[Cryptography-dev] GCM tag truncation, backwards compatibility
Alex Gaynor
alex.gaynor at gmail.com
Mon Jun 30 18:29:04 CEST 2014
Background:
Right now when you provide a tag to GCM for decryption/verification, we
allow it to be truncated, always. This means that applications that don't
want truncation must add their own length checking.
Analysis:
This is terrible, because it means most applications will silently allow
truncation down to a 4-byte MAC (32-bits), which is much easier to brute
force or otherwise exploit than the full 16-byte MAC.
Proposal:
Changing the constructor to disallow truncated MACs by default, and require
the user to explicitly opt in to truncation.
This is technically backwards-incompatible, but I think it's a good change,
because of the enormity of the improvement in security.
A patch doing this is here: https://github.com/pyca/cryptography/pull/1201
Feedback please!
Alex
--
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: 125F 5C67 DFE9 4084
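The behaviour the proposal asks for, as it exists in pyca/cryptography's `modes.GCM` (the `min_tag_length` parameter, default 16): an added example, not code from the post or the linked patch. It assumes the `cryptography` package is installed; the key, IV and message are constructed values.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed test values (never reuse a key/IV pair like this in real code).
KEY = bytes(range(16))        # AES-128 key
IV = bytes(12)                # 96-bit GCM nonce
MESSAGE = b"tag truncation is opt-in, not the default"


def encrypt(key, iv, plaintext):
    """AES-GCM encrypt; returns (ciphertext, full 16-byte tag)."""
    enc = Cipher(algorithms.AES(key), modes.GCM(iv),
                 backend=default_backend()).encryptor()
    ct = enc.update(plaintext) + enc.finalize()
    return ct, enc.tag


def decrypt(key, iv, ciphertext, tag, min_tag_length=16):
    """AES-GCM decrypt and verify.

    Returns the plaintext, or None when the tag fails verification.
    Raises ValueError (from modes.GCM itself, before any decryption
    happens) when the supplied tag is shorter than min_tag_length.
    """
    mode = modes.GCM(iv, tag, min_tag_length=min_tag_length)
    dec = Cipher(algorithms.AES(key), mode,
                 backend=default_backend()).decryptor()
    try:
        return dec.update(ciphertext) + dec.finalize()
    except InvalidTag:
        return None


def truncation_outcome(key, iv, ciphertext, tag, keep_bytes, min_tag_length=16):
    """Classify what happens when only the first keep_bytes of the tag
    reach the verifier: 'rejected_short_tag' (refused up front),
    'accepted' (verified), or 'invalid_tag' (length ok, MAC wrong)."""
    truncated = tag[:keep_bytes]
    try:
        plaintext = decrypt(key, iv, ciphertext, truncated, min_tag_length)
    except ValueError:
        return "rejected_short_tag"
    return "accepted" if plaintext is not None else "invalid_tag"


if __name__ == "__main__":
    ct, tag = encrypt(KEY, IV, MESSAGE)
    print("full tag, default policy:", truncation_outcome(KEY, IV, ct, tag, 16))
    print("4-byte tag, default policy:", truncation_outcome(KEY, IV, ct, tag, 4))
    print("4-byte tag, explicit opt-in:", truncation_outcome(KEY, IV, ct, tag, 4, 4))
```

With the default policy the 4-byte tag is refused by the `GCM` constructor itself, so no decryption is attempted; only a caller that passes `min_tag_length=4` gets the old always-accept behaviour.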