
Authentication Key Recovery on Galois/Counter Mode (GCM)

  • Conference paper
Progress in Cryptology – AFRICACRYPT 2016 (AFRICACRYPT 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9646)


Abstract

GCM is used in a vast number of security protocols and is quickly becoming the de facto mode of operation for block ciphers due to its exceptional performance. In this paper we analyze the NIST standardized version (SP 800-38D) of GCM, and in particular the use of short tag lengths. We show that feedback on successful or unsuccessful forgery attempts is almost always possible, contradicting the NIST assumptions for short tags. We also provide a complexity estimate of Ferguson's authentication key recovery method on short tags, and suggest several novel improvements to Ferguson's attacks that significantly reduce the security level for short tags. We show that for many truncated tag sizes, the security levels are far below not only the current NIST requirement of 112-bit security, but also the old NIST requirement of 80-bit security. We therefore strongly recommend that NIST revise SP 800-38D.


Notes

  1.

    The Internet Drafts specifying the use of GCM in SRTP did originally allow also 64-bit and 96-bit tags, but this was removed after the publication of this paper on the Cryptology ePrint Archive and the discussion of this paper on the IETF AVTCORE mailing list.

  2.

    The calculations below lead us to the hypothesis that \(p_n \approx \frac{q^n}{n!} \prod _{j=0}^{n-1} \phi _j + \mathcal {O} \left( \frac{\phi _0 q^{n+1}}{(n+1)!} \prod _{j=0}^{n-1} \phi _j \right) \). This is however something that we do not use and that we do not prove, but by dividing q into n intervals, it is easy to prove that \(p_n \ge \frac{q^n}{n!} \prod _{j=0}^{n-1} \phi _j\).


Author information


Correspondence to John Mattsson .


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Mattsson, J., Westerlund, M. (2016). Authentication Key Recovery on Galois/Counter Mode (GCM). In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds) Progress in Cryptology – AFRICACRYPT 2016. AFRICACRYPT 2016. Lecture Notes in Computer Science, vol 9646. Springer, Cham. https://doi.org/10.1007/978-3-319-31517-1_7


  • DOI: https://doi.org/10.1007/978-3-319-31517-1_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31516-4

  • Online ISBN: 978-3-319-31517-1
