CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible

Bernd Eckenfels bernd-2014 at eckenfels.net
Tue Mar 4 22:16:03 UTC 2014


On Tue, 4 Mar 2014 22:56:17 +0100,
Philipp Heckel <philipp.heckel at gmail.com> wrote:

> ad 3) FilterInputStream and InputStream have no special requirements
> with regard to how encrypted data is processed.

Actually there are examples in the JDK which do a checksum after
returning data, for example the GZIPInputStream. And that is exactly
why I would expect CipherInputStream to do it as well.

In the case of GZIPInputStream the trailer CRC is actually checked in the
last read(); this has some advantages in the case when input streams
are silently closed. But if I use an integrity-checked stream I normally,
by definition, make sure to read till the end and check the close().

Bernd

BTW: thanks Florian for mentioning that it might not be a good idea to
uncompress unverified data. (But this point does not make me happy from
a streaming perspective :)
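An added example, not code from this thread or from the JDK, showing the behaviour the message describes: a tampered AES-GCM ciphertext fails the tag check in Cipher.doFinal(), and the same bytes are then read through CipherInputStream to EOF and closed, which is the point at which a streaming integrity check can run. The class name GcmStreamCheck, the helper names and the sample message are assumptions; whether the stream path reports the tampering depends on the JDK version, which is exactly the subject of this thread.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class GcmStreamCheck {
    static final int TAG_BITS = 128;   // GCM authentication tag length

    // Helper (assumed name): an AES-GCM cipher initialised for the given mode.
    static Cipher gcm(int mode, SecretKey key, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(TAG_BITS, iv));
        return c;
    }

    // Drains the stream to EOF and closes it, so the tag check at the end of
    // the data has a chance to run; any IOException is treated as tampering.
    static boolean consumeAndVerify(InputStream in) {
        try (InputStream s = in) {
            byte[] buf = new byte[64];
            while (s.read(buf) != -1) { /* drain; do not act on plaintext yet */ }
            return true;
        } catch (IOException e) {   // may wrap AEADBadTagException, depending on the JDK
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, key, iv).doFinal("constructed sample message".getBytes("UTF-8"));
        ct[0] ^= 0x01;   // flip one bit of the ciphertext (constructed tampering)
        // One-shot decryption: the tag mismatch is always raised here.
        try {
            gcm(Cipher.DECRYPT_MODE, key, iv).doFinal(ct);
            System.out.println("doFinal: tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("doFinal: tampering detected");
        }
        // Streaming decryption, read to EOF and closed as the message recommends.
        boolean ok = consumeAndVerify(new CipherInputStream(new ByteArrayInputStream(ct), gcm(Cipher.DECRYPT_MODE, key, iv)));
        System.out.println("CipherInputStream: tampering " + (ok ? "NOT detected" : "detected"));
    }
}
```

The safe pattern for a consumer is the one in consumeAndVerify(): treat plaintext as untrusted until the stream has reached EOF and close() has returned without error.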
