| Andrew Cooke | Contents | Latest | RSS | Twitter | Previous | Next

C[omp]ute

Welcome to my blog, which was once a mailing list of the same name and is still generated by mail. Please reply via the "comment" links.

Always interested in offers/projects/new ideas. Eclectic experience in fields like: numerical computing; Python web; Java enterprise; functional languages; GPGPU; SQL databases; etc. Based in Santiago, Chile; telecommute worldwide. CV; email.

Personal Projects

Lepl parser for Python.

Colorless Green.

Photography around Santiago.

SVG experiment.

Professional Portfolio

Calibration of seismometers.

Data access via web services.

Cache rewrite.

Extending OpenSSH.

C-ORM: docs, API.

Last 100 entries

New TLS Implementation; Maths for Physicists; How I Am 8; 1000 Word Philosophy; Cyberpunk Reading List; Detailed Discussion of Message Dispatch in ParserCombinator Library for Julia; FizzBuzz in Julia w Dependent Types; kokko - Design Shop in Osaka; Summary of Greece, Currently; LLVM and GPUs; See Also; Schoolgirl Groyps (Maths); Japanese Lit; Another Example - Modular Arithmetic; Music from United; Read Agatha Christie for the Plot; A Constructive Look at TempleOS; Music Thread w Many Recommendations; Fixed Version; A Useful Julia Macro To Define Equality And Hash; k3b cdrom access, OpenSuse 13.1; Week 2; From outside, the UK looks less than stellar; Huge Fonts in VirtualBox; Keen - Complex Emergencies; The Fallen of World War II; Some Spanish Fiction; Calling C From Fortran 95; Bjork DJ Set; Z3 Example With Python; Week 1; Useful Guide To Starting With IJulia; UK Election + Media; Review: Reinventing Organizations; Inline Assembly With Julia / LLVM; Against the definition of types; Dumb Crypto Paper; The Search For Quasi-Periodicity...; Is There An Alternative To Processing?; CARDIAC (CARDboard Illustrative Aid to Computation); The Bolivian Case Against Chile At The Hague; Clear, Cogent Economic Arguments For Immigration; A Program To Say If I Am Working; Decent Cards For Ill People; New Photo; Luksic And Barrick Gold; President Bachelet's Speech; Baltimore Primer; libxml2 Parsing Stream; configure.ac Recipe For Library Path; The Davalos Affair For Idiots; Not The Onion: Google Fireside Chat w Kissinger; Bicycle Wheels, Inertia, and Energy; Another Tax Fraud; Google's Borg; A Verion That Redirects To Local HTTP Server; Spanish Accents For Idiots; Aluminium Cans; Advice on Spray Painting; Female View of Online Chat From a Male; UX Reading List; S4 Subgroups - Geometric Interpretation; Fucking Email; The SQM Affair For Idiots; Using Kolmogorov Complexity; Oblique Strategies in bash; Curses Tools; Markov Chain Monte Carlo Without all the Bullshit; Email Para Matias Godoy Mercado; The Penta Affair For Idiots; Example Code To Create numpy Array in C; Good Article on Bias in Graphic Design (NYTimes); Do You Backup github?; Data Mining Books; SimpleDateFormat should be synchronized; British Words; Chinese Govt Intercepts External Web To DDOS github; Numbering Permutations; Teenage Engineering - Low Price Synths; GCHQ Can Do Whatever It Wants; Dublinesque; A Cryptographic SAT Solver; Security Challenges; Word Lists for Crosswords; 3D Printing and Speaker Design; Searchable Snowden Archive; XCode Backdoored; Derived Apps Have Malware (CIA); Rowhammer - Hacking Software Via Hardware (DRAM) Bugs; Immutable SQL Database (Kinda); Tor GPS Tracker; That PyCon Dongle Mess...; ASCII Fluid Dynamics; Brandalism; Table of Shifter, Cassette and Derailleur Compatability; Lenovo Demonstrates How Bad HTTPS Is; Telegraph Owned by HSBC; Smaptop - Sunrise (Music); Equation Group (NSA); UK Torture in NI; And - A Natural Extension To Regexps; This Is The Future Of Religion

© 2006-2015 Andrew Cooke (site) / post authors (content).

