- From: Bruce Rich <brich@us.ibm.com>
- Date: Tue, 13 Dec 2011 10:21:17 -0600
- To: public-xmlsec@w3.org
- Message-ID: <OF1689A315.524393AC-ON86257965.00585491-86257965.0059D7FE@us.ibm.com>
The NIST spec for Galois Counter Mode is http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf. The high-level logic for the decrypt step is in section 7.2. Step 8 of this algorithm is returning plaintext iff the tag verifies. It says, "8. If T = T′, then return P; else return FAIL".

The problematic text immediately follows the algorithm description (see page 17). It says, "Equivalent sets of steps that produce the correct output are permitted. In particular, the verification of the tag may precede the computation of the plaintext".

The intent in the spec is clearly to permit the tag verification before ANY plaintext is computed, never mind returned to the caller, so it takes some mental gymnastics to twist that into allowing plaintext to be computed and returned, pending a successful tag verification. And as Hal pointed out on today's call, it opens the door for the very same "oracle" attack that we were trying to prevent by using GCM.

Bruce A Rich
brich at-sign us dot ibm dot com
Received on Tuesday, 13 December 2011 16:22:29 UTC
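An added example, not part of Bruce's message or of the W3C thread, contrasting the two readings of SP 800-38D step 8 discussed above. `openVerifyFirst` uses Go's `cipher.AEAD.Open`, which compares T with T′ before returning any plaintext. `openReleaseEarly` is a constructed decryptor that hands P to its consumer first and reports FAIL afterwards; it reproduces GCM's keystream with plain CTR mode starting at inc32(J0) (this assumes a 96-bit IV, where J0 = IV || 0^31 || 1) and verifies the tag by re-sealing the recovered P. The key, nonce and message are constructed demo values. With one ciphertext byte flipped, both paths report FAIL, but only the second one has already delivered attacker-influenced plaintext to the sink, which is the oracle the message warns about.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
	"fmt"
)

const gcmTagSize = 16

// Sink models whatever consumes decrypted data (for XML Encryption, the XML parser).
type Sink func(plaintext []byte)

// sealGCM returns ciphertext || tag for plaintext under key/nonce with the given AAD.
func sealGCM(key, nonce, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, aad), nil
}

// openVerifyFirst is step 8 as intended: no plaintext leaves the decryptor unless T == T'.
func openVerifyFirst(key, nonce, ct, aad []byte, sink Sink) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	pt, err := gcm.Open(nil, nonce, ct, aad) // verifies the tag before returning
	if err != nil {
		return err // FAIL: the sink never sees a byte
	}
	sink(pt)
	return nil
}

// openReleaseEarly is the objectionable reading: compute P, hand it out, then verify.
// Constructed for illustration only; never use this shape in real code.
func openReleaseEarly(key, nonce, ct, aad []byte, sink Sink) error {
	if len(nonce) != 12 || len(ct) < gcmTagSize {
		return errors.New("demo needs a 96-bit nonce and at least a tag")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	body := ct[:len(ct)-gcmTagSize]
	// For a 96-bit IV, J0 = IV || 0x00000001 and the first plaintext block is encrypted
	// under inc32(J0) = IV || 0x00000002; CTR mode from that counter is GCM's keystream.
	ctr := make([]byte, aes.BlockSize)
	copy(ctr, nonce)
	ctr[aes.BlockSize-1] = 2
	pt := make([]byte, len(body))
	cipher.NewCTR(block, ctr).XORKeyStream(pt, body)

	sink(pt) // plaintext released before the tag check: this is the oracle

	// Tag check: re-sealing the recovered P must reproduce exactly the C || T received.
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(gcm.Seal(nil, nonce, pt, aad), ct) != 1 {
		return errors.New("FAIL: tag mismatch")
	}
	return nil
}

// Outcome records what one decryption attempt exposed.
type Outcome struct {
	Failed      bool   // decryptor reported FAIL
	SinkSawData bool   // consumer received plaintext
	SinkData    []byte // what it received
}

func run(dec func(key, nonce, ct, aad []byte, sink Sink) error, key, nonce, ct, aad []byte) Outcome {
	var o Outcome
	err := dec(key, nonce, ct, aad, func(p []byte) {
		o.SinkSawData = true
		o.SinkData = append([]byte(nil), p...)
	})
	o.Failed = err != nil
	return o
}

// TamperDemo seals msg, flips the first ciphertext byte as an attacker would, and
// reports what each decryptor exposes to its sink.
func TamperDemo(key, nonce, msg, aad []byte) (verifyFirst, releaseEarly Outcome, err error) {
	ct, err := sealGCM(key, nonce, msg, aad)
	if err != nil {
		return
	}
	tampered := append([]byte(nil), ct...)
	tampered[0] ^= 0x01
	return run(openVerifyFirst, key, nonce, tampered, aad), run(openReleaseEarly, key, nonce, tampered, aad), nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit demo key
	nonce := []byte("demo-nonce!!")                   // constructed 96-bit nonce
	msg := []byte("<Payment amount=\"10\"/>")          // constructed message
	vf, re, err := TamperDemo(key, nonce, msg, nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("verify-first : failed=%v sinkSawData=%v\n", vf.Failed, vf.SinkSawData)
	fmt.Printf("release-early: failed=%v sinkSawData=%v data=%q\n", re.Failed, re.SinkSawData, re.SinkData)
}
```

Because GCM's confidentiality layer is CTR, flipping ciphertext byte i flips plaintext byte i; in the release-early path that modified plaintext reaches the consumer before FAIL is reported, so any observable difference in how the consumer handles it (a parse error, a timing difference) leaks information about P despite the tag.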