The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)

Viega, John; McGrew, David

doi:10.17487/rfc4106

Cited by 65 publications

(52 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This makes it vulnerable to an IV replacement attack. AES-GCM for IPsec is described in [49]. It involves an 8 byte IV which is transmitted for every packet.…”

Section: Defeating Asasmentioning

confidence: 99%

“…It involves an 8 byte IV which is transmitted for every packet. According to [49], the only requirement is that the IV be unique, though using a counter is mentioned as the most natural way to achieve this property. This flexibility means that an implementation of AES-GCM in IPsec can be RFC-compliant but still vulnerable to an IV replacement attack.…”

Section: Defeating Asasmentioning

confidence: 99%

See 1 more Smart Citation

Security of Symmetric Encryption against Mass Surveillance

Bellare

Paterson

Rogaway

2014

Lecture Notes in Computer Science

147

208

View full text Add to dashboard Cite

Abstract. Motivated by revelations concerning population-wide surveillance of encrypted communications, we formalize and investigate the resistance of symmetric encryption schemes to mass surveillance. The focus is on algorithm-substitution attacks (ASAs), where a subverted encryption algorithm replaces the real one. We assume that the goal of "big brother" is undetectable subversion, meaning that ciphertexts produced by the subverted encryption algorithm should reveal plaintexts to big brother yet be indistinguishable to users from those produced by the real encryption scheme. We formalize security notions to capture this goal and then offer both attacks and defenses. In the first category we show that successful (from the point of view of big brother) ASAs may be mounted on a large class of common symmetric encryption schemes. In the second category we show how to design symmetric encryption schemes that avoid such attacks and meet our notion of security. The lesson that emerges is the danger of choice: randomized, stateless schemes are subject to attack while deterministic, stateful ones are not.

show abstract

“…This makes it vulnerable to an IV replacement attack. AES-GCM for IPsec is described in [49]. It involves an 8 byte IV which is transmitted for every packet.…”

Section: Defeating Asasmentioning

confidence: 99%

Section: Defeating Asasmentioning

confidence: 99%

Security of Symmetric Encryption against Mass Surveillance

Bellare

Paterson

Rogaway

2014

Lecture Notes in Computer Science

147

208

View full text Add to dashboard Cite

show abstract

“…It relies on non-repeating IV (or nonce), e.g. CCM [16], EAX [4], GCM [36], CHM [17], CWC [22], Sarkar's generic construction [35] and dedicated Stream Ciphers like Grain [15], Helix [10], Zuc [2] etc. All these constructions combine counter type encryption and a Mac.…”

Section: Examples Of Authenticated Encryptionsmentioning

confidence: 99%

ELmE: A Misuse Resistant Parallel Authenticated Encryption

Datta

Nandi

2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. The authenticated encryptions which resist misuse of initial value (or nonce) at some desired level of privacy are two-pass or Macthen-Encrypt constructions (inherently inefficient but provide full privacy) and online constructions, e.g., McOE, sponge-type authenticated encryptions (such as duplex, AEGIS) and COPA. Only the last one is almost parallelizable with some bottleneck in processing associated data. In this paper, we design a new online secure authenticated encryption, called ELmE or Encrypt-Linear mix-Encrypt, which is completely (twostage) parallel (even in associated data) and pipeline implementable. It also provides full privacy when associated data (which includes initial value) is not repeated. The basic idea of our construction and COPA are based on EME, an Encrypt-Mix-Encrypt type SPRP constructions (secure against chosen plaintext and ciphertext). Unlike EME, we consider online computable efficient linear mixing. Our construction optionally supports intermediate tags, which can be verified faster with less buffer size to provide security against block-wise adversaries which is meaningful in low-end device implementation.

show abstract

“…That characterization now applies to AES GCM [RFC4106], which provides both encryption and integrity protection in a single cryptographic When IPsec is used, the receipt of an IKEv1 Phase 2 delete message or an IKEv2 INFORMATIONAL exchange that deletes the SA SHOULD NOT be interpreted as a reason for tearing down the block storage protocol connection (e.g., TCP-based). If additional traffic is sent, a new SA will be created to protect that traffic.…”

Section: Esp Requirementsmentioning

confidence: 99%

“…If both IPsec v2 and v3 are supported by both endpoints of a block storage protocol connection, the use of IPsec v3 is RECOMMENDED. Of particular interest are the security considerations concerning the use of AES GCM [RFC4106] and AES GMAC [RFC4543]; both modes are vulnerable to catastrophic forgery attacks if a nonce is ever repeated with a given key.…”

Section: Esp Requirementsmentioning

confidence: 99%

Securing Block Storage Protocols over IP: RFC 3723 Requirements Update for IPsec v3

Black¹

2014

View full text Add to dashboard Cite

show abstract

The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)

Cited by 65 publications

References 7 publications

Security of Symmetric Encryption against Mass Surveillance

Security of Symmetric Encryption against Mass Surveillance

ELmE: A Misuse Resistant Parallel Authenticated Encryption

Securing Block Storage Protocols over IP: RFC 3723 Requirements Update for IPsec v3

Contact Info

Product

Resources

About