On 3/10/2014 2:31 AM, Tim Whittington wrote: > > On 9/03/2014, at 10:50 pm, Tim Whittington > <[email protected] > <mailto:[email protected]>> wrote: > >> >> On 7/03/2014, at 9:14 am, Philipp Heckel <[email protected] >> <mailto:[email protected]>> wrote: >> >>> - Using javax.crypto.CipherInputStream with a cipher in GCM mode and >>> the SunJCE provider (JDK8+) is secure, but cannot be used large >>> files, because it will buffer all data until the tag is verified (as >>> defined by the GCM spec) [1] >> >> This (the part about it being secure) is not correct - when using >> javax.crypto.CipherInputStream with a cipher in GCM mode and the >> SunJCE provider (JDK8+) any tampering with the ciphertext will >> silently treat the result as a 0 byte authenticated stream. >> > > Sorry, I should have been clearer here - this problem occurs with any > provider (and any AE mode) not just the SunJCE GCM implementation. > It only happens before the authentication tag get checked. If the authN tag get read, the tampering can be detected.
Your concerns happen to any mode, even CBC mode. Better to make an improvement here if possible. Thanks, Xuelei
