Here's a possible re-write of the second paragraph:
Nonce re-use in AES-GCM results in failure of both confidentiality and authenticity. Not only will confidentiality be breached by leaking the XOR of any two packets processed under the same nonce, but TLS sessions can also be attacked through forgery by an adversary. For example, in the case of HTTPS sessions, content injection, XSS, and other attack vectors are possible.
Original text:
Security of AES-GCM requires that the "nonce" (number used once) is never reused. The IV construction in Section 3 does not prevent implementers from reusing the nonce by mistake. It is paramount that the implementer be aware of the security implications when a nonce is re-used even once.
Nonce re-use in AES-GCM results in catastrophic failure of its authenticity. Hence, TLS sessions can be effectively attacked through forgery by an adversary. In the case of e.g. HTTPS sessions, content injection, XSS and other attack vectors are possible.
On 2016-05-16 05:32, Peter Gutmann wrote:
Aaron Zauner <[email protected]> writes:
> If so, could you suggest better wording for this specific paragraph?

I would just leave it as "nonce", with no attempt at a definition. If there are any cryptographers who don't know what a nonce is they can look it up. If they use an authoritative source they'll get the correct definition, and if they use Wikipedia they'll get Wikipedia's definition.

> I wouldn't cite Wikipedia in an academic publication, but it's what pops up first if someone looks for "nonce" via a Google search.

That doesn't make it correct, it just makes it the most popular misconception. For another crypto example, look up HDCP and Blom's Scheme on Wikipedia, and see how much resemblance that bears to reality.

> This document is on TLS cipher-suites, not AES-GCM in general. This attack isn't applicable here for various reasons. But I agree that the errata could be clearer here. What'd be your suggestion as an addition or change? I'm sure the relevant editors will be willing to amend/change my wording in this errata.

Since the paper for the Black Hat talk hasn't been published, I don't know what the actual problem is (and by extension what the various reasons are), but if you reuse a nonce I can't see how it would affect auth but not confidentiality, since you'd be generating a repeated cipher stream. If confidentiality isn't affected then there should probably be a note explaining why, since my immediate reaction to a comment about nonce reuse would be "complete failure of the entire mode".
Peter.
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
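The confidentiality failure discussed above (a repeated GCM keystream under a reused nonce exposes the XOR of two plaintexts) as an added Go example; this is not code from the thread or from any TLS implementation, and the key, the two nonces and the record contents are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// gcmBody seals plaintext with AES-128-GCM under key/nonce and returns the
// ciphertext body with the 16-byte authentication tag stripped off.
func gcmBody(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 96-bit nonce, as in TLS 1.2 AES-GCM suites
	if err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, nil)
	return sealed[:len(sealed)-aead.Overhead()], nil
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// NonceReuseLeaksXOR reports whether C1 XOR C2 equals P1 XOR P2 for two records
// sealed under the same key with nonce1 and nonce2. When nonce1 == nonce2 the
// CTR keystream repeats and the relation holds; with distinct nonces it does not.
func NonceReuseLeaksXOR(key, nonce1, nonce2, p1, p2 []byte) (bool, error) {
	c1, err := gcmBody(key, nonce1, p1)
	if err != nil {
		return false, err
	}
	c2, err := gcmBody(key, nonce2, p2)
	if err != nil {
		return false, err
	}
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2)), nil
}

func main() {
	key := []byte("0123456789abcdef")   // constructed 16-byte demo key
	nonce := []byte("fixed-nonce!")     // constructed 12-byte nonce, reused below
	fresh := []byte("other-nonce!")     // constructed distinct 12-byte nonce
	p1 := []byte("GET /account HTTP/1.1")
	p2 := []byte("GET /logout  HTTP/1.1")
	leak, _ := NonceReuseLeaksXOR(key, nonce, nonce, p1, p2)
	safe, _ := NonceReuseLeaksXOR(key, nonce, fresh, p1, p2)
	fmt.Printf("reused nonce exposes P1^P2: %v; fresh nonce exposes P1^P2: %v\n", leak, safe)
}
```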