CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible

Bernd Eckenfels bernd-2014 at eckenfels.net
Thu Mar 6 13:01:57 PST 2014


Am Thu, 6 Mar 2014 21:14:06 +0100
schrieb Philipp Heckel <philipp.heckel at gmail.com>:

> - Using org.bouncycaslte.crypto.io.CipherInputStream with a cipher in
> GCM mode and the BC provider is secure and can be used for large
> files. However it does not work exactly like the GCM spec defined;
> namely, it returns unauthenticated data before the tag has been
> checked.

My thinking was, that the "streamed" mode is usefull, but the "secure"
mode is also usefull. At least for BC I would recommend to have two
different cipher specs. A /GCM/ and a /GCMSTREAM/ mode. The later one
would not be enabled in FIPS mode. (Ideally BC uses the same secure
semantics with the JCE compatible spec).

> Do you think it would be possible to at least mention possible issues
> like this in the JavaDoc for CipherInputStream?

I think this is very important to be mentioned that it suppresses
padding and authentication exceptions in the Javadoc.

Greetings
Bernd


More information about the security-dev mailing list