CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible

Tim Whittington jdk-security-dev at whittington.net.nz
Sun Mar 9 18:31:23 UTC 2014


On 9/03/2014, at 10:50 pm, Tim Whittington <jdk-security-dev at whittington.net.nz> wrote:

> 
> On 7/03/2014, at 9:14 am, Philipp Heckel <philipp.heckel at gmail.com> wrote:
> 
>> - Using javax.crypto.CipherInputStream with a cipher in GCM mode and the SunJCE provider (JDK8+) is secure, but cannot be used for large files, because it will buffer all data until the tag is verified (as defined by the GCM spec) [1]
> 
> This (the part about it being secure) is not correct - when using javax.crypto.CipherInputStream with a cipher in GCM mode and the SunJCE provider (JDK8+) any tampering with the ciphertext will silently treat the result as a 0 byte authenticated stream.
> 

Sorry, I should have been clearer here - this problem occurs with any provider (and any AE mode) not just the SunJCE GCM implementation.

tim
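An added Java example, not code from this thread, that reproduces the failure mode Tim describes and shows the check a caller needs: on JDKs where CipherInputStream swallows the AEADBadTagException, a tampered GCM ciphertext reads as an empty stream, so the caller compares the number of plaintext bytes actually produced against what the ciphertext length implies (ciphertext minus 16-byte tag); on newer JDKs the tag failure surfaces as an IOException, which is also treated as a failure. The 128-bit tag, 12-byte IV and the sample plaintext are constructed assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;

public class GcmStreamCheck {
    // Decrypt through CipherInputStream but refuse to trust a silent EOF:
    // a tag failure must never look like an authentic empty message.
    static byte[] decryptChecked(SecretKey key, byte[] iv, byte[] ctWithTag)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (CipherInputStream in = new CipherInputStream(
                new ByteArrayInputStream(ctWithTag), c)) {
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        } catch (IOException e) {
            // Newer JDKs wrap AEADBadTagException in an IOException (assumption).
            throw new GeneralSecurityException("GCM tag check failed", e);
        }
        byte[] pt = out.toByteArray();
        int expected = ctWithTag.length - 16;   // 16-byte (128-bit) tag assumed
        // Older JDKs catch the tag exception inside the stream and report EOF,
        // so a short (typically zero-length) result means doFinal failed.
        if (pt.length != expected)
            throw new GeneralSecurityException("GCM tag check failed: stream gave "
                    + pt.length + " bytes, expected " + expected);
        return pt;
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal("constructed sample plaintext".getBytes("UTF-8"));
        System.out.println(new String(decryptChecked(key, iv, ct), "UTF-8"));

        byte[] tampered = ct.clone();
        tampered[0] ^= 0x01;   // flip one ciphertext bit
        try {
            decryptChecked(key, iv, tampered);
            System.out.println("BUG: tampered ciphertext accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the length comparison, the same program on an affected JDK prints an empty line for the tampered input and reports nothing.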
