CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible

Xuelei Fan xuelei.fan at oracle.com
Thu Mar 6 23:03:27 UTC 2014


On 3/7/2014 4:14 AM, Philipp Heckel wrote:
> - Using org.bouncycastle.crypto.io.CipherInputStream with a cipher in
> GCM mode and the BC provider is secure and can be used for large files.
> However it does not work exactly like the GCM spec defined; namely, it
> returns unauthenticated data before the tag has been checked.
In such a case, if the bytes read from the stream
(CipherInputStream) are used in applications (for example, save the
bytes, and then close the stream.  Even if you can catch the exception, did
the dev really program to roll back the previous actions, especially for a
large chunk of data?  In some cases, one has to buffer something, here
or there, this way or that way.), it cannot be guaranteed that the bytes
are the expected bytes, as the tag has not been checked.  Therefore, it
is not secure from my point of view.

Xuelei
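The failure mode discussed in this thread, as an added illustration that is not part of the original mail and is not the BC or JDK code: a decrypting stream that releases plaintext chunk by chunk and only checks the authentication tag once the underlying input is exhausted, next to a consumer that writes every chunk straight to its sink (the "save the bytes, then close the stream" pattern) and a consumer that holds the plaintext back until the tag check has passed. The AEAD here is a constructed toy (SHA-256 counter keystream plus an HMAC-SHA256 tag over the ciphertext), chosen only so the example runs on the standard library; the streaming behaviour it mimics is the point, not the cipher. Key, nonce and message values are constructed.

```python
import hashlib
import hmac
import io

KEY_LEN = 32
TAG_LEN = 32  # HMAC-SHA256 tag appended after the ciphertext


class InvalidTag(Exception):
    """Raised when the trailing tag does not match the ciphertext."""


def _xor_keystream(key, nonce, offset, data):
    """XOR data with a toy SHA-256 counter keystream starting at byte offset.
    Constructed for this example; not a real cipher."""
    out = bytearray()
    block_cache = {}
    for j, byte in enumerate(data):
        pos = offset + j
        blk = pos // 32
        if blk not in block_cache:
            block_cache[blk] = hashlib.sha256(
                key + nonce + blk.to_bytes(8, "big")).digest()
        out.append(byte ^ block_cache[blk][pos % 32])
    return bytes(out)


def toy_aead_encrypt(key, nonce, plaintext):
    """Encrypt-then-MAC: ciphertext followed by a tag over nonce||ciphertext."""
    ct = _xor_keystream(key, nonce, 0, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


class LeakyDecryptingStream:
    """Mimics a CipherInputStream over an AEAD cipher that hands plaintext to
    the caller as soon as it is decrypted and verifies the tag only at the end."""

    def __init__(self, key, nonce, src, chunk=16):
        self.key, self.nonce, self.src, self.chunk = key, nonce, src, chunk
        self.mac = hmac.new(key, nonce, hashlib.sha256)
        self.pending = b""   # ciphertext read from src but not yet decrypted
        self.offset = 0      # plaintext bytes released so far
        self.eof = False
        self.done = False

    def read(self):
        """Return the next plaintext chunk, or b"" once the tag has been checked.
        InvalidTag is raised only after every earlier chunk was already released."""
        if self.done:
            return b""
        # Always hold back TAG_LEN bytes so the trailing tag is never decrypted.
        while not self.eof and len(self.pending) < self.chunk + TAG_LEN:
            more = self.src.read(self.chunk)
            if not more:
                self.eof = True
            else:
                self.pending += more
        if len(self.pending) > TAG_LEN:
            take = min(self.chunk, len(self.pending) - TAG_LEN)
            ct, self.pending = self.pending[:take], self.pending[take:]
            self.mac.update(ct)
            pt = _xor_keystream(self.key, self.nonce, self.offset, ct)
            self.offset += take
            return pt
        # Only the tag remains: verify it now, after all plaintext went out.
        self.done = True
        if not hmac.compare_digest(self.mac.digest(), self.pending):
            raise InvalidTag("authentication tag mismatch")
        return b""


def naive_save(stream, sink):
    """The pattern the mail warns about: each chunk reaches the sink before
    the tag is checked, so a failure at the end cannot undo what was written."""
    while True:
        chunk = stream.read()
        if not chunk:
            break
        sink.write(chunk)


def safe_decrypt(key, nonce, src):
    """Defensive consumer: collect plaintext in a private buffer and hand it
    out only after the stream finished without InvalidTag. For large inputs
    the buffer would be a temporary file that is renamed into place on success."""
    buf = io.BytesIO()
    naive_save(LeakyDecryptingStream(key, nonce, src), buf)
    return buf.getvalue()


def roundtrip(message):
    """Untampered data decrypts normally through the safe consumer."""
    key, nonce = b"k" * KEY_LEN, b"n" * 12  # constructed values
    return safe_decrypt(key, nonce, io.BytesIO(toy_aead_encrypt(key, nonce, message)))


def demo_tampering():
    """Flip one ciphertext bit and feed it to the naive consumer.
    Returns (InvalidTag raised, bytes that reached the sink, sink == message)."""
    key, nonce = b"k" * KEY_LEN, b"n" * 12
    message = b"The quick brown fox jumps over the lazy dog. " * 4
    blob = bytearray(toy_aead_encrypt(key, nonce, message))
    blob[10] ^= 0x01
    sink = io.BytesIO()
    try:
        naive_save(LeakyDecryptingStream(key, nonce, io.BytesIO(bytes(blob))), sink)
        raised = False
    except InvalidTag:
        raised = True
    leaked = sink.getvalue()
    return raised, len(leaked), leaked == message


if __name__ == "__main__":
    print(demo_tampering())  # every byte was written out before the tag failed
```

With the naive consumer the exception does arrive, but only after all 180 bytes (one of them corrupted) have already been written to the sink, which is exactly the roll-back problem described above. The safe consumer never lets a byte escape the function until the stream has closed cleanly.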