danielberkompas / cloak

Elixir encryption library designed for Ecto
MIT License

AES GCM should use a 12 byte nonce instead of 16 #93

Closed archseer closed 4 years ago

archseer commented 5 years ago

I've been working on an interop module for decrypting cloak fields from rust. The nonce/IV is set to 16 bytes, but rust libraries have it specifically hardcoded to 12 bytes (support was removed even).

Related discussion here: https://github.com/siacs/Conversations/issues/2578

NIST guidelines say

For IVs, it is recommended that implementations restrict support to the length of 96 bits, to promote interoperability, efficiency, and simplicity of design.

&

Essentially anything greater than 12 bytes gets hashed down to 12 bytes, which increases the chance of (catastrophic) IV collisions compared to simply supplying a random 12 byte IV in the first place.

I'm not sure exactly how to patch this without breaking compatibility though. Maybe forking the module and specifying a different tag would be the way to go?
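To make the "hashed down" remark concrete, here is an added example (not code from cloak or from this thread) that derives GCM's pre-counter block J0 from an IV as NIST SP 800-38D specifies: a 96-bit IV is used verbatim, any other length goes through GHASH first. The GCM hash subkey H is normally AES_K(0^128); a constructed value stands in for it so no AES implementation is needed.

```python
# Added example (not from the cloak project): derive GCM's pre-counter block J0
# from an IV the way NIST SP 800-38D specifies, to show why only a 96-bit IV
# is used directly. H is the GCM hash subkey (AES_K(0^128)); a constructed
# value stands in for it here so no AES implementation is needed.

R = 0xE1000000000000000000000000000000  # x^128 + x^7 + x^2 + x + 1, GCM bit order
ONE = 1 << 127                           # multiplicative identity in GCM's bit order


def gf_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) (SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:       # bit i of y, counting from the MSB
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: int, data: bytes) -> int:
    """GHASH_H over a whole number of 16-byte blocks."""
    if len(data) % 16:
        raise ValueError("GHASH input must be a multiple of 16 bytes")
    y = 0
    for i in range(0, len(data), 16):
        y = gf_mul(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y


def gcm_j0(h: int, iv: bytes) -> bytes:
    """Pre-counter block J0 (SP 800-38D section 7.1, step 2)."""
    if len(iv) == 12:
        # 96-bit IV: used verbatim, so distinct IVs always give distinct J0.
        return iv + b"\x00\x00\x00\x01"
    # Any other length: the IV is padded and run through GHASH; the 16-byte
    # result is a hash output, not the IV itself.
    pad = b"\x00" * (-len(iv) % 16)
    block = iv + pad + bytes(8) + (8 * len(iv)).to_bytes(8, "big")
    return ghash(h, block).to_bytes(16, "big")


def effective_nonce(h: int, iv: bytes) -> bytes:
    """The 96 bits every counter block of a message shares: inc32 only touches
    the low 32 bits of J0, so this prefix is the nonce that actually matters."""
    return gcm_j0(h, iv)[:12]


if __name__ == "__main__":
    H = int.from_bytes(bytes(range(16)), "big")  # constructed hash subkey
    for iv in (bytes(12), bytes(16)):
        print(len(iv), effective_nonce(H, iv).hex())
```

With a 12-byte IV the effective nonce is the IV itself; with a 16-byte IV it is the first 12 bytes of a GHASH output, which is what the collision concern above refers to.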

danielberkompas commented 5 years ago

I think a new cipher is the correct solution in this case. You can probably implement it locally in your project, using Cloak.Ciphers.AES.GCM as a guide.

In Cloak 2.0, we can change the default IV length while providing an upgrade path.

danielberkompas commented 4 years ago

This has been partially addressed by #95. In Cloak 2.0, the default IV length will be 12 bytes.

For now, you can switch to 12-byte IVs like so:

  1. Add a 12-byte key configuration to your Cloak vault:
ciphers: [
    default: {Cloak.Ciphers.AES.GCM, tag: "AES.GCM.V2", key: <<...>>, iv_length: 12},
    retired: {Cloak.Ciphers.AES.GCM, tag: "AES.GCM.V1", key: <<...>>, iv_length: 16}
]

This will cause your vault to gradually re-encrypt all your data to 12 byte IVs as it is read and written.

  2. To eagerly re-encrypt your data, see cloak_ecto's migrate feature.

Neustradamus commented 4 years ago

Linked to: