SlideShare a Scribd company logo

AES-GCM common pitfalls and how to work around them.pptx

S
skantos

Talk about AES-GCM documented and largely unknown limitations. We won’t get into the cryptographic details of the algorithm, so no need to worry about that. I’ll propose some workarounds to the limitations too. There is some basic math involved :)

Software
1 of 62
AES-GCM common pitfalls and how to work around them Santiago Kantorowicz - 2022 medium.com/@skantos
Who am I ● Working in CyberSecurity since 2008 ● Working at Twilio since 2015 ○ 6 years as Authy / Account Security Security Officer ○ Now Staff Product Security Engineer ● Not a cryptographer, an enthusiast!
Why this talk? ● Organizations need to implement encryption. ● “someone” creates a library for specific use* when needed and many years later everyone still uses the same. ● * usually when the use case is very simple and undemanding. ● Most companies can’t afford cryptography experts. ● Security professionals are not always into cryptography either. ● So many/most small to large companies wing it.
● You need to store some sensitive data in a database. ○ API Keys, PII, Credit card, etc. ● Someone says: let’s encrypt! ● AES-GCM is mentioned a lot on google searches! ● stackoverflow.com → copy/paste Introduction
Key Management
With great power comes great responsibility
With great power comes great responsibility managing keys
Key management: Key Life Key Rotation ● Why? ○ Key compromised ○ Standards ○ Compliance (PCI) ● When? ○ Based on time ○ Amount of encryption ○ Total number of Bytes encrypted
CryptoPeriod
CryptoPeriod “NIST Special Publication 800-57 Part 1 - Revision 5”, named: “Recommendation for Key Management: Part 1 – General” https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf “The time span during which a specific key is authorized for use or in which the keys for a given system or application may remain in effect.”
CryptoPeriod “NIST Special Publication 800-57 Part 1 - Revision 5”, named: “Recommendation for Key Management: Part 1 – General” https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
Extending Key Life ● We will focus on extending Key life! ○ “7. Limitations for algorithm usage (e.g., the maximum number of invocations to avoid nonce reuse)” ● Extending key life may or may not affect the cryptoperiod.
CryptoPeriod vs Key life ● Cryptoperiod != maximum amount of encryptions you can perform with one the key. ● Cryptoperiod: suggested/enforced through standards like NIST and regulations like PCI.
IV / nonce (Initialization Vector)
● Used interchangeable ● IV = initialization vector ● nonce = number used once ● 1 plain-texts → encrypted twice → 2 different ciphertexts IV / Nonce
AES-GCM Wins popularity contest ● AES-GCM is recommended by many experts. ● It’s AEAD (authenticated + integrity built-in) ● Efficient and Performant ● Specially compared to CBC the mode it replaced as most popular
AES-GCM: what’s wrong with it?
AES-GCM: what’s wrong with it? GCM is CTR with GMAC for integrity/authentication https://datatracker.ietf.org/doc/html/rfc3686
AES-GCM: what’s wrong with it? https://datatracker.ietf.org/doc/html/rfc3686
AES-GCM: what’s wrong with it? Encrypt Nonce 1 E(N1) ⊕ PlainA = CipherA Encrypt Nonce 1 E(N1) ⊕ PlainB = CipherB E(N1) ⊕ PlainA ⊕ E(N1) ⊕ PlainB (PlainA ⊕ PlainB) ⊕ PlainA ● PlainA is known ● PlainB is unknown, CipherB is known. ⊕
AES-GCM: what’s wrong with it? Encrypt Nonce 1 E(N1) ⊕ PlainA = CipherA Encrypt Nonce 1 E(N1) ⊕ PlainB = CipherB E(N1) ⊕ PlainA ⊕ E(N1) ⊕ PlainB (PlainA ⊕ PlainB) ⊕ PlainA ● PlainA is known ● PlainB is unknown, CipherB is known. ⊕
AES-GCM: what’s wrong with it? ● It doesn’t end here! ● Different cipher texts, same nonce and key → auth key is leaked ● Forge and tamper ciphertexts
AES-GCM: what’s wrong with it? “Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS” https://eprint.iacr.org/2016/475.pdf “…This results in catastrophic failure of authenticity, even if a nonce is only re-used a single time and enables us to carry out a practical forgery attack against HTTPS…” … A single repeated nonce is usually enough to fully recover the connection’s authentication key…” https://csrc.nist.gov/csrc/media/projects/block-cipher- techniques/documents/bcm/comments/800-38-series-drafts/gcm/joux_comments.pdf …an adversary can recover the secret key of the keyed hash function underlying the authentication, using a chosen IV attack. Once this secret key is known, the encryption mode is no longer authenticated. As a consequence, all chosen ciphertext attacks against the confidentiality become feasible. Moreover, since the encryption mode is a counter mode, i.e. a stream cipher, the XOR malleability of the encrypted plaintext becomes a major security issue.
GCM nonces ● OK, so I just won’t repeat nonces and I’m done. Right? ● Distributed infrastructure makes counters almost impossible. ● Random nonces ● GCM nonces are standardized to 96 bit long.
GCM nonces ● NIST SP 800-38D (Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC) specifies: “...The IVs in GCM must fulfill the following “uniqueness” requirement: The probability that the authenticated encryption function ever will be invoked with the same IV and the same key on two (or more) distinct sets of input data shall be no greater than 2-32...” “...The total number of invocations of the authenticated encryption function shall not exceed 232, including all IV lengths and all instances of the authenticated encryption function with the given key...”
GCM nonces ● P(collision) = 2-32 ≃ 10-10 ● We can’t encrypt more than 232 times (with same key) ● Risk of random nonce repetition. If you encrypt 500 records/second you will hit 232 after 100 days! Days! Not years!
● Why 96 bits? Why not 256 bits? https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/ gcm/gcm-spec.pdf “96-bit IV values can be processed more efficiently, so that length is recommended for situations in which efficiency is critical.” ● Could be longer! but it’s not standardized. GCM nonce length
