Hi,

Full disclosure: we (Hanno, a couple of other people and myself) are working on GCM/GHASH attacks in real world implementations. A recent result of our research can be found here: https://eprint.iacr.org/2016/475

I've put extensive effort into reading up on past research w.r.t. GCM/GHASH since December.

> On 21 Jun 2016, at 04:25, timo <[email protected]> wrote:
>
> I recently came across this story about NSA employees messing with crypto
> standards regarding internet telephony.
> What's interesting is some details about the use of GCM in real time
> applications like SRTP and ssh.

This article is entirely false and makes false assumptions. I've written to the author and his security advisor back when it was published in 2014 that it should be retracted or at least corrected.

> The story is in German, therefore I'm translating the relevant parts:
>
> > "This current NSA draft concerns the protocol for encrypting internet telephony. The block cipher mode intended for it, called "Galois Counter Mode" (GCM), was already described in 2005 by a renowned cryptography expert at Microsoft as generally vulnerable and was scathingly criticised. There was a specific and urgent warning against using this cipher for real-time protocols; the encryption of internet telephony was cited as a negative practical example."
>
> [...] The "Galois Counter Mode" (GCM) was heavily criticised in 2005 by a
> renowned crypto expert at Microsoft and described as generally vulnerable. It
> was warned that especially in realtime application this cipher should not be
> used. [...]

Ferguson's critique is specifically on GCM with short tags. These aren't employed by many protocols and are difficult to exploit. TLS is certainly not one of them.

> and
>
> > "The Finnish cryptographer Markku-Juhani Saarinen had likewise warned against the use of the block cipher at the security conference FSE 2012 in Washington. Particularly for real-time protocols such as Secure Shell for Virtual Private Networks, GCM is strongly discouraged."
>
> [...] The Finnish crypto expert Markku-Juhani Saarinen had also warned not to
> use the block cipher in 2012 at the security conference FSE in Washington.
> Especially the use with realtime applications like ssh for VPN is not
> recommended. [...]

That's a very specific and rather theoretical attack. Saarinen notes in his paper that this isn't exploitable in any of the mentioned protocols and just gives a recommendation in that regard. I recently had a mail exchange with Saarinen on improving his (again, rather theoretical) attack.

> So my question is: Why is nobody talking about this?

Everybody is. As we note in our paper, no cryptographer (except for Intel and the original designers) is really happy with GCM. But it's the best deployed choice we currently have for authenticated encryption. I have an individual draft for AES-OCB for TLS that's going to be discussed at the next IETF meeting in Berlin: https://tools.ietf.org/html/draft-zauner-tls-aes-ocb-04 (patent issues resolved!)

> Even though it seems ok to use GCM with most https applications, it is also
> widely used and recommended with ssh and SRTP (like xmpp).

I'm not aware of any practical GCM related attacks on SSH nor SRTP. Neither are (very) well known cryptographers I've talked to about this issue.

> Should it not be recommended to avoid the use of GCM in these latter cases?

Certainly not. The alternative you currently have in these protocols is CCM mode, which is a two-pass scheme, meaning its performance is *very* slow compared to GCM. On Intel architectures you get AESNI which speeds up AES and GCM due to instructions for multiplications of polynomials over finite fields (Google: "Intel CMUL"). On architectures that do not support these instructions you now have ChaCha20/Poly1305 as an alternative option (OpenSSH added support for that in I think late 2013 already; by now it's an IETF standard and will be available in TLS 1.2 and TLS 1.3, some implementations do already support it. Google has supported it for a couple of years now given that you're on an Android platform and talking to their front-end servers).

BTW - OpenSSL achieved outstanding cycle/per-byte numbers for AES-OCB on AESNI architectures with a patch due to Polyakov late last year: https://github.com/openssl/openssl/commit/bd30091c9725bdad1c82bce10839f33ceaa5623b

Aaron
_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
