The fragility of AES-GCM authentication algorithm

Shay Gueron, Vlad Krasnov

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

A new implementation of the GHASH function has been recently committed to a Git version of OpenSSL, to speed up AES-GCM. We identified a bug in that implementation, and made sure it was quickly fixed before trickling into an official OpenSSL trunk. Here, we use this (already fixed) bug as a real example that demonstrates the fragility of AES-GCM's authentication algorithm (GHASH). One might expect that incorrect MAC tag generation would only cause legitimate message-tag pairs to fail authentication (which is already a serious problem). However, since GHASH is a 'polynomial evaluation' MAC, the bug can be exploited for actual message forgery.

Original language: English
Title of host publication: ITNG 2014 - Proceedings of the 11th International Conference on Information Technology
Subtitle of host publication: New Generations
Publisher: IEEE Computer Society
Pages: 333-337
Number of pages: 5
ISBN (Print): 9781479931873
DOIs
State: Published - 2014
Event: 11th International Conference on Information Technology: New Generations, ITNG 2014 - Las Vegas, NV, United States
Duration: 7 Apr 2014 to 9 Apr 2014

Publication series

Name: ITNG 2014 - Proceedings of the 11th International Conference on Information Technology: New Generations

Conference

Conference: 11th International Conference on Information Technology: New Generations, ITNG 2014
Country/Territory: United States
City: Las Vegas, NV
Period: 7/04/14 to 9/04/14

Keywords

  • AES-GCM
  • Component
  • GHASH
  • Message forgery
  • OpenSSL
  • Polynomial evaluation MAC

ASJC Scopus subject areas

  • Information Systems
