Comments

What Price common sense? June 14, 2024 10:26 AM

@ALL

One of the problems in all security systems is “communication of information” requires “redundancy” and any redundance can be used to form a communications channel inside of any information system used for

  1. Storage
  2. Processing
  3. Communications

Which covers just about every thing you can do with “information”.

Making such a channel can be “covert” or as a “side” effect.

Finding hidden channels can be shown to be impossible to do as the necessary redundance has to be able to carry “random”…

What Price common sense? June 14, 2024 11:16 AM

@ALL

So you now know that the “nonce” has to be “unique” that is “number used only once”.

Easy to say but how do you do it?

Obviously you can not just use a counter because that would make all past and future nonces “obvious” to an attacker.

Oh and whilst you could just randomly select a nonce you would need a large database to store every one you use to ensure you don’t reuse it.

So you get caught between the “devil” of determinism and the “deep blue sea” of a bottomless database.

The solution is go with the devil but be smart about it.

In theory you can use a counter and encrypt it and use that. But then… So some argue you have to double or multiply encrypt…

But do you need to use a simple counter?

No you can use a “Linear Feedback Shift Register” (LFSR) or variation thereon such as a Mitchell-Moore generator.

The point is it’s a very long discussion and knowing about the subtle weaknesses of some techniques is mostly unknown to most people.

Hence the advice,

“Never roll your own crypto!”.

But just remember even cryptographers do not know it all, the best they can usually do is know all that is “publicly known”.

The saying

“Another day another dollar”

Could equally well be rephrased as

“Another day another new way”

To make a crypto or other information system attack.

And to quote the song

“And we’ll have fun fun fun,
Till daddy takes the T-Bird away

And since he took your set of keys
You’ve been thinking that your fun is all through now

But you can come along with me
’Cause we gotta lot of things to do now”
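The two deterministic constructions named in the comment above, a counter and an LFSR, written out as an added example (this is not code from the thread or from any project it mentions). The 96-bit layout of a 32-bit fixed field followed by a 64-bit counter is an assumption modelled on the deterministic-IV construction in NIST SP 800-38D; the 16-bit LFSR width is a toy chosen so that its full period can be checked, and its taps (16, 14, 13, 11) are a known primitive polynomial. Both generators carry the check a defender wants: they refuse to hand out another value once the counter or the LFSR period is exhausted, since continuing past that point would repeat a nonce under the same key. Note that the LFSR sequence is a fixed permutation of the non-zero states, so it guarantees uniqueness within its period but is no less predictable than a counter once the polynomial is known.

```python
import struct

NONCE_BYTES = 12          # AES-GCM's recommended 96-bit nonce length
COUNTER_LIMIT = 1 << 64   # the invocation field in this layout is 64 bits wide


class CounterNonce:
    """96-bit nonce = 32-bit fixed field || 64-bit big-endian counter.

    Assumed layout (fixed field plus invocation field). The fixed field keeps two
    holders of the same key from producing the same nonce; persisting the counter
    across restarts is the caller's job.
    """

    def __init__(self, fixed_field: int, start: int = 0) -> None:
        if not 0 <= fixed_field < (1 << 32):
            raise ValueError("fixed field must fit in 32 bits")
        if not 0 <= start < COUNTER_LIMIT:
            raise ValueError("start counter must fit in 64 bits")
        self.fixed_field = fixed_field
        self.counter = start

    def next(self) -> bytes:
        # Refuse to wrap: a wrapped counter would repeat a nonce under the same key.
        if self.counter >= COUNTER_LIMIT:
            raise RuntimeError("counter exhausted; rotate the key before continuing")
        nonce = struct.pack(">IQ", self.fixed_field, self.counter)
        self.counter += 1
        return nonce


class LfsrNonce:
    """Toy 16-bit Fibonacci LFSR, taps 16, 14, 13, 11 (x^16 + x^14 + x^13 + x^11 + 1).

    The polynomial is primitive, so from any non-zero seed the register visits all
    2^16 - 1 non-zero states before repeating. A real generator would be wider.
    """

    PERIOD = (1 << 16) - 1

    def __init__(self, seed: int) -> None:
        if not 0 < seed < (1 << 16):
            raise ValueError("seed must be a non-zero 16-bit value")
        self.state = seed
        self.emitted = 0

    def _step(self) -> None:
        s = self.state
        bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
        self.state = (s >> 1) | (bit << 15)

    def next(self) -> bytes:
        # Same exhaustion check as the counter: never hand out a repeated value.
        if self.emitted >= self.PERIOD:
            raise RuntimeError("LFSR period exhausted; rotate the key before continuing")
        value = self.state
        self._step()
        self.emitted += 1
        # Embed the 16-bit state in the low bits of a 96-bit nonce.
        return value.to_bytes(NONCE_BYTES, "big")


def lfsr_period(seed: int) -> int:
    """Steps until the register returns to its seed (65535 for a primitive polynomial)."""
    gen = LfsrNonce(seed)
    steps = 0
    while True:
        gen._step()
        steps += 1
        if gen.state == seed:
            return steps


def all_unique(generator, count: int) -> bool:
    """Defender's check: the first `count` nonces from a generator are pairwise distinct."""
    seen = set()
    for _ in range(count):
        nonce = generator.next()
        if nonce in seen:
            return False
        seen.add(nonce)
    return True


def stops_at_exhaustion(generator, remaining: int) -> bool:
    """True if the generator yields exactly `remaining` more nonces and then refuses."""
    for _ in range(remaining):
        generator.next()
    try:
        generator.next()
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("LFSR period:", lfsr_period(0xACE1))
    print("counter nonces unique:", all_unique(CounterNonce(fixed_field=7), 10_000))
    print("LFSR nonces unique:", all_unique(LfsrNonce(0xACE1), LfsrNonce.PERIOD))
    print("counter refuses to wrap:",
          stops_at_exhaustion(CounterNonce(1, start=COUNTER_LIMIT - 1), 1))
```

The exhaustion checks are the part worth copying: a counter that silently wraps, or an LFSR allowed to run past its period, turns a uniqueness guarantee into a nonce reuse, which for AES-GCM is a catastrophic failure.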

Richard June 17, 2024 3:48 AM

“Obviously you can not just use a counter because that would make all past and future nonces “obvious” to an attacker.”

Yes, you can use a counter. The requirement on a nonce is that it is only used once; not that it is not predictable.

What Price common sense? June 17, 2024 4:45 AM

@ Richard,

“Yes, you can use a counter. The requirement on a nonce is that it is only used once; not that it is not predictable.”

In a secure communications context such as the use of AES-GCM which is what is being talked about here, what percentage of times have you actually seen a case where “not made unguessable” is as securely acceptable for a nonce as “unguessable”?

Frederik June 17, 2024 5:49 AM

“In a secure communications context such as the use of AES-GCM which is what is being talked about here, what percentage of times have you actually seen a case where “not made unguessable” is as securely acceptable for a nonce as “unguessable”?”

In AES-GCM, “not made unguessable” (i.e. monotonic incrementing counter) is MORE secure than a random 96-bit nonce. 96-bit is not enough to guarantee no repetitions when you send a lot of messages under the same key (see birthday paradox). After 2^48 messages, the chance of two messages randomly having the same nonce is 50%, see 1.
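The birthday-bound arithmetic behind the 2^48 figure, as an added example that is not part of the thread. It uses the standard approximation P ≈ 1 − exp(−n(n−1)/2N) with N = 2^96 random nonces; under it, 2^48 random nonces give a collision probability of about 39%, and the 50% mark is reached at about 1.18·2^48 messages. `RANDOM_IV_LIMIT` is the per-key invocation limit that NIST SP 800-38D places on randomly generated 96-bit IVs, which keeps the probability below 2^-32; the counter comparison function simply encodes that a deterministic counter cannot collide before it wraps.

```python
import math

NONCE_BITS = 96            # AES-GCM's standard nonce size
RANDOM_IV_LIMIT = 1 << 32  # SP 800-38D cap on invocations per key with random IVs


def collision_probability(messages: int, bits: int = NONCE_BITS) -> float:
    """Probability that at least two of `messages` independent uniform `bits`-bit
    nonces coincide, via the birthday approximation 1 - exp(-n(n-1)/(2N))."""
    space = 2.0 ** bits
    exponent = -(messages * (messages - 1)) / (2.0 * space)
    # expm1 keeps precision when the probability is tiny (e.g. at 2^32 messages).
    return -math.expm1(exponent)


def messages_for_probability(p: float, bits: int = NONCE_BITS) -> int:
    """Inverse: how many random nonces push the collision probability up to p."""
    space = 2.0 ** bits
    return int(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))


def counter_collision_probability(messages: int, counter_bits: int = 64) -> float:
    """A counter nonce cannot repeat until it wraps, so this is a step function."""
    return 0.0 if messages <= (1 << counter_bits) else 1.0


def within_random_iv_limit(messages: int) -> bool:
    """Defender's check: is the per-key message count still inside the SP 800-38D cap?"""
    return messages <= RANDOM_IV_LIMIT


if __name__ == "__main__":
    for n in (1 << 32, 1 << 40, 1 << 48):
        print(f"n = 2^{n.bit_length() - 1}: random nonce collision "
              f"{collision_probability(n):.3e}, counter nonce "
              f"{counter_collision_probability(n):.1f}, "
              f"within random-IV limit: {within_random_iv_limit(n)}")
    print("messages for 50% collision:", messages_for_probability(0.5))
```

Running it shows why the comment above treats a counter as the safer choice: with random 96-bit nonces the collision probability is already measurable long before 2^48 messages, whereas the counter stays at zero until 2^64.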

Winter June 17, 2024 6:34 AM

@Frederik

“After 2^48 messages, the chance of two messages randomly having the same nonce is 50%, see 1.”

That is indeed less than 3 * 10^14 messages.

As I understand it, the risk comes from someone having both the ciphertext and a (partial) plaintext for a single repeated nonce that can be used to decrypt the other ciphertexts encrypted with the same nonce.

If that nonce has been reused, then the matching ciphertext with the reused nonce can easily be found by anyone who has it, even among millions of messages.

The real risk is then the probability of a repeated nonce times the probability an attacker has a plaintext of the ciphertext encrypted with the repeated nonce AND access to the ciphertext that used the reused nonce.

I think that, for most organizations, the risk here is not in an accidentally repeated nonce out of 2^48 messages, but in the much higher risk of badly chosen non-random nonces.
