RFC 5084, "Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)", November 2007
Source of RFC: smime (sec)
Errata ID: 4774
Reported By: QUAN NGUYEN
Date Reported: 2016-08-11
Section 3.2 says:
aes-ICVlen AES-GCM-ICVlen DEFAULT 12
A length of 12 octets is RECOMMENDED.
It should say:
aes-ICVlen AES-GCM-ICVlen DEFAULT 16
A length of 16 octets is RECOMMENDED.
Notes:
Many JCE providers, including OpenJDK, BouncyCastle and Conscrypt, have a bug that uses a 12-byte authentication tag (aes-ICVlen) as the default if the code path uses CMS. According to Ferguson's attack (http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf), if a user encrypts a message of 2^32 blocks, then a 12-byte authentication tag length has only 96 - 32 = 64 bits of security, which is not good enough nowadays. Furthermore, once a forgery happens, authentication is leaked.
In other code paths, all providers use a 16-byte authentication tag as the default.
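The erratum turns on what a CMS consumer ends up with when aes-ICVlen is absent: DER omits a field equal to its DEFAULT, so a GCMParameters value that carries only the nonce means a 12-octet tag. The following checker is an added example written for this page; it is not the erratum's text, not code from RFC 5084, and not code from OpenJDK, BouncyCastle or Conscrypt. It decodes the GCMParameters SEQUENCE (aes-nonce OCTET STRING, optional aes-ICVlen INTEGER in the range 12..16 that RFC 5084 defines), applies the DEFAULT 12 rule when the field is missing, flags values below the 16 octets the erratum recommends, and generalises the note's "96 - 32 = 64" arithmetic to any tag length and message size. Only short-form DER lengths are handled, which is sufficient for this structure, and the sample encodings are constructed for the example rather than taken from any real CMS message.

```python
"""Decode the CMS GCMParameters structure of RFC 5084 section 3.2 and report
the effective ICV (authentication tag) length.

Added example for this errata page; not code from the erratum, the RFC, or any
JCE provider. Only short-form DER lengths (< 128) are supported, which is
enough for GCMParameters. The sample encodings at the bottom are constructed.
"""
import math

DEFAULT_ICVLEN = 12      # the DEFAULT RFC 5084 currently specifies
RECOMMENDED_ICVLEN = 16  # the value the erratum argues the DEFAULT should be


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV with a short-form length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form lengths are not supported in this example")
    start, end = pos + 2, pos + 2 + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[start:end], end


def parse_gcm_parameters(der):
    """Parse GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING,
    aes-ICVlen INTEGER (12 | 13 | 14 | 15 | 16) DEFAULT 12 }.

    Returns (nonce, icvlen, icvlen_was_explicit). DER requires a field equal
    to its DEFAULT to be omitted, so an absent aes-ICVlen means 12 octets.
    An explicitly encoded 12 (BER-style) is accepted and reported as explicit.
    """
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("GCMParameters must be a SEQUENCE")
    if end != len(der):
        raise ValueError("trailing bytes after GCMParameters")
    tag, nonce, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("aes-nonce must be an OCTET STRING")
    if pos == len(body):
        return nonce, DEFAULT_ICVLEN, False
    tag, value, pos = _read_tlv(body, pos)
    if tag != 0x02 or len(value) != 1:
        raise ValueError("aes-ICVlen must be a one-byte INTEGER")
    if pos != len(body):
        raise ValueError("unexpected content after aes-ICVlen")
    icvlen = value[0]
    if not 12 <= icvlen <= 16:
        raise ValueError("aes-ICVlen outside the AES-GCM-ICVlen range 12..16")
    return nonce, icvlen, True


def effective_security_bits(icvlen_octets, message_blocks):
    """Tag bits minus log2(message length in 128-bit blocks): the erratum's
    approximation of a truncated GCM tag's forgery resistance
    (96 - 32 = 64 for a 12-octet tag over a 2^32-block message)."""
    return icvlen_octets * 8 - math.log2(message_blocks)


def meets_recommendation(icvlen_octets):
    """True when the tag length is at least the 16 octets the erratum recommends."""
    return icvlen_octets >= RECOMMENDED_ICVLEN


# Constructed sample encodings (not taken from any real CMS message).
NONCE = bytes(range(12))
# SEQUENCE(14) { OCTET STRING(12) nonce }            -> aes-ICVlen absent, DEFAULT 12
PARAMS_DEFAULT_ICV = bytes([0x30, 0x0E, 0x04, 0x0C]) + NONCE
# SEQUENCE(17) { OCTET STRING(12) nonce, INTEGER 16 } -> explicit 16-octet tag
PARAMS_ICV16 = bytes([0x30, 0x11, 0x04, 0x0C]) + NONCE + bytes([0x02, 0x01, 0x10])

if __name__ == "__main__":
    for label, der in (("absent aes-ICVlen", PARAMS_DEFAULT_ICV), ("explicit 16", PARAMS_ICV16)):
        nonce, icvlen, explicit = parse_gcm_parameters(der)
        print(f"{label}: icvlen={icvlen} explicit={explicit} "
              f"security@2^32 blocks={effective_security_bits(icvlen, 2 ** 32):.0f} bits "
              f"recommended={meets_recommendation(icvlen)}")
```

Running the block shows the two outcomes the note contrasts: the nonce-only encoding decodes to a 12-octet tag with 64 bits of forgery resistance at 2^32 blocks, while the encoding carrying INTEGER 16 decodes to 96 bits. A CMS implementation that wants the erratum's behaviour without waiting for the text to change can reject or warn on any GCMParameters where `meets_recommendation` returns False.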