Version 10 of aes

Updated 2009-07-20 17:44:42 by bch

The Advanced Encryption Standard is the U.S. National Institute of Standards and Technology proposed replacement for the DES cipher. See US FIPS PUB 197 [L1 ]

AES is a block cipher once known as Rijndael which supports variable key and block sizes. As part of the NIST standardization the block size in AES is fixed at 128 bits and the permitted key sizes limited to 128, 192 or 256 bits. AES should be used in preference to DES in all new protocol designs.

A pure-Tcl implementation of AES is now included in tcllib and will be present in the 1.8 release.

SLB Using aes 1.0.0 in Tcl 8.5.0 on Windows, there are some quirks to be aware of:

  • Decrypting an invalid string can cause the error 'integer value too large to represent'
  • If you decrypt using -in, the error is still reported even if you wrap a catch around the call, apparently due to use of fileevent in the implementation.
  • One source of invalid data is from encrypting a string whose length is not a multiple of 16 bytes. The documentation does tell you not to do this but if you forget, the encryption apparently succeeds yet fails in this obscure manner when decrypting.

Example:

 package require aes
 set key [string repeat - 16]
 set fullData {MalletData 9 q q q2 22}
 set encryptedData [aes::aes -dir encrypt -key $key $fullData]
 aes::aes -dir decrypt -key $key $encryptedData
 puts $errorInfo

 integer value too large to represent
    while executing
 "binary format I4 $data"
    (procedure "DecryptBlock" line 25)
    invoked from within
 "DecryptBlock $Key $block"
    (procedure "Decrypt" line 10)
    invoked from within
 "Decrypt $Key $data"
    (procedure "aes::aes" line 41)
    invoked from within
 "aes::aes -dir decrypt -key $key $encryptedData"

LV 2008 June 27.

Here's what I get using ActiveTcl 8.5.2 (and teacup update):

 $ tclsh8.5
% package require aes
 set key [string repeat - 16]
 set fullData {MalletData 9 q q q2 22}
 set encryptedData [aes::aes -dir encrypt -key $key $fullData]
 aes::aes -dir decrypt -key $key $encryptedData
 puts $errorInfo
1.0.1
% ----------------
% MalletData 9 q q q2 22
% I9â3òÌH£í<¯CUÜËÚ¤N|úÙdÜp
% MalletData 9 q q q2 22
%

I added aes with critcl

LV Anyone have an example of successfully using this?

It's a bug in aes.tcl. After calling "binary scan binary-array I var", the numbers in var should be converted to unsigned 32-bit integers. You can define a procedure to do this.

        proc ::aes::to_unsigned {data} {
                upvar $data d
                set i 0
                foreach num $d {
                        lset d $i [expr { $num & 0xffffffff }]
                        incr i
                }
        }

There are 5 places to do the convertion, 2 in ::aes::EncryptBlock, 2 in ::aes::DecryptBlock and 1 in ::aes::ExpandKey. You should call to_unsigned after calling of binary scan, like this:

    # original code
    if {[binary scan $block I4 data] != 1} {
        return -code error "invalid block size: blocks must be 16 bytes"
    }
    # bug-fix add here
    to_unsigned data

See also des, blowfish, rc4

Category Cryptography Category Package