[openssl-users] AES-GCM cipher in TLS

PS mytechlist at gmail.com
Thu Apr 5 17:35:22 UTC 2018


Thanks Matt.

I did read those RFCs as well, and here is the confusion. RFC 5116 says
this in section 2.1:

  There is a *single output:*

      A ciphertext C, which is at least as long as the plaintext, or

      an indication that the requested encryption operation could not be
      performed.

Note the emphasis on "single output". So, the encryption output is just a
single output, ciphertext C. This C is the ciphertext + tag from what I
understand, in a single output. Similarly, section 2.2 does not mention
anything about separating the tag from the ciphertext and just takes C as
input.

Now assuming that openssl follows this, shouldn't the example at
https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
just give a single output per the RFC? Instead the example requires the
ciphertext and tag to be extracted separately. Conversely, decryption should
just take the ciphertext C (which includes the tag) and output the plaintext.
But again the example requires separating the tag for verification.

In summary, per my understanding of the RFC, the auth tag is seamless and
the application should not have to deal with it separately. Yet, the
openssl example using EVP deals with tag separately.