Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS

by Sean Devlin, Hanno Böck, Aaron Zauner, Philipp Jovanovic
Sept. 15, 2017 0 comments belen_caty

We investigate nonce-reuse issues with the Galois/Counter Mode (GCM) algorithm as used in TLS. Nonce reuse in GCM allows an attacker to recover the authentication key and forge messages as described by Joux. With an Internet-wide scan we identified over 70,000 HTTPS servers that are at risk of nonce reuse. We also identified 184 HTTPS servers repeating nonces directly in a short connection. Affected servers include large corporations, financial institutions, and a credit card company. We implement a proof of concept attack allowing us to violate the authenticity of affected HTTPS connections and inject content.