On 6 March 2013 11:40, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Wed, Mar 06, 2013, Matej Kenda wrote:
>
> >
> > I am working on a solution which includes encryption of files of
> > arbitrary size (at least up to 2 GB) to be encrypted with AES CCM with
> > 256-bit key and uploaded to a server.
> >
>
> CCM isn't really the mode to use for that, GCM is better.
>
> There are two reasons. One is that you need to know the length of the AAD
> and plaintext in advance before you can process any data: this makes it
> unusable for things like streaming for CMS.
>

Right. But in the scenario the OP mentions this is file based so
potentially the length of the AAD and plaintext could be known in advance,
so this doesn't really apply in this situation.
> The second reason is that the standard (RFC 3610) has this requirement (T is
> the tag):
>
>    If the T value is not correct, the receiver MUST NOT reveal any
>    information except for the fact that T is incorrect.  The receiver
>    MUST NOT reveal the decrypted message, the value T, or any other
>    information.
>
> You can only check the tag if you've processed all the ciphertext so if you
> were handling it in parts you'd have to either buffer everything or perform
> two passes.
>
> The only way round this is to violate the standard and reveal some of the
> plaintext on the fly.
>

Hmmm...this doesn't really seem right though does it? The way we've got it
implemented at the moment makes CCM completely unusable for large amounts
of data (the OP mentions not getting it to work beyond 16MB - which isn't
really even that large).

I take your point about not violating the standard - but I doubt the author
of the standard meant to imply from that statement that you have to do
everything in memory and not buffer anything. Surely, this statement should
really be implemented by the application using OpenSSL, not by OpenSSL
itself? That's really just a documentation issue - we should make it clear
that users of the library should not do anything with the decrypted content
if it fails to verify. This is actually no different to the advice we would
give for GCM.

At the very least I think we should be providing the capability to switch
this "feature" off by some call to EVP_CIPHER_CTX_ctrl.

Matt
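To make the two constraints in the quoted text concrete, here is an added illustration of the CCM construction itself as RFC 3610 defines it; it is not OpenSSL's code or anything from this thread. The message length is encoded in the first CBC-MAC block B_0, which is why it must be known before any data is processed, and the tag is the CBC-MAC over the entire message, which is why it cannot be checked until the last byte is in. `enc` is assumed to be any 16-byte block permutation (AES-256 under the file key in the OP's case); the decrypt routine returns only success or failure, as the standard requires.

```python
import hmac
import struct
# Added illustration of the CCM construction (RFC 3610), not OpenSSL's code.
# enc is assumed to be any 16-byte block permutation, e.g. AES-256 under the file key.

def format_b0(nonce, aad_len, msg_len, tag_len):
    """First CBC-MAC block B_0: l(m) is encoded here, so CCM needs it up front."""
    L = 15 - len(nonce)                      # bytes reserved for the length field
    flags = (0x40 if aad_len else 0) | (((tag_len - 2) // 2) << 3) | (L - 1)
    return bytes([flags]) + nonce + msg_len.to_bytes(L, "big")
def counter_block(nonce, i):
    """A_i, the CTR-mode counter block; A_0 is used to encrypt the tag."""
    L = 15 - len(nonce)
    return bytes([L - 1]) + nonce + i.to_bytes(L, "big")
def _encode_aad(aad):
    n = len(aad)
    if n == 0:
        return b""
    hdr = (struct.pack(">H", n) if n < 0xFF00 else
           b"\xff\xfe" + struct.pack(">I", n) if n < 1 << 32 else
           b"\xff\xff" + struct.pack(">Q", n))
    return hdr + aad + b"\x00" * (-(len(hdr) + n) % 16)
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input
def _cbc_mac(enc, nonce, aad, msg, tag_len):
    """Tag = CBC-MAC over B_0 || AAD || message: every byte of msg is needed."""
    data = format_b0(nonce, len(aad), len(msg), tag_len) + _encode_aad(aad)
    data += msg + b"\x00" * (-len(msg) % 16)
    x = bytes(16)
    for i in range(0, len(data), 16):
        x = enc(_xor(x, data[i:i + 16]))
    return x[:tag_len]
def _ctr(enc, nonce, data, first):
    return b"".join(_xor(data[i:i + 16], enc(counter_block(nonce, first + i // 16)))
                    for i in range(0, len(data), 16))
def ccm_encrypt(enc, nonce, aad, msg, tag_len=16):
    tag = _cbc_mac(enc, nonce, aad, msg, tag_len)
    return _ctr(enc, nonce, msg, 1) + _ctr(enc, nonce, tag, 0)   # ciphertext || U
def ccm_decrypt(enc, nonce, aad, ct, tag_len=16):
    """Plaintext on success, None on a bad tag: nothing else is revealed."""
    body, u = ct[:-tag_len], ct[-tag_len:]
    msg = _ctr(enc, nonce, body, 1)          # the whole body must be decrypted...
    expected = _cbc_mac(enc, nonce, aad, msg, tag_len)   # ...before T can be checked
    if not hmac.compare_digest(_ctr(enc, nonce, u, 0), expected):
        return None
    return msg
```

The B_0 and A_0 layouts can be checked against the packet vectors in RFC 3610; an application that streams decryption must buffer or double-pass exactly because `ccm_decrypt` cannot say anything before `expected` is available.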