doc updates
diff --git a/cryptography/hazmat/backends/openssl/backend.py b/cryptography/hazmat/backends/openssl/backend.py
index 559ace7..9697a4a 100644
--- a/cryptography/hazmat/backends/openssl/backend.py
+++ b/cryptography/hazmat/backends/openssl/backend.py
@@ -321,7 +321,7 @@
if operation == self._DECRYPT:
if not mode.tag or len(mode.tag) < 4:
raise ValueError("Authentication tag must be provided "
- "and >= 4 bytes when decrypting")
+ "and 4 bytes or longer when decrypting")
res = self._backend.lib.EVP_CIPHER_CTX_ctrl(
ctx, self._backend.lib.Cryptography_EVP_CTRL_GCM_SET_TAG,
len(mode.tag), mode.tag
diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
index 8ed64c7..85d7d5b 100644
--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
@@ -354,8 +354,10 @@
.. note::
- Do not truncate the GCM authentication tag unless absolutely necessary.
- If you must truncate the minimum allowable length is 4 bytes.
+ `NIST SP-800-38D`_ recommends that GCM tags be 128, 120, 122, 104, or
+ 96-bits in length. Tags are shortened by truncating bytes. Longer tags
+ provide better security margins. If you must shorten the tag the minimum
+ allowed length is 4 bytes (32 bits).
:param bytes tag: The tag bytes to verify during decryption. When encrypting
this must be None.
@@ -395,3 +397,4 @@
.. _`described by Colin Percival`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
.. _`recommends 96-bit IV length`: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
+.. _`NIST SP-800-38D`: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf