nach oben

Erschienen in:

2016 | OriginalPaper | Buchkapitel

Authentication Key Recovery on Galois/Counter Mode (GCM)

verfasst von : John Mattsson, Magnus Westerlund

Erschienen in: Progress in Cryptology – AFRICACRYPT 2016

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

GCM is used in a vast amount of security protocols and is quickly becoming the de facto mode of operation for block ciphers due to its exceptional performance. In this paper we analyze the NIST standardized version (SP 800-38D) of GCM, and in particular the use of short tag lengths. We show that feedback of successful or unsuccessful forgery attempt is almost always possible, contradicting the NIST assumptions for short tags. We also provide a complexity estimation of Ferguson’s authentication key recovery method on short tags, and suggest several novel improvements to Fergusons’s attacks that significantly reduce the security level for short tags. We show that for many truncated tag sizes; the security levels are far below, not only the current NIST requirement of 112-bit security, but also the old NIST requirement of 80-bit security. We therefore strongly recommend NIST to revise SP 800-38D.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Cryptanalysis of PRINCE with Minimal Data

Nächstes Kapitel Extreme Pipelining Towards the Best Area-Performance Trade-Off in Hardware

The Internet Drafts specifying the use of GCM in SRTP did originally allow also 64-bit and 96-bit tags, but this was removed after the publication of this paper on the Cryptology ePrint Archive and the discussion of this paper on the IETF AVTCORE mailing list.

The calculations below lead us to the hypothesis that \(p_n \approx \frac{q^n}{n!} \prod _{j=0}^{n-1} \phi _j + \mathcal {O} \left( \frac{\phi _0 q^{n+1}}{(n+1)!} \prod _{j=0}^{n-1} \phi _j \right) \). This is however something that we do not use and that we do not prove, but by dividing q into n intervals, it is easy to prove that \(p_n \ge \frac{q^n}{n!} \prod _{j=0}^{n-1} \phi _j\).

NIST SP 800–38D.: Recommendations for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, November 2007. http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf

NSA: Suite B Cryptography. https://www.nsa.gov/ia/programs/suiteb_cryptography/

CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness. http://competitions.cr.yp.to/caesar.html

IETF RFC 4543.: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH, May 2006. https://tools.ietf.org/html/rfc4543

IETF RFC 5288: AES Galois Counter Mode (GCM) Cipher Suites for TLS, August 2008. https://tools.ietf.org/html/rfc5288

IETF RFC 5647.: AES Galois Counter Mode for the Secure Shell Transport Layer Protocol, August 2009. https://tools.ietf.org/html/rfc5647

IETF RFC 7518.: JSON Web Algorithms (JWA), May 2015. https://tools.ietf.org/html/rfc7518

IEEE 802.1AE-2006.: Media Access Control (MAC) Security, August 2006. http://standards.ieee.org/getieee802/download/802.1AE-2006.pdf

IEEE 802.11ad-2012.: Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications - Amendment 3: Enhancements for Very High Throughput in the 60 GHz Band, October 2012 . http://standards.ieee.org/getieee802/download/802.11ad-2012.pdf

10.

IEEE 802.11ac-2013.: Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications - Amendment 4: Enhancements for Very High Throughput for Operation in Bands below 6 GHz, December 2013. http://standards.ieee.org/getieee802/download/802.11ac-2013.pdf

11.

IEEE 1619.1-2007.: IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices, May 2008

12.

ANSI INCITS 496–2012.: Information technology - Fibre Channel Security Protocol 2 (FC-SP-2)

13.

IETF RFC 7714.: AES-GCM Authenticated Encryption in Secure RTP (SRTP), December 2015. https://tools.ietf.org/html/rfc7714

14.

Kim, W., Lee, J., Park, J., Kwon, D.: The ARIA Algorithm and Its Use with the Secure Real-time Transport Protocol (SRTP). (IETF work in progress), November 2015. https://tools.ietf.org/html/draft-ietf-avtcore-aria-srtp-09

15.

IETF RFC 4106.: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP), June 2005. https://tools.ietf.org/html/rfc4106

16.

IETF RFC 5084.: Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS), November 2007. https://tools.ietf.org/html/rfc5084

17.

ECMA-409.: NFC-SEC-02: NFC-SEC Cryptography Standard using ECDH-256 and AES-GCM, December 2014. http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-409.pdf

18.

ECMA-411.: NFC-SEC-04: NFC-SEC Entity Authentication and Key Agreement using Symmetric Cryptography, December 2014. http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-411.pdf

19.

Langley, A., Chang, W.T.: QUIC Crypto, July 2015. https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LTaDUDwvZ5L6g/edit

20.

W3C.: Web Cryptography API, December 2014. http://www.w3.org/TR/WebCryptoAPI/

21.

Oracle: Java Platform, Standard 8th edn. API Specification. https://docs.oracle.com/javase/8/docs/api/index.html

22.

OASIS: PKCS #11 Cryptographic Token Interface Current Mechanisms Specification Version 2.40, September 2014. http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/cs01/pkcs11-curr-v2.40-cs01.pdf

23.

Microsoft: Cryptography API: Next Generation. https://msdn.microsoft.com/en-us/library/windows/desktop/aa376210

24.

Ferguson.: Authentication weaknesses in GCM, May 2005. http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf

25.

Kabatianskii, G., Smeets, B., Johansson, T.: On the cardinality of systematic authentication codes via error-correcting codes. IEEE Trans. Inf. Theory 42(2), 566–578 (1996)MathSciNetCrossRefMATH

26.

McGrew, D.A., Viega, J.: The Galois/Counter Mode of Operation (GCM), May 2005. http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf

27.

McGrew, D.A., Viega, J.: The Security and Performance of the Galois/Counter Mode of Operation, October 2004. http://eprint.iacr.org/2004/193.pdf

28.

ISO, IEC 9772: 2009.: Information technology - Security techniques - Authenticated encryption, July 2008. http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=46345

29.

Joux.: Authentication Failures in NIST version of GCM (2006). http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/800-38_Series-Drafts/GCM/Joux_comments.pdf

30.

Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008). http://www.cosic.esat.kuleuven.be/publications/article-1150.pdf CrossRef

31.

Saarinen.: GCM, GHASH and Weak Keys (2011). http://www.iacr.org/archive/fse2012/75490220/75490220.pdf

32.

Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 287–304. Springer, Heidelberg (2014). https://eprint.iacr.org/2013/144.pdf

33.

Abdelraheem, M.A., Beelen, P., Bogdanov, A., Tischhauser, E.: Twisted polynomials and forgery attacks on GCM. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 762–786. Springer, Heidelberg (2015). https://eprint.iacr.org/2015/1224.pdf

34.

CRYPTREC TR No. 2012.: Evaluation of Some Blockcipher Modes of Operation, February 2011. http://www.cryptrec.go.jp/estimation/techrep_id2012_2.pdf

35.

McGrew, D.A., Viega, J.: GCM Update, May 2005, http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/gcm-update.pdf

36.

McGrew, D.A., Fluhrer, S.R.: Multiple forgery attacks against Message Authentication Codes, May 2005. http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/multi-forge-01.pdf

37.

IETF RFC 5374.: Multicast Extensions to the Security Architecture for the Internet Protocol, November 2008. https://tools.ietf.org/html/rfc5374

38.

IETF RFC 3550.: RTP: A Transport Protocol for Real-Time Applications, July 2003. https://tools.ietf.org/html/rfc3550

39.

IETF RFC 3711.: The Secure Real-time Transport Protocol (SRTP), March 2004. https://tools.ietf.org/html/rfc3711

40.

IETF RFC 6284.: Port Mapping between Unicast and Multicast RTP Sessions, June 2011. https://tools.ietf.org/html/rfc6284

41.

IETF RFC 6051.: Rapid Synchronisation of RTP Flows, November 2010. https://tools.ietf.org/html/rfc6051

42.

IETF RFC 6464.: A Real-time Transport Protocol (RTP) Header Extension for Client-to-Mixer Audio Level Indication, December 2011. https://tools.ietf.org/html/rfc6464

43.

NIST SP 800–57 Part 3-Rev.1.: Recommendation for Key Management: Part 3 - Application-Specific Key Management Guidance, January 2015. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf

Titel: Authentication Key Recovery on Galois/Counter Mode (GCM)
verfasst von: John Mattsson
Magnus Westerlund
Verlag: Springer International Publishing
Buch: Progress in Cryptology – AFRICACRYPT 2016
Print ISBN: 978-3-319-31516-4

Electronic ISBN: 978-3-319-31517-1

Copyright-Jahr: 2016
DOI: https://doi.org/10.1007/978-3-319-31517-1_7

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner