We provide supplemental material to our research on AES-GCM nonce reuse vulnerabilities in TLS.
- Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS (camera-ready version / Usenix WOOT16)
- Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS (preprint version / IACR ePrint)
We investigate nonce reuse issues with the GCM block cipher mode as used in TLS and focus in particular on AES-GCM, the most widely deployed variant. With an Internet-wide scan we identified 184 HTTPS servers repeating nonces, which fully breaks the authenticity of the connections. Affected servers include large corporations, financial institutions, and a credit card company. We present a proof of concept of our attack allowing to violate the authenticity of affected HTTPS connections which in turn can be utilized to inject seemingly valid content into encrypted sessions. Furthermore, we discovered over 70,000 HTTPS servers using random nonces, which puts them at risk of nonce reuse, in the unlikely case that large amounts of data are sent via the same session.
This repository provides supplemental code and information.
- getnonce - scan tool and OpenSSL patch used for our Internet-wide scan.
- gcmproxy - attack implemented in Go.
- tool - helper tools used by attack code.
- paper - LaTeX source-code for IACR ePrint and WOOT16 camera-ready versions.
- slides - presentation slides for Black Hat USA 2016 and WOOT16.
All our code is published as CC0 1.0 / Public Domain.
Security advisories from affected vendors:
- Security Bulletin: Vulnerability in IBM Domino Web Server TLS AES GCM Nonce Generation (CVE-2016-0270)
- Radware / SA18456: Security Advisory Explicit Initialization Vector for AES-GCM Cipher (CVE-2016-10212)
- A10: CVE-2016-0270 GCM nonce vulnerability (fixed in 2.7.2-p8) (CVE-2016-10213, vendor references wrong CVE)
- CTX220329: Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway GCM nonce generation (CVE-2017-5933)
Media / Blogs
- Golem: TLS/GCM - Gefahr durch doppelte Nonces
- Ars Technica: “Forbidden attack” makes dozens of HTTPS Visa sites vulnerable to tampering
- Veracode: Crypto Fun at Black Hat 2016
- David Wong: Breaking https' AES-GCM (or a part of it)
- TLS Symmetric Crypto (Blogpost by Adam Langley with the initial idea for this research)
- Authentication Failures in NIST version of GCM (Antoine Joux, source for Forbidden Attack against GCM)
- Youtube video showing XSS injection on visa.dk
- Black Hat USA 2016 talk announcement
- Usenix WOOT '16 talk announcement
- Slides from talk at BerlinSec Meetup
- Errata on RFC5288 (AES GCM Cipher-suites in TLS)