Link to this headingGCM
GCM is a Combination of Counter Mode (CTR) with a Message Authentication Code (MAC) using an algorithm GMAC.
Link to this headingSecurity
This provides both authentication and encryption.
- Vulnerable to nonce Reuse
- Might not be timing safe
https://github.com/SalusaSecondus/CryptoGotchas#aes-gcmgmac
Link to this headingZero Nonce
If the nonce is set to All Zeros then the first block of the encryption can leak the authentication key.
This is because the Authentication key is the encryption of zero data. Using XOR you can recover the keystream if you know the plaintext.
This does depend on how GCM creates its IVs. If the IV starts off at 1 then it is possible to over flow the counter and get all IV and counter to 0.
Example:
= b
#Generate the GCM Key using the encryption_key and null data
=
=
# IV is 96 bytes
=
#Encrypt plaintext in Counter Mode
=
#Use the IV as Additional authenticated data (AAD)
#So if the iv changes then the tag changes
=
#Then Encrypt the new data with the
=
#auth_key: aa1908ba6ab97a18ea6349b72eb1ba15, tag_iv: 00000000000000000000000000000000, iv: 000000000000000000000000, ciphertext: aa1908ba6ab97a18ea6349b72eb1ba15, tag: d387e6b9293ead8758976e85dd9e064b
Link to this headingStatic/Repeated IV
Since AES-GCM encrypts the message by XORing it with the output of AES-CTR, a duplicate nonce will result in identical AES-CTR output. If you know a plaintext and the ciphertext of one message then you can decrypt the other message
Duplicate Keystream:
= b
= b
#Initialize AES Key
#encryption_key = os.urandom(16)
=
=
#Do AES GCM for message 1
, , =
#iv: 4ff34dcd6d2738f70bdab5f7, ciphertext: 9c4f37ccd0f521bd2dc4437ebe0c1a0b87e909a6dc, tag: 11944bc91a02aaf0b72b3f1b06d6d207
#### Do AES GCM for message 2
#Do AES GCM for message 1
, , =
#iv: 4ff34dcd6d2738f70bdab5f7, ciphertext: 8b4831d3d0f237ea6c895268be19300bd4ee00a0cd, tag: 9d316f98882a5cf704a2e5d6bdf44474
#### XOR the known plaintext to get the keystream data
=
#Keystream: df2058a0f09b44ca0da9260dcd6d7d6ea79d61c7a8
#### XOR The keystream data to get the unknown message2
=
#plaintext: b'This is a testMessage'
assert ==
Source
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS
Link to this headingForgery Attacks with nonce Reuse
When an IV is Reused with a different message or aad it can be used to recover the GMAC secret. Using this Secret you can forge messages
Example Code
"""
VolgaCTF Quals 2018 forbidden crypto task
This implements the forbidden attack on Galois/Counter Mode AES
useage: sage -python forb_expl.py
"""
=
= +
return
=
return +
+= b *
return
= +
=
return
assert
return
=
return * +
assert
=
+=
return
= 0
+= * **
return
= 0
|= <<
return
return
# Assuming aad1 == aad2 and len1 == len2
# => (tagA + tagB) = ( CTA[0] x CTB[0]) * H ** 2
# => H ** 2 = (tagA + tagB) * Inv( CTA[0] x CTB[0])
# => H = sqrt((tagA + tagB) * Inv( CTA[0] x CTB[0]))
assert ==
assert ==
= * 8
= * 8
=
=
=
=
, =
, =
#Set up f1
#f1 = A1_p * H**5 + C1_p[0] * H**4 + C1_p[1] * H**3 + C1_p[2] * H**2 + L_p * H + T1_p
