The 2016 Pwnie Nominee For Best Cryptographic Attack

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS

Credit: Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic

It’s one thing to know that when you’re encrypting with constructions that need a random nonce, you can’t ever re-use a nonce. Everyone knows that, right? Everyone, that is, except all the people who implement TLS stacks.

It’s another thing to know how to exploit crypto constructions with repeated nonces.

Sometimes it’s easy. Repeat a nonce for AES-CTR in AES-CTR-HMAC and you can decrypt messages as straightforwardly as you can decrypt toy XOR encryption.

Other times it’s not so easy. Accidentally repeat 8 bits of an 256-bit ECDSA nonce, for instance by leaving its 32nd byte zero in an off-by-one bug, and you’ve got a vulnerability that requires both lattice reductions and Fourier transforms to solve. Which is a good thing, if you find that sort of thing “fun”.

Attacks on GCM are on the “fun” end of the spectrum. Binary polynomial fun. Linear algebra fun. Factoring fun. There’s something in here for everyone to love. Except the people who write TLS stacks.

Real world impact? They did the TLS equivalent of popping CALC.EXE: they exploited GCM, the current state of the art in authenticated encryption, to inject XSS attacks into bank websites. Even though Antoine Joux, one of the world’s most famous cryptographers, forbade them from doing that. Take that, cryptographers! This attack is Forbidden! And they did it anyways!

Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS