W3C home > Mailing lists > Public > public-webcrypto@w3.org > April 2013

Re: GCM ciphertext + tag ambiguity

From: Ryan Sleevi <sleevi@google.com>
Date: Wed, 17 Apr 2013 18:15:53 -0700
Message-ID: <CACvaWvYNM1aQpsdsW3NHZkU4vADXw7ZwEveCtS+sXQCmiZ0TSQ@mail.gmail.com>
To: Richard Barnes <rbarnes@bbn.com>
Cc: Web Cryptography Working Group <public-webcrypto@w3.org>
I don't know if it's so much as ambiguity as "It's not presently defined"

That said, the intent was 1.

I don't agree with the point about tagLength, nor do I see RFC 5116
being relevant here. It also doesn't match any of the existing
cryptographic APIs.

On Wed, Apr 17, 2013 at 6:00 PM, Richard Barnes <rbarnes@bbn.com> wrote:
> The GCM mode returns two outputs, a ciphertext and an authentication tag.   As I read the current spec, the only output from GCM is the CryptoOperation.result ArrayBufferView.  It seems like there's a need to do one of the following:
> (1) Define how the ciphertext and tag are packed into the result ArrayBufferView, or
> (2) Define separate fields to hold the ciphertext and tag
> For simplicity, I have a slight preference for (1), simply concatenating the two (result = ciphertext || tag).  Actually, I would be OK if we got rid of tagLength and always just returned the full tag.  That would be compatible with RFC 5116, and applications could always truncate the tag if they want it shorter.
> Either way, it seems like we need to resolve the ambiguity.
> --Richard
Received on Thursday, 18 April 2013 01:16:20 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:16 UTC