I've done it! After literal months of work, I've finally finished my (rather long) blog post about how AES-GCM works and how its security guarantees can be completely broken when a nonce is reused:

https://frereit.de/aes_gcm/

It includes more than 10 interactive widgets for you to try out AES-GCM, GHASH and the nonce reuse attack right in your browser! (Powered by #RustLang and #WASM)

If you're interested in #cryptography, #math (or #maths) or #infosec you might find it interesting.

If you do read it, I'm all ears for feedback and criticism!

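The simplest instance of the nonce-reuse attack the post is about, written out as an added example in Go (this is not the post's own Rust/WASM code). Two 16-byte messages sealed under the same key and nonce give T1 ⊕ T2 = (C1 ⊕ C2)·H², because the length blocks and the mask E_K(J0) cancel; H follows from one field inversion and one square root (squaring is a bijection in GF(2^128), so the root is unique). With H and one known plaintext the attacker mints a tag that Go's own crypto/cipher GCM accepts. The key, nonce and plaintexts are constructed sample values; messages longer than one block need the roots of a higher-degree polynomial, which this example does not implement.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// elem is a GF(2^128) element in GCM's convention: coefficient 0 is the MSB of hi.
type elem struct{ hi, lo uint64 }

func fromBytes(b []byte) elem {
	return elem{binary.BigEndian.Uint64(b), binary.BigEndian.Uint64(b[8:])}
}
func xor(a, b elem) elem { return elem{a.hi ^ b.hi, a.lo ^ b.lo} }

// mul is the bit-serial multiply of NIST SP 800-38D, Algorithm 1.
func mul(x, y elem) elem {
	var z elem
	v := y
	for i := 0; i < 128; i++ {
		if x.hi>>63 == 1 { // x's current leftmost coefficient
			z = xor(z, v)
		}
		x.hi, x.lo = x.hi<<1|x.lo>>63, x.lo<<1
		lsb := v.lo & 1
		v.hi, v.lo = v.hi>>1, v.lo>>1|v.hi<<63
		if lsb == 1 {
			v.hi ^= 0xE100000000000000 // reduce by x^128 + x^7 + x^2 + x + 1
		}
	}
	return z
}

// inv is 1/x = x^(2^128-2) (Fermat); sqrt is x^(2^127), which undoes squaring.
func inv(x elem) elem {
	t, r := x, elem{hi: 1 << 63} // r starts at the polynomial 1
	for i := 0; i < 127; i++ {
		t = mul(t, t)
		r = mul(r, t) // accumulates x^(2+4+...+2^127)
	}
	return r
}
func sqrt(x elem) elem {
	for i := 0; i < 127; i++ {
		x = mul(x, x)
	}
	return x
}

// ghash is GHASH_H over a ciphertext with no additional data: zero-padded
// 16-byte blocks, then the length block (bit lengths of A and C).
func ghash(h elem, ct []byte) elem {
	var y elem
	for i := 0; i < len(ct); i += 16 {
		var blk [16]byte
		copy(blk[:], ct[i:])
		y = mul(xor(y, fromBytes(blk[:])), h)
	}
	var lens [16]byte
	binary.BigEndian.PutUint64(lens[8:], uint64(len(ct))*8)
	return mul(xor(y, fromBytes(lens[:])), h)
}

// RecoverH takes two single-block ciphertexts and tags under one key and nonce.
// Length blocks and the mask E_K(J0) cancel, so T1^T2 = (C1^C2)*H^2.
func RecoverH(c1, t1, c2, t2 []byte) elem {
	return sqrt(mul(xor(fromBytes(t1), fromBytes(t2)), inv(xor(fromBytes(c1), fromBytes(c2)))))
}

// Forge returns ciphertext||tag decrypting to want, from H and one known triple.
func Forge(h elem, knownPT, knownCT, knownTag, want []byte) []byte {
	mask := xor(fromBytes(knownTag), ghash(h, knownCT)) // = E_K(J0)
	out := make([]byte, 32)
	for i := 0; i < 16; i++ {
		out[i] = knownCT[i] ^ knownPT[i] ^ want[i] // same keystream block as knownCT
	}
	tag := xor(ghash(h, out[:16]), mask)
	binary.BigEndian.PutUint64(out[16:], tag.hi)
	binary.BigEndian.PutUint64(out[24:], tag.lo)
	return out
}

// Demo runs the attack on constructed inputs and returns what the victim's
// gcm.Open yields for the forgery, plus the recovered and true H = E_K(0^128).
func Demo() (forgedPT []byte, recovered, truth elem, err error) {
	key := []byte("0123456789abcdef") // constructed sample key
	nonce := []byte("reused-nonce")   // 12 bytes, used twice below: the bug
	p1 := []byte("transfer $10 now")  // known to the attacker
	p2 := []byte("hello world,GCM!")  // any other 16-byte message
	blk, _ := aes.NewCipher(key)      // 16-byte key, cannot fail
	gcm, _ := cipher.NewGCM(blk)
	s1 := gcm.Seal(nil, nonce, p1, nil) // C1 || T1
	s2 := gcm.Seal(nil, nonce, p2, nil) // C2 || T2, same nonce
	recovered = RecoverH(s1[:16], s1[16:], s2[:16], s2[16:])
	forged := Forge(recovered, p1, s1[:16], s1[16:], []byte("transfer $99 now"))
	forgedPT, err = gcm.Open(nil, nonce, forged, nil)
	var hb [16]byte
	blk.Encrypt(hb[:], make([]byte, 16))
	return forgedPT, recovered, fromBytes(hb[:]), err
}

func main() {
	pt, rec, truth, err := Demo()
	fmt.Println("H recovered:", rec == truth, "forgery accepted:", err == nil, string(pt))
}
```

Running it prints `H recovered: true forgery accepted: true transfer $99 now`: the victim's GCM accepts a message it never produced, with no knowledge of the AES key. Everything hinges on the two tags sharing E_K(J0), which only happens when the nonce repeats.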
Fun-ish fact: All the images in the post are handwritten SVGs, which makes the text selectable (when the SVG is open in a separate tab) and means the SVG is responsive to dark mode and light mode.
Unfortunately, I ran into a Firefox bug while developing these SVGs 😢 https://bugzilla.mozilla.org/show_bug.cgi?id=1901414

@fre I didn't read it all, but damn, this is very well done! I love the interactivity!

Share it on more platforms, this is a gem! ✨

@fre That's great! I've read other descriptions but this is by far the clearest!
@fre ooo... gonna read that. (You'll need another month to go into how AES-GCM-SIV reduces (but does not eliminate) the severity of nonce reuse :) )
@fre Most of the math is way over my head so I might miss the point entirely, but isn’t it easier to use an asymmetric key to authenticate/sign the AES key to verify the sender?

@erikvanbeek Great question! Asymmetric encryption does indeed offer authentication "by default" but I'd say it's debatable if it is really "easier".

First, you need some kind of key management system, either a public key infrastructure (PKI), a Trust on First Use (TOFU) model (like SSH), etc. This adds complexity in places where you might not want any additional complexity.

Secondly, most applications of asymmetric encryption are used to exchange a symmetric key, and all further communication is then performed using the symmetric key exchanged over the asymmetric encryption. The main benefit of symmetric encryption is really performance. All modern CPUs have built-in instructions for AES (such as the AESENC instruction), which makes AES insanely fast on these CPUs.

So, the asymmetric encryption is used to establish "Yes, the entity sending this symmetric key is who they claim", and then authenticated symmetric encryption is used to ensure that any traffic after the initial key agreement is not tampered with.

Edit: I'm sorry, I think I saw "asymmetric encryption" and kinda missed what you were actually asking. While the above stands, let me try to specifically answer your question:

If I understand you correctly, you're proposing to send a "signature" of the AES key with each ciphertext, to prove ownership of the key?

This, unfortunately, doesn't work. The signature of the AES key will still be valid, even if the ciphertext has been tampered with, thus allowing an attacker control over the ciphertext (and thus, the plaintext). You'd need to sign the entire ciphertext, at which point we arrive at AES-GCM.
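The failure described in the reply above, as an added example in Go (not code from the thread or the blog post): a hypothetical scheme that signs the AES key with Ed25519 and ships unauthenticated AES-CTR ciphertext, placed beside AES-GCM. Flipping two ciphertext bytes turns "$10" into "$99" in the decrypted plaintext; the key signature still verifies, while the GCM tag does not. Only Go's standard library is used; the key, IV and plaintext are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// keySigned is the scheme from the question, written out: the AES key is
// signed once, the ciphertext itself carries no integrity check.
type keySigned struct {
	iv, ct, keySig []byte
}

// ctrXOR applies AES-CTR; the same call encrypts and decrypts.
func ctrXOR(key, iv, data []byte) []byte {
	blk, _ := aes.NewCipher(key) // 16-byte key below, cannot fail
	out := make([]byte, len(data))
	cipher.NewCTR(blk, iv).XORKeyStream(out, data)
	return out
}

func sealKeySigned(priv ed25519.PrivateKey, key, iv, pt []byte) keySigned {
	return keySigned{iv: iv, ct: ctrXOR(key, iv, pt), keySig: ed25519.Sign(priv, key)}
}

// openKeySigned accepts whenever the signature over the *key* verifies,
// which says nothing about whether ct is the ciphertext the sender produced.
func openKeySigned(pub ed25519.PublicKey, key []byte, m keySigned) ([]byte, bool) {
	if !ed25519.Verify(pub, key, m.keySig) {
		return nil, false
	}
	return ctrXOR(key, m.iv, m.ct), true
}

// flipDigits turns the "$10" in "transfer $10 now" into "$99" by XORing the
// ciphertext bytes at offsets 10 and 11 with the plaintext difference. This
// needs no key: it works against any stream mode, CTR and GCM's CTR layer alike.
func flipDigits(ct []byte) {
	ct[10] ^= '1' ^ '9'
	ct[11] ^= '0' ^ '9'
}

// Compare returns the plaintext the key-signature scheme hands back for a
// tampered message and whether it accepted it, and whether AES-GCM accepts
// the same tampering of its ciphertext.
func Compare() (tamperedPT []byte, keySigOK, gcmOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	key := []byte("0123456789abcdef") // constructed sample key
	pt := []byte("transfer $10 now")

	// Scheme A: Ed25519 signature over the key, AES-CTR ciphertext.
	m := sealKeySigned(priv, key, make([]byte, 16), pt)
	flipDigits(m.ct)
	tamperedPT, keySigOK = openKeySigned(pub, key, m)

	// Scheme B: AES-GCM, whose tag covers the whole ciphertext.
	blk, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(blk)
	nonce := make([]byte, 12)
	sealed := gcm.Seal(nil, nonce, pt, nil)
	flipDigits(sealed) // bytes 10 and 11 are ciphertext; the 16-byte tag follows
	_, err := gcm.Open(nil, nonce, sealed, nil)
	return tamperedPT, keySigOK, err == nil
}

func main() {
	pt, a, b := Compare()
	fmt.Printf("key-signature scheme accepted tampered message: %v, decrypts to %q\n", a, pt)
	fmt.Printf("AES-GCM accepted the same tampering: %v\n", b)
}
```

The signature proves the sender once held the key; it binds nothing about this particular ciphertext. Signing every ciphertext would close the gap at the cost of a public-key operation per message, which is exactly what the per-message GCM tag provides symmetrically.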

@fre No, I didn't mean sign every ciphertext with PKI; without doing the math I can see that wouldn't be a solution. I'll forward your blog to my colleagues who will understand all of this!

@fre Weird thing for me to get hung up on: "nonce" does not come from "number used once"! It does come from "once" but the use predates cryptography. "Number used once" is a handy mnemonic though!

https://www.etymonline.com/word/nonce
https://en.wikipedia.org/wiki/Nonce_word


@jrose You're right! I had heard this somewhere before and I didn't fact check it. I'll update the post later. Thanks!
@fre @saraislet This is such a great post, would've helped me a lot years ago when I was implementing AES-GCM based encryption, but to get there had a lot of "but why?" and searching.
@fre found a typo: "This will gives us"
@fre I love it. I am pretty sure a crypto hacking challenge involving this is going to be happening to my students soon. And I hope that they will love it, too.
@fre Your "Activate Windows" message is cute :)