sharplispers / ironclad

A cryptographic toolkit written in Common Lisp
BSD 3-Clause "New" or "Revised" License

aes-gcm iv length other than 12 #40

Closed ghost closed 3 years ago

ghost commented 3 years ago

At the moment, the initialization-vector for aes-gcm can only be 12 bytes long.

Although it is not recommended, other values are possible. For example, the German Elektronisches Gerichts- und Verwaltungspostfach (EGVP) uses 16 bytes.

1) Does anybody know how to deal with other iv lengths?

2) Why is iv in ironclad initialized with trailing #(0 0 0 2) and not #(0 0 0 1)?

glv2 commented 3 years ago
1. Yes, currently only IVs of 12 bytes are implemented, but supporting other lengths should not be too difficult. If I recall correctly, we would just need to hash the IV with gmac instead of using it as-is.

2. According to section 7.1 of the spec (NIST Special Publication 800-38D), the IV is first padded with #(0 0 0 1) and then incremented before being passed to the cipher. Therefore the IV passed to the cipher is in fact padded with #(0 0 0 2).
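The two points glv2 makes above (a non-96-bit IV is run through GHASH to obtain the pre-counter block J0, and the counter handed to the block cipher is inc32(J0), so a 12-byte IV ends up suffixed with 0 0 0 2 rather than 0 0 0 1) can be checked directly against SP 800-38D. The following is an added example written for this page, not ironclad's code: it implements GF(2^128) multiplication (Algorithm 1 of the spec), GHASH, inc32 and the J0 derivation of section 7.1 in Python. AES itself is out of scope, so the hash subkey H, which GCM normally computes as AES_K(0^128), is passed in directly; the H and IV values in the demo are constructed for illustration.

```python
"""GCM pre-counter block J0 and GHASH, following NIST SP 800-38D (sections 6.4 and 7.1).

Added example, not ironclad's code. The hash subkey H is supplied by the caller;
in real GCM it is AES_K(0^128). Sample inputs below are constructed.
"""

# Reduction constant R = 11100001 || 0^120 from Algorithm 1, as a 128-bit integer
R = 0xE1 << 120


def gf128_mul(x: int, y: int) -> int:
    """Multiply x and y in GF(2^128) using GCM's bit ordering (SP 800-38D, Algorithm 1).

    Bit 0 of a block is its leftmost (most significant) bit, so the multiplicative
    identity is the byte string 80 00 ... 00, i.e. the integer 1 << 127.
    """
    z = 0
    v = y
    for i in range(128):
        if (x >> (127 - i)) & 1:  # x_i, scanning from the leftmost bit
            z ^= v
        if v & 1:                 # rightmost bit set: shift and reduce
            v = (v >> 1) ^ R
        else:
            v >>= 1
    return z


def ghash(h: bytes, data: bytes) -> bytes:
    """GHASH_H(data): Y_i = (Y_{i-1} xor X_i) * H over 16-byte blocks, Y_0 = 0."""
    if len(h) != 16 or len(data) % 16:
        raise ValueError("H must be 16 bytes and data a multiple of 16 bytes")
    h_int = int.from_bytes(h, "big")
    y = 0
    for off in range(0, len(data), 16):
        block = int.from_bytes(data[off:off + 16], "big")
        y = gf128_mul(y ^ block, h_int)
    return y.to_bytes(16, "big")


def inc32(block: bytes) -> bytes:
    """Increment the rightmost 32 bits modulo 2^32; the leftmost 96 bits are untouched."""
    if len(block) != 16:
        raise ValueError("counter block must be 16 bytes")
    ctr = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, "big")


def gcm_j0(h: bytes, iv: bytes) -> bytes:
    """Pre-counter block J0 (SP 800-38D, section 7.1, step 2).

    96-bit IV:  J0 = IV || 0^31 || 1
    otherwise:  J0 = GHASH_H(IV || 0^(s+64) || [len(IV)]_64), with s the number of
                zero bits that pad the IV to a multiple of 128 bits and len(IV) in bits.
    """
    if not iv:
        raise ValueError("IV must not be empty")
    if len(iv) == 12:
        return iv + b"\x00\x00\x00\x01"
    pad = (-len(iv)) % 16                       # the s zero bits, as bytes
    length_field = (8 * len(iv)).to_bytes(8, "big")
    return ghash(h, iv + bytes(pad) + bytes(8) + length_field)


def first_counter_block(h: bytes, iv: bytes) -> bytes:
    """Counter block fed to the cipher for the first plaintext block: inc32(J0).

    J0 itself is only encrypted to mask the tag, which is why a 12-byte IV reaches
    the cipher with a trailing 0 0 0 2 during encryption.
    """
    return inc32(gcm_j0(h, iv))


if __name__ == "__main__":
    sample_h = bytes(range(16))  # constructed hash subkey; real GCM uses AES_K(0^128)
    for iv in (bytes(12), bytes(range(16)), b"\x01" * 8):
        print(f"IV len {len(iv):2d}: J0={gcm_j0(sample_h, iv).hex()} "
              f"first counter={first_counter_block(sample_h, iv).hex()}")
```

With a 12-byte IV the first counter block is the IV followed by 00 00 00 02, matching the behaviour the question asks about; with any other length J0 is a full GHASH output, so the IV bytes are no longer visible in the counter and the 32-bit counter wraps around whatever value GHASH produced, which is the reason the 96-bit case is the recommended one.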

glv2 commented 3 years ago

Solved by commit d100b9cdd3be1628cff1838d1f3b35cb94d535e9. Closing.