Late authentication in OpenSSL GCM decryption

Question

I am using OpenSSL's EVP interfaces to implement AES encryption using GCM mode.

Now GCM, being one of the authentication modes, provides cipher text integrity. Meaning it generates a tag (MAC - message authentication code) on the cipher text (and additional data, if provided). This tag can later be checked before decryption, to ensure that the cipher text has not been modified.

I have implemented the encryption as per this blog post: http://incog-izick.blogspot.in/2011/08/using-openssl-aes-gcm.html

While decrypting I am using the following API calls (in that order):

    // setting cipher, key and iv
    EVP_DecryptInit (ctx, EVP_aes_128_gcm(), key, iv);

    // setting tag
    EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_TAG, taglength, tagbuffer);

    // adding Additional Authenticated Data (AAD)
    EVP_DecryptUpdate (ctx, NULL, &length, aad, aadlength);

    // decrypting data
    EVP_DecryptUpdate (ctx, decrypteddata, &length, encrypteddata, encryptedlength);

    // authentication step
    EVP_DecryptFinal(ctx, outbuffer, &length);

The problem is that, if I modify the cipher text or the AAD, the cipher text is still decrypted and the error is detected in the final call of the decryption process i.e. in the call to EVP_DecryptFinal . A zero value is returned indicating error.

In my opinion error should be thrown in EVP_DecryptUpdate call itself and decryption should fail. The late error detection defeats the purpose of Authenticated Encryption.

What is the problem here?

Answer 1

How would it know that the MAC will fail before it reaches the end of the ciphertext? A streaming API needs to produce output before it knows it has reached the end.

To avoid this decrypt the whole message into an a temporary buffer, and only once you're finished decrypting work with the produced plaintext. There are APIs(such as NaCl's unbox) that only give you the ciphertext once it's verified, but those don't support streaming use.

Alternatively you could create a new encryption scheme that puts MACs at regular intervals into the ciphertext, which allows you to decrypt and verify those smaller blocks. Plain AES-GCM isn't enough for that.