
I have an implementation that natively uses the same IV (12 bytes of 0) for all encryption. The key is always a 32 byte SHA-512 hash. I know via this post that I can

  1. deduce the bit-wise XOR of the two plaintexts.

  2. deduce the internal authentication value, and thus modify the ciphertexts without being detected.

How can I achieve either of these?

SEJPM

B.Li
  • What research have you done to answer these questions? Can you quote a definition of AES-GCM in algebraic equations that you can manipulate? – Squeamish Ossifrage May 12 '18 at 20:15
  • Funny, I cannot find a post that explains point 2.; I'm sure I saw that one. 1. is of course easy, just perform a many-time-pad attack on the CTR mode that forms the ciphertext (minus the authentication tag). – Maarten Bodewes May 12 '18 at 20:27
  • Actually, it should not be that hard. You know that $t \oplus t'$ XORs the encryption of the first counter value from the equation, and then you've just GMAC over known data (the authentication data and ciphertext) with the only unknown being $H$, and no one-way functions in there. – Maarten Bodewes May 12 '18 at 22:31
  • @MaartenBodewes Try Joux's "forbidden attack". – cypherfox May 13 '18 at 09:40
  • This image on twitter already supplies the TL;DR :) https://twitter.com/tqbf/status/760910618228424704 – Maarten Bodewes May 13 '18 at 14:43
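The comments above note that point 1 is the many-time-pad problem on GCM's CTR layer: under a fixed (key, nonce) pair the keystream is identical for every message, so two ciphertexts XOR to the XOR of their plaintexts. The following is an added example, not code from the question or its commenters, that lets a reviewer confirm this property against an implementation and shows the remedy (a nonce that never repeats under a key, enforced by a tracker). Because the standard library has no AES, it uses HMAC-SHA256 as a stand-in keyed block function inside a counter mode; that substitution is an assumption made here, and the keystream-reuse behaviour is the same as for AES-CTR. Plaintexts, key material and nonces are constructed for the demonstration.

```python
"""Fixed-nonce CTR keystream reuse, and a tracker that refuses to repeat a nonce.

AES-GCM encrypts with AES-CTR, so C = P XOR keystream(key, nonce). The block
function here is HMAC-SHA256 standing in for AES (an assumption for this
example; the stdlib has no AES). The C1 XOR C2 = P1 XOR P2 relation under a
repeated nonce holds identically for real AES-CTR.
"""
import hashlib
import hmac

NONCE_LEN = 12  # GCM's standard 96-bit nonce, as used in the question


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = PRF(key, nonce || counter_i)."""
    out = bytearray()
    counter = 1
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption exactly as CTR mode does it: C = P XOR keystream."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings over their common length."""
    n = min(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a[:n], b[:n]))


def leaks_plaintext_xor(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when C1 XOR C2 == P1 XOR P2, i.e. both messages shared one keystream."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


class NonceTracker:
    """Defensive wrapper: refuses to encrypt twice under the same (key, nonce)."""

    def __init__(self) -> None:
        self._seen: set = set()

    def encrypt(self, key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
        if len(nonce) != NONCE_LEN:
            raise ValueError("GCM nonce must be 12 bytes")
        if (key, nonce) in self._seen:
            raise ValueError("nonce reuse under this key: refusing to encrypt")
        self._seen.add((key, nonce))
        return ctr_encrypt(key, nonce, plaintext)


def demo() -> tuple:
    """Returns (leak_with_fixed_nonce, leak_with_distinct_nonces)."""
    # 32-byte key taken from a SHA-512 digest, as the question describes (constructed input).
    key = hashlib.sha512(b"constructed passphrase").digest()[:32]
    p1 = b"transfer 100 to alice"
    p2 = b"transfer 900 to mallory"
    zero_nonce = bytes(NONCE_LEN)                      # the all-zero nonce from the question
    c1 = ctr_encrypt(key, zero_nonce, p1)
    c2 = ctr_encrypt(key, zero_nonce, p2)
    fixed = leaks_plaintext_xor(c1, c2, p1, p2)        # True: same keystream both times
    # Same key, distinct counter-style nonces: keystreams differ, relation disappears.
    c3 = ctr_encrypt(key, bytes(NONCE_LEN - 1) + b"\x01", p1)
    c4 = ctr_encrypt(key, bytes(NONCE_LEN - 1) + b"\x02", p2)
    unique = leaks_plaintext_xor(c3, c4, p1, p2)       # False
    return fixed, unique


def tracker_rejects_reuse() -> bool:
    """True if NonceTracker blocks a second encryption under a repeated nonce."""
    tracker = NonceTracker()
    key, nonce = b"k" * 32, bytes(NONCE_LEN)
    tracker.encrypt(key, nonce, b"first message")
    try:
        tracker.encrypt(key, nonce, b"second message")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("fixed nonce leaks P1^P2:", demo()[0], "| distinct nonces leak:", demo()[1])
    print("tracker rejects reuse:", tracker_rejects_reuse())
```

The tracker is the practical takeaway for the implementation in the question: either derive the nonce from a per-message counter that is persisted across restarts, or draw it at random and accept the birthday bound on 96 bits, but never let the same (key, nonce) pair reach the cipher twice.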
