Re: aes128gcm: why verify padding?

Martin Thomson <> Mon, 30 January 2017 03:22 UTC

From: Martin Thomson <>
Date: Mon, 30 Jan 2017 14:19:49 +1100
To: "Manger, James" <>

On 30 January 2017 at 13:30, Manger, James <> wrote:
>> Actually, if you don't use KDF to obtain the nonce base together with
>> the key, attacker can corrupt messages unless you actually verify that
>> the start block is in its proper place.
> Is this because the scheme uses Nonce XOR Index (not Nonce + Index)?

Not exactly.  The theoretical attack (if I understood Ilari correctly)
is if you had an explicit nonce on each record.  For instance, the
nonce is the first 12 octets of the ciphertext.  At that point, an
attacker would be more capable of interchanging any two

That's different to your concern regarding dropping of some number of
records and producing a valid sequence of records.

Even assuming that you find an input that produces the same key while
allowing you to control the nonce, you would be stuck with the
interesting problem of finding a pattern of records that fit the XOR
pattern. If there were only two records, dropping the first is
trivial.  If there were three records and you wanted to keep two of
them, you have to switch the second and third to fit the pattern,
which would run afoul of the padding delimiter check.

Given that you would know the key at this point, I'd suggest that
constructing a new message would be easier.

> Given 2 valid AEADs, you can get the XOR of their indices but that isn't enough to tell how far apart they are in a sequence. It isn't even sufficient to tell that one comes right before the other. Hence, you really need to get the AEAD marked "start" first (or get the salt from which the "start" record's nonce is derived).

Are you saying that you can feed random data into your oracle until it
accepts two records?  And that you used the same key to generate that
random data?  Assuming those preconditions, I agree that you can get
the XOR of the indices of these records.  But you must have known
those indices because the oracle we're designing only accepts records
at those indices.

Even if you could do what you suggest (with a different oracle
perhaps), I think that you are right in suggesting that that isn't
much use.  You have just won every lottery on the planet in the same
week, and still that information doesn't seem very useful.
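As an added example (not code from this thread or from the draft), here is a simplified Go model of the receiver-side checks the discussion turns on: each record's nonce is the nonce base XOR the record index, each record ends in a padding delimiter, and the decoder rejects a record that does not authenticate at its position or whose delimiter disagrees with whether it is the last one. The key and nonce base are constructed constants, and the record layout omits the draft's header and record-size fields; the draft derives key and nonce base with a KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Constructed 16-byte demo key; a real receiver derives key and nonce base from
// the shared secret with a KDF and never takes the nonce from the ciphertext.
var aead = func() cipher.AEAD {
	block, _ := aes.NewCipher([]byte("0123456789abcdef"))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}()
// recordNonce is the "Nonce XOR Index" construction: the 64-bit record index,
// big-endian, is XORed into the low eight octets of the constructed nonce base.
func recordNonce(seq uint64) []byte {
	n := []byte("\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc")
	for i := 0; i < 8; i++ {
		n[4+i] ^= byte(seq >> (56 - 8*uint(i)))
	}
	return n
}

// sealRecord appends the padding delimiter (1 = another record follows,
// 2 = final record) and seals the chunk under the nonce for its index.
func sealRecord(seq uint64, chunk []byte, final bool) []byte {
	delim := byte(1)
	if final {
		delim = 2
	}
	return aead.Seal(nil, recordNonce(seq), append(append([]byte{}, chunk...), delim), nil)
}
// decodeRecords opens records in received order: a moved record fails GCM
// authentication, a sequence with its tail dropped fails the delimiter check.
func decodeRecords(records [][]byte) ([]byte, error) {
	var plain []byte
	for i, r := range records {
		pt, err := aead.Open(nil, recordNonce(uint64(i)), r, nil)
		if err != nil || len(pt) == 0 {
			return nil, errors.New("record does not authenticate at this index")
		}
		if last, d := i == len(records)-1, pt[len(pt)-1]; (last && d != 2) || (!last && d != 1) {
			return nil, errors.New("padding delimiter does not match record position")
		}
		plain = append(plain, pt[:len(pt)-1]...)
	}
	return plain, nil
}
```

Swapping two records or dropping the start record is caught by the nonce mismatch alone; dropping the tail of the sequence leaves every record authenticating at its index, and only the delimiter check catches it.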