● Libraries expects the implementer to keep the number of encryptions under 232. ● I checked LibSodium and Google Tink. ● Golang std library: “Never use more than 232 random nonces with a given key because of the risk of a repeat.” Cryptographic libraries solve this, right?
Why random numbers repeat?
Birthday Paradox
Why random numbers repeat? ● Birthday paradox! ● In cryptographic layman terms ○ If you don’t want any 2 random numbers to repeat, you must limit the amount of random numbers you generate. ● If your numbers go from 1 to 10, it’s extremely likely that if you generate 5 random numbers, 2 will repeat (~70%).
Birthday paradox
Birthday paradox NIST GCM recommended max encryptions: 232 ~ 109 https://en.wikipedia.org/wiki/Birthday_problem#Probability_table
GCM nonce collision acceptance ● NIST: Acceptable probability of collision of around 2-32 ~ 10-10 ● We will use the table from now on ○ So safe is <= 10-12
Workarounds
● Use AES-GCM, with NO changes ● Keep it NIST compliance → FIPS 140-2* / FedRAMP ● Probability of collision <= 10-10 ● At least 264 encryptions. ● No requirements for performance. ● No requirements for efficiency Workaround requirements * or FIPS 140-3
Workaround: Random Salt
Workaround: Random Salt ● Derive Keys from a Master Key ○ “Synthetically emulate larger nonces” ● NO changes to how nonces are created ● NIST/FIPS 140-2 compliant ○ NOT changing the algorithm at all ● If a nonce were to repeat, it should happen with a different Key.
Workaround: Random Salt ● For AES with 256 bit keys: ○ Derived Key = HMAC-SHA256(Master Key, Salt) ● Salts are random → Figure out the required size. ● Master Key is never used to encrypt.
Workaround: Random Salt ● Let’s calculate Salt size! ● Salts are random too → Birthday paradox is applicable!
Workaround: Random Salt ● 264 is ~1019
Workaround: Random Salt ● 264 is ~1019 (< 1.1 x 1023). We are actually getting better than P=10-18
Workaround: Random Salt ● We need 192 bits random in TOTAL. ● We have 96 bits already from nonce ● So Salt → 96 bits (12 bytes)
Workaround: Random Salt ● Use SecureRandom ● Seeding should use fresh entropy when having many instances, to avoid different instances having the same seed.
Workaround: Random Salt Extra cost compared to plain AES-GCM: ● 96 bits SecureRandom ● 1 HMAC ● 12 extra bytes It’s not that bad :) ● You can adapt salt size based on need. https://github.com/kantos/go_encryption_library
Workaround: Time-based salts
Workaround: Time-based salts ● Derived Key = HMAC-SHA256(Master Key, Salt) ● Counters are good nonces! ● Hard to sync among instances. ● Let’s uses salts based on time! ● Time doesn’t repeat itself ○ It does repeat among different instances though. ○ Or on local time adjustments
Workaround: Time-based salts ● 32-bit Unix time → 4 bytes ● Birthday paradox doesn’t apply → 232 by 232 = 264 encryptions. ● As long as you don’t perform more than 232 encryptions in 1 second, you should be fine.
Workaround: Time-based salts ● No need to worry about time shifts between instances, they end up cancelling each other. ● If clocks are not working at all, i.e. stuck, then you have to worry.
Workaround: Time-based salts Side effects: ● You are storing the time of record encryption. ○ If you are for example encrypting Bank account creation date, then “salt” = “account creation date” ○ Useful for scheduling re- encryptions (for key rotations)
Workaround: Time-based salts Side effects: ● Unix 32 bits timestamps are “signed int”. Overflows in the year 2038. ○ Overflow won’t break the scheme → Useful until year 2106. ○ Prepare your Operating System for overflows. ○ You could end up finding every record to be old, even immediately after encrypting.
AES-GCM-SIV
AES-GCM-SIV ● SIV = Synthetic Initialization Vector ● “Nonce Misuse-Resistant Authenticated Encryption” ● 2017: Shay Gueron, Adam Langley, Yehuda Lindell. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-gcmsiv-05 https://eprint.iacr.org/2017/168.pdf
AES-GCM-SIV Pros ● Resistant to nonce repetition ● Less performant than plain AES-GCM, but still pretty good. ● Available in multiple programming languages. ● Encrypt 264 messages of length 4KiB
AES-GCM-SIV Cons ● Still not available in every programming language [1] ● Support is up to individual projects ● Not FIPS 140-2 (nor NIST approved. Submitted in 2019 [2]) [1] It’s getting better every year though. [2] https://csrc.nist.gov/projects/block-cipher-techniques/bcm/modes-development
AES-GCM-SIV ● Repeating nonces still leaks that the plain text is the same. ● You can mix AES-GCM-SIV with the proposed solutions. ● AES-GCM-SIV is likely secure, but it’s too new.
Should we really worry about AES-GCM collisions?
Should we really worry about AES-GCM collisions? ● 248 encryptions → chance of a nonce collision is around 50%. ● An attacker needs to capture/retrieve and store, 15 petabytes* of records to have 50% chance of success of collision. ○ If your plain-text records are 32 bytes, when encrypted (with tag and nonce) they are 60 bytes long. ● This will only allow decrypting 1 record. ● And forging any new record. * in average, you never know when a repetition will happen.
Should we really worry about this? ● You decide! ● Implementing these solutions it’s pretty easy, so why not do them. ● You never know how your system will be abused. ● You never know how your encryption library will be used by engineers. ● Encryption libraries live for a long time in organizations.
Why use AES-GCM then? ● AES-GCM is FIPS 140-2* compliant ● Less error prone to AES-CBC ● FedRAMP requires FIPS 140-2* ● If you don’t need any of those (beware your org may change their mind) a. NaCl/libsodium b. XChaCha20-Poly1305-IETF c. AES-GCM-SIV * / FIPS 140-3
Thank you https://xkcd.com/538/ medium.com/@skantos

