CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible
Tim Whittington
jdk-security-dev at whittington.net.nz
Sun Mar 9 09:50:27 UTC 2014
On 7/03/2014, at 9:14 am, Philipp Heckel <philipp.heckel at gmail.com> wrote:
> - Using javax.crypto.CipherInputStream with a cipher in GCM mode and the SunJCE provider (JDK8+) is secure, but cannot be used for large files, because it will buffer all data until the tag is verified (as defined by the GCM spec) [1]
This (the part about it being secure) is not correct - when using javax.crypto.CipherInputStream with a cipher in GCM mode and the SunJCE provider (JDK8+) any tampering with the ciphertext will silently treat the result as a 0 byte authenticated stream.
cheers
tim
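An added example, not part of the thread: a small Java harness that decrypts a deliberately corrupted AES/GCM ciphertext once through CipherInputStream and once through Cipher.doFinal, so a reader can see on their own JDK whether the stream surfaces the tag failure or silently yields an empty result, and why a consumer should never accept a zero-length plaintext from a non-empty ciphertext. The class name, key, IV and sample message are assumptions made for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class GcmStreamCheck {
    static final int TAG_BITS = 128;

    static Cipher gcm(int mode, byte[] key, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        return c;
    }

    // Drains a CipherInputStream and returns whatever plaintext it produced.
    static byte[] drain(byte[] key, byte[] iv, byte[] ciphertext) throws Exception {
        try (CipherInputStream in = new CipherInputStream(
                new ByteArrayInputStream(ciphertext), gcm(Cipher.DECRYPT_MODE, key, iv))) {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
            return out.toByteArray();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16], iv = new byte[12];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(key); rng.nextBytes(iv);
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, key, iv).doFinal(msg);
        ct[3] ^= 0x01; // corrupt one ciphertext byte, as an in-transit error would
        try {
            byte[] got = drain(key, iv, ct);
            // On a JDK with the behaviour described above this branch runs with got.length == 0.
            // A consumer that ignores the length cannot tell a tampered stream from an empty one.
            System.out.println("stream returned " + got.length + " bytes"
                + (got.length == 0 && ct.length > 0 ? " -> REJECT (empty result from non-empty input)" : ""));
        } catch (IOException e) {
            System.out.println("stream reported tag failure: " + e); // later JDKs wrap AEADBadTagException
        }
        // Cipher.doFinal always raises AEADBadTagException when the tag does not verify.
        try { gcm(Cipher.DECRYPT_MODE, key, iv).doFinal(ct); }
        catch (AEADBadTagException e) { System.out.println("doFinal rejected: " + e); }
    }
}
```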