RFC Errata


RFC 5084, "Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)", November 2007

Source of RFC: smime (sec)

Errata ID: 4774

Status: Reported
Type: Technical

Reported By: QUAN NGUYEN
Date Reported: 2016-08-11

Section 3.2 says:

aes-ICVlen       AES-GCM-ICVlen DEFAULT 12

A length of 12 octets is RECOMMENDED.

It should say:

aes-ICVlen       AES-GCM-ICVlen DEFAULT 16

A length of 16 octets is RECOMMENDED.


Many JCE providers, including OpenJDK, BouncyCastle and Conscrypt, have a bug that uses a 12-byte authentication tag (aes-ICVlen) as the default if the code path [1] uses CMS. According to Ferguson's attack (http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf), if a user encrypts a message 2^32 blocks long, then a 12-byte authentication tag has only 96 - 32 = 64 bits of security, which is not good enough nowadays. Furthermore, once a forgery happens, authentication is leaked.

[1] In other code paths, all providers use a 16-byte authentication tag as the default.
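The following is an added illustration, not part of the erratum, of RFC 5084, or of any JCE provider's code. It encodes and decodes the GCMParameters structure from section 3.2 with the standard library only, and shows the consequence of changing a DEFAULT in a DER-encoded structure: DER omits a component whose value equals its DEFAULT, so a parameters encoding that carries no aes-ICVlen is read as 12 under the published text and as 16 under the proposed text, with nothing on the wire to tell the two apart. The sample nonce is constructed, and forgery_security_bits only restates the arithmetic the erratum cites.

```python
"""Minimal DER encoder/decoder for the GCMParameters structure of RFC 5084,
section 3.2:

    GCMParameters ::= SEQUENCE {
        aes-nonce        OCTET STRING,   -- recommended size is 12 octets
        aes-ICVlen       AES-GCM-ICVlen DEFAULT 12 }
    AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)

Added example, standard library only.  DER (X.690, 11.5) forbids encoding a
component whose value equals its DEFAULT, so a blob without aes-ICVlen means
whatever the decoder's default says.  The two constants below are the
published text and the value proposed by Errata ID 4774.
"""

DEFAULT_ICVLEN_RFC5084 = 12  # RFC 5084 section 3.2 as published
DEFAULT_ICVLEN_ERRATUM = 16  # value proposed by Errata ID 4774
ALLOWED_ICVLEN = (12, 13, 14, 15, 16)


def _der_length(n):
    """DER length octets: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def encode_gcm_parameters(nonce, icvlen, default=DEFAULT_ICVLEN_RFC5084):
    """DER-encode GCMParameters; aes-ICVlen is omitted when it equals the
    encoder's notion of the DEFAULT, as DER requires."""
    if icvlen not in ALLOWED_ICVLEN:
        raise ValueError("aes-ICVlen must be one of 12..16 octets")
    body = _der_tlv(0x04, nonce)                 # OCTET STRING
    if icvlen != default:
        body += _der_tlv(0x02, bytes([icvlen]))  # INTEGER, always < 128
    return _der_tlv(0x30, body)                  # SEQUENCE


def _read_tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_gcm_parameters(blob, default=DEFAULT_ICVLEN_RFC5084):
    """Decode GCMParameters and return (nonce, icvlen).  When aes-ICVlen is
    absent the caller's DEFAULT is applied; that is the only place where the
    published text and the erratum disagree."""
    tag, body, end = _read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("expected a single SEQUENCE")
    tag, nonce, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("aes-nonce must be an OCTET STRING")
    if pos == len(body):
        return nonce, default
    tag, value, pos = _read_tlv(body, pos)
    if tag != 0x02 or pos != len(body) or len(value) != 1:
        raise ValueError("malformed aes-ICVlen")
    icvlen = value[0]
    if icvlen not in ALLOWED_ICVLEN:
        raise ValueError("aes-ICVlen out of range")
    return nonce, icvlen  # an explicitly encoded default is BER; tolerated


def forgery_security_bits(icvlen, max_blocks_log2):
    """Forgery resistance in bits for a tag of icvlen octets when messages
    may be up to 2**max_blocks_log2 blocks long, per the bound the erratum
    cites (96 - 32 = 64 for a 12-octet tag)."""
    return 8 * icvlen - max_blocks_log2


if __name__ == "__main__":
    nonce = bytes(range(12))  # constructed sample nonce, not a real one
    legacy = encode_gcm_parameters(nonce, 12)  # aes-ICVlen omitted
    print(legacy.hex())
    print(decode_gcm_parameters(legacy, DEFAULT_ICVLEN_RFC5084)[1])  # 12
    print(decode_gcm_parameters(legacy, DEFAULT_ICVLEN_ERRATUM)[1])  # 16
    print(forgery_security_bits(12, 32), forgery_security_bits(16, 32))
```

An explicit aes-ICVlen of 16 decodes the same under either default; only encodings that omit the field change meaning, which is why changing the DEFAULT (rather than only the RECOMMENDED length) affects how existing CMS messages are interpreted.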