Recommended

Authenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmAuthenticated Encryption Gcm Ccm
Authenticated Encryption Gcm Ccm
Vittorio Giovara
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated Encryption
Sam Bowne
 
Block Cipher Modes of Operation And Cmac For Authentication
Block Cipher Modes of Operation And Cmac For AuthenticationBlock Cipher Modes of Operation And Cmac For Authentication
Block Cipher Modes of Operation And Cmac For Authentication
Vittorio Giovara
 
DES
DESDES
DES
Naga Srimanyu Timmaraju
 
CNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web ServersCNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web Servers
Sam Bowne
 
CNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingCNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed Hashing
Sam Bowne
 
encryption and decryption
encryption and decryptionencryption and decryption
encryption and decryption
Sri Manakula Vinayagar Engineering College
 
I mage encryption using rc5
I mage encryption using rc5I mage encryption using rc5
I mage encryption using rc5
Suramrit Singh
 

Recommended

Authenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmAuthenticated Encryption Gcm Ccm
Authenticated Encryption Gcm Ccm
Vittorio Giovara
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated Encryption
Sam Bowne
 
Block Cipher Modes of Operation And Cmac For Authentication
Block Cipher Modes of Operation And Cmac For AuthenticationBlock Cipher Modes of Operation And Cmac For Authentication
Block Cipher Modes of Operation And Cmac For Authentication
Vittorio Giovara
 
DES
DESDES
DES
Naga Srimanyu Timmaraju
 
CNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web ServersCNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web Servers
Sam Bowne
 
CNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingCNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed Hashing
Sam Bowne
 
encryption and decryption
encryption and decryptionencryption and decryption
encryption and decryption
Sri Manakula Vinayagar Engineering College
 
I mage encryption using rc5
I mage encryption using rc5I mage encryption using rc5
I mage encryption using rc5
Suramrit Singh
 
AES by example
AES by exampleAES by example
AES by example
Shiraz316
 
Public Key Encryption & Hash functions
Public Key Encryption & Hash functionsPublic Key Encryption & Hash functions
Public Key Encryption & Hash functions
Dr.Florence Dayana
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Grokking Techtalk #37: Data intensive problem
Grokking Techtalk #37: Data intensive problem Grokking Techtalk #37: Data intensive problem
Grokking Techtalk #37: Data intensive problem
Grokking VN
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical Overview
Ramesh Nagappan
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
Stephane Potier
 
ECDSA/EdDSA
ECDSA/EdDSAECDSA/EdDSA
ECDSA/EdDSA
JacobBrazeal
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed Hashing
Sam Bowne
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentation
sarhadisoftengg
 
Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing Functions
Yusuf Uzun
 
Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES)
Hardik Manocha
 
One time pad Encryption:
One time pad Encryption:One time pad Encryption:
One time pad Encryption:
Asad Ali
 
Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptography
Hossain Md Shakhawat
 
13 asymmetric key cryptography
13 asymmetric key cryptography13 asymmetric key cryptography
13 asymmetric key cryptography
drewz lin
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream Ciphers
Sam Bowne
 
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsSecure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of Us
Eoin Woods
 
Grokking Techtalk #39: Gossip protocol and applications
Grokking Techtalk #39: Gossip protocol and applicationsGrokking Techtalk #39: Gossip protocol and applications
Grokking Techtalk #39: Gossip protocol and applications
Grokking VN
 
