Diffstat (limited to 'templates/mac-truncation.html')
-rw-r--r-- templates/mac-truncation.html | 17
1 files changed, 8 insertions, 9 deletions
| diff --git a/templates/mac-truncation.html b/templates/mac-truncation.html index cf91149..1cbd629 100644 --- a/templates/mac-truncation.html +++ b/templates/mac-truncation.html @@ -116,6 +116,14 @@  			on the web: <a href="#show-code">download the library</a> to run it locally.  		</p>          <p> +            This attack was shown by Dutch cryptographer Niels Ferguson +            in <a href="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf">Authentication weaknesses in GCM</a>. +            He notes that a (then-)competing mode, CWC, avoids this attack by +            encrypting the GMAC polynomial with the block cipher before adding +            \(s\). This breaks the linear relationship between the ciphertext +            and the MAC. +        </p> +        <p>              Review the <a href="/forbidden-salamanders/nonce-reuse">nonce reuse attack</a>              to learn why recovering the authentication key is enough to forge MACs over              arbitrary ciphertexts. 
@@ -336,15 +344,6 @@  			and compute a forged MAC for arbitrary ciphertext under the same nonce              as in the <a href="/forbidden-salamanders/nonce-reuse">nonce reuse attack</a>.  		</p> -        <h4>Addendum</h4> -        <p> -            This attack was first shown by Dutch cryptographer Niels Ferguson -            in his paper <a href="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf">Authentication weaknesses in GCM</a>. -            He notes that a (then-)competing mode, CWC, avoids this attack by -            encrypting the GMAC polynomial with the block cipher before adding -            \(s\). This breaks the linear relationship between the ciphertext -            and the MAC. -        </p>          <p>              Readers who wish to implement this attack themselves can try              <a href="https://cryptopals.com/">Cryptopals</a>; specifically | 
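Review bot: the first hunk is a move, but the moved paragraph is not verbatim: "first shown" becomes "shown" and "in his paper" becomes "in", which quietly weakens the priority claim for Ferguson's note. If the softer wording is intentional, say so in the commit message; otherwise keep the original text so the move is a pure relocation. Also check the antecedent of "This attack" at line 116: the only visible context there is the pointer to "download the library to run it locally", so make sure the attack has already been named by that point of the page.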
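Review bot: dropping the `<h4>Addendum</h4>` heading in the second hunk leaves the following "Readers who wish to implement this attack themselves ..." paragraph without the heading that previously set it off from the attack walkthrough; verify the page still reads as a closing section there or give it a heading of its own. The removed `<h4>` carries no `id`, so no fragment link breaks, and the diffstat (8 insertions, 9 deletions) matches the two hunk headers, so nothing else was lost in the move.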
