Question regarding AES-128 XTS and partial encryption and decryption.

[tingmwu]

I'm beginning to learn the ropes around encryption/decryption in general so apologies in advance if this is a silly question.

For AES-XTS encryption, I want to perform segmented input calculations on the data, but it has a problem.
this is my code

#include <openssl/evp.h>
#include <openssl/rand.h>
#include <stdio.h>
#include <string.h>

void handleErrors(void)
{
    ERR_print_errors_fp(stderr);
    abort();
}

int sca_aes_xts_encrypt(const uint8_t *key, size_t klen, uint8_t *iv, const uint8_t *text, size_t len, uint8_t *out) {
    EVP_CIPHER_CTX *ctx;

    size_t ciphertext_len;

    if(!(ctx = EVP_CIPHER_CTX_new()))
            handleErrors();

    if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_128_xts(), NULL, NULL, NULL))
            handleErrors();

    if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_KEY_LENGTH, klen, NULL))
            handleErrors();

    if(1 != EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
            handleErrors();

    // if(1 != EVP_EncryptUpdate(ctx, out, &len, text, len))
    //         handleErrors();
    int block_size = 16;

    for(int i = 0; i < len; i += block_size) {
        int cipher_len = (len - i) >= block_size ? block_size : (len - i);
        if(1 != EVP_EncryptUpdate(ctx, out + i, &cipher_len, text + i, cipher_len))
            handleErrors();
    }

    ciphertext_len = len;
    if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len))
            handleErrors();
    ciphertext_len += len;

    return ciphertext_len;
}

The calculation result of the entire data is correct, but the result after segmentation using EVP_EncryptUpdate is wrong. Any help appreciated. Thank you.

[t8m]

The XTS implementation in OpenSSL does not support streaming. That is there must only be one EVP_EncryptUpdate() call per EVP_EncryptInit_ex() call (and similarly with the "Decrypt" functions).

[t8m]

I've raised a PR #23028 to improve the documentation.

[tingmwu]

ok, thank you.
By the way, does the GCM implementation in OpenSSL support streaming?
refer to this link: https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption

    /*
    * Provide the message to be encrypted, and obtain the encrypted output.
     * EVP_EncryptUpdate can be called multiple times if necessary
     */
    if(1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len))
        handleErrors();

I try this just like my xts code, but the result is wrong.

[slontis]

There is an example in demos/cipher/aesgcm.c

[slontis]

There is a stream update function, but it only works on the blocksize...
You would only use a partial block on the final update call.
See https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS for a ref to why this is so (The CipherText Stealing can only happen on the last block).

[tingmwu]

Thank you, I get it.

[Mohammed-Latreche18]

Hello, i'm working on a software emulation for XTS mode using openSSL, so i should reproduce Hardware behavior, i have some questions, if u can help me

XTS mode have 3 phases in our IP:

1. TWEAK ENCRIPTION:
   here i receive the iv (tweak) and tweak_key
   i khnow that in this phase i should create the context, but i dont know what to do else

2. INIT:
   here i receive key_data (second key) and the input
   here i should do the init operation, but i don't know what key to use tweak or data one

3. Update:
   here i do the update

we know that in XTS mode we have two keys, but why i see in your implementation just one (or u combined them in one key ?)

[Mohammed-Latreche18]

Thank you i understand,

final question, should i do init before each update ?

[t8m]

Yes, XTS cannot do streaming. You can keep key as NULL if you're using the same key, but there will have to be a new IV.

[Mohammed-Latreche18]

Ok, but how can i get this new iv, because the driver keeps giving me the same iv as init and tweak enc operation ?
and for the first init should i put the iv or not, because i see in some implementations, they don't pass it as argument at the first init ,but they pass it within the init before update
thank you for youre responses

[slontis]

The reason for multiple init calls is normally because you want to control the order of operations.
You might have noticed that the EVP_CipherInit related functions dont pass the length of the key or iv (it just uses default values for these), If you are happy with the defaults then only one init call is needed. If you needed to change what the defaults are you would init with NULLS to create an object e.g. EVP_EncryptInit_ex2(ctx, cipher, NULL, NULL, params) and pass the 'params' you want to set here. The second call that passes the iv could then use this non default value for the ivlen.

[Mohammed-Latreche18]

Thank you for your response

[slontis]

I recommend reading https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS so that you understand what the algorithm does.

[Mohammed-Latreche18]

I've seen the documentation, thank you. I understand now that I need to recalculate the new IV with modular multiplication before every update iteration. I will use the init operation to set the new IV and then perform the update. It seems that OpenSSL does not handle this internally. is this right ?

[slontis]

Not sure you should be doing the modular multiply..
Have a look at CRYPTO_xts128_encrypt()