Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS
nonce-disrespect/nonce-disrespect
We provide supplemental material to our research on AES-GCM nonce reuse vulnerabilities in TLS.
- Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS (camera-ready version / Usenix WOOT16)
- Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS (preprint version / IACR ePrint)
Abstract:
We investigate nonce reuse issues with the GCM block cipher mode as used in TLS and focus in particular on AES-GCM, the most widely deployed variant. With an Internet-wide scan we identified 184 HTTPS servers repeating nonces, which fully breaks the authenticity of the connections. Affected servers include large corporations, financial institutions, and a credit card company. We present a proof of concept of our attack that violates the authenticity of affected HTTPS connections, which in turn can be used to inject seemingly valid content into encrypted sessions. Furthermore, we discovered over 70,000 HTTPS servers using random nonces, which puts them at risk of nonce reuse in the unlikely case that large amounts of data are sent via the same session.
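The authenticity break the abstract describes is Joux's "forbidden attack": two records authenticated under the same nonce share the same tag mask E_K(J0), so XORing their tags cancels it and leaves a polynomial in the GHASH key H over GF(2^128). The following is a worked example added here, not code from this repository or from the paper's gcmproxy tool. AES is replaced by constructed stand-in constants (H_TRUE, MASK and KEYSTREAM play the roles of E_K(0^128), E_K(J0) and E_K(inc32(J0))); the attacker-side functions read only intercepted ciphertexts and tags. It handles the simplest case, two single-block records of equal length and no AAD, where the difference reduces to (C1 ^ C2) * H^2 and H falls out of one field inversion and one square root; records of differing lengths give a higher-degree polynomial whose roots must be found over GF(2^128), which this example does not implement.

```python
"""Forbidden attack on GCM after nonce reuse: recover the hash key H and the
tag mask E_K(J0) from two intercepted records, then forge a tag.
Added worked example; not code from the nonce-disrespect repository. The block
cipher is replaced by constructed constants (H_TRUE, MASK, KEYSTREAM); the
attacker functions never read them.
"""

# GCM's reduction polynomial x^128 + x^7 + x^2 + x + 1, in GCM's reflected bit order.
R = 0xE1000000000000000000000000000000
ONE = 1 << 127  # multiplicative identity in that bit order


def gf_mul(x: int, y: int) -> int:
    """Multiply two field elements (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def gf_pow(x: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^128)."""
    result, base = ONE, x
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def gf_inv(x: int) -> int:
    return gf_pow(x, (1 << 128) - 2)

def gf_sqrt(x: int) -> int:
    """x^(2^127): squaring is a bijection, so 127 further squarings undo one."""
    for _ in range(127):
        x = gf_mul(x, x)
    return x

def _blocks(data: bytes) -> list:
    padded = data + b"\x00" * (-len(data) % 16)
    return [int.from_bytes(padded[i:i + 16], "big") for i in range(0, len(padded), 16)]

def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A, C), Horner-style, ending with the 64-bit||64-bit length block."""
    y = 0
    for block in _blocks(aad) + _blocks(ct):
        y = gf_mul(y ^ block, h)
    return gf_mul(y ^ (((len(aad) * 8) << 64) | (len(ct) * 8)), h)


# --- victim: an endpoint whose GCM nonce never changes (constructed secrets) ---
H_TRUE = 0x3C4FCF098815F7ABA6D2AE2816157E2B                    # stands in for E_K(0^128)
MASK = 0x5A7B1C9D0E2F3A4B5C6D7E8F90A1B2C3                      # stands in for E_K(J0)
KEYSTREAM = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # stands in for E_K(inc32(J0))

def victim_seal(plaintext: bytes) -> tuple:
    """Encrypt one block and tag it; the nonce, hence MASK and KEYSTREAM, repeat."""
    assert 0 < len(plaintext) <= 16
    ct = bytes(p ^ k for p, k in zip(plaintext, KEYSTREAM))
    return ct, ghash(H_TRUE, b"", ct) ^ MASK

def victim_tag(ct: bytes, aad: bytes = b"") -> int:
    """The tag the victim computes for any record under the reused nonce."""
    return ghash(H_TRUE, aad, ct) ^ MASK


# --- attacker: sees only (ciphertext, tag) pairs ---
def recover_h(c1: bytes, t1: int, c2: bytes, t2: int) -> int:
    """Two single-block records of equal length, no AAD:
    T1 ^ T2 = (C1 ^ C2) * H^2, because MASK and the length-block term cancel."""
    assert 0 < len(c1) == len(c2) <= 16 and c1 != c2
    d = _blocks(c1)[0] ^ _blocks(c2)[0]
    return gf_sqrt(gf_mul(t1 ^ t2, gf_inv(d)))

def recover_mask(h: int, ct: bytes, tag: int) -> int:
    """With H known, E_K(J0) = T ^ GHASH_H(C)."""
    return tag ^ ghash(h, b"", ct)

def forge_tag(h: int, mask: int, ct: bytes, aad: bytes = b"") -> int:
    """A tag the victim accepts for any ciphertext and AAD under the reused nonce."""
    return ghash(h, aad, ct) ^ mask

def demo() -> dict:
    """Intercept two records, recover the secrets, inject attacker-chosen content."""
    p1, p2 = b"GET /index.html ", b"GET /login.html "   # constructed plaintexts
    c1, t1 = victim_seal(p1)
    c2, t2 = victim_seal(p2)
    h = recover_h(c1, t1, c2, t2)
    mask = recover_mask(h, c1, t1)
    keystream = bytes(c ^ p for c, p in zip(c1, p1))    # one known plaintext gives the keystream
    forged_ct = bytes(p ^ k for p, k in zip(b"GET /admin.html ", keystream))
    forged_tag = forge_tag(h, mask, forged_ct)
    return {"h": h, "mask": mask, "forged_ct": forged_ct, "forged_tag": forged_tag,
            "accepted": victim_tag(forged_ct) == forged_tag}


if __name__ == "__main__":
    r = demo()
    print("H recovered:", hex(r["h"]), "| forged record accepted:", r["accepted"])
```

Once H and the mask are known, the attacker is not limited to single-block records: forge_tag produces a valid tag for a ciphertext of any length and any AAD under that nonce, which is why a single repeated nonce is enough to inject arbitrary content into the session.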
This repository provides supplemental code and information.
- getnonce - scan tool and OpenSSL patch used for our Internet-wide scan.
- gcmproxy - attack implemented in Go.
- tool - helper tools used by attack code.
- paper - LaTeX source code for the IACR ePrint and WOOT16 camera-ready versions.
- slides - presentation slides for Black Hat USA 2016 and WOOT16.
All our code is published as CC0 1.0 / Public Domain.
Security advisories from affected vendors:
- Security Bulletin: Vulnerability in IBM Domino Web Server TLS AES GCM Nonce Generation (CVE-2016-0270)
- Radware / SA18456: Security Advisory Explicit Initialization Vector for AES-GCM Cipher (CVE-2016-10212)
- A10: CVE-2016-0270 GCM nonce vulnerability (fixed in 2.7.2-p8) (CVE-2016-10213, vendor references wrong CVE)
- CTX220329: Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway GCM nonce generation (CVE-2017-5933)
- Golem: TLS/GCM - Gefahr durch doppelte Nonces (German: "TLS/GCM - danger from duplicate nonces")
- Ars Technica: “Forbidden attack” makes dozens of HTTPS Visa sites vulnerable to tampering
- Veracode: Crypto Fun at Black Hat 2016
- David Wong: Breaking https' AES-GCM (or a part of it)
- TLS Symmetric Crypto (blog post by Adam Langley with the initial idea for this research)
- Authentication Failures in NIST version of GCM (Antoine Joux, source for Forbidden Attack against GCM)
- Youtube video showing XSS injection on visa.dk
- Black Hat USA 2016 talk announcement
- Usenix WOOT '16 talk announcement
- Slides from talk at BerlinSec Meetup
- Errata on RFC 5288 (AES GCM Cipher Suites for TLS)