Project

General

Profile

Issue #2062

Encrypted data length isn't a multiple of block size

Added by Jeonghoon Lee about 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.1.2
Resolution:
No change required

Description

Hello,

It shows "Encrypted data length isn't a multiple of block size" in both initiator and responder's IKE auth packet, as below decrypted packet.
Can you provide help to resolve this issue?

Selected proposal: IKE:AES-CBC [RFC3602]_256/HMAC-SHA-256-128 [RFC4868]/PRF_HMAC_SHA2_256/MODP_1536

140    2016-07-15 18:46:23.079052    31.30.69.9    192.168.0.116    ISAKMP    585    IKE_SA_INIT MID=00 Responder Response

Frame 140: 585 bytes on wire (4680 bits), 585 bytes captured (4680 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 31.30.69.9, Dst: 192.168.0.116
User Datagram Protocol, Src Port: 500 (500), Dst Port: 32012 (32012)
Internet Security Association and Key Management Protocol
    Initiator SPI: a9bc21cc0b6c7430
    Responder SPI: 0114e09dd8a0aa2f
    Next payload: Security Association (33)
    Version: 2.0
    Exchange type: IKE_SA_INIT (34)
    Flags: 0x20 (Responder, No higher version, Response)
    Message ID: 0x00000000
    Length: 541
    Type Payload: Security Association (33)
        Next payload: Key Exchange (34)
        0... .... = Critical Bit: Not Critical
        Payload length: 48
        Type Payload: Proposal (2) # 1
            Next payload: NONE / No Next Payload  (0)
            0... .... = Critical Bit: Not Critical
            Payload length: 44
            Proposal number: 1
            Protocol ID: IKE (1)
            SPI Size: 0
            Proposal transforms: 4
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 12
                Transform Type: Encryption Algorithm (ENCR) (1)
                Transform ID (ENCR): ENCR_AES_CBC (12)
                Transform IKE2 Attribute Type (t=14,l=2) Key-Length : 256
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Integrity Algorithm (INTEG) (3)
                Transform ID (INTEG): AUTH_HMAC_SHA2_256_128 (12)
            Type Payload: Transform (3)
                Next payload: Transform (3)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Pseudo-random Function (PRF) (2)
                Transform ID (PRF): PRF_HMAC_SHA2_256 (5)
            Type Payload: Transform (3)
                Next payload: NONE / No Next Payload  (0)
                0... .... = Critical Bit: Not Critical
                Payload length: 8
                Transform Type: Diffie-Hellman Group (D-H) (4)
                Transform ID (D-H): 1536 bit MODP group (5)
    Type Payload: Key Exchange (34)
        Next payload: Nonce (40)
        0... .... = Critical Bit: Not Critical
        Payload length: 200
        DH Group #: 1536 bit MODP group (5)
        Key Exchange Data: f30a3e61b08e6d0b3f54e854ff51a8ec811fa0b78a9acba4...
    Type Payload: Nonce (40)
        Next payload: Notify (41)
        0... .... = Critical Bit: Not Critical
        Payload length: 209
        Nonce DATA: d02ee0895fa4be180e77808c8368acf248e43b9f20d0bcfd...
    Type Payload: Notify (41) - NAT_DETECTION_DESTINATION_IP
        Next payload: Notify (41)
        0... .... = Critical Bit: Not Critical
        Payload length: 28
        Protocol ID: IKE (1)
        SPI Size: 0
        Notify Message Type: NAT_DETECTION_DESTINATION_IP (16389)
        Notification DATA: d5684fadfbdb406c7d09f06ae5eca0b3cdb81caf
    Type Payload: Notify (41) - NAT_DETECTION_SOURCE_IP
        Next payload: NONE / No Next Payload  (0)
        0... .... = Critical Bit: Not Critical
        Payload length: 28
        Protocol ID: IKE (1)
        SPI Size: 0
        Notify Message Type: NAT_DETECTION_SOURCE_IP (16388)
        Notification DATA: 6849dd80e01977bf2a1c24c5e95765a3733026d9

141    2016-07-15 18:46:23.123792    192.168.0.116    31.30.69.9    ISAKMP    432    IKE_AUTH MID=01 Initiator Request

Frame 141: 432 bytes on wire (3456 bits), 432 bytes captured (3456 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 192.168.0.116, Dst: 31.30.69.9
User Datagram Protocol, Src Port: 32014 (32014), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Internet Security Association and Key Management Protocol
    Initiator SPI: a9bc21cc0b6c7430
    Responder SPI: 0114e09dd8a0aa2f
    Next payload: Encrypted and Authenticated (46)
    Version: 2.0
    Exchange type: IKE_AUTH (35)
    Flags: 0x08 (Initiator, No higher version, Request)
    Message ID: 0x00000001
    Length: 384
    Type Payload: Encrypted and Authenticated (46)
        Next payload: Identification - Initiator (35)
        0... .... = Critical Bit: Not Critical
        Payload length: 356
        Initialization Vector: e604e3622a2457efe12441c53e783594 (16 bytes)
        Encrypted Data (324 bytes)[Invalid length, should be a multiple of block size (16)]
            [Expert Info (Warn/Malformed): Encrypted data length isn't a multiple of block size]
                [Encrypted data length isn't a multiple of block size]
                [Severity level: Warn]
                [Group: Malformed]
        Integrity Checksum Data: 3008a2e8764ca41d1c9010ef (12 bytes)[incorrect, should be 1b59d6dcb405bbde63e00add]
            [Expert Info (Warn/Checksum): IKEv2 Integrity Checksum Data is incorrect]
                [IKEv2 Integrity Checksum Data is incorrect]
                [Severity level: Warn]
                [Group: Checksum]

History

#1 Updated by Tobias Brunner about 6 years ago

  • Description updated (diff)
  • Status changed from New to Feedback

Whatever tool you use to analyze these packets uses the wrong truncation for HMAC-SHA256 or the wrong algorithm (e.g. HMAC-SHA1). It assumes the ICV is 96 bits (12 bytes) long, which is not the case. It's actually 128 bits (16 bytes) for HMAC-SHA256 (as the 128 suffix of the algorithm identifier indicates). So the length of the encrypted data is actually 320 bytes and that's a multiple of the block size of AES-256 (16 bytes).

#2 Updated by Jeonghoon Lee about 6 years ago

From your comment I found out that wrong algorithm is chosen in wireshark.
Thank you!

#3 Updated by Tobias Brunner about 6 years ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

Also available in: Atom PDF