In SymmetricCipher.java, the IV length constant is set to 128:
private static final int GCM_IV_LENGTH = 128;
This is used as a byte count in getInitializationVector():
byte[] iv = new byte[GCM_IV_LENGTH]; // 128 bytes = 1024 bits
For AES-GCM, NIST SP 800-38D (Section 5.2.1.1) recommends 96-bit (12-byte) IVs. While GCM does support arbitrary-length IVs, any length other than 96 bits triggers an additional GHASH computation to derive the actual pre-counter block (J0) from the supplied IV, which:
- Reduces the security bound of the construction
- Introduces a higher collision probability for the counter block
- Goes against NIST's explicit recommendation
Suggested Fix
private static final int GCM_IV_LENGTH = 12; // 96 bits, per NIST SP 800-38D
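The following is an added example, not code from SymmetricCipher.java or this project: a minimal AES-GCM wrapper with the constant set to 12 bytes, plus a length guard. The guard matters because the JCE itself accepts any IV length for "AES/GCM/NoPadding", so the 128-byte IV described above would not be rejected by the provider; the class name, method signatures and the AAD/tag constants are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class GcmIvCheck {

    // Constants named after the ones in the issue (assumed layout; not the project's file).
    private static final int GCM_IV_LENGTH = 12;        // 96 bits, per NIST SP 800-38D 5.2.1.1
    private static final int GCM_TAG_LENGTH_BITS = 128; // authentication tag size in bits
    private static final SecureRandom RNG = new SecureRandom();

    // Fresh random 96-bit IV for every encryption under the same key.
    static byte[] getInitializationVector() {
        byte[] iv = new byte[GCM_IV_LENGTH];
        RNG.nextBytes(iv);
        return iv;
    }

    // Shared guard: the provider silently accepts any IV length (the 128-byte
    // IV from the issue included), so the wrapper has to enforce 12 bytes itself.
    static void requireGcmIv(byte[] iv) {
        if (iv == null || iv.length != GCM_IV_LENGTH) {
            throw new IllegalArgumentException(
                "GCM IV must be " + GCM_IV_LENGTH + " bytes, got "
                + (iv == null ? "null" : Integer.toString(iv.length)));
        }
    }

    static byte[] encrypt(SecretKey key, byte[] iv, byte[] aad, byte[] plaintext) throws Exception {
        requireGcmIv(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv));
        cipher.updateAAD(aad);
        return cipher.doFinal(plaintext); // ciphertext || 16-byte tag
    }

    static byte[] decrypt(SecretKey key, byte[] iv, byte[] aad, byte[] ciphertextAndTag) throws Exception {
        requireGcmIv(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_LENGTH_BITS, iv));
        cipher.updateAAD(aad);
        return cipher.doFinal(ciphertextAndTag); // throws AEADBadTagException if tag does not verify
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        // Constructed sample inputs.
        byte[] aad = "header-v1".getBytes(StandardCharsets.UTF_8);
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        byte[] iv = getInitializationVector();
        byte[] ct = encrypt(key, iv, aad, msg);
        byte[] pt = decrypt(key, iv, aad, ct);
        System.out.println("round trip ok: " + Arrays.equals(msg, pt));

        // A 128-byte IV (the length the issue reports) is caught by the wrapper,
        // not by the provider; the zero buffer is only there to exercise the check.
        try {
            encrypt(key, new byte[128], aad, msg);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected oversized IV: " + e.getMessage());
        }
    }
}
```

A unit test in the project can call requireGcmIv with a 12-byte and a 128-byte buffer to pin the constant; that turns the NIST recommendation into something the build enforces rather than a comment next to the field.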
References