mirror of
https://github.com/jedisct1/libsodium.git
synced 2024-12-20 02:25:14 -07:00
Document crypto_aead_aes256gcm_*() limitations
This commit is contained in:
parent
cde31281d1
commit
9b7db7c3f3
@ -1,6 +1,24 @@
|
||||
#ifndef crypto_aead_aes256gcm_H
|
||||
#define crypto_aead_aes256gcm_H
|
||||
|
||||
/*
|
||||
* WARNING: Despite being the most popular AEAD construction due to its
|
||||
* use in TLS, safely using AES-GCM in a different context is tricky.
|
||||
*
|
||||
* No more than ~ 350 GB of input data should be encrypted with a given key.
|
||||
* This is for ~ 16 KB messages -- Actual figures vary according to the
|
||||
* message sizes.
|
||||
*
|
||||
* In addition, repeated nonces would totally destroy the security of this
|
||||
* scheme. Nonces should thus come from atomic counters, which can be
|
||||
* difficult to set up in a distributed environment.
|
||||
*
|
||||
* Unless you absolutely need AES-GCM, use crypto_aead_xchacha20poly1305_ietf_*()
|
||||
* instead. It doesn't have any of these limitations.
|
||||
* Or, if you don't need to authenticate additional data, just stick to
|
||||
* crypto_secretbox().
|
||||
*/
|
||||
|
||||
#include <stddef.h>
|
||||
#include "export.h"
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user