Authentication Key Recovery on Galois/Counter Mode (GCM)

  • John Mattsson
  • Magnus Westerlund
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9646)

Abstract

GCM is used in a vast number of security protocols and is quickly becoming the de facto mode of operation for block ciphers due to its exceptional performance. In this paper we analyze the NIST standardized version (SP 800-38D) of GCM, and in particular the use of short tag lengths. We show that feedback on successful or unsuccessful forgery attempts is almost always possible, contradicting the NIST assumptions for short tags. We also provide a complexity estimation of Ferguson’s authentication key recovery method on short tags, and suggest several novel improvements to Ferguson’s attacks that significantly reduce the security level for short tags. We show that for many truncated tag sizes, the security levels are far below not only the current NIST requirement of 112-bit security, but also the old NIST requirement of 80-bit security. We therefore strongly recommend that NIST revise SP 800-38D.

Keywords

Secret-key cryptography, Message Authentication Codes, Block ciphers, Cryptanalysis, Galois/Counter Mode, GCM, Authentication key recovery, AES-GCM, Suite B, IPsec, ESP, SRTP, Re-forgery

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Ericsson Research, Stockholm, Sweden