Currently passes:
    AESGCM(key).encrypt(iv, data, None)
Meaning:
    the header is NOT authenticated (it is not covered by the GCM tag)
    an attacker can flip MAGIC/VERSION without breaking the decryption logic early; decrypt() still succeeds on the modified header
BETTER (include the header as AAD, so any change to it fails tag verification):
    AESGCM(key).encrypt(iv, data, HEADER)
and:
    AESGCM(key).decrypt(iv, ct_and_tag, HEADER)
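Added example (not the reviewed project's code) showing the difference: the header is bound as AAD on seal and unseal, and a helper flips the VERSION byte to confirm that decryption then raises InvalidTag, whereas with AAD=None the same change goes unnoticed. MAGIC, VERSION, the 5-byte header layout and the 12-byte IV are assumptions; it needs the `cryptography` package.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.exceptions import InvalidTag

MAGIC = b"EXMP"        # assumed 4-byte magic
VERSION = b"\x01"      # assumed 1-byte format version
HEADER = MAGIC + VERSION
IV_LEN = 12            # 96-bit GCM nonce; never reuse with the same key

def seal(key: bytes, plaintext: bytes, bind_header: bool = True) -> bytes:
    """Return header || iv || ciphertext+tag. With bind_header the header is AAD."""
    iv = os.urandom(IV_LEN)
    aad = HEADER if bind_header else None      # None reproduces the reviewed code
    return HEADER + iv + AESGCM(key).encrypt(iv, plaintext, aad)

def unseal(key: bytes, blob: bytes, bind_header: bool = True) -> bytes:
    """Parse the blob and decrypt; raises InvalidTag if the tag does not verify."""
    hlen = len(HEADER)
    header, iv, ct_and_tag = blob[:hlen], blob[hlen:hlen + IV_LEN], blob[hlen + IV_LEN:]
    if header[:len(MAGIC)] != MAGIC:
        raise ValueError("bad magic")
    aad = header if bind_header else None      # pass the header as read from the blob
    return AESGCM(key).decrypt(iv, ct_and_tag, aad)

def header_tamper_detected(key: bytes, blob: bytes, bind_header: bool) -> bool:
    """Flip one bit of the VERSION byte; True if unseal() rejects the result."""
    tampered = bytearray(blob)
    tampered[len(MAGIC)] ^= 0x01
    try:
        unseal(key, bytes(tampered), bind_header)
    except InvalidTag:
        return True
    return False

def demo() -> dict:
    key = AESGCM.generate_key(bit_length=256)
    bound = seal(key, b"hello", bind_header=True)
    unbound = seal(key, b"hello", bind_header=False)
    return {
        "roundtrip": unseal(key, bound) == b"hello",
        "detected_with_aad": header_tamper_detected(key, bound, True),       # True
        "detected_without_aad": header_tamper_detected(key, unbound, False), # False
    }

if __name__ == "__main__":
    print(demo())
```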