-
Notifications
You must be signed in to change notification settings - Fork 154
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GCM: Allow nonces of any length #62
Comments
The That said, you almost certainly want to use a 96-bit nonce with AES-GCM. Notice what it actually does if the nonce isn't 96-bits: much like something like HMAC, it tolerates an "unusual sized" nonce via a special computation for this case. My understanding is there are some issues with it which make it somewhat undesirable versus specifying your own 96-bit nonce, but I don't have a citation offhand. This post covers some of the tradeoffs: https://crypto.stackexchange.com/posts/66500/revisions If you're really concerned with nonces, may I perhaps suggest AES-GCM-SIV? Otherwise, the only real argument for other nonce sizes for AES-GCM is protocols which have (mis)specified a different nonce size, e.g. Apple Pay's use of 128-bit nonces. I think it would be ok to add some specific nonce sizes used in protocols like this for interoperability in weird cases like this, with a note that a 96-bit nonce should be preferred. |
My use-case is interoperability with a Java implementation using BouncyCastle. The Java implementation uses variable-length nonces (for whatever weird reason). As such having preconfigured fixed lengths for some protocols doesn't solve my use-case directly. I could imagine a special trait or just method for GCM and similar algorithms allowing variable-length nonces, which takes the nonce as For now I'll use openssl. |
I'd suggest opening an issue on https://github.com/RustCrypto/traits requesting variable length nonce support as part of the AEAD trait. You can reference my comment here: |
So it seems I may have been a bit hasty to suggest that we need to modify the Non-standard-sized GCM nonces work a bit like XChaCha20/XSalsa20 vs ChaCha20/Salsa20: you compute a standard 96-bit sized nonce from a longer one. So rather than dealing with this in the trait, it can have separate Anyway, it should be possible to implement those methods in terms of That said, RustCrypto/traits#65 (i.e. fixing this upstream in the trait) is still worth considering. |
FYI, prospective PR to add support for non-96-bit nonces in #126. I ended up making |
Fixed in #126 |
Now released in |
How does this work? |
@drkslv the https://docs.rs/aes-gcm/latest/aes_gcm/struct.AesGcm.html You'll still need to specify the nonce size at compile time, currently using a |
@tarcieri Thank you very much! I had already figured it out myself by looking at your tests! what i did to make it compile, for reference: type Aes256GcmWith16BitNonce = AesGcm<Aes256, typenum::U16>;
let key = GenericArray::clone_from_slice(&master_key);
let cipher = Aes256GcmWith16BitNonce::new(&key);
cipher.decrypt_in_place( GenericArray::from_slice(&iv), &[], &mut ciphertext)
.expect("decrytion_failure"); also, at some point it might be worth the time to convert the code to actual const-generics, as it would allow people to just pass in the fixed-size array and have it automatically detect what constant to use |
We'd need to change the See the tracking issue here: RustCrypto/traits#970 |
yeah const-generics are a little fresh out of the oven right now - really looking forward to when they're fully stable and adopted tho- it's just so much cleaner |
Currently, AesGcm only allows nonces with a length of 12 bytes. However, the the AES-GCM specification allows nonces of any length:
Is there a way to use
AesGcm
with a nonce of a length ≠ 12 bytes?The text was updated successfully, but these errors were encountered: