[Cryptography-dev] GCM tag truncation, backwards compatibility

Alex Stapleton alexs at prol.etari.at
Mon Jun 30 19:41:58 CEST 2014


+1. Nice find.


On 30 June 2014 17:29:19 Alex Gaynor <alex.gaynor at gmail.com> wrote:

> Background:
>
> Right now when you provide a tag to GCM for decryption/verification, we
> allow it to be truncated, always. This means that applications that don't
> want truncation must add their own length checking.
>
> Analysis:
>
> This is terrible, because it means most applications will silently allow
> truncation down to a 4-byte MAC (32 bits), which is much easier to brute
> force or otherwise exploit than the full 16-byte MAC.
>
> Proposal:
>
> Changing the constructor to disallow truncated MACs by default, and require
> the user to explicitly opt in to truncation.
>
> This is technically backwards-incompatible, but I think it's a good change,
> because of the enormity of the improvement in security.
>
> A patch doing this is here: https://github.com/pyca/cryptography/pull/1201
>
> Feedback please!
> Alex
>
> --
> "I disapprove of what you say, but I will defend to the death your right to
> say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: 125F 5C67 DFE9 4084
>
>
>
> ----------
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
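The policy change the thread discusses, shown as an added example (not code from the original message and not pyca/cryptography's own implementation): a verifier that accepts any prefix of the real tag, next to one that requires the full 16-byte tag unless the caller passes an explicit minimum. The tag computation is an HMAC-SHA256 stand-in for the GCM tag so the block runs on the standard library alone; the key, the sample data, and the function names (verify_permissive, verify_strict, forge_with_oracle) are constructed for this illustration. The forgery routine models an attacker with no key and only a decrypt-and-verify oracle, which is why a short accepted tag matters.

```python
"""Tag-length policy for an AEAD verifier: permissive (accept any truncation)
versus strict-by-default with explicit opt-in to shorter tags.

Added example; the MAC below stands in for GCM's tag computation so the logic
runs offline. Only the length handling is the point.
"""
import hashlib
import hmac

FULL_TAG_LEN = 16          # GCM produces a 128-bit tag
ABSOLUTE_MIN_TAG_LEN = 4   # smallest tag the thread mentions (32 bits)


def compute_tag(key, data):
    """Stand-in for the GCM tag: HMAC-SHA256 truncated to 16 bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:FULL_TAG_LEN]


def verify_permissive(key, data, tag):
    """'Before' behaviour: any non-empty prefix of the real tag verifies,
    so the caller must add its own length check to get full strength."""
    if not 1 <= len(tag) <= FULL_TAG_LEN:
        raise ValueError("tag must be 1..%d bytes" % FULL_TAG_LEN)
    expected = compute_tag(key, data)[:len(tag)]
    return hmac.compare_digest(expected, tag)


def verify_strict(key, data, tag, min_tag_length=FULL_TAG_LEN):
    """'After' behaviour: the tag must be at least min_tag_length bytes, and
    the default is the full tag. Truncation is only accepted when the caller
    lowers min_tag_length explicitly (hypothetical parameter name)."""
    if not ABSOLUTE_MIN_TAG_LEN <= min_tag_length <= FULL_TAG_LEN:
        raise ValueError("min_tag_length must be %d..%d"
                         % (ABSOLUTE_MIN_TAG_LEN, FULL_TAG_LEN))
    if len(tag) > FULL_TAG_LEN:
        raise ValueError("tag longer than %d bytes" % FULL_TAG_LEN)
    if len(tag) < min_tag_length:
        raise ValueError("tag is %d bytes, policy requires at least %d"
                         % (len(tag), min_tag_length))
    expected = compute_tag(key, data)[:len(tag)]
    return hmac.compare_digest(expected, tag)


def forgery_attempts(tag_len):
    """Expected number of random guesses before a tag_len-byte tag verifies:
    the oracle accepts each guess with probability 2**-(8*tag_len)."""
    return 2 ** (8 * tag_len)


def forge_with_oracle(oracle, data, tag_len):
    """Attacker model: no key, only oracle(data, tag) -> bool. Enumerate every
    tag_len-byte tag until the oracle accepts one. Returns (tag, attempts);
    tag is None if the oracle's length policy rejected the guesses outright."""
    attempts = 0
    for guess in range(256 ** tag_len):
        attempts += 1
        tag = guess.to_bytes(tag_len, "big")
        try:
            accepted = oracle(data, tag)
        except ValueError:
            return None, attempts
        if accepted:
            return tag, attempts
    return None, attempts


if __name__ == "__main__":
    key = b"\x11" * 16                         # constructed key
    data = b"constructed ciphertext || aad"    # constructed input
    full = compute_tag(key, data)

    # Permissive verifier: a 1-byte tag is forged with at most 256 oracle calls.
    tag, n = forge_with_oracle(lambda d, t: verify_permissive(key, d, t), data, 1)
    print("permissive: forged 1-byte tag %r after %d attempts" % (tag, n))

    # Strict default: the same attack is refused on the first call.
    tag, n = forge_with_oracle(lambda d, t: verify_strict(key, d, t), data, 1)
    print("strict: forged tag %r after %d attempts" % (tag, n))

    print("expected guesses, 4-byte tag: 2**%d" % (8 * 4))
    print("opt-in 4-byte tag verifies:", verify_strict(key, data, full[:4], min_tag_length=4))
```

The design point is that the length policy is checked before the constant-time comparison, so an application that never sets the minimum gets the full tag automatically, and one that needs interoperability with truncated tags states the number it is willing to accept in one place.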

