The '''Advanced Encryption Standard''' is the U.S. National Institute of Standards and Technology proposed replacement for the [DES] cipher. See US FIPS PUB 197 [http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf] AES is a block cipher once known as Rijndael which supports variable key and block sizes. As part of the NIST standardization the block size in AES is fixed at 128 bits and the permitted key sizes limited to 128, 192 or 256 bits. AES should be used in preference to DES in all new protocol designs. A pure-Tcl implementation of AES is now included in [tcllib] and will be present in the 1.8 release. ---- [SLB] Using aes 1.0.0 in Tcl 8.5.0 on Windows, there are some quirks to be aware of: * Derypting an invalid string can cause the error 'integer value too large to represent' * If you decrypt using -in, the error is still reported even if you wrap a catch around the call, apparently due to use of fileevent in the implementation. * One source of invalid data is from encrypting a string whose length is not a multiple of 16 bytes. The documentation does tell you not to do this but if you forget, the encryption apparently succeeds yet fails in this obscure manner when decrypting. Example: package require aes set key [string repeat - 16] set fullData {MalletData 9 q q q2 22} set encryptedData [aes::aes -dir encrypt -key $key $fullData] aes::aes -dir decrypt -key $key $encryptedData puts $errorInfo integer value too large to represent while executing "binary format I4 $data" (procedure "DecryptBlock" line 25) invoked from within "DecryptBlock $Key $block" (procedure "Decrypt" line 10) invoked from within "Decrypt $Key $data" (procedure "aes::aes" line 41) invoked from within "aes::aes -dir decrypt -key $key $encryptedData" ---- [LV] 2008 June 27. Here's what I get using ActiveTcl 8.5.2 (and teacup update): ====== $ tclsh8.5 % package require aes set key [string repeat - 16] set fullData {MalletData 9 q q q2 22} set encryptedData [aes::aes -dir encrypt -key $key $fullData] aes::aes -dir decrypt -key $key $encryptedData puts $errorInfo 1.0.1 % ---------------- % MalletData 9 q q q2 22 % I9â3òÌH£í<¯CUÜËÚ¤N|úÙdÜp % MalletData 9 q q q2 22 % ====== ---- I added [aes with critcl] ---- [LV] Anyone have an example of successfully using this? ---- It's a bug in aes.tcl. After calling "binary scan binary-array I var", the numbers in var should be converted to unsigned 32-bit integers. You can define a procedure to do this. proc ::aes::to_unsigned {data} { upvar $data d set i 0 foreach num $d { lset d $i [expr { $num & 0xffffffff }] incr i } } There are 5 places to do the convertion, 2 in ::aes::EncryptBlock, 2 in ::aes::DecryptBlock and 1 in ::aes::ExpandKey. You should call to_unsigned after calling of binary scan, like this: # original code if {[binary scan $block I4 data] != 1} { return -code error "invalid block size: blocks must be 16 bytes" } # bug-fix add here to_unsigned data ---- See also [des], [blowfish], [rc4] ---- !!!!!! %| [Category Cryptography] | [Category Package] |% !!!!!!