aes128gcm: vulnerable to truncation attacks

"Manger, James" <> Mon, 23 January 2017 02:52 UTC

From: "Manger, James" <>
To: "" <>
Date: Mon, 23 Jan 2017 02:48:03 +0000
Subject: aes128gcm: vulnerable to truncation attacks
X-Mailing-List: <> archive/latest/33354

There is a serious flaw in aes128gcm that allows a message to be truncated while authenticated decryption still succeeds.

aes128gcm produces 1 or more AEAD records, where all but the last match the given record size. This allows you to authenticate the end of the stream when you receive at least 2 records. But if you only receive 1 record you cannot tell if you have a complete message or a truncated message with a tampered record size.

The problem is that the record size in the header is not authenticated.

For example, the "Encryption with Multiple Records" example in the spec consists of the following ciphertext (in base64url), which decrypted to "I am the walrus":


Truncating this ciphertext after the 1st record, and increasing the record size field in the header from 26 to 27 gives:


This successfully decrypts to "I am th". It needs to fail, either with an authentication failure or a premature end failure.

Suggestion: include the record size in the derivation of the key and nonces.
Passing the 20 bytes <16-byte salt><4-byte record size> as the 'salt' parameter of the HKDF Extract call might work. Though including the record size in the cek_info and nonce_info values that are fed to HKDF Expand calls might be even better.

James Manger
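The truncation described in the mail, reproduced in Go against a deliberately simplified model of aes128gcm. This is an added example, not code from the mail, the draft, or any implementation of it. It keeps the parts the attack depends on: the unauthenticated <salt(16)><rs(4)><idlen> header, HKDF-SHA256 key and nonce derivation from the salt with the draft's "Content-Encoding: aes128gcm\0" / "Content-Encoding: nonce\0" info strings, AES-128-GCM records with the sequence number XORed into the nonce, and "first record shorter than rs is the last one" as the only end-of-message signal. It omits the draft's padding and delimiter octets, so the record size is 23 (7 plaintext bytes per record, giving "I am th" as the first record, as in the mail) rather than the 26 of the spec example, and the message splits into three records rather than two. The `ikm` and `salt` values are constructed, not the spec's vectors. `bindRS=true` implements Manger's second suggestion (record size appended to `cek_info` and `nonce_info`); the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const tagLen = 16

var ikm, salt = []byte("constructed-ikm-not-secret"), []byte("0123456789abcdef") // constructed, not the spec's vectors

// HKDF-SHA256 (RFC 5869) on crypto/hmac; one output block covers the 16-byte key and 12-byte nonce base.
func hkdf(salt, ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(append(append([]byte{}, info...), 1))
	return exp.Sum(nil)[:n]
}

// bindRS=false: only the salt enters the derivation, as in the draft under discussion.
// bindRS=true: rs is appended to cek_info and nonce_info (Manger's second suggestion).
func deriveKeys(salt []byte, rs uint32, bindRS bool) (cipher.AEAD, []byte) {
	cekInfo := []byte("Content-Encoding: aes128gcm\x00")
	nonceInfo := []byte("Content-Encoding: nonce\x00")
	if bindRS {
		cekInfo = binary.BigEndian.AppendUint32(cekInfo, rs)
		nonceInfo = binary.BigEndian.AppendUint32(nonceInfo, rs)
	}
	blk, _ := aes.NewCipher(hkdf(salt, ikm, cekInfo, 16))
	aead, _ := cipher.NewGCM(blk)
	return aead, hkdf(salt, ikm, nonceInfo, 12)
}

// Per-record nonce: the 96-bit base XOR the big-endian record sequence number.
func nonce(base []byte, seq uint64) []byte {
	n := append([]byte{}, base...)
	for i := 0; i < 8; i++ {
		n[4+i] ^= byte(seq >> (56 - 8*i))
	}
	return n
}

// Header <salt(16)><rs(4)><idlen=0>, then records of rs bytes (rs-16 plaintext bytes plus tag).
// Simplified versus the draft: no padding/delimiter octets, so the only end signal is a short final record.
func encrypt(pt []byte, rs uint32, bindRS bool) []byte {
	aead, base := deriveKeys(salt, rs, bindRS)
	out := append(binary.BigEndian.AppendUint32(append([]byte{}, salt...), rs), 0)
	for seq, chunk := uint64(0), int(rs)-tagLen; ; seq++ {
		n := chunk
		if n > len(pt) {
			n = len(pt)
		}
		out, pt = aead.Seal(out, nonce(base, seq), pt[:n], nil), pt[n:]
		if n < chunk {
			return out
		}
	}
}

// Reads rs from the unauthenticated header and takes the first record shorter than rs as the final one.
// Data ending on a full record leaves an empty "final" record, which Open rejects (shorter than the tag).
func decrypt(msg []byte, bindRS bool) ([]byte, error) {
	if len(msg) < 21 || len(msg) < 21+int(msg[20]) {
		return nil, fmt.Errorf("header too short")
	}
	rs := binary.BigEndian.Uint32(msg[16:20])
	aead, base := deriveKeys(msg[:16], rs, bindRS)
	body, pt := msg[21+int(msg[20]):], []byte{}
	for seq := uint64(0); ; seq++ {
		n := int(rs)
		if len(body) < n {
			n = len(body)
		}
		rec, err := aead.Open(nil, nonce(base, seq), body[:n], nil)
		if err != nil {
			return nil, err
		}
		pt, body = append(pt, rec...), body[n:]
		if n < int(rs) {
			return pt, nil
		}
	}
}

// The attack from the mail: keep the header and the first record only, then rewrite rs to rs+1
// so the lone full-size record passes as a short final one.
func truncateAndBumpRS(msg []byte) []byte {
	rs := binary.BigEndian.Uint32(msg[16:20])
	forged := append([]byte{}, msg[:21+int(msg[20])+int(rs)]...)
	binary.BigEndian.PutUint32(forged[16:20], rs+1)
	return forged
}

func main() {
	for _, bind := range []bool{false, true} { // rs=23: 7 plaintext bytes per record, first record "I am th"
		pt, err := decrypt(truncateAndBumpRS(encrypt([]byte("I am the walrus"), 23, bind)), bind)
		fmt.Printf("rs bound into HKDF=%v: accepted=%q err=%v\n", bind, pt, err)
	}
}
```

With `bindRS=false` the forged message is accepted as "I am th": nothing in the key, the nonce or the AEAD input depends on the rs field, so the receiver's only defence is the "shorter than rs" heuristic, which the attacker controls. Plain truncation without touching rs is still caught, because the data then ends on a full-size record and the receiver tries to open an empty final one. With `bindRS=true` the same forgery fails with an authentication error, since rs=24 derives a different key and nonce from the ones that produced the record. For context, the published RFC 8188 took a different route to the same goal: rather than binding rs into the key derivation, it marks the last record with a distinct padding delimiter octet (0x02 instead of 0x01), so a truncated stream ends on a record that does not claim to be final.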