On Mon, Feb 2, 2015 at 3:58 AM, Leigh <lei...@gmail.com> wrote:

> On 2 February 2015 at 10:57, Leigh <lei...@gmail.com> wrote:
> > length (not sure how of
>
> Not sure how often tag lengths aside from 16 are used.
>

The documentation provided about the OCB mode of AES says the
following:

Section 3: The scheme

> The tag length is an integer τ ∈ [0 .. n]. ... As for the tag length, a
> suggested default of τ = 64 is reasonable. Tags of 32 bits are standard in
> retail banking. Tags of 96 bits are used in IPSec. Using a tag of more than
> 80 bits adds questionable security benefit, though it does lengthen each
> cipher text.
>

http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ocb/ocb-spec.pdf

Maybe E_WARNING on any tag length less than 64 would also be useful in OCB
mode(s).

The GCM mode is somewhat different regarding the allowed tag length(s).

Section 5.2.1.2 Output Data

> The bit length of the tag, denoted t, is a security parameter, as
> discussed in Appendix B. In general, t may be any one of the following five
> values: 128, 120, 112, 104, or 96. For certain applications, t may be 64
> or 32; guidance for the use of these two tag lengths, including
> requirements on the length of the input data and the lifetime of the key in
> these cases, is given in Appendix C.
>

http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

Tag lengths of 32 & 96 are common in lower-level, desktop-based applications,
as noted for IPSec & retail banking applications. I am not sure how commonly
these smaller tag lengths would apply to PHP; however, given the age of the
bug report compared to the age of the mode(s), requesting use of these
mode(s) doesn't seem to be common.
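
The tag-length rules quoted above, written as a userland check, as an added example that is not part of the original message or of the patch under discussion. It assumes PHP 7.1 or later with the openssl extension; `check_tag_bits()` and `gcm_decrypt_pinned()` are hypothetical names, and userland code raises `E_USER_WARNING` where the engine would raise `E_WARNING`.

```php
<?php
// Added illustration; check_tag_bits() and gcm_decrypt_pinned() are
// hypothetical helper names, not functions from PHP or the patch.
const GCM_GENERAL_BITS = [128, 120, 112, 104, 96]; // SP 800-38D, 5.2.1.2
const GCM_SPECIAL_BITS = [64, 32];                 // only with Appendix C limits

function check_tag_bits(string $mode, int $bits): bool
{
    if ($mode === 'gcm') {
        if (in_array($bits, GCM_SPECIAL_BITS, true)) {
            trigger_error("GCM tag of $bits bits needs the Appendix C limits", E_USER_WARNING);
            return true;
        }
        return in_array($bits, GCM_GENERAL_BITS, true);
    }
    if ($mode === 'ocb') {
        // OCB spec: tau in [0 .. n], n = 128 for AES. Whole bytes only is an
        // assumption here, because the tag is handled as a byte string.
        if ($bits < 0 || $bits > 128 || $bits % 8 !== 0) {
            return false;
        }
        if ($bits < 64) { // the warning threshold proposed in the message
            trigger_error("OCB tag of $bits bits is below 64", E_USER_WARNING);
        }
        return true;
    }
    throw new InvalidArgumentException("unknown mode: $mode");
}

function gcm_decrypt_pinned(string $ct, string $key, string $iv, string $tag, int $bits)
{
    // Refuse any tag whose length differs from the agreed one.
    if (!check_tag_bits('gcm', $bits) || strlen($tag) * 8 !== $bits) {
        return false;
    }
    return openssl_decrypt($ct, 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
}

// Constructed sample: random key and nonce, 96-bit (12-byte) tag.
$key = random_bytes(16);
$iv  = random_bytes(12);
$ct  = openssl_encrypt('constructed sample', 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, '', 12);

var_dump(gcm_decrypt_pinned($ct, $key, $iv, $tag, 96));
var_dump(gcm_decrypt_pinned($ct, $key, $iv, substr($tag, 0, 4), 96));
```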
