[RFC 2/2] FIXME: initial implementation of GCM

Dmitry Eremin-Solenikov dbaryshkov at gmail.com
Mon Aug 5 17:17:58 CEST 2013


On Mon, Aug 5, 2013 at 6:01 PM, Werner Koch <wk at gnupg.org> wrote:
> On Mon,  5 Aug 2013 14:28, dbaryshkov at gmail.com said:
>
>> I will probably add a note that to be fully compatible with NIST
>> recommendations,
>> one have to generate IV according to the specification.
>
> If the standard requires a certain way to generate an IV we need to make
> sure that it is done in this way.  If there is an application which
> can't work with such a high-level approach we may revisit this and
> decide whether to add a low-level API for this case.

The problem is that IETF standards (RFC 5116/5288) are not _that_strict.
As far as I understand text, it only proposes a way to generate nonce (which
looks like 8.2.1). And 5288 requires distinct explicit nonce, but then it tells
that it may be a TLS sequence number (and thus might be not).

To make things worse:
libgcrypt should permit using any IV for decryption. Thus we should not impose
any additional requirements on setiv() if the user wants only to
decrypt a message.

What about the following construction:
* setiv() permits any iv, but then sets a special flag 'explicit IV' (?)
* We add a special API like gcry_cipher_generate_nonce(), which will generate
  noonce. In case of GCM it will use additional data and a counter (or
clock_gettime(?))
  to generate IV according to SP800-38D, 8.2.1).
* GCM decrypt() works with any IV set or generated.
* In FIPS mode GCM encrypt() fails, if 'explicit IV' flag is set (and works
  if IV was generated).

-- 
With best wishes
Dmitry



More information about the Gcrypt-devel mailing list