Score:1

How does AES-GCM and AES-CCM provide authenticity?


My lecture notes state that of the AES operating modes ECB, CBC, CTR, CCM (CTR+CBC MAC) and GCM, only CCM and GCM provide authenticity. In CCM, as I understand it, the authenticity lies in the MAC, i.e. the symmetric key.

AES-GCM calculates the authentication tag (AT) using, among other things, the additional authenticated data (AAD) and the symmetric key. According to the specification, the AAD must remain unencrypted.

  • How then is the AAD supposed to be authentic? (Example?)
  • Does the authenticity of AES-GCM then also lie in the symmetric key?
  • If yes, why are the other operating modes not authentic if they also use a symmetric key?
DannyNiu: IETF has an RFC for starters: https://datatracker.ietf.org/doc/html/rfc5116
Score:1

Both GCM and CCM turn a regular block cipher into what we call an AEAD (authenticated encryption with additional data). Both algorithms provide encryption with what is effectively counter (CTR) mode and a MAC, combined into one algorithm with a single nonce and key.

The difference in how CCM and GCM authenticate the data is the major difference in the modes. CCM uses a variant of CBC-MAC to authenticate the data and GCM uses a polynomial (Carter-Wegman-style) MAC. Due to the requirements of using CBC-MAC in a secure way, the length is prefixed to the data, so with CCM one must typically know the data length ahead of time, whereas GCM doesn't have this problem.

Both algorithms require the use of a unique nonce plus a symmetric key. Anyone who knows the symmetric key can encrypt and decrypt data as well as create and verify valid messages.

The reason that ECB, CBC, CTR, CFB, OFB, and the like don't provide authenticity is that they only encrypt the data. An AEAD produces encrypted data plus a tag, which is traditionally appended to the message. This tag (and its correct verification) provides authenticity, and can be thought of as the output of a MAC. However, the five modes I mentioned above don't provide a tag, and as a result, they don't provide any authenticity. As a result, they should be used with a standalone MAC, such as HMAC with a secure hash function, in almost all cases.

The additional data is usually unencrypted for practical reasons. For example, in TLS, the packet header and sequence number are authenticated, but the packet header cannot be encrypted (since it's needed to parse the data properly) and the sequence number is not sent at all (it's an increasing integer kept as part of the state). This approach prevents replay attacks and, in some protocols, things like protocol downgrades. In any event, any change to either the encrypted message or the additional data will cause the tag to fail to verify with very high probability, and thus the message will be rejected.
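The following Go program is an added illustration of the answer's two points (an unauthenticated mode such as CTR gives the receiver nothing to check, while an AEAD's tag covers both the ciphertext and the unencrypted AAD). It is not code from the question, the answer or any project; it uses only the Go standard library's crypto/aes and crypto/cipher, and the key, IV, nonce, plaintext and header-like AAD are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo material. A real system derives the key from a key
// agreement (e.g. the TLS handshake) and never reuses a nonce under one key.
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256 key (constructed)
	demoIV    = []byte("0123456789abcdef")                 // 16 bytes: CTR counter block (constructed)
	demoNonce = []byte("unique-nonce")                     // 12 bytes: standard GCM nonce (constructed)
	demoPT    = []byte("transfer 100 EUR")                 // constructed plaintext
	demoAAD   = []byte("seq=1;ver=TLS1.3")                 // constructed AAD, sent in the clear
)

// ctrXOR is plain AES-CTR. Encryption and decryption are the same keystream
// XOR, and no tag is produced, so the receiver has nothing to verify.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns ciphertext||tag; the tag is computed over plaintext and AAD.
func gcmSeal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen checks the tag against ciphertext and AAD before releasing plaintext.
func gcmOpen(key, nonce, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, aad)
}

// flipBit returns a copy of b with the lowest bit of byte i inverted.
func flipBit(b []byte, i int) []byte {
	c := append([]byte(nil), b...)
	c[i] ^= 0x01
	return c
}

// CtrTamperingUndetected: flipping one ciphertext bit flips the same plaintext
// bit ("100" becomes "000") and CTR decryption reports no error.
func CtrTamperingUndetected() (bool, error) {
	ct, err := ctrXOR(demoKey, demoIV, demoPT)
	if err != nil {
		return false, err
	}
	dec, err := ctrXOR(demoKey, demoIV, flipBit(ct, 9))
	if err != nil {
		return false, err
	}
	return bytes.Equal(dec, flipBit(demoPT, 9)), nil
}

// GcmRoundTrip: the key holder recovers the plaintext when nothing was modified.
func GcmRoundTrip() ([]byte, error) {
	sealed, err := gcmSeal(demoKey, demoNonce, demoPT, demoAAD)
	if err != nil {
		return nil, err
	}
	return gcmOpen(demoKey, demoNonce, sealed, demoAAD)
}

// GcmRejectsCiphertextChange: the same single-bit flip now fails verification.
func GcmRejectsCiphertextChange() (bool, error) {
	sealed, err := gcmSeal(demoKey, demoNonce, demoPT, demoAAD)
	if err != nil {
		return false, err
	}
	_, err = gcmOpen(demoKey, demoNonce, flipBit(sealed, 9), demoAAD)
	return err != nil, nil
}

// GcmRejectsAADChange: the AAD is never encrypted, yet changing it (here the
// sequence number) fails verification because the tag was computed over it.
func GcmRejectsAADChange() (bool, error) {
	sealed, err := gcmSeal(demoKey, demoNonce, demoPT, demoAAD)
	if err != nil {
		return false, err
	}
	_, err = gcmOpen(demoKey, demoNonce, sealed, []byte("seq=2;ver=TLS1.3"))
	return err != nil, nil
}

func main() {
	ctr, _ := CtrTamperingUndetected()
	rt, _ := GcmRoundTrip()
	c, _ := GcmRejectsCiphertextChange()
	a, _ := GcmRejectsAADChange()
	fmt.Printf("CTR flip undetected: %v; GCM round trip: %q\n", ctr, rt)
	fmt.Printf("GCM rejects ciphertext change: %v, AAD change: %v\n", c, a)
}
```

Note that the same key both seals and opens: whoever holds it can create valid tags as well as verify them, which is why the tag proves "this came from a key holder" and not which party that was.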

user946822: OK, I understand that the "tag" (MAC) in GCM and CCM provides integrity, unlike the other modes of operation. But I am solely concerned with authenticity: "How do I know for sure that I am communicating with A?" As you explained, with GCM, authenticity is ensured by the AAD, as this data is not encrypted but is authenticated by the embedded protocol, for example TLS. With CCM, I don't see the point of authenticity: "How do I know for sure that I have agreed on the symmetric key with A to calculate the CBC-MAC?" At this point, doesn't CCM offer no more authenticity than the other AES modes?
DannyNiu: @user946822 The tag authenticates both the AAD and the encrypted payload, not the other way around. AAD stands for "additionally authenticated data"; it does not authenticate the tag, it's authenticated *by* the tag.
SAI Peregrinus: To know which entity you're communicating with requires a signature of a challenge. Entity authentication is unrelated to message authentication; AEADs only handle the latter. In TLS, the server (and sometimes client) signs a challenge during the same "handshake" where the symmetric AEAD key is generated.
user946822: @SAIPeregrinus Message authentication is precisely the point: this authenticity is based exclusively on the trust that the symmetric key (and the nonce) has been determined with the correct communication partner, right? And this is ensured by the signature in the TLS handshake?
dave_thompson_085: @SAIPeregrinus: not quite. Through TLS1.2, if a forward-secret (FF)DHE or ECDHE key exchange is used, the server signs only the _ServerKeyExchange body_, which _should_ be unique but the client can't enforce it; for plain-RSA key exchange (now rare) there is no signature and the server proves identity by recovering and using the client's PremasterSecret. In either case the client optionally signs the _transcript_, which includes both client and server nonces, and ephemerals if used. In TLS1.3 only xxDHE is used (except for PSK) and both server and optional client signatures are on the transcript.
user946822: I thought about the whole thing again: as I understand it, "message authenticity" with AES-CCM and GCM is only possible through a previous "entity authenticity", for example by a signed (or, as described by @dave_thompson_085, using other methods) exchange of the symmetric key, right?