Basic cryptography
Basic cryptographyBasic cryptography
Basic cryptography
Perfect Training Center
 
Cryptography 101
Cryptography 101Cryptography 101
Cryptography 101
Aditya Kamat
 
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
DynamicInfraDays
 

More Related Content

What's hot

AES by example
AES by exampleAES by example
AES by example
Shiraz316
 
Public Key Encryption & Hash functions
Public Key Encryption & Hash functionsPublic Key Encryption & Hash functions
Public Key Encryption & Hash functions
Dr.Florence Dayana
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Grokking Techtalk #37: Data intensive problem
Grokking Techtalk #37: Data intensive problem Grokking Techtalk #37: Data intensive problem
Grokking Techtalk #37: Data intensive problem
Grokking VN
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical Overview
Ramesh Nagappan
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
Stephane Potier
 
ECDSA/EdDSA
ECDSA/EdDSAECDSA/EdDSA
ECDSA/EdDSA
JacobBrazeal
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed Hashing
Sam Bowne
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentation
sarhadisoftengg
 
Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing Functions
Yusuf Uzun
 
Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES)
Hardik Manocha
 
One time pad Encryption:
One time pad Encryption:One time pad Encryption:
One time pad Encryption:
Asad Ali
 
Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptography
Hossain Md Shakhawat
 
13 asymmetric key cryptography
13 asymmetric key cryptography13 asymmetric key cryptography
13 asymmetric key cryptography
drewz lin
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream Ciphers
Sam Bowne
 
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsSecure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of Us
Eoin Woods
 
Grokking Techtalk #39: Gossip protocol and applications
Grokking Techtalk #39: Gossip protocol and applicationsGrokking Techtalk #39: Gossip protocol and applications
Grokking Techtalk #39: Gossip protocol and applications
Grokking VN
 
Basic cryptography
Basic cryptographyBasic cryptography
Basic cryptography
Perfect Training Center
 

What's hot (20)

AES by example
AES by exampleAES by example
AES by example
 
Public Key Encryption & Hash functions
Public Key Encryption & Hash functionsPublic Key Encryption & Hash functions
Public Key Encryption & Hash functions
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Grokking Techtalk #37: Data intensive problem
Grokking Techtalk #37: Data intensive problem Grokking Techtalk #37: Data intensive problem
Grokking Techtalk #37: Data intensive problem
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Post Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical OverviewPost Quantum Cryptography: Technical Overview
Post Quantum Cryptography: Technical Overview
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
ECDSA/EdDSA
ECDSA/EdDSAECDSA/EdDSA
ECDSA/EdDSA
 
CNIT 1417. Keyed Hashing
CNIT 1417. Keyed HashingCNIT 1417. Keyed Hashing
CNIT 1417. Keyed Hashing
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentation
 
Cryptographic Hashing Functions
Cryptographic Hashing FunctionsCryptographic Hashing Functions
Cryptographic Hashing Functions
 
Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES)
 
One time pad Encryption:
One time pad Encryption:One time pad Encryption:
One time pad Encryption:
 
Fundamentals of cryptography
Fundamentals of cryptographyFundamentals of cryptography
Fundamentals of cryptography
 
13 asymmetric key cryptography
13 asymmetric key cryptography13 asymmetric key cryptography
13 asymmetric key cryptography
 
2. Stream Ciphers
2. Stream Ciphers2. Stream Ciphers
2. Stream Ciphers
 
Secure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of UsSecure by Design - Security Design Principles for the Rest of Us
Secure by Design - Security Design Principles for the Rest of Us
 
Grokking Techtalk #39: Gossip protocol and applications
Grokking Techtalk #39: Gossip protocol and applicationsGrokking Techtalk #39: Gossip protocol and applications
Grokking Techtalk #39: Gossip protocol and applications
 
Basic cryptography
Basic cryptographyBasic cryptography
Basic cryptography
 

Similar to AES-GCM common pitfalls and how to work around them.pptx

Cryptography 101
Cryptography 101Cryptography 101
Cryptography 101
Aditya Kamat
 
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
DynamicInfraDays
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To Us
Charles Southerland
 
Post quantum cryptography
Post quantum cryptographyPost quantum cryptography
Post quantum cryptography
Samy Shehata
 
Go paranoid
Go paranoidGo paranoid
Go paranoid
Nisheed KM
 
CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash Functions
Sam Bowne
 
Using Approximate Data for Small, Insightful Analytics (Ben Kornmeier, Protec...
Using Approximate Data for Small, Insightful Analytics (Ben Kornmeier, Protec...Using Approximate Data for Small, Insightful Analytics (Ben Kornmeier, Protec...
Using Approximate Data for Small, Insightful Analytics (Ben Kornmeier, Protec...
DataStax
 
CNIT 141 6. Hash Functions
CNIT 141 6. Hash FunctionsCNIT 141 6. Hash Functions
CNIT 141 6. Hash Functions
Sam Bowne
 
Introduction to cryptography for software developers
Introduction to cryptography for software developersIntroduction to cryptography for software developers
Introduction to cryptography for software developers
Intopalo Digital Oy
 
CISSP Week 20
CISSP Week 20CISSP Week 20
CISSP Week 20
jemtallon
 
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Alex Chepurnoy
 
Cryptography For The Average Developer - Sunshine PHP
Cryptography For The Average Developer - Sunshine PHPCryptography For The Average Developer - Sunshine PHP
Cryptography For The Average Developer - Sunshine PHP
Anthony Ferrara
 
Crypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroCrypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies Intro
Tal Shmueli
 
CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash Functions
Sam Bowne
 
Symmetric key encryption new approach
Symmetric key encryption new approachSymmetric key encryption new approach
Symmetric key encryption new approach
mdhar123
 
CNIT 141: 3. Cryptographic Security
CNIT 141: 3. Cryptographic SecurityCNIT 141: 3. Cryptographic Security
CNIT 141: 3. Cryptographic Security
Sam Bowne
 
3. Cryptographic Security
3. Cryptographic Security3. Cryptographic Security
3. Cryptographic Security
Sam Bowne
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)
Nate Lawson
 
Cryptography For The Average Developer
Cryptography For The Average DeveloperCryptography For The Average Developer
Cryptography For The Average Developer
Anthony Ferrara
 
Best practices to build secure smart contracts
Best practices to build secure smart contractsBest practices to build secure smart contracts
Best practices to build secure smart contracts
Gautam Anand
 

Similar to AES-GCM common pitfalls and how to work around them.pptx (20)

Cryptography 101
Cryptography 101Cryptography 101
Cryptography 101
 
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To Us
 
Post quantum cryptography
Post quantum cryptographyPost quantum cryptography
Post quantum cryptography
 
Go paranoid
Go paranoidGo paranoid
Go paranoid
 
CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash Functions
 
Using Approximate Data for Small, Insightful Analytics (Ben Kornmeier, Protec...
Using Approximate Data for Small, Insightful Analytics (Ben Kornmeier, Protec...Using Approximate Data for Small, Insightful Analytics (Ben Kornmeier, Protec...
Using Approximate Data for Small, Insightful Analytics (Ben Kornmeier, Protec...
 
CNIT 141 6. Hash Functions
CNIT 141 6. Hash FunctionsCNIT 141 6. Hash Functions
CNIT 141 6. Hash Functions
 
Introduction to cryptography for software developers
Introduction to cryptography for software developersIntroduction to cryptography for software developers
Introduction to cryptography for software developers
 
CISSP Week 20
CISSP Week 20CISSP Week 20
CISSP Week 20
 
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
 
Cryptography For The Average Developer - Sunshine PHP
Cryptography For The Average Developer - Sunshine PHPCryptography For The Average Developer - Sunshine PHP
Cryptography For The Average Developer - Sunshine PHP
 
Crypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroCrypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies Intro
 
CNIT 141: 6. Hash Functions
CNIT 141: 6. Hash FunctionsCNIT 141: 6. Hash Functions
CNIT 141: 6. Hash Functions
 
Symmetric key encryption new approach
Symmetric key encryption new approachSymmetric key encryption new approach
Symmetric key encryption new approach
 
CNIT 141: 3. Cryptographic Security
CNIT 141: 3. Cryptographic SecurityCNIT 141: 3. Cryptographic Security
CNIT 141: 3. Cryptographic Security
 
3. Cryptographic Security
3. Cryptographic Security3. Cryptographic Security
3. Cryptographic Security
 
Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)Crypto Strikes Back! (Google 2009)
Crypto Strikes Back! (Google 2009)
 
Cryptography For The Average Developer
Cryptography For The Average DeveloperCryptography For The Average Developer
Cryptography For The Average Developer
 
Best practices to build secure smart contracts
Best practices to build secure smart contractsBest practices to build secure smart contracts
Best practices to build secure smart contracts
 

Recently uploaded

Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
Rakesh Kumar R
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
Aftab Hussain
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
Google
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
Hironori Washizaki
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
SOCRadar
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
lorraineandreiamcidl
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfRevolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Undress Baby
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User Validation Code KataHand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User Validation Code Kata
Philip Schwarz
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CDKuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
rodomar2
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
Gerardo Pardo-Castellote
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
Sven Peters
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
Drona Infotech
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 

Recently uploaded (20)

Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket ManagementUtilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
Utilocate provides Smarter, Better, Faster, Safer Locate Ticket Management
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
 
Graspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code AnalysisGraspan: A Big Data System for Big Code Analysis
Graspan: A Big Data System for Big Code Analysis
 
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppAI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
 
SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024SWEBOK and Education at FUSE Okinawa 2024
SWEBOK and Education at FUSE Okinawa 2024
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptxLORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
LORRAINE ANDREI_LEQUIGAN_HOW TO USE WHATSAPP.pptx
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfRevolutionizing Visual Effects Mastering AI Face Swaps.pdf
Revolutionizing Visual Effects Mastering AI Face Swaps.pdf
 
Hand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User Validation Code KataHand Rolled Applicative User Validation Code Kata
Hand Rolled Applicative User Validation Code Kata
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CDKuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
 
DDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systemsDDS-Security 1.2 - What's New? Stronger security for long-running systems
DDS-Security 1.2 - What's New? Stronger security for long-running systems
 
Microservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we workMicroservice Teams - How the cloud changes the way we work
Microservice Teams - How the cloud changes the way we work
 
Mobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona InfotechMobile App Development Company In Noida | Drona Infotech
Mobile App Development Company In Noida | Drona Infotech
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 

AES-GCM common pitfalls and how to work around them.pptx

  • 1. AES-GCM common pitfalls and how to work around them Santiago Kantorowicz - 2022 medium.com/@skantos
  • 2. Who am I ● Working in CyberSecurity since 2008 ● Working at Twilio since 2015 ○ 6 years as Authy / Account Security Security Officer ○ Now Staff Product Security Engineer ● Not a cryptographer, an enthusiast!
  • 3. Why this talk? ● Organizations need to implement encryption. ● “someone” creates a library for specific use* when needed and many years later everyone still uses the same. ● * usually when the use case is very simple and undemanding. ● Most companies can’t afford cryptography experts. ● Security professionals are not always into cryptography either. ● So many/most small to large companies wing it.
  • 4. ● You need to store some sensitive data in a database. ○ API Keys, PII, Credit card, etc. ● Someone says: let’s encrypt! ● AES-GCM is mentioned a lot on google searches! ● stackoverflow.com → copy/paste Introduction
  • 5.
  • 7. With great power comes great responsibility
  • 8. With great power comes great responsibility managing keys
  • 9. Key management: Key Life Key Rotation ● Why? ○ Key compromised ○ Standards ○ Compliance (PCI) ● When? ○ Based on time ○ Amount of encryption ○ Total number of Bytes encrypted
  • 11. CryptoPeriod “NIST Special Publication 800-57 Part 1 - Revision 5”, named: “Recommendation for Key Management: Part 1 – General” https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf “The time span during which a specific key is authorized for use or in which the keys for a given system or application may remain in effect.”
  • 12. CryptoPeriod “NIST Special Publication 800-57 Part 1 - Revision 5”, named: “Recommendation for Key Management: Part 1 – General” https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
  • 13. Extending Key Life ● We will focus on extending Key life! ○ “7. Limitations for algorithm usage (e.g., the maximum number of invocations to avoid nonce reuse)” ● Extending key life may or may not affect the cryptoperiod.
  • 14. CryptoPeriod vs Key life ● Cryptoperiod != maximum amount of encryptions you can perform with one the key. ● Cryptoperiod: suggested/enforced through standards like NIST and regulations like PCI.
  • 16. ● Used interchangeable ● IV = initialization vector ● nonce = number used once ● 1 plain-texts → encrypted twice → 2 different ciphertexts IV / Nonce
  • 17. AES-GCM Wins popularity contest ● AES-GCM is recommended by many experts. ● It’s AEAD (authenticated + integrity built-in) ● Efficient and Performant ● Specially compared to CBC the mode it replaced as most popular
  • 19. AES-GCM: what’s wrong with it? GCM is CTR with GMAC for integrity/authentication https://datatracker.ietf.org/doc/html/rfc3686
  • 20. AES-GCM: what’s wrong with it? https://datatracker.ietf.org/doc/html/rfc3686
  • 21. AES-GCM: what’s wrong with it? Encrypt Nonce 1 E(N1) ⊕ PlainA = CipherA Encrypt Nonce 1 E(N1) ⊕ PlainB = CipherB E(N1) ⊕ PlainA ⊕ E(N1) ⊕ PlainB (PlainA ⊕ PlainB) ⊕ PlainA ● PlainA is known ● PlainB is unknown, CipherB is known. ⊕
  • 22. AES-GCM: what’s wrong with it? Encrypt Nonce 1 E(N1) ⊕ PlainA = CipherA Encrypt Nonce 1 E(N1) ⊕ PlainB = CipherB E(N1) ⊕ PlainA ⊕ E(N1) ⊕ PlainB (PlainA ⊕ PlainB) ⊕ PlainA ● PlainA is known ● PlainB is unknown, CipherB is known. ⊕
  • 23. AES-GCM: what’s wrong with it? ● It doesn’t end here! ● Different cipher texts, same nonce and key → auth key is leaked ● Forge and tamper ciphertexts
  • 24. AES-GCM: what’s wrong with it? “Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS” https://eprint.iacr.org/2016/475.pdf “…This results in catastrophic failure of authenticity, even if a nonce is only re-used a single time and enables us to carry out a practical forgery attack against HTTPS…” … A single repeated nonce is usually enough to fully recover the connection’s authentication key…” https://csrc.nist.gov/csrc/media/projects/block-cipher- techniques/documents/bcm/comments/800-38-series-drafts/gcm/joux_comments.pdf …an adversary can recover the secret key of the keyed hash function underlying the authentication, using a chosen IV attack. Once this secret key is known, the encryption mode is no longer authenticated. As a consequence, all chosen ciphertext attacks against the confidentiality become feasible. Moreover, since the encryption mode is a counter mode, i.e. a stream cipher, the XOR malleability of the encrypted plaintext becomes a major security issue.
  • 25. GCM nonces ● OK, so I just won’t repeat nonces and I’m done. Right? ● Distributed infrastructure makes counters almost impossible. ● Random nonces ● GCM nonces are standardized to 96 bit long.
  • 26. GCM nonces ● NIST SP 800-38D (Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC) specifies: “...The IVs in GCM must fulfill the following “uniqueness” requirement: The probability that the authenticated encryption function ever will be invoked with the same IV and the same key on two (or more) distinct sets of input data shall be no greater than 2-32...” “...The total number of invocations of the authenticated encryption function shall not exceed 232, including all IV lengths and all instances of the authenticated encryption function with the given key...”
  • 27. GCM nonces ● P(collision) = 2-32 ≃ 10-10 ● We can’t encrypt more than 232 times (with same key) ● Risk of random nonce repetition. If you encrypt 500 records/second you will hit 232 after 100 days! Days! Not years!
  • 28. ● Why 96 bits? Why not 256 bits? https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/ gcm/gcm-spec.pdf “96-bit IV values can be processed more efficiently, so that length is recommended for situations in which efficiency is critical.” ● Could be longer! but it’s not standardized. GCM nonce length
  • 29. ● Libraries expects the implementer to keep the number of encryptions under 232. ● I checked LibSodium and Google Tink. ● Golang std library: “Never use more than 232 random nonces with a given key because of the risk of a repeat.” Cryptographic libraries solve this, right?
  • 32. Why random numbers repeat? ● Birthday paradox! ● In cryptographic layman terms ○ If you don’t want any 2 random numbers to repeat, you must limit the amount of random numbers you generate. ● If your numbers go from 1 to 10, it’s extremely likely that if you generate 5 random numbers, 2 will repeat (~70%).
  • 34. Birthday paradox NIST GCM recommended max encryptions: 232 ~ 109 https://en.wikipedia.org/wiki/Birthday_problem#Probability_table
  • 35. GCM nonce collision acceptance ● NIST: Acceptable probability of collision of around 2-32 ~ 10-10 ● We will use the table from now on ○ So safe is <= 10-12
  • 37. ● Use AES-GCM, with NO changes ● Keep it NIST compliance → FIPS 140-2* / FedRAMP ● Probability of collision <= 10-10 ● At least 264 encryptions. ● No requirements for performance. ● No requirements for efficiency Workaround requirements * or FIPS 140-3
  • 39. Workaround: Random Salt ● Derive Keys from a Master Key ○ “Synthetically emulate larger nonces” ● NO changes to how nonces are created ● NIST/FIPS 140-2 compliant ○ NOT changing the algorithm at all ● If a nonce were to repeat, it should happen with a different Key.
  • 40. Workaround: Random Salt ● For AES with 256 bit keys: ○ Derived Key = HMAC-SHA256(Master Key, Salt) ● Salts are random → Figure out the required size. ● Master Key is never used to encrypt.
  • 41. Workaround: Random Salt ● Let’s calculate Salt size! ● Salts are random too → Birthday paradox is applicable!
  • 43. Workaround: Random Salt ● 264 is ~1019 (< 1.1 x 1023). We are actually getting better than P=10-18
  • 44. Workaround: Random Salt ● We need 192 bits random in TOTAL. ● We have 96 bits already from nonce ● So Salt → 96 bits (12 bytes)
  • 45. Workaround: Random Salt ● Use SecureRandom ● Seeding should use fresh entropy when having many instances, to avoid different instances having the same seed.
  • 46. Workaround: Random Salt Extra cost compared to plain AES-GCM: ● 96 bits SecureRandom ● 1 HMAC ● 12 extra bytes It’s not that bad :) ● You can adapt salt size based on need. https://github.com/kantos/go_encryption_library
  • 48. Workaround: Time-based salts ● Derived Key = HMAC-SHA256(Master Key, Salt) ● Counters are good nonces! ● Hard to sync among instances. ● Let’s uses salts based on time! ● Time doesn’t repeat itself ○ It does repeat among different instances though. ○ Or on local time adjustments
  • 49. Workaround: Time-based salts ● 32-bit Unix time → 4 bytes ● Birthday paradox doesn’t apply → 232 by 232 = 264 encryptions. ● As long as you don’t perform more than 232 encryptions in 1 second, you should be fine.
  • 50. Workaround: Time-based salts ● No need to worry about time shifts between instances, they end up cancelling each other. ● If clocks are not working at all, i.e. stuck, then you have to worry.
  • 51. Workaround: Time-based salts Side effects: ● You are storing the time of record encryption. ○ If you are for example encrypting Bank account creation date, then “salt” = “account creation date” ○ Useful for scheduling re- encryptions (for key rotations)
  • 52. Workaround: Time-based salts Side effects: ● Unix 32 bits timestamps are “signed int”. Overflows in the year 2038. ○ Overflow won’t break the scheme → Useful until year 2106. ○ Prepare your Operating System for overflows. ○ You could end up finding every record to be old, even immediately after encrypting.
  • 54. AES-GCM-SIV ● SIV = Synthetic Initialization Vector ● “Nonce Misuse-Resistant Authenticated Encryption” ● 2017: Shay Gueron, Adam Langley, Yehuda Lindell. https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-gcmsiv-05 https://eprint.iacr.org/2017/168.pdf
  • 55. AES-GCM-SIV Pros ● Resistant to nonce repetition ● Less performant than plain AES-GCM, but still pretty good. ● Available in multiple programming languages. ● Encrypt 264 messages of length 4KiB
  • 56. AES-GCM-SIV Cons ● Still not available in every programming language [1] ● Support is up to individual projects ● Not FIPS 140-2 (nor NIST approved. Submitted in 2019 [2]) [1] It’s getting better every year though. [2] https://csrc.nist.gov/projects/block-cipher-techniques/bcm/modes-development
  • 57. AES-GCM-SIV ● Repeating nonces still leaks that the plain text is the same. ● You can mix AES-GCM-SIV with the proposed solutions. ● AES-GCM-SIV is likely secure, but it’s too new.
  • 58. Should we really worry about AES-GCM collisions?
  • 59. Should we really worry about AES-GCM collisions? ● 248 encryptions → chance of a nonce collision is around 50%. ● An attacker needs to capture/retrieve and store, 15 petabytes* of records to have 50% chance of success of collision. ○ If your plain-text records are 32 bytes, when encrypted (with tag and nonce) they are 60 bytes long. ● This will only allow decrypting 1 record. ● And forging any new record. * in average, you never know when a repetition will happen.
  • 60. Should we really worry about this? ● You decide! ● Implementing these solutions it’s pretty easy, so why not do them. ● You never know how your system will be abused. ● You never know how your encryption library will be used by engineers. ● Encryption libraries live for a long time in organizations.
  • 61. Why use AES-GCM then? ● AES-GCM is FIPS 140-2* compliant ● Less error prone to AES-CBC ● FedRAMP requires FIPS 140-2* ● If you don’t need any of those (beware your org may change their mind) a. NaCl/libsodium b. XChaCha20-Poly1305-IETF c. AES-GCM-SIV * / FIPS 140-3

Editor's Notes

  1. We will focus on Key Life! If a key has a life we need to consider and implement rotation. Rethorical question: “What happens if I don’t?” → to intro that rotation is required by encryption algorithms
  2. We can’t talk about key life without talking about cryptoperiod. Nist defines it was the time span a key is authorized for us.
  3. We will focus on 7
  4. One clarification: Key life is just one factor of cryptoperiod, but not the same. Cryptoperiod <> maximum amount of encryptions you can perform without rotating the key. Cryptoperiod: suggested/enforced through standards like NIST and regulations like PCI.
  5. let’s sum it up to something random you add when encrypting so 2 plain texts have different cipher texts
  6. GCM was designed for TLS to replace CBC. it has authentication and integrity built-in compared to CBC. It’s more efficient and performant than CBC + HMAC, what it replaced.
  7. Plain_A could be for example an API key a service provides to us, and they stored encrypted. Through SQL injection we find Cipher_B is using the same nonce they used with Plain_A We do this operations.
  8. Plain_A could be for example an API key a service provides to us, and they stored encrypted. Through SQL injection we find Cipher_B is using the same nonce they used with Plain_A We do this operations.
  9. Papers that explain this vulnerability on GCM tag. https://cryptologie.net/article/361/breaking-https-aes-gcm-or-a-part-of-it/ https://www.cryptologie.net/article/519/key-wrapping-and-nonce-misuse-resistance/#:~:text=As%20you%20probably%20know%2C%20a,and%20to%20forge%20more%20messages. https://www.elttam.com/blog/key-recovery-attacks-on-gcm/#content https://soatok.blog/2020/05/13/why-aes-gcm-sucks/
  10. Random nonces is the common thing to do.
  11. Probability of nonce collision should not exceed 2^-32 For that it recommends not to invoke more than 2^32 times the encrypt function.
  12. Let’s talk why random numbers can repeat so easily.
  13. https://www.wolframalpha.com/input?i=birthday+paradox%2C+5+people%2C+10+possible+birthdays
  14. Where does this NIST 2^32 comes from. 2^32 is around 10^9, the closest number in the table with 96 bits nonces is 4.0 x 10^8, erring on the safe side of course
  15. equal or less than 10 to the power of minus twelve
  16. No requirements for performance. Thought for use cases of encryption of less 16KB of up to several thousands per second. not millions (like TLS). YMMV though. No requirements for efficiency Ok to store some additional bytes (4-12 bytes) per encrypted record But it needs to be good enough for production use.
  17. The table tells us we need 192 bits random. Since we have 96 random bits from the nonce then we need another 96 bits to get to 192.
  18. The table tells us we need 192 bits random. Since we have 96 random bits from the nonce then we need another 96 bits to get to 192.
  19. Standard random should in theory be OK too, I wouldn’t risk it though.
  20. Same Derived Key scheme as before, what changes is nonce generation.
  21. https://www.zerotier.com/2019/09/04/aes-gmac-ctr-siv/
  22. https://www.zerotier.com/2019/09/04/aes-gmac-ctr-siv/