CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible

Tim Whittington jdk-security-dev at whittington.net.nz
Sun Mar 9 09:50:27 UTC 2014


On 7/03/2014, at 9:14 am, Philipp Heckel <philipp.heckel at gmail.com> wrote:

> - Using javax.crypto.CipherInputStream with a cipher in GCM mode and the SunJCE provider (JDK8+) is secure, but cannot be used for large files, because it will buffer all data until the tag is verified (as defined by the GCM spec) [1]

This (the part about it being secure) is not correct: when using javax.crypto.CipherInputStream with a cipher in GCM mode and the SunJCE provider (JDK8+), any tampering with the ciphertext will silently treat the result as a 0-byte authenticated stream.

cheers
tim
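Added example, not part of the thread and not JDK code: a small Java program that reproduces the failure mode Tim describes (a flipped ciphertext bit read through CipherInputStream yields an empty stream rather than an error on affected JDKs) next to the fail-closed alternative of calling Cipher.doFinal() directly, where the bad tag surfaces as AEADBadTagException. It assumes AES/GCM with a 128-bit tag and a constructed random key and 96-bit IV; the class and method names are mine.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.security.*;

public class GcmTamperCheck {
    static final int TAG_BITS = 128;   // constructed parameters; the 96-bit IV must never be reused per key
    static Cipher gcm(int mode, SecretKey key, byte[] iv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(TAG_BITS, iv));
        return c;
    }
    // Path the thread discusses: pull plaintext through CipherInputStream and count what comes out.
    static int bytesViaStream(SecretKey key, byte[] iv, byte[] ct) throws Exception {
        try (InputStream in = new CipherInputStream(new ByteArrayInputStream(ct),
                                                    gcm(Cipher.DECRYPT_MODE, key, iv))) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
            return out.size();
        }
    }
    // Fail-closed path: doFinal() throws AEADBadTagException when the tag does not verify.
    static byte[] decryptOneShot(SecretKey key, byte[] iv, byte[] ct) throws GeneralSecurityException {
        return gcm(Cipher.DECRYPT_MODE, key, iv).doFinal(ct);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, key, iv).doFinal("sixteen byte msg".getBytes("UTF-8"));
        byte[] tampered = ct.clone();
        tampered[0] ^= 0x01;   // flip one ciphertext bit so the authentication tag must fail

        System.out.println("stream, intact:   " + bytesViaStream(key, iv, ct) + " bytes");
        try {   // affected JDKs: immediate EOF, i.e. an empty but apparently successful read
            System.out.println("stream, tampered: " + bytesViaStream(key, iv, tampered) + " bytes");
        } catch (IOException e) {   // later JDKs surface the bad tag as an IOException instead
            System.out.println("stream, tampered: rejected, " + e.getMessage());
        }
        try {
            decryptOneShot(key, iv, tampered);
            System.out.println("doFinal, tampered: accepted (must never happen)");
        } catch (AEADBadTagException e) {
            System.out.println("doFinal, tampered: rejected, " + e.getMessage());
        }
    }
}
```

A decryptor that must stream large inputs should therefore not treat an empty CipherInputStream result as success; on the affected JDKs only the one-shot doFinal() path, or an explicit length check against the expected plaintext size, turns tampering into a hard failure.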
