From ca73504e62e2c55a7235f94c78cb8ee4d3718590 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sat, 21 Dec 2013 17:31:48 -0600
Subject: add note regarding not truncating tags

---
 docs/hazmat/primitives/symmetric-encryption.rst | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'docs/hazmat')

diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
index f4d0457a..8ed64c7c 100644
--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
@@ -352,6 +352,11 @@ Modes
                                         Do not reuse an ``initialization_vector``
                                         with a given ``key``.
 
+    .. note::
+
+        Do not truncate the GCM authentication tag unless absolutely necessary.
+        If you must truncate the minimum allowable length is 4 bytes.
+
     :param bytes tag: The tag bytes to verify during decryption. When encrypting
                       this must be None.
 
-- 
cgit v1.2.3


From a7fbf07a3e96133b40df05ac5be159bbf6f1fc91 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sat, 21 Dec 2013 18:12:25 -0600
Subject: doc updates

---
 docs/hazmat/primitives/symmetric-encryption.rst | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'docs/hazmat')

diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
index 8ed64c7c..85d7d5b1 100644
--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
@@ -354,8 +354,10 @@ Modes
 
     .. note::
 
-        Do not truncate the GCM authentication tag unless absolutely necessary.
-        If you must truncate the minimum allowable length is 4 bytes.
+        `NIST SP-800-38D`_ recommends that GCM tags be 128, 120, 122, 104, or
+        96-bits in length. Tags are shortened by truncating bytes. Longer tags
+        provide better security margins. If you must shorten the tag the minimum
+        allowed length is 4 bytes (32 bits).
 
     :param bytes tag: The tag bytes to verify during decryption. When encrypting
                       this must be None.
@@ -395,3 +397,4 @@ Insecure Modes
 
 .. _`described by Colin Percival`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
 .. _`recommends 96-bit IV length`: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
+.. _`NIST SP-800-38D`: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
-- 
cgit v1.2.3


From fc73e2d04315e21011869fbd925df9e7a99d21ae Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sat, 21 Dec 2013 18:41:38 -0600
Subject: prose updates for GCM tag

---
 docs/hazmat/primitives/symmetric-encryption.rst | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'docs/hazmat')

diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
index 85d7d5b1..f009bb78 100644
--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
@@ -354,10 +354,12 @@ Modes
 
     .. note::
 
-        `NIST SP-800-38D`_ recommends that GCM tags be 128, 120, 122, 104, or
-        96-bits in length. Tags are shortened by truncating bytes. Longer tags
-        provide better security margins. If you must shorten the tag the minimum
-        allowed length is 4 bytes (32 bits).
+        Cryptography will emit a 128-bit tag when finalizing encryption.
+        You can shorten a tag by truncating it to the desired length, but this
+        is **not recommended** as it lowers the security margins of the
+        authentication (`NIST SP-800-38D`_ recommends 96-bit or greater).
+        If you must shorten the tag the minimum allowed length is 4 bytes
+        (32 bit).
 
     :param bytes tag: The tag bytes to verify during decryption. When encrypting
                       this must be None.
-- 
cgit v1.2.3


From 048d6cb43a0757f3b4cca385e788d30173ebcb17 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sat, 21 Dec 2013 18:53:19 -0600
Subject: a few more doc changes to gcm tag info

---
 docs/hazmat/primitives/symmetric-encryption.rst | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'docs/hazmat')

diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
index f009bb78..6e3c1024 100644
--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
@@ -357,9 +357,10 @@ Modes
         Cryptography will emit a 128-bit tag when finalizing encryption.
         You can shorten a tag by truncating it to the desired length, but this
         is **not recommended** as it lowers the security margins of the
-        authentication (`NIST SP-800-38D`_ recommends 96-bit or greater).
+        authentication (`NIST SP-800-38D`_ recommends 96-bits or greater).
         If you must shorten the tag the minimum allowed length is 4 bytes
-        (32 bit).
+        (32-bits). Applications **must** verify the tag is the expected length
+        to guarantee the expected security margin.
 
     :param bytes tag: The tag bytes to verify during decryption. When encrypting
                       this must be None.
-- 
cgit v1.2.3