|
|
| Line 1: |
Line 1: |
| {{copyedit|date=January 2014}}<!-- almost "advertisement" -->
| | They call me Emilia. For years he's been working as a meter reader and it's some thing he really appreciate. Years ago he moved to North Dakota and his family members enjoys it. Body building is what my family and I appreciate.<br><br>My web page ... [http://mcb-law.net/candidiasis-tips-you-have-to-remember/ over the counter std test] |
| '''Galois/Counter Mode''' ('''GCM''') is a [[block cipher modes of operation|mode of operation]] for symmetric key cryptographic [[block cipher]]s that has been widely adopted because of its efficiency and performance. GCM throughput rates for state of the art, high speed communication channels can be achieved with reasonable hardware resources.<ref>Lemsitzer, Wolkerstorfer, Felber, Braendli, Multi-gigabit GCM-AES Architecture Optimized for FPGAs. CHES '07: Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems, 2007.</ref> | |
| It is an [[authenticated encryption]] algorithm designed to provide both data authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128 bits. '''Galois Message Authentication Code''' ('''GMAC''') is an authentication-only variant of the GCM which can be used as an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length.
| |
| | |
| Different block cipher modes of operation can have significantly different performance and efficiency characteristics, even when used with the same block cipher. GCM can take full advantage of parallel processing, and an implementation can make efficient use of an [[instruction pipeline]] or a hardware pipeline. In contrast, the [[Cipher block chaining]] (CBC) mode of operation incurs significant [[pipeline stall]]s that hamper its efficiency and performance.
| |
| | |
| ==Encryption and authentication==
| |
| [[File:GCM-Galois Counter Mode.svg|right|thumb|''GCM encryption operation'']] As the name suggests, GCM mode combines the well-known [[Block cipher modes of operation#Counter (CTR)|counter mode]] of encryption with the new Galois mode of authentication. The key feature is that the [[Galois field]] multiplication used for authentication can be easily computed in parallel thus permitting higher throughput than the authentication algorithms that use chaining modes, like [[Block cipher modes of operation#Cipher-block chaining (CBC)|CBC]]. The GF(2<sup>128</sub>) field used is defined by the polynomial
| |
| | |
| : <math>x^{128} + x^7 + x^2 + x + 1</math>
| |
| | |
| The authentication tag is constructed by feeding blocks of data into the GHASH function, and encrypting the result. This GHASH function is defined by
| |
| | |
| : <math>\text{GHASH}(H,A,C) = X_{m+n+1}</math>
| |
| | |
| where ''H'' is a string of 128 zeros encrypted using the [[block cipher]], ''A'' is data which is only authenticated (not encrypted), ''C'' is the [[ciphertext]], ''m'' is the number of 128 bit blocks in ''A'', ''n'' is the number of 128 bit blocks in ''C'' (the final blocks of ''A'' and ''C'' need not be exactly 128 bits), and the variable ''X''<sub>''i''</sub> for ''i'' = 0, ..., ''m'' + ''n'' + 1 is defined as<ref>{{cite web |url=http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf |title=The Galois/Counter Mode of Operation (GCM) |last1=McGrew |first1=David A. |last2=Viega |first2=John |authorlink2=John Viega |page=5 |year=2005 |accessdate=20 July 2013}} ''Note that there is a typo in the formulas in the article.''</ref>
| |
| | |
| : <math>X_i =
| |
| \begin{cases}
| |
| 0 & \text{for }i=0 \\
| |
| (X_{i-1} \oplus A_i) \cdot H & \text{for }i=1,\ldots, m-1 \\
| |
| (X_{m-1} \oplus (A^*_m\lVert0^{128-v})) \cdot H & \text{for }i=m \\
| |
| (X_{i-1} \oplus C_{i-m}) \cdot H & \text{for }i=m+1,\ldots, m+n-1 \\
| |
| (X_{m+n-1} \oplus (C^*_n\lVert0^{128-u})) \cdot H & \text{for }i=m+n \\
| |
| (X_{m+n} \oplus (\operatorname{len}(A)\lVert \operatorname{len}(C))) \cdot H & \text{for }i=m+n+1 \\
| |
| \end{cases}
| |
| </math>
| |
| | |
| where ''v'' is the bit length of the final block of ''A'', ''u'' is the bit length of the final block of ''C'', and <math> \lVert </math> denotes concatenation of bit strings. Note that this is an iterative algorithm: each ''X''<sub>''i''</sub> depends on ''X''<sub>''i-1''</sub>, and only the final ''X''<sub>''i''</sub> is retained as output.
| |
| | |
| GCM mode was designed by John Viega and David A. McGrew as an improvement to Carter–Wegman Counter [[CWC mode]].
| |
| | |
| On November 26, 2007 [[NIST]] announced the release of NIST Special Publication 800-38D ''Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC'' making GCM and GMAC official standards.
| |
| | |
| ==Use==
| |
| GCM mode is used in the [[IEEE 802.1AE]] (MACsec) Ethernet security, [[802.11ad|IEEE 802.11ad]] (also known as [[WiGig]]), ANSI ([[INCITS]]) [[Fibre Channel]] Security Protocols (FC-SP), [[IEEE P1619]].1 tape storage, [[Internet Engineering Task Force|IETF]] [[IPsec]] standards,<ref>RFC 4106 The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)</ref><ref>RFC 4543 The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH</ref> [[Secure Shell|SSH]] <ref>RFC 5647 AES Galois Counter Mode for the Secure Shell Transport Layer Protocol</ref> and [[Transport Layer Security|TLS]] 1.2.<ref>RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS</ref><ref>RFC 6367 Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)</ref> AES-GCM is included into the [[NSA Suite B Cryptography]].
| |
| | |
| ==Performance==
| |
| GCM is ideal for protecting packetized data, because it has minimum latency and minimum operation overhead.
| |
| | |
| GCM requires one block cipher operation and one 128-bit multiplication in the [[Galois field]] per each block (128 bit) of encrypted and authenticated data. The block cipher operations are easily pipelined or parallelized; the multiplication operations are easily pipelined, and can be parallelized with some modest effort (either by parallelizing the actual operation, or by adapting [[Horner's method]] as described in the original NIST submission, or both).
| |
| | |
| Intel has added the [[CLMUL instruction set|PCLMULQDQ]] instruction, highlighting its use for GCM [http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode]. This instruction enables fast multiplication over GF(2<sup>n</sup>), and can be used with any field representation.
| |
| | |
| Impressive performance results have been published for GCM on a number of platforms. Käsper and Schwabe described a "Faster and Timing-Attack Resistant AES-GCM"
| |
| <ref>Cryptographic Hardware and Embedded Systems — CHES 2009, Lecture Notes in Computer Science 5745, Springer-Verlag (2009), pp 1—17.</ref> that achieves 10.68 cycles per byte AES-GCM authenticated encryption on 64-bit Intel processors. Dai et al. report 3.5 cycles per byte for the same algorithm when using Intel's AES-NI and PCLMULQDQ instructions.<ref>http://groups.google.com/group/cryptopp-users/msg/a688203c2314ef08</ref> Shay Gueron and Vlad Krasnov achieved 2.47 cycles per byte on the 3rd generation Intel processors. Appropriate patch was prepared for the OpenSSL and NSS.<ref>{{cite web|last=Gueron|first=Shay|title=AES-GCM for Efficient Authenticated Encryption – Ending the Reign of HMAC-SHA-1?|url=https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf|work=Workshop on Real-World Cryptography|accessdate=8 February 2013}}</ref>
| |
| | |
| When both authentication and encryption need to be performed on a message, a software implementation can achieve speed gains by overlapping the execution of those operations. Performance is increased by exploiting instruction level parallelism by interleaving operations. This process is called function stitching,<ref>Gopal, V., Feghali, W., Guilford, J., Ozturk, E., Wolrich, G., Dixon, M., Locktyukhin, M., Perminov, M.: Fast Cryptographic Computation on Intel Architecture Via Function Stitching. Intel Corp. (2010) http://download.intel.com/design/intarch/PAPERS/323686.pdf.</ref> and while in principle it can be applied to any combination of cryptographic algorithms, GCM is especially suitable. Manley and Gregg <ref>Raymond Manley, David Gregg, "A Program Generator for Intel AES-NI Instructions", INDOCRYPT 2010</ref> show the ease of optimizing when using function-stitching with GCM, and present a program generator that takes an annotated C version a cryptographic algorithm and generates code that runs well on the target processor.
| |
| | |
| ==Patents==
| |
| According to the [http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-nist-ipr.pdf authors' statement], GCM is unencumbered by patents.
| |
| | |
| ==Security==
| |
| GCM has been proven secure in the [[concrete security model]].<ref>[http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.1.4591] The Security and Performance of the Galois/counter mode (GCM) of Operation, Proceedings of INDOCRYPT 2004, LNCS 3348 (2004)</ref> It is secure when it is used with a block cipher mode of operation that is indistinguishable from a random permutation; however security depends on choosing a unique [[initialization vector]] for every encryption performed with the same key (''see'' [[stream cipher attack]]). For any given key and initialization vector combination, GCM is limited to encrypting 2<sup>39</sup> − 256 bits of plain text. NIST Special Publication 800-38D includes guidelines for initialization vector selection.
