[Ach] GCM in real time applications

Aaron Zauner azet at azet.org
Tue Jun 21 19:00:52 CEST 2016


> On 21 Jun 2016, at 20:42, timo <timog24 at mailbox.org> wrote:
> 
> Thanks for the reply.

Sure. I'm always happy to get rid of Crypto FUD. And debunk articles like the one you've cited earlier.

> 
> On Tue, Jun 21, 2016 at 01:16:57PM +0800, Aaron Zauner wrote:
>> Hi,
>> 
>> Full disclosure: we (Hanno, a couple of other people and myself) are working on GCM/GHASH attacks in real world implementations. A recent result of our research can be found here: https://eprint.iacr.org/2016/475
>> 
>> I've put extensive effort into reading up on past research w.r.t. GCM/GHASH since December.
>> 
>>> On 21 Jun 2016, at 04:25, timo <timog24 at mailbox.org> wrote:
>>> 
>>> I recently came across this story about NSA employees messing with crypto standards regarding internet telephony.
>>> Whats interesting is some details about the use of GCM in real time applications like SRTP and ssh.
>> 
>> This article is entirely false and makes false assumptions. I've written to the author and his security advisor back when it was published in 2014 that it should be retracted or at least corrected.
>> 
>>> 
>>> The story is in german therefore I'm translating the relevant parts:
>>> 
>>> 
>>> "This current NSA draft concerns the protocol for encrypting internet telephony. The block-cipher mode intended for it, called "Galois
>>> Counter Mode" (GCM), was however already described in 2005 as generally attackable and devastatingly criticised by a renowned
>>> cryptography expert from Microsoft. It was specifically and emphatically warned against using this cipher for real-time protocols;
>>> the encryption of internet telephony was cited as a negative practical example."
>>> 
>>> [...] The "Galois Counter Mode" (GCM) was heavily criticised in 2005 by a renowned crypto expert at Microsoft and described as generally vulnerable. It
>>> was warned that especially in realtime applications this cipher should not be used. [...]
>> 
>> Ferguson's critique is specifically on GCM with short tags. These aren't employed by many protocols and difficult to exploit. TLS is certainly not one of them.
> 
> So there are no common GCM implementations with those short tags.

There is a protocol that makes use of them and we're currently researching if attacks are possible. You'll have to find out yourself which one it is ;)

> Neither TLS nor SSH are affected by this then?

Correct. Some TLS implementations (none are widespread and no open-source implementation like OpenSSL is affected) are affected by Joux' forbidden attack -- which was also outlined in a comment during the NIST standardisation process --, it's the topic and research of the paper I've posted in my previous message and due to be a BlackHat USA talk in August.

I think I have to say this: this isn't an NSA backdoor and anyone that makes a suggestion in that direction is just tinfoilhattery. NIST, IETF and other specs clearly state that nonces should not be re-used (this isn't unique to GCM, but to nonce-based AEADs in general). Implementers that get this wrong are to blame here, not BigBrother. The IETF specifications for ChaCha20/Poly1305 as well as TLS 1.3 use a nonce construction that effectively mitigates this issue - if an implementer gets the nonce wrong, it'll simply not be interoperable with any other implementations, hence this will show up very early during development and QA phase in vendor/open-source engineering. I've also switched to this construction for my AES-OCB TLS cipher-suite draft. In essence this makes it nonce-misuse resistant without using a nonce misuse resistant AEAD (see https://www.lvh.io/posts/nonce-misuse-resistance-101.html for a good introduction on the topic of nonce misuse resistance).

> Or you can use good old ctr mode. Nothing against that as far as I know.
> In the end performance isn't the most important thing with ssh
> connections. That's rather something I worry about with TLS.

AES in counter mode is not an AEAD construct. It'll simply produce a stream cipher in protocols like TLS. For example: you won't find pure AES-CTR in TLS (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4). GCM is basically AES in counter mode (CTR) with GHASH and then you've got an AEAD. The same applies to SSH: There're aes-ctr constructions but all of them rely on an HMAC/UMAC for the authenticity/integrity part. Recent research by Kenny Paterson showed weaknesses in their implementation of encrypt-then-mac decryption operations for these in OpenSSH (see the next Thread on this mailing list). Though Kenny says they could not find a suitable candidate cipher for which this would be exploitable. I think other researchers will also look into this in the future as has been the case with many of Paterson's papers.

> BTW. chacha20/poly1305 is now also available in firefox.

I know.

Aaron
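Added example (not part of the original message or of any project Aaron mentions), illustrating two of the points above in Go using only the standard library: the TLS 1.3-style per-record nonce construction (static IV XORed with a sequence number that is never allowed to wrap), and the difference between bare AES-CTR, which silently decrypts a tampered record, and AES-GCM, which rejects it because the GHASH tag no longer verifies. The key, static IV, nonce and plaintext are constructed sample values, and `SeqCounter`, `RecordNonce`, `CTRRoundTrip` and `GCMRoundTrip` are names chosen for this example, not identifiers from TLS, OpenSSL or OpenSSH.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// NonceLen is the 96-bit nonce size AES-GCM uses in TLS.
const NonceLen = 12

// SeqCounter hands out monotonically increasing record sequence numbers and
// stops before wrapping: a wrapped counter would repeat a nonce under the same
// key, which is exactly the failure mode GCM must never see. A real stack
// rekeys long before this point.
type SeqCounter struct {
	next uint64
	done bool
}

// Next returns the next sequence number, or an error once the space is used up.
func (c *SeqCounter) Next() (uint64, error) {
	if c.done {
		return 0, errors.New("sequence space exhausted; rekey before sending more records")
	}
	n := c.next
	if n == ^uint64(0) {
		c.done = true
	} else {
		c.next++
	}
	return n, nil
}

// RecordNonce derives the per-record nonce the TLS 1.3 way: the 64-bit sequence
// number, left-padded with zeros to 12 bytes, XORed into the static IV derived
// from the handshake. Both peers must compute the same value, so a
// mis-derived IV or counter shows up as an interoperability failure in QA
// instead of a silent nonce reuse in production.
func RecordNonce(staticIV []byte, seq uint64) ([]byte, error) {
	if len(staticIV) != NonceLen {
		return nil, errors.New("static IV must be 12 bytes")
	}
	var padded [NonceLen]byte
	binary.BigEndian.PutUint64(padded[NonceLen-8:], seq)
	nonce := make([]byte, NonceLen)
	for i := range nonce {
		nonce[i] = staticIV[i] ^ padded[i]
	}
	return nonce, nil
}

// tamper returns a copy of ct with one bit flipped in the first byte, standing
// in for any on-path modification of a record.
func tamper(ct []byte) []byte {
	out := append([]byte(nil), ct...)
	out[0] ^= 0x20
	return out
}

// CTRRoundTrip encrypts with plain AES-CTR, tampers with the ciphertext and
// decrypts again. CTR alone carries no integrity check, so decryption cannot
// fail: it returns a plaintext with the same bit flipped. This is why CTR-based
// suites in SSH pair the cipher with an HMAC/UMAC.
func CTRRoundTrip(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, errors.New("CTR IV must be one block long")
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, tamper(ct))
	return pt, nil
}

// GCMRoundTrip does the same with AES-GCM (CTR plus GHASH). Open fails on the
// tampered record, so the receiver never sees the modified plaintext.
func GCMRoundTrip(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, nil)
	return aead.Open(nil, nonce, tamper(ct), nil)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit sample key
	staticIV := []byte("abcdefghijkl")  // constructed 12-byte sample static IV
	var ctr SeqCounter
	for i := 0; i < 3; i++ {
		seq, _ := ctr.Next()
		n, _ := RecordNonce(staticIV, seq)
		fmt.Printf("record %d nonce: %x\n", seq, n)
	}
	pt := []byte("transfer 100 EUR to account 42")
	ctrOut, _ := CTRRoundTrip(key, []byte("fedcba9876543210"), pt)
	fmt.Printf("AES-CTR after tampering: %q (accepted)\n", ctrOut)
	_, err := GCMRoundTrip(key, []byte("unique-nonce"), pt)
	fmt.Printf("AES-GCM after tampering: %v\n", err)
}
```

Running it shows three distinct nonces for three consecutive records, the CTR decryption quietly turning "transfer" into "Transfer", and GCM returning an authentication error for the same modification.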