[slides] Authenticated Encryption GCM - CCM

Authenticated encryption
GCM and CCM modes
Lorenzo Peraldo and Vittorio Picco

Authenticated encryption
Definition
"Authenticated Encryption (AE) is a term used to describe encryption systems which simultaneously protect confidentiality, authenticity and integrity of communications"

Basic components
Message Authentication Code (MAC)
+
Symmetric encryption

Why?
- MAC
  - Integrity: an attacker can't modify the data and then compute a new MAC, because a secret key is needed
  - Authentication: only the user who has the secret key can authenticate the message
- Symmetric encryption
  - Confidentiality: data are encrypted
  - Authentication: only if just 2 users share the secret key

A non-computer example
A letter from a lover by ordinary mail:
- Envelope: confidentiality and integrity
- Signature: authentication

Sender AE black box
- Input
  - A plaintext message
  - A key
  - Possibly a nonce
- Output
  - The encrypted message (ciphertext)
  - An authentication tag

Recipient AE black box
- Input
  - An encrypted message
  - A tag
  - The nonce, if used
  - The key
- Output
  - If the tag is verified: the plaintext
  - else: FAIL

AE security
- Privacy
  - An attacker can sniff the ciphertext and the nonce, but must not be able to recover the plaintext
  - The ciphertext should look like random bits
- Authentication
  - An attacker shouldn't be able to construct a ciphertext, a tag and a nonce such that the recipient accepts them as valid.
  - Protection from replay attacks

AE implementations
- Usually with "modes"
  - A mode is a sequence of operations applied to a block cipher, like DES or AES
  - Examples: CBC, ECB, CTR, ...
- CCM and GCM provide authenticated encryption

Generic composition
- Immediate solution
  - PRO: easy, secure, no need to develop specific apps
  - CON: not optimized, 2 keys needed for best security
- 3 ways
  - MtE: MAC then Encrypt
  - EtM: Encrypt then MAC
  - E&M: Encrypt and MAC
- EtM is the best

Single-pass combined mode
- 2000: IBM developed IAPM
- Comparison with generic composition
  - Split the plaintext in m parts
  - Generic composition: 2m calls of the block cipher
  - Single-pass: about m invocations
- Many followed: XCBC, XECB, OCB, ...
- There is only a problem...

Oh no, Intellectual Properties!!
- Single-pass modes were all patented
  - IAPM: by IBM
  - XCBC: by Gligor and Donescu
  - OCB: by Rogaway, Bellare, Black, and Krovetz
  - XECB: by Gligor and Donescu

As a result ...
- Probably some of the patents are interrelated
- Nobody has gone to court to prove it (yet...)
- The possible users of these technologies have been scared by the legal implications
- The researchers have moved toward other directions
- Single-pass combined modes are not used by anybody, even though they are the best solution

Two-pass combined mode
- Not that different from generic composition
- Some advantages
  - Use of only one key
  - Patent free
  - Better performance than generic composition
- CCM, EAX, CWC, GCM

CCM
A brief introduction

What is CCM
- Counter with CBC-MAC
- An authenticated encryption solution
- Encryption
  - Use of the block cipher AES-128
  - Counter (CTR) mode
- Authentication
  - MAC computed with CBC (Cipher Block Chaining)

Main features
- Symmetric key
- Designed for AES-128
- Use in packet environment (no stream data)
- Arbitrary length MAC
- Only one key for authentication and encryption
- No intellectual property restrictions

How does it work?
Generation - encryption [diagram]

How does it work? (cont'd)
Decryption - verification [diagram]

Generation-encryption
1. The MAC (Message Authentication Code) is computed applying CBC to the formatted input data: (N, P, A) is formatted into the blocks m1, m2, ..., mx

Generation-encryption (cont'd)
2. Counter mode is applied to encrypt data and MAC

Generation-encryption (cont'd)
3. Output ciphertext
[diagram: C = counter-mode encryption under K of the payload and the MAC]

Decryption-verification
- Counter mode decryption
- Computation of MAC with CBC-MAC
  - (N, A, P')
- Verification of authenticity
- Output: Payload / INVALID

Hardware implementation
- CCM cannot be parallelized
- Operations to be implemented:
  - Encryption: hw implementation of AES cipher
  - XOR
  - Counter increment
  - Formatting function

Security
- Recommendations
  - Keys must be secret and "fresh"
  - IV: 0 for CBC-MAC
  - Never use the same nonce twice
  - Max n° of nonces with the same key: 2^61
  - Choose an appropriate MAC length
  - Replay attacks: use of timestamps / packet numbers

A possible attack
"be conservative in what you send, and liberal in what you accept"
[diagram: the sender uses a 16-byte MAC; the receiver accepts 16-byte, 12-byte, 8-byte or 4-byte MACs]

A possible attack (cont'd)
Here comes the bad guy!!
[diagram: the attacker sends a 4-byte MAC to the receiver that accepts 16-byte, 12-byte, 8-byte or 4-byte MACs]

A possible attack (cont'd)
2^32 4-byte MACs computed
At least one valid ciphertext!!!

Countermeasures
- Fix the tag length parameter
  - During key negotiation
  - Never change it during the current session
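The three generation-encryption steps, the decryption-verification steps and the tag-length countermeasure above, as an added example that is not part of the original slides: the CCM formatting function of SP 800-38C (B0 block, length-prefixed associated data, counter blocks), CBC-MAC with a zero IV, counter mode, and a verify-then-output decryption whose tag length is fixed by the caller instead of being read from the message. Assumptions: the block cipher is passed in as a function, `demo_block_cipher` is a constructed SHA-256 stand-in for AES-128 (CCM only calls the cipher in the forward direction), and all keys, nonces and messages are constructed samples.

```python
import hashlib
import hmac

BLOCK = 16


def demo_block_cipher(key: bytes):
    """Constructed stand-in for AES-128 (assumption for this example): CCM only uses
    the forward direction of the cipher, so a 16-byte keyed PRF keeps the structure."""
    return lambda block: hashlib.sha256(key + block).digest()[:BLOCK]


def format_b0(nonce: bytes, aad: bytes, payload_len: int, tag_len: int) -> bytes:
    """First CBC-MAC block B0 = flags || N || Q (SP 800-38C, Appendix A).
    flags: bit 6 = Adata present, bits 5-3 = (t-2)/2, bits 2-0 = q-1."""
    q = 15 - len(nonce)                      # bytes left for the length field Q
    flags = (64 if aad else 0) | (((tag_len - 2) // 2) << 3) | (q - 1)
    return bytes([flags]) + nonce + payload_len.to_bytes(q, "big")


def format_aad(aad: bytes) -> bytes:
    """Associated data prefixed by its encoded length, zero-padded to whole blocks."""
    if not aad:
        return b""
    a = len(aad)
    if a < (1 << 16) - (1 << 8):
        enc = a.to_bytes(2, "big")
    elif a < (1 << 32):
        enc = b"\xff\xfe" + a.to_bytes(4, "big")
    else:
        enc = b"\xff\xff" + a.to_bytes(8, "big")
    blocks = enc + aad
    return blocks + b"\x00" * (-len(blocks) % BLOCK)


def counter_block(nonce: bytes, i: int) -> bytes:
    """Ctr_i = flags(q-1) || N || i; Ctr_0 masks the MAC, Ctr_1.. encrypt the payload."""
    q = 15 - len(nonce)
    return bytes([q - 1]) + nonce + i.to_bytes(q, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(enc, nonce, aad, payload, tag_len):
    """Step 1: CBC-MAC (IV = 0) over the formatted input (N, A, P) = B0, B1, ..., Bx."""
    data = format_b0(nonce, aad, len(payload), tag_len) + format_aad(aad)
    data += payload + b"\x00" * (-len(payload) % BLOCK)
    y = bytes(BLOCK)
    for off in range(0, len(data), BLOCK):
        y = enc(xor(y, data[off:off + BLOCK]))
    return y[:tag_len]


def ctr_xor(enc, nonce, data, first_counter=1):
    """Step 2: counter-mode keystream XORed over the data (same for encrypt/decrypt)."""
    out = bytearray()
    for j, off in enumerate(range(0, len(data), BLOCK)):
        out += xor(enc(counter_block(nonce, first_counter + j)), data[off:off + BLOCK])
    return bytes(out)


def ccm_encrypt(enc, nonce, aad, payload, tag_len):
    """Step 3: C = CTR(payload) || (MAC XOR S0), where S0 = E_K(Ctr_0)."""
    tag = cbc_mac(enc, nonce, aad, payload, tag_len)
    return ctr_xor(enc, nonce, payload) + xor(tag, enc(counter_block(nonce, 0)))


def ccm_decrypt(enc, nonce, aad, ciphertext, tag_len):
    """Decryption-verification. tag_len is negotiated once per session and fixed by
    the caller; it is never taken from the message. Returns None for INVALID."""
    if len(ciphertext) < tag_len:
        return None
    c, masked_tag = ciphertext[:-tag_len], ciphertext[-tag_len:]
    payload = ctr_xor(enc, nonce, c)                      # P', not yet trusted
    tag = xor(masked_tag, enc(counter_block(nonce, 0)))
    if not hmac.compare_digest(tag, cbc_mac(enc, nonce, aad, payload, tag_len)):
        return None                                       # INVALID: release nothing
    return payload
```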

GCM
Galois/Counter Mode of operation

What is GCM - GMAC
- An authenticated encryption solution
- Encryption
  - Use of the block cipher AES
  - Mode of operation similar to CTR
- Authentication
  - The MAC provided is a sort of keyed digest
  - Can provide authentication only → GMAC

Main features
- Extremely fast, more than 10 Gbps
- Easy to implement in software and hardware
- Can be used for authentication only, if desired
- Designed for AES, optimized for 128 bits
- Arbitrary length IV, optimized for 96 bits
- Only one key for authentication and encryption
- No intellectual property restrictions

Authenticated encryption function
WHAT?!?!

Version for human beings
1. The hash sub-key H is computed and stored
[diagram: a block of 128 zero bits is encrypted under K; H = Enc_K(0^128)]

Version for human beings
2. The IV length is checked
  - If it's 96 bits, it is padded to 128
  - If it's different, a 128-bit IV is computed using a special function (GHASH)
  - The IV is the starting value of the counter

Version for human beings
3. Encryption [diagram]

Version for human beings
4. Authentication: GF(2^128) [diagram]

Hardware implementation
- The only way to manage more than 10 Gbps
- GCM can be parallelized
- Operations to be implemented:
  - Encryption: hw implementation of AES cipher
  - XOR
  - Increment of the counter
  - Multiplication within GF(2^128)

Hardware implementation [diagram]

The multiplication in GF(2^q)
- Different approaches
  - Parallel
  - Serial: super serial, bit serial, etc.
- Serial solutions
  - Time and area linear with q
- Parallel solution
  - Time: 1 clock cycle
  - Area: quadratic with q, but only 30% of the AES cipher
GO PARALLEL, BOYS!

Security
- Recommendations
  - Keys: secret and "fresh"
  - IV: probability of using the same IV and key < 2^-32
  - Known security problem with reused IVs
  - Appropriate tag length
  - Replay attacks: use of timestamps

Oracles...
- Permutation oracle
  - Outputs a random number or the output of a PRF
  - The PRF represents an encrypted message
- Distinguishing advantage

Oracles...
- Tag-generation oracle
  - Input: a message
  - Output: a valid tag
- Tag-validation oracle
  - Input: a message and a tag
  - Output: is the tag correct for the given message?
- Forgery advantage

CTR known issue
Plaintext:  Hello world, this is me, life should be fun for everyone
Ciphertext: 72dd0294rth%p29sj!5z/k=pakd'^3sddG#/ap597;7*h2?375ba+?9
Plaintext:  Hello Sarah, this is me, life should be fun for everyone
Ciphertext: 72dd02 3&F7j %p29sj!5z/k=pakd'^3sddG#/ap597;7*h2?375ba+?9
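The GF(2^128) multiplication and GHASH of step 4 and the hardware slides, together with the CTR malleability shown above, as an added example that is not part of the original slides: the "Hello world" → "Hello Sarah" edit passes through unauthenticated CTR decryption unnoticed, while the GCM tag computed over the same ciphertext rejects it. Assumptions: the field arithmetic follows SP 800-38D Algorithm 1, `prf_block` is a constructed SHA-256 stand-in for AES (GCM only uses the forward direction of the cipher), and the key, IV and messages are constructed samples.

```python
import hashlib
import hmac

R = 0xE1 << 120  # GCM reduction constant for x^128 + x^7 + x^2 + x + 1 (bit-reflected)


def gf_mult(x: int, y: int) -> int:
    """Block multiplication in GF(2^128), SP 800-38D Algorithm 1. GCM numbers bits from
    the left, so the field element 1 is 0x80..00 and the loop walks x from its top bit."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: int, aad: bytes, ciphertext: bytes) -> int:
    """GHASH_H over A || pad || C || pad || len64(A) || len64(C): Y_i = (Y_{i-1} xor X_i) * H."""
    def blocks(data: bytes):
        data += b"\x00" * (-len(data) % 16)
        return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]
    y = 0
    for x in blocks(aad) + blocks(ciphertext):
        y = gf_mult(y ^ x, h)
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    return gf_mult(y ^ lengths, h)


def prf_block(key: bytes, counter: bytes) -> bytes:
    """Constructed stand-in for AES_K on one block (assumption for this example): GCM
    only uses the cipher's forward direction, so a 16-byte keyed PRF keeps the structure."""
    return hashlib.sha256(key + counter).digest()[:16]


def ctr_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR keystream XOR. With a 96-bit IV, J0 = IV || 0^31 || 1 and the payload uses
    counters 2, 3, ... This step is malleable: a flipped ciphertext bit flips the plaintext bit."""
    out = bytearray()
    for j, off in enumerate(range(0, len(data), 16)):
        keystream = prf_block(key, iv + (2 + j).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(keystream, data[off:off + 16]))
    return bytes(out)


def gcm_encrypt(key: bytes, iv: bytes, aad: bytes, plaintext: bytes):
    """Returns (ciphertext, tag) with H = E_K(0^128) and tag = GHASH_H(A, C) xor E_K(J0)."""
    h = int.from_bytes(prf_block(key, bytes(16)), "big")
    ek_j0 = int.from_bytes(prf_block(key, iv + (1).to_bytes(4, "big")), "big")
    ciphertext = ctr_xor(key, iv, plaintext)
    return ciphertext, (ghash(h, aad, ciphertext) ^ ek_j0).to_bytes(16, "big")


def gcm_decrypt(key: bytes, iv: bytes, aad: bytes, ciphertext: bytes, tag: bytes):
    """Verify the tag before releasing any plaintext; None on any change to A, C or T."""
    h = int.from_bytes(prf_block(key, bytes(16)), "big")
    ek_j0 = int.from_bytes(prf_block(key, iv + (1).to_bytes(4, "big")), "big")
    expected = (ghash(h, aad, ciphertext) ^ ek_j0).to_bytes(16, "big")
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_xor(key, iv, ciphertext)
```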

Beware!
- Attacker with access to a tag-generation oracle
- If IVs are not changed, the output will be a function of the hash sub-key H
- Analyzing the resulting tags, the attacker could recover H
- With H he can generate valid authentication tags, thus pretending to be your friend!

Solution
- This attack is possible only if you use the same key with the same IV at least twice
NEVER DO THAT!

References
- NIST Special Publication 800-38C (CCM)
- NIST Special Publication 800-38D (GCM)
- Authenticated Encryption (J. Black)
- A Critique of CCM (P. Rogaway, D. Wagner)
- On The Security of CTR + CBC-MAC (J. Jonsson)
- Counter with CBC-MAC (D. Whiting, R. Housley, N. Ferguson)
- Flexible and Efficient Message Authentication in Hardware and Software (D. A. McGrew, J. Viega)
- The Security and Performance of the Galois/Counter Mode (GCM) of Operation (D. A. McGrew, J. Viega)
- www.wikipedia.org

Questions?