[openssl-users] AES-GCM cipher in TLS

Matt Caswell matt at openssl.org
Thu Apr 5 21:57:19 UTC 2018

On 05/04/18 18:35, PS wrote:
> Thanks Matt.
> I did read those RFC as well. And here is the confusion. The RFC5116
> says this section 2.1
>   There is a *single output:*
>       A ciphertext C, which is at least as long as the plaintext, or
>       an indication that the requested encryption operation could not be
>       performed.
> Note the emphasis on "single output". So, encryption output is just a
> single output ciphertext C. This C is the ciphertext + tag from what I
> understand in a single output. Similarly, section 2.2, does not mention
> anything about separating the tag from the Ciphertext and just takes C
> as input.
> Now assuming that openssl follows this, shouldn't the example at
> https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
> just give a single output per the RFC. Instead the example requires
> Cipher text and tag to be extracted separately. Conversely, decryption
> should just take the ciphertext C (which includes the tag) and output
> the plaintext. But again the example requires separating the tag for
> verification.
> In summary, per my understanding of the RFC, the auth tag is seamless
> and the application should not have to deal with it separately. Yet, the
> openssl example using EVP deals with tag separately.

Right - I understand where your confusion is. The EVP interface is *not*
an RFC5116 API. RFC5116 is itself built on top of another standard -
SP800-38D. The EVP API gives you an interface to GCM as defined in that
standard. RFC5116 wraps that standard with some additional requirements
such as the fact that tag is 16 octets in length and appended to the end
of the ciphertext. OpenSSL implements RFC5116 only in as much as it is
required to implement the TLS ciphersuites in libssl. The EVP interface
is just a building block provided by libcrypto to create those ciphersuites.


More information about the openssl-users mailing list