You're reading from TLS Cryptography In-Depth Explore the intricacies of modern cryptography and the inner workings of TLS

Product type Paperback

Published in Jan 2024

Publisher Packt

ISBN-13 9781804611951

Length 712 pages

Edition 1st Edition

Concepts

Cryptography

Authors (2):

Dr. Roland Schmitz

Dr. Paul Duplys

View More author details

Table of Contents (30) Chapters

Preface

1. Part I Getting Started

2. Chapter 1: The Role of Cryptography in the Connected World FREE CHAPTER

3. Chapter 2: Secure Channel and the CIA Triad

4. Chapter 3: A Secret to Share

5. Chapter 4: Encryption and Decryption

6. Chapter 5: Entity Authentication

7. Chapter 6: Transport Layer Security at a Glance

8. Part II Shaking Hands

9. Chapter 7: Public-Key Cryptography

10. Chapter 8: Elliptic Curves

11. Chapter 9: Digital Signatures

12. Chapter 10: Digital Certificates and Certification Authorities

13. Chapter 11: Hash Functions and Message Authentication Codes

14. Chapter 12: Secrets and Keys in TLS 1.3

15. Chapter 13: TLS Handshake Protocol Revisited

16. Part III Off the Record

17. Chapter 14: Block Ciphers and Their Modes of Operation

18. Chapter 15: Authenticated Encryption

19. Chapter 16: The Galois Counter Mode

20. Chapter 17: TLS Record Protocol Revisited

21. Chapter 18: TLS Cipher Suites

22. Part IV Bleeding Hearts and Biting Poodles

23. Chapter 19: Attacks on Cryptography

24. Chapter 20: Attacks on the TLS Handshake Protocol

25. Chapter 21: Attacks on the TLS Record Protocol

26. Chapter 22: Attacks on TLS Implementations

27. Bibliography

28. Index

29. Other Books You Might Enjoy

16.2 GCM security

GCM’s biggest security risk is its fragility in case of nonce repetition. NIST’s GCM standard [57] requires the following:

The probability that the authenticated encryption function ever will be invoked with the same IV and the same key on two (or more) distinct sets of input data shall be no greater than 2⁻³².

Moreover, care must be taken that the nonces do not repeat: if the same nonce N is used twice in an AES-GCM computation, an attacker would be able to compute the authentication key H. With the help of H, tags for any ciphertext, associated data, or both can be fabricated.

This is easy to see with a little bit of math. The authentication tag is computed as:

T = GHASH (H, A,C )⊕ E (N ∥0) K

Now, if we have two tags T₁ and T₂ computed with the same nonce N, we can XOR T₁ and T₂ to obtain the following expression:

GHASH (H, A1,C1 )⊕ EK (N ∥0)⊕ GHASH (H,A2, C2)⊕ EK (N ∥0)

Because x ⊕ x = 0, the term E_K(N∥0) (the AES encryption of N∥0 under the secret key K) will vanish. As a result, the attacker obtains...

The rest of the chapter is locked

You're reading from TLS Cryptography In-Depth Explore the intricacies of modern cryptography and the inner workings of TLS

Table of Contents (30) Chapters

16.2 GCM security

Unlock this book and the full library FREE for 7 days

Authors (2)

Personalised recommendations for you