Re: [openpgp] Pull request for AEAD encrypted data packet with GCM

Peter Gutmann <> Wed, 15 February 2017 03:34 UTC

From: Peter Gutmann <>
To: Jon Callas <>, "brian m. carlson" <>
Date: Wed, 15 Feb 2017 03:34:55 +0000

Jon Callas <> writes:

>I'll request that another mode than GCM be used. In particular, I disagree
>with it being "uncontroversial." It's the most controversial mode you could

+1.  However, the adjective I'd use for GCM is most trendy, not necessarily
most controversial.  It's the mode you use without thinking about it
because... um, because everyone says it's cool.  Like MongoDB, or Go, or
Angular.js, or Bimodal IT.

>GCM is very brittle. It breaks in very bad ways if you aren't careful with
>nonces/tags. There are many cases of people misusing it and getting worse
>than no security. I state that because if you *think* you're getting
>authenticated data, but it's actually been altered in transit, and that will
>likely cause issues in the receiving state machine.

+1 again.  You can take something like AES-CBC + HMAC and abuse it as much as
you want, e.g. by memsetting the IV to all zeroes on each block, and at most
you degrade to ECB, with no effect on the MAC's security.  OTOH, do that with a
single IV in GCM (== CTR) mode (so you get a repeated IV) and you get a
catastrophic loss of security.  CTR is RC4 all over again.

>Furthermore, the multiply in GHASH is slow in software. 

Again, and at the risk of sounding like the Callas fan club... 

GCM is a dangerously easy-to-misuse encryption mode paired with a slow, also
failure-prone MAC.  If you want a minimal-fuss AEAD mode, just turn the
current encryption into encrypt-then-MAC.  It's a very minimal change: append
an HMAC to the end of the existing encrypted data.

>I think that GCM is actually controversial and dangerous for generic use.

Not sure about controversial since it's so trendy that most people don't think
about it but just use it, but it's certainly too dangerous for general use.
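The two constructions contrasted in the message above, written out as an added Go example that is not code from the thread or from any OpenPGP implementation: the encrypt-then-MAC form Gutmann suggests (AES-CBC with an HMAC appended over IV and ciphertext, verified in constant time before anything is decrypted), next to the CTR nonce-reuse failure he warns about, shown as the keystream-reuse property that makes reuse catastrophic. Everything here is the example's own assumption: a 64-byte key split into a 32-byte AES-256 key and a 32-byte HMAC-SHA256 key, PKCS#7 padding, a random 16-byte IV, the tag layout, and the function names EtmSeal, EtmOpen and CtrNonceReuseLeaksXor; the demo key and messages in main are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed key layout for this example: 32-byte AES-256 key || 32-byte HMAC-SHA256 key.
const encKeyLen, tagLen = 32, sha256.Size

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad requires a non-empty input (EtmOpen guarantees at least one block).
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EtmSeal is encrypt-then-MAC: iv || AES-256-CBC(pad(plaintext)) || HMAC-SHA256(iv || ct).
func EtmSeal(key, plaintext []byte) ([]byte, error) {
	if len(key) != 2*encKeyLen {
		return nil, errors.New("key must be 64 bytes")
	}
	block, err := aes.NewCipher(key[:encKeyLen])
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...) // the tag covers the IV too, so it cannot be swapped unnoticed
	mac := hmac.New(sha256.New, key[encKeyLen:])
	mac.Write(body)
	return mac.Sum(body), nil
}

// EtmOpen verifies the tag in constant time first and never decrypts data that fails it.
func EtmOpen(key, blob []byte) ([]byte, error) {
	if len(key) != 2*encKeyLen || len(blob) < 2*aes.BlockSize+tagLen || (len(blob)-tagLen)%aes.BlockSize != 0 {
		return nil, errors.New("bad key length or malformed message")
	}
	body, tag := blob[:len(blob)-tagLen], blob[len(blob)-tagLen:]
	mac := hmac.New(sha256.New, key[encKeyLen:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(key[:encKeyLen])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

// CtrNonceReuseLeaksXor reproduces the CTR/GCM failure from the mail: two messages under one
// nonce share a keystream, so c1 XOR c2 == p1 XOR p2 falls straight out of the ciphertexts.
func CtrNonceReuseLeaksXor(encKey, nonce, p1, p2 []byte) (bool, error) {
	if len(p1) != len(p2) {
		return false, errors.New("plaintexts must have equal length")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return false, err
	}
	c1, c2 := make([]byte, len(p1)), make([]byte, len(p2))
	cipher.NewCTR(block, nonce).XORKeyStream(c1, p1)
	cipher.NewCTR(block, nonce).XORKeyStream(c2, p2) // nonce reused: the mistake being illustrated
	for i := range c1 {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 2*encKeyLen) // constructed demo key, not for real use
	blob, _ := EtmSeal(key, []byte("meet at noon"))
	blob[len(blob)-tagLen-1] ^= 1 // flip one ciphertext byte in transit
	_, err := EtmOpen(key, blob)
	leaks, _ := CtrNonceReuseLeaksXor(key[:encKeyLen], make([]byte, aes.BlockSize), []byte("first message!"), []byte("second message"))
	fmt.Println("tampered message rejected:", err != nil, "| CTR nonce reuse leaks p1^p2:", leaks)
}
```

Two design points carry the argument in the message. EtmOpen checks the MAC with hmac.Equal before touching the ciphertext, so altered data is rejected rather than handed to the "receiving state machine" Callas mentions, and with CBC a bad or repeated IV only makes equal blocks recognisable; it does nothing to the HMAC. CtrNonceReuseLeaksXor shows why the same mistake is fatal for CTR, and therefore for GCM, whose encryption layer is CTR: once a nonce repeats, the ciphertexts alone relate the plaintexts, independent of the key.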