Add note on IV re-use in AES-GCM #209
Comments
|
I dug a bit the archive and I found this old kind of related issue https://www.w3.org/2012/webcrypto/track/actions/86 |
|
There's two separate issues here:
To the first point, it was intentional to expose the IV, for deterministic control over the encryption. This matches other APIs that expose GCM. To the second point, documentation about cryptographic design and the security considerations of algorithms was intentionally decided as out of scope. There was an (abandoned) attempt at documenting some of these at https://www.w3.org/2012/webcrypto/draft-irtf-cfrg-webcrypto-algorithms-01.html , but it was by design that the API focus on the API, and cryptographic best practices, which constantly evolve, left separate. |
|
(Pretty sure this is a WontFix) |
|
Closing per #209 (comment) |
This issue was originally reported by @asanso.
The AesGcmParams dictionary allows to set an IV. It's well known that IV re-use is bad in AES-GCM. For example, it allows to recover a key that is marked as unwrap only and not extractable.
It's probably not a good idea to not allow setting IVs. But a note warning of these pitfalls would be good.
The text was updated successfully, but these errors were encountered: