As a hobby right now, I am writing a fork of archive/zip to allow reading/writing of password protected .zip files that use Winzip’s AES encryption method http://www.winzip.com/aes_info.htm. There was a request for this feature here and on the golang issue tracker. But, I’ve hit a brick wall when it comes to the initialization vector used as input in to AES-CTR. I’ve written a small demo that helps explain my problem: http://play.golang.org/p/YTByCFClJZ. You will have to run this outside of the playground to work. But that example successfully decrypts the contents “Hello World\r\n”.
My confusion comes from the lines:
// Generate the IV (or counter?)
var iv [aes.BlockSize]byte
iv[0] = 1 // Why is this 1 instead of 0?!?!?!?
When I first implemented this I left off the iv[0]=1 which failed to decrypt the correct contents. It was just by chance that I decided to try out iv[0]=1 and it worked! The reason I’m confused is because all the information that I’ve read says that the IV (or counter) starts off at 0 not 1. See the 9th slide here: https://www.cs.jhu.edu/~astubble/dss/winzip.pdf. Maybe I have the IV and counter confused?
Anyone have any insights into this?
EDIT: I believe I have an answer to my question. I looked at the source for DotNetZip library for C# to see how they do it. It looks like the IV is called “nonce” that they set to 1 and is concatenated together with an internal counter. I need to do some more testing to confirm.