IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



I've confirmed with an expert who should know (Darren Moffat) that the
PKCS#11 AEAD interfaces DO NOT allow retrieval of any plaintext before
the authentication tag has been found and verified.

It makes sense even for AEAD modes which can be seen as composed
generically with a MAC (and especially for those that can't be).
Suppose we do something like C_DecryptInit(), C_DecryptUpdate(), ...,
C_DecryptFinal(), and the first bit of input is just long enough to
contain an authentication tag, then the mechanism can't know whether it
is ciphertext or a tag until more of the message is provided via
C_DecryptUpdate().

Nico
-- 
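Added illustration of the interface behaviour described in the message above; this is not code from the thread, from PKCS#11 or from any SSH implementation. It mimics the C_DecryptInit / C_DecryptUpdate / C_DecryptFinal shape in a hypothetical Python class (`StreamingOpen`), using a generic Encrypt-then-MAC construction built from HMAC-SHA256 as a constructed stand-in for AES-GCM so that it runs with the standard library only; the 4-byte AAD stands for an SSH packet_length field.

```python
import hmac
import hashlib

TAG_LEN = 16  # 128-bit tag, the size AES-GCM produces in SSH


def _subkeys(key):
    # Separate encryption and MAC keys for the generic Encrypt-then-MAC composition.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # Counter-mode PRF from HMAC-SHA256: a constructed stand-in for AES-CTR.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _tag(mac_key, aad, nonce, ct):
    return hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]


def seal(key, nonce, aad, plaintext):
    # Encrypt, then authenticate AAD || nonce || ciphertext; the tag is appended.
    enc_key, mac_key = _subkeys(key)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct + _tag(mac_key, aad, nonce, ct)


class StreamingOpen:
    """Hypothetical mirror of C_DecryptInit / C_DecryptUpdate / C_DecryptFinal.
    update() never hands back plaintext: the bytes seen so far may be ciphertext
    or the tag, and nothing is trusted until final() has verified the tag."""

    def __init__(self, key, nonce, aad):
        self.enc_key, self.mac_key = _subkeys(key)
        self.nonce, self.aad, self.buf = nonce, aad, b""

    def update(self, chunk):
        self.buf += chunk
        return b""  # withheld even when chunk is exactly TAG_LEN bytes long

    def final(self):
        if len(self.buf) < TAG_LEN:
            raise ValueError("input shorter than the authentication tag")
        ct, tag = self.buf[:-TAG_LEN], self.buf[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.mac_key, self.aad, self.nonce, ct)):
            raise ValueError("authentication failed; no plaintext released")
        ks = _keystream(self.enc_key, self.nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))
```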