From acc0869983ce776232f9292870460f473463d6e1 Mon Sep 17 00:00:00 2001 From: Gus Narea Date: Mon, 29 Jul 2024 11:06:17 +0100 Subject: [PATCH] RS-018: Recommend RBG method when using GCM --- rs018-algorithms.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rs018-algorithms.md b/rs018-algorithms.md index 589f3ed..e5f7c8d 100644 --- a/rs018-algorithms.md +++ b/rs018-algorithms.md @@ -46,7 +46,7 @@ Implementations MUST support SHA-256 (OID `2.16.840.1.101.3.4.2.1`) and they SHO Implementations MUST support AES-128, and they SHOULD also support AES-192 and AES-256. They MUST NOT support DES for security reasons. -More specifically, [Key Wrap mode](https://tools.ietf.org/html/rfc3394.html) MUST be used when encrypting cryptographic key materials and [GCM](https://tools.ietf.org/html/rfc5084) MUST be used when encrypting payloads. Consequently, the following ciphers are required or recommended: +More specifically, [Key Wrap mode](https://tools.ietf.org/html/rfc3394.html) MUST be used when encrypting cryptographic key materials and [Galois/Counter Mode GCM](https://tools.ietf.org/html/rfc5084) MUST be used when encrypting payloads. Consequently, the following ciphers are required or recommended: - AES-128-KW (required, OID `2.16.840.1.101.3.4.1.5`). - AES-192-KW (recommended, OID `2.16.840.1.101.3.4.1.25`). 
@@ -55,6 +55,10 @@ More specifically, [Key Wrap mode](https://tools.ietf.org/html/rfc3394.html) MUS - AES-192-GCM (recommended, OID `2.16.840.1.101.3.4.1.26`). - AES-256-GCM (recommended, OID `2.16.840.1.101.3.4.1.46`). +When using GCM, +the implementation SHOULD use the Random Bit Generator (RBG) method for IV construction as defined in [NIST SP 800-38D](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf) (Section 8.2.2), +to avoid the operational overhead of securely persisting sensitive values as required by the alternative method. + ### Asymmetric Ciphers Implementations MUST support RSA-OAEP (OID `1.2.840.113549.1.1.7`). They SHOULD also support Curve25519 (OID `1.3.101.110`), and they MAY support Curve448 (OID `1.3.101.111`).
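Review bot: Hunk 1 (line 49): the expanded link text `[Galois/Counter Mode GCM]` is missing the parentheses around the abbreviation; the rest of the document introduces abbreviations as `Name (ABBR)`, so this should read `[Galois/Counter Mode (GCM)](https://tools.ietf.org/html/rfc5084)`.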
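Review bot: Hunk 2 (new paragraph after the AES-256-GCM bullet): recommending the RBG-based construction from SP 800-38D Section 8.2.2 without its two accompanying constraints leaves implementers free to pick an unsafe IV length and an unbounded key lifetime. Section 8.2.2 requires the random field to be at least 96 bits, and Section 8.3 caps the number of authenticated-encryption invocations under a single key at 2^32 when IVs are generated this way, because a repeated IV under GCM breaks both confidentiality and authenticity; suggest stating both, e.g. `the IV MUST be at least 96 bits of RBG output and a key MUST NOT be used for more than 2^32 encryptions (SP 800-38D, Section 8.3)`. The rationale "securely persisting sensitive values" also misdescribes the alternative: the deterministic construction (Section 8.2.1) requires persisting an invocation counter so that it never repeats, which is a uniqueness requirement rather than a secrecy one, so "reliably persisting per-key state (the invocation counter) across invocations" would be more accurate.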