We investigate nonce reuse issues with the GCM block cipher mode as used in TLS and focus in particular on AES-GCM, the most widely deployed variant. With an Internet-wide scan we identified 184 HTTPS servers repeating nonces, which fully breaks the authenticity of the connections. Affected servers include large corporations, financial institutions, and a credit card company. We present a proof of concept of our attack that violates the authenticity of affected HTTPS connections, which in turn can be used to inject seemingly valid content into encrypted sessions. Furthermore, we discovered over 70,000 HTTPS servers using random nonces, which puts them at risk of nonce reuse in the unlikely case that large amounts of data are sent via the same session.
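A defender-side check in the spirit of the scan described above, added here as an example and not part of the paper or its dataset: given a raw TLS 1.2 record stream from a single connection, it extracts the 8-byte explicit nonce that RFC 5288 puts at the front of every AES-GCM application-data record, reports whether the peer repeats nonces, counts them up, or draws them at random, and uses the birthday bound to estimate how many random 64-bit nonces a connection can send before a collision becomes likely. The record framing follows RFC 5246/5288; the sample streams, the function names and the 16-byte placeholder that stands in for ciphertext plus tag are all constructed for the example.

```python
"""Check the explicit nonces a TLS 1.2 AES-GCM peer sends for reuse.

Added example (not from the paper or its dataset). Assumes RFC 5288 framing:
each application-data record starts with an 8-byte explicit nonce, and the
full 96-bit GCM nonce is the 4-byte implicit salt from the key block followed
by those 8 bytes, so two records under one key with equal explicit nonces
reuse a GCM nonce. Sample streams below are constructed, not captured.
"""
from collections import Counter
from math import isqrt

APPLICATION_DATA = 0x17   # TLS ContentType application_data
HANDSHAKE = 0x16          # TLS ContentType handshake
EXPLICIT_NONCE_LEN = 8


def explicit_nonces_from_records(stream: bytes) -> list:
    """Walk a raw TLS record stream and collect the explicit nonce of every
    application-data record; other record types are skipped and a truncated
    trailing record ends the walk."""
    nonces = []
    offset = 0
    while offset + 5 <= len(stream):
        content_type = stream[offset]
        length = int.from_bytes(stream[offset + 3:offset + 5], "big")
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # truncated record: nothing reliable left to parse
        if content_type == APPLICATION_DATA and length >= EXPLICIT_NONCE_LEN:
            nonces.append(body[:EXPLICIT_NONCE_LEN])
        offset += 5 + length
    return nonces


def classify_nonces(nonces) -> str:
    """'repeating' if any explicit nonce occurs twice (authenticity broken),
    'counter' if every nonce is the previous one plus one (safe), otherwise
    'random' (safe only while the birthday bound is far away)."""
    if not nonces:
        return "empty"
    if len(set(nonces)) != len(nonces):
        return "repeating"
    values = [int.from_bytes(n, "big") for n in nonces]
    if all(b - a == 1 for a, b in zip(values, values[1:])):
        return "counter"
    return "random"


def duplicate_nonces(nonces) -> dict:
    """Map each reused explicit nonce to how often it was seen."""
    return {n: c for n, c in Counter(nonces).items() if c > 1}


def messages_until_collision(nonce_bits: int, p_num: int, p_den: int) -> int:
    """Roughly how many uniformly random nonces of nonce_bits bits can be sent
    before a collision occurs with probability p_num/p_den, from the birthday
    approximation n^2 / (2N) ~= p with N = 2^nonce_bits."""
    return isqrt(2 * (1 << nonce_bits) * p_num // p_den)


def record(content_type: int, body: bytes) -> bytes:
    """Frame a TLS 1.2 record: type, version 3.3, 16-bit length, body."""
    return bytes([content_type, 3, 3]) + len(body).to_bytes(2, "big") + body


def app_record(explicit_nonce: bytes) -> bytes:
    # 16 placeholder bytes stand in for ciphertext + GCM tag (constructed)
    return record(APPLICATION_DATA, explicit_nonce + b"\x00" * 16)


# Constructed sample streams. The counter stream also carries a handshake
# record up front to show that non-application records are skipped.
COUNTER_STREAM = record(HANDSHAKE, b"\x0e\x00\x00\x00") + b"".join(
    app_record(i.to_bytes(8, "big")) for i in range(1, 6))
REPEATING_STREAM = b"".join(app_record((i % 2).to_bytes(8, "big")) for i in range(4))
RANDOM_STREAM = b"".join(app_record(bytes.fromhex(h)) for h in (
    "7f3a19c2d4e5b601", "0011aabbccddeeff", "99887766554433aa"))


if __name__ == "__main__":
    for name, stream in (("counter", COUNTER_STREAM), ("repeating", REPEATING_STREAM),
                         ("random", RANDOM_STREAM)):
        nonces = explicit_nonces_from_records(stream)
        print(name, "->", classify_nonces(nonces), duplicate_nonces(nonces))
    print("64-bit random nonces, 50% collision after ~", messages_until_collision(64, 1, 2))
```

Two caveats when running this against real traffic: compare nonces only within one connection, since records under different keys may legitimately share explicit nonces, and treat the counter check as a heuristic, because a counter-based implementation may start at any value and only the strict plus-one progression is recognized here. The 2^32 figure the birthday estimate returns for 64-bit random nonces is the point where a single session has a 50% chance of having already reused a nonce.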

Study Details

Study
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS
Cryptology ePrint Archive, Report 2016/475
Authors
Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic
Contact
Aaron Zauner
Tags
TCP/443, masscan, nonce reuse, nonce misuse, GCM

Dataset Details


Note: the fingerprints listed below are SHA-256 hashes, although the original column header labelled them SHA-1.

File Download

File Name                                MetaData     Size     Updated At  SHA-256 Fingerprint
masscan-gcm-https-result.json.xz         unavailable  17 GB    2016-01-02  02079527036BBE97640A63FDCC0BE827277B95C5870A830812C9FFAB31B7C777
noncerun100_result.xz                    unavailable  7.9 GB   2016-01-17  7DF71A0932ED1697C1231F9C46094D755508B929C1351BD9407F22A63E85A250
noncerun_result.xz                       unavailable  8.8 GB   2016-01-04  250087DFC19E1A7EF1663CDF2BC042B0E77366B86DAD3A580A234B3A80B48C66
parallel_job.log.xz                      unavailable  524 MB   2016-01-17  9A83F1D6A1F3D925022F2A3C48DB4B62BFA367647A6EEBD5AED642045D0BE39A
masscan-gcm-https-result.json.xz.sha256  unavailable  unknown  unknown     unavailable
noncerun100_result.xz.sha256             unavailable  unknown  unknown     unavailable
noncerun_result.xz.sha256                unavailable  unknown  unknown     unavailable
parallel_job.log.xz.sha256               unavailable  unknown  unknown     unavailable