I use OpenSSL EVP interfaces to implement AES encryption using GCM mode.
Now, GCM, as one of the authenticated modes, ensures the integrity of the ciphertext. This means that it generates a tag (MAC, message authentication code) over the ciphertext (and the additional data, if provided). You can check this tag later, before decryption, to make sure that the ciphertext has not been changed.
I have implemented encryption according to this blog post: http://incog-izick.blogspot.in/2011/08/using-openssl-aes-gcm.html
When decrypting, I use the following API calls (in that order):
    // setting cipher, key and iv
    EVP_DecryptInit(ctx, EVP_aes_128_gcm(), key, iv);
    // setting tag
    EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, taglength, tagbuffer);
    // adding Additional Authenticated Data (AAD)
    EVP_DecryptUpdate(ctx, NULL, &length, aad, aadlength);
    // decrypting data
    EVP_DecryptUpdate(ctx, decrypteddata, &length, encrypteddata, encryptedlength);
    // authentication step
    EVP_DecryptFinal(ctx, outbuffer, &length);
The problem is that if I modify the ciphertext or the AAD, the ciphertext is still decrypted and the error is only detected in the last call of the decryption process, that is, in the EVP_DecryptFinal call. A zero value is returned, indicating an error.
In my opinion, the error should be raised in the EVP_DecryptUpdate call, and decryption should fail there. Late error detection defeats the purpose of authenticated encryption.
What is the problem?