On 05/04/18 05:12, PS wrote:
> I am trying to decrypt TLS 1.2 records that are using the
> TLS_AES_128_GCM_SHA256 cipher-suite using openssl's EVP API.
>
> Per RFC 5246, decryption needs 4 inputs.
> "
>
> In order to decrypt and verify, the cipher takes as input the key,
> nonce, the "additional_data", and the AEADEncrypted value. The
> output is either the plaintext or an error indicating that the
> decryption failed. There is no separate integrity check. That is:
>
> TLSCompressed.fragment = AEAD-Decrypt(write_key, nonce,
> AEADEncrypted,
> additional_data)
>
> "
>
> But the AES-GCM decryption example on the openssl wiki at
> https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
> shows the decryption also takes as input the *tag* to be verified.
>
> I know that the Authentication tag is the last 16 bytes of the TLS 1.2
> record payload. But my confusion is why the RFC has no mention of the
> Authentication tag.
Well you have to look in the right RFC :-). TLSv1.2 is specified in RFC5246. This contains some high level information about how to use AEAD ciphersuites in TLSv1.2 (in particular see section 184.108.40.206).

Then there is RFC5288. This should be read in conjunction with RFC5246 and provides information on a set of specific AEAD ciphersuites - including all of the GCM ones. This provides information on how to construct the nonce from the explicit and implicit parts.

The ciphersuites make use of the AEAD_AES_128_GCM algorithm as specified in RFC5116. RFC5116 has this to say on the authentication tag:

   The AEAD_AES_128_GCM authenticated encryption algorithm works as
   specified in [GCM], using AES-128 as the block cipher, by providing
   the key, nonce, and plaintext, and associated data to that mode of
   operation. An authentication tag with a length of 16 octets (128
   bits) is used. The AEAD_AES_128_GCM ciphertext is formed by appending
   the authentication tag provided as an output to the GCM encryption
   operation to the ciphertext that is output by that operation.

Matt
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
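The point of Matt's reply, worked through in code as an added example (this is not code from the thread, from OpenSSL, or from the RFCs, and it uses Go's standard-library AES-GCM rather than the EVP API the question asks about): the TLS 1.2 nonce is the 4-byte implicit write IV followed by the 8-byte explicit nonce at the front of the record fragment (RFC 5288), the additional_data is seq_num || type || version || plaintext length (RFC 5246), and the "AEADEncrypted" value handed to AEAD-Decrypt is the ciphertext with the 16-byte tag already appended (RFC 5116). That is why the RFC needs no separate tag input: the tag is the last 16 bytes of the fragment, and the decrypt call verifies it before returning any plaintext. All key, IV, nonce and record values below are constructed for the example, not taken from a real session.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Lengths fixed by RFC 5288 (nonce layout) and RFC 5116 (AEAD_AES_128_GCM tag).
const (
	implicitNonceLen = 4  // client/server_write_IV, derived from the key block
	explicitNonceLen = 8  // sent in the clear at the front of each record fragment
	tagLen           = 16 // authentication tag appended to the GCM ciphertext
)

// tlsGCMRecord is one TLS 1.2 record protected with an AES-GCM ciphersuite.
// fragment = explicit_nonce || ciphertext || tag, as carried on the wire.
type tlsGCMRecord struct {
	contentType byte
	version     [2]byte
	seqNum      uint64
	fragment    []byte
}

// additionalData builds the RFC 5246 additional_data:
// seq_num || type || version || length, where length is the plaintext length.
func additionalData(contentType byte, version [2]byte, seqNum uint64, plaintextLen int) []byte {
	ad := make([]byte, 13)
	binary.BigEndian.PutUint64(ad[0:8], seqNum)
	ad[8], ad[9], ad[10] = contentType, version[0], version[1]
	binary.BigEndian.PutUint16(ad[11:13], uint16(plaintextLen))
	return ad
}

// newGCM returns AES-128-GCM with a 12-byte nonce and 16-byte tag, as RFC 5288 requires.
func newGCM(writeKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(writeKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// decryptRecord is AEAD-Decrypt(write_key, nonce, AEADEncrypted, additional_data).
// There is no tag parameter: AEADEncrypted is ciphertext || tag (RFC 5116), and
// cipher.AEAD.Open checks the trailing 16 bytes before releasing any plaintext.
func decryptRecord(writeKey, writeIV []byte, r tlsGCMRecord) ([]byte, error) {
	if len(writeIV) != implicitNonceLen || len(r.fragment) < explicitNonceLen+tagLen {
		return nil, fmt.Errorf("bad IV length %d or fragment length %d", len(writeIV), len(r.fragment))
	}
	aead, err := newGCM(writeKey)
	if err != nil {
		return nil, err
	}
	nonce := append(append([]byte{}, writeIV...), r.fragment[:explicitNonceLen]...)
	aeadEncrypted := r.fragment[explicitNonceLen:] // ciphertext || tag
	ad := additionalData(r.contentType, r.version, r.seqNum, len(aeadEncrypted)-tagLen)
	return aead.Open(nil, nonce, aeadEncrypted, ad)
}

// encryptRecord is the mirror operation, used here only to build a sample record.
func encryptRecord(writeKey, writeIV, explicitNonce []byte, contentType byte, version [2]byte, seqNum uint64, plaintext []byte) (tlsGCMRecord, error) {
	aead, err := newGCM(writeKey)
	if err != nil {
		return tlsGCMRecord{}, err
	}
	nonce := append(append([]byte{}, writeIV...), explicitNonce...)
	sealed := aead.Seal(nil, nonce, plaintext, additionalData(contentType, version, seqNum, len(plaintext)))
	fragment := append(append([]byte{}, explicitNonce...), sealed...) // explicit_nonce || ciphertext || tag
	return tlsGCMRecord{contentType: contentType, version: version, seqNum: seqNum, fragment: fragment}, nil
}

// Constructed sample material for the example (not from a real session).
var (
	sampleKey      = []byte("0123456789abcdef")    // 16-byte AES-128 write key
	sampleIV       = []byte{0xde, 0xad, 0xbe, 0xef} // 4-byte implicit nonce (salt)
	sampleExplicit = []byte{0, 0, 0, 0, 0, 0, 0, 1} // 8-byte explicit nonce
	sampleVersion  = [2]byte{0x03, 0x03}            // TLS 1.2
	samplePlain    = []byte("GET / HTTP/1.1\r\n\r\n")
)

// roundTrip encrypts one application_data (type 23) record, decrypts it, then shows
// that a corrupted tag or a mismatched sequence number makes AEAD-Decrypt fail.
func roundTrip() (plaintext []byte, tagTamperRejected, seqMismatchRejected bool, err error) {
	rec, err := encryptRecord(sampleKey, sampleIV, sampleExplicit, 23, sampleVersion, 1, samplePlain)
	if err != nil {
		return nil, false, false, err
	}
	if plaintext, err = decryptRecord(sampleKey, sampleIV, rec); err != nil {
		return nil, false, false, err
	}
	tampered := rec
	tampered.fragment = append([]byte{}, rec.fragment...)
	tampered.fragment[len(tampered.fragment)-1] ^= 0x01 // flip one bit of the tag
	_, tagErr := decryptRecord(sampleKey, sampleIV, tampered)
	replayed := rec
	replayed.seqNum = 2 // additional_data no longer matches what was authenticated
	_, seqErr := decryptRecord(sampleKey, sampleIV, replayed)
	return plaintext, tagErr != nil, seqErr != nil, nil
}

func main() {
	pt, tagRejected, seqRejected, err := roundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext: %q (matches: %v)\n", pt, bytes.Equal(pt, samplePlain))
	fmt.Println("tampered tag rejected:", tagRejected, "| wrong seq_num rejected:", seqRejected)
}
```

With the OpenSSL EVP API the same inputs map onto separate calls: the 12-byte nonce goes to the init call, the 13-byte additional_data to an update call with a NULL output, the ciphertext minus its last 16 bytes to the decrypt update, and those last 16 bytes to the tag control before the final call; splitting the tag off is a property of that API's interface, not of the RFC's definition of AEADEncrypted.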