
RE: GCM ciphertext + tag ambiguity

From: Jim Schaad <ietf@augustcellars.com>
Date: Thu, 18 Apr 2013 09:57:39 -0700
To: "'Richard Barnes'" <rbarnes@bbn.com>, "'Web Cryptography Working Group'" <public-webcrypto@w3.org>
Message-ID: <046601ce3c55$d62aa9d0$827ffd70$@augustcellars.com>
Just to make things even a bit more complex.  If I were to implement AES-SIV
then I get even more fun as the IV is computed based on the message to be
encrypted.  The SIV value then becomes both the IV and the authentication
tag.  So I would need to be able to figure out how to get the IV back and
feed it incorrectly at encryption time.  Additionally the GCM functions are
not currently set up to be able to feed the authentication value in.

Jim


> -----Original Message-----
> From: Richard Barnes [mailto:rbarnes@bbn.com]
> Sent: Wednesday, April 17, 2013 6:01 PM
> To: Web Cryptography Working Group
> Subject: GCM ciphertext + tag ambiguity
> 
> The GCM mode returns two outputs, a ciphertext and an authentication tag.
> As I read the current spec, the only output from GCM is the
> CryptoOperation.result ArrayBufferView.  It seems like there's a need to do
> one of the following:
> 
> (1) Define how the ciphertext and tag are packed into the result
> ArrayBufferView, or
> (2) Define separate fields to hold the ciphertext and tag
> 
> For simplicity, I have a slight preference for (1), simply concatenating the two
> (result = ciphertext || tag).  Actually, I would be OK if we got rid of tagLength
> and always just returned the full tag.  That would be compatible with RFC
> 5116, and applications could always truncate the tag if they want it shorter.
> 
> Either way, it seems like we need to resolve the ambiguity.
> 
> --Richard
Received on Thursday, 18 April 2013 17:27:45 UTC
