[openssl-users] AES-GCM cipher in TLS

Matt Caswell matt at openssl.org
Thu Apr 5 08:26:07 UTC 2018

On 05/04/18 05:12, PS wrote:
> I am trying to decrypt TLS 1.2 records that are using the
> TLS_AES_128_GCM_SHA256 cipher-suite using openssl's EVP API.
> Per RFC 5246, decryption needs 4 inputs.
> "
>    In order to decrypt and verify, the cipher takes as input the key,
>    nonce, the "additional_data", and the AEADEncrypted value.  The
>    output is either the plaintext or an error indicating that the
>    decryption failed.  There is no separate integrity check.  That is:
>       TLSCompressed.fragment = AEAD-Decrypt(write_key, nonce,
>                                             AEADEncrypted,
>                                             additional_data)
> "
> But, in the AES-GCM decryption example on openssl wiki at
> shows the decryption also takes as input the *tag* to be verified.
> I know that the Authentication tag is the last 16 bytes of the TLS 1.2
> record payload. But, my confusion is why the RFC has no mention of the
> Authentication tag.

Well you have to look in the right RFC :-). TLSv1.2 is specified in
RFC5246. This contains some high level information about how to use AEAD
ciphersuites in TLSv1.2 (in particular see section

Then there is RFC5288. This should be read in conjunction with RFC5246
and provides information on a set of specific AEAD ciphersuites -
including all of the GCM ones. This provides information on how to
construct the nonce from the explicit and implicit parts. The
ciphersuites make use of the AEAD_AES_128_GCM algorithm as specified in

RFC5116 has this to say on the authentication tag:

   The AEAD_AES_128_GCM authenticated encryption algorithm works as
   specified in [GCM], using AES-128 as the block cipher, by providing
   the key, nonce, and plaintext, and associated data to that mode of
   operation.  An authentication tag with a length of 16 octets (128
   bits) is used.  The AEAD_AES_128_GCM ciphertext is formed by
   appending the authentication tag provided as an output to the GCM
   encryption operation to the ciphertext that is output by that
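
Added example, not part of the original message or of OpenSSL: a plain C helper that splits one TLS 1.2 AES-128-GCM record into the inputs discussed in this thread, namely the nonce (implicit salt plus explicit part, RFC 5288), the additional_data (RFC 5246 section 6.2.3.3), the ciphertext, and the 16-byte tag at the end. The function and struct names, the salt and the record bytes are constructed for illustration; the sequence number is not on the wire and must be tracked by the caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define SALT_LEN 4      /* implicit nonce part, taken from the key block (RFC 5288) */
#define EXPLICIT_LEN 8  /* explicit nonce part, sent at the start of each record */
#define TAG_LEN 16      /* AEAD_AES_128_GCM tag, appended to the ciphertext (RFC 5116) */
struct gcm_inputs {
    uint8_t nonce[SALT_LEN + EXPLICIT_LEN];
    uint8_t aad[13];     /* seq_num(8) | type(1) | version(2) | length(2) */
    const uint8_t *ct;   /* ciphertext proper, without explicit nonce or tag */
    size_t ct_len;
    const uint8_t *tag;  /* last 16 bytes of the record payload */
};
/* Constructed sample: placeholder bytes, not real GCM output. */
static const uint8_t sample_salt[SALT_LEN] = { 0xde, 0xad, 0xbe, 0xef };
static const uint8_t sample_rec[] = {
    0x17, 0x03, 0x03, 0x00, 0x1b,             /* header: type, version, length 27 */
    0, 0, 0, 0, 0, 0, 0, 1,                   /* explicit nonce */
    0xaa, 0xbb, 0xcc,                         /* ciphertext */
    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff };  /* tag */

/* rec starts at the 5-byte record header. Returns 0 on success, -1 if malformed. */
int tls12_gcm_split(const uint8_t *rec, size_t rec_len, const uint8_t *salt,
                    uint64_t seq, struct gcm_inputs *out)
{
    if (rec_len < 5) return -1;
    size_t frag_len = ((size_t)rec[3] << 8) | rec[4];
    if (frag_len != rec_len - 5 || frag_len < EXPLICIT_LEN + TAG_LEN)
        return -1;                              /* truncated, or no room for nonce + tag */
    const uint8_t *frag = rec + 5;
    memcpy(out->nonce, salt, SALT_LEN);
    memcpy(out->nonce + SALT_LEN, frag, EXPLICIT_LEN);
    out->ct = frag + EXPLICIT_LEN;
    out->ct_len = frag_len - EXPLICIT_LEN - TAG_LEN;
    out->tag = frag + frag_len - TAG_LEN;
    for (int i = 0; i < 8; i++)                 /* 64-bit sequence number, big-endian */
        out->aad[i] = (uint8_t)(seq >> (56 - 8 * i));
    memcpy(out->aad + 8, rec, 3);               /* content type and version */
    out->aad[11] = (uint8_t)(out->ct_len >> 8); /* plaintext length, not record length */
    out->aad[12] = (uint8_t)out->ct_len;
    return 0;
}

int main(void)
{
    struct gcm_inputs in;
    return tls12_gcm_split(sample_rec, sizeof sample_rec, sample_salt, 1, &in);
}
```

With OpenSSL's EVP API, `tag` is the value passed to `EVP_CIPHER_CTX_ctrl` with `EVP_CTRL_GCM_SET_TAG` before `EVP_DecryptFinal_ex`, and `aad` is fed through `EVP_DecryptUpdate` with a NULL output buffer.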

