The AesCtrParams
dictionary of the Web Crypto API represents the object that should be passed as the algorithm
parameter into SubtleCrypto.encrypt()
, SubtleCrypto.decrypt()
, SubtleCrypto.wrapKey()
, or SubtleCrypto.unwrapKey()
, when using the AES-CTR algorithm.
AES is a block cipher, meaning that it splits the message into blocks and encrypts it a block at a time. In CTR mode, every time a block of the message is encrypted, an extra block of data is mixed in. This extra block is called the "counter block".
A given counter block value must never be used more than once with the same key:
- Given a message n blocks long, a different counter block must be used for every block.
- If the same key is used to encrypt more than one message, a different counter block must be used for all blocks across all messages.
Typically this is achieved by splitting the initial counter block value into two concatenated parts:
- A nonce (that is, a number that may only be used once). The nonce part of the block stays the same for every block in the message. Each time a new message is to be encrypted, a new nonce is chosen. Nonces don't have to be secret, but they must not be reused with the same key.
- A counter. This part of the block gets incremented each time a block is encrypted.
Essentially: the nonce should ensure that counter blocks are not reused from one message to the next, while the counter should ensure that counter blocks are not reused within a single message.
Note: See Appendix B of the NIST SP800-38A standard for more information.