[Ach] GCM in real time applications

timo timog24 at mailbox.org
Mon Jun 20 22:25:45 CEST 2016


I recently came across this story about NSA employees messing with crypto standards regarding internet telephony.
What's interesting are some details about the use of GCM in real-time applications like SRTP and ssh.

The story is in German, therefore I'm translating the relevant parts:


"This current NSA draft concerns the protocol for encrypting Internet telephony. The block cipher mode intended for it, called "Galois
Counter Mode" (GCM), however, was already described in 2005 by a renowned cryptography expert from Microsoft as generally attackable and
scathingly criticised. It was specifically and emphatically warned against using this cipher for real-time protocols; the encryption of
Internet telephony was cited as a negative practical example."

[...] The "Galois Counter Mode" (GCM) was heavily criticised in 2005 by a renowned crypto expert at Microsoft and described as generally vulnerable. It
was warned that especially in real-time applications this cipher should not be used. [...]

and

"The Finnish cryptographer Markku-Juhani Saarinen had likewise warned against using the block cipher in 2012 at the security conference FSE 2012 in
Washington. Especially for real-time protocols such as Secure Shell for virtual private networks, GCM is strongly advised against."

[...] The Finnish crypto expert Markku-Juhani Saarinen had also warned not to use the block cipher in 2012 at the security conference FSE in Washington.
Especially the use with real-time applications like ssh for VPN is not recommended. [...]


Source: http://fm4.orf.at/stories/1737330/

There is also this paper from Niels Ferguson describing the technical issues:
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf


So my question is: Why is nobody talking about this?
Even though it seems ok to use GCM with most https applications, it is also widely used and recommended with ssh and SRTP (like xmpp).
Should it not be recommended to avoid the use of GCM in these latter cases?

