Re: [TLS] [Errata Verified] RFC5288 (4694)
RFC Errata System writes: >The following errata report has been verified for RFC5288, >"AES Galois Counter Mode (GCM) Cipher Suites for TLS". I think the erratum needs an erratum. Firstly, nonce doesn't mean "number used once". Secondly, nonce reuse doesn't just result in a failure of integrity-protection, it also results in a loss of confidentiality protection. In other words it leads to total breach of the encryption mode's security, both properties that it's supposed to provide are no longer present. Peter. ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
[TLS] [Errata Verified] RFC5288 (4694)
The following errata report has been verified for RFC5288, "AES Galois Counter Mode (GCM) Cipher Suites for TLS". -- You may review the report below and at: http://www.rfc-editor.org/errata_search.php?rfc=5288&eid=4694 -- Status: Verified Type: Technical Reported by: Aaron Zauner Date Reported: 2016-05-14 Verified by: Stephen Farrell (IESG) Section: 6.1 Original Text - AES-GCM security requires that the counter is never reused. The IV construction in Section 3 is designed to prevent counter reuse. Implementers should also understand the practical considerations of IV handling outlined in Section 9 of [GCM]. Corrected Text -- Security of AES-GCM requires that the "nonce" (number used once) is never reused. The IV construction in Section 3 does not prevent implementers from reusing the nonce by mistake. It is paramount that the implementer be aware of the security implications when a nonce is reused even once. Nonce reuse in AES-GCM allows for the recovery of the authentication key resulting in complete failure of the mode's authenticity. Hence, TLS sessions can be effectively attacked through forgery by an adversary. This enables an attacker to inject data into the TLS allowing for XSS and other attack vectors. Notes - Obviously the original wording is so ambiguous that implementers got it wrong in the real world. Related to: https://www.blackhat.com/us-16/briefings.html#nonce-disrespecting-adversaries-practical-forgery-attacks-on-gcm-in-tls It may be worth adding a reference to [JOUX] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/...38.../GCM/Joux_comments.pdf and maybe the paper we're intending to release on the actual HTTPS forgery/injection attack. I'd actually like to change the nonce construction to that of the ChaCha20/Poly1305 document, but I figure this will cause massive breakage for already deployed implementations. TLS 1.3 fixes this issue per design. -- RFC5288 (draft-ietf-tls-rsa-aes-gcm-03) -- Title : AES Galois Counter Mode (GCM) Cipher Suites for TLS Publication Date: August 2008 Author(s) : J. Salowey, A. Choudhury, D. McGrew Category: PROPOSED STANDARD Source : Transport Layer Security Area: Security Stream : IETF Verifying Party : IESG ___ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