=
= * +
= * +
= * +
= * +
#Setup F3
#f3 = A3_p * H**5 + C3_p[0] * H**4 + C3_p[1] * H**3 + C3_p[2] * H**2 + L_p * H
=
= * +
= * +
= * +
= *
#Setup P
#p = A_p * H**5 + C_p[0] * H**4 + C_p[1] * H**3 + C_p[2] * H**2 + T_p
=
= * +
= * +
= *
= * +
=
=
=
return ,
=
=
, =
=
, =
=
, =
=
=
= +
# tagA = (((((aad1 * H) + CTA[0]) * H) + len1) * H) + X
# tagB = (((((aad2 * H) + CTB[0]) * H) + len2) * H) + X
# tagA + tagB = ((((aad1 * H) + CTA[0]) * H) + len1) * H) + (((((aad * H) + CB1) * H) + len2) * H) + (X xor X)
# = (aad1 * H^3 + CA1 * H^2 + len1 * H) + (aad2 * H^3 + CB1 * H^2 + len2 * H)
# = (aad1 x aad2) * H^3 + (CA1 x CB2) * H^2 + (len1 x len2) * H
# Assuming aad1 == aad2 and len1 == len2
# => (tagA + tagB) = ( CTA[0] x CTB[0]) * H ** 2
# => H ** 2 = (tagA + tagB) * Inv( CTA[0] x CTB[0])
# => H = sqrt((tagA + tagB) * Inv( CTA[0] x CTB[0]))
, =
"""
368b81e98fe704c132229db5a2f2f61fc34cb88f1fd42e20904fc1a7d55c95740f0144978f224cda, e27ee66ab816204123cab7eb243ac616
368b81e98fe718c1362bdcb299d1f61fc34cb8931fd027619774e2a7d55c95740f005a968f224cda, 98c5ccf4ebce1cd2e2db5fc854a2dce4
368b81e98fe704c132229db5a2f2f61fc34cb8931fd027619774e2a7d55c95740f7138eb8f224cda, b04867e368349d384d963b5150d6660d
Auth Key: 5d8f12b1723fad9cc6e60ad0258def6f
GMAC Key: ['62771BC867FD0D2CF6144C43E3F4A15A', '5D8F12B1723FAD9CC6E60AD0258DEF6F']
Forged Tag: ['87A972FB4AE90C941E72E5E47A61DA36', 'B04867E368349D384D963B5150D6660D']
"""
Link to this headingImplementation
Implications change depending on library
= 16
=
"""Multiply two polynomials in GF(2^m)/g(w)
g(w) = w^128 + w^7 + w^2 + w + 1
(operands and result bits reflected)"""
=
=
= 0
#print(temp_key,y,z)
^=
<<= 1
= ^
>>= 1
return
#print("p = {}, q = {}".format(p,q))
=
#print("xor {}".format(test))
=
=
#print("output {}".format(test))
#print()
return
#Get Byte length * 8
return
= b*16
#Pad additional_authenticated_data
= +
#print("Padded Authenticated Data: {}".format(additional_authenticated_data_padded))
#Pad Input Data
= +
#print("Input Data: {}".format(input_data_padded))
#For each block of Padded additional_authenticated_data xor and mult with the auth key
=
#print("ADD OutputData: {}".format(input_data_padded))
#For each block of Padded input_data xor and mult with the auth key
=
#Also XOR and mult with the length of the data
= +
return
#Generate the GCM Key using the encryption_key and null data
=
=
# IV is 96 bytes
=
#iv = os.urandom(16)
# If tag is 96 bytes then shift and add 1 to make it 128 bits long
# Else GMAC the IV
= + b
=
#Encrypt plaintext in Counter Mode
=
#Use the IV as Additional authenticated data (AAD)
#So if the iv changes then the tag changes
=
#Then Encrypt the new data with the
=
#print(f"auth_key: {auth_key.hex()}, tag_iv: {tag_iv.hex()}, iv: {iv.hex()}, ciphertext: {ciphertext.hex()}, tag: {tag.hex()}")
return
= b
#Initialize AES Key
#encryption_key = os.urandom(16)
=
=
#Do AES GCM for message 1
, , =
#iv: 4ff34dcd6d2738f70bdab5f7, ciphertext: 9c4f37ccd0f521bd2dc4437ebe0c1a0b87e909a6dc, tag: 11944bc91a02aaf0b72b3f1b06d6d207