Authenticated encryption

GCM and CCM modes

Lorenzo Peraldo and Vittorio Picco

Authenticated encryption
Definition: “Authenticated Encryption (AE) is a term used to describe encryption systems which simultaneously protect confidentiality, authenticity and integrity of communications”

Basic components
Message Authentication Code (MAC)

Symmetric encryption

Integrity: an attacker can’t modify the data and then compute a new MAC, because a secret key is needed
Authentication: only the user who has the secret key can authenticate the message

Symmetric encryption
Confidentiality: data are encrypted
Authentication: if only 2 users share the secret key

A non-computer example
A letter from a lover by ordinary mail:
Envelope: confidentiality and integrity
Signature: authentication

Sender AE black box
Inputs: a plaintext message, a key, possibly a nonce

Outputs: the encrypted message (ciphertext), an authentication tag

Recipient AE black box
Inputs: an encrypted message, a tag, the nonce (if used), the key

Output: if the tag is verified, the plaintext; else FAIL

AE security
An attacker can sniff the ciphertext and the nonce, but must not be able to recover the plaintext
The ciphertext should look like random bits

An attacker shouldn’t be able to construct a ciphertext, a tag and a nonce such that the recipient accepts them as valid
Protection from replay attacks

AE implementations
Usually with “modes”
A mode is a sequence of operations applied to a block cipher, like DES or AES
Examples: CBC, ECB, CTR, …
CCM and GCM provide authenticated encryption

Generic composition
Immediate solution
PRO: easy, secure, no need to develop specific apps
CON: not optimized, 2 keys needed for best security

3 ways
MtE: MAC then Encrypt
EtM: Encrypt then MAC
E&M: Encrypt and MAC

EtM is the best

Single-pass combined mode
2000: IBM developed IAPM
Comparison with generic composition
Split the plaintext in m parts
Generic composition: 2m calls of the block cipher
Single-pass: about m invocations

Many followed: XCBC, XECB, OCB, … There is only a problem…

Oh no, Intellectual Properties !!
Single-pass modes were all patented

By Rogaway, Bellare, Black and Krovetz; by Gligor and Donescu; by IBM

As a result …
Probably some of the patents are interrelated
Nobody has gone to court to prove it (yet…)
The possible users of these technologies have been scared off by the legal implications
The researchers have moved in other directions
Single-pass combined modes are not used by anybody, even though they are the best solution

Two-pass combined mode
Not that different from generic composition
Some advantages:
Use of only one key
Patent free
Better performance than generic composition


A brief introduction

What is CCM
Counter with CBC-MAC
An authenticated encryption solution
Encryption: use of the block cipher AES-128 in Counter (CTR) mode

MAC: computed with CBC (Cipher Block Chaining)

Main features
Symmetric key
Designed for AES-128
Use in packet environment (no stream data)
Arbitrary length MAC
Only one key for authentication and encryption
No intellectual property restrictions

How does it work ?
Generation - encryption

How does it work ? (cont’d)
Decryption - verification

1. The MAC (Message Authentication Code) is computed by applying CBC-MAC to the formatted input data: the formatting function turns (N, P, A) into the blocks m1, m2, …, mx

Generation-encryption (cont’d)
2. Counter mode is applied to encrypt data and MAC

Generation-encryption (cont’d)
3. Output ciphertext




Counter mode decryption
Computation of the MAC with CBC-MAC over (N, A, P’)

Verification of authenticity
Output: payload / INVALID

Hardware implementation
CCM cannot be parallelized
Operations to be implemented:
Encryption: hw implementation of the AES cipher
XOR
Counter increment
Formatting function

Keys must be secret and “fresh”
IV: 0 for CBC-MAC
Never use the same nonce twice
Max number of nonces with the same key: 2^61
Choose an appropriate MAC length
Replay attacks: use of timestamps / packet numbers

A possible attack
“be conservative in what you send, and liberal in what you accept”
Accepted MAC lengths: 16-byte MAC, 12-byte MAC, 8-byte MAC, 4-byte MAC

16-byte MAC

A possible attack (cont’d)
Here comes the bad guy !!

4-byte MAC


A possible attack (cont’d)
2^32 4-byte MACs computed

At least one valid ciphertext


Fix the tag length parameter
During key negotiation

Never change it during the current session
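The generation-encryption and decryption-verification steps above, together with the tag-length fix, as an added example that is not part of the original slides: the formatting function, CBC-MAC and CTR layout follow NIST SP 800-38C, while AES-128 is replaced by an HMAC-SHA-256 stand-in (assumption, because the standard library has no AES; a real deployment must use AES). The receiver takes the tag length as a parameter fixed at key negotiation, never from the message, which is what defeats the truncated-MAC attack just described.

```python
import hashlib
import hmac

def block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 (assumption: no AES in the stdlib). CCM only uses the
    forward direction of the cipher, so any 128-bit keyed PRF keeps the structure."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]

def ccm_format(nonce: bytes, aad: bytes, payload: bytes, tag_len: int) -> bytes:
    """Formatting function of SP 800-38C: B0 || length-prefixed AAD || padded payload."""
    q = 15 - len(nonce)                       # bytes of B0 that carry the payload length
    flags = (0x40 if aad else 0) | (((tag_len - 2) // 2) << 3) | (q - 1)
    b0 = bytes([flags]) + nonce + len(payload).to_bytes(q, "big")
    a = b""
    if aad:                                   # short-AAD encoding (len < 2^16 - 2^8)
        a = len(aad).to_bytes(2, "big") + aad
        a += b"\0" * (-len(a) % 16)
    return b0 + a + payload + b"\0" * (-len(payload) % 16)

def ccm_counter(nonce: bytes, i: int) -> bytes:
    """Counter block i for CTR: flags (q - 1) || nonce || i."""
    q = 15 - len(nonce)
    return bytes([q - 1]) + nonce + i.to_bytes(q, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key: bytes, blocks: bytes) -> bytes:
    y = b"\0" * 16                            # CBC-MAC starts from the all-zero IV
    for i in range(0, len(blocks), 16):
        y = block_cipher(key, xor(y, blocks[i:i + 16]))
    return y

def ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR from counter block 1; block 0 is reserved for encrypting the MAC."""
    out = b""
    for j in range(0, len(data), 16):
        out += xor(data[j:j + 16], block_cipher(key, ccm_counter(nonce, 1 + j // 16)))
    return out

def ccm_encrypt(key: bytes, nonce: bytes, aad: bytes, payload: bytes, tag_len: int = 8) -> bytes:
    t = cbc_mac(key, ccm_format(nonce, aad, payload, tag_len))[:tag_len]
    return ctr(key, nonce, payload) + xor(t, block_cipher(key, ccm_counter(nonce, 0)))

def ccm_decrypt(key: bytes, nonce: bytes, aad: bytes, ct: bytes, tag_len: int = 8):
    """tag_len is the value fixed at key negotiation, never read from the message."""
    payload = ctr(key, nonce, ct[:-tag_len])
    t = xor(ct[-tag_len:], block_cipher(key, ccm_counter(nonce, 0)))
    expected = cbc_mac(key, ccm_format(nonce, aad, payload, tag_len))[:tag_len]
    return payload if hmac.compare_digest(t, expected) else None
```

The formatting function and counter blocks can be checked against RFC 3610 packet vector 1 (13-byte nonce 00000003020100A0A1A2A3A4A5, 8-byte AAD, 23-byte payload, 8-byte MAC), whose B0 block is 59 00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5 00 17.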

Galois/Counter Mode of operation

What is GCM - GMAC
An authenticated encryption solution
Encryption: use of the block cipher AES in a mode of operation similar to CTR

The MAC provided is a sort of keyed digest
Can provide authentication only → GMAC

Main features
Extremely fast, more than 10 Gbps
Easy to implement in software and hardware
Can be used for authentication only, if desired
Designed for AES, optimized for 128 bits
Arbitrary length IV, optimized for 96 bits
Only one key for authentication and encryption
No intellectual property restrictions

Authenticated encryption function

WHAT ?!?!

Version for human beings
1. The hash sub-key H is computed and stored: H = Enc_K(0^128), the encryption of the all-zero block


Version for human beings
2. The IV length is checked: if it is 96 bits, it is padded to 128 bits; if it is different, a 128-bit value is computed from it using a special function (GHASH). The result is the starting value of the counter

Version for human beings
3. Encryption

Version for human beings
4. Authentication


Hardware implementation
The only way to manage more than 10 Gbps
GCM can be parallelized
Operations to be implemented:
Encryption: hw implementation of the AES cipher
XOR
Increment of the counter
Multiplication within GF(2^128)

Hardware implementation

The multiplication in GF(2^q)
Different approaches
Parallel
Serial: super serial, bit serial, etc.

Serial solutions
Time and area linear with q

Parallel solution
Time: 1 clock cycle
Area: quadratic with q, but only 30% of the AES cipher
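The GHASH function behind steps 1, 2 and 4 of the walkthrough and the bit-serial GF(2^128) multiplication just compared, as an added example that is not part of the original slides: gf_mult is Algorithm 1 of NIST SP 800-38D (one bit of the multiplier per iteration, the serial approach), and ghash chains it over the additional data, the ciphertext and the length block. Because the standard library has no AES, the hash sub-key H and the value E_K(J0) used in the usage note are taken from the GCM specification's test case 2 (all-zero key, 96-bit IV and one zero block of plaintext) rather than computed.

```python
# Reduction constant R = 11100001 || 0^120: x^128 + x^7 + x^2 + x + 1 in GCM's bit order
R = 0xE1 << 120

def gf_mult(x: int, y: int) -> int:
    """Bit-serial multiplication in GF(2^128), Algorithm 1 of SP 800-38D.
    Blocks are 128-bit big-endian integers, so bit 0 of the spec is the MSB here."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:              # walk x from its leftmost bit
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1 # v = v * x, reduced modulo the polynomial
    return z

def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH_H(A, C): X = (X xor block) * H over A, then C, then [len(A)]64 || [len(C)]64."""
    def blocks(data: bytes) -> list:
        data = data + b"\0" * (-len(data) % 16)
        return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]
    hk = int.from_bytes(h, "big")
    x = 0
    for b in blocks(aad) + blocks(ct):
        x = gf_mult(x ^ b, hk)
    lengths = ((len(aad) * 8) << 64) | (len(ct) * 8)
    return gf_mult(x ^ lengths, hk).to_bytes(16, "big")

def gcm_tag(h: bytes, aad: bytes, ct: bytes, ek_j0: bytes, tag_len: int = 16) -> bytes:
    """Step 4 of the walkthrough: T = MSB_t(GHASH_H(A, C) xor E_K(J0))."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ct), ek_j0))[:tag_len]
```

For test case 2 of the GCM specification (H = 66e94bd4ef8a2c3b884cfa59ca342b2e, C = 0388dace60b6a392f328c2b971b2fe78, no AAD, E_K(J0) = 58e2fccefa7e3061367f1d57a4e7455a) ghash returns f38cbb1ad69223dcc3457ae5b6b0f885 and gcm_tag returns ab6e47d42cec13bdf53a67b21257bddf.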


Keys: secret and “fresh”
IV: probability of using the same IV and key < 2^-32
Known security problem with reused IVs
Appropriate tag length
Replay attacks: use of timestamps


Permutation oracle
Outputs the random-looking output of a PRF; the PRF represents an encrypted message

Distinguishing advantage

Tag-generation oracle
Input: a message
Output: a valid tag

Tag-validation oracle
Input: a message and a tag
Output: is the tag correct for the given message?

Forgery advantage

CTR known issue
Hello world, this is me, life should be fun for everyone
→ 72dd0294rth%p 29sj!5z/k=p akd'^3sddG#/ap5 97;7*h2?375ba+?9

Hello Sarah, this is me, life should be fun for everyone

→ 72dd023&F7j%p 29sj!5z/k=p akd'^3sddG#/ap5 97;7*h2?375ba+?9

Beware !
Attacker with access to a tag-generation oracle: if IVs are not changed, the output will be a function of the hash sub-key H
Analyzing the resulting tags, the attacker could recover H
With H he can generate valid authentication tags, thus pretending to be your friend!

This attack is possible only if you use the same key with the same IV at least twice
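The CTR issue shown on the previous slide and the “never reuse an IV” rule, as an added example that is not part of the original slides: the keystream is an HMAC-SHA-256 stand-in for AES-CTR (assumption, since the standard library has no AES; the effect depends only on CTR's XOR structure), equal_positions is the check anyone holding two ciphertexts can run, and IvSequencer is the deterministic IV construction of SP 800-38D section 8.2.1 that makes reuse under one key impossible.

```python
import hashlib
import hmac

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for the AES-CTR keystream: block i is HMAC-SHA256(key, iv || i).
    Assumption for this demo only; real CTR/GCM derive the stream from AES."""
    out, i = b"", 1
    while len(out) < length:
        out += hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]

def ctr_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    return bytes(m ^ k for m, k in zip(msg, keystream(key, iv, len(msg))))

def equal_positions(ct1: bytes, ct2: bytes) -> list:
    """Offsets where two ciphertexts agree. Under one (key, IV) pair the keystream
    cancels, so these are exactly the offsets where the plaintexts agree: the
    'Hello ' prefix and the common tail of the slide leak without any key."""
    return [i for i, (a, b) in enumerate(zip(ct1, ct2)) if a == b]

class IvSequencer:
    """Deterministic 96-bit IV of SP 800-38D 8.2.1: 32-bit fixed field (e.g. a
    device id) || 64-bit invocation counter. The counter only goes up, so no IV
    is issued twice under this key; the limit forces a rekey before exhaustion."""
    def __init__(self, fixed_field: int, limit: int = 2 ** 32):
        self.fixed = fixed_field.to_bytes(4, "big")
        self.count, self.limit = 0, limit    # limit: invocations allowed per key

    def next_iv(self) -> bytes:
        if self.count >= self.limit:
            raise RuntimeError("invocation limit reached: rekey before encrypting again")
        iv = self.fixed + self.count.to_bytes(8, "big")
        self.count += 1
        return iv
```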



Questions ?
