Fun with AES-128. Example Encryption with AES Trainer

Hello Folks!

We are still swamped with other projects and unable to post any updates on the SPMP8k project, but not to worry – SPMP8k development will continue soon!

Until then, we have a short article about an AES encryption trainer that we had lying around and decided to spruce up for your entertainment.
As you probably know, AES (the Advanced Encryption Standard) is the latest encryption standard endorsed by NIST, generator and owner of US standards. It’s main advantage over the previous standard, DES, is the ease of hardware implementation.

It mainly consists of byte swapping, rotation, and XOR’s and is extremely annoying to try to trace. It’s actually not too bad up until the MixRows phase if you’re using lookup tables but can be easy to get lost in if you’re not paying attention or taking good notes. We were once looking for a way to inspect the output of each individual operation of each round – we resorted to hacking in printf’s into someone else’s code but didn’t like their implementation in a few points.

What we really wanted was a printout that closely followed the round-by-round example given in the official AES implementation pdf (FIPS 197), including an example of the AES key expansion. That is a beautiful document with clear and concise descriptions of all aspects of the encryption – a truly excellent read. In addition, examples of both the AES key expansion and state data for every round is given – but not the same example, unfortunately! What we wanted was a similar style example printout for any input and key pair we could think of, for either encryption or decryption. And we wanted to change keys and inputs on-the-fly and watch nuances propagate through the algorithm. Not for any hacking sense, just to verify some ideas about optimizing some implementations of AES in FPGA’s and other circuitry. In the end, we developed our own little tiny AES-128 encryptor/decryptor that pukes out all of the internals of key expansion and encryption rounds so you can inspect them line-by-line.

Behold the Openschemes AES-128 Trainer!

Screenshot of the Openschemes AES Encryption Trainer

Fig 1 – Screenshot of Openschemes AES128 Encryption Trainer


The trainer is an AES encryptor/decryptor example program written in VB6. We call it a trainer, or example program because it only works on one 16-byte block at a time so it is really no good for encryption. In addition, the source code is optimized for readability and understanding instead of speed or efficiency.

Table lookups abound to avoid implementing Galois multiplication in VB – not a terrribly hard thing to understand but it really interrupts the flow of the read if you know what we’re saying…! And the number one reason it’s unsuitable for heavy-duty encryption – it’s in VB! It runs fast enough for our needs and still has a nice “hold on, I’m doing something” delay that makes you feel like something really important is going on. :)

In case you’re unable to read the screenshot data, the default data filled in the key and plaintext fields are the hex data from the 00112233… example from the FIPS document. The key expansion of hex key 000102030405060708090A0B0C0D0E0F follows:

Key Expansion Example:

00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
D6 AA 74 FD D2 AF 72 FA DA A6 78 F1 D6 AB 76 FE
B6 92 CF 0B 64 3D BD F1 BE 9B C5 00 68 30 B3 FE
B6 FF 74 4E D2 C2 C9 BF 6C 59 0C BF 04 69 BF 41
47 F7 F7 BC 95 35 3E 03 F9 6C 32 BC FD 05 8D FD
3C AA A3 E8 A9 9F 9D EB 50 F3 AF 57 AD F6 22 AA
5E 39 0F 7D F7 A6 92 96 A7 55 3D C1 0A A3 1F 6B
14 F9 70 1A E3 5F E2 8C 44 0A DF 4D 4E A9 C0 26
47 43 87 35 A4 1C 65 B9 E0 16 BA F4 AE BF 7A D2
54 99 32 D1 F0 85 57 68 10 93 ED 9C BE 2C 97 4E
13 11 1D 7F E3 94 4A 17 F3 07 A7 8B 4D 2B 30 C5

Followed by the fully annotated encryption workbook on the right side, showing the state of the ciphertext as it propagates through each round. As in FIPS197, the ciphertext (in hex) is 00112233445566778899AABBCCDDEEFF. Workbook data for all ten rounds of AES-128 are as follows:

AES Encryption Internals Example:

Encryption Workbook…
round[0].in 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
round[0].k 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

round[1].in 00 10 20 30 40 50 60 70 80 90 A0 B0 C0 D0 E0 F0
round[1].sb 63 CA B7 04 09 53 D0 51 CD 60 E0 E7 BA 70 E1 8C
round[1].sr 63 53 E0 8C 09 60 E1 04 CD 70 B7 51 BA CA D0 E7
round[1].mc 5F 72 64 15 57 F5 BC 92 F7 BE 3B 29 1D B9 F9 1A
round[1].k D6 AA 74 FD D2 AF 72 FA DA A6 78 F1 D6 AB 76 FE

round[2].in 89 D8 10 E8 85 5A CE 68 2D 18 43 D8 CB 12 8F E4
round[2].sb A7 61 CA 9B 97 BE 8B 45 D8 AD 1A 61 1F C9 73 69
round[2].sr A7 BE 1A 69 97 AD 73 9B D8 C9 CA 45 1F 61 8B 61
round[2].mc FF 87 96 84 31 D8 6A 51 64 51 51 FA 77 3A D0 09
round[2].k B6 92 CF 0B 64 3D BD F1 BE 9B C5 00 68 30 B3 FE

round[3].in 49 15 59 8F 55 E5 D7 A0 DA CA 94 FA 1F 0A 63 F7
round[3].sb 3B 59 CB 73 FC D9 0E E0 57 74 22 2D C0 67 FB 68
round[3].sr 3B D9 22 68 FC 74 FB 73 57 67 CB E0 C0 59 0E 2D
round[3].mc 4C 9C 1E 66 F7 71 F0 76 2C 3F 86 8E 53 4D F2 56
round[3].k B6 FF 74 4E D2 C2 C9 BF 6C 59 0C BF 04 69 BF 41

round[4].in FA 63 6A 28 25 B3 39 C9 40 66 8A 31 57 24 4D 17
round[4].sb 2D FB 02 34 3F 6D 12 DD 09 33 7E C7 5B 36 E3 F0
round[4].sr 2D 6D 7E F0 3F 33 E3 34 09 36 02 DD 5B FB 12 C7
round[4].mc 63 85 B7 9F FC 53 8D F9 97 BE 47 8E 75 47 D6 91
round[4].k 47 F7 F7 BC 95 35 3E 03 F9 6C 32 BC FD 05 8D FD

round[5].in 24 72 40 23 69 66 B3 FA 6E D2 75 32 88 42 5B 6C
round[5].sb 36 40 09 26 F9 33 6D 2D 9F B5 9D 23 C4 2C 39 50
round[5].sr 36 33 9D 50 F9 B5 39 26 9F 2C 09 2D C4 40 6D 23
round[5].mc F4 BC D4 54 32 E5 54 D0 75 F1 D6 C5 1D D0 3B 3C
round[5].k 3C AA A3 E8 A9 9F 9D EB 50 F3 AF 57 AD F6 22 AA

round[6].in C8 16 77 BC 9B 7A C9 3B 25 02 79 92 B0 26 19 96
round[6].sb E8 47 F5 65 14 DA DD E2 3F 77 B6 4F E7 F7 D4 90
round[6].sr E8 DA B6 90 14 77 D4 65 3F F7 F5 E2 E7 47 DD 4F
round[6].mc 98 16 EE 74 00 F8 7F 55 6B 2C 04 9C 8E 5A D0 36
round[6].k 5E 39 0F 7D F7 A6 92 96 A7 55 3D C1 0A A3 1F 6B

round[7].in C6 2F E1 09 F7 5E ED C3 CC 79 39 5D 84 F9 CF 5D
round[7].sb B4 15 F8 01 68 58 55 2E 4B B6 12 4C 5F 99 8A 4C
round[7].sr B4 58 12 4C 68 B6 8A 01 4B 99 F8 2E 5F 15 55 4C
round[7].mc C5 7E 1C 15 9A 9B D2 86 F0 5F 4B E0 98 C6 34 39
round[7].k 14 F9 70 1A E3 5F E2 8C 44 0A DF 4D 4E A9 C0 26

round[8].in D1 87 6C 0F 79 C4 30 0A B4 55 94 AD D6 6F F4 1F
round[8].sb 3E 17 50 76 B6 1C 04 67 8D FC 22 95 F6 A8 BF C0
round[8].sr 3E 1C 22 C0 B6 FC BF 76 8D A8 50 67 F6 17 04 95
round[8].mc BA A0 3D E7 A1 F9 B5 6E D5 51 2C BA 5F 41 4D 23
round[8].k 47 43 87 35 A4 1C 65 B9 E0 16 BA F4 AE BF 7A D2

round[9].in FD E3 BA D2 05 E5 D0 D7 35 47 96 4E F1 FE 37 F1
round[9].sb 54 11 F4 B5 6B D9 70 0E 96 A0 90 2F A1 BB 9A A1
round[9].sr 54 D9 90 A1 6B A0 9A B5 96 BB F4 0E A1 11 70 2F
round[9].mc E9 F7 4E EC 02 30 20 F6 1B F2 CC F2 35 3C 21 C7
round[9].k 54 99 32 D1 F0 85 57 68 10 93 ED 9C BE 2C 97 4E

round[A].in BD 6E 7C 3D F2 B5 77 9E 0B 61 21 6E 8B 10 B6 89
round[A].sb 7A 9F 10 27 89 D5 F5 0B 2B EF FD 9F 3D CA 4E A7
round[A].sr 7A D5 FD A7 89 EF 4E 27 2B CA 10 0B 3D 9F F5 9F
round[A].k 13 11 1D 7F E3 94 4A 17 F3 07 A7 8B 4D 2B 30 C5

ciphertext 69 C4 E0 D8 6A 7B 04 30 D8 CD B7 80 70 B4 C5 5A

Which should give you just about all the data you’d need for debugging your own AES hardware or software. You can input the key as 16 hex bytes (32 characters) or 16 ASCII characters, or even convert back and forth with clever misuse of the software. So this trainer should be able to generate encryption/decryption examples for damn near any AES128 situation you can think of.

For continued discussion as well as the source code and binaries (and a small puzzle from us to you!), please continue on to the next page.

Continued on Next Page Jump to Page 2

This entry was posted in Miscellaneous. Bookmark the permalink.

7 Responses to "Fun with AES-128. Example Encryption with AES Trainer"

Leave a replyLeave a Reply to Benito