
Authenticated encryption
GCM and CCM modes

Lorenzo Peraldo and Vittorio Picco


Authenticated encryption

Definition

“Authenticated Encryption (AE) is a term used to describe encryption systems which simultaneously protect confidentiality, authenticity and integrity of communications”
Basic components

Message Authentication Code (MAC)
+
Symmetric encryption
Why?

- MAC
  - Integrity: an attacker can’t modify the data and then compute a new MAC, because a secret key is needed
  - Authentication: only the user who has got the secret key can authenticate the message
- Symmetric encryption
  - Confidentiality: data are encrypted
  - Authentication: if only 2 users share the secret key
A non-computer example

A letter from a lover by ordinary mail:
- Envelope: confidentiality and integrity
- Signature: authentication
Sender AE black box

- Input
  - A plaintext message
  - A key
  - Possibly a nonce
- Output
  - The encrypted message (ciphertext)
  - An authentication tag
Recipient AE black box

- Input
  - An encrypted message
  - A tag
  - The nonce, if used
  - The key
- Output
  - If the tag is verified: the plaintext
  - else: FAIL
AE security

- Privacy
  - An attacker can sniff the ciphertext and the nonce, but must not be able to recover the plaintext
  - The ciphertext should look like random bits
- Authentication
  - An attacker shouldn’t be able to construct a ciphertext, a tag and a nonce such that the recipient accepts them as valid
  - Protection from replay attacks
AE implementations

- Usually with “modes”
  - A mode is a sequence of operations applied to a block cipher, like DES or AES
  - Examples: CBC, ECB, CTR, …
- CCM and GCM provide authenticated encryption
Generic composition

- Immediate solution
  - PRO: easy, secure, no need to develop specific apps
  - CON: not optimized, 2 keys needed for best security
- 3 ways
  - MtE: MAC then Encrypt
  - EtM: Encrypt then MAC
  - E&M: Encrypt and MAC
- EtM is the best


Single-pass combined mode

- 2000: IBM developed IAPM
- Comparison with generic composition
  - Split the plaintext in m parts
  - Generic composition: 2m calls of the block cipher
  - Single-pass: about m invocations
- Many followed: XCBC, XECB, OCB, …
- There is only a problem…
Oh no, Intellectual Properties !!

- Single-pass modes were all patented
  - IAPM: by IBM
  - OCB: by Rogaway, Bellare, Black and Krovetz
  - XCBC: by Gligor and Donescu
  - XECB: by Gligor and Donescu
As a result …

- Probably some of the patents are interrelated
- Nobody has gone to court to prove it (yet…)
- The possible users of these technologies have been scared by the legal implications
- The researchers have moved toward other directions
- No single-pass combined mode is used by anybody, even though they are the best solution
Two-pass combined mode

- Not that different from generic composition
- Some advantages
  - Use of only one key
  - Patent free
  - Better performance than generic composition
- CCM, EAX, CWC, GCM


CCM
A brief introduction

What is CCM

- Counter with CBC-MAC
- An authenticated encryption solution
- Encryption
  - Use of the block cipher AES-128
  - Counter (CTR) mode
- Authentication
  - MAC computed with CBC (Cipher Block Chaining)
Main features

- Symmetric key
- Designed for AES-128
- Use in packet environment (no stream data)
- Arbitrary length MAC
- Only one key for authentication and encryption
- No intellectual property restrictions
How does it work?

[Diagram: generation-encryption]

How does it work? (cont’d)

[Diagram: decryption-verification]
Generation-encryption

1. The MAC (Message Authentication Code) is computed applying CBC to the formatted input data: (N, P, A) is formatted into the blocks m1, m2, …, mx
2. Counter mode is applied to encrypt data and MAC
3. Output ciphertext: C = encrypted payload || encrypted MAC, both under the key K
Decryption-verification

- Counter mode decryption
- Computation of MAC with CBC-MAC over (N, A, P’)
- Verification of authenticity
- Output: Payload / INVALID
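The generation-encryption and decryption-verification procedures above, written out in Go as an added example (not part of the original slides, and not NIST reference code). It assumes a 13-byte nonce, AES-128, and a tag length that both sides fix in advance; the key and nonce in the test are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
)
func pad16(b []byte) []byte { return append(b[:len(b):len(b)], make([]byte, (16-len(b)%16)%16)...) }
// ccmMAC is step 1 of generation-encryption: format (N, A, P) into B0 || B1 || ... || Bx as in
// SP 800-38C, then run CBC with IV 0 and keep the last block. Assumes a 13-byte nonce (q = 2)
// and fewer than 2^16-2^8 bytes of associated data.
func ccmMAC(blk cipher.Block, nonce, aad, plain []byte, tagLen int) []byte {
	flags := byte((tagLen-2)/2<<3 | 1) // bits 5..3: MAC length, bits 2..0: q-1
	msg := append(append([]byte{flags}, nonce...), byte(len(plain)>>8), byte(len(plain))) // B0
	if len(aad) > 0 {
		msg[0] |= 1 << 6 // Adata flag
		msg = pad16(append(append(msg, byte(len(aad)>>8), byte(len(aad))), aad...))
	}
	msg = pad16(append(msg, plain...))
	cipher.NewCBCEncrypter(blk, make([]byte, 16)).CryptBlocks(msg, msg) // CBC-MAC: CBC with IV 0
	return msg[len(msg)-16:][:tagLen]
}
// ccmCTR is step 2: counter blocks Ctr_i = flags || N || i. Block 0 yields S0, which masks
// the MAC; blocks 1.. encrypt (or decrypt) the payload.
func ccmCTR(blk cipher.Block, nonce, data []byte) (out, s0 []byte) {
	ks := make([]byte, 16+len(data))
	cipher.NewCTR(blk, append(append([]byte{1}, nonce...), 0, 0)).XORKeyStream(ks, ks)
	out = make([]byte, len(data))
	subtle.XORBytes(out, data, ks[16:])
	return out, ks[:16]
}
// ccmSeal is step 3: output C = CTR(P) || (MAC xor S0).
func ccmSeal(key, nonce, aad, plain []byte, tagLen int) []byte {
	blk, _ := aes.NewCipher(key)
	c, s0 := ccmCTR(blk, nonce, plain)
	subtle.XORBytes(s0, s0, ccmMAC(blk, nonce, aad, plain, tagLen))
	return append(c, s0[:tagLen]...)
}
// ccmOpen is decryption-verification: CTR-decrypt, recompute the MAC over (N, A, P') and
// compare in constant time; on mismatch only INVALID comes out, never the decrypted payload.
func ccmOpen(key, nonce, aad, c []byte, tagLen int) ([]byte, bool) {
	blk, _ := aes.NewCipher(key)
	if n := len(c) - tagLen; n >= 0 {
		p, s0 := ccmCTR(blk, nonce, c[:n])
		subtle.XORBytes(s0, s0, ccmMAC(blk, nonce, aad, p, tagLen))
		if subtle.ConstantTimeCompare(s0[:tagLen], c[n:]) == 1 {
			return p, true
		}
	}
	return nil, false
}
```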
Hardware implementation

- CCM cannot be parallelized
- Operations to be implemented:
  - Encryption: hw implementation of AES cipher
  - XOR
  - Counter increment
  - Formatting function
Security

- Recommendations
  - Keys must be secret and “fresh”
  - IV: 0 for CBC-MAC
  - Never use the same nonce twice
  - Max n° of nonces with the same key: 2^61
  - Choose an appropriate MAC length
  - Replay attacks: use of timestamps / packet numbers


A possible attack

“be conservative in what you send, and liberal in what you accept”

Sender: 16-byte MAC
Receiver accepts: 16-byte MAC, 12-byte MAC, 8-byte MAC, 4-byte MAC

A possible attack (cont’d)

Here comes the bad guy !!

Attacker: 4-byte MAC
Receiver accepts: 16-byte MAC, 12-byte MAC, 8-byte MAC, 4-byte MAC

A possible attack (cont’d)

2^32 4-byte MACs computed → at least one valid ciphertext !!!
Countermeasures

- Fix the tag length parameter
  - During key negotiation
  - Never change it during the current session
GCM
Galois/Counter Mode of operation

What is GCM - GMAC

- An authenticated encryption solution
- Encryption
  - Use of the block cipher AES
  - Mode of operation similar to the CTR
- Authentication
  - The MAC provided is a sort of keyed digest
  - Can provide authentication only → GMAC
Main features

- Extremely fast, more than 10Gbps
- Easy to implement in software and hardware
- Can be used for authentication only, if desired
- Designed for AES, optimized for 128 bits
- Arbitrary length IV, optimized for 96 bits
- Only one key for authentication and encryption
- No intellectual property restrictions
Authenticated encryption function

[Diagram: the formal specification of the GCM authenticated encryption function]

WHAT ?!?!

Version for human beings

1. The hash sub-key H is computed and stored: H = Enc_K(0^128), the encryption of the all-zero 128-bit block under the key K
2. The IV length is checked
   - If it’s 96 bits, it is padded to 128
   - If it’s different, a 128-bit IV is computed using a special function (GHASH)
   - The IV is the starting value of the counter
3. Encryption

[Diagram: counter-mode encryption]

4. Authentication

[Diagram: tag computation with multiplications in GF(2^128)]
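Steps 1 to 4 above, written out in Go as an added example that is neither the slides’ own material nor Go’s library code: it recomputes H, the padded 96-bit IV, the CTR layer and GHASH over GF(2^128) by hand so that the output can be checked against a standard GCM implementation. It covers the 96-bit IV case only; key and IV are assumed to come from the caller, and math/big is used for readability rather than speed.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"math/big"
)
// R = 11100001 || 0^120 (SP 800-38D); a block read as a big-endian integer makes GCM's right shift a plain >> 1.
var r = new(big.Int).Lsh(big.NewInt(0xe1), 120)
func pad16(b []byte) []byte { return append(b[:len(b):len(b)], make([]byte, (16-len(b)%16)%16)...) }
// mul is the bit-serial multiplication in GF(2^128) (SP 800-38D, Algorithm 1); GCM's bit 0 is the leftmost bit.
func mul(x, y *big.Int) *big.Int {
	z, v := new(big.Int), new(big.Int).Set(y)
	for i := 127; i >= 0; i-- {
		if x.Bit(i) == 1 {
			z.Xor(z, v)
		}
		lsb := v.Bit(0)
		v.Rsh(v, 1)
		if lsb == 1 {
			v.Xor(v, r)
		}
	}
	return z
}
// ghash chains A, C and their bit lengths through xor and multiply-by-H: the keyed digest of the slides.
func ghash(h *big.Int, aad, c []byte) []byte {
	data := append(pad16(aad), pad16(c)...)
	data = binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint64(data, uint64(len(aad))*8), uint64(len(c))*8)
	y := new(big.Int)
	for i := 0; i < len(data); i += 16 {
		y = mul(y.Xor(y, new(big.Int).SetBytes(data[i:i+16])), h)
	}
	return y.FillBytes(make([]byte, 16))
}
// gcmSeal returns C || T for a 96-bit IV, following steps 1 to 4 of the slides.
func gcmSeal(key, iv, aad, plain []byte) []byte {
	blk, _ := aes.NewCipher(key)
	h := make([]byte, 16)
	blk.Encrypt(h, h)                                 // step 1: hash sub-key H = E_K(0^128)
	j0 := append(append([]byte{}, iv...), 0, 0, 0, 1) // step 2: IV || 0^31 || 1 is the counter start
	ks := make([]byte, 16+len(plain))                 // block 0 = E_K(J0) masks the tag, blocks 1.. encrypt P
	cipher.NewCTR(blk, j0).XORKeyStream(ks, ks)       // step 3 (128-bit increment equals inc32 below 2^32 blocks)
	out := make([]byte, len(plain)+16)
	subtle.XORBytes(out, plain, ks[16:])
	subtle.XORBytes(out[len(plain):], ghash(new(big.Int).SetBytes(h), aad, out[:len(plain)]), ks) // step 4
	return out
}
```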
Hardware implementation

- The only way to manage more than 10Gbps
- GCM can be parallelized
- Operations to be implemented:
  - Encryption: hw implementation of AES cipher
  - XOR
  - Increment of the counter
  - Multiplication within GF(2^128)

Hardware implementation

The multiplication in GF(2^q)
- Different approaches
  - Parallel
  - Serial: super serial, bit serial, etc
- Serial solutions
  - Time and area linear with q
- Parallel solution
  - Time: 1 clock cycle
  - Area: quadratic with q, but only 30% of AES cipher

GO PARALLEL, BOYS!
Security

- Recommendations
  - Keys: secret and “fresh”
  - IV: probability of using same IV and key < 2^-32
  - Known security problem with reused IVs
  - Appropriate tag length
  - Replay attacks: use of timestamps


Oracles...

- Permutation oracle
  - Outputs either random numbers or the output of a PRF
  - The PRF represents an encrypted message
  - Distinguishing advantage

Oracles...

- Tag-generation oracle
  - Input: a message
  - Output: a valid tag
- Tag-validation oracle
  - Input: a message and a tag
  - Output: is the tag correct for the given message?
- Forgery advantage
CTR known issue

Plaintext          Ciphertext
Hello world,       72dd0294rth%p
this is me,        29sj!5z/k=p
life should be     akd'^3sddG#/ap5
fun for everyone   97;7*h2?375ba+?9

With the first ciphertext line altered:

Plaintext          Ciphertext
Hello Sarah,       72dd023&F7j%p
this is me,        29sj!5z/k=p
life should be     akd'^3sddG#/ap5
fun for everyone   97;7*h2?375ba+?9
Beware !

- Attacker with access to a tag-generation oracle
- If IVs are not changed the output will be function of the hash sub-key H
- Analyzing the resulting tags the attacker could recover H
- With H he can generate valid authentication tags, thus pretending to be your friend !

Solution

- This attack is possible only if you use at least twice the same key with the same IV

NEVER DO THAT!
References

- NIST Special Publication 800-38C (CCM)
- NIST Special Publication 800-38D (GCM)
- Authenticated Encryption (J. Black)
- A Critique of CCM (P. Rogaway, D. Wagner)
- On The Security of CTR + CBC-MAC (J. Jonsson)
- Counter with CBC-MAC (D. Whiting, R. Housley, N. Ferguson)
- Flexible and Efficient Message Authentication in Hardware and Software (D. A. McGrew, J. Viega)
- The Security and Performance of the Galois/Counter Mode (GCM) of Operation (D. A. McGrew, J. Viega)
- www.wikipedia.org
Questions ?
