- From: Richard Barnes <rbarnes@bbn.com>
- Date: Thu, 18 Apr 2013 10:05:43 -0400
- To: Wan-Teh Chang <wtc@google.com>
- Cc: Web Cryptography Working Group <public-webcrypto@w3.org>
On Apr 17, 2013, at 10:02 PM, Wan-Teh Chang <wtc@google.com> wrote:

> On Wed, Apr 17, 2013 at 5:52 PM, Richard Barnes <rbarnes@bbn.com> wrote:
>>
>> Proposed revised AesGcmParams:
>>
>> dictionary AesGcmParams : AlgorithmParameters {
>>   ...
>>   // The desired length of the authentication tag. May be 0 - 128.
>>   [EnforceRange] octet? tagLength = 128;
>
> The comment should say "length in bits".
>
> A tagLength of 0 should be disallowed. Perhaps "May be 32 - 128" or
> "May be 64 - 128".

The relevant quote from SP800-38D:
"""
The bit length of the tag, denoted t, is a security parameter, as
discussed in Appendix B. In general, t may be any one of the following
five values: 128, 120, 112, 104, or 96. For certain applications, t may
be 64 or 32; guidance for the use of these two tag lengths, including
requirements on the length of the input data and the lifetime of the key
in these cases, is given in Appendix C.
"""

I would be comfortable with "May be 128, 120, 112, 104, or 96".

> We probably should also restrict tagLength to be a multiple of 8.

+1

--Richard
Received on Thursday, 18 April 2013 14:06:11 UTC
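
The tagLength restriction discussed in this message, written out as a check. This is an added example, not part of the original email and not text from the Web Crypto specification; the function name normalizeTagLength, the allowShortTags option and the choice of RangeError are assumptions made for illustration.

```javascript
// Added example: validate an AesGcmParams-style tagLength (length in bits).
// normalizeTagLength and allowShortTags are hypothetical names, not spec API.
const GENERAL_TAG_BITS = [128, 120, 112, 104, 96]; // SP800-38D general-use values
const SHORT_TAG_BITS = [64, 32]; // SP800-38D: only under the Appendix C guidance

function normalizeTagLength(params, { allowShortTags = false } = {}) {
  const raw = params.tagLength;
  // "octet? tagLength = 128": absent or null falls back to the default.
  if (raw === undefined || raw === null) return 128;

  // [EnforceRange] octet: convert to a number, reject NaN/Infinity, truncate
  // toward zero, then reject anything outside 0..255. No clamping or wrapping.
  const n = Number(raw);
  if (!Number.isFinite(n)) throw new TypeError("tagLength is not a finite number");
  const t = Math.trunc(n);
  if (t < 0 || t > 255) throw new TypeError("tagLength is outside the octet range");

  // Restrictions proposed in the thread, applied after the WebIDL conversion.
  if (t === 0) throw new RangeError("tagLength of 0 is not allowed");
  if (t % 8 !== 0) throw new RangeError("tagLength must be a multiple of 8");
  if (GENERAL_TAG_BITS.includes(t)) return t;
  if (SHORT_TAG_BITS.includes(t)) {
    if (allowShortTags) return t; // caller asserts it follows Appendix C
    throw new RangeError("tagLength " + t + " requires explicit opt-in");
  }
  // Multiples of 8 that SP800-38D does not list, e.g. 8, 16, 88 or 136.
  throw new RangeError("tagLength " + t + " is not an SP800-38D tag length");
}
```
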