AES implementations: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
m Implementation Considerations: cbc has its own redirect anyway
 
(34 intermediate revisions by 27 users not shown)
Line 1: Line 1:
{{Short description|Implementations of Advanced Encryption Standard}}
{{External links|date=July 2024}}
There are various implementations of the [[Advanced Encryption Standard]], also known as Rijndael.


== Libraries ==
[[File:Cbc128192256.jpg|thumb|right|300px|AES speed at 128, 192 and 256-bit key sizes. {{Clarify|date=May 2011|reason=Which machine was used for this benchmark?}}{{citation needed|reason=This graph is unsourced.|date=December 2014}}]]
Rijndael is free for any use public or private, commercial or non-commercial.<ref>[http://csrc.nist.gov/archive/aes/rijndael/rijndael-ip.pdf Letter Submitted by creators Daemen and Rijndael]</ref> The authors of Rijndael used to provide a homepage<ref>[https://web.archive.org/web/20050830051506/http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ Original homepage] and [https://web.archive.org/web/20070503005400/http://homes.esat.kuleuven.be/~rijmen/rijndael/ archived copy]</ref> for the algorithm. Care should be taken when implementing AES in software. Like most encryption algorithms, Rijndael was designed on [[big-endian]] systems. For this reason, [[little-endian]] systems, which include the [[IBM PC compatible|common PC]], return correct test vector results only through swapping bytes of the input and output words.
Rijndael is free for any use public or private, commercial or non-commercial.<ref>[http://csrc.nist.gov/archive/aes/rijndael/rijndael-ip.pdf Letter Submitted by creators Daemen and Rijndael]</ref> The authors of Rijndael used to provide a homepage<ref>[https://web.archive.org/web/20050830051506/http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ Original homepage] and [https://web.archive.org/web/20070503005400/http://homes.esat.kuleuven.be/~rijmen/rijndael/ archived copy]</ref> for the algorithm. Care should be taken when implementing AES in software, in particular around side-channel attacks.


The algorithm operates on plaintext blocks of 16 bytes. Encryption of shorter blocks is possible only by [[padding (cryptography)|padding]] the source bytes, usually with [[null character|null bytes]]. This can be accomplished via several methods, the simplest of which assumes that the final byte of the cipher identifies the number of null bytes of padding added.


=== Implementation Considerations ===
Careful choice must be made in selecting the [[block cipher modes of operation|mode of operation]] of the cipher. The simplest mode encrypts and decrypts each 128-bit block separately. In this mode, called [[electronic code book]] (ECB), blocks that are identical will be encrypted identically; this is entirely insecure. It makes some of the plaintext structure visible in the ciphertext. Selecting other modes, such as using a sequential counter over the block prior to encryption (i.e., CTR mode) and removing it after decryption avoids this problem. Another mode, [[Block_cipher_mode_of_operation#Cipher_Block_Chaining_(CBC)|Cipher Block Chaining (CBC)]] is one of the most commonly used modes of AES due to its use in TLS. CBC uses a random initialization vector (IV) to ensure that distinct ciphertexts are produced even when the same plaintext is encoded multiple times. The IV can be transmitted in the clear without jeopardizing security. A common practice is to prepend the 16 byte IV to the ciphertext, which gives the decrypter easy access to the IV. Care must be taken to use a new IV for every encryption operation, since otherwise an attacker can recover plaintext.
Careful choice must be made in selecting the [[block cipher modes of operation|mode of operation]] of the cipher. The simplest mode encrypts and decrypts each 128-bit block separately. In this mode, called [[electronic code book]] (ECB), blocks that are identical will be encrypted identically; this is entirely insecure. It makes some of the plaintext structure visible in the ciphertext. Selecting other modes, such as using a sequential counter over the block prior to encryption (i.e., CTR mode) and removing it after decryption avoids this problem. Another mode, [[Cipher Block Chaining]] (CBC) is one of the most commonly used modes of AES due to its use in TLS. CBC uses a random initialization vector (IV) to ensure that distinct ciphertexts are produced even when the same plaintext is encoded multiple times. The IV can be transmitted in the clear without jeopardizing security. A common practice is to prepend the 16 byte IV to the ciphertext, which gives the decrypter easy access to the IV. Care must be taken to use a new IV for every encryption operation, since otherwise an attacker can recover plaintext.


* Current list of FIPS 197 validated cryptographic modules (hosted by NIST)
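Review bot: the edit summary only touches the CBC link, but the paragraph it edits still carries two technical errors that should go in the same pass. The CTR description ("using a sequential counter over the block prior to encryption ... and removing it after decryption") is not how CTR works: the cipher encrypts a nonce/counter block and the output is XORed with the plaintext, so the same operation decrypts and no padding is needed. The padding sentence above it conflates zero padding with PKCS#7, whose pad bytes each hold the pad length; "the final byte identifies the number of null bytes" describes neither scheme correctly, and padding only applies to block modes such as CBC in the first place. The CBC guidance is also too weak: the IV must be unpredictable, not merely new (predictable IVs are what BEAST exploited in TLS 1.0), and neither CBC nor CTR authenticates the ciphertext, so a sentence pointing at an authenticated mode or a MAC belongs here. Separately, the removed endianness sentence was wrong (FIPS 197 is specified over bytes, so byte order only matters when an implementation packs bytes into words), so dropping it is right; the replacement would help more if it named the concrete side channel, key-dependent table lookups leaking through the cache, which is why constant-time or AES-NI implementations are preferred.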
Line 20: Line 22:
* [[OpenSSL]]
* [[LibreSSL]]
* [[BoringSSL]]
* [[mbed TLS]] (previously PolarSSL)
* [http://embeddedsw.net/Cipher_Reference_Home.html Reference original implementation]
* [[axTLS]]
* [[Microsoft CryptoAPI]] uses [[Cryptographic Service Provider]]s to offer encryption implementations. The Microsoft AES Cryptographic Provider was introduced in Windows XP and can be used with any version of the Microsoft CryptoAPI.<ref>{{cite web|url=http://msdn.microsoft.com/en-us/library/aa386979(v=VS.85).aspx|title=Microsoft AES Cryptographic Provider}}</ref>
* [[Microsoft CryptoAPI]] uses [[Cryptographic Service Provider]]s to offer encryption implementations. The Microsoft AES Cryptographic Provider was introduced in Windows XP and can be used with any version of the Microsoft CryptoAPI.<ref>{{cite web|url=http://msdn.microsoft.com/en-us/library/aa386979(v=VS.85).aspx|title=Microsoft AES Cryptographic Provider|date=9 July 2021 }}</ref>
* [https://github.com/kokke/tiny-AES-c tiny-AES-c] Small portable AES128/192/256 in C (suitable for embedded systems)
* [[AES-256 (software)|AES-256]] a byte-oriented portable AES-256 implementation in C
* [http://www.literatecode.com/aes256 AES-256] A byte-oriented portable AES-256 implementation in C
* [[Solaris Cryptographic Framework]] offers multiple implementations, with kernel providers for hardware acceleration on [[x86]] (using the Intel [[AES instruction set]]) and on [[SPARC]] (using the SPARC AES instruction set). It is available in [[Solaris (operating system)|Solaris]] and derivatives, as of Solaris 10.<ref>{{cite web|url=http://docs.oracle.com/cd/E19253-01/816-4557/scf-1/index.html|title=System Administration Guide: Security Services, Chapter 13 Solaris Cryptographic Framework (Overview)|date=September 2010|publisher=Oracle|accessdate=2012-11-27}}</ref>
* [[OpenAES]] portable C cryptographic library
Line 31: Line 34:
* [https://umbrella.cisco.com/blog/blog/2013/03/06/announcing-sodium-a-new-cryptographic-library/ libSodium] API for [http://nacl.cr.yp.to/ NaCl]
*[https://github.com/odzhan/aes_dust AES Dust] Compact implementation of AES-128 encryption in C, x86, AMD64, ARM32 and ARM64 assembly.
* [https://e2e.ti.com/cfs-file/__key/communityserver-discussions-components-files/156/slaa397a.pdf MSP430 AES] Implementation for embedded 16-bit microcontroller
* [http://ccgi.gladman.plus.com/oldsite/cryptography_technology/index.php Gladman AES] AES code with optional support for Intel AES NI and VIA ACE by Dr. Brian Gladman.


=== C++ library ===
* [[Botan (programming library)|Botan]] has implemented Rijndael since its very first release in 2001
* [[Crypto++]] A comprehensive C++ public-domain implementation of encryption and hash algorithms. FIPS validated

=== C/CUDA library ===
* [https://gkrypt.com/ gKrypt] has implemented Rijndael on CUDA with its first release in 2012


=== C# /.NET ===
* As of version 3.5 of the [[.NET Framework]], the System.Security.Cryptography namespace contains both a fully managed implementation of AES and a managed wrapper around the [[Cryptographic Application Programming Interface|CAPI]] AES implementation.
* [[Bouncy Castle (cryptography)|Bouncy Castle Crypto Library]]

=== Delphi ===
* Delphi Encryption Compendium [https://github.com/MHumm/DelphiEncryptionCompendium] has a cross platform capable AES implementation, among implementations of various other cryptographic algorithms


=== Go ===
Line 44: Line 55:


=== Java ===
* [[Java Cryptography Extension]], integrated in the [[JRE|Java Runtime Environment]] since version 1.4.2
* [[Java Cryptography Extension]], integrated in the [[Java Runtime Environment]] since version 1.4.2
* [[IAIK]] JCE
* [[Bouncy Castle (cryptography)|Bouncy Castle Crypto Library]]
Line 62: Line 73:
* [[asmCrypto]] – JavaScript implementation of popular cryptographic utilities with focus on performance. Supports CBC, CFB, CCM modes.
* [[pidCrypt]] – open source JavaScript library. Only supports the CBC and CTR modes.

=== Rust ===
* [https://docs.rs/aes/0.7.5/aes/ aes] – Rust implementation.


=== LabVIEW ===
* [https://github.com/IgorTitov/LabVIEW-Advanced-Encryption-Standard AES LabVIEW] – LabVIEW implementation.

=== Zig ===
* [https://ziglang.org/documentation/master/std/#std.crypto.aes std.crypto.aes] - Zig Standard Library. Includes hardware support for AES-NI on x86_64 and ARM AES Extensions on AArch64.


== Applications ==
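Review bot: the new Rust entry pins a specific crate version in its link (docs.rs/aes/0.7.5), so the reference goes stale with every release; link the crate's unversioned docs.rs page instead, and name it as the RustCrypto `aes` crate so a reader can tell it apart from the other AES crates on crates.io. The Zig entry separates the name from its description with a hyphen where the neighbouring entries use an en dash.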
Line 71: Line 88:
*[[7z]]
*[[Advanced Maryland Automatic Network Disk Archiver|Amanda Backup]]
*[[B1 (archive format)|B1]]
*[[PeaZip]]
*[[PKZIP]]
*[[RAR (file format)|RAR]]
*[[WinZip]]
*[[UltraISO]]
*[[UltraISO]]
*[[WinZip]]


=== File encryption ===
* Away RJN Cryptography <ref>https://www.away32.com/spec2AG.html</ref> uses Rijndael Algorithm (NIST AES) 256-bit Data Blocks, Cipher Key and CTR (Counter Mode) for any and all Document or picture encryption in Windows only.
* Away RJN Cryptography <ref>{{Cite web|url=https://www.away32.com/spec2AG.html|title = Untitled 1}}</ref> uses Rijndael Algorithm (NIST AES) 256-bit Data Blocks, Cipher Key and CTR (Counter Mode) for any and all Document or picture encryption in Windows only.
*[[Gpg4win]]
*[[Ncrypt]]
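Review bot: the citation reformatting for Away RJN Cryptography leaves the title as "Untitled 1", which is the page's HTML title placeholder rather than a usable reference title; replace it with a descriptive title. The entry itself is also self-contradictory: "Rijndael Algorithm (NIST AES) 256-bit Data Blocks" cannot both hold, because NIST AES (FIPS 197) fixes the block size at 128 bits and only the original Rijndael proposal allows 256-bit blocks. If the product really uses 256-bit blocks it is running Rijndael-256, not standard AES, and anyone relying on FIPS compatibility should be told so.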
Line 92: Line 110:
* [[GBDE]]
* [[Geli (software)]]
* [[LibreCrypt]]
* [[LibreCrypt]] (discontinued)
* [[LUKS]]
* [[Private Disk]]
* [[TrueCrypt]] (discontinued)
* [[VeraCrypt]]

=== Storage encryption ===
* [[Bloombase]] StoreSafe
* [[Brocade_Communications_Systems|Brocade]] Encryption Switch
* [[IBM]] Encryption Blade
* [[Vormetric]] Transparent Encryption (VTE)


=== Security for communications in local area networks ===
Line 104: Line 128:
=== Miscellaneous ===
* DataLocker Uses AES 256-bit CBC and XTS mode hardware encryption
* [[Get Backup Pro]]<ref>{{Cite web|url=https://www.engadget.com/2014/10/25/get-backup-pro-is-a-solid-backup-utility-for-macs/|title=Get Backup Pro is a solid backup utility for Macs|website=Engadget|access-date=2016-04-26}}</ref> uses AES-128 and AES-256
* [[Get Backup Pro]]<ref>{{Cite web|url=https://www.engadget.com/2014/10/25/get-backup-pro-is-a-solid-backup-utility-for-macs/|title=Get Backup Pro is a solid backup utility for Macs|website=Engadget|date=25 October 2014 |access-date=2016-04-26}}</ref> uses AES-128 and AES-256
* [[GNU Privacy Guard|GPG]], GPL-licensed, includes AES, AES-192, and AES-256 as options.
* [[IPsec]]
Line 113: Line 137:
* [https://netlibsecurity.com/faq/encryption-algorithms-key-lengths-use/ NetLib Encryptionizer] supports AES 128/256 in CBC, ECB and CTR modes for file and folder encryption on the Windows platform.
* [[Pidgin (software)]], has a plugin that allows for AES Encryption
* [[Javascrypt]]<ref>[https://www.fourmilab.ch/javascrypt/] [[Web Browser]], [[fourmilab.ch/javascrypt]]</ref> Free open-source text encryption tool runs entirely in web browser, send encrypted text over insecure e-mail or fax machine.
* [[PyEyeCrypt]]<ref>[https://github.com/mi55ing/PyEyeCrypt PyEyeCrypt at github] [[Microsoft Windows|Windows]], [[OS X|OSX]] and [[Linux]] binaries and [[Python (programming language)|Python]] source code included in release v1.1</ref> Free open-source text encryption tool/GUI with user-selectable AES encryption methods and PBKDF2 iterations.
* [[Signal Protocol]]
** [[Google Allo]] (optional)
** [[Facebook Messenger]] (optional)
** [[Signal (software)|Signal]]
** [[Signal (messaging app)|Signal]]
** [[TextSecure]]
** [[WhatsApp]]
Line 125: Line 150:


== Hardware ==
* [[Intel]] and [[Advanced Micro Devices|AMD]] processors include the [[AES instruction set]].
* [[x86-64]] and [[ARM architecture|ARM]] processors include the [[AES instruction set]].
* On IBM [[zSeries]] mainframes, AES is implemented as the KM series of assembler opcodes when various Message Security Assist facilities are installed.
* [[SPARC]] S3 core processors include the AES instruction set, which is used with [[SPARC T4]] and [[SPARC T5]] systems.
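Review bot: the change from "Intel and AMD processors" to "x86-64 and ARM processors include the AES instruction set" overgeneralizes. AES-NI is an optional CPU feature that software has to detect through CPUID, and the ARMv8 Cryptography Extension is likewise optional, so not every x86-64 or ARM part has the instructions. The line should say these instruction sets are available on most recent processors and that an implementation must detect them at runtime; that matters for security because the fallback path is usually a table-based implementation with the cache-timing exposure the article warns about under Libraries.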

Latest revision as of 02:53, 21 December 2024

There are various implementations of the Advanced Encryption Standard, also known as Rijndael.

Libraries

AES speed at 128, 192 and 256-bit key sizes. [clarification needed][citation needed]

Rijndael is free for any use public or private, commercial or non-commercial.[1] The authors of Rijndael used to provide a homepage[2] for the algorithm. Care should be taken when implementing AES in software, in particular around side-channel attacks: the classic table-driven implementation performs key-dependent memory lookups whose cache footprint leaks timing information to other code on the same machine, so constant-time code (bitsliced or vector-permutation implementations) or hardware instructions such as AES-NI are preferred wherever an attacker may share hardware with the victim.

The algorithm operates on 16-byte blocks regardless of key size. A message whose length is not a multiple of 16 bytes can be encrypted in a block mode such as CBC only after padding. The common scheme, PKCS#7, appends n bytes each with the value n (1 ≤ n ≤ 16), so the decrypter reads the final byte to learn how many bytes to strip; it must reject a value outside that range, or pad bytes that do not all match, and must not let that rejection be distinguishable from any other decryption failure. Padding with null bytes is ambiguous whenever the plaintext itself may end in zero bytes. Stream-like modes such as CTR and GCM need no padding at all, since only the keystream passes through the block cipher.

Implementation Considerations

Careful choice must be made in selecting the mode of operation of the cipher. The simplest mode encrypts and decrypts each 128-bit block separately. In this mode, called electronic code book (ECB), identical plaintext blocks produce identical ciphertext blocks, so the structure of the plaintext shows through the ciphertext; ECB is insecure for anything beyond a single random block. Counter mode (CTR) avoids this by encrypting a nonce combined with a block counter and XORing the result with the plaintext; decryption applies the same operation, and a nonce must never be reused under one key, because two messages encrypted with the same keystream reveal the XOR of their plaintexts. Another mode, Cipher Block Chaining (CBC), is one of the most commonly used modes of AES because of its use in TLS up to version 1.2 (TLS 1.3 removed it in favour of authenticated modes). CBC XORs each plaintext block with the previous ciphertext block, starting from an initialization vector (IV), so that distinct ciphertexts are produced even when the same plaintext is encrypted multiple times. The IV need not be secret and is commonly prepended to the ciphertext, which gives the decrypter easy access to it, but it must be fresh and unpredictable for every encryption operation: a repeated IV reveals whether two messages share a common prefix, and a predictable IV lets an attacker test guesses about the first block (the BEAST attack on TLS 1.0). Neither CBC nor CTR protects integrity; an attacker can flip plaintext bits undetected, and a CBC decrypter that reports padding failures differently from other failures exposes a padding-oracle attack that recovers plaintext. Use an authenticated mode such as GCM, or add a MAC over the IV and ciphertext and verify it before decrypting.
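The padding and mode behaviour described in the two paragraphs above, as an added example that is not part of the article or of any library it lists: a minimal AES-128 encryption written from FIPS 197 (checked against the standard's Appendix C.1 known answer), PKCS#7 padding with a strict unpad, and ECB, CBC with a random prepended IV, and CTR built on top of it. The messages, the choice of key and the 8-byte nonce/8-byte counter split are assumptions made for the demonstration; the S-box is derived at import time rather than hard-coded.

```python
import os

# Added example (not from the article or any library it lists): AES-128 written
# from FIPS 197, PKCS#7 padding, and ECB/CBC/CTR on top of it. The state is a
# flat 16-byte list in input order (byte r + 4*c is row r, column c). The table
# lookups are NOT constant-time: this is the cache side channel the text warns of.

def _gmul(a, b):  # multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _build_sbox():  # multiplicative inverse, then the affine map of FIPS 197 5.1.1
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _expand_key(key):  # 16-byte key -> 11 round keys of 16 bytes each
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _mix_column(a):
    return [_gmul(a[0], 2) ^ _gmul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ _gmul(a[1], 2) ^ _gmul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ _gmul(a[2], 2) ^ _gmul(a[3], 3),
            _gmul(a[0], 3) ^ a[1] ^ a[2] ^ _gmul(a[3], 2)]
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def aes128_encrypt_block(key, block):
    rk = _expand_key(key)
    s = list(_xor(block, rk[0]))
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != 10:                                                       # MixColumns
            s = sum((_mix_column(s[4 * c:4 * c + 4]) for c in range(4)), [])
        s = list(_xor(s, rk[rnd]))                                          # AddRoundKey
    return bytes(s)

def pkcs7_pad(data, bs=16):  # adds 1..bs bytes, each holding the count
    n = bs - len(data) % bs
    return data + bytes([n]) * n

def pkcs7_unpad(data, bs=16):  # strict: a lenient unpad is a padding oracle in waiting
    if not data or len(data) % bs:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= bs or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def ecb_encrypt(key, data):  # included only to show the repetition leak
    p = pkcs7_pad(data)
    return b"".join(aes128_encrypt_block(key, p[i:i + 16]) for i in range(0, len(p), 16))

def cbc_encrypt(key, data, iv=None):
    prev = os.urandom(16) if iv is None else iv  # fresh, unpredictable IV per message
    out, p = bytearray(prev), pkcs7_pad(data)    # IV travels in the clear, prepended
    for i in range(0, len(p), 16):
        prev = aes128_encrypt_block(key, _xor(p[i:i + 16], prev))
        out += prev
    return bytes(out)

def ctr_xor(key, nonce, data):  # one call both encrypts and decrypts; no padding
    out = bytearray()  # block i is keyed by 8-byte nonce || 8-byte big-endian i
    for i in range(0, len(data), 16):
        out += _xor(data[i:i + 16], aes128_encrypt_block(key, nonce + (i // 16).to_bytes(8, "big")))
    return bytes(out)

def demo():
    key = bytes(range(16))            # FIPS 197 Appendix C.1 key, chosen for reproducibility
    kat = aes128_encrypt_block(key, bytes.fromhex("00112233445566778899aabbccddeeff"))
    msg = b"ATTACK AT DAWN!!" * 2    # constructed: two identical 16-byte blocks
    other = b"retreat at dusk." * 2  # constructed second message for the nonce-reuse check
    ecb, nonce = ecb_encrypt(key, msg), os.urandom(8)
    return {
        "kat_ok": kat.hex() == "69c4e0d86a7b0430d8cdb78070b4c55a",          # FIPS 197 C.1 answer
        "ecb_repeats": ecb[:16] == ecb[16:32],                                # equal blocks show
        "cbc_differs": cbc_encrypt(key, msg) != cbc_encrypt(key, msg),        # random IV hides them
        "ctr_roundtrip": ctr_xor(key, nonce, ctr_xor(key, nonce, msg)) == msg,
        "ctr_reuse_leaks": _xor(ctr_xor(key, nonce, msg), ctr_xor(key, nonce, other)) == _xor(msg, other),
    }
```

Calling demo() returns a dictionary of booleans that should all be true: the ECB ciphertext of a repeated block repeats, two CBC encryptions of the same message differ because of the random IV, CTR decrypts with the same call it encrypts with, and CTR under a reused nonce leaks the XOR of the two plaintexts. The S-box lookups are the cache-timing side channel mentioned under Libraries, and none of the modes here authenticates anything, so this code is for understanding the modes, not for deployment.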

  • Current list of FIPS 197 validated cryptographic modules (hosted by NIST)
  • Current list of FIPS 140 validated cryptographic modules with validated AES implementations (hosted by NIST) – Most of these involve a commercial implementation of AES algorithms. Look for "FIPS-approved algorithms" entry in the "Level / Description" column followed by "AES" and then a specific certificate number.

C/ASM library


C++ library

  • Botan has implemented Rijndael since its very first release in 2001
  • Crypto++ A comprehensive C++ public-domain implementation of encryption and hash algorithms. FIPS validated

C/CUDA library

  • gKrypt has implemented Rijndael on CUDA with its first release in 2012

C# /.NET


Delphi

  • Delphi Encryption Compendium [2] has a cross platform capable AES implementation, among implementations of various other cryptographic algorithms

Go


Java


Python

  • PyCrypto – The Python Cryptography Toolkit PyCrypto, extended in PyCryptoDome
  • keyczar – Cryptography Toolkit keyczar
  • M2Crypto – M2Crypto is the most complete OpenSSL wrapper for Python.
  • Cryptography – Python library which exposes cryptographic recipes and primitives.
  • PyNaCl – Python binding for libSodium (NaCl)

JavaScript

  • SJCL library – contains JavaScript implementations of AES in CCM, CBC, OCB and GCM modes
  • AES-JS – portable JavaScript implementation of AES ECB and CTR modes
  • Forge – JavaScript implementations of AES in CBC, CTR, OFB, CFB, and GCM modes
  • asmCrypto – JavaScript implementation of popular cryptographic utilities with focus on performance. Supports CBC, CFB, CCM modes.
  • pidCrypt – open source JavaScript library. Only supports the CBC and CTR modes.

Rust

  • aes – Rust implementation.

LabVIEW


Zig

  • std.crypto.aes - Zig Standard Library. Includes hardware support for AES-NI on x86_64 and ARM AES Extensions on AArch64.

Applications


Archive and compression tools


File encryption

  • Away RJN Cryptography [5] uses Rijndael Algorithm (NIST AES) 256-bit Data Blocks, Cipher Key and CTR (Counter Mode) for any and all Document or picture encryption in Windows only.
  • Gpg4win
  • Ncrypt

Encrypting file systems


Disk / partition encryption


Storage encryption


Security for communications in local area networks


Miscellaneous


Hardware

  • x86-64 and ARM processors include the AES instruction set.
  • On IBM zSeries mainframes, AES is implemented as the KM series of assembler opcodes when various Message Security Assist facilities are installed.
  • SPARC S3 core processors include the AES instruction set, which is used with SPARC T4 and SPARC T5 systems.

References

  1. Letter submitted by the creators, Daemen and Rijmen (NIST archive)
  2. Original homepage and archived copy
  3. "Microsoft AES Cryptographic Provider". 9 July 2021.
  4. "System Administration Guide: Security Services, Chapter 13 Solaris Cryptographic Framework (Overview)". Oracle. September 2010. Retrieved 2012-11-27.
  5. "Untitled 1".
  6. "Get Backup Pro is a solid backup utility for Macs". Engadget. 25 October 2014. Retrieved 2016-04-26.
  7. AES 256-bit encryption with routinely-increased PBKDF2 iterations
  8. Javascrypt, fourmilab.ch/javascrypt (runs in a web browser)
  9. PyEyeCrypt at github. Windows, OSX and Linux binaries and Python source code included in release v1.1