W3C home > Mailing lists > Public > public-webcrypto@w3.org > April 2013

Re: Defaults issues with AES-GCM

From: Richard Barnes <rbarnes@bbn.com>
Date: Thu, 18 Apr 2013 10:05:43 -0400
Cc: Web Cryptography Working Group <public-webcrypto@w3.org>
Message-Id: <2234582C-4DA2-496E-8D0B-00925ED9B0DB@bbn.com>
To: Wan-Teh Chang <wtc@google.com>

On Apr 17, 2013, at 10:02 PM, Wan-Teh Chang <wtc@google.com> wrote:

> On Wed, Apr 17, 2013 at 5:52 PM, Richard Barnes <rbarnes@bbn.com> wrote:
>> 
>> Proposed revised AesGcmParams:
>> 
>> dictionary AesGcmParams : AlgorithmParameters {
>>  ...
>>  // The desired length of the authentication tag. May be 0 - 128.
>>  [EnforceRange] octet? tagLength = 128;
> 
> The comment should say "length in bits".
> 
> A tagLength of 0 should be disallowed. Perhaps "May be 32 - 128" or
> "May be 64 - 128".

The relevant quote from SP800-38D:
"""
The bit length of the tag, denoted t, is a security parameter, as discussed in Appendix B. In 
general, t may be any one of the following five values: 128, 120, 112, 104, or 96. For certain 
applications, t may be 64 or 32; guidance for the use of these two tag lengths, including 
requirements on the length of the input data and the lifetime of the key in these cases, is given in 
Appendix C.
"""

I would be comfortable with "May be 128, 120, 112, 104, or 96".


> We probably should also restrict tagLength to be a multiple of 8.

+1

--Richard
Received on Thursday, 18 April 2013 14:06:11 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:17:16 UTC