Authentication Key Recovery on Galois/Counter Mode (GCM)

  • John Mattsson
  • Magnus Westerlund
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9646)


GCM is used in a vast number of security protocols and is quickly becoming the de facto mode of operation for block ciphers due to its exceptional performance. In this paper we analyze the NIST standardized version (SP 800-38D) of GCM, and in particular the use of short tag lengths. We show that feedback on successful or unsuccessful forgery attempts is almost always possible, contradicting the NIST assumptions for short tags. We also provide a complexity estimate of Ferguson’s authentication key recovery method on short tags, and suggest several novel improvements to Ferguson’s attacks that significantly reduce the security level for short tags. We show that for many truncated tag sizes, the security levels are far below not only the current NIST requirement of 112-bit security, but also the old NIST requirement of 80-bit security. We therefore strongly recommend that NIST revise SP 800-38D.


Keywords: Secret-key cryptography, Message Authentication Codes, Block ciphers, Cryptanalysis, Galois/Counter Mode, GCM, Authentication key recovery, AES-GCM, Suite B, IPsec, ESP, SRTP, Re-forgery



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Ericsson Research, Stockholm, Sweden