8-bit cfb-mode support (CFB8), versus only 128-bit (CFB128)

[iceiix]

Hi thanks for making the cfb-mode crate, think it will work well for my purposes, so I started converting from openssl, however, I'm seeing different decryption output after the first call as compared to openssl. Reduced to this example:

extern crate aes;
extern crate cfb_mode;

use aes::Aes128;
use cfb_mode::Cfb; 

type Aes128Cfb = Cfb<Aes128>;

fn main() {
    let key = &[17, 72, 215, 19, 142, 61, 79, 230, 54, 89, 66, 160, 184, 156, 232, 31];

    let mut cipher = Aes128Cfb::new_var(key, key).unwrap();
    let mut data = [130];

    cipher.decrypt(&mut data);
    println!("decrypted = {:?}", data);

    let mut data2 = [238, 158, 146];
    cipher.decrypt(&mut data2);
    println!("decrypted2 = {:?}", data2);
}

and for ease of comparison (although I also see the correct output with the openssl 0.7.8 crate), this Python script using PyCrypto decrypting the same data:

from Crypto.Cipher import AES

key=b'\x11H\xd7\x13\x8e=O\xe66YB\xa0\xb8\x9c\xe8\x1f'
iv=key

cipher=AES.new(key, AES.MODE_CFB, iv, segment_size=8)
print "decrypted =",map(ord, cipher.decrypt("\x82")) # expect [3]
print "decrypted2 =",map(ord, cipher.decrypt("\xee\x9e\x92")) # expect [3, 128, 2]

Python (and OpenSSL) decrypts to what I expect:

decrypted = [3]
decrypted2 = [3, 128, 2]

Rust with cfb-mode decrypts the first time ok, but then the second decrypted2 result is different:

decrypted = [3]
decrypted2 = [210, 218, 215]

[iceiix]

Found these test vectors: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf F.3.8 CFB8-AES128.Decrypt (8-bit CFB)

Example in Python:

from Crypto.Cipher import AES

key="2b7e151628aed2a6abf7158809cf4f3c".decode("hex")
iv="000102030405060708090a0b0c0d0e0f".decode("hex")

cipher=AES.new(key, AES.MODE_CFB, iv, segment_size=8)
decrypted=cipher.decrypt("3b79424c9c0dd436bace9e0ed4586a4f32b9".decode("hex"))
print "decrypted = ",decrypted.encode("hex")
print "expected  = ","6bc1bee22e409f96e93d7e117393172aae2d"

Rust:

use aes::Aes128;
use cfb_mode::Cfb;

type Aes128Cfb = Cfb<Aes128>;

fn main() {
    let key = hex!("2b7e151628aed2a6abf7158809cf4f3c");
    let iv = hex!("000102030405060708090a0b0c0d0e0f");
    let mut cipher = Aes128Cfb::new_var(&key, &iv).unwrap();

    let mut data = hex!("3b79424c9c0dd436bace9e0ed4586a4f32b9");
    cipher.decrypt(&mut data);
    println!("decrypted = {:?}", data);

    let expected = hex!("6bc1bee22e409f96e93d7e117393172aae2d");
    println!("expected  = {:?}", expected);
}

output:

decrypted = [107, 135, 37, 128, 5, 96, 230, 128, 96, 199, 169, 231, 79, 247, 134, 47, 174, 70]
expected  = [107, 193, 190, 226, 46, 64, 159, 150, 233, 61, 126, 17, 115, 147, 23, 42, 174, 45]

[newpavlov]

cfb-mode currently implements CFB which XORs with full blocks (i.e. for AES it's CFB128). It's successfully passes CFB128 tests from the recommendations. Do you need CFB8 for compatibility reasons? Because they only differ in the rate of error recovery, while performance is significantly worse.

It shouldn't be that difficult to add CFB8, but I will be able to work on it probably only on this weekend,

[iceiix]

Yes I'm porting a client where the server uses CFB8 for some reason. Appreciate your work on this

[iceiix]

How would this be implemented? Should Cfb be generic over the block size (Cfb<8>, Cfb<128>, can you do that in Rust?) Or separate classes? (Cfb8, Cfb128, etc.)

[newpavlov]

Sorry for the delay!

I've published cfb8 crate. Feel free to open new issues if you'll have any problems with RustCrypto crates or will need additional primitives!

[iceiix]

Thanks! Ported my code over to use cfb8, works great.