RFR: 8374317: Change GCM IV size to 12 bytes when encrypting/decrypting TLS session ticket
Bernd
duke at openjdk.org
Wed Dec 24 02:46:53 UTC 2025
On Wed, 24 Dec 2025 00:40:05 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
> 12 bytes is the recommended size for GCM per NIST SP 800-38D:
>
> For IVs, it is recommended that implementations restrict support to the length of 96 bits, to
> promote interoperability, efficiency, and simplicity of design.
>
> Larger IV size requires an extra hashing step (GHASH). Currently we have it set to 16 bytes.
Hm, if there are no test changes needed, we might need to add some. Should we dynamically accept 12-16 byte IVs? Not sure why the mail talked about 96 bits for the MAC as well, but I think even NIST prefers 128 (in fact that's a major weakness going forward, that it's limited to the block size).
-------------
PR Comment: https://git.openjdk.org/jdk/pull/28971#issuecomment-3688471422