
Re: [smime] [Technical Errata Reported] RFC5084 (4774)

2016-08-13 12:03:59
The first half of this errata must be rejected.  We do not change the ASN.1
for something like this under just about any circumstances.

Changing the recommendation of a value should probably not be done by an
erratum but by publishing a new document.  We could discuss and make
the recommendation change in the new S/MIME document in the LAMPS group
rather than in this document.


-----Original Message-----
From: smime [mailto:smime-bounces(_at_)ietf(_dot_)org] On Behalf Of RFC Errata System
Sent: Thursday, August 11, 2016 11:48 AM
To: housley(_at_)vigilsec(_dot_)com; 
Cc: quannguyen(_at_)google(_dot_)com; rfc-editor(_at_)rfc-editor(_dot_)org; 
Subject: [smime] [Technical Errata Reported] RFC5084 (4774)

The following errata report has been submitted for RFC5084, "Using AES-CCM
and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)".

You may review the report below and at:

Type: Technical
Reported by: QUAN NGUYEN <quannguyen(_at_)google(_dot_)com>

Section: 3.2

Original Text
aes-ICVlen       AES-GCM-ICVlen DEFAULT 12

A length of 12 octets is RECOMMENDED.

Corrected Text
aes-ICVlen       AES-GCM-ICVlen DEFAULT 16

A length of 16 octets is RECOMMENDED.

Many JCE providers, including OpenJDK, BouncyCastle and Conscrypt, have a bug:
they use a 12-byte authentication tag (aes-ICVlen) as the default if the code
path [1] uses CMS. According to Ferguson's attack (GCM/Ferguson2.pdf), if a
user encrypts a message of 2^32 blocks, then a 12-byte authentication tag has
only 96 - 32 = 64 bits of security, which is not good enough nowadays.
Furthermore, once a forgery happens, authentication is leaked.

[1] In other code paths, all providers use a 16-byte authentication tag as

This erratum is currently posted as "Reported". If necessary, please use
All" to discuss whether it should be verified or rejected. When a decision
reached, the verifying party (IESG) can log in to change the status and
edit the report, if necessary.

RFC5084 (draft-ietf-smime-cms-aes-ccm-and-gcm-03)
Title               : Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)
Publication Date    : November 2007
Author(s)           : R. Housley
Category            : PROPOSED STANDARD
Source              : S/MIME Mail Security
Area                : Security
Stream              : IETF
Verifying Party     : IESG

smime mailing list
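The erratum turns on two things: the GCMParameters structure in RFC 5084 section 3.2, where an absent aes-ICVlen means DEFAULT 12, and the bound that a t-bit GCM tag gives only about t - log2(blocks) bits against forgery. The following is an added example, not code from the thread or from any JCE provider: a dependency-free DER decoder for GCMParameters that reports the effective tag length and applies a hypothetical audit policy (the 96-bit floor and the 2^32-block message size are assumptions chosen to match the figures quoted in the report).

```python
# GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING,
#                              aes-ICVlen INTEGER DEFAULT 12 }   (RFC 5084, 3.2)
DEFAULT_ICVLEN = 12

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length

def parse_gcm_parameters(der):
    """Return (nonce, icvlen); an absent aes-ICVlen is the DEFAULT of 12."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, nonce, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("aes-nonce must be an OCTET STRING")
    icvlen = DEFAULT_ICVLEN
    if pos < len(body):                     # optional explicit aes-ICVlen
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("aes-ICVlen must be an INTEGER")
        icvlen = int.from_bytes(val, "big", signed=True)
    if icvlen not in (12, 13, 14, 15, 16) or pos != len(body):
        raise ValueError("aes-ICVlen out of range or trailing data")
    return nonce, icvlen

def effective_forgery_bits(icvlen, max_blocks_log2):
    """Ferguson's bound as quoted in the erratum: a t-bit tag over messages of
    up to 2^k blocks leaves roughly t - k bits against forgery."""
    return 8 * icvlen - max_blocks_log2

def audit_gcm_parameters(der, max_blocks_log2=32, min_bits=96):
    """Hypothetical policy: flag tags that fall below min_bits (assumed 96)."""
    nonce, icvlen = parse_gcm_parameters(der)
    bits = effective_forgery_bits(icvlen, max_blocks_log2)
    return {"nonce_len": len(nonce), "icvlen": icvlen,
            "effective_bits": bits, "ok": bits >= min_bits}

# Constructed sample encodings (12-byte nonce 00..0b); not taken from any real CMS message.
SAMPLE_DEFAULT = bytes.fromhex("300e040c000102030405060708090a0b")        # aes-ICVlen absent -> 12
SAMPLE_ICV16 = bytes.fromhex("3011040c000102030405060708090a0b020110")   # aes-ICVlen = 16
```

The first sample, which a provider emits when it relies on the DEFAULT, is reported at 64 effective bits; the second, with an explicit 16, at 96.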