Hi Aaron,

If AES-GCM ever generates two ciphertexts using the same key and the same 96-bit nonce, then the underlying CTR-mode keystreams will be the same. XORing the ciphertexts together then produces the XOR of the plaintexts, from which the two individual plaintexts can be recovered (usually) with high probability using standard techniques (see the paper by Mason et al. at CCS 2006 for a full account of this step).

In the TLS context, this means using the same 64-bit nonce_explicit in a given connection - because then opaque salt will be the same 32-bit value. This condition is detectable by an adversary because the nonce_explicit part is sent on the wire (the clue is in the name!). You don't need to know the full 96-bit nonce to carry out the attack. Once you've recovered a plaintext, you can also recover the corresponding CTR-mode keystream. Together with the integrity key, this now enables packet forgery attacks for arbitrary plaintexts (of length limited by that of the known keystream).

IIRC, we discussed this by e-mail some months back...

Regards,

Kenny

On 16/05/2016 10:04, "TLS on behalf of Aaron Zauner" <tls-boun...@ietf.org on behalf of a...@azet.org> wrote:

>Hi,
>
>In the TLS case, RFC5288 defines the following IV construction (Section
>3):
>
>```
> struct {
>   opaque salt[4];
>   opaque nonce_explicit[8];
> } GCMNonce;
>
> The salt is the "implicit" part of the nonce and is not sent in the
> packet. Instead, the salt is generated as part of the handshake
> process: it is either the client_write_IV (when the client is
> sending) or the server_write_IV (when the server is sending). The
> salt length (SecurityParameters.fixed_iv_length) is 4 octets.
>```
>
>As you can see the salt is implicitly derived from the *_write_IV. We
>have no influence on this part of the IV construction, whereas the
>`nonce_explicit` is generated by the implementer. I don't see a way how
>we could XOR some records and compromise confidentiality, we've checked,
>believe me. If somebody can come up with an attack though, that'd be nice.
>
>On the catastrophic part: I'd like to keep it around. I don't think it
>deserves a name like a hurricane, but catastrophic is pretty spot on in
>this regard.
>
>w.r.t. nonce/n-nonce: either we keep the parentheses with "number used
>once" around or we change it to n-once as suggested by Tony and
>beautifully pronounced by Adam Langley :)
>
>Aaron

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
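The keystream-reuse property Kenny describes, together with the on-the-wire check it implies for a passive monitor, as an added Go example that is not part of this thread (the key, the 12-byte nonce and the two plaintexts are constructed values; the function names are mine):

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// gcmSeal: AES-GCM under key and a 96-bit nonce; returns the ciphertext body without the 16-byte tag.
func gcmSeal(key, nonce, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	sealed := aead.Seal(nil, nonce, pt, nil)
	return sealed[:len(sealed)-aead.Overhead()]
}

// xorBytes returns a XOR b over their common prefix.
func xorBytes(a, b []byte) []byte {
	if len(b) < len(a) {
		a = a[:len(b)]
	}
	out := make([]byte, len(a))
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// CiphertextXOR seals p1 and p2 under the SAME key and nonce and XORs the bodies.
// GCM is CTR mode underneath, so the identical keystreams cancel: the result is p1 XOR p2.
func CiphertextXOR(key, nonce, p1, p2 []byte) []byte {
	return xorBytes(gcmSeal(key, nonce, p1), gcmSeal(key, nonce, p2))
}

// NonceExplicitReused is the monitor-side check: the 4-byte salt is fixed per
// direction, so a repeated nonce_explicit on the wire is a repeated 96-bit GCM nonce.
func NonceExplicitReused(explicits [][8]byte) bool {
	seen := make(map[[8]byte]bool, len(explicits))
	for _, e := range explicits {
		if seen[e] {
			return true
		}
		seen[e] = true
	}
	return false
}
```

CiphertextXOR equals p1 XOR p2 only when the nonce repeats; with a fresh nonce_explicit the keystreams differ and the XOR reveals nothing about either plaintext.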