W3C home > Mailing lists > Public > public-webcrypto@w3.org > April 2013

Re: GCM ciphertext + tag ambiguity

From: Wan-Teh Chang <wtc@google.com>
Date: Wed, 17 Apr 2013 18:36:20 -0700
Message-ID: <CALTJjxH_mQxvvw3BAaCZahhfpBx2G1xQBorbdDaX19Ro=GFivQ@mail.gmail.com>
To: Richard Barnes <rbarnes@bbn.com>
Cc: Web Cryptography Working Group <public-webcrypto@w3.org>
On Wed, Apr 17, 2013 at 6:00 PM, Richard Barnes <rbarnes@bbn.com> wrote:
> Actually, I would be OK if we got rid of tagLength and always just returned the full tag.
> That would be compatible with RFC 5116, and applications could always truncate the
> tag if they want it shorter.

In RFC 5116, the authentication tag length is hardcoded for each AEAD algorithm.
(But so is the key size. In Web Crypto API, the key size is implied by
the Key object.)
It seems inconvenient to make applications truncate the tag when this
can be easily
done by the native AES GCM implementations.

Wan-Teh
Received on Thursday, 18 April 2013 01:36:47 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:16 UTC