[openssl-dev] [openssl.org #4521] openssl GCM ordering
Praveen Kariyanahalli
praveen at viptela.com
Tue Apr 26 21:12:58 UTC 2016
See inline. Look for Praveen.
On Mon, Apr 25, 2016 at 7:20 PM, Brian Smith <brian at briansmith.org> wrote:
> Praveen Kariyanahalli via RT <rt at openssl.org> wrote:
>
>> Is there a reason why openssl has the restriction of auth-before-encrypt
>> order? I don't believe there is an algo restriction; was wondering why
>> openssl has this.
>>
>
> It *is* inherent in the algorithm. The authentication tag for the AAD is
> computed first, then the authentication tag for the encrypted data is
> computed.
>
[praveen] From the NIST documentation it is not that clear (SP-800-38D page
15).
Steps:
1. Let H = CIPH_K(0^128).
2. Define a block, J0, as follows: If len(IV) = 96, then let J0 = IV || 0^31 || 1.
   If len(IV) ≠ 96, then let s = 128 · ⌈len(IV)/128⌉ − len(IV), and
   let J0 = GHASH_H(IV || 0^(s+64) || [len(IV)]_64).
*3. Let C = GCTR_K(inc32(J0), P).*
4. Let u = 128 · ⌈len(C)/128⌉ − len(C) and let v = 128 · ⌈len(A)/128⌉ − len(A).
*5. Define a block, S, as follows: S = GHASH_H(A || 0^v || C || 0^u ||
   [len(A)]_64 || [len(C)]_64).*
6. Let T = MSB_t(GCTR_K(J0, S)).
7. Return (C, T).
Sorry my cut n paste swallowed some characters :). The steps mentioned
themselves are NOT the order you mention.
>
>
>> The reason I bring this up is that when I broadcast/multicast traffic, I
>> need not encrypt the payload multiple times, but I need to auth the header
>> differently, and openssl is refusing to cooperate :)
>
>
> With AEADs, in general, you can't separate the authentication from the
> encryption like that.
>
>
[praveen]
I agree, but I was talking about the auth-only part. For example, in a packet
that needs to be replicated, the outer header will change for each
recipient, but the payload will remain the same. I was wondering if I can
benefit by skipping the C part for the subsequent copies.
I totally understand that for a HW implementation it does NOT make sense. But
I was curious why this restriction?
Thanks
-Praveen
> Cheers,
> Brian
> --
> https://briansmith.org/
>
>
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
>
>
--
-Praveen
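The seven SP 800-38D steps quoted above, implemented as an added example that is not code from this thread or from OpenSSL. AES is not in Python's standard library, so the block cipher CIPH_K is injected; demo_cipher is a constructed SHA-256 stand-in (not AES, not secure), and the key, IV, AAD and payload values in the test are constructed. It shows that step 5 hashes A first and then C, and that an existing C can be retagged under a new AAD by skipping step 3, which is the reuse Praveen asks about.

```python
import hashlib
R = 0xE1 << 120  # 11100001 || 0^120, the reduction constant of SP 800-38D Algorithm 1

def gf_mul(x: int, y: int) -> int:
    """Block multiplication in GF(2^128); bit 0 of a block is the integer's MSB."""
    z, v = 0, y
    for i in range(128):
        z ^= v if (x >> (127 - i)) & 1 else 0
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h: int, a: bytes, c: bytes) -> int:
    """Step 5: GHASH_H(A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64), A blocks first."""
    pad = lambda d: d + b"\x00" * (-len(d) % 16)  # 0^v and 0^u for byte-aligned inputs
    data = pad(a) + pad(c) + (8 * len(a)).to_bytes(8, "big") + (8 * len(c)).to_bytes(8, "big")
    y = 0
    for i in range(0, len(data), 16):
        y = gf_mul(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y

def inc32(block: int) -> int:
    """Increment the rightmost 32 bits of a 128-bit block modulo 2^32."""
    return (block & ~0xFFFFFFFF) | ((block + 1) & 0xFFFFFFFF)

def gctr(ciph, icb: int, x: bytes) -> bytes:
    """GCTR_K(ICB, X): XOR X with CIPH_K(CB_i); CB_1 = ICB, CB_i = inc32(CB_{i-1})."""
    out, cb = bytearray(), icb
    for i in range(0, len(x), 16):
        out += bytes(p ^ k for p, k in zip(x[i:i + 16], ciph(cb.to_bytes(16, "big"))))
        cb = inc32(cb)
    return bytes(out)

def h_j0(ciph, iv: bytes) -> tuple:
    """Steps 1-2, len(IV) = 96 branch only: H = CIPH_K(0^128), J0 = IV || 0^31 || 1."""
    return int.from_bytes(ciph(bytes(16)), "big"), int.from_bytes(iv + b"\x00\x00\x00\x01", "big")

def gcm_tag(ciph, h: int, j0: int, a: bytes, c: bytes, t_bytes: int = 16) -> bytes:
    """Steps 5-6: T = MSB_t(GCTR_K(J0, S)). Consumes C, not P."""
    return gctr(ciph, j0, ghash(h, a, c).to_bytes(16, "big"))[:t_bytes]

def gcm_encrypt(ciph, iv: bytes, p: bytes, a: bytes, c: bytes = None) -> tuple:
    """Steps 1-7, returns (C, T). Passing an already computed C skips step 3: a new AAD only retags."""
    h, j0 = h_j0(ciph, iv)
    if c is None:
        c = gctr(ciph, inc32(j0), p)  # 3. C = GCTR_K(inc32(J0), P)
    return c, gcm_tag(ciph, h, j0, a, c)

# Constructed stand-in for CIPH_K so the demo runs offline: SHA-256(key || block)[:16]. NOT AES.
demo_cipher = lambda key: (lambda block: hashlib.sha256(key + block).digest()[:16])
```

Retagging one C under several AADs with the same key and IV yields several tags under a single nonce, which is GCM nonce reuse and forfeits the authentication guarantee, so each replicated copy still needs its own IV (and therefore its own C).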