usnistgov / ACVP-Server

A repository tracking releases of NIST's ACVP server. See www.github.com/usnistgov/ACVP for the protocol.

AES XTS multi-dataUnit incorrect results from ACVP Server #241

Closed KCWhitfield closed 1 year ago

KCWhitfield commented 1 year ago

environment: Demo

testSessionId: 355294

vsId: 1426828

Algorithm registration:

    {
      "algorithm": "ACVP-AES-XTS",
      "revision": "2.0",
      "direction": [ "encrypt", "decrypt" ],
      "keyLen": [ 128, 256 ],
      "payloadLen": [ { "max": 65536, "min": 256, "increment": 256 } ],
      "tweakMode": [ "number" ],
      "dataUnitLenMatchesPayload": false,
      "dataUnitLen": [ 4096 ]
    }

Endpoint in which the error is experienced: https://demo.acvts.nist.gov:443/acvp/v1/testSessions/355294/vectorSets/1426828 GET

Expected behavior: For AES-XTS, the ciphertext of the second dataUnit should match that obtained by encrypting the plaintext's second dataUnit with a sequenceNumber advanced by one. In tcId 31, with sequenceNumber=133/85000000000000000000000000000000, the advanced tweak value should be 134/86000000000000000000000000000000.

The expected results provided by the ACVP server contain second dataUnit ciphertext that appears to correspond to a tweak value of 85000000000000000000000000000001.

Additional context: Ref the BitString constructor in https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/src/common/src/NIST.CVP.ACVTS.Libraries.Math/BitString.cs:

    /// The MSB hexadecimal string
    public BitString(string hexMSB, int bitLength = -1, bool truncateBitsFromEndOfLastByte = true)
    {
        . . .
        if (bitLength < 0)
        {
            _bits = Helper.MostSignificantByteArrayToLeastSignificantBitArray(bytesInMSB);
        }
        . . .
    }

Also ref https://github.com/usnistgov/ACVP-Server/blob/master/gen-val/src/crypto/test/NIST.CVP.ACVTS.Libraries.Crypto.AES_XTS.Tests/AesXtsTests.cs:

    [TestCase(149, "95000000000000000000000000000000")]
    [TestCase(49, "31000000000000000000000000000000")]
    public void ShouldComputeProperIValueFromInteger(int dataUnitSeqNumber, string hex)
    {
        . . .
    }

livebe01 commented 1 year ago

Apologies for the slow response on this. We're looking into this and will get back to you.

-Ben

EH-Acumen commented 1 year ago

Has any progress been made on this issue? This affects one of my customers.

KCWhitfield commented 1 year ago

A stand-alone test case demonstrating the issue, affording others a means of reproduction:

Test Case:

    {
      "tcId": 52,
      "key": "84765DB1FF4078A2185ED357BFAEC98F50E577E4A700C444BBFD53F55F6D7F3D",
      "dataUnitLen": 4096,
      "payloadLen": 5632,
      "pt": "<plaintext hex not preserved in this copy>",
      "sequenceNumber": 16
    }

Results obtained:

    {
      "tcId": 52,
      "ct": "<ciphertext hex not preserved in this copy>"
    }

ACVP Server expected results:

    {
      "tcId": 52,
      "ct": "<ciphertext hex not preserved in this copy>"
    }

The obtained and expected results differ, beginning at Data Unit #2:

# Match through Data Unit #1. Line-break at diff.
"ct": "<Data Unit #1 not preserved in this copy; it matches Data Unit #1 of the expected result below>
989EBA21087AE89DCA4B12D396447534A97D82E2AF4BF203AE69A1D7F6A29C9C74ED01B5EFDE4DD052C038A32717197A430EEAF2B52AAEF45F6983FB5AFE5C8B879E0F6920C212F215BC2C70036C43A1977404EE6E1B7753AF33FFFD2249EA633CD7D3110A456C4933D6ED81EBBBE8607B84FB2F8906C08161F927CC08DD0DC68179E04EA5A367131200F65F7BCBDD3187D8B75B25F8A40FB9A160571ACE7B637CAB157EDC9CD9DF1F71E5C4338A1EA15B470F4EF798BE973BA2C28DBA472467"
"ct": "A85FE4BC312F81E4ADCAC928184B070E95602890E93DF0A39C06076AE32665D25DBE1E5CC3DBAEB118E301C1DB403CB6BCA5F957E699230E2CFAF2160F906035C459253809A6ACD3ACA91CA2452FF5029C8062E0F6B5B28FA713D20D9CD5C74A7C987AA9DBBAE5D85E7F6E0D0BFD24133CB39FDAE1F2896E0FB3569D8F135A97A1DB5F55FB6A1B6ACDCB122A32198DF61AA0CEBAEF626AAAF22F2312C07E8DC6AC4C47F63E48F3310F2354F166C1914B5916464241DE153F3FE3278998EF63A77CF5FCF7EF4A23A31C8C48D88EA7F12A3C2C9B30A34F9C8F2D8284580FB08589277A8E1214D04F099A9782709BACA58CC70FFA1A2D562F327C4177A6C8ED43278586EC09D86BFC799CF96BC98D42F742B6C1C060450B3DAAFD097D49E0E505DB7830ABEF0AA3EB9531DC017A13173C6C2F8FA018C4B1CA152FF48DEFFB7E99814642196EB570AB9C9ED33917EF443F6CE5863D48D77C6E22EFFD8F3476512139D161B1CC6D53C49E03407E3BAC9E68B67E870EA1A750F773EB19240F7FE2EA7850C83D24A4B1345CE968631C7B95163A3961C8004AEAAD39DFE7FCAB8BC5096E392DB0C8E94E49557F06AD1857C59890619E801B4EA66EE987E2C4503279DDDCE1083D2DC98C21E5321EB7B4D6B624A99D0A292042D3D78C870F5A6BDF382F9976B69A68305FA9B49EF09BC0081889459C73881B88EC5AF2042A3C069B7868C6
C9A77E6F646C267F2EF3ABF4339D4D1B92322F91F0D00D7FCA98B2AAC6047A1E73E50197FE275051E665EBF83A6BE63837D31161C33C500275DA4E628E006B5C250966D75D3675F64DDF927A5271581A1F541E174E620A6C72A06E794F4A5D68BDFB4361F01061DB4373A1CB4B99460E7ABDD12F5E75D66B2EF3787F9DFA22C41C32CEBFF66F84C00C10E6A05C2A1FFBA9B979A078EA6B9D80FE38D044BCEC8D876C77B8756C440B8C7983CD8C460B888F7556106C406835794407E1395B8D4A"

Encryption of Data Unit #2 with a correctly advanced sequence number reproduces the obtained results:

centeval:~# /tftpboot/kwhitfield_eval/tests/aes-xts  84765DB1FF4078A2185ED357BFAEC98F50E577E4A700C444BBFD53F55F6D7F3D 11000000000000000000000000000000 7C2E45AFC9F034786EDFC163A448C6DEAD4569FC13FF5A0A1C8EFC7E06EE1DB1C19E701DC02B6124AE0413A48468E4E4A295138D6581ACED4B05DA2B14E37D818446CB892C6873C0D3CE7EC0EDA60FF7B91161846FA2F88D289D8633EB34F22DC4004B945F9EF5041982305D0FD48BD139C66007104281D0DB2B27226D8C43032B8D94787848BD191872C6F073D3B84FBFF3C02F381EBB5978C4DD1DB80D76DF73A331C7244AC5F9F59825CB9BF994B848DF2FE36CB7A65D55B9C23D42B3B23D
cipher: EVP_aes_128_xts
ciphertext:     989EBA21087AE89DCA4B12D396447534A97D82E2AF4BF203AE69A1D7F6A29C9C74ED01B5EFDE4DD052C038A32717197A430EEAF2B52AAEF45F6983FB5AFE5C8B879E0F6920C212F215BC2C70036C43A1977404EE6E1B7753AF33FFFD2249EA633CD7D3110A456C4933D6ED81EBBBE8607B84FB2F8906C08161F927CC08DD0DC68179E04EA5A367131200F65F7BCBDD3187D8B75B25F8A40FB9A160571ACE7B637CAB157EDC9CD9DF1F71E5C4338A1EA15B470F4EF798BE973BA2C28DBA472467

Encryption of Data Unit #2 with an incorrectly advanced sequence number reproduces the ACVP Server expected results:

centeval:~# /tftpboot/kwhitfield_eval/tests/aes-xts  84765DB1FF4078A2185ED357BFAEC98F50E577E4A700C444BBFD53F55F6D7F3D 10000000000000000000000000000001 7C2E45AFC9F034786EDFC163A448C6DEAD4569FC13FF5A0A1C8EFC7E06EE1DB1C19E701DC02B6124AE0413A48468E4E4A295138D6581ACED4B05DA2B14E37D818446CB892C6873C0D3CE7EC0EDA60FF7B91161846FA2F88D289D8633EB34F22DC4004B945F9EF5041982305D0FD48BD139C66007104281D0DB2B27226D8C43032B8D94787848BD191872C6F073D3B84FBFF3C02F381EBB5978C4DD1DB80D76DF73A331C7244AC5F9F59825CB9BF994B848DF2FE36CB7A65D55B9C23D42B3B23D
cipher: EVP_aes_128_xts
ciphertext:     C9A77E6F646C267F2EF3ABF4339D4D1B92322F91F0D00D7FCA98B2AAC6047A1E73E50197FE275051E665EBF83A6BE63837D31161C33C500275DA4E628E006B5C250966D75D3675F64DDF927A5271581A1F541E174E620A6C72A06E794F4A5D68BDFB4361F01061DB4373A1CB4B99460E7ABDD12F5E75D66B2EF3787F9DFA22C41C32CEBFF66F84C00C10E6A05C2A1FFBA9B979A078EA6B9D80FE38D044BCEC8D876C77B8756C440B8C7983CD8C460B888F7556106C406835794407E1395B8D4A
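
Worked example of the tweak handling discussed in the original report and in the reproduction above (added here; this is neither ACVP-Server code nor the reporter's tool). It derives the 128-bit XTS tweak from a data unit sequence number as a little-endian byte string, advances it correctly and in the incorrect big-endian way the server's results corresponded to, and splits a multi-data-unit payload into (tweak, chunk) pairs, including the short final unit that a 5632-bit payload leaves with a 4096-bit dataUnitLen. Function names are my own.

```python
# Added example, not ACVP-Server code: AES-XTS data unit tweak derivation
# and advancement (IEEE 1619 / SP 800-38E), plus the incorrect advancement
# that explains the server's expected ciphertext for Data Unit #2.
from typing import Callable, Iterator, Tuple

TWEAK_LEN = 16  # the XTS tweak value i is 128 bits


def tweak_from_sequence_number(seq: int) -> bytes:
    """The data unit sequence number becomes the tweak as a little-endian
    byte string, so seq=133 gives 0x85 followed by fifteen zero bytes."""
    if not 0 <= seq < 1 << 128:
        raise ValueError("sequence number must fit in 128 bits")
    return seq.to_bytes(TWEAK_LEN, "little")


def advance_tweak(tweak: bytes) -> bytes:
    """Correct: the next data unit uses sequence number + 1 (little-endian)."""
    return tweak_from_sequence_number(int.from_bytes(tweak, "little") + 1)


def advance_tweak_big_endian(tweak: bytes) -> bytes:
    """Incorrect: treats the MSB-first hex string as an integer and adds one,
    producing 85..00 -> 85..01 instead of 86..00 (the behaviour observed)."""
    seq = int.from_bytes(tweak, "big")
    return ((seq + 1) % (1 << 128)).to_bytes(TWEAK_LEN, "big")


def data_units(payload: bytes, data_unit_len_bits: int, first_seq: int,
               advance: Callable[[bytes], bytes] = advance_tweak
               ) -> Iterator[Tuple[str, bytes]]:
    """Split a payload (dataUnitLenMatchesPayload=false) into (tweak hex,
    chunk) pairs, one per data unit. The last chunk may be shorter than a
    full data unit; e.g. payloadLen 5632 with dataUnitLen 4096 leaves 1536
    bits for Data Unit #2, which XTS handles with ciphertext stealing."""
    unit = data_unit_len_bits // 8
    tweak = tweak_from_sequence_number(first_seq)
    for off in range(0, len(payload), unit):
        yield tweak.hex().upper(), payload[off:off + unit]
        tweak = advance(tweak)
```

Pass `advance=advance_tweak_big_endian` to `data_units` to see the tweak the server's results corresponded to for the second unit.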

livebe01 commented 1 year ago

Thanks @KCWhitfield @EH-Acumen, we have someone looking at this.

livebe01 commented 1 year ago

Thanks @KCWhitfield for reporting this. We've confirmed the issue and have prepared a fix. The fix for this will be included in our next release and we will update this ticket as soon as that release is deployed to ACVTS Demo.

livebe01 commented 1 year ago

Hi @KCWhitfield, I was just looking through our open tickets and noticed that this was still open. The fix for this actually went to demo on 2023-7-13 and is currently on prod as part of the v1.1.0.30 release. I apologize for just noticing this. Please let us know if you have any further issues with the algorithm.