[Cryptography-dev] GCM tag truncation, backwards compatibility

Alex Stapleton alexs at prol.etari.at
Mon Jun 30 23:06:53 CEST 2014


Do we know any GCM-using applications that actually use this feature at 
all? Using sub-80-bit MACs hasn't been a good idea for quite a while, so 
truncation doesn't seem terribly attractive. If anything, 128 bits might 
seem a little small?


On 30 June 2014 19:33:23 Alex Gaynor <alex.gaynor at gmail.com> wrote:

> Yes. FWIW I think making truncation opt-in can be a first step to disabling
> it entirely, with my patch there's now a clear place to apply deprecation
> warnings (and I think we do need a deprecation cycle to completely remove
> it).
>
>
> On Mon, Jun 30, 2014 at 11:29 AM, Paul Kehrer <paul.l.kehrer at gmail.com>
> wrote:
>
> > If we entirely disable truncation we have a significant set of NIST
> > vectors we can’t run tests against. It might be worth it though. I’ve never
> > heard a good case for truncation outside of “well NIST allows it”.
> >
> >
> > On June 30, 2014 at 12:27:32 PM, Glyph (glyph at twistedmatrix.com) wrote:
> >
> > On Jun 30, 2014, at 10:12 AM, Laurens Van Houtven <_ at lvh.io> wrote:
> >
> > Yes, yes, a thousand times yes!
> >
> > Keep in mind that if you truncate a GCM tag at all, let's say down to
> > your 32 bit example, the security level for existential forgery is much
> > lower than 32 bits. Furthermore, successful forgeries may reveal the
> > authentication key. [Ferguson05]
> >
> >
> > I don't entirely understand the attack here, but this sounds very much to
> > me like truncation should simply be disabled, not opt-in.
> >
> > -glyph
> > _______________________________________________
> > Cryptography-dev mailing list
> > Cryptography-dev at python.org
> > https://mail.python.org/mailman/listinfo/cryptography-dev
> >
> >
> >
> >
>
>
> --
> "I disapprove of what you say, but I will defend to the death your right to
> say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: 125F 5C67 DFE9 4084
>
>
>
>
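The opt-in policy Alex Gaynor describes above (full tags by default, truncation only when the caller asks for it, with one place to hang a deprecation warning) can be sketched in plain Python. This is an added example for this thread, not code from the cryptography project or from any poster; the function names, the `min_tag_length` parameter and the 80-bit hard floor are assumptions chosen to match the discussion, and the sample tag is constructed.

```python
import hmac
import warnings

FULL_TAG_LEN = 16          # GCM's native 128-bit tag
DEFAULT_MIN_TAG_LEN = 16   # default policy: full tags only
FLOOR_TAG_LEN = 10         # hypothetical hard floor (80 bits); shorter tags are never accepted


def check_tag_policy(tag: bytes, min_tag_length: int = DEFAULT_MIN_TAG_LEN) -> int:
    """Validate a received GCM tag against a length policy and return its length.

    Truncation is opt-in: callers must lower min_tag_length explicitly, and
    every truncated tag that is accepted emits a DeprecationWarning, giving a
    later removal of truncation a single place to hook in.
    """
    if not FLOOR_TAG_LEN <= min_tag_length <= FULL_TAG_LEN:
        raise ValueError(
            f"min_tag_length must be between {FLOOR_TAG_LEN} and {FULL_TAG_LEN} bytes")
    if len(tag) > FULL_TAG_LEN:
        raise ValueError("GCM tags are at most 16 bytes")
    if len(tag) < min_tag_length:
        raise ValueError(
            f"tag is {len(tag) * 8} bits; policy requires at least {min_tag_length * 8}")
    if len(tag) < FULL_TAG_LEN:
        # A truncated tag weakens the forgery bound and, per the Ferguson
        # result cited in the thread, a successful forgery may leak the hash key.
        warnings.warn(
            f"accepting a truncated {len(tag) * 8}-bit GCM tag; truncation is deprecated",
            DeprecationWarning, stacklevel=2)
    return len(tag)


def verify_tag(expected_full_tag: bytes, received: bytes,
               min_tag_length: int = DEFAULT_MIN_TAG_LEN) -> bool:
    """Compare the full tag recomputed by the decryptor against the received tag.

    The received tag decides how many bytes are compared, but only after the
    policy check has accepted that length; the comparison is constant-time.
    """
    if len(expected_full_tag) != FULL_TAG_LEN:
        raise ValueError("expected tag must be the full 16-byte GCM tag")
    n = check_tag_policy(received, min_tag_length)
    return hmac.compare_digest(expected_full_tag[:n], received)


def accepts_truncated_tag(expected_full_tag: bytes, received: bytes,
                          min_tag_length: int) -> tuple:
    """Report (accepted, warned) for a received tag under a given policy.

    A policy rejection (ValueError) is reported as (False, False).
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        try:
            ok = verify_tag(expected_full_tag, received, min_tag_length)
        except ValueError:
            return (False, False)
    warned = any(issubclass(w.category, DeprecationWarning) for w in caught)
    return (ok, warned)


# Constructed sample: a full 128-bit tag as the decryptor would recompute it.
SAMPLE_TAG = bytes(range(16))

if __name__ == "__main__":
    print(verify_tag(SAMPLE_TAG, SAMPLE_TAG))                       # True
    print(accepts_truncated_tag(SAMPLE_TAG, SAMPLE_TAG[:12], 16))   # (False, False): not opted in
    print(accepts_truncated_tag(SAMPLE_TAG, SAMPLE_TAG[:12], 12))   # (True, True): opted in, warned
    print(accepts_truncated_tag(SAMPLE_TAG, SAMPLE_TAG[:4], 12))    # (False, False): below policy
```

The hard floor means that even an explicit opt-in cannot reach the 32-bit case Laurens mentions; an application that must interoperate with a peer sending short tags has to lower `min_tag_length` deliberately and will see the warning on every accepted truncated tag.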