When creating a SealedBox, one of the parameters which needs to be passed is an authentication tag:
https://developer.apple.com/documentation/cryptokit/aes/gcm/sealedbox/init(nonce:ciphertext:tag:)
I have 2 questions about this:
- What should this authentication tag be? I have seen quite a few examples online where they simply pass an empty data buffer, Data(). For example here:
they say: "You should not provide a predetermined tag while encrypting."
Is passing an empty data buffer okay from a security point of view?
- If I pass something else, let's say some random data, as the authentication tag, how would the person decrypting it know about this tag? Can it be safely sent publicly? How should both parties come up with the same authentication tag?
EDIT:
Here's my encryptedData function which has an authenticating parameter.
import Foundation
import CryptoKit

// Lets a plain String be thrown, as the guard below does.
extension String: Error {}

func encryptedData(decryptedData: Data, key: SymmetricKey) throws -> Data {
    // `authenticating:` is the additional authenticated data (AAD): it is covered by the tag but not encrypted.
    let sealedMessage = try AES.GCM.seal(decryptedData, using: key, nonce: AES.GCM.Nonce(), authenticating: Data())
    // `combined` (nonce || ciphertext || tag) is nil only when the nonce is not the default 12 bytes.
    guard let encryptedData = sealedMessage.combined else {
        throw "Error in sealedMessage"
    }
    return encryptedData
}
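The following is an added example, not code from the question above, showing how the two parameters behave in CryptoKit: the GCM tag is produced by AES.GCM.seal and ships with the ciphertext (it is the last 16 bytes of `combined`, and it is the `tag:` argument when you rebuild a SealedBox with init(nonce:ciphertext:tag:)), while the `authenticating:` argument is additional authenticated data (AAD) that both sides must supply byte-for-byte identically. The `header` value and the helper names are assumptions made for the example; everything else is the CryptoKit API as shipped.

```swift
import Foundation
import CryptoKit

// Assumed for this example: a header that travels in the clear next to the ciphertext.
// Sender and receiver both build these exact bytes and pass them as `authenticating:`.
let header = Data("msg-v1;recipient=alice".utf8)

let key = SymmetricKey(size: .bits256)
let plaintext = Data("the quick brown fox".utf8)   // constructed sample input

// Encrypt. The tag is an OUTPUT of seal(); the caller never chooses it.
let box = try AES.GCM.seal(plaintext, using: key, authenticating: header)
print("nonce bytes:", Data(box.nonce).count)     // 12 (default nonce)
print("tag bytes:", box.tag.count)               // 16
print("ciphertext bytes:", box.ciphertext.count) // same length as the plaintext

// Wire format option 1: nonce || ciphertext || tag. All three are public values.
guard let wire = box.combined else {
    fatalError("combined is nil only for a non-12-byte nonce")
}

// Wire format option 2: send nonce, ciphertext and tag as separate fields and let the
// receiver rebuild the box with the initializer linked in the question.
let rebuilt = try AES.GCM.SealedBox(nonce: box.nonce,
                                    ciphertext: box.ciphertext,
                                    tag: box.tag)

// Receiver with the same key and the same AAD: the tag verifies and the plaintext comes back.
let opened = try AES.GCM.open(rebuilt, using: key, authenticating: header)
assert(opened == plaintext)

// Receiver that supplies different AAD: tag verification fails and open() throws.
do {
    _ = try AES.GCM.open(try AES.GCM.SealedBox(combined: wire),
                         using: key,
                         authenticating: Data("msg-v1;recipient=bob".utf8))
    assertionFailure("open must fail when the AAD differs")
} catch {
    print("different AAD rejected:", error)
}

// Flipping a single ciphertext bit is caught by the same tag check.
var tampered = box.ciphertext
tampered[0] ^= 0x01
let tamperedBox = try AES.GCM.SealedBox(nonce: box.nonce, ciphertext: tampered, tag: box.tag)
do {
    _ = try AES.GCM.open(tamperedBox, using: key, authenticating: header)
    assertionFailure("open must fail on modified ciphertext")
} catch {
    print("tampered ciphertext rejected:", error)
}
```

Run it as a script or in a playground; both failing open() calls throw CryptoKitError.authenticationFailure, and no partial plaintext is ever returned. Passing Data() as the AAD is a valid choice: it simply means nothing beyond the ciphertext is bound to the tag. The only thing that must never be reused is the nonce for a given key, which is why letting seal() generate a fresh AES.GCM.Nonce() each time, as the question's function does, is the right default.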