CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible

Matthew Hall mhall at mhcomputing.net
Thu Mar 6 23:44:27 UTC 2014


On Thu, Mar 06, 2014 at 10:01:57PM +0100, Bernd Eckenfels wrote:
> My thinking was that the "streamed" mode is useful, but the "secure"
> mode is also useful. At least for BC I would recommend to have two
> different cipher specs. A /GCM/ and a /GCMSTREAM/ mode. The latter one
> would not be enabled in FIPS mode. (Ideally BC uses the same secure
> semantics with the JCE compatible spec).

Then you get very poor performance, with double-buffering, when the product is 
put into the FIPS mode.

Matthew.
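The "secure" semantics Bernd describes, written out as an added Java example (not code from this thread, from the JDK, or from Bouncy Castle): the whole ciphertext is buffered, then decrypted and tag-checked in a single doFinal(), so no plaintext reaches the caller before the GCM tag has been verified. The double-buffering cost Matthew objects to is visible in the code: the full ciphertext and the full plaintext are both held in memory. The class name, method name and sample message are assumptions chosen for the example.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical helper illustrating "verify the tag, then release plaintext" for AES-GCM.
public class BufferedGcmDecrypt {
    private static final int TAG_BITS = 128;
    private static final int IV_BYTES = 12;

    // Reads the entire ciphertext stream, then decrypts and verifies the tag in one
    // doFinal(). If the tag does not match, doFinal() throws AEADBadTagException and
    // nothing is returned. The price is holding ciphertext and plaintext in memory,
    // rather than streaming chunks to the caller as a CipherInputStream would.
    static byte[] decryptVerifiedOrFail(SecretKey key, byte[] iv, InputStream ciphertextIn)
            throws IOException, GeneralSecurityException {
        ByteArrayOutputStream buffered = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = ciphertextIn.read(chunk)) != -1) {
            buffered.write(chunk, 0, n);
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return cipher.doFinal(buffered.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key, IV and message for the demonstration.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        byte[] plaintext = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ciphertext = enc.doFinal(plaintext); // ciphertext || 16-byte tag

        // Intact ciphertext: tag verifies, plaintext is returned.
        byte[] recovered = decryptVerifiedOrFail(key, iv, new ByteArrayInputStream(ciphertext));
        System.out.println("intact ciphertext accepted: " + Arrays.equals(recovered, plaintext));

        // Integrity check: a single flipped bit must be rejected with no plaintext released.
        byte[] modified = ciphertext.clone();
        modified[0] ^= 0x01;
        try {
            decryptVerifiedOrFail(key, iv, new ByteArrayInputStream(modified));
            System.out.println("modified ciphertext accepted (this should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("modified ciphertext rejected, no plaintext released");
        }
    }
}
```

The trade-off is exactly the one under discussion: this helper gives the integrity guarantee GCM is meant to provide, at the cost of memory proportional to the message size, whereas a streamed decryptor can hand out plaintext chunks before it has seen the tag. A consumer that must stream large messages safely has to be designed so that nothing is acted on until the verified end of the message is reached.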
