Re: applying AES-GCM to secure shell: proposed "tweak"

To: Tim Polk <tim.polk%nist.gov@localhost>
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"
From: Nicolas Williams <Nicolas.Williams%sun.com@localhost>
Date: Tue, 21 Apr 2009 11:42:42 -0500

I've confirmed with an expert who should know (Darren Moffat) that the
PKCS#11 AEAD interfaces DO NOT allow retrieval of any plaintext before
the authentication tag has been found and verified.

It makes sense even for AEAD modes which can be seen composed
generically with a MAC (and especially for those that can't be).
Suppose we do something like C_DecryptInit(), C_DecryptUpdate(), ...,
C_DecryptFinal(), and the first bit of input is just long enough to
contain an authentication tag, then the mechanism can't know whether it
is ciphertext or a tag until more of the message is provided via
C_DecryptUpdate().

Nico
--

References:
- applying AES-GCM to secure shell: proposed "tweak"
  - From: Tim Polk

Prev by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Date: Fwd: New Version Notification for draft-green-secsh-ecc-07
Previous by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Thread: RE: applying AES-GCM to secure shell: proposed "tweak"
Indexes:

Home | Main Index | Thread Index | Old Index