Hi

On 16/05/2016 10:37, "Aaron Zauner" <a...@azet.org> wrote:

>Hi Kenny,
>
>> On 16 May 2016, at 16:18, Paterson, Kenny <kenny.pater...@rhul.ac.uk>
>>wrote:
>> 
>> Hi Aaron,
>> 
>> If AES-GCM ever generates two ciphertexts using the same key and the
>>same
>> 96-bit nonce, then the underlying CTR-mode keystreams will be the same.
>> XORing the ciphertexts together then produces the XOR of the plaintexts,
>> from which the two individual plaintexts can be recovered (usually) with
>> high probability using standard techniques (see the paper by Mason et al
>> at CCS 2006 for a full account of this step).
>> 
>> In the TLS context, this means using the same 64-bit nonce_explicit in a
>> given connection - because then opaque salt will be the same 32-bit
>>value.
>> 
>> This condition is detectable by an adversary because the nonce_explicit
>> part is sent on the wire (the clue is in the name!).
>> 
>> You don't need to know the full 96-bit nonce to carry out the attack.
>
>Yes, I understood that, of course. But:
>
>> Once you've recovered a plaintext, you can also recover the
>>corresponding
>> CTR-mode keystream. Together with the integrity key, this now enables
>> packet forgery attacks for arbitrary plaintexts (of length limited by
>>that
>> of the known keystream).
>
>Right. Joux's attack doesn't recover a plaintext of the actual TLS
>session, we attack GHASH in this case and factor possible candidate
>polynomials of the /authentication key/. In this context I assume
>'confidentiality compromise' with: somebody can recover plaintext from
>captured TLS records. At least in our attack this isn't the case. We're
>merely able to inject malicious content. Am I amiss? Or am I just
>confused about nomenclature?

I think you are amiss.

Maybe the confusion is this: in your authenticity attack, you do recover
the GHASH key, and the effect is catastrophic. In the confidentiality
attack, one can recover plaintexts for the records with repeated nonces,
but not the encryption key. The effect may be bad - but it's perhaps not
as catastrophic in practice as the authenticity attack.

Think about it this way: for your injection attack, you need to recover
the CTR keystream - otherwise you couldn't properly AES-GCM-encrypt your
chosen plaintext record for the injection. But if you recovered the
keystream as part of your attack, then you've also recovered the plaintext
for the original record.

Or maybe in your injection attack you were assuming you already *knew* the
plaintext? That would make sense, I guess - a lot easier then to recover
the keystream than doing the "undoing the XOR" attack needed to recover
P_1 and P_2 from P_1 XOR P_2.

Cheers

Kenny  


>
>Thank you,
>Aaron
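An added example, written for this thread and not code from Kenny, Aaron, or any TLS implementation, showing the keystream-reuse property Kenny describes using Go's standard-library AES-GCM, plus the defender-side check the thread hints at (nonce_explicit is visible on the wire, so a repeat is observable). The key, salt and record contents are constructed demo values; the nonce layout (4-byte implicit salt || 8-byte nonce_explicit) is the TLS 1.2 construction assumed here, and `NonceMonitor` / `NonceCounter` are illustrative names, not any library's API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed demo values (not real secrets): a 32-byte AES-256 key and the
// 4-byte implicit salt TLS 1.2 takes from the key block.
var (
	demoKey  = []byte("0123456789abcdef0123456789abcdef")
	demoSalt = []byte{0xde, 0xad, 0xbe, 0xef}
)

// tlsGCMNonce assembles the 96-bit AES-GCM nonce TLS 1.2 uses:
// salt (implicit) || nonce_explicit (sent in the clear on the wire).
func tlsGCMNonce(salt []byte, nonceExplicit uint64) []byte {
	n := make([]byte, 12)
	copy(n[:4], salt)
	binary.BigEndian.PutUint64(n[4:], nonceExplicit)
	return n
}

// gcmEncryptBody returns only the CTR-mode part of the GCM output; the
// 16-byte tag is stripped so the keystream relationship is visible.
func gcmEncryptBody(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, nil)
	return sealed[:len(sealed)-aead.Overhead()], nil
}

// xorBytes XORs a and b over their common prefix.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverFromNonceReuse reproduces the consequence Kenny describes: two
// records under the same key and nonce share a keystream, so
// C1 XOR C2 == P1 XOR P2, and once P1 is known the keystream (and so P2,
// up to the length of P1) is exposed. Returns (P1 XOR P2, recovered P2).
func RecoverFromNonceReuse(key, nonce, knownP1, secretP2 []byte) ([]byte, []byte, error) {
	c1, err := gcmEncryptBody(key, nonce, knownP1)
	if err != nil {
		return nil, nil, err
	}
	c2, err := gcmEncryptBody(key, nonce, secretP2)
	if err != nil {
		return nil, nil, err
	}
	keystream := xorBytes(c1, knownP1) // CTR keystream leaks from a known record
	return xorBytes(c1, c2), xorBytes(c2, keystream), nil
}

// NonceMonitor is the defender-side check: nonce_explicit travels in the
// clear, so a receiver or passive monitor can flag a repeat per connection.
type NonceMonitor struct{ seen map[uint64]struct{} }

func NewNonceMonitor() *NonceMonitor { return &NonceMonitor{seen: map[uint64]struct{}{}} }

// Observe records a nonce_explicit and reports true if it was already seen.
func (m *NonceMonitor) Observe(nonceExplicit uint64) bool {
	if _, dup := m.seen[nonceExplicit]; dup {
		return true
	}
	m.seen[nonceExplicit] = struct{}{}
	return false
}

// NonceCounter is the sender-side discipline that prevents reuse: a strictly
// increasing 64-bit counter that refuses to wrap around.
type NonceCounter struct{ next uint64 }

func (c *NonceCounter) Next() (uint64, error) {
	if c.next == ^uint64(0) {
		return 0, errors.New("nonce_explicit space exhausted; rekey instead of wrapping")
	}
	v := c.next
	c.next++
	return v, nil
}

func main() {
	p1 := []byte("GET /index.html HTTP/1.1\r\n")     // constructed known record
	p2 := []byte("Cookie: session=demo-secret\r\n") // constructed secret record
	xorPT, rec, err := RecoverFromNonceReuse(demoKey, tlsGCMNonce(demoSalt, 7), p1, p2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("C1^C2 == P1^P2: %v, recovered P2 prefix: %q\n", bytes.Equal(xorPT, xorBytes(p1, p2)), rec)
	m := NewNonceMonitor()
	fmt.Println("nonce_explicit 7 repeated:", m.Observe(7), m.Observe(7))
}
```

The recovered plaintext is limited to the length of the known record, which matches Kenny's remark that forgeries are bounded by the known keystream; the monitor catches the condition from the wire alone, without any key material.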

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
