Short AES GCM Tags?

Bernd Eckenfels ecki at
Mon Apr 17 21:12:21 UTC 2017


I also think there is no short version for TLS anyway. RFC 5288 states that the Tag is 128 bit and the hmac truncation extension (which would allow 80 bit) is not valid for GCM.

From: security-dev <security-dev-bounces at> on behalf of Valerie Peng <valerie.peng at>
Sent: Monday, April 17, 2017 10:31:29 PM
To: security-dev at
Subject: Re: Short AES GCM Tags?

The short tag length is not for general applications and their usage
comes with additional requirements such as length of input data and
lifetime of the key which SunJCE provider does not implement. Thus,
SunJCE provider limits the supported tag length to the 5 values defined
for general-purpose applications.


On 4/13/2017 1:58 PM, Mike Duigou wrote:
> I've discovered that the Java 8 JSSE doesn't allow 64 or 32 bit tags
> to be used with AES GCM. (Enforced in CipherCore) I had hoped to use
> short tags per the guidance of NIST Special Publication 800-38D
> Appendix C. The Javadoc for GCMParameterSpec mentions 32 and 64 bit
> tags but I can't find an explanation of why small tags are not
> supported by Java 8 JSSE.
> Is there a reason that the short tags aren't offered?
> Thanks,
> Mike

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security-dev mailing list