search

pyca / cryptography

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
https://cryptography.io
Other
6.59k stars 1.51k forks source link

AES-SIV does not accept empty plaintext. #10958

Open bleichenbacher-daniel opened 4 months ago

bleichenbacher-daniel commented 4 months ago

This issue is possibly related to #10808, which observes a similar behavior for AES-GCM-SIV.

I'm using python version 3.12.3 and cryptography version 42.0.5

The following code

from cryptography.hazmat.primitives.ciphers import aead
import cryptography
import sys

def test_empty_pt():
    key = bytes(range(32))
    nonce = bytes(range(12))
    pt = b""
    aads = [b"row1", b"col2", b"timestamp"]
    crypter = aead.AESSIV(key)
    ct = crypter.encrypt(pt, aads)

if __name__ == "__main__":
    print(f"{sys.version=}")
    print(f"{cryptography.__version__=}")
    test_empty_pt()

gives the following result:

sys.version='3.12.3 (tags/v3.12.3:f6650f9, Apr 9 2024, 14:05:25) [MSC v.1938 64 bit (AMD64)]' cryptography.version='42.0.5' Traceback (most recent call last): File ".../aes_siv_test.py", line 16, in test_empty_pt() File ".../aes_siv_test.py", line 11, in test_empty_pt ct = crypter.encrypt(pt, aads) ValueError: data must not be zero length

The only restriction I could find is RFC 5297, section 6, where there is a lower bound of 1 byte for the nonce, when AES-SIV is being used as AEAD. However, AES-SIV is useful in many contexts, e.g., deterministically encrypting cells in a database using row and column as AAD. For such uses it would be helpful if all fields can be empty.

alex commented 4 months ago

Without being at a computer to test, this almost certainly is for the same reason -- n Limitations in OpenSSL

On Tue, May 7, 2024, 2:03 PM bleichenbacher-daniel @.***> wrote:

This issue is possibly related to #10808 https://github.com/pyca/cryptography/issues/10808, which observes a similar behavior for AES-GCM-SIV.

I'm using python version 3.12.3 and cryptography version 42.0.5

The following code

from cryptography.hazmat.primitives.ciphers import aead import cryptography import sys

def test_empty_pt(): key = bytes(range(32)) nonce = bytes(range(12)) pt = b"" aads = [b"row1", b"col2", b"timestamp"] crypter = aead.AESSIV(key) ct = crypter.encrypt(pt, aads)

if name == "main": print(f"{sys.version=}") print(f"{cryptography.version=}") test_empty_pt()

gives the following result:

sys.version='3.12.3 (tags/v3.12.3:f6650f9, Apr 9 2024, 14:05:25) [MSC v.1938 64 bit (AMD64)]' cryptography.version='42.0.5' Traceback (most recent call last): File ".../aes_siv_test.py", line 16, in test_empty_pt() File ".../aes_siv_test.py", line 11, in test_empty_pt ct = crypter.encrypt(pt, aads) ValueError: data must not be zero length

The only restriction I could find is RFC 5297, section 6, where there is a lower bound of 1 byte for the nonce, when AES-SIV is being used as AEAD. However, AES-SIV is useful in many contexts, e.g., deterministically encrypting cells in a database using row and column as AAD. For such uses it would be helpful if all fields can be empty.

— Reply to this email directly, view it on GitHub https://github.com/pyca/cryptography/issues/10958, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAAAGBDMFSUFJHDMLCESKQLZBEJOZAVCNFSM6AAAAABHLPMXPOVHI2DSMVQWIX3LMV43ASLTON2WKOZSGI4DGOJTGI4TGNQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

alex commented 2 months ago

Note: Someone should file an upstream bug with OpenSSL for this.