RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

Found 2 records.

Status: Held for Document Update (1)

RFC 5084, "Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)", November 2007

Source of RFC: smime (sec)

Errata ID: 4727
Status: Held for Document Update
Type: Editorial

Reported By: Peter Dettman
Date Reported: 2016-07-01
Held for Document Update by: Stephen Farrell
Date Held: 2016-07-01

Section 3.2 says:

   The AES-GCM authenticated encryption algorithm is described in [GCM].
   A brief summary of the properties of AES-CCM is provided in Section
   1.5.

It should say:

   The AES-GCM authenticated encryption algorithm is described in [GCM].
   A brief summary of the properties of AES-GCM is provided in Section
   1.5.

Notes:

Section 3.2 discusses AES-GCM, and links to Section 1.5 (titled "AES-GCM"), so the text "AES-CCM" in the second sentence should be "AES-GCM".

Status: Rejected (1)

RFC 5084, "Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)", November 2007

Source of RFC: smime (sec)

Errata ID: 4774
Status: Rejected
Type: Technical

Reported By: QUAN NGUYEN
Date Reported: 2016-08-11
Rejected by: Kathleen Moriarty
Date Rejected: 2018-03-19

Section 3.2 says:

aes-ICVlen       AES-GCM-ICVlen DEFAULT 12

A length of 12 octets is RECOMMENDED.

It should say:

aes-ICVlen       AES-GCM-ICVlen DEFAULT 16

A length of 16 octets is RECOMMENDED.

Notes:

Many JCE providers including OpenJDK, BouncyCastle, Conscrypt have a bug to use 12 bytes authentication tag (aes-ICVlen) as default if the code path [1] uses CMS. According to Ferguson's attack (http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf), if a user encrypts 2^32 block length message, then 12 bytes authentication tag length has only 96 - 32 = 64 bits security which is not good enough nowadays. Furthermore, once a forgery happens then authentication is leaked.

[1] In other code paths, all providers use 16 bytes authentication tag as default.

------
AD Note: through on list discussions, it is clear this errata should be rejected.

The first half of this errata must be rejected. We do not change the ASN.1
for something like this under just about any circumstances.

Changing the recommendation of a value should probably not be done by an
erratum but by publishing a new document. We could make discuss and make
the recommendation change in the new S/MIME document in the LAMPS group
rather than in this document.

A possible way forward is a short draft that updates RFC 5084 to recommend the use of 16 octet authentication tags in all situations.
--VERIFIER NOTES--
AD Note: through on list discussions, it is clear this errata should be rejected.

The first half of this errata must be rejected. We do not change the ASN.1
for something like this under just about any circumstances.

Changing the recommendation of a value should probably not be done by an
erratum but by publishing a new document. We could make discuss and make
the recommendation change in the new S/MIME document in the LAMPS group
rather than in this document.

A possible way forward is a short draft that updates RFC 5084 to recommend the use of 16 octet authentication tags in all situations.

Report New Errata