000018774 - Why are there so many AIs for AES? Which one do I use?

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000018774
Applies ToRSA BSAFE Crypto-C 5.2 and later versions
AES (Advanced Encryption Standard)
AES allows for different key lengths.  There are several flavors of AIs (Crypto-C algorithm identifiers) which deal with AES.  All specify a feedback mode, some have key sizes associated with it, and some deal with setting an algorithm object with a BER-encoded algorithm identifier or getting the BER-encoded algorithm identifiers from the algorithm object.
IssueWhy are there so many AIs for AES? Which one do I use?
ResolutionThe algorithm OID (object identifier) is dependent on which size key is being used.  Therefore, if you want to obtain the OID for a given algorithm, then you need to use an AI that contains the number in it.  For example AI_AES128_CBCPad.  Note that these AIs have corresponding BER AIs - in this case AI_AES128_CBCPadBER.

To get a BER-encoded algorithm identifer from an algorithm object, you would need to do the following:

B_ALGORITHM_OBJ algObj = NULL;
unsigned char initVector[16];
ITEM *algId = NULL;

status = B_CreateAlgorithmObject (&algObj);
if (status != 0)
 goto CLEANUP;

status = B_SetAlgorithmInfo (algObj, AI_AES128_CBCPad, (POINTER)initVector);
if (status != 0)
 goto CLEANUP;

status = B_GetAlgorithmInfo ((POINTER *)&algId, algObj, AI_AES128_CBCPadBER);
if (status != 0)
 goto CLEANUP;

Another reason for using the AIs that correspond to given key sizes is that it is easy to validate that you are using a given key size.

The main reason for using an AI that doesn't correspond to a given key size (i.e. AI_AES_CBC, AI_AES_CFB, etc.) is that the code does not have to change to accommodate a different key size.  If your algorithm key size is going to vary, this is what you would want to use.

You can also use AI_FeedbackCipher with "aes" as the B_BLK_CIPHER_W_FEEDBACK_PARAMS.encryptionMethodName.
Legacy Article IDa3366

Attachments

    Outcomes