16.1.2 GHASH function
GCM’s authentication mechanism is based on a hash function called GHASH. The function contains a multiplication by a fixed parameter H within GCM’s finite field 𝔽_{2^128}. Effectively, the parameter H acts like a key, and GHASH can therefore be viewed as a keyed hash function.
Alice and Bob compute the hash key H by encrypting an all-zeros block 0^128 with their shared secret key k. GHASH is then used to compress the encoding of the additional authenticated data A and the ciphertext C into a single block. Finally, GCM encrypts this block to obtain the authentication tag T.
Notably, while GHASH is a keyed hash function, it is not a cryptographic hash function. This means it does not have the security properties of cryptographic hash functions we discussed in Chapter 11, Hash Functions and Message Authentication Codes. As a result, it cannot be used for cryptographic purposes outside of the GCM construction.
As with other GCM functions, the intermediate values of GHASH must be kept secret. The function takes the following arguments as input:
- Additional authenticated data A
- Ciphertext blocks C_i
- H, the encryption of 0^128 (a block of all zeros) under the shared secret key k
GHASH then outputs GHASH(H, A, C) = X_{m+n+1}, which is computed as shown in Algorithm 5. Here m denotes the number of 128-bit blocks in A, rounded up, and n denotes the number of 128-bit blocks in P, rounded up. In other words, the additional data A consists of (m − 1)·128 + v bits with 1 ≤ v ≤ 128, and the plaintext P consists of (n − 1)·128 + u bits with 1 ≤ u ≤ 128.
Algorithm 5: GCM GHASH function.
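The following is an added example (not code from the book) of GHASH written out directly: the 𝔽_{2^128} multiplication in GCM’s bit ordering, zero-padding of the last partial block of A and C, and the final 64||64-bit length block. The constants H_TC2, C_TC2 and EK_J0_TC2 are taken from the public NIST/McGrew–Viega GCM test vectors (AES-128, all-zero key and IV) so the result can be checked without an AES implementation; the tag is GHASH XORed with the encrypted pre-counter block, which is the "encryption" step the text refers to.

```python
# GCM's reduction constant: x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected order
R = 0xE1000000000000000000000000000000


def gf128_mul(x: int, y: int) -> int:
    """Multiply two 128-bit field elements (SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:      # bit x_i; x_0 is the leftmost bit
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Yield 128-bit blocks as integers; the final partial block is zero-padded."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")


def ghash(h: bytes, a: bytes, c: bytes) -> bytes:
    """GHASH(H, A, C) = X_{m+n+1}: fold A, then C, then [len(A)]_64 || [len(C)]_64."""
    hk = int.from_bytes(h, "big")
    x = 0
    for blk in _blocks(a):            # X_1 .. X_m
        x = gf128_mul(x ^ blk, hk)
    for blk in _blocks(c):            # X_{m+1} .. X_{m+n}
        x = gf128_mul(x ^ blk, hk)
    length_block = ((8 * len(a)) << 64) | (8 * len(c))
    x = gf128_mul(x ^ length_block, hk)  # X_{m+n+1}
    return x.to_bytes(16, "big")


def tag_from_ghash(h: bytes, a: bytes, c: bytes, ek_j0: bytes) -> bytes:
    """T = GHASH(H, A, C) XOR E_k(J0), the last step that turns the hash into the tag."""
    return bytes(g ^ e for g, e in zip(ghash(h, a, c), ek_j0))


# GCM test case 2 (k = 0^128, IV = 0^96, P = 0^128): H = E_k(0^128), C, and E_k(J0)
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
EK_J0_TC2 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")

if __name__ == "__main__":
    print("GHASH:", ghash(H_TC2, b"", C_TC2).hex())
    print("tag:  ", tag_from_ghash(H_TC2, b"", C_TC2, EK_J0_TC2).hex())
```

With empty A and C the length block is all zeros, so GHASH returns 0^128 and the tag equals E_k(J0) alone, which is exactly GCM test case 1.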

16.1.3 The AES-GCM authenticated cipher
GCM is specified in the NIST Special Publication 800-38D [57]. Its great importance for TLS is shown by the fact that it is also a mandatory-to-implement algorithm in TLS 1.3, meaning that every TLS 1.3 endpoint must implement this algorithm. Since [57] requires the use of a NIST-approved 128-bit block cipher, the AES algorithm [127] is the only reasonable choice. As a result, GCM is de facto a mode of operation of the AES algorithm [57].
The GCM authenticated encryption operation takes the following four inputs:
- A shared secret key k
- An initialization vector IV (which must be distinct for every GCM invocation under the same key)
- A plaintext message P
- Additional authenticated data A (this data is authenticated, but not encrypted)
Additional data A is used when the transmitted information must be protected in terms of its integrity and authenticity, but must not be encrypted. As an example, the header of a network packet contains routing information that must be readable by intermediate gateways. Thus, while the payload of the packet may be encrypted if confidentiality is desired, the header cannot be. It is nevertheless desirable to protect the header’s integrity and authenticity. There may also be scenarios where it is legally prohibited to encrypt the plaintext message P.