doc: update notes about GCM decryption
Given that #17825 and #20039 have landed on master, this statement is no longer true.

PR-URL: #21445
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
tniessen authored and targos committed Jun 24, 2018
1 parent fd520e7 commit 193d6d1
Showing 1 changed file with 2 additions and 10 deletions.
12 changes: 2 additions & 10 deletions doc/api/crypto.md
@@ -441,16 +441,8 @@ supported), the `decipher.setAuthTag()` method is used to pass in the
received _authentication tag_. If no tag is provided, or if the cipher text
has been tampered with, [`decipher.final()`][] will throw, indicating that the
cipher text should be discarded due to failed authentication. If the tag length
is invalid according to [NIST SP 800-38D][], `decipher.setAuthTag()` will throw
an error.

Note that this Node.js version does not verify the length of GCM authentication
tags. Such a check *must* be implemented by applications and is crucial to the
authenticity of the encrypted data, otherwise, an attacker can use an
arbitrarily short authentication tag to increase the chances of successfully
passing authentication (up to 0.39%). It is highly recommended to associate one
of the values 16, 15, 14, 13, 12, 8 or 4 bytes with each key, and to only permit
authentication tags of that length, see [NIST SP 800-38D][].
is invalid according to [NIST SP 800-38D][] or does not match the value of the
`authTagLength` option, `decipher.setAuthTag()` will throw an error.

The `decipher.setAuthTag()` method must be called before
[`decipher.final()`][].
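Review bot: the replacement text in this hunk drops the practical guidance that the removed paragraph carried, namely that an application should fix one tag length per key and reject tags of any other length, without telling readers how to keep that property now. The new sentence only says that `decipher.setAuthTag()` throws when the tag "does not match the value of the `authTagLength` option", which leaves the option itself undefined in this paragraph and implies the check only happens when the option was given. Suggest adding a short sentence after "`authTagLength` option, `decipher.setAuthTag()` will throw an error." recommending that applications pass `authTagLength` when creating the decipher so that the length check is enforced, and linking `authTagLength` to the section of this file where the option is documented.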