[Cryptography-dev] GCM tag truncation, backwards compatibility
Laurens Van Houtven
_ at lvh.io
Mon Jun 30 22:35:00 CEST 2014
This is hazmat, right? Keep in mind that some protocols may insist on
truncated tags, and, as bad of an idea as that may be, it should be
supported (if actively discouraged and certainly something you have to very
consciously opt in to).
On Mon, Jun 30, 2014 at 8:33 PM, Alex Gaynor <alex.gaynor at gmail.com> wrote:
> Yes. FWIW I think making truncation opt-in can be a first step to
> disabling it entirely, with my patch there's now a clear place to apply
> deprecation warnings (and I think we do need a deprecation cycle to
> completely remove it).
>
>
> On Mon, Jun 30, 2014 at 11:29 AM, Paul Kehrer <paul.l.kehrer at gmail.com>
> wrote:
>
>> If we entirely disable truncation we have a significant set of NIST
>> vectors we can’t run tests against. It might be worth it though. I’ve never
>> heard a good case for truncation outside of “well NIST allows it”.
>>
>>
>> On June 30, 2014 at 12:27:32 PM, Glyph (glyph at twistedmatrix.com) wrote:
>>
>> On Jun 30, 2014, at 10:12 AM, Laurens Van Houtven <_ at lvh.io> wrote:
>>
>> Yes, yes, a thousand times yes!
>>
>> Keep in mind that if you truncate a GCM tag at all, let's say down to
>> your 32 bit example, the security level for existential forgery is much
>> lower than 32 bits. Furthermore, successful forgeries may reveal the
>> authentication key. [Ferguson05]
>>
>>
>> I don't entirely understand the attack here, but this sounds very much to
>> me like truncation should simply be disabled, not opt-in.
>>
>> -glyph
>> _______________________________________________
>> Cryptography-dev mailing list
>> Cryptography-dev at python.org
>> https://mail.python.org/mailman/listinfo/cryptography-dev
>
>
> --
> "I disapprove of what you say, but I will defend to the death your right
> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: 125F 5C67 DFE9 4084
>
>
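
The opt-in design discussed in this thread, sketched as an added example (not code from the thread, from the patch it mentions, or from the library): tags shorter than 16 bytes are rejected unless the caller explicitly lowers the minimum, and lowering it is the one place a deprecation warning is raised. The names `check_tag_length`, `verify_tag` and `min_tag_length` are assumptions, and `computed_full_tag` is assumed to come from a real GCM implementation.

```python
import hmac
import warnings

# Tag lengths in bytes permitted by NIST SP 800-38D: 128, 120, 112, 104, 96 bits,
# plus 64 and 32 bits for restricted applications.
NIST_TAG_LENGTHS = frozenset({16, 15, 14, 13, 12, 8, 4})
FULL_TAG_LENGTH = 16


def check_tag_length(tag, min_tag_length=FULL_TAG_LENGTH):
    """Hypothetical policy gate: full tags pass, shorter ones need an explicit opt-in."""
    if min_tag_length not in NIST_TAG_LENGTHS:
        raise ValueError("min_tag_length must be a NIST-permitted tag length")
    if len(tag) not in NIST_TAG_LENGTHS:
        raise ValueError("%d bytes is not a valid GCM tag length" % len(tag))
    if len(tag) < min_tag_length:
        raise ValueError("tag is %d bytes, below the required minimum of %d"
                         % (len(tag), min_tag_length))
    if min_tag_length < FULL_TAG_LENGTH:
        # The caller lowered the minimum: the single place to warn about truncation.
        warnings.warn("truncated GCM tags are discouraged",
                      DeprecationWarning, stacklevel=2)


def verify_tag(computed_full_tag, received_tag, min_tag_length=FULL_TAG_LENGTH):
    """Compare a received, possibly truncated, tag with the full computed tag."""
    if len(computed_full_tag) != FULL_TAG_LENGTH:
        raise ValueError("computed tag must be the full 16 bytes")
    check_tag_length(received_tag, min_tag_length)
    # Constant-time comparison against the matching prefix of the full tag.
    return hmac.compare_digest(computed_full_tag[:len(received_tag)], received_tag)


if __name__ == "__main__":
    full = bytes(range(16))  # constructed stand-in for a computed 128-bit tag
    print(verify_tag(full, full))  # full-length tag, default policy
    try:
        verify_tag(full, full[:4])  # truncated tag without opt-in
    except ValueError as exc:
        print("rejected:", exc)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        print(verify_tag(full, full[:4], min_tag_length=4))  # explicit opt-in
```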