value called the output block. The input block to encrypt is called the plaintext and the output block is called the ciphertext; for decrypt, the roles are reversed.

encrypt(key, plaintext) = ciphertext
decrypt(key, ciphertext) = plaintext

AES is a block cipher. It only specifies how to encrypt or decrypt a 128-bit block. If your data is shorter or longer than that, you need something more sophisticated: you need to have a mode of operation, often called chaining mode because it specifies how to process one block after the other. The choice of chaining mode is largely independent of the choice of block processing algorithm.

Some chaining modes only require the key and the input. For example, ECB, the simplest mode of all, only says to cut the input into blocks of the appropriate size, apply the encryption/decryption algorithm, and paste the output blocks together. This mode has many flaws (for example, you can spot repetitions in the input if they are aligned with a block boundary; you can tell whether two encrypted messages are the same because they then have the same ciphertext).

Many chaining modes require an additional piece of input, typically one block in size. It is usually mixed with the first input block in some way, and called an initialization vector (often abbreviated IV). The IV is usually chosen randomly; this is a requirement for some modes, while for others it is enough never to choose the same IV twice for the same key (which a random draw ensures). The IV serves (at least) to make two encryptions of the same plaintext with the same key distinct. A popular mode using a random IV is CBC. Another popular mode is CTR (counter); its IV is more properly called a nonce, because it does not have to be random, only non-repeated.

Breaking up the input into blocks only works when it is a multiple of the block size. Otherwise, the usual process is to split off as many blocks as possible at the beginning and apply a padding scheme to the last, partial block. Although padding tends to imply that some bits are added to make up a full block, padding securely isn't that simple: a partial block B with some padding P appended risks being confused with a full block that happens to be BP. Good padding schemes have to apply some padding to all messages, even the ones that happen to be an exact number of blocks. Some modes of operation impose a particular padding scheme, while others are padding-agnostic. Crypto libraries often require that the input to block cipher functions be only full blocks, leaving the task of padding to the caller.

There are modes that make something other than an encryption/decryption algorithm out of block ciphers. Modes such as CMAC make a message authentication code, i.e. a signature based on a shared secret. Modes such as GCM do both encryption and signature (the output of AES-n-GCM-encrypt(key, IV, tag, plaintext) is both a ciphertext and a MAC).

Gilles 'SO- stop being evil'
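As an added example (not code from either answer), the "variables" both answers list, in Go's standard library: the key length alone selects AES-128/192/256, a PKCS#7-style pad is always appended (a whole extra block for input that already fills its blocks), and the same padded input run through ECB and CBC shows why an IV is needed. The function names and the fixed key/IV used in the test are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// pkcs7Pad appends 1..blockSize bytes, so a whole-block input still gets a full pad block.
func pkcs7Pad(in []byte, blockSize int) []byte {
	n := blockSize - len(in)%blockSize
	return append(append([]byte{}, in...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad rejects any trailer that is not a consistent PKCS#7 pad.
func pkcs7Unpad(in []byte, blockSize int) ([]byte, error) {
	if len(in) == 0 || len(in)%blockSize != 0 {
		return nil, fmt.Errorf("length %d is not a whole number of blocks", len(in))
	}
	n := int(in[len(in)-1])
	if n == 0 || n > blockSize || !bytes.Equal(in[len(in)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("invalid padding")
	}
	return in[:len(in)-n], nil
}

// encrypt pads, then applies ECB (iv == nil: raw block function, block by block)
// or CBC (a 16-byte IV chained in). Only the key length picks the variant:
// 16/24/32 bytes = AES-128/192/256; aes.NewCipher rejects anything else.
func encrypt(key, iv, plaintext []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, b.BlockSize())
	out := make([]byte, len(padded))
	if iv == nil {
		for i := 0; i < len(padded); i += b.BlockSize() {
			b.Encrypt(out[i:], padded[i:])
		}
		return out, nil
	}
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(out, padded)
	return out, nil
}
```

With two identical 16-byte plaintext blocks, the ECB output has two identical ciphertext blocks while the CBC output does not, which is the repetition leak the second answer describes.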