proposal: crypto/cipher: allow short tags in NewGCMWithNonceAndTagSize #24171

Open
ashi009 opened this Issue Feb 28, 2018 · 4 comments


ashi009 commented Feb 28, 2018

With the new API for customizing the GCM tag size, it's finally possible to reduce the GCM tag overhead for some applications. However, the new API comes with a hard limit on the minimal tag size, 12 bytes, which is just a 4-byte saving compared to the default value.

For our use case, we use AES128-GCM to perform EtA on an IP packet flow. The data to encrypt has a bounded max size, and we call the authenticated decryption function a limited number of times. As we meet the circumstances described in Appendix C of NIST 800-38D, using an 8-byte tag would be overkill (<1400B payload and <2^31 invocations).

For the above reason, I'm proposing to relax the limit on the minimal tag size, and add a longer doc string for this function. It's understandable that a crypto library should be safe to use with its default parameters without further mangling, but an API designed to customize the behavior should provide more flexibility.

@gopherbot gopherbot added this to the Proposal milestone Feb 28, 2018

@gopherbot gopherbot added the Proposal label Feb 28, 2018

Contributor

rsc commented Mar 5, 2018

It seems like NewGCMWithNonceAndTagSize should at least be NewGCMWithSizes or NewSizedGCM or something shorter like that.

I don't know the security implications of allowing < 12 byte tags. /cc @agl @FiloSottile

@rsc rsc changed the title from "proposal: Relax the tag size limit of cipher.NewGCMWithNonceAndTagSize" to "proposal: crypto/cipher: allow short tags in NewGCMWithNonceAndTagSize" Mar 5, 2018


ashi009 commented Mar 16, 2018

@rsc I can send a 3-line CL for this one -- probably not the renaming bit but just change the const and add some extra doc strings ;)

Contributor

rsc commented Apr 20, 2018

Two issues:

  1. NewGCMWithNonceAndTagSize should maybe be just NewGCMWithTagSize. The ability to change the nonce was a workaround for one special protocol, not a typical general need.
  2. Using the smaller tags is not always safe. We're worried about people misusing small tags and ending up with security problems. One possibility is to panic if too large a packet is used with too small a tag.

It's not clear from the original report what tag size you are asking for, @ashi009, since you said "8 byte would be overkill". What are you looking for?


ashi009 commented Apr 21, 2018

  1. Understood. (Also noticed that the naming issue is tracked in #24977)
  2. Choosing a secure tag size should be the user's responsibility, as they have diverged from the safe default. I'd say just put a big warning on top, and let them decide.

I'd go with a 6-byte tag. My calculations show that it's sufficient for our use case (data obfuscation and weak integration check, as the cleartext is encrypted already).

Also, as shown in NIST 800-38D Appendix C, an 8-byte tag can be used to encrypt cleartext up to 2^15B no more than 2^32 times, which exceeds our need by orders of magnitude.
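As an added example (not code from this issue or from the Go project), the probe below uses cipher.NewGCMWithTagSize, the name this constructor shipped under after the renaming tracked in #24977, to show the 12..16 byte tag range the thread argues about, the per-packet overhead a 1400-byte payload carries with a 12-byte tag, and that a single flipped tag bit is still rejected at the minimum size. The key and nonce are constructed constants for the probe only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Constructed key and nonce for this probe; a real protocol never reuses a nonce under one key.
var (
	demoKey   = bytes.Repeat([]byte{0x01}, 16)
	demoNonce = bytes.Repeat([]byte{0x02}, 12)
)

// newAEAD builds AES-128-GCM with the requested tag size. NewGCMWithTagSize
// still enforces the 12..16 byte range this issue discusses and errors otherwise.
func newAEAD(tagSize int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithTagSize(block, tagSize)
}

// tagSizeAccepted reports whether the library accepts the tag size at all.
func tagSizeAccepted(tagSize int) bool {
	_, err := newAEAD(tagSize)
	return err == nil
}

// sealOverhead seals a plaintextLen-byte constructed payload with a tagSize-byte tag,
// checks the round trip and that a flipped tag bit is rejected, and returns the overhead.
func sealOverhead(tagSize, plaintextLen int) (int, error) {
	aead, err := newAEAD(tagSize)
	if err != nil {
		return 0, err
	}
	plaintext := bytes.Repeat([]byte{0x42}, plaintextLen) // constructed payload
	ct := aead.Seal(nil, demoNonce, plaintext, nil)
	if pt, err := aead.Open(nil, demoNonce, ct, nil); err != nil || !bytes.Equal(pt, plaintext) {
		return 0, errors.New("round trip failed")
	}
	tampered := append([]byte(nil), ct...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the trailing tag
	if _, err := aead.Open(nil, demoNonce, tampered, nil); err == nil {
		return 0, errors.New("tampered ciphertext accepted")
	}
	return len(ct) - plaintextLen, nil
}
```

The overhead returned is exactly the tag size, so the 12-byte floor leaves the 4-byte saving the opener describes and nothing more.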
