AES/GCM如何处理小于块大小的数据？-HowAES/GCMdealswithdatasmallerthanblocksize?

0  

Unfortunately the Bouncy Castle and Oracle / Java implementations are not online. That is, the online properties of the underlying CTR mode encryption aren't kept. Online in this context means that bytes are directly encrypted/decrypted when they arive. This may have to do with how the encryption is handled and how the authentication tags are handled.

不幸的是，Bouncy Castle和Oracle / Java实现不在线。也就是说，不保留基础CTR模式加密的在线属性。在此上下文中，联机意味着字节在到达时直接加密/解密。这可能与处理加密的方式以及如何处理身份验证标记有关。

AES-CTR can be implemented in multiple ways. You can either first encrypt the counter and then directly XOR with plaintext/ciphertext when it arrives. You can also first buffer the plaintext and then, once you have a full block, create the counter, encrypt it and then XOR a full block of plaintext. This had advantages in the sense that it more closely resembles other modes of operation such as CBC. Furthermore you may not have to buffer the key stream in memory all that time.

AES-CTR可以通过多种方式实现。您可以先对计数器进行加密，然后在到达时直接使用明文/密文进行异或。您也可以先缓冲明文，然后，一旦您有一个完整的块，创建计数器，加密它然后XOR整个明文块。这在某种意义上具有优势，因为它更像CBC等其他操作模式。此外，您可能不必一直在内存中缓冲密钥流。

The authentication tag can also be handled differently. Here there are basically three options. You could simply regard the authentication tag as a separate entity to the ciphertext. This lets you keep the online properties of CTR mode and should, in my opinion, be the preferred option. You could also see it as part of the ciphertext, but in that case you lose the online properties during decryption; you would need to know where the ciphertext ends before you can handle the last number of bytes that make up the authentication tag. So you'd need to buffer at least the size in bytes of the authentication tag. Finally, still during decryption, you might only want to return plaintext bytes after verification of the plaintext bytes. In that case you'd need to buffer the entire ciphertext and return the plaintext in one go.

身份验证标记也可以不同方式处理。这里基本上有三种选择。您可以简单地将身份验证标记视为密文的单独实体。这使您可以保留CTR模式的在线属性，并且在我看来应该是首选选项。您也可以将其视为密文的一部分，但在这种情况下，您会在解密期间丢失在线属性;在处理构成身份验证标记的最后一个字节数之前，您需要知道密文的结束位置。因此，您需要至少缓冲身份验证标记的字节大小。最后，仍然在解密期间，您可能只想在验证明文字节后返回明文字节。在这种情况下，您需要缓冲整个密文并一次性返回明文。

As the authentication tag issues are only for decryption it is likely that Bouncy will just buffer because of the way CTR is implemented. You'd indeed have to call doFinal - as Robert already mentioned in the comments - to retrieve the last block of ciphertext as well as the authentication tag. It could be that the encryption is not yet performed because the encryption routine is kept somewhat symmetrical to the decryption routine as well.

由于认证标签问题仅用于解密，因此实施CTR的方式可能只是缓冲Bouncy。您确实必须调用doFinal - 正如Robert在评论中已经提到的那样 - 检索最后一个密文块以及身份验证标记。可能由于加密例程与解密例程保持某种程度的对称，因此尚未执行加密。