diff options
| -rw-r--r-- | cryptography/hazmat/backends/openssl/backend.py | 4 | ||||
| -rw-r--r-- | docs/hazmat/primitives/symmetric-encryption.rst | 10 |
2 files changed, 8 insertions, 6 deletions
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py index 9697a4a6..b0ea96ea 100644 --- a/cryptography/hazmat/backends/openssl/backend.py +++ b/cryptography/hazmat/backends/openssl/backend.py @@ -320,8 +320,8 @@ class _CipherContext(object): assert res != 0 if operation == self._DECRYPT: if not mode.tag or len(mode.tag) < 4: - raise ValueError("Authentication tag must be provided " - "and 4 bytes or longer when decrypting") + raise ValueError("Authentication tag must be provided and " + "be 4 bytes or longer when decrypting") res = self._backend.lib.EVP_CIPHER_CTX_ctrl( ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG, len(mode.tag), mode.tag diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index 85d7d5b1..f009bb78 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -354,10 +354,12 @@ Modes .. note:: - `NIST SP-800-38D`_ recommends that GCM tags be 128, 120, 122, 104, or - 96-bits in length. Tags are shortened by truncating bytes. Longer tags - provide better security margins. If you must shorten the tag the minimum - allowed length is 4 bytes (32 bits). + Cryptography will emit a 128-bit tag when finalizing encryption. + You can shorten a tag by truncating it to the desired length, but this + is **not recommended** as it lowers the security margins of the + authentication (`NIST SP-800-38D`_ recommends 96-bit or greater). + If you must shorten the tag the minimum allowed length is 4 bytes + (32 bit). :param bytes tag: The tag bytes to verify during decryption. When encrypting this must be None. |