Re: GCM ciphertext + tag ambiguity

On Wed, Apr 17, 2013 at 6:00 PM, Richard Barnes <rbarnes@bbn.com> wrote:
> Actually, I would be OK if we got rid of tagLength and always just returned the full tag.
> That would be compatible with RFC 5116, and applications could always truncate the
> tag if they want it shorter.

In RFC 5116, the authentication tag length is hardcoded for each AEAD algorithm.
(But so is the key size. In the Web Crypto API, the key size is implied by
the Key object.)
It seems inconvenient to make applications truncate the tag when this
can be easily done by the native AES GCM implementations.

Wan-Teh

Received on Thursday, 18 April 2013 01:36:47 UTC
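
Added example, not part of the original message or of the Web Crypto specification: it shows that a GCM tag truncated by the application is byte-identical to one truncated natively, and that a receiver who splits ciphertext || tag with the wrong tag length fails authentication. It assumes Node's built-in crypto module instead of the Web Crypto API, and the key, IV, AAD, plaintext and function names are constructed for illustration.

```javascript
// Added example using Node's built-in crypto module (an assumption; the
// thread is about the Web Crypto API). All inputs are constructed samples.
const nodeCrypto = require('node:crypto');

const KEY = Buffer.alloc(16, 0x11);   // constructed 128-bit key
const IV = Buffer.alloc(12, 0x22);    // constructed 96-bit IV; never reuse with a real key
const AAD = Buffer.from('header');
const PLAINTEXT = Buffer.from('tag length demo');

// Encrypt and return ciphertext || tag, the combined layout discussed in the thread.
function seal(tagBytes) {
  const c = nodeCrypto.createCipheriv('aes-128-gcm', KEY, IV, { authTagLength: tagBytes });
  c.setAAD(AAD);
  const ct = Buffer.concat([c.update(PLAINTEXT), c.final()]);
  return Buffer.concat([ct, c.getAuthTag()]);
}

// Split a combined buffer using the tag length the receiver believes was used,
// then decrypt. Returns the plaintext, or null if authentication fails.
function open(combined, tagBytes) {
  const ct = combined.subarray(0, combined.length - tagBytes);
  const tag = combined.subarray(combined.length - tagBytes);
  const d = nodeCrypto.createDecipheriv('aes-128-gcm', KEY, IV, { authTagLength: tagBytes });
  d.setAAD(AAD);
  d.setAuthTag(tag);
  try {
    return Buffer.concat([d.update(ct), d.final()]);
  } catch (err) {
    return null; // tag did not verify
  }
}

// Application-side truncation: drop the last (16 - tagBytes) bytes of a full-tag output.
function truncateTag(combinedFull, tagBytes) {
  return combinedFull.subarray(0, combinedFull.length - (16 - tagBytes));
}

function demo() {
  const full = seal(16);                 // full 128-bit tag
  const native96 = seal(12);             // implementation truncates to 96 bits
  const app96 = truncateTag(full, 12);   // application truncates to 96 bits
  const opened = open(app96, 12);
  return {
    truncationMatchesNative: app96.equals(native96),
    truncatedOpens: opened !== null && opened.equals(PLAINTEXT),
    wrongLengthOpens: open(full, 12) !== null, // 128-bit output parsed as 96-bit
  };
}
```

The tag length is not an input to the GCM tag computation, which is why both truncation paths agree; it does have to be agreed out of band, because nothing in the combined buffer marks where the ciphertext ends.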