EAX without a header
philips77 opened this issue · 3 comments
Hi,
The Cifra library produces a different TAG when AES-EAX encoding is used and no Header is set (length is 0 bytes) than the other two sources: an online tool and the Bouncy Castle impl in Java. If the Header is set to any non 0 data they all give the same result. See details below.
I'm encrypting a message using AES-EAX with the following data (all in HEX):
Plain data:
0x00001C400000004800000073
Key:
0x589417B0324B1B71D7A6751852867AE8
Nonce:
0x00010000F683
Header:
0 bytes
I get a correct cipher and, in my opinion, an incorrect TAG.
Cipher:
0xD5D89979AE79EBEE4E385FA5
Tag:
0x46A9F4BE8F4C92659DA6CD12368D8127
When I use the same input data and encrypt them using this: http://artjomb.github.io/cryptojs-extension/ website, or in Java:
```java
try {
    cipher = Cipher.getInstance("AES/EAX/NoPadding", "SC"); // SC = Spongy Castle, an Android variation of Bouncy Castle
    cipher.init(Cipher.ENCRYPT_MODE, keySpec, new GCMParameterSpec(128, nonce));
    ret = cipher.doFinal(toBeEncrypted);
    Log.d("AA2", "Encoded->" + Arrays.toString(ret));
} catch (Exception e) {
    Log.e("AA2", e.getLocalizedMessage());
}
```
I get a different Tag (the same in both cases):
0x0EFB21FAD714A25B44145F79221A2C9A
However, if I set the Header to any(?) non-null data all 3 libraries give the same result:
Plain text, key and nonce as above
Header:
0x0123
Cipher (same as above)
Tag:
0xCCDA2E4E0698E24E0377E3CD3ED61391
Thanks for the report and sorry for the inconvenience. It looks like CMAC and CMAC-used-by-EAX differ in this case: CMAC treats an empty message as not needing padding, CMAC-used-by-EAX treats it as needing padding. That's a massive pain.
In fact, that's not what's happening at all. The CMAC calculation isn't finalised properly if the last block is empty. I'm going to make that misuse fail at runtime, as well as fixing EAX.
Wow, thanks, that was quick!
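An added example, not code from Cifra, Bouncy Castle or anyone in this thread: a from-scratch AES-128-EAX reference in Python for recomputing the two cases in the report. It makes the empty-header case explicit: EAX still runs CMAC over one complete block (the tweak block), so finalisation must use subkey K1 without padding. All function names are this example's own, and the code is not constant-time.

```python
def _xt(a):  # multiply by x in GF(2^8)
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
def _mul(a, b):  # product in GF(2^8), shift-and-add
    return (a if b & 1 else 0) ^ (_mul(_xt(a), b >> 1) if b > 1 else 0)
_inv = lambda a: next((b for b in range(1, 256) if _mul(a, b) == 1), 0)
_rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
SBOX = [v ^ _rot(v, 1) ^ _rot(v, 2) ^ _rot(v, 3) ^ _rot(v, 4) ^ 0x63 for v in map(_inv, range(256))]
_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
def expand(key):  # AES-128 key schedule: 11 round keys of 16 bytes
    w, rc = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rc = t[0] ^ rc, _xt(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[i:i + 4], []) for i in range(0, 44, 4)]
def encrypt_block(rk, block):
    s = _xor(block, rk[0])
    for r in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if r < 10:  # MixColumns
            s = [_xt(s[c + j]) ^ _xt(s[c + (j + 1) % 4]) ^ s[c + (j + 1) % 4]
                 ^ s[c + (j + 2) % 4] ^ s[c + (j + 3) % 4] for c in (0, 4, 8, 12) for j in range(4)]
        s = _xor(s, rk[r])
    return s

def cmac(rk, msg):
    dbl = lambda b: ((int.from_bytes(b, "big") << 1) ^ (0x87 if b[0] & 0x80 else 0)).to_bytes(17, "big")[1:]
    key = dbl(encrypt_block(rk, bytes(16)))  # K1: used when the final block is complete
    cut = (len(msg) - 1) // 16 * 16 if msg else 0
    last, x = msg[cut:], bytes(16)
    if len(last) < 16:  # short or empty final block: 10* padding and subkey K2
        last, key = last + b"\x80" + bytes(15 - len(last)), dbl(key)
    for i in range(0, cut, 16):
        x = encrypt_block(rk, _xor(x, msg[i:i + 16]))
    return encrypt_block(rk, _xor(_xor(x, last), key))
def eax_encrypt(key, nonce, header, plain):
    rk = expand(key)
    # OMAC^t(M) = CMAC([t]_128 || M): an empty header still MACs one complete block (K1 path).
    omac = lambda t, m: cmac(rk, bytes(15) + bytes([t]) + m)
    n, ct = omac(0, nonce), b""
    for i in range(0, len(plain), 16):  # CTR mode, counter starts at OMAC^0(nonce)
        ctr = (int.from_bytes(n, "big") + i // 16) % (1 << 128)
        ct += _xor(plain[i:i + 16], encrypt_block(rk, ctr.to_bytes(16, "big")))
    return ct, _xor(_xor(n, omac(1, header)), omac(2, ct))

KEY, NONCE, PLAIN = map(bytes.fromhex, ("589417B0324B1B71D7A6751852867AE8", "00010000F683", "00001C400000004800000073"))  # from the report
for hdr in (b"", bytes.fromhex("0123")):  # empty header, then header 0x0123
    print(hdr.hex() or "(empty)", *(v.hex().upper() for v in eax_encrypt(KEY, NONCE, hdr, PLAIN)))
```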