[Cryptography-dev] GCM tag truncation, backwards compatibility
Alex Gaynor
alex.gaynor at gmail.com
Mon Jun 30 20:33:09 CEST 2014
Yes. FWIW, I think making truncation opt-in can be a first step to disabling
it entirely; with my patch there's now a clear place to apply deprecation
warnings (and I think we do need a deprecation cycle to completely remove
it).
On Mon, Jun 30, 2014 at 11:29 AM, Paul Kehrer <paul.l.kehrer at gmail.com>
wrote:
> If we entirely disable truncation we have a significant set of NIST
> vectors we can’t run tests against. It might be worth it though. I’ve never
> heard a good case for truncation outside of “well NIST allows it”.
>
>
> On June 30, 2014 at 12:27:32 PM, Glyph (glyph at twistedmatrix.com) wrote:
>
> On Jun 30, 2014, at 10:12 AM, Laurens Van Houtven <_ at lvh.io> wrote:
>
> Yes, yes, a thousand times yes!
>
> Keep in mind that if you truncate a GCM tag at all, let's say down to
> your 32 bit example, the security level for existential forgery is much
> lower than 32 bits. Furthermore, successful forgeries may reveal the
> authentication key. [Ferguson05]
>
>
> I don't entirely understand the attack here, but this sounds very much to
> me like truncation should simply be disabled, not opt-in.
>
> -glyph
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
--
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
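The opt-in behaviour under discussion, where a receiver refuses a truncated tag unless the caller explicitly lowers the minimum tag length, as an added example that is not code from this thread or from the project itself; it assumes the pyca/cryptography package is installed with the `min_tag_length` parameter on `modes.GCM`, and the key, nonce and AAD are constructed test values.

```python
"""GCM tag truncation as opt-in: constructed demo, not code from the thread.
Assumes the pyca/cryptography package is installed (min_tag_length on modes.GCM)."""
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

KEY = bytes(range(32))   # constructed 256-bit test key
IV = bytes(range(12))    # constructed 96-bit nonce; fixed here only for determinism
AAD = b"constructed-header"


def gcm_encrypt(plaintext):
    """AES-256-GCM encrypt; returns (ciphertext, full 16-byte tag)."""
    enc = Cipher(algorithms.AES(KEY), modes.GCM(IV), backend=default_backend()).encryptor()
    enc.authenticate_additional_data(AAD)
    return enc.update(plaintext) + enc.finalize(), enc.tag


def gcm_decrypt(ciphertext, tag, min_tag_length=16):
    """AES-256-GCM decrypt. With the library default (min_tag_length=16) a tag
    shorter than 16 bytes is refused with ValueError before any decryption;
    a caller must pass a smaller min_tag_length to opt in to truncation."""
    mode = modes.GCM(IV, tag, min_tag_length=min_tag_length)
    dec = Cipher(algorithms.AES(KEY), mode, backend=default_backend()).decryptor()
    dec.authenticate_additional_data(AAD)
    return dec.update(ciphertext) + dec.finalize()


def short_tag_policy(tag_bytes):
    """Return (refused_by_default, accepted_after_opt_in) for a tag cut to tag_bytes."""
    ct, tag = gcm_encrypt(b"attack at dawn")
    short = tag[:tag_bytes]
    try:
        gcm_decrypt(ct, short)           # default policy: full-length tag required
        refused = False
    except ValueError:
        refused = True
    # Explicit opt-in: the receiver states the shorter length it is willing to accept
    accepted = gcm_decrypt(ct, short, min_tag_length=tag_bytes) == b"attack at dawn"
    return refused, accepted


def tamper_detected(flip_index=0):
    """Flip one ciphertext bit and confirm the full-length tag rejects it."""
    ct, tag = gcm_encrypt(b"attack at dawn")
    bad = bytearray(ct)
    bad[flip_index] ^= 0x01
    try:
        gcm_decrypt(bytes(bad), tag)
    except InvalidTag:
        return True
    return False
```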