Diffstat (limited to 'templates/mac-truncation.html')
-rw-r--r-- templates/mac-truncation.html 17
1 files changed, 8 insertions, 9 deletions
diff --git a/templates/mac-truncation.html b/templates/mac-truncation.html
index cf91149..1cbd629 100644
--- a/templates/mac-truncation.html
+++ b/templates/mac-truncation.html
@@ -116,6 +116,14 @@
on the web: <a href="#show-code">download the library</a> to run it locally.
</p>
<p>
+ This attack was shown by Dutch cryptographer Niels Ferguson
+ in <a href="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf">Authentication weaknesses in GCM</a>.
+ He notes that a (then-)competing mode, CWC, avoids this attack by
+ encrypting the GMAC polynomial with the block cipher before adding
+ \(s\). This breaks the linear relationship between the ciphertext
+ and the MAC.
+ </p>
+ <p>
Review the <a href="/forbidden-salamanders/nonce-reuse">nonce reuse attack</a>
to learn why recovering the authentication key is enough to forge MACs over
arbitrary ciphertexts.
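Review bot: the relocated paragraph quietly weakens two statements from the addendum it replaces: "first shown" becomes "shown" and "in his paper" becomes "in", so the page no longer credits Ferguson with the first description of the attack. If that is intentional, the commit message should say so; otherwise restore the original wording, e.g. `This attack was first shown by Dutch cryptographer Niels Ferguson` / `in his paper <a href="...">Authentication weaknesses in GCM</a>`. Separately, because the paragraph now sits in the introduction (around line 116) instead of after the walkthrough (around line 336), confirm that the symbol \(s\) and the phrase "GMAC polynomial" have already been introduced by this point in the template; readers otherwise meet the CWC remark before the derivation defines the terms it relies on.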
@@ -336,15 +344,6 @@
and compute a forged MAC for arbitrary ciphertext under the same nonce
as in the <a href="/forbidden-salamanders/nonce-reuse">nonce reuse attack</a>.
</p>
- <h4>Addendum</h4>
- <p>
- This attack was first shown by Dutch cryptographer Niels Ferguson
- in his paper <a href="https://csrc.nist.gov/csrc/media/projects/block-cipher-techniques/documents/bcm/comments/cwc-gcm/ferguson2.pdf">Authentication weaknesses in GCM</a>.
- He notes that a (then-)competing mode, CWC, avoids this attack by
- encrypting the GMAC polynomial with the block cipher before adding
- \(s\). This breaks the linear relationship between the ciphertext
- and the MAC.
- </p>
<p>
Readers who wish to implement this attack themselves can try
<a href="https://cryptopals.com/">Cryptopals</a>; specifically
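Review bot: the removal is self-contained (one heading and one paragraph) and the surrounding markup stays balanced, with the `</p>` closing the "nonce reuse attack" paragraph followed directly by the `<p>` opening the Cryptopals paragraph, so no orphaned tag is left behind. The one thing to confirm before merging is that nothing else in the templates or site navigation links to or lists an "Addendum" section for this page, since the `<h4>Addendum</h4>` heading disappears without a replacement at this position.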