AES CTR Does not increment the nonce when iv is less than 16 bytes

[NBFinanceTech]

Description

There seem to be an issue in the AES-CTR encryption implementation where the counter does not increment, resulting in keystream reuse. This vulnerability can allow an attacker to break the encryption under certain conditions.

Relevant Code

Here is the problematic code snippet where AES-CTR encryption is performed:

export async function encodeDescription(description, finalKeyHex) {
    try {
        // Convert hex key to WordArray
        const keyWords = CryptoJS.enc.Hex.parse(finalKeyHex);

        // Generate a 12-byte IV
        const ivBytes = new Uint8Array(12);
        crypto.getRandomValues(ivBytes); // Note: crypto is assumed to be defined elsewhere

        const ivWordArray = CryptoJS.lib.WordArray.create(ivBytes);

        // Convert plaintext to WordArray
        const plaintextWords = CryptoJS.enc.Utf8.parse(description);

        // Encrypt using AES-CTR with no padding
        const encrypted = CryptoJS.AES.encrypt(plaintextWords, keyWords, {
            iv: ivWordArray,
            mode: CryptoJS.mode.CTR,
            padding: CryptoJS.pad.NoPadding,
        });

        // Extract ciphertext as WordArray and convert to Uint8Array
        const ciphertextBytes = wordArrayToUint8Array(encrypted.ciphertext);

        // Combine IV and ciphertext
        const combined = new Uint8Array(ivBytes.length + ciphertextBytes.length);
        combined.set(ivBytes, 0);
        combined.set(ciphertextBytes, ivBytes.length);

        // Convert combined to base64
        const combinedString = String.fromCharCode(...combined);
        const base64Encoded = CryptoJS.enc.Base64.stringify(
            CryptoJS.enc.Utf8.parse(combinedString),
        );

        return base64Encoded;
    } catch (err) {
        console.log('ERROR encodeDescription', err);
        return '';
    }
}

[NBFinanceTech]

It works if the IV is padded with 4 zero bytes at the end.

So with a 16 bytes iv it works - not with a 12 bytes iv

So there must be an issue as it should auto-append the counter when given a 12 byte iv

e.g:

/**
 * Convert a CryptoJS WordArray to a Uint8Array.
 */
function wordArrayToUint8Array(wordArray) {
  const words = wordArray.words;
  const sigBytes = wordArray.sigBytes;
  const u8 = new Uint8Array(sigBytes);
 
  let byteIndex = 0;
  for (let i = 0; i < words.length; i++) {
    let word = words[i];
    for (let j = 3; j >= 0; j--) {
      if (byteIndex < sigBytes) {
        u8[byteIndex++] = (word >> (8 * j)) & 0xff;
      }
    }
  }
  return u8;
}
 
/**
 * Encrypt plaintext using AES-CTR with a given hex key.
 * @param {string} description - The message to encrypt.
 * @param {string} finalKeyHex - 64-char hex string representing a 32-byte AES key.
 * @returns {string} Base64-encoded IV + ciphertext combined.
 */
export async function encodeDescription(description, finalKeyHex) {
  try {
    // Convert hex key to WordArray
    const keyWords = CryptoJS.enc.Hex.parse(finalKeyHex);
 
    // Generate a 12-byte IV and pad it to 16 bytes if needed for the encryption block size
    const ivBytes = new Uint8Array(12);
    crypto.getRandomValues(ivBytes);  // Securely generate random IV
    const paddedIvBytes = new Uint8Array(16);  // Pad the IV to the correct block size if necessary
    paddedIvBytes.set(ivBytes);
 
    const ivWordArray = CryptoJS.lib.WordArray.create(paddedIvBytes);
 
    // Convert plaintext to WordArray
    const plaintextWords = CryptoJS.enc.Utf8.parse(description);
 
    // Encrypt using AES-CTR with no padding
    const encrypted = CryptoJS.AES.encrypt(plaintextWords, keyWords, {
      iv: ivWordArray,
      mode: CryptoJS.mode.CTR,
      padding: CryptoJS.pad.NoPadding,
    });
 
    // Extract ciphertext as WordArray and convert to Uint8Array
    const ciphertextBytes = wordArrayToUint8Array(encrypted.ciphertext);
 
    // Combine IV and ciphertext
    const combined = new Uint8Array(ivBytes.length + ciphertextBytes.length);
    combined.set(ivBytes, 0);
    combined.set(ciphertextBytes, ivBytes.length);
 
    // Directly convert combined bytes to Base64
    const base64Encoded = btoa(String.fromCharCode(...combined));
 
    return base64Encoded;
  } catch (err) {
    console.error('Error in encodeDescription:', err);
    return '';
  }
}

[user163]

There seem to be an issue in the AES-CTR encryption implementation where the counter does not increment, resulting in keystream reuse.

tl;dr - The counter is incremented, but it is just incremented too late.

More detailed: If only the 12 bytes nonce is passed to CryptoJS instead of the complete 16 bytes IV, this is implicitly completed to a 16 bytes IV by appending a 4 bytes counter (with 0x00 values). So far so good.
The problem arises because CryptoJS does not increment this counter for the second block during encryption, but only for the third block and the subsequent ones. This means that the first and second blocks are encrypted with the same counter or IV which results in an incorrect ciphertext from the second block onwards.
This can be verified by encrypting the blocks individually with CTR and comparing them, see jsfiddle:

var plaintext = '01234567890abcdef01234567890abcdef01234567890abcdef01234567890abcdef01234'
var key = CryptoJS.enc.Utf8.parse('01234567890123456789012345678901')

// correct encryption with iv = nonce + counter, s. CyberChef: https://gchq.github.io/CyberChef/#recipe=AES_Encrypt(%7B'option':'UTF8','string':'01234567890123456789012345678901'%7D,%7B'option':'Hex','string':'2301cd4ef785690a1b2c3dab00000000'%7D,'CTR','Raw','Hex',%7B'option':'Hex','string':''%7D)&input=MDEyMzQ1Njc4OTBhYmNkZWYwMTIzNDU2Nzg5MGFiY2RlZjAxMjM0NTY3ODkwYWJjZGVmMDEyMzQ1Njc4OTBhYmNkZWYwMTIzNA
var iv = CryptoJS.enc.Hex.parse('2301cd4ef785690a1b2c3dab00000000') // 16 Bytes
var encryption = CryptoJS.AES.encrypt(plaintext, key, { iv: iv, mode: CryptoJS.mode.CTR, padding: CryptoJS.pad.NoPadding })
console.log("correct:", encryption.ciphertext.toString())

// single encryption with nonce only
var nonce = CryptoJS.enc.Hex.parse('2301cd4ef785690a1b2c3dab'); // 12 Bytes
var encryption = CryptoJS.AES.encrypt(plaintext, key, { iv: nonce, mode: CryptoJS.mode.CTR, padding: CryptoJS.pad.NoPadding })
console.log("wrong:  ", encryption.ciphertext.toString())

// block-by-block encryption
var plaintext1 = '01234567890abcde'
var plaintext2 = 'f01234567890abcd'
var plaintext3 = 'ef01234567890abc'
var plaintext4 = 'def01234567890ab'
var plaintext5 = 'cdef01234'
var iv1 = CryptoJS.enc.Hex.parse('2301cd4ef785690a1b2c3dab00000000')
var encryption1 = CryptoJS.AES.encrypt(plaintext1, key, { iv: iv1, mode: CryptoJS.mode.CTR, padding: CryptoJS.pad.NoPadding })
var iv2 = CryptoJS.enc.Hex.parse('2301cd4ef785690a1b2c3dab00000000')
var encryption2 = CryptoJS.AES.encrypt(plaintext2, key, { iv: iv2, mode: CryptoJS.mode.CTR, padding: CryptoJS.pad.NoPadding })
var iv3 = CryptoJS.enc.Hex.parse('2301cd4ef785690a1b2c3dab00000001')
var encryption3 = CryptoJS.AES.encrypt(plaintext3, key, { iv: iv3, mode: CryptoJS.mode.CTR, padding: CryptoJS.pad.NoPadding })
var iv4 = CryptoJS.enc.Hex.parse('2301cd4ef785690a1b2c3dab00000002')
var encryption4 = CryptoJS.AES.encrypt(plaintext4, key, { iv: iv4, mode: CryptoJS.mode.CTR, padding: CryptoJS.pad.NoPadding })
var iv5 = CryptoJS.enc.Hex.parse('2301cd4ef785690a1b2c3dab00000003')
var encryption5 = CryptoJS.AES.encrypt(plaintext5, key, { iv: iv5, mode: CryptoJS.mode.CTR, padding: CryptoJS.pad.NoPadding })
console.log("wrong:  ", encryption1.ciphertext.toString() + encryption2.ciphertext.toString() + encryption3.ciphertext.toString() + encryption4.ciphertext.toString() + encryption5.ciphertext.toString())

Output:

correct: 76dc60b39740ec3a848759e171715cbb75980df072036f2d44d9878807e316941e2064c1e4109b8d2d7bbc15a17b1ba1ef9b9844db55399fd90e9b4c629435c4afed8151344514fd3c
wrong:   76dc60b39740ec3a848759e171715cbb20dd63b29041ef3b8b8650b072705bba76ce0cf373046e2e45d6868156e017931f2332c0e7119c8c2e7ab314a82a18a0e89a9b12da563898d8
wrong:   76dc60b39740ec3a848759e171715cbb20dd63b29041ef3b8b8650b072705bba76ce0cf373046e2e45d6868156e017931f2332c0e7119c8c2e7ab314a82a18a0e89a9b12da563898d8

---

So with a 16 bytes iv it works

Yep, the problem does not occur if the complete 16 bytes IV is passed to CryptoJS from the start.