- From: Jim Schaad <ietf@augustcellars.com>
- Date: Thu, 18 Apr 2013 09:57:39 -0700
- To: "'Richard Barnes'" <rbarnes@bbn.com>, "'Web Cryptography Working Group'" <public-webcrypto@w3.org>
Just to make things even a bit more complex. If I were to implement AES-SIV then I get even more fun as the IV is computed based on the message to be encrypted. The SIV value then becomes both the IV and the authentication tag. So I would need to be able to figure out how to get the IV back and feed it incorrectly at encryption time. Additionally the GCM functions are not currently setup to be able to feed the authentication value in. Jim > -----Original Message----- > From: Richard Barnes [mailto:rbarnes@bbn.com] > Sent: Wednesday, April 17, 2013 6:01 PM > To: Web Cryptography Working Group > Subject: GCM ciphertext + tag ambiguity > > The GCM mode returns two outputs, a ciphertext and an authentication tag. > As I read the current spec, the only output from GCM is the > CryptoOperation.result ArrayBufferView. It seems like there's a need to do > one of the following: > > (1) Define how the ciphertext and tag are packed into the result > ArrayBufferView, or > (2) Define separate fields to hold the ciphertext and tag > > For simplicity, I have a slight preference for (1), simply concatenating the two > (result = ciphertext || tag). Actually, I would be OK if we got rid of tagLength > and always just returned the full tag. That would be compatible with RFC > 5116, and applications could always truncate the tag if they want it shorter. > > Either way, it seems like we need to resolve the ambiguity. > > --Richard
Received on Thursday, 18 April 2013 17:27:45 UTC