Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS
Switch branches/tags
Nothing to show
Clone or download
Latest commit 4255245 Apr 10, 2017
Type Name Latest commit message Commit time
Failed to load latest commit information.
gcmproxy Initial commit May 18, 2016
getnonce Initial commit May 18, 2016
paper add LaTeX for IACR eprint and WOOT submission Apr 10, 2017
slides add blackhat USA 16 and WOOT16 slides Apr 10, 2017
tool Initial commit May 18, 2016
LICENSE Initial commit May 18, 2016 add link to slides Apr 10, 2017

Nonce-Disrespecting Adversaries

We provide supplemental material to our research on AES-GCM nonce reuse vulnerabilities in TLS.

Research paper

Online check



We investigate nonce reuse issues with the GCM block cipher mode as
used in TLS and focus in particular on AES-GCM, the most widely
deployed variant. With an Internet-wide scan we identified 184 HTTPS
servers repeating nonces, which fully breaks the authenticity of the
connections. Affected servers include large corporations, financial
institutions, and a credit card company. We present a proof of
concept of our attack allowing to violate the authenticity of affected
HTTPS connections which in turn can be utilized to inject seemingly
valid content into encrypted sessions. Furthermore, we discovered
over 70,000 HTTPS servers using random nonces, which puts them at risk
of nonce reuse, in the unlikely case that large amounts of data are
sent via the same session.

This repository provides supplemental code and information.


  • getnonce - scan tool and OpenSSL patch used for our Internet-wide scan.
  • gcmproxy - attack implemented in Go.
  • tool - helper tools used by attack code.
  • paper - LaTeX source-code for IACR ePrint and WOOT16 camera-ready versions.
  • slides - presentation slides for Black Hat USA 2016 and WOOT16.


All our code is published as CC0 1.0 / Public Domain.



Security advisories from affected vendors:

Media / Blogs