CipherInputStream for AEAD modes is insecure (GCM, etc.): ciphertext tampering without detection possible

Xuelei Fan xuelei.fan at oracle.com
Mon Mar 10 00:12:48 UTC 2014


On 3/10/2014 2:31 AM, Tim Whittington wrote:
> 
> On 9/03/2014, at 10:50 pm, Tim Whittington
> <jdk-security-dev at whittington.net.nz
> <mailto:jdk-security-dev at whittington.net.nz>> wrote:
> 
>>
>> On 7/03/2014, at 9:14 am, Philipp Heckel <philipp.heckel at gmail.com
>> <mailto:philipp.heckel at gmail.com>> wrote:
>>
>>> - Using javax.crypto.CipherInputStream with a cipher in GCM mode and
>>> the SunJCE provider (JDK8+) is secure, but cannot be used large
>>> files, because it will buffer all data until the tag is verified (as
>>> defined by the GCM spec) [1]
>>
>> This (the part about it being secure) is not correct - when using
>> javax.crypto.CipherInputStream with a cipher in GCM mode and the
>> SunJCE provider (JDK8+) any tampering with the ciphertext will
>> silently treat the result as a 0 byte authenticated stream.
>>
> 
> Sorry, I should have been clearer here - this problem occurs with any
> provider (and any AE mode) not just the SunJCE GCM implementation.
> 
It only happens before the authentication tag get checked.  If the authN
tag get read, the tampering can be detected.

Your concerns happen to any mode, even CBC mode.  Better to make an
improvement here if possible.

Thanks,
Xuelei



More information about the security-dev mailing list