CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible
Bernd Eckenfels
bernd-2014 at eckenfels.net
Thu Mar 6 21:01:57 UTC 2014
On Thu, 6 Mar 2014 21:14:06 +0100,
Philipp Heckel <philipp.heckel at gmail.com> wrote:
> - Using org.bouncycastle.crypto.io.CipherInputStream with a cipher in
> GCM mode and the BC provider is secure and can be used for large
> files. However it does not work exactly like the GCM spec defined;
> namely, it returns unauthenticated data before the tag has been
> checked.
My thinking was that the "streamed" mode is useful, but the "secure"
mode is also useful. At least for BC I would recommend having two
different cipher specs, a /GCM/ and a /GCMSTREAM/ mode. The latter one
would not be enabled in FIPS mode. (Ideally BC uses the same secure
semantics with the JCE compatible spec).
> Do you think it would be possible to at least mention possible issues
> like this in the JavaDoc for CipherInputStream?
I think it is very important to mention in the Javadoc that it suppresses
padding and authentication exceptions.
Greetings
Bernd
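To make the thread's point concrete, here is an added example (not from the thread and not BC's code) written against the JCE API: it encrypts a constructed sample with AES/GCM, flips one ciphertext bit, and contrasts Cipher.doFinal, which verifies the tag before returning any plaintext, with a chunked read through javax.crypto.CipherInputStream. How many bytes the streamed read hands out before the tag mismatch surfaces depends on the provider: one whose update() releases plaintext incrementally (as reported above for BC) hands out unauthenticated bytes, while a provider that buffers all GCM ciphertext until doFinal hands out none.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class GcmStreamDemo {
    static Cipher gcm(int mode, SecretKey key, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(128, iv));
        return c;
    }

    // All-or-nothing: doFinal verifies the tag before returning any plaintext,
    // so a tampered message yields AEADBadTagException and zero bytes.
    static byte[] decryptAuthenticated(SecretKey key, byte[] iv, byte[] ct) throws Exception {
        return gcm(Cipher.DECRYPT_MODE, key, iv).doFinal(ct);
    }

    // Streaming read: counts plaintext bytes a consumer has already received by the
    // time the stream ends or reports a failure. A provider whose update() releases
    // plaintext (as the thread describes for BC) hands out unauthenticated bytes here.
    static int bytesReleasedBeforeTagCheck(SecretKey key, byte[] iv, byte[] ct) throws Exception {
        int released = 0;
        try (CipherInputStream in = new CipherInputStream(
                new ByteArrayInputStream(ct), gcm(Cipher.DECRYPT_MODE, key, iv))) {
            byte[] chunk = new byte[16]; int n;
            while ((n = in.read(chunk)) != -1) released += n;
        } catch (IOException badTag) { /* reported late, or swallowed by some providers */ }
        return released;
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);                 // 96-bit nonce, never reused with this key
        byte[] pt = "constructed sample: long enough to span several 16-byte reads".getBytes(StandardCharsets.UTF_8);
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, key, iv).doFinal(pt);
        ct[3] ^= 0x01;                                    // flip one ciphertext bit: tag no longer matches
        try {
            decryptAuthenticated(key, iv, ct);
        } catch (AEADBadTagException e) {
            System.out.println("doFinal: rejected, 0 plaintext bytes released");
        }
        System.out.println("CipherInputStream: " + bytesReleasedBeforeTagCheck(key, iv, ct) + " plaintext bytes released before the tag was checked");
    }
}
```

Run it once with the default provider and once with BC registered to see the difference in the second line of output; for data that fits in memory, the doFinal path is the one that honours the GCM spec's "no plaintext before the tag verifies" rule.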