This year’s Black Hat Briefings included many outstanding talks; being a bit of a crypto geek, the one that particularly piqued my interest was the practical forgery attack on the Galois/Counter Mode (GCM) of operation: Nonce Disrespect (slides [pdf], paper [pdf], example code)

GCM is an authenticated encryption mode where authentication and ciphering are done in one pass across a message. This is one of the stronger means of combining encryption and message authentication (Authenticated Encryption is better than Encrypt-Then-Authenticate, which is better than Authenticate-Then-Encrypt).

The Nonce Disrespect attack exploits reuse of random Nonce values under a given key. Repeating a Nonce value with the same symmetric key causes collisions that enable attacks against the GCM message authentication function. Although not a cryptanalytic attack per se, it’s interesting to see yet another attack against software implementations of TLS.

Unfortunately, the standards are not clear on how these Nonce values should be generated or on how to ensure they are never re-used under the same key. Having dealt with various relevant standards (NIST, IETF, etc.) in a former life, I can understand this frustration. It really does feel like you have to be a bit of a cryptographer yourself if you’re writing code using a crypto API—and even more so if you’re writing a crypto library. Even if you’re pretty good at crypto, you’re still likely to get at least something wrong along the way—this Nonce Disrespect attack clearly demonstrates how even some of the stronger systems for cryptographically protecting your data can have implementation vulnerabilities.
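As an added illustration of the uniqueness problem described above (example code written for this post, not from the Nonce Disrespect paper or its authors), the block below shows the deterministic 96-bit nonce layout that TLS 1.2 AES-GCM and NIST SP 800-38D use (4-byte fixed field plus an 8-byte counter) with a hard per-key budget, the birthday-bound estimate of why random 64-bit explicit nonces collide, and a detector that flags a nonce seen twice under one key. The record sample and key identifiers are constructed; it uses only the standard library.

```python
# Added example: deterministic GCM nonce source plus a reuse detector.
# Standard library only; the records below are constructed sample data.
import math
import os
from collections import defaultdict


class GcmNonceSequence:
    """96-bit GCM nonce = 4-byte fixed field || 8-byte big-endian counter.
    This is the NIST SP 800-38D deterministic construction; TLS 1.2 AES-GCM
    has the same shape (4-byte salt from the key block + 8-byte explicit
    nonce). Uniqueness per key comes from the counter, not from randomness."""

    def __init__(self, fixed: bytes, limit: int = 2**32):
        if len(fixed) != 4:
            raise ValueError("fixed field must be 4 bytes")
        self.fixed = fixed
        self.counter = 0
        self.limit = limit  # refuse to outlive the key's nonce budget

    def next_nonce(self) -> bytes:
        if self.counter >= self.limit:
            raise RuntimeError("nonce budget exhausted: rotate the key")
        nonce = self.fixed + self.counter.to_bytes(8, "big")
        self.counter += 1
        return nonce


def random_nonce_collision_probability(messages: int, nonce_bits: int = 64) -> float:
    """Birthday bound: probability that `messages` random nonces of
    `nonce_bits` bits contain at least one repeat under the same key."""
    return 1.0 - math.exp(-(messages ** 2) / 2 ** (nonce_bits + 1))


def find_nonce_reuse(records):
    """records: iterable of (key_id, nonce) pairs observed on the wire.
    Returns {key_id: [nonce, ...]} for every nonce seen more than once
    under one key, i.e. the condition that breaks GCM authentication."""
    seen = defaultdict(lambda: defaultdict(int))
    for key_id, nonce in records:
        seen[key_id][nonce] += 1
    return {k: [n for n, c in v.items() if c > 1]
            for k, v in seen.items() if any(c > 1 for c in v.values())}


# Constructed sample: connection "A" repeats an explicit nonce, "B" does not.
SAMPLE_RECORDS = [
    ("A", bytes.fromhex("0000000000000001")),
    ("A", bytes.fromhex("0000000000000002")),
    ("A", bytes.fromhex("0000000000000001")),  # reuse under key "A"
    ("B", bytes.fromhex("0000000000000001")),
    ("B", bytes.fromhex("0000000000000002")),
]

if __name__ == "__main__":
    seq = GcmNonceSequence(os.urandom(4))
    print(seq.next_nonce().hex(), seq.next_nonce().hex())
    print(find_nonce_reuse(SAMPLE_RECORDS))
```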

Given that implementation of low-level functions is so difficult to get right, most people should be using higher levels of abstraction when dealing with crypto in software. I would really love to see some good consensus in industry and more work towards “a secure network connection”, “a secure storage container”, etc. instead of asking developers to work with lower-level concepts like “ciphered message”, “digital signature”, and “TLS 1.2 connection”.

About Tom Palarz

Tom Palarz is a Principal Security Researcher at Veracode. His primary research focus is on static analysis of languages and frameworks. He also has a bit of a knack for embedded systems and low level tech. Prior to joining Veracode, he spent several years building software and then several years breaking it. In his current role, he is helping developers and security folks alike build more secure software.
