First 16 bytes of AES-128 CFB-8 decryption are damaged

Question

I\'ve been working on a project recently that should connect to a server with the help of a protocol. So far so good, but when I combed to decrypt the packages, I quickly notice

Answer 1

EVP_EncryptInit_ex(m_EncryptCTX, EVP_aes_128_cfb8(), nullptr,
    (unsigned char*)sharedSecretKey.c_str(), (unsigned char*)sharedSecretKey.c_str()))

And:

CFB_Mode::Decryption AESDecryptor((byte*)sharedSecret.c_str(),
    (unsigned int)16, sharedSecret.c_str(), 1);

std::string sTarget("");
StringSource ss(data, true, new StreamTransformationFilter(AESDecryptor, new StringSink(sTarget)));

It is not readily apparent, but you need to set feedback size for the mode of operation of the block cipher in Crypto++. The Crypto++ feedback size is 128 by default.

The code to set the feedback size of CFB mode can be found at CFB Mode on the Crypto++ wiki. You want the 3rd or 4th example down the page.

AlgorithmParameters params =
        MakeParameters(Name::FeedbackSize(), 1 /*8-bits*/)
        (Name::IV(), ConstByteArrayParameter(iv));

That is kind of an awkward way to pass parameters. It is documented in the sources files and on the wiki at NameValuePairs. It allows you to pass arbitrary parameters through consistent interfaces. It is powerful once you acquire a taste for it.

And then use params to key the encryptor and decryptor:

CFB_Mode< AES >::Encryption enc;
enc.SetKey( key, key.size(), params );

// CFB mode must not use padding. Specifying
//  a scheme will result in an exception
StringSource ss1( plain, true, 
   new StreamTransformationFilter( enc,
      new StringSink( cipher )
   ) // StreamTransformationFilter      
); // StringSource

I believe your calls would look something like this (if I am parsing the OpenSSL correctly):

const byte* ptr = reinterpret_cast(sharedSecret.c_str());

AlgorithmParameters params =
        MakeParameters(Name::FeedbackSize(), 1 /*8-bits*/)
        (Name::IV(), ConstByteArrayParameter(ptr, 16));

CFB_Mode< AES >::Encryption enc;
enc.SetKey( ptr, 16, params );

---

In your production code you should use unique key and iv. So do something like this using HKDF:

std::string seed(AES_BLOCK_SIZE, '0');
std::generate(seed, seed + AES_BLOCK_SIZE,
    std::bind(&RandomGenerator::GetInt, &m_RNG, 0, 255));

SecByteBlock sharedSecret(32);
const byte usage[] = "Key and IV v1";

HKDF hkdf;
hkdf.DeriveKey(sharedSecret, 32, &seed[0], 16, usage, COUNTOF(usage), nullptr, 0);

AlgorithmParameters params =
        MakeParameters(Name::FeedbackSize(), 1 /*8-bits*/)
        (Name::IV(), ConstByteArrayParameter(sharedSecret+16, 16));

CFB_Mode< AES >::Encryption enc;
enc.SetKey(sharedSecret+0, 0, params);

In the code above, sharedSecret is twice as large as it needs to be. You derive the key and iv from the seed using HDKF. sharedSecret+0 is the 16-byte key, and sharedSecret+16 is the 16-byte iv.