[Cryptography-dev] GCM tag truncation, backwards compatibility
Paul Kehrer
paul.l.kehrer at gmail.com
Mon Jun 30 20:29:35 CEST 2014
If we entirely disable truncation we have a significant set of NIST vectors we can’t run tests against. It might be worth it though. I’ve never heard a good case for truncation outside of “well NIST allows it”.
On June 30, 2014 at 12:27:32 PM, Glyph (glyph at twistedmatrix.com) wrote:
> On Jun 30, 2014, at 10:12 AM, Laurens Van Houtven <_ at lvh.io> wrote:
>> Yes, yes, a thousand times yes!
>> Keep in mind that if you truncate a GCM tag at all, let's say down to your 32 bit example, the security level for existential forgery is much lower than 32 bits. Furthermore, successful forgeries may reveal the authentication key. [Ferguson05]
> I don't entirely understand the attack here, but this sounds very much to me like truncation should simply be disabled, not opt-in.
> -glyph
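As an added example (not part of this thread, and not the library's code as it stood in 2014), the following shows how the current pyca/cryptography GCM API treats tag length: a full 128-bit tag verifies, a tampered tag is rejected, and a tag truncated to 32 bits is refused by the default `min_tag_length` of 16 unless the caller explicitly opts in to the weaker setting. The key and nonce are constructed test values.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def gcm_encrypt(key, iv, plaintext, aad):
    """AES-GCM encrypt; returns ciphertext and the full 16-byte tag."""
    enc = Cipher(algorithms.AES(key), modes.GCM(iv), backend=default_backend()).encryptor()
    enc.authenticate_additional_data(aad)
    ct = enc.update(plaintext) + enc.finalize()
    return ct, enc.tag


def gcm_decrypt(key, iv, ciphertext, tag, aad, min_tag_length=16):
    """AES-GCM decrypt. With the default min_tag_length=16 a shorter tag is
    rejected (ValueError) before any decryption happens; a wrong tag of
    acceptable length raises InvalidTag at finalize()."""
    mode = modes.GCM(iv, tag, min_tag_length=min_tag_length)
    dec = Cipher(algorithms.AES(key), mode, backend=default_backend()).decryptor()
    dec.authenticate_additional_data(aad)
    return dec.update(ciphertext) + dec.finalize()


def demo():
    key = bytes(range(16))  # constructed 128-bit test key
    iv = bytes(12)          # constructed 96-bit nonce; never reuse a nonce under one key
    aad = b"constructed header"
    pt = b"constructed plaintext"
    ct, tag = gcm_encrypt(key, iv, pt, aad)
    results = {"full_tag_ok": gcm_decrypt(key, iv, ct, tag, aad) == pt}

    # A single flipped tag bit must fail authentication.
    try:
        gcm_decrypt(key, iv, ct, bytes([tag[0] ^ 1]) + tag[1:], aad)
        results["tamper_detected"] = False
    except InvalidTag:
        results["tamper_detected"] = True

    # A 32-bit tag is refused by the default policy (min_tag_length=16).
    try:
        gcm_decrypt(key, iv, ct, tag[:4], aad)
        results["truncated_rejected"] = False
    except ValueError:
        results["truncated_rejected"] = True

    # The weak setting: explicitly opting in to a 32-bit tag makes it verify,
    # which is exactly the configuration the thread argues against.
    results["truncated_accepted_when_opted_in"] = (
        gcm_decrypt(key, iv, ct, tag[:4], aad, min_tag_length=4) == pt
    )
    return results
```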