Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS

Black Hat USA 2016

Presented by: Hanno Böck, Sean Devlin, Philipp Jovanovic, Aaron Zauner
Date: Wednesday August 03, 2016
Time: 11:30 - 12:20
Location: South Seas IJ

We investigate nonce-reuse issues with the Galois/Counter Mode (GCM) algorithm as used in TLS. Nonce reuse in GCM allows an attacker to recover the authentication key and forge messages, as described by Joux. With an Internet-wide scan we identified over 70,000 HTTPS servers that are at risk of nonce reuse. We also identified 184 HTTPS servers repeating nonces directly in a short connection. Affected servers include large corporations, financial institutions, and a credit card company. We implement a proof of concept attack allowing us to violate the authenticity of affected HTTPS connections and inject content.
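The scan described above sorts servers by how they generate the 8-byte explicit nonce of TLS 1.2 AES-GCM records: a repeated nonce is exploitable immediately, while random nonces are "at risk" because of the birthday bound. The following is an added example (not code from the talk or the authors) showing that classification as a defender would run it over captured record nonces; the connections, nonce values and function names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample data (not from the talk): the 8-byte explicit nonces
# carried in the TLS 1.2 AES-GCM record header for three hypothetical
# connections. The other 4 bytes of the 12-byte GCM nonce are the
# per-connection salt from the key block and stay fixed, so a repeated
# explicit nonce under one key is a repeated GCM nonce.
SAMPLE_CONNECTIONS = {
    "counter":   [i.to_bytes(8, "big") for i in (1, 2, 3, 4)],
    "random":    [bytes.fromhex(h) for h in ("9f3a17c02b5d8e41",
                                              "1207aa3c9e55f0b8",
                                              "e41d6b7f0c93a2d5")],
    "repeating": [bytes.fromhex(h) for h in ("0000000000000001",
                                              "0000000000000002",
                                              "0000000000000001")],
}

def classify_nonces(nonces):
    """Return how a connection appears to generate explicit nonces.

    'repeat'  - a value reoccurs under the same key: forgery is possible now
    'random'  - no ordering: fine per record, at risk over many records
    'counter' - strictly increasing: the expected behaviour
    """
    if any(len(n) != 8 for n in nonces):
        raise ValueError("TLS 1.2 GCM explicit nonces are 8 bytes")
    repeated = sorted(n.hex() for n, c in Counter(nonces).items() if c > 1)
    if repeated:
        return {"pattern": "repeat", "repeated": repeated}
    if len(nonces) < 2:
        return {"pattern": "unknown"}
    values = [int.from_bytes(n, "big") for n in nonces]
    if all(b > a for a, b in zip(values, values[1:])):
        return {"pattern": "counter"}
    return {"pattern": "random"}

def birthday_records(bits=64, p=0.5):
    """Records after which random nonces of the given width collide with
    probability p (standard birthday-bound approximation)."""
    return math.sqrt(2 * 2 ** bits * math.log(1 / (1 - p)))

def scan(connections):
    """Label every connection; 'repeat' and 'random' both deserve attention."""
    return {name: classify_nonces(n)["pattern"] for name, n in connections.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_CONNECTIONS).items():
        print(f"{name:10s} -> {verdict}")
    print(f"64-bit random nonces: ~{birthday_records():.2e} records for a 50% collision chance")
```

Only a few records per connection are needed to spot a repeat; the random-versus-counter distinction gets more reliable as more records are observed.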

Sean Devlin

Sean Devlin is a cofounder of NCC Group's Cryptography Services and a coauthor of the Matasano Crypto Challenges. Previously a principal consultant with Matasano and NCC Group, he is now an independent security researcher and consultant.

Hanno Böck

Johannes Böck works as a freelance journalist and regularly covers IT security topics for the German IT news webpage Golem.de. He has written for several newspapers in the past and is the author of the monthly Bulletproof TLS Newsletter. Hanno also runs the Fuzzing Project, an effort to improve the security of free software applications.

Aaron Zauner

Aaron Zauner is self-employed and primarily does engineering work, training, consulting and research on IT Infrastructure Architecture, Operations & Development, High Performance Computing and Information Security. He's been working in different corners of the IT industry for more than 10 years, has seen the fallacies of distributed computing, and still enjoys working and researching in the industry. He loves tuning, scaling and securing distributed systems, building on and contributing to great Free & Open Source Software. He has held talks on DevOps, HPC and Security related topics at various venues, from local meetups to internationally recognized conferences. In addition, he currently holds a research position at SBA-Research in Vienna, where he focuses on network security, applied cryptography, conducting Internet-wide surveys, attacking protocol implementations and proliferating strong cryptography.

Philipp Jovanovic

Philipp Jovanovic finished his PhD in the field of symmetric cryptology at the University of Passau, Germany, in 2015. In his thesis "Analysis and Design of Symmetric Cryptographic Algorithms" he investigates fault-based attacks on various block ciphers and presents NORX, a novel authenticated encryption scheme which is a second round candidate in the still ongoing CAESAR competition. After his graduation, Philipp became a post-doc at the Swiss Federal Institute of Technology Lausanne (EPFL), Switzerland, where he currently works at the Decentralized and Distributed Systems (DeDiS) Lab on scalable cryptographic protocols and their applications in the areas of Internet PKI, software deployment, generation of public randomness, blockchains, etc. He is also a regular speaker at academic and non-academic conferences, and has presented, amongst others, at the Chaos Communication Congress, ESORICS, and FSE.
