[Cryptography-dev] GCM tag truncation, backwards compatibility

Terry Chia terrycwk1994 at gmail.com
Tue Jul 1 08:56:45 CEST 2014


I don't think we should remove the ability to truncate tags given that
it is explicitly allowed by the standards and that this is in the
hazmat layer after all. Requiring opt-in for truncation should be good
enough.

On Tue, Jul 1, 2014 at 5:06 AM, Alex Stapleton <alexs at prol.etari.at> wrote:
> Do we know any GCM-using applications that actually use this feature at all?
> Using sub-80-bit MACs hasn't been a good idea for quite a while, so
> truncation doesn't seem terribly attractive. If anything, 128 bits might seem
> a little small?
>
> On 30 June 2014 19:33:23 Alex Gaynor <alex.gaynor at gmail.com> wrote:
>>
>> Yes. FWIW I think making truncation opt-in can be a first step to
>> disabling it entirely; with my patch there's now a clear place to apply
>> deprecation warnings (and I think we do need a deprecation cycle to
>> completely remove it).
>>
>>
>> On Mon, Jun 30, 2014 at 11:29 AM, Paul Kehrer <paul.l.kehrer at gmail.com>
>> wrote:
>>>
>>> If we entirely disable truncation we have a significant set of NIST
>>> vectors we can’t run tests against. It might be worth it though. I’ve never
>>> heard a good case for truncation outside of “well NIST allows it”.
>>>
>>>
>>> On June 30, 2014 at 12:27:32 PM, Glyph (glyph at twistedmatrix.com) wrote:
>>>
>>> On Jun 30, 2014, at 10:12 AM, Laurens Van Houtven <_ at lvh.io> wrote:
>>>
>>> Yes, yes, a thousand times yes!
>>>
>>> Keep in mind that if you truncate a GCM tag at all, let's say down to
>>> your 32 bit example, the security level for existential forgery is much
>>> lower than 32 bits. Furthermore, successful forgeries may reveal the
>>> authentication key. [Ferguson05]
>>>
>>>
>>> I don't entirely understand the attack here, but this sounds very much to
>>> me like truncation should simply be disabled, not opt-in.
>>>
>>> -glyph
>>> _______________________________________________
>>> Cryptography-dev mailing list
>>> Cryptography-dev at python.org
>>> https://mail.python.org/mailman/listinfo/cryptography-dev
>>>
>>
>>
>>
>> --
>> "I disapprove of what you say, but I will defend to the death your right
>> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
>> "The people's good is the highest law." -- Cicero
>> GPG Key fingerprint: 125F 5C67 DFE9 4084
>>
>
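The opt-in truncation the thread converges on, shown with pyca/cryptography's hazmat `Cipher` API as an added example (not code from the thread or from the project): the full 16-byte tag verifies by default, a 4-byte tag is refused unless the caller explicitly lowers `min_tag_length`, and even after opting in a tampered tag still fails. It assumes a cryptography release whose `modes.GCM` accepts the `min_tag_length` parameter.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

FULL_TAG_LEN = 16  # GCM's native 128-bit tag: the default and the safe choice


def gcm_encrypt(key, iv, plaintext, aad=b""):
    """AES-GCM encrypt; returns (ciphertext, full 16-byte tag)."""
    enc = Cipher(algorithms.AES(key), modes.GCM(iv)).encryptor()
    enc.authenticate_additional_data(aad)
    return enc.update(plaintext) + enc.finalize(), enc.tag


def gcm_decrypt(key, iv, ciphertext, tag, aad=b"", min_tag_length=FULL_TAG_LEN):
    """Verify and decrypt.

    Returns ("ok", plaintext) on success,
            ("short_tag", None) if the tag is shorter than the caller's policy
                                allows (refused before any crypto runs), or
            ("invalid_tag", None) if authentication fails.
    A tag shorter than 16 bytes is accepted only when min_tag_length is
    lowered explicitly (the library's floor is 4), i.e. truncation is opt-in.
    """
    try:
        mode = modes.GCM(iv, tag, min_tag_length=min_tag_length)
    except ValueError:
        return "short_tag", None
    dec = Cipher(algorithms.AES(key), mode).decryptor()
    dec.authenticate_additional_data(aad)
    try:
        return "ok", dec.update(ciphertext) + dec.finalize()
    except InvalidTag:
        return "invalid_tag", None


def demo():
    """Constructed sample: one message checked under the different policies."""
    key, iv = os.urandom(32), os.urandom(12)
    ct, tag = gcm_encrypt(key, iv, b"attack at dawn", aad=b"hdr")
    short = tag[:4]                             # a 32-bit tag, as in the thread
    tampered = bytes([short[0] ^ 1]) + short[1:]  # one bit flipped
    return {
        "full": gcm_decrypt(key, iv, ct, tag, b"hdr")[0],
        "short_default": gcm_decrypt(key, iv, ct, short, b"hdr")[0],
        "short_opt_in": gcm_decrypt(key, iv, ct, short, b"hdr", min_tag_length=4)[0],
        "short_tampered": gcm_decrypt(key, iv, ct, tampered, b"hdr", min_tag_length=4)[0],
    }
```

Note that opting in only makes the library accept the short tag; it does nothing about the reduced forgery resistance Laurens describes, so the caller's policy should keep `min_tag_length` at the default unless a protocol genuinely requires otherwise.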