| |
| | |
| The authentication strength depends on the length of the authentication tag, as with all symmetric message authentication codes. However, the use of shorter authentication tags with GCM is discouraged. The bit-length of the tag, denoted ''t'', is a security parameter. In general, ''t'' may be any one of the following five values: 128, 120, 112, 104, or 96. For certain applications, ''t'' may be 64 or 32, but the use of these two tag lengths constrains the length of the input data and the lifetime of the key. Appendix C in NIST SP 800-38D provides guidance for these constraints (for example, if ''t'' = 32 and the maximal packet size is 2<sup>10</sup> bytes, then the authentication decryption function should be invoked no more than 2<sup>11</sup> times; if ''t'' = 64 and the maximal packet size is 2<sup>15</sup> bytes, then the authentication decryption function should be invoked no more than 2<sup>32</sup> times).
| |
| | |
| As with any message authentication code, if the adversary chooses a ''t''-bit tag at random, it is expected to be correct for given data with probability 2<sup>−''t''</sup>. With GCM, however, an adversary can choose tags that increase this probability, proportional to the total length of the ciphertext and additional authenticated data (AAD). Consequently, GCM is not well-suited for use with very short tag lengths or very long messages.
| |
| | |
| Ferguson and Saarinen independently described how an attacker can perform optimal attacks against GCM authentication, which meet the lower bound on its security.
| |
| Ferguson showed that, if ''n'' denotes the total number of blocks in the encoding (the input to the GHASH function), then there is a method of constructing a targeted ciphertext forgery that is expected to succeed with a probability of approximately ''n''2<sup> − ''t''</sup>. If the tag length ''t'' is shorter than 128, then each successful forgery in this attack increases the probability that subsequent targeted forgeries will succeed, and leaks information about the hash subkey, ''H''. Eventually, ''H'' may be compromised entirely and the authentication assurance is completely lost.<ref>Niels Ferguson, [http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf Authentication Weaknesses in GCM], 2005-05-20</ref>
| |
| | |
| Independent of this attack, an adversary may attempt to systematically guess many different tags for a given input to authenticated decryption, and thereby increase the probability that one (or more) of them, eventually, will be accepted as valid. For this reason, the system or protocol that implements GCM should monitor and, if necessary, limit the number of unsuccessful verification attempts for each key.
| |
| | |
| Saarinen described GCM [[weak key]]s.<ref name="gcm-ghash-weak-keys">{{cite paper |author=Markku-Juhani O. Saarinen |date=2011-04-20 |title=Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes|publisher=FSE 2012 |url=http://eprint.iacr.org/2011/202 }}</ref> This work gives some valuable insights into how polynomial hash based authentication works. More precisely, this work describes a particular way of forging a GCM message, given a valid GCM message, which works with probability of about (n/2){{sup|128}} for messages that are n*128 bits long. However, this work does not show a more effective attack than was previously known; the success probability in observation 1 of this paper matches that of lemma 2 from the INDOCRYPT 2004 analysis (setting w=128 and l=n*128). Saarinen also described a GCM variant [[Sophie Germain Counter Mode]] (SGCM), continuing the GCM tradition of including a mathematician in the name of the mode.
| |
| | |
| ==See also==
| |
| * [[Block cipher modes of operation]]
| |
| | |
| ==Notes==
| |
| {{reflist|30em}}
| |
| | |
| ==References==
| |
| * [http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf NIST Special Publication 800-38D (November, 2007)] Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication
| |
| | |
| ==External links==
| |
| * [http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf NIST Special Publication SP800-38D defining GCM and GMAC]
| |
| * RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
| |
| * RFC 4543: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
| |
| * RFC 5288: AES Galois Counter Mode (GCM) Cipher Suites for TLS
| |
| * RFC 6367: Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)
| |
| * [http://www.ieee802.org/1/pages/802.1ae.html IEEE 802.1AE - Media Access Control (MAC) Security]
| |
| * [http://siswg.org/ IEEE Security in Storage Working Group] developed the P1619.1 standard
| |
| * [http://www.t11.org/index.htm INCITS T11 Technical Committee] works on [http://www.t11.org/t11/stat.nsf/7db1e1431d9d045f852566dc004cc14d/43b527df16f4b28d85256b9a00653843?OpenDocument Fibre Channel - Security Protocols] project.
| |
| * [http://tools.ietf.org/html/draft-ietf-avt-srtp-aes-gcm-01 AES-GCM and AES-CCM Authenticated Encryption in Secure RTP (SRTP) ]
| |
| | |
| {{Cryptography navbox | block | hash}}
| |
| | |
| {{DEFAULTSORT:Galois Counter Mode}}
| |
| [[Category:Block cipher modes of operation]]
| |
| [[Category:Finite fields]]
| |
| [[Category:Message authentication codes]]
| |
| [[Category:Authenticated-encryption schemes]]
| |