Authentication Failures in NIST version of GCM
نویسنده
چکیده
In this note, we study the security of the Galois/Counter mode authenticated encryption recently published by NIST. We show how an adversary can recover the secret key of the keyed hash function underlying the authentication, using a chosen IV attack. Once this secret key is known, the encryption mode is no longer authenticated. As a con sequence, all chosen ciphertext attacks against the confidentiality become feasible. Moreover, since the encryption mode is a counter mode, i.e. a stream cipher, the XOR malleability of the encrypted plaintext becomes a major security issue.
منابع مشابه
Authentication Key Recovery on Galois/Counter Mode (GCM)
GCM is used in a vast amount of security protocols and is quickly becoming the de facto mode of operation for block ciphers due to its exceptional performance. In this paper we analyze the NIST standardized version (SP 800-38D) of GCM, and in particular the use of short tag lengths. We show that feedback of successful or unsuccessful forgery attempt is almost always possible, contradicting the ...
متن کاملGCM Update
Recently, Niels Ferguson submitted comments to NIST detailing an attack on GCM message authentication when authentication tags are truncated [3]. This work underscores the risks of using GCM with very short tags, and highlights the need for guidance on tag length. However, it does not violate the claims of GCM’s security analysis [4], nor does it present any weakness that was not described in t...
متن کاملGCM, GHASH and Weak Keys
The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide single-pass authenticated encryption. The GHASH authentication component of GCM belongs to a class of Wegman-Carter polynomial universal hashes that operate in the field GF (2). GCM uses the same block cipher key K to both encrypt data and to derive the generator H of the authentication polynomial. In present li...
متن کاملCycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes
The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide singlepass authenticated encryption. The GHASH authentication component of GCM belongs to a class of WegmanCarter polynomial hashes that operate in the field GF(2). We present message forgery attacks that are made possible by its extremely smooth-order multiplicative group which splits into 512 subgroups. GCM us...
متن کاملHigh Speed VLSI Architecture for AES-Galois/Counter Mode
Galois/Counter Mode of Operation (GCM) is a block cipher mode operation used to provide encryption and authentication using universal Hashing based on multiplication over binary Galois/Finite Field.GCM can be implemented on both hardware and software effectively and efficiently. GCM supports pipelined and parallelized implementations to have minimal computational latency in order to be useful a...
متن کامل