> On 21 Jun 2016, at 20:42, timo <[email protected]> wrote:
>
> Thanks for the reply.

Sure. I'm always happy to get rid of crypto FUD and debunk articles like the one you've cited earlier.

> On Tue, Jun 21, 2016 at 01:16:57PM +0800, Aaron Zauner wrote:
>> Hi,
>>
>> Full disclosure: we (Hanno, a couple of other people and myself) are working
>> on GCM/GHASH attacks in real world implementations. A recent result of our
>> research can be found here: https://eprint.iacr.org/2016/475
>>
>> I've put extensive effort into reading up on past research w.r.t. GCM/GHASH
>> since December.
>>
>>> On 21 Jun 2016, at 04:25, timo <[email protected]> wrote:
>>>
>>> I recently came across this story about NSA employees messing with crypto
>>> standards regarding internet telephony.
>>> What's interesting is some details about the use of GCM in real time
>>> applications like SRTP and ssh.
>>
>> This article is entirely false and makes false assumptions. I've written to
>> the author and his security advisor back when it was published in 2014 that
>> it should be retracted or at least corrected.
>>
>>> The story is in German, therefore I'm translating the relevant parts:
>>>
>>> "This current NSA draft concerns the protocol for encrypting internet
>>> telephony. However, the block cipher mode intended for it, called "Galois
>>> Counter Mode" (GCM), was already described as generally attackable and
>>> devastatingly criticised in 2005 by a renowned cryptography expert at
>>> Microsoft. Specific and urgent warnings were given against using this
>>> cipher for real-time protocols, with the encryption of internet telephony
>>> cited as a negative practical example."
>>>
>>> [...] The "Galois Counter Mode" (GCM) was heavily criticised in 2005 by a
>>> renowned crypto expert at Microsoft and described as generally vulnerable.
>>> It was warned that especially in realtime applications this cipher should
>>> not be used. [...]
>>
>> Ferguson's critique is specifically on GCM with short tags. These aren't
>> employed by many protocols and are difficult to exploit. TLS is certainly not
>> one of them.
>
> So there are no common GCM implementations with those short tags.

There is a protocol that makes use of them and we're currently researching if attacks are possible. You'll have to find out yourself which one it is ;)

> Neither TLS nor SSH are affected by this then?

Correct. Some TLS implementations (none are wide-spread and no open-source implementation like OpenSSL is affected) are affected by Joux' forbidden attack -- which was also outlined in a comment during the NIST standardisation process. It's the topic of the paper I've posted in my previous message and is due to be a BlackHat USA talk in August.

I think I have to say this: this isn't an NSA backdoor, and any suggestion in that direction is just tinfoilhattery. NIST, IETF and other specs clearly state that nonces should not be re-used (this isn't unique to GCM, but applies to nonce-based AEADs in general). Implementers that get this wrong are to blame here, not Big Brother.

The IETF specifications for ChaCha20/Poly1305 as well as TLS 1.3 use a nonce construction that effectively mitigates this issue: if an implementer gets the nonce wrong, it'll simply not be interoperable with any other implementation, hence this will show up very early during the development and QA phase in vendor/open-source engineering. I've also switched to this construction for my AES-OCB TLS cipher-suite draft. In essence this makes it nonce-misuse resistant without using a nonce-misuse-resistant AEAD (see https://www.lvh.io/posts/nonce-misuse-resistance-101.html for a good introduction on the topic of nonce misuse resistance).

> Or you can use good old ctr mode.

Nothing against that as far as I know.

> In the end performance isn't the most important thing with ssh
> connections. That's rather something I worry about with TLS.

AES in counter mode is not an AEAD construct. It'll simply produce a stream cipher in protocols like TLS. For example: you won't find pure AES-CTR in TLS (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4). GCM is basically AES in counter mode (CTR) with GHASH, and then you've got an AEAD. The same applies to SSH: there are aes-ctr constructions, but all of them rely on an HMAC/UMAC for the authenticity/integrity part. Recent research by Kenny Paterson showed weaknesses in OpenSSH's implementation of encrypt-then-MAC decryption for these (see the next thread on this mailing list), though Kenny says they could not find a suitable candidate cipher for which this would be exploitable. I think other researchers will also look into this in the future, as has been the case with many of Paterson's papers.

> BTW. chacha20/poly1305 is now also available in firefox.

I know.

Aaron
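The per-record nonce construction Aaron refers to (RFC 7905 for ChaCha20/Poly1305 in TLS 1.2, RFC 8446 section 5.3 for TLS 1.3) and a simple nonce-reuse check over captured or test-generated records, as an added example that is not from this thread or from any implementation it mentions. The static IV, key labels and record lists are constructed sample values; the "broken sender" is a hypothetical explicit-nonce implementation that never varies its nonce.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

IV_LENGTH = 12  # AEAD nonce length for AES-GCM and ChaCha20-Poly1305 in TLS


def derive_record_nonce(static_iv: bytes, seq: int) -> bytes:
    """Per-record nonce as specified in RFC 7905 and RFC 8446 section 5.3:
    the 64-bit record sequence number, big-endian, left-padded with zeros
    to iv_length, XORed with the static write IV from the key schedule.
    Both peers derive it independently, so nothing is sent on the wire and
    a peer that derives it differently simply fails to decrypt."""
    if len(static_iv) != IV_LENGTH:
        raise ValueError("static IV must be %d bytes" % IV_LENGTH)
    if not 0 <= seq < 2 ** 64:
        raise ValueError("sequence number out of range; rekey before wrap")
    padded = seq.to_bytes(8, "big").rjust(IV_LENGTH, b"\x00")
    return bytes(a ^ b for a, b in zip(static_iv, padded))


def find_nonce_reuse(records: Iterable[Tuple[str, bytes]]) -> Dict[str, List[bytes]]:
    """Given (key_id, nonce) pairs, e.g. from a test harness or a capture of
    records carrying explicit nonces (RFC 5288 AES-GCM in TLS 1.2), return
    every nonce used more than once under the same key. Any hit is a
    finding: a single repeated (key, nonce) pair under GCM is enough to
    break authentication for that key (Joux's "forbidden attack")."""
    seen = defaultdict(set)
    reused = defaultdict(set)
    for key_id, nonce in records:
        if nonce in seen[key_id]:
            reused[key_id].add(nonce)
        seen[key_id].add(nonce)
    return {k: sorted(v) for k, v in reused.items()}


# Constructed sample data (not taken from any real connection).
STATIC_IV = bytes.fromhex("0102030405060708090a0b0c")


def rfc_style_records(n: int) -> List[Tuple[str, bytes]]:
    """Peer that derives nonces per RFC 8446: one distinct nonce per record."""
    return [("key-A", derive_record_nonce(STATIC_IV, seq)) for seq in range(n)]


def broken_explicit_nonce_records(n: int) -> List[Tuple[str, bytes]]:
    """Hypothetical buggy explicit-nonce sender of the kind this thread
    discusses: it never varies the nonce, so every record repeats it."""
    return [("key-B", STATIC_IV) for _ in range(n)]


if __name__ == "__main__":
    print("RFC-style nonces reused:", find_nonce_reuse(rfc_style_records(10000)))
    print("broken sender nonces reused:",
          find_nonce_reuse(broken_explicit_nonce_records(3)))
```

The detector is cheap enough to run inside an integration test of any AEAD-using component: feed it every (key, nonce) pair the sender produced and fail the build on a non-empty result. With the derived-nonce construction there is nothing to capture, which is exactly the interoperability argument above: a mismatch surfaces as a decryption failure on the first record.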
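Aaron's point that AES-CTR on its own is a stream cipher with no integrity, and that the SSH aes-ctr modes therefore rely on an HMAC/UMAC, illustrated as an added example (mine, not from this thread or from OpenSSH). The keystream block function is a SHA-256 stand-in for an AES block encryption so that the block runs with the standard library alone; keys, nonce and message are constructed values.

```python
import hashlib
import hmac
from typing import Optional

BLOCK = 32    # keystream bytes per counter value (SHA-256 digest size)
TAG_LEN = 32  # HMAC-SHA256 tag length


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Stand-in for one AES block encryption of (nonce || counter).
    SHA-256 is used only so the example needs no third-party AES; the
    structure keystream = F_key(nonce, counter) is what matters here."""
    return hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: XOR data with the keystream. Encryption and decryption
    are the same operation, and nothing in here detects modification."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = keystream_block(key, nonce, i // BLOCK)
        out += bytes(d ^ k for d, k in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def etm_seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext and uses a key
    separate from the encryption key. This is the role the HMAC/UMAC plays
    next to aes-ctr in SSH."""
    ct = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def etm_open(enc_key: bytes, mac_key: bytes, nonce: bytes, sealed: bytes) -> Optional[bytes]:
    """Verify the tag in constant time before touching the ciphertext and
    return None on any tampering rather than a silently altered plaintext."""
    if len(sealed) < TAG_LEN:
        return None
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_xor(enc_key, nonce, ct)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate one ciphertext bit being changed in transit."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


def ctr_only_after_corruption(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Bare CTR: the changed record still 'decrypts' to a changed plaintext
    and the receiver has no way to notice. Returns that changed plaintext."""
    ct = ctr_xor(key, nonce, plaintext)
    return ctr_xor(key, nonce, flip_bit(ct, 0))


# Constructed sample values (not from any real session).
ENC_KEY = b"constructed-enc-key-0000000000000"
MAC_KEY = b"constructed-mac-key-1111111111111"
NONCE = bytes(range(12))
MESSAGE = b"transfer 10 EUR to account 42"

if __name__ == "__main__":
    print("bare CTR after corruption:", ctr_only_after_corruption(ENC_KEY, NONCE, MESSAGE))
    sealed = etm_seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    print("EtM intact:", etm_open(ENC_KEY, MAC_KEY, NONCE, sealed))
    print("EtM corrupted:", etm_open(ENC_KEY, MAC_KEY, NONCE, flip_bit(sealed, 0)))
```

The same nonce rule from the AEAD discussion applies to bare CTR as well: the keystream depends only on (key, nonce, counter), so reusing a nonce under one key XORs two plaintexts together, with or without a MAC on top.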
_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
