From: Noob on
Globemaker wrote:

> Please recommend where I can download an AES program with the
> following attributes:
> 1 The program should allow me to enter the key, not a passphrase.
> 2 It should be free
> 3 For Windows XP
> 4 The ciphertext must have the same number of bytes as the plaintext
> that is padded to 128 bit blocks
> 5 The ciphertext must succeed in one test vector from NIST for
> Electronic Code Book mode
> KEY = 00000000000000000000000000000000
> PLAINTEXT = 80000000000000000000000000000000
> CIPHERTEXT expected = 3ad78e726c1ec02b7ebfe92b23d9ec34

OpenSSL perhaps?
http://en.wikipedia.org/wiki/OpenSSL

$ openssl aes-128-ecb -e -in temp.in -out temp.out -nosalt -nopad -iv 0 -K 0
$ hexdump -C temp.in
00000000 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
$ hexdump -C temp.out
00000000 3a d7 8e 72 6c 1e c0 2b 7e bf e9 2b 23 d9 ec 34 |:..rl..+~..+#..4|
From: Globemaker on
On Jul 6, 7:32 am, Kristian Gj steen <kristiag+n...(a)math.ntnu.no>
wrote:
> Globemaker  <alanfolms...(a)cabanova.com> wrote:
> >Yes, this is the most basic and simple test. There is no reason to
> >avoid the basic test using ECB. I am doing validation work and all
> >candidaates failed to be validated for the very simple task.
>
> Why do you want the software to do something it's not supposed to do?

I do not want "to do something it's not supposed to do". I want to get
software that lets me control the key and the mode. It is bizarre that
cryto enthusiasts fight against simple validation and basic test
vectors being successfully demonstrated. I want to make a ciphertext
with my AES software that can be decrypted by a stranger using
different AES software. That is a practical power.

> How would that validate the software?

A successful duplication of inputs and outputs of the Known Answer
Test from NIST is how it would be validated.

>
> If you want to validate the AES implementation in some software, wouldn't
> a unit test be more appropriate?
>
> --
> kg

I am interested in the "unit test". With a search engine "unit test
aes" mostly brings audio websites. Can you recommend a website on the
"unit test"?
From: Maaartin on
On Jul 6, 3:54 pm, Globemaker <alanfolms...(a)cabanova.com> wrote:
> I am interested in the "unit test". With a search engine "unit test
> aes" mostly brings audio websites. Can you recommend a website on the
> "unit test"?

This has nothing to do with crypto.
http://en.wikipedia.org/wiki/Unit_testing

In computer programming, unit testing is a software verification and
validation method in which a programmer tests if individual units of
source code are fit for use. A unit is the smallest testable part of
an application. In procedural programming a unit may be an individual
function or procedure.

Each software implementing anything should be accompanied by unit (and
other) tests, showing it really does what it's supposed to do, see
e.g.
http://bouncycastle.sourcearchive.com/documentation/1.39-2/jdk1_80_2org_2bouncycastle_2crypto_2test_2AESTest_8java-source.html
From: Kristian Gj�steen on
Globemaker <alanfolmsbee(a)cabanova.com> wrote:
>I do not want "to do something it's not supposed to do". I want to get
>software that lets me control the key and the mode. It is bizarre that
>cryto enthusiasts fight against simple validation and basic test
>vectors being successfully demonstrated.

No. Most of us prefer fail-safe software. If software allows users to
do something stupid, some user will do something stupid, and this being
security, he will not notice. Such software should be discouraged.

If you are writing software and want to test your AES module, then test
the AES module, don't implement additional insecure functionality.

--
kg
From: Tom St Denis on
On Jul 6, 3:04 pm, Kristian Gjøsteen <kristiag+n...(a)math.ntnu.no>
wrote:
> Globemaker  <alanfolms...(a)cabanova.com> wrote:
> >I do not want "to do something it's not supposed to do". I want to get
> >software that lets me control the key and the mode. It is bizarre that
> >cryto enthusiasts fight against simple validation and basic test
> >vectors being successfully demonstrated.
>
> No.  Most of us prefer fail-safe software.  If software allows users to
> do something stupid, some user will do something stupid, and this being
> security, he will not notice.  Such software should be discouraged.
>
> If you are writing software and want to test your AES module, then test
> the AES module, don't implement additional insecure functionality.

Not only that, but good crypto programs are open source and therefore
open to peer review. If I don't trust the AES in OpenSSL I can put
traces in the code and make sure it's doing what I think it's doing
(indeed I have done this, but not because I thought OpenSSL was broken
I was trying to reverse engineer the sslRSA format used in old private
keys).

The guys request is stupid. He could encrypt his articles with gpg -c
using a known password if he wants to encourage his users to a) use
crypto and b) use good crypto. But "globemaker" doesn't know squat
about cryptography [let alone enough to write a blog, sorry,
"magazine" worth reading].

Tom