
Re: [smime] [Technical Errata Reported] RFC5084 (4774)

2016-08-15 16:47:11
On Thu, Aug 11, 2016 at 11:47 AM, RFC Errata System <
rfc-editor(_at_)rfc-editor(_dot_)org> wrote:

The following errata report has been submitted for RFC5084,
"Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic
Message Syntax (CMS)".

You may review the report below and at:

Type: Technical
Reported by: QUAN NGUYEN <quannguyen(_at_)google(_dot_)com>

Section: 3.2

Original Text
aes-ICVlen       AES-GCM-ICVlen DEFAULT 12

A length of 12 octets is RECOMMENDED.

Corrected Text
aes-ICVlen       AES-GCM-ICVlen DEFAULT 16

A length of 16 octets is RECOMMENDED.

Many JCE providers, including OpenJDK, BouncyCastle and Conscrypt, have a bug
that uses a 12-byte authentication tag (aes-ICVlen) as the default if the code
path [1] uses CMS. According to Ferguson's attack (
ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf), if a user
encrypts a message of 2^32 blocks, then a 12-byte authentication tag
has only 96 - 32 = 64 bits of security, which is not good enough nowadays.
Furthermore, once a forgery happens, authentication is leaked.

Sorry, I meant "authentication *key*" is leaked.

[1] In other code paths, all providers use 16 bytes authentication tag as

This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary.

RFC5084 (draft-ietf-smime-cms-aes-ccm-and-gcm-03)
Title               : Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)
Publication Date    : November 2007
Author(s)           : R. Housley
Category            : PROPOSED STANDARD
Source              : S/MIME Mail Security
Area                : Security
Stream              : IETF
Verifying Party     : IESG
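As an added illustration that is not part of this thread or of any JCE provider's code: a small checker for the RFC 5084 GCMParameters encoding, showing how an omitted aes-ICVlen resolves to the published DEFAULT of 12 and how that compares with the 16 octets the erratum proposes. The minimal DER reader, the sample byte strings and the effective-bits estimate (which simply reproduces the report's "96 - 32" arithmetic) are constructed here.

```python
import math

DEFAULT_ICVLEN = 12       # DEFAULT in RFC 5084 section 3.2 as published
RECOMMENDED_ICVLEN = 16   # value the erratum proposes
ALLOWED_ICVLEN = (12, 13, 14, 15, 16)   # AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length

def parse_gcm_parameters(der):
    """Decode GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING, aes-ICVlen DEFAULT 12 };
    an omitted aes-ICVlen resolves to the DEFAULT, which is where 12-byte tags creep in."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, nonce, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("aes-nonce must be an OCTET STRING")
    icvlen = DEFAULT_ICVLEN
    if pos < len(body):
        tag, raw, pos = _read_tlv(body, pos)
        if tag != 0x02 or pos != len(body):
            raise ValueError("aes-ICVlen must be the final INTEGER element")
        icvlen = int.from_bytes(raw, "big", signed=True)
    if icvlen not in ALLOWED_ICVLEN:
        raise ValueError(f"aes-ICVlen {icvlen} violates the AES-GCM-ICVlen constraint")
    return nonce, icvlen

def effective_tag_security_bits(icvlen, message_blocks):
    """Forgery resistance as the report states it: tag bits minus log2(blocks), e.g. 96 - 32."""
    return 8 * icvlen - math.ceil(math.log2(message_blocks))

def check_gcm_parameters(der, message_blocks=2 ** 32, min_bits=96):
    """Flag parameters whose tag is shorter than the erratum's 16 octets or too weak for the load."""
    nonce, icvlen = parse_gcm_parameters(der)
    bits = effective_tag_security_bits(icvlen, message_blocks)
    return {"nonce_len": len(nonce), "icvlen": icvlen, "effective_bits": bits,
            "weak": icvlen < RECOMMENDED_ICVLEN or bits < min_bits}

# Constructed sample encodings (not from the thread): 12-byte nonce, aes-ICVlen omitted vs. explicit 16.
NONCE = bytes(range(12))
PARAMS_DEFAULT = bytes([0x30, 14, 0x04, 12]) + NONCE
PARAMS_16 = bytes([0x30, 17, 0x04, 12]) + NONCE + bytes([0x02, 1, 16])
```

Running `check_gcm_parameters(PARAMS_DEFAULT)` reports icvlen 12 with 64 effective bits and flags it weak; the explicit-16 encoding passes.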

smime mailing list