diff options
| -rw-r--r-- | cryptography/hazmat/backends/openssl/backend.py | 2 | ||||
| -rw-r--r-- | docs/hazmat/primitives/symmetric-encryption.rst | 7 |
2 files changed, 6 insertions, 3 deletions
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 559ace7e..9697a4a6 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -321,7 +321,7 @@ class _CipherContext(object): if operation == self._DECRYPT: if not mode.tag or len(mode.tag) < 4: raise ValueError("Authentication tag must be provided " - "and >= 4 bytes when decrypting") + "and 4 bytes or longer when decrypting") res = self._backend.lib.EVP_CIPHER_CTX_ctrl( ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG, len(mode.tag), mode.tag diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 8ed64c7c..85d7d5b1 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -354,8 +354,10 @@ Modes .. note:: - Do not truncate the GCM authentication tag unless absolutely necessary. - If you must truncate the minimum allowable length is 4 bytes. + `NIST SP-800-38D`_ recommends that GCM tags be 128, 120, 122, 104, or + 96-bits in length. Tags are shortened by truncating bytes. Longer tags + provide better security margins. If you must shorten the tag the minimum + allowed length is 4 bytes (32 bits). :param bytes tag: The tag bytes to verify during decryption. When encrypting this must be None. @@ -395,3 +397,4 @@ Insecure Modes .. _`described by Colin Percival`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html .. _`recommends 96-bit IV length`: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf +.. _`NIST SP-800-38D`: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf |