[Cryptography] AES GCM insecure vs OCB1/OCB3 ??

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Feb 14 05:18:40 EST 2021

Jon Callas <jon at callas.org> writes:

>My apologies for being pedantic, but it's Counter Mode that makes GCM a
>stream cipher. GCM is a CTR stream cipher combined with GHash to get you the
>integrity bits to make it an AEAD.

It's not just a stream cipher, it's RC4 all over again.  And by RC4 I don't
mean the stream cipher with statistical weaknesses, I mean the stream cipher
that almost everyone who used it got wrong over and over and over again, until
automated scanning tools immediately flagged any use of it as a security

I occasionally get asked to audit crypto code, and I don't think I've ever
seen GCM / AES-RC4 used correctly.  In fact I use the presence of AES-RC4 as a
shortcut to where the security vulnerabilities are.  For example recently when
I was asked to analyse a control protocol for critical infrastructure, as soon
as I saw that AES-RC4 was specified I knew that I could skip the four to five
hundred pages of overall specification and only needed to look at the small
subset where AES-RC4 was used.  It took less than ten minutes of skimming the
text, with AES-RC4 to guide me, to find the first (catastrophic)

For the protocols like TLS and SSH that use AES-RC4 and other RC4-equivalents
like ChaCha20 (seen that too a few times, always used wrong), you only have to
look at the incredible convolutions the protocols have to engage in to use it
securely to see why it's so easy to get wrong.  These modes/ciphers default to
insecure.  Any standard developer (i.e. a non-crypto-geek) is practically
guaranteed to use them incorrectly.

Which makes it easy for me to find vulnerabilities during audits, but probably
doesn't do much for security.  Stream ciphers are unsafe at any speed, whether
they're called RC4 or AES-GCM or ChaCha20.
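The property the thread keeps circling, that GCM is CTR-mode keystream plus a tag and so fails like any stream cipher when a nonce repeats, is easy to see in a few lines. The following Go program is an added example, not part of this post or of any library mentioned in it; it uses only Go's standard crypto/aes and crypto/cipher. `NonceReuseLeaksXOR` shows that two messages sealed under the same key and nonce have ciphertexts whose XOR equals the XOR of the plaintexts (the classic two-time pad), and `Sealer` is a hypothetical wrapper showing the mitigation a reviewer would look for: a per-key counter nonce that can never repeat and that refuses to encrypt once exhausted. The key and messages are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NonceReuseLeaksXOR seals p1 and p2 under the same key AND the same nonce
// (the bug) and reports whether c1 XOR c2 == p1 XOR p2 over the shorter
// message. Because GCM encrypts with a CTR keystream, this is always true:
// the tag protects integrity but does nothing for the reused keystream.
func NonceReuseLeaksXOR(key, p1, p2 []byte) (bool, error) {
	aead, err := newGCM(key)
	if err != nil {
		return false, err
	}
	nonce := make([]byte, aead.NonceSize()) // fixed all-zero nonce: deliberately wrong
	c1 := aead.Seal(nil, nonce, p1, nil)
	c2 := aead.Seal(nil, nonce, p2, nil)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	for i := 0; i < n; i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false, nil
		}
	}
	return true, nil
}

// Sealer is a hypothetical mitigation: a per-key monotonic counter nonce.
// The 96-bit nonce is 4 zero bytes followed by a big-endian 64-bit counter,
// so no two Seal calls on the same Sealer ever share a nonce.
type Sealer struct {
	aead    cipher.AEAD
	counter uint64
}

func NewSealer(key []byte) (*Sealer, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag, or an error once the counter
// space is exhausted (the caller must rekey rather than wrap around).
func (s *Sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	if s.counter == ^uint64(0) {
		return nil, errors.New("nonce counter exhausted: rekey before sending more")
	}
	s.counter++
	nonce := make([]byte, s.aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], s.counter)
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag and decrypts a message produced by Seal.
func (s *Sealer) Open(msg, aad []byte) ([]byte, error) {
	ns := s.aead.NonceSize()
	if len(msg) < ns+s.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return s.aead.Open(nil, msg[:ns], msg[ns:], aad)
}

func main() {
	key := make([]byte, 32) // constructed demo key; use a random key in practice
	for i := range key {
		key[i] = 0x42
	}
	leaks, _ := NonceReuseLeaksXOR(key, []byte("attack at dawn"), []byte("attack at noon"))
	fmt.Println("nonce reuse exposes p1 XOR p2:", leaks)

	s, _ := NewSealer(key)
	c1, _ := s.Seal([]byte("hello"), nil)
	c2, _ := s.Seal([]byte("hello"), nil)
	fmt.Printf("same plaintext, different nonces: %x vs %x\n", c1[:12], c2[:12])
}
```

The counter nonce matters beyond avoiding accidental reuse: a 96-bit random nonce is only safe for roughly 2^32 messages per key before a repeat becomes likely, whereas a counter lets the exhaustion condition be checked explicitly, as `Seal` does here.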

