[Swan] AES-GCM and message length hiding
Paul Wouters
paul at nohats.ca
Wed May 28 18:46:43 EEST 2014
On Wed, 28 May 2014, Mike C wrote:
> I have a question regarding AES-GCM usage in IPsec, and the impact of the lack of padding. In RFC 4106 section 3 it states that
> "Implementations that do not seek to hide the length of the plaintext SHOULD use the minimum amount of padding required, which
> will be less than four octets.". RFC 3602 for AES-CBC usage does not make any comment regarding hiding message length, presumably
> because the authors are happy at the minimum 16-byte padding?
>
> The RFC does not state if implementations should or should not seek to hide the length of the plaintext. I'm curious as to the
> approach taken by libreswan: Does it use padding > 4 octets, and if so/if not, what's the rationale behind the decision?
We currently do not support AES_GCM for IKE, only for IPsec. So you
should be looking at the kernel code and kernel people to answer that
question for you.
We do plan to add AES_GCM support for IKE, most likely in libreswan
3.10. Then, your question can be answered by the NSS people.
The fact that the RFC does not state this as a requirement most likely
means that there was no clear consensus on whether it was a required
or useful feature or not - people didn't care enough and probably
thought it was an uninteresting edge case?
Paul
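As an added illustration (not from this thread, libreswan or the kernel code), the padding arithmetic the question turns on: the script below computes the encrypted ESP length for a range of inner packet sizes under RFC 4106's minimum padding, under AES-CBC's 16-octet block padding, and with RFC 4303 section 2.7 TFC padding on top of AES-GCM. The 64-octet TFC bucket and the 40..47-octet sample sizes are assumptions chosen for the example.

```python
# Added example (not from the thread): how ESP padding leaks the plaintext
# length under AES-GCM vs AES-CBC, and how TFC padding (RFC 4303 sec. 2.7)
# hides it. The 64-octet TFC bucket is an assumption chosen for illustration.

ESP_TRAILER = 2  # Pad Length (1 octet) + Next Header (1 octet), RFC 4303


def gcm_pad_len(n: int) -> int:
    """RFC 4106: no cipher block alignment, only ESP's 4-octet alignment
    of (payload + padding + trailer), so padding is 0..3 octets."""
    return (-(n + ESP_TRAILER)) % 4


def cbc_pad_len(n: int) -> int:
    """RFC 3602: payload + padding + trailer must fill whole 16-octet AES
    blocks, so padding is 0..15 octets."""
    return (-(n + ESP_TRAILER)) % 16


def tfc_pad_len(n: int, bucket: int) -> int:
    """TFC padding rounds the inner packet up to the next bucket so only
    the bucket, not the exact plaintext length, is observable on the wire."""
    return (-n) % bucket


def encrypted_len(n: int, pad_fn, tfc_bucket: int = 0) -> int:
    """Length of ESP's encrypted region for an n-octet inner packet:
    optional TFC padding, then cipher/alignment padding, then the trailer."""
    if tfc_bucket:
        n += tfc_pad_len(n, tfc_bucket)
    return n + pad_fn(n) + ESP_TRAILER


def observable_lengths(sizes, pad_fn, tfc_bucket: int = 0):
    """Distinct on-the-wire lengths an eavesdropper sees for `sizes`;
    fewer distinct values means less length information is leaked."""
    return sorted({encrypted_len(n, pad_fn, tfc_bucket) for n in sizes})


if __name__ == "__main__":
    sizes = range(40, 48)  # constructed sample: inner packets of 40..47 octets
    print("AES-GCM, minimum padding:", observable_lengths(sizes, gcm_pad_len))
    print("AES-CBC, block padding:  ", observable_lengths(sizes, cbc_pad_len))
    print("AES-GCM + TFC (64):      ", observable_lengths(sizes, gcm_pad_len, 64))
```

With minimum padding, AES-GCM reveals the plaintext length to within 4 octets, AES-CBC to within 16; TFC padding collapses the whole sample range onto one observable length.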