Using AES CTR mode with Java / Clojure

From: andrew cooke <andrew@...>

Date: Sun, 27 May 2012 08:49:45 -0400

I needed to generate a sequence of "random" bytes and, for various reasons I
won't get into here, decided that running AES in CTR mode would be the best
solution.

Background:
https://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Counter_.28CTR.29

The general procedure is described in detail in RFC2686, along with some test
vectors (thanks!) - http://www.ietf.org/rfc/rfc3686.txt - but it wasn't clear
to me how this mapped to the Java Cipher API.

It turns out that you need to do the following:

 - create a cipher instance for AES/CTR/NoPadding
 - create the CTRBLK as described in the RFC
 - initialise the cipher with CTRBLK as the IV
 - encoding blocks of zero bytes then returns the key stream

The two main sources fo confusion are:

 - What the RFC calls the CTRBLK is what Java calls the IV (what RFC calls
   the IV is the central 8 bytes of the Java IV).

 - Java automatically increments CTRBLK on successive calls to update.

And I verified all this by testing against the 128-bit test vectors in the
RFC (that is the ONLY verification made - I have not looked at any source and
I am not an expert at this...).


Here is the equivalent Clojure code (cut+pasted from a more complete module
that I will be releasing soon - you can see the code at
https://github.com/andrewcooke/particl/blob/master/src/cl/parti/random.clj):

(ns cl.parti.random
  (:use (cl.parti utils))
  (:import javax.crypto.Cipher)
  (:import javax.crypto.spec.SecretKeySpec)
  (:import javax.crypto.spec.IvParameterSpec)
  (:import java.security.MessageDigest))


;; Constants for AES in counter mode.

(def ^:private CIPHER "AES")
(def ^:private CIPHER_SPEC (str CIPHER "/CTR/NoPadding"))
(def ^:private BLOCK_SIZE 16)
(def ^:private NONCE_SIZE 4)
(def ^:private IV_SIZE 8)
(def ^:private CTR_SIZE 4)
(def ^:private KEY_SIZE 16)

(def ^:private ^{:doc "The hash used for nonce and IV."} HASH "SHA-1")


;; ## Basic counter mode operation
;;
;; The general approach follows
;; [RFC3686](http://www.faqs.org/rfcs/rfc3686.html), except that Java
;; handles the increment of the counter.

(def ^:private ^{:doc "An array of zeroes; used as the 'plaintext' since we
want to access the key stream."}
  BLANK (byte-array BLOCK_SIZE (byte 0)))

(defn- stream-blocks
  "Run the given cipher, generating a lazy stream of blocks.  The underlying
  Java code increments the counter after each loop, generating a lazy stream
  of blocks."
  [cipher]
  (lazy-seq
    (let [block (.update cipher BLANK)]
      (cons block (stream-blocks cipher)))))

(defn- stream-bytes
  "Convert a stream of blocks to a stream of bytes.

  The first form re-calls with the head block and a zero offset.

  The second form recurses through the available bytes in the block and
  then re-calls with the remaining blocks."
  ([blocks] (stream-bytes (first blocks) 0 (rest blocks)))
  ([block i blocks]
    (lazy-seq
      (if (= i BLOCK_SIZE)
        (stream-bytes blocks)
        (cons (nth block i) (stream-bytes block (inc i) blocks))))))

(defn- init-ctrblk
  "Create a counter block with CTR set to 1 (lsb)."
  [nonce iv]
  (byte-array
    (for [i (range BLOCK_SIZE)]
      (let [j (- i NONCE_SIZE)]
        (cond
          (< i NONCE_SIZE) (nth nonce i)
          (< j IV_SIZE) (nth iv j)
          (not= i (dec BLOCK_SIZE)) (byte 0)
          :else (byte 1))))))

(defn stream-aes-ctr
  "Generate a stream of bytes from the initial data, using AES in counter
  mode.

  This is tested against the three 128-bit test vectors in
  [RFC3686](http://www.faqs.org/rfcs/rfc3686.html) - the bytes returned
  match those expected for the key stream."
  [key nonce iv]
  (let [cipher (Cipher/getInstance CIPHER_SPEC)
        key (SecretKeySpec. key CIPHER)
        ctrblk (init-ctrblk nonce iv)]
    (do (.init cipher Cipher/ENCRYPT_MODE key (IvParameterSpec. ctrblk))
      (stream-bytes (stream-blocks cipher)))))


Andrew

Comment on this post