[Swan] AES-GCM and message length hiding

Mike C smith.not.western at gmail.com
Wed May 28 23:09:58 EEST 2014


Makes sense, thank you for the quick response.

Mike


On Wed, May 28, 2014 at 4:46 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Wed, 28 May 2014, Mike C wrote:
>
>> I have a question regarding AES-GCM usage in IPsec, and the impact of the
>> lack of padding. In RFC 4106 section 3 it states that
>> "Implementations that do not seek to hide the length of the plaintext
>> SHOULD use the minimum amount of padding required, which
>> will be less than four octets.". RFC 3602 for AES-CBC usage does not make
>> any comment regarding hiding message length, presumably
>> because the authors are happy at the minimum 16-byte padding?
>>
>> The RFC does not state if implementations should or should not seek to
>> hide the length of the plaintext. I'm curious as to the
>> approach taken by libreswan: Does it use padding > 4 octets, and if so/if
>> not, what's the rationale behind the decision?
>>
>
> We currently do not support AES_GCM for IKE, only for IPsec. So you
> should be looking at the kernel code and kernel people to answer that
> question for you.
>
> We do plan to add AES_GCM support for IKE, most likely in libreswan
> 3.10. Then, your question can be answered by the NSS people.
>
> The fact that the RFC does not state this as a requirement most likely
> means that there was no clear consensus on whether it was a required
> or useful feature or not - people didn't care enough and probably
> thought it was an uninteresting edge case?
>
> Paul
>
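The RFC 4303 trailer arithmetic behind Mike's question, as an added example (not code from the thread, from libreswan or from the kernel ESP implementation): the Pad Length and Next Header octets must end on a 4-octet boundary, so an AEAD transform like AES-GCM (RFC 4106) needs at most three octets of padding, while AES-CBC (RFC 3602) pads the whole block to 16 octets. The code computes minimum padding for both, the resulting on-the-wire length, and the set of plaintext lengths an observer cannot distinguish; it also shows what hiding length with only the 255-octet ESP Padding field would cost. The IV and ICV sizes (8 and 16 octets for AES-GCM, 16 and an assumed 12-octet HMAC ICV for AES-CBC) and the "round up to a bucket" policy are assumptions for illustration, not anything the thread or RFC 4106 mandates.

```python
"""ESP padding arithmetic (RFC 4303 section 2.4) for AES-GCM versus AES-CBC.

Added example: none of this is libreswan or kernel code. Transform overheads
below are assumptions chosen to make the wire lengths concrete.
"""
from dataclasses import dataclass
from typing import List, Optional

TRAILER = 2     # Pad Length (1 octet) + Next Header (1 octet)
MAX_PAD = 255   # Pad Length is a single octet, so ESP Padding caps at 255


@dataclass(frozen=True)
class Transform:
    name: str
    align: int    # required alignment of payload + Padding + trailer
    iv_len: int   # explicit IV octets in front of the ciphertext
    icv_len: int  # integrity check value octets after the ciphertext


# Assumed overheads: AES-GCM per RFC 4106 uses an 8-octet IV and (by default)
# a 16-octet ICV and only needs the 4-octet ESP alignment. AES-CBC needs
# 16-octet blocks, a 16-octet IV, plus a separate integrity ICV (12 assumed).
AES_GCM = Transform("AES-GCM", align=4, iv_len=8, icv_len=16)
AES_CBC = Transform("AES-CBC", align=16, iv_len=16, icv_len=12)


def min_padding(payload_len: int, align: int) -> int:
    """Smallest Padding so payload + Padding + Pad Length + Next Header
    is a multiple of `align` (RFC 4303 requires align >= 4)."""
    if align < 4 or align % 4:
        raise ValueError("ESP alignment must be a multiple of 4 octets")
    return (-(payload_len + TRAILER)) % align


def padding_for_bucket(payload_len: int, align: int, bucket: int) -> int:
    """Hypothetical length-hiding policy: round the plaintext up to a
    multiple of `bucket` using only the ESP Padding field."""
    if bucket % align:
        raise ValueError("bucket must be a multiple of the cipher alignment")
    pad = (-(payload_len + TRAILER)) % bucket
    if pad > MAX_PAD:
        raise ValueError("ESP Padding cannot exceed 255 octets")
    return pad


def esp_trailer(payload: bytes, pad_len: int, next_header: int = 4) -> bytes:
    """Payload || Padding || Pad Length || Next Header, with the RFC 4303
    default padding content 1, 2, 3, ... (next_header 4 = IP-in-IP)."""
    if not 0 <= pad_len <= MAX_PAD:
        raise ValueError("pad_len out of range")
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def wire_len(payload_len: int, t: Transform, pad_len: Optional[int] = None) -> int:
    """Octets following the 8-octet SPI/Sequence header: IV || ciphertext || ICV."""
    if pad_len is None:
        pad_len = min_padding(payload_len, t.align)
    return t.iv_len + payload_len + pad_len + TRAILER + t.icv_len


def candidate_payload_lens(observed: int, t: Transform) -> List[int]:
    """Plaintext lengths an on-path observer cannot tell apart given one
    observed wire length, assuming minimum padding was used."""
    return [n for n in range(observed) if wire_len(n, t) == observed]


if __name__ == "__main__":
    for n in (40, 100, 1400):
        for t in (AES_GCM, AES_CBC):
            w = wire_len(n, t)
            print(f"{t.name:8} payload={n:5} pad={min_padding(n, t.align):2} "
                  f"wire={w:5} indistinguishable lengths={len(candidate_payload_lens(w, t))}")
    # Hiding within 64-octet buckets is cheap; 512-octet buckets exceed the
    # Padding field for most lengths and raise ValueError.
    print("pad to 64-octet bucket for 100 octets:", padding_for_bucket(100, 4, 64))
```

The `candidate_payload_lens` output is the practical content of the RFC 4106 sentence: with minimum padding an observer narrows an AES-GCM payload to one of 4 lengths and an AES-CBC payload to one of 16, which is why the CBC RFC had no reason to discuss it separately. Padding beyond 255 octets per packet is not available through the Padding field alone, so any stronger length hiding has to come from elsewhere in the stack.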