GCM: Allow nonces of any length #62
Comments
|
The That said, you almost certainly want to use a 96-bit nonce with AES-GCM. Notice what it actually does if the nonce isn't 96-bits: much like something like HMAC, it tolerates an "unusual sized" nonce via a special computation for this case. My understanding is there are some issues with it which make it somewhat undesirable versus specifying your own 96-bit nonce, but I don't have a citation offhand. This post covers some of the tradeoffs: https://crypto.stackexchange.com/posts/66500/revisions If you're really concerned with nonces, may I perhaps suggest AES-GCM-SIV? Otherwise, the only real argument for other nonce sizes for AES-GCM is protocols which have (mis)specified a different nonce size, e.g. Apple Pay's use of 128-bit nonces. I think it would be ok to add some specific nonce sizes used in protocols like this for interoperability in weird cases like this, with a note that a 96-bit nonce should be preferred. |
|
My use-case is interoperability with a Java implementation using BouncyCastle. The Java implementation uses variable-length nonces (for whatever weird reason). As such having preconfigured fixed lengths for some protocols doesn't solve my use-case directly. I could imagine a special trait or just method for GCM and similar algorithms allowing variable-length nonces, which takes the nonce as For now I'll use openssl. |
|
I'd suggest opening an issue on https://github.com/RustCrypto/traits requesting variable length nonce support as part of the AEAD trait. You can reference my comment here: |
|
So it seems I may have been a bit hasty to suggest that we need to modify the Non-standard-sized GCM nonces work a bit like XChaCha20/XSalsa20 vs ChaCha20/Salsa20: you compute a standard 96-bit sized nonce from a longer one. So rather than dealing with this in the trait, it can have separate Anyway, it should be possible to implement those methods in terms of That said, RustCrypto/traits#65 (i.e. fixing this upstream in the trait) is still worth considering. |
|
FYI, prospective PR to add support for non-96-bit nonces in #126. I ended up making |
|
Fixed in #126 |
|
Now released in |
|
How does this work? |
|
@drkslv the https://docs.rs/aes-gcm/latest/aes_gcm/struct.AesGcm.html You'll still need to specify the nonce size at compile time, currently using a |
|
@tarcieri Thank you very much! I had already figured it out myself by looking at your tests! what i did to make it compile, for reference: type Aes256GcmWith16BitNonce = AesGcm<Aes256, typenum::U16>;
let key = GenericArray::clone_from_slice(&master_key);
let cipher = Aes256GcmWith16BitNonce::new(&key);
cipher.decrypt_in_place( GenericArray::from_slice(&iv), &[], &mut ciphertext)
.expect("decrytion_failure");also, at some point it might be worth the time to convert the code to actual const-generics, as it would allow people to just pass in the fixed-size array and have it automatically detect what constant to use |
|
We'd need to change the See the tracking issue here: RustCrypto/traits#970 |
|
yeah const-generics are a little fresh out of the oven right now - really looking forward to when they're fully stable and adopted tho- it's just so much cleaner |
Currently, AesGcm only allows nonces with a length of 12 bytes. However, the the AES-GCM specification allows nonces of any length:
Is there a way to use
AesGcmwith a nonce of a length ≠ 12 bytes?The text was updated successfully, but these errors were encountered: