Re: [Cfrg] AES-GCM weakness

Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 19 July 2011 05:02 UTC

Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D27621F856F for <cfrg@ietfa.amsl.com>; Mon, 18 Jul 2011 22:02:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.649
X-Spam-Level:
X-Spam-Status: No, score=-3.649 tagged_above=-999 required=5 tests=[AWL=-0.050, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kLn7H-FLj-Z7 for <cfrg@ietfa.amsl.com>; Mon, 18 Jul 2011 22:02:34 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by ietfa.amsl.com (Postfix) with ESMTP id E60CE21F856C for <cfrg@irtf.org>; Mon, 18 Jul 2011 22:02:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1311051754; x=1342587754; h=from:to:subject:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20cfrg@irtf.org,=20jeremie.crenne@univ-ubs.fr |Subject:=20Re:=20[Cfrg]=20AES-GCM=20weakness |In-Reply-To:=20<000001cc4583$5f371720$1da54560$@crenne@u niv-ubs.fr>|Message-Id:=20<E1Qj2Ry-0002yg-CU@login01.fos. auckland.ac.nz>|Date:=20Tue,=2019=20Jul=202011=2017:02:30 =20+1200; bh=FSIOn1z1OnERypJefSX8BUAeDRoI4HWV67xwafOp8Us=; b=N7Jogh/Ijpj7OSRuxCArMwxHppCyumdsb7IQY6tELj0YdWkoJwqYuDkY UenXQzo67BwNtgyBdu6wji56THkSEox5hNaRYvhXrVqvhj5oC9V/DNXrO in29DfQ4U8Mj7TuBJUFw7EH7MgBwyg5LuNOKMY8uwcBHUsr24ZnEuFAWs Q=;
X-IronPort-AV: E=Sophos;i="4.67,226,1309694400"; d="scan'208";a="72525187"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 19 Jul 2011 17:02:30 +1200
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Qj2Ry-0002xB-HV; Tue, 19 Jul 2011 17:02:30 +1200
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1Qj2Ry-0002yg-CU; Tue, 19 Jul 2011 17:02:30 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: cfrg@irtf.org, jeremie.crenne@univ-ubs.fr
In-Reply-To: <000001cc4583$5f371720$1da54560$@crenne@univ-ubs.fr>
Message-Id: <E1Qj2Ry-0002yg-CU@login01.fos.auckland.ac.nz>
Date: Tue, 19 Jul 2011 17:02:30 +1200
Subject: Re: [Cfrg] AES-GCM weakness
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 05:02:38 -0000

=?iso-8859-1?Q?J=E9r=E9mie_Crenne?= <jeremie.crenne@univ-ubs.fr>; writes:

>What is the feeling of the community about the recent potential AES-GCM
>weakness due to weak keys ?

GCM's problem isn't the weak keys in AES-GCM, it's that it's a KSG rather than
a standard block cipher.  It's RC4 all over again, and we're going to see the
same problems with GCM that we've already seen with RC4.  There have been
several already, and the only reason why we haven't seen more is that GCM
isn't used that much (that is, it's used in a small number of widely-deployed
applications, but hasn't become the universal algorithm of choice that RC4
was.  Once, or if, it does, we'll see exactly the same problems that plagued
RC4 throughout its effective lifetime).

Peter.