
GCM security – The Galois Counter Mode

Posted by Whitney Koehler

16.2 GCM security

GCM’s biggest security risk is its fragility in case of nonce repetition. NIST’s GCM standard [57] requires the following:

The probability that the authenticated encryption function ever will be invoked with the same IV and the same key on two (or more) distinct sets of input data shall be no greater than 2^-32.

Moreover, care must be taken that the nonces do not repeat: if the same nonce N is used twice in an AES-GCM computation, an attacker would be able to compute the authentication key H. With the help of H, tags for any ciphertext, associated data, or both can be fabricated.

This is easy to see with a little bit of math. The authentication tag is computed as:

Now, if we have two tags T1 and T2 computed with the same nonce N, we can XOR T1 and T2 to obtain the following expression:

Because x ⊕ x = 0, the term EK(N∥0) (the AES encryption of N∥0 under the secret key K) will vanish. As a result, the attacker obtains the following expression:

Since the values A1,C1,A2,C2 are known to the attacker and the GHASH function is linear, the attacker can easily determine the hash key H. That, in turn, gives her the ability to forge the authentication tag T for any ciphertext C or associated data A (or both).
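As an added illustration (not code from the original post), the following Python implements GHASH over GF(2^128) with GCM's bit ordering and checks the cancellation described above on two constructed messages: when the same nonce is used twice, XORing the two tags removes the E_K(N∥0) term and leaves only a linear function of H and the known (A, C) pairs. The hash key `H` and the mask standing in for E_K(N∥0) are constructed constants here, not AES outputs; nothing below recovers H, it only shows why the mask no longer protects the tag.

```python
# Added example (not from the original post): a minimal GHASH over GF(2^128)
# used to show why reusing a nonce makes the E_K(N||0) mask cancel out.
# H and the mask are constructed constants; real GCM derives both from AES.

R = 0xE1 << 120  # reduction constant from SP 800-38D; bit 0 is the leftmost bit


def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) using GCM's bit ordering."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:  # bit i of x, counting from the left
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Split data into 16-byte blocks, zero-padding the last one."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")


def ghash(h: int, a: bytes, c: bytes) -> int:
    """GHASH_H(A, C) over A || pad || C || pad || [len(A)]64 || [len(C)]64."""
    y = 0
    for x in list(_blocks(a)) + list(_blocks(c)):
        y = gf_mult(y ^ x, h)
    lengths = ((len(a) * 8) << 64) | (len(c) * 8)
    return gf_mult(y ^ lengths, h)


def tag(h: int, mask: int, a: bytes, c: bytes) -> int:
    """T = GHASH_H(A, C) XOR E_K(N||0); `mask` stands in for E_K(N||0)."""
    return ghash(h, a, c) ^ mask


# Constructed stand-ins for the AES-derived values (not real key material).
H = 0x1F2E3D4C5B6A79880011223344556677      # constructed hash key
MASK = 0xA5A5A5A5DEADBEEF0123456789ABCDEF   # constructed E_K(N||0) for one nonce N


def mask_cancels_under_nonce_reuse(a1: bytes, c1: bytes, a2: bytes, c2: bytes):
    """Return (T1 ^ T2, GHASH(A1,C1) ^ GHASH(A2,C2)).

    Both tags are computed under the same nonce, i.e. the same MASK, so the
    two values are equal: the secret mask has dropped out of the XOR and what
    remains depends only on H and data the attacker already knows.
    """
    t1 = tag(H, MASK, a1, c1)
    t2 = tag(H, MASK, a2, c2)
    return t1 ^ t2, ghash(H, a1, c1) ^ ghash(H, a2, c2)


if __name__ == "__main__":
    lhs, rhs = mask_cancels_under_nonce_reuse(b"hdr-1", b"ciphertext one", b"hdr-2", b"other ct")
    print("T1 ^ T2 == GHASH1 ^ GHASH2:", lhs == rhs)
```

The equality holds for any two (A, C) pairs because the mask is added once to each tag and GHASH itself contains no nonce-dependent term; this is exactly the cancellation the text describes, and it is why a single repeated nonce, not a large number of them, is enough to endanger the authentication key.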

In 2016, Böck et al. [36] performed an internet-wide scan to investigate issues resulting from nonce reuse within the GCM block cipher mode used in TLS, with particular focus on AES-GCM. In this study, 184 HTTPS servers with repeating nonces were identified. As we have seen previously, this fully breaks the authenticity of the TLS connections. The affected servers included large corporations, financial institutions, and a credit card company. Furthermore, over 70,000 HTTPS servers were discovered that used random nonces. This puts the servers at risk of nonce reuse if a large amount of data is sent over the same connection.

Note in this respect that the NIST GCM standard requires that the total number of invocations of the authenticated encryption function shall not exceed 2^32, including all IV lengths and all instances of the authenticated encryption function with the given key.
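The two findings above (servers with random nonces, and the 2^32 invocation cap) point to the same mitigation: construct nonces deterministically from a counter and rotate the key before the budget is spent. The following Python is an added example, not code from the original post or from any library it cites; it implements the fixed-field-plus-counter construction for a 96-bit nonce with a per-key invocation budget, and a birthday-bound estimate that shows how many randomly chosen 96-bit nonces can be used before the repeat probability exceeds the 2^-32 requirement quoted earlier. The class name and parameters are this example's own choices.

```python
# Added example (not from the original post): deterministic 96-bit nonce
# construction with a per-key invocation budget, plus the birthday-bound
# estimate for random nonces. Names and parameters are this example's own.
import math


class GcmNonceManager:
    """Deterministic nonce: 32-bit fixed field || 64-bit invocation counter.

    The counter never wraps within the budget, so this manager cannot hand out
    the same nonce twice for one key; once the budget is spent it refuses to
    continue, forcing a key rotation instead of silently reusing nonces.
    """

    def __init__(self, fixed_field: int, max_invocations: int = 2 ** 32):
        if not 0 <= fixed_field < 2 ** 32:
            raise ValueError("fixed field must fit in 32 bits")
        self.fixed_field = fixed_field
        self.max_invocations = max_invocations
        self.invocations = 0

    def remaining(self) -> int:
        """Invocations left before the key must be rotated."""
        return self.max_invocations - self.invocations

    def next_nonce(self) -> bytes:
        if self.invocations >= self.max_invocations:
            raise RuntimeError("key exhausted: rotate the key before encrypting again")
        nonce = (self.fixed_field << 64) | self.invocations
        self.invocations += 1
        return nonce.to_bytes(12, "big")


def collision_probability(messages: int, nonce_bits: int = 96) -> float:
    """Birthday-bound estimate that at least one random nonce repeats."""
    return 1.0 - math.exp(-messages * (messages - 1) / (2.0 * 2 ** nonce_bits))


def messages_for_bound(bound: float = 2 ** -32, nonce_bits: int = 96) -> float:
    """Random nonces that can be drawn before the repeat probability reaches `bound`."""
    return math.sqrt(2.0 * 2 ** nonce_bits * bound)


if __name__ == "__main__":
    mgr = GcmNonceManager(fixed_field=0x0000ABCD)
    print("first nonce:", mgr.next_nonce().hex(), "remaining:", mgr.remaining())
    print("random 96-bit nonces before P(repeat) > 2^-32: about 2^%.1f"
          % math.log2(messages_for_bound()))
```

For random 96-bit nonces the bound is reached after roughly 2^32.5 messages, which is why the standard caps random-IV usage at 2^32 invocations per key; with the deterministic construction the 64-bit counter makes a repeat impossible long before that, and the budget check turns key exhaustion into an explicit error rather than a silent authenticity failure.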
