Defaults issues with AES-GCM

Two minor issues with AesGcmParams:

1. AdditionalData is optional, but GCM requires an AAD string, even if it's empty (SP800-38D, Section 5.2.1.1).  So it might be helpful to note that if not present, it MUST be set to an ArrayBufferView representing the empty byte string.

2. Why is the default tagLength zero?  If that's the case, you might as well just use CTR and save some effort.  Suggest changing the default to 128, the full tag length.  As a bonus, this is compatible with RFC 5116.   

Proposed revised AesGcmParams:

dictionary AesGcmParams : AlgorithmParameters {
  // The initialization vector to use. May be up to 2^56 bytes long.
  ArrayBufferView? iv;
  // The additional authentication data to include.
  // If not present, MUST be set to an ArrayBufferView representing 
  // the empty byte string.
  ArrayBufferView? additionalData;
  // The desired length of the authentication tag. May be 0 - 128.
  [EnforceRange] octet? tagLength = 128;
};

Received on Thursday, 18 April 2013 00:52:57 UTC
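
A caller-side illustration of the two defaults proposed in the message above, as an added example that is not part of the original post or of the Web Crypto specification. The helper names resolveAesGcmParams and sealAesGcm are hypothetical, and rejecting a zero-length tag and limiting tagLength to the SP 800-38D tag sizes is a policy choice of this example, stricter than the "0 - 128" in the proposed IDL. sealAesGcm assumes a runtime that exposes crypto.subtle globally.

```javascript
// Added example: resolves AesGcmParams using the defaults proposed in the post.
// resolveAesGcmParams and sealAesGcm are hypothetical helper names.

// Tag lengths in bits listed by SP 800-38D (32 and 64 only for special cases).
const ALLOWED_TAG_BITS = new Set([32, 64, 96, 104, 112, 120, 128]);

function resolveAesGcmParams(params) {
  if (!ArrayBuffer.isView(params.iv) || params.iv.byteLength === 0) {
    throw new TypeError("iv must be a non-empty ArrayBufferView");
  }
  // Proposed default 1: an absent AAD becomes the empty byte string.
  const additionalData = params.additionalData ?? new Uint8Array(0);
  if (!ArrayBuffer.isView(additionalData)) {
    throw new TypeError("additionalData must be an ArrayBufferView");
  }
  // Proposed default 2: an absent tagLength becomes 128, never 0.
  const tagLength = params.tagLength ?? 128;
  // Simplified stand-in for [EnforceRange] octet: an integer in 0..255.
  if (!Number.isInteger(tagLength) || tagLength < 0 || tagLength > 255) {
    throw new TypeError("tagLength is not a valid octet");
  }
  // Policy of this example: a zero-length tag gives no authentication
  // (the post's "might as well use CTR"), so it is refused outright.
  if (!ALLOWED_TAG_BITS.has(tagLength)) {
    throw new RangeError(`tagLength ${tagLength} is not an SP 800-38D tag size`);
  }
  return { name: "AES-GCM", iv: params.iv, additionalData, tagLength };
}

// Encrypt with every parameter made explicit; key is an AES-GCM CryptoKey.
async function sealAesGcm(key, params, plaintext) {
  const resolved = resolveAesGcmParams(params);
  const sealed = new Uint8Array(
    await crypto.subtle.encrypt(resolved, key, plaintext)
  );
  // The tag is appended to the ciphertext, so the output is
  // plaintext length + tagLength / 8 bytes long.
  return { resolved, sealed };
}
```

Passing the resolved object rather than the caller's partial one means the tag length and AAD actually used are visible in logs and code review instead of depending on implementation defaults.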