Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

doc: update notes about GCM decryption #21445

Closed
wants to merge 1 commit into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 2 additions & 10 deletions doc/api/crypto.md
Original file line number Diff line number Diff line change
Expand Up @@ -434,16 +434,8 @@ supported), the `decipher.setAuthTag()` method is used to pass in the
received _authentication tag_. If no tag is provided, or if the cipher text
has been tampered with, [`decipher.final()`][] will throw, indicating that the
cipher text should be discarded due to failed authentication. If the tag length
is invalid according to [NIST SP 800-38D][], `decipher.setAuthTag()` will throw
an error.

Note that this Node.js version does not verify the length of GCM authentication
tags. Such a check *must* be implemented by applications and is crucial to the
authenticity of the encrypted data, otherwise, an attacker can use an
arbitrarily short authentication tag to increase the chances of successfully
passing authentication (up to 0.39%). It is highly recommended to associate one
of the values 16, 15, 14, 13, 12, 8 or 4 bytes with each key, and to only permit
authentication tags of that length, see [NIST SP 800-38D][].
is invalid according to [NIST SP 800-38D][] or does not match the value of the
`authTagLength` option, `decipher.setAuthTag()` will throw an error.

The `decipher.setAuthTag()` method must be called before
[`decipher.final()`][].
Expand Down