
I am currently working on a cryptography challenge. The program uses AES-GCM to encrypt and decrypt strings.

Let's say I have the following:

  1. IV which is reused
  2. only 1 cipher text
  3. authentication tag
  4. AAD data

Is it possible to uncover the plaintext even if I don't have the key? I've read somewhere that IV reuse is bad but is this true even if the key is different?

fdfdfd
  • AES-GCM internally uses CTR mode, for which IV-reuse is catastrophic. Using the same IV enables a crib-dragging attack 1 2 on the ciphertext. And, even that can be automated. I hope those are enough to solve your challenge. – kelalaka Sep 16 '23 at 08:43
  • Thanks for your help. For a crib-dragging attack, I would assume I need at least 2 ciphertexts encrypted with the same key and IV. However, I only have 1 ciphertext now. The IV is 16 bytes instead of 12, will there be any issue with that? – fdfdfd Sep 16 '23 at 12:15
  • While GCM supports 16 byte IVs, that size would be unusual (the normal size is 12 bytes). Are you sure that GCM is being used here? – poncho Sep 16 '23 at 14:02
  • If a 16-byte IV is used then GCM does an extra GHASH call that complicates its security analysis. I don't get the point that in the first item of the list it says the IV is reused. This means that there must be either some means that you can create or some means that you can query. Otherwise, I don't see the point of calling it reused. – kelalaka Sep 16 '23 at 15:00
  • What does it mean that the IV is reused if there's just one ciphertext? – Mikero Sep 16 '23 at 17:15
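The following is an added worked example, not code from the question or from any of the commenters. It uses Go's standard-library AES-GCM to show the two points raised above: with the same key and the same IV, the CTR keystream repeats, so the XOR of two ciphertexts equals the XOR of the two plaintexts (the leak that crib-dragging exploits); with a different key the same IV leaks nothing. It also uses `cipher.NewGCMWithNonceSize` to accept the unusual 16-byte IV from the question. The keys, IV, AAD and plaintexts are constructed demo values, and `KeystreamReused` is a verification helper that needs both plaintexts, i.e. something a reviewer or test suite runs, not a recovery tool. Note that with only a single ciphertext there is no second ciphertext to XOR against, so this check cannot even be formed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Constructed demo values (not from the question): two 128-bit keys, one
// 16-byte IV (the unusual size mentioned in the comments) and some AAD.
var (
	keyA = []byte("0123456789abcdef")
	keyB = []byte("fedcba9876543210")
	iv16 = bytes.Repeat([]byte{0x42}, 16)
	aad  = []byte("demo-header-v1")
)

// sealGCM encrypts plaintext with AES-GCM under key/iv and the given AAD.
// Go's Seal returns ciphertext||tag (16-byte tag appended).
func sealGCM(key, iv, aad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	// NewGCMWithNonceSize allows non-standard IV lengths; a 12-byte IV takes
	// the fast path, any other length is first run through GHASH to derive J0.
	gcm, err := cipher.NewGCMWithNonceSize(block, len(iv))
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, iv, plaintext, aad), nil
}

// splitCT separates GCM's ciphertext||tag output into its two parts.
func splitCT(sealed []byte) (ct, tag []byte) {
	return sealed[:len(sealed)-16], sealed[len(sealed)-16:]
}

// xorBytes returns a XOR b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamReused reports whether c1 and c2 were produced by the same CTR
// keystream: c1 XOR c2 == p1 XOR p2 exactly when the (key, IV) pair was
// reused. Because it needs both plaintexts it is an audit/test helper.
func KeystreamReused(c1, c2, p1, p2 []byte) bool {
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
}

// Demo encrypts two messages with (keyA, iv16) and a third with (keyB, iv16)
// and returns whether the plaintext-XOR leak appears in each pairing.
func Demo() (sameKeySameIV, diffKeySameIV bool, err error) {
	p1 := []byte("transfer 100 units to account 4711")
	p2 := []byte("transfer 900 units to account 1234")

	s1, err := sealGCM(keyA, iv16, aad, p1)
	if err != nil {
		return false, false, err
	}
	s2, err := sealGCM(keyA, iv16, aad, p2) // same key, same IV: keystream repeats
	if err != nil {
		return false, false, err
	}
	s3, err := sealGCM(keyB, iv16, aad, p2) // different key, same IV: fresh keystream
	if err != nil {
		return false, false, err
	}
	c1, _ := splitCT(s1)
	c2, _ := splitCT(s2)
	c3, _ := splitCT(s3)
	return KeystreamReused(c1, c2, p1, p2), KeystreamReused(c1, c3, p1, p2), nil
}

func main() {
	same, diff, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("same key + same IV leaks p1 XOR p2:", same)
	fmt.Println("different key + same IV leaks p1 XOR p2:", diff)
	fmt.Println("xor demo:", hex.EncodeToString(xorBytes([]byte{0xff, 0x0f}, []byte{0x0f, 0xff})))
}
```

Run it with `go run .`; `Demo` reports `true` for the same-key pairing and `false` for the different-key pairing. The tags also differ between the two same-key messages (GHASH covers the ciphertext), so the authentication tag does not protect against this confidentiality loss; only never reusing a (key, IV) pair does.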

0 Answers