Score:1

Crypto

Is AES GCM without GMAC vulnerable against known plaintext attack?

MichaelW

6/7/23, 2:04 PM

Is AES GCM without GMAC vulnerable against bit-flip attacks? Let's assume the plaintext is known for some reason (e.g. it can be guessed). In my opinion, I can flip bits in the ciphered blocks and can so generate a plaintext, which is flipped at the same position. So it would be easy to change 0x01 to 0x00 in the plaintext, even when I don't know the key or Initialization vector.

Did I oversee something?

105

0 + 0

encryption

known-plaintext-attack

ctr

aes-gcm

Martin Thompson

6/7/23, 2:15 PM

Do you mean "Lets assume the *plaintext* is known"?

Marc Ilunga

6/7/23, 2:19 PM

HMAC ensures integrity, without it there is no way for the receiver to check that the ciphertext wasn't tampered with. Therefore, a number of attacks apply and in particular simple bitflips.

MichaelW

6/7/23, 2:24 PM

Sorry, I mean "Lets assume the plaintext is known"

MichaelW

6/7/23, 2:25 PM

I talk about GMAC, not HMAC.

Martin Thompson

6/7/23, 2:27 PM

As far as I understand, GCM mode is *defined* to include the authentication code - from the spec "The two functions that comprise GCM are called authenticated encryption and authenticated decryption"... so without the GMAC, it is potentially vulnerable to all kinds of attacks. But you're not supposed to do that :)

MichaelW

6/7/23, 2:30 PM

I work for a real world project. There it can be chosen to use just encryption (GCM) or encryption + authentication (GCM/GMAC). There was a discussion to use GCM without GMAC, but I think for the reasons above this is quite dangerous.

Marc Ilunga

6/7/23, 2:34 PM

Seems my autocorrect prefers HMAC to GMAC. Anyway, the statement should still hold. An addition could be that without GMAC, we fallback on CTR.

poncho

6/7/23, 3:47 PM

If they are discussing 'lets do GCM without passing or validating the tag', they're effectively saying 'lets use a broken version of GCM'. If they don't/can't spend the bandwidth to send the GCM tag, they shouldn't be using GCM at all.

Score:2

Crypto

kelalaka

6/7/23, 2:57 PM

As an Authenticated Encryption with Associated Data, AES-GCM internally uses CTR mode and GCM adds authentication and integrity. Without GCM one can have only Ind-CPA security.

CTR in AES-GCM starts IV incremented ($inc_{32}(J_0)$ in NIST format and if IV size is not 96-bit then the IV is processed). The initial $J_0$ is used in the authentication tag calculation.

The rest is the usual CTR mode. If one knows the message, they can change the message into whatever message they want. Just x-or (the bit-flip attack) the necessary bits.

Consider the encryption. One has no control of the output stream. On the other hand, if the ciphertext is modified, only the plaintext is changed. Or see in the equation;

$$C_i = O_i \oplus P_i$$ The output stream $O_i$ is fixed by the block cipher encryption therefore changing the $C_i$ modifies the $P_i$.

This is, however, is not a known-plaintext attack! In a known-plaintext attack, one has known-plaintext pairs and tries to determine the key. CTR mode is secure against KPA attacks and actually, that is a lesser attack than Ind-CPA.

0 + 0

MichaelW

6/7/23, 5:55 PM

Ah... and what kind of attack would be the bit-flipping which modifies a known plaintext by flipping bits in the ciphertext? Or isn't this an attack, because it is trivial?

kelalaka

6/7/23, 5:59 PM

In general terms, it is an active attack that modifies the ciphertext. In specific, it is a bit-flipping attack even [CBC mode has bit flipping attack](https://crypto.stackexchange.com/a/66086/18298)

MichaelW

6/7/23, 6:02 PM

But anyway, in practical terms I can state, that GCM without GMAC is not secure when the plain text can be guessed? Right?

kelalaka

6/7/23, 6:18 PM

Remember, the main target of attackers in the encryption is accessing the message which doesn't mean that one has reached the key with brute force or other means. In general, it is revealed with the key. In your case, once you reveal the message, now you have a known-plaintext pair to attack with at least KPA. Remember CTR mode Ind-CPA secure.

kelalaka

6/7/23, 6:19 PM

Guessing the message makes the attack easier in the case if the IV-reuse under the same key. This will reveal the other message not the key.

MichaelW

6/7/23, 6:37 PM

Lets say there is a command to be transmitted to a power plant, which can be "Set Status=0" and "set Status=1". If Mallory in the middle can guess that the first command is transmitted, he can, just by bit-flipping, change 0 to 1 without knowing the key and without re-using the IV. If "1" means for instance "switch off power plant", Mallory can easily cause big harm. However, when the command is additionally protected by authentication tag and each IV is used only once, this scenario cannot happen. This is a simple version of my real world problem. Do you think my fears are realistic?

kelalaka

6/7/23, 7:01 PM

[The games we played in the Ind-CPA, Ind-CCAx](https://crypto.stackexchange.com/q/26689/18298) we talk about a single bit with multiple tries of the adversary. We expect that the advantage of the adversary is $1/2+\epsilon$ where $\epsilon$ is a negligible amount. So the adversary has only a negligible chance of success.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is AES GCM without GMAC vulnerable against known plaintext attack?

TH: AES GCM ที่ไม่มี GMAC เสี่ยงต่อการถูกโจมตีด้วยข้อความธรรมดาหรือไม่

RO: Este AES GCM fără GMAC vulnerabil împotriva atacurilor de text clar cunoscut?

RU: Уязвим ли AES GCM без GMAC к атаке с известным открытым текстом?

VI: AES GCM không có GMAC có dễ bị tấn công bằng văn bản gốc đã biết không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.