I am using OpenSSL's EVP interfaces to implement AES encryption using GCM mode.
Now GCM, being one of the authentication modes, provides cipher text integrity. Meaning it generates a tag (MAC - message authentication code) on the cipher text (and additional data, if provided). This tag can later be checked before decryption, to ensure that the cipher text has not been modified.
I have implemented the encryption as per this blog post: http://incog-izick.blogspot.in/2011/08/using-openssl-aes-gcm.html
While decrypting I am using the following API calls (in that order):
// setting cipher, key and iv
EVP_DecryptInit (ctx, EVP_aes_128_gcm(), key, iv);
// setting tag
EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_TAG, taglength, tagbuffer);
// adding Additional Authenticated Data (AAD)
EVP_DecryptUpdate (ctx, NULL, &length, aad, aadlength);
// decrypting data
EVP_DecryptUpdate (ctx, decrypteddata, &length, encrypteddata, encryptedlength);
// authentication step
EVP_DecryptFinal(ctx, outbuffer, &length);
The problem is that, if I modify the cipher text or the AAD, the cipher text is still decrypted and the error is detected in the final call of the decryption process i.e. in the call to EVP_DecryptFinal . A zero value is returned indicating error.
In my opinion error should be thrown in EVP_DecryptUpdate call itself and decryption should fail. The late error detection defeats the purpose of Authenticated Encryption.
What is the problem here?