Abstract
Galois/Counter Mode (GCM) is a block cipher mode of operation widely adopted in many practical applications and standards, such as IEEE 802.1AE and IPsec. We demonstrate that to construct successful forgeries of GCM-like polynomial-based MAC schemes, hash collisions are not necessarily required and any polynomials could be used in the attacks, which removes the restrictions of attacks previously proposed by Procter and Cid. Based on these new discoveries on forgery attacks, we show that all subsets with no less than two authentication keys are weak key classes, if the final block cipher masking is computed additively. In addition, by utilizing a special structure of GCM, we turn these forgery attacks into birthday attacks, which will significantly increase their success probabilities. Furthermore, we provide a method to fix GCM in order to avoid the security proof flaw discovered by Iwata, Ohashi and Minematsu. By applying the method, the security bounds of GCM can be improved by a factor of around 220. Lastly, we show that these forgery attacks will still succeed if GCM adopts MAC-then-Enc paradigm to protect its MAC scheme as one of the options mentioned in previous papers.
Access provided by Autonomous University of Puebla. Download to read the full chapter text
Chapter PDF
Similar content being viewed by others
References
Aoki, K., Yasuda, K.: The security and performance of “GCM” when short multiplications are used instead. In: Kutyłowski, M., Yung, M. (eds.) Inscrypt 2012. LNCS, vol. 7763, pp. 225–245. Springer, Heidelberg (2013)
Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005)
CAESAR. Competition for Authenticated Encryption: Security, Applicability, and Robustness, http://competitions.cr.yp.to/caesar.html
Dworkin, M.J.: SP 800-38D. Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. Technical report, Gaithersburg, MD, United States (2007)
Ferguson, N.: Authentication weaknesses in GCM. Comments Submitted to NIST Modes of Operation Process (2005)
Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008)
IEEE 802.1AE. Media access control (MAC) security (2006), http://www.ieee802.org/1/pages/802.1ae.html
Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012)
Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. Cryptology ePrint Archive, Report 2012/438 (2012), http://eprint.iacr.org/
Joux, A.: Authentication failures in NIST version of GCM. NIST Comment (2006)
Katz, J., Lindell, Y.: Introduction to modern cryptography. Chapman & Hall (2008)
McGrew, D., Viega, J.: The Galois/Counter Mode of operation (GCM). Submission to NIST Modes of Operation Process (2004)
McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004)
McGrew, D.A.: Counter mode security: Analysis and recommendations (2002), http://www.mindspring.com/~dmcgrew/ctr-security.pdf
NSA. Suite B Cryptography (2005), http://www.nsa.gov/ia/programs/suiteb_cryptography/
Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Fast Software Encryption.LNCS. Springer (to appear, 2013)
Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. Cryptology ePrint Archive, Report 2013/144 (2013), http://eprint.iacr.org/
Rogaway, P.: Authenticated-encryption with associated-data. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, pp. 98–107. ACM, New York (2002)
Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012)
Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996)
Viega, J., McGrew, D.A.: The use of Galois/Counter Mode (GCM) in IPsec encapsulating security payload, ESP (2005), http://tools.ietf.org/html/rfc4106.html
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer International Publishing Switzerland
About this paper
Cite this paper
Zhu, B., Tan, Y., Gong, G. (2013). Revisiting MAC Forgeries, Weak Keys and Provable Security of Galois/Counter Mode of Operation. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds) Cryptology and Network Security. CANS 2013. Lecture Notes in Computer Science, vol 8257. Springer, Cham. https://doi.org/10.1007/978-3-319-02937-5_2
Download citation
DOI: https://doi.org/10.1007/978-3-319-02937-5_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-02936-8
Online ISBN: 978-3-319-02937-5
eBook Packages: Computer ScienceComputer Science (R0)