Score:0

CTR HMAC SHA1 vs GCM Key management


The protocol SRTP uses by default AES in CTR mode with HMAC-SHA1. For my thesis I want to research whether GCM would be a better option. Therefore I read the following discussion.

There the answer was that GCM mode is better among other things because GCM just needs one key for encryption and message authentication and CTR+SHA1 needs two for these things.

But can't I use just one key for CTR+SHA1? Couldn't I reuse the same key for encryption with CTR mode and then maybe trim or expand the same key to use it with SHA1 to authenticate the message?

Are there any security drawbacks or other things I forgot to consider?

kelalaka:
You can find GCM forgery bounds [here](https://crypto.stackexchange.com/a/67367/18298), and using the same key in CTR and HMAC is not a problem. And remember, AES-GCM uses one key; however, the keys for CTR and GHASH are not the same...
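What the question describes (one key serving both CTR and HMAC) is normally done by deriving independent working keys from the one master key rather than reusing it raw, which is also the sense of the comment above that AES-GCM takes one input key but uses distinct keys for CTR and GHASH. The following is an added example, not code from the question, the comment, or SRTP's own specification: HKDF (RFC 5869) splits a master key into encryption, authentication and salt material, and the packet is then protected with encrypt-then-MAC using a truncated HMAC-SHA1 tag. The info labels, the packet layout and the 2-byte sequence number in the nonce are constructed for this example, and HMAC-SHA256 stands in for AES as the CTR block function so the code runs on the Python standard library alone (an assumption; real SRTP uses AES-CTR).

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(master_key: bytes, master_salt: bytes) -> dict:
    """Split one master key into independent CTR key, HMAC key and salt.
    The info labels are constructed for this example, not SRTP's."""
    prk = hkdf_extract(master_salt, master_key)
    return {"enc": hkdf_expand(prk, b"example-enc", 16),
            "auth": hkdf_expand(prk, b"example-auth", 20),
            "salt": hkdf_expand(prk, b"example-salt", 14)}


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def ctr_keystream(enc_key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """Counter-mode keystream: block function over nonce || counter.
    HMAC-SHA256 stands in for the AES block cipher here (assumption)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def protect(keys: dict, header: bytes, payload: bytes, seq: int, taglen: int = 10) -> bytes:
    """Encrypt-then-MAC: CTR over the payload, HMAC-SHA1 over header || ciphertext,
    tag truncated to taglen bytes. The 2-byte seq in the nonce is constructed."""
    nonce = keys["salt"] + seq.to_bytes(2, "big")
    ct = xor(payload, ctr_keystream(keys["enc"], nonce, len(payload)))
    tag = hmac.new(keys["auth"], header + ct, hashlib.sha1).digest()[:taglen]
    return header + ct + tag


def unprotect(keys: dict, packet: bytes, hdrlen: int, seq: int, taglen: int = 10):
    """Verify the tag in constant time before decrypting; None on failure."""
    header, ct, tag = packet[:hdrlen], packet[hdrlen:-taglen], packet[-taglen:]
    expected = hmac.new(keys["auth"], header + ct, hashlib.sha1).digest()[:taglen]
    if not hmac.compare_digest(expected, tag):
        return None
    nonce = keys["salt"] + seq.to_bytes(2, "big")
    return xor(ct, ctr_keystream(keys["enc"], nonce, len(ct)))


MASTER_KEY = bytes(range(16))  # constructed master key
MASTER_SALT = b"\xaa" * 14     # constructed master salt

if __name__ == "__main__":
    keys = derive_session_keys(MASTER_KEY, MASTER_SALT)
    pkt = protect(keys, b"\x80\x00\x00\x01", b"20 ms of audio", seq=1)
    print(unprotect(keys, pkt, hdrlen=4, seq=1))
```

Both working keys come from the same master secret, so the sender and receiver still share only one key, but a compromise or misuse of the HMAC key tells an attacker nothing about the CTR key, which is the separation the comment refers to.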
Score:2

> Are there any security drawbacks or other things I forgot to consider?

Yes, GCM has security issues with how SRTP would want to use it.

SRTP is designed to have as low a bandwidth overhead (that is, packet size) as possible; SRTP is sometimes used over wireless, and there, packet size is quite expensive. IIRC, the only bandwidth SRTP adds is the integrity tag (the IV, if the mode needs one that never repeats, can be a function of the position in the stream, which is included in the unencrypted section of the packet already); we would like to reduce the tag to be as short as possible (both to reduce the cost, and for SRTP, having someone introduce a single bogus packet isn't all that bad - for audio use, they might be able to modify 20 msec of the voice connection at a not-too-high ($<10^{-6}$) probability, and that was considered tolerable for this use case).

When we get to GCM, we have a problem with short tags. GCM has this property: if we have an encrypted GCM message with IV, ciphertext/tag $(IV, C, T)$ and someone finds a bogus message $(IV, C', T')$ that is accepted (note: the same IV was used, and the ciphertext and tag were modified arbitrarily), then for any future encrypted message $(IV'', C'', T'')$, the message $(IV'', C'' \oplus C \oplus C', T'' \oplus T \oplus T')$ will also be accepted. That is, by finding a single forgery, the attacker can introduce forgeries from here on out.

And, if you have a short tag, then the attacker has a decent probability of finding an accepted bogus message $(IV, C', T')$ by simply guessing various $T'$ values.

A single forgery was considered tolerable; allowing the attacker to generate a continuous stream of forgeries is less so. With GCM, we can avoid this issue by using a long tag (where the probability of randomly guessing it is sufficiently low); however, the use cases for SRTP don't like long tags.

HMAC doesn't have this property; if the attacker does find a forgery $(C', T')$ (HMAC doesn't have an IV), that does not help him to generate any future forgeries.
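The forgery-propagation property this answer describes, and the contrast with HMAC in its last paragraph, demonstrated as an added example (this is not the answer author's code). GHASH and the tag formula $T = \mathrm{MSB}_t(\mathrm{GHASH}_H(A, C) \oplus E_K(J_0))$ follow GCM as specified in NIST SP 800-38D; the AES block cipher is replaced by an HMAC-SHA256 stand-in so the code runs on the Python standard library alone (an assumption; the property depends only on GHASH being linear and on the mask being added by XOR, not on the block cipher). The key, IVs, AAD and ciphertexts are constructed. The forgery tag $T'$ that an attacker would have to guess is computed directly with the key, modelling a guess that succeeded.

```python
import hashlib
import hmac

R = 0xE1 << 120  # GCM reduction constant for x^128 + x^7 + x^2 + x + 1


def gf_mult(x: int, y: int) -> int:
    """Multiplication in GF(2^128) with GCM's bit ordering (SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:   # bit i of x, leftmost bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A, C): zero-padded blocks of A, then C, then the 64-bit bit-length
    block. For fixed H and fixed lengths the result is linear in (A, C)."""
    def blocks(data: bytes):
        for i in range(0, len(data), 16):
            yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")
    y = 0
    for blk in list(blocks(aad)) + list(blocks(ct)):
        y = gf_mult(y ^ blk, h)
    length_block = (len(aad) * 8) << 64 | (len(ct) * 8)
    return gf_mult(y ^ length_block, h)


def block_fn(key: bytes, inp: bytes) -> int:
    """Stand-in for the AES block cipher (assumption): HMAC-SHA256 cut to 128 bits."""
    return int.from_bytes(hmac.new(key, inp, hashlib.sha256).digest()[:16], "big")


def gcm_tag(key: bytes, iv: bytes, aad: bytes, ct: bytes, taglen: int) -> bytes:
    """T = MSB_t(GHASH_H(A, C) xor E_K(J0)), with H = E_K(0^128) and J0 from the IV."""
    h = block_fn(key, bytes(16))
    mask = block_fn(key, b"J0:" + iv)
    return (ghash(h, aad, ct) ^ mask).to_bytes(16, "big")[:taglen]


def gcm_verify(key: bytes, iv: bytes, aad: bytes, ct: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(gcm_tag(key, iv, aad, ct, len(tag)), tag)


def hmac_tag(key: bytes, msg: bytes, taglen: int) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()[:taglen]


def hmac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, msg, len(tag)), tag)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def propagate(c, t, c1, t1, c2, t2):
    """The answer's relation: from (C, T) and an accepted (C', T') under the same
    IV, build (C'' xor C xor C', T'' xor T xor T') for a later message (C'', T'')."""
    return xor(xor(c2, c), c1), xor(xor(t2, t), t1)


def demo(taglen: int = 4) -> dict:
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed key
    aad = b"rtp-hdr"                                          # constructed AAD
    iv, iv2 = bytes(11) + b"\x01", bytes(11) + b"\x02"        # two distinct IVs
    c = bytes(range(40))                                      # constructed ciphertext
    c2 = bytes(40 + i for i in range(40))                     # later message, same length
    t = gcm_tag(key, iv, aad, c, taglen)
    t2 = gcm_tag(key, iv2, aad, c2, taglen)
    # The forgery: same IV, first ciphertext byte altered. An attacker must guess
    # t1 (success 2^-(8*taglen) per try); we compute it to model a successful guess.
    c1 = xor(c, b"\x01" + bytes(39))
    t1 = gcm_tag(key, iv, aad, c1, taglen)
    c3, t3 = propagate(c, t, c1, t1, c2, t2)
    # Same relation applied to HMAC-SHA1 tags under the same key: no structure to exploit.
    ht, ht1, ht2 = (hmac_tag(key, m, taglen) for m in (c, c1, c2))
    hm3, ht3 = propagate(c, ht, c1, ht1, c2, ht2)
    return {"original_ok": gcm_verify(key, iv, aad, c, t),
            "forgery_ok": gcm_verify(key, iv, aad, c1, t1),
            "propagated_gcm_ok": gcm_verify(key, iv2, aad, c3, t3),
            "propagated_hmac_ok": hmac_verify(key, hm3, ht3)}


if __name__ == "__main__":
    print(demo())
```

The propagated GCM forgery verifies under a fresh IV because, with the key unchanged, the AAD unchanged and the ciphertext length unchanged, $\mathrm{GHASH}_H$ is linear and $T \oplus T'$ cancels the mask for the original IV; truncating the tag does not break the relation, so a short tag only lowers the cost of the first guess. The last entry shows the same XOR relation yields nothing against HMAC-SHA1, which is the point of the final paragraph above.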

kelalaka:
The OP clarified after my answer that they consider SRTP. I've deleted my answer (won't undelete) and you can use any ideas that fit.