W3C home > Mailing lists > Public > public-webcrypto@w3.org > April 2013

GCM ciphertext + tag ambiguity

From: Richard Barnes <rbarnes@bbn.com>
Date: Wed, 17 Apr 2013 21:00:40 -0400
Message-Id: <85D6742F-35E5-4336-A198-AB8225086771@bbn.com>
To: Web Cryptography Working Group <public-webcrypto@w3.org>
The GCM mode returns two outputs, a ciphertext and an authentication tag.   As I read the current spec, the only output from GCM is the CryptoOperation.result ArrayBufferView.  It seems like there's a need to do one of the following:

(1) Define how the ciphertext and tag are packed into the result ArrayBufferView, or
(2) Define separate fields to hold the ciphertext and tag

For simplicity, I have a slight preference for (1), simply concatenating the two (result = ciphertext || tag).  Actually, I would be OK if we got rid of tagLength and always just returned the full tag.  That would be compatible with RFC 5116, and applications could always truncate the tag if they want it shorter.

Either way, it seems like we need to resolve the ambiguity.

--Richard
Received on Thursday, 18 April 2013 01:01:08 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:16 UTC