From 36b27e733c83e02ac54d7a6c1aa0a43938d1fc1f Mon Sep 17 00:00:00 2001 From: cyfraeviolae Date: Sat, 27 Aug 2022 05:46:17 -0400 Subject: key com --- templates/mac-truncation.html | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) (limited to 'templates/mac-truncation.html') diff --git a/templates/mac-truncation.html b/templates/mac-truncation.html index cf91149..1cbd629 100644 --- a/templates/mac-truncation.html +++ b/templates/mac-truncation.html @@ -115,6 +115,14 @@ cryptography libraries. However, the attack is too slow to demonstrate on the web: download the library to run it locally.

+

+ This attack was shown by Dutch cryptographer Niels Ferguson + in Authentication weaknesses in GCM. + He notes that a (then-)competing mode, CWC, avoids this attack by + encrypting the GMAC polynomial with the block cipher before adding + \(s\). This breaks the linear relationship between the ciphertext + and the MAC. +

Review the nonce reuse attack to learn why recovering the authentication key is enough to forge MACs over @@ -336,15 +344,6 @@ and compute a forged MAC for arbitrary ciphertext under the same nonce as in the nonce reuse attack.

-

Addendum

-

- This attack was first shown by Dutch cryptographer Niels Ferguson - in his paper Authentication weaknesses in GCM. - He notes that a (then-)competing mode, CWC, avoids this attack by - encrypting the GMAC polynomial with the block cipher before adding - \(s\). This breaks the linear relationship between the ciphertext - and the MAC. -

Readers who wish to implement this attack themselves can try Cryptopals; specifically -- cgit v1.2.3
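Review bot: in the first hunk (+115), the relocated paragraph opens with "This attack" directly after the sentence about the library being too slow to run on the web, so the antecedent is no longer the attack section it used to sit under; name it explicitly (e.g. "This authentication-key recovery attack was shown by ..."). The rewording also drops "his paper", so "in Authentication weaknesses in GCM" now reads as running prose rather than a title; mark it as a title (italics, cite, or the link to the paper) or restore "in his paper". Minor wording: "encrypting the GMAC polynomial with the block cipher" is loose, since what gets encrypted is the output of the polynomial hash, not the polynomial itself; "encrypting the output of the polynomial hash with the block cipher before adding \(s\)" says what the following sentence about breaking linearity relies on.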
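Review bot: in the second hunk (-336), the paragraph removed from the Addendum is not the same text that the first hunk adds ("first shown" and "in his paper" are dropped), so this is a move plus an edit, and the commit subject "key com" documents neither; the message should say that the Ferguson note moves out of the Addendum and why the "first" priority claim was dropped. Two of the deleted lines render empty here (the bare "-" lines around the paragraph), which suggests wrapper markup is being removed; confirm the opening and closing tags of that wrapper are deleted together so the template stays well-formed, and note that the Addendum now consists only of the Cryptopals pointer, which still reads fine on its own.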