-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Additional validation of tag length in AES GCM decryption #17523
Comments
Can you post a concrete API proposal? |
@bnoordhuis Updated the description to include an API proposal. |
cc @nodejs/crypto - your input please. |
I'll try to clarify your proposal just to make sure I did not miss anything:
Even though If this is correct, I can probably put together a PR on the weekend. There are three relevant changes here:
|
@tniessen That’s exactly what I meant and those semver assessments seem correct. In my opinion semver-patch would make sense for the first change: I was pretty surprised to discover |
Oh except I’ve only been talking about |
Ref #13941 |
Right now, any 1 <= tag length <= 16 is accepted (because openssl accepts it) and there might therefore be code in the wild that uses odd sizes. Throwing an exception must be semver-major for that reason but logging a warning for e.g. lengths < 8 can be semver-patch.
Call me a pessimist but I predict most usage is going to look like this... var tag = getTagFromSomewhere();
var dec = crypto.createDecipheriv(algo, key, iv, { minimumTagBytes: tag.length });
dec.setAuthTag(tag); More boilerplate, zero extra security. We'll probably get better results from improving the documentation and adding big fat warnings that people must check that the tag is what they expect it to be. |
@bnoordhuis If we decide to set the default value of |
I'll give a short update on the status of this proposal:
A minimum tag length has not been implemented and, according to NIST SP 800 38d, would be insufficient as the permitted tag length should be restricted to a "single, fixed value [...] associated with each key". |
@bnoordhuis Could you take a look at #18138? If we decide to land the proposed API, we could use the |
@nodejs/crypto What do you think about #17523 (comment)? The API was landed as proposed, the main question is: Will people use it, and will they do so correctly? We cannot force them to check the auth tag length, but we can help them. |
No objections, sounds like a good idea. |
This change allows users to restrict accepted GCM authentication tag lengths to a single value. Fixes: nodejs#17523
This change allows users to restrict accepted GCM authentication tag lengths to a single value. PR-URL: nodejs#20039 Fixes: nodejs#17523 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yihong Wang <yh.wang@ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
I notice here that validation of tag length is planned when using authenticated decryption:
node/src/node_crypto.cc
Line 3713 in 50ec9bf
I'm assuming this comment addresses the fact that the current implementation doesn't check whether the provided tag conforms to the valid tag lengths for GCM: 128, 120, 112, 104, or 96 (or 64 or 32 for certain applications) according to this document).
Even with such validation however, if no default minimum tag length is enforced, there is a lot of scope for insecure use of authenticated encryption, where developers authenticate decryption in a manner that accepts shorter tags than necessary (e.g. 32 bits when they only ever intend to use 128-bit tags).
A solution would be to validate tag length against not only the list of valid lengths according to the specification, but also a minimum length (128 bits by default, but configurable by users who have a good reason to allow shorter tags).
For example:
Caveats with the above proposal:
minimumTagBytes
value or when calling.final()
) or how to word error messages.The text was updated successfully, but these errors were encountered: