52 GCM should not be allowed to be mixed with SHA

Created: 23 Jul 2024

Status: Triage

Part: Part 4 (2018, Edition 1.1)

Links:

Page: 78

Clause: 17.6

Paragraph: Table 11

Issue

The mixture of GCM/GMAC with other suites should be prohibited.

Proposal

Add a condition that mutually excludes GCM from the other suites.

Discussion Created Status
I have to retract proposal 5 regarding the avoidance of the combination of AES-CBC and AES-GMAC. After verifying in NIST SP800-38D and RFC 9044, AES-GMAC does not produce ciphertext. This would argue for keeping the combination of AES-CBC and AES-GMAC. The statement that in this combination ciphertext is produced twice was not correct.

In any case, being specific regarding the OID when referring to AES-GMAC (proposals 1-4) is still valid.

TISSUE 53 and TISSUE 55 will address the IV handling for AES, which is connected to this tissue.
05 Sep 24 Triage
I think the issue "The mixture of GCM/GMAC with other suites should be prohibited." is not correct from a cryptographic point of view, but may be done for practical reasons.

The intention in Part 4 was to enable the use of AES in GMAC mode also for integrity protection. This is possible as outlined in 13.4.2 a). The authenticator is defined as a sequence holding the nonce as initialization vector for AES-GCM. Indicating AES-GCM as Supported-ICV-Algorithm should clarify the mode, but I have to admit that the definition and description may not be clear immediately and may cause different interpretations. As there are separate OIDs for the GMAC operation mode of AES, I would align with the previous comment and use the specific OID and naming to avoid misinterpretation.

Therefore I would propose the following:

Proposal 1 to add at the end of clause 8.8:
"If AES-GCM is used as MAC algorithm it is operated in GMAC mode and can be identified by a dedicated OID.

aes128-GMAC ALGORITHM ::= {
PARMS GCMParameters
IDENTIFIED BY id-aes128-GMAC }

aes256-GMAC ALGORITHM ::= {
PARMS GCMParameters
IDENTIFIED BY id-aes256-GMAC }

The associated object identifiers are allocated as:
id-aes128-GMAC OBJECT IDENTIFIER ::= { aes 9 }
id-aes256-GMAC OBJECT IDENTIFIER ::= { aes 49 }

GCMParameters is used as defined in clause 8.7."


Proposal 2 to add the following to Clause 13.4.2 a)
"If AES-GCM is used to calculate an ICV, it is used in GMAC mode. This is indicated by placing aes128-GMAC or aes256-GMAC into the list of Supported-ICV-Algorithms."


Proposal 3 to change the two entries in Table 11 for the integrity check value algorithms from
- aes128-GCM to aes128-GMAC and
- aes256-GCM to aes256-GMAC.


Proposal 4 to add the following to the ASN.1 definition in Annex B

aes128-GMAC ALGORITHM ::= {
PARMS GCMParameters
IDENTIFIED BY id-aes128-GMAC }

aes256-GMAC ALGORITHM ::= {
PARMS GCMParameters
IDENTIFIED BY id-aes256-GMAC }

id-aes128-GMAC OBJECT IDENTIFIER ::= { aes 9 }

id-aes256-GMAC OBJECT IDENTIFIER ::= { aes 49 }


Proposal 5 addresses the combination option. Technically it is possible to combine AES-CBC for encryption and AES-GMAC for integrity protection, but this may be rather an unusual combination as AES-GMAC performs AES-GCM and only uses the authentication tag without the encrypted part of the input. Thus combining AES-CBC and AES-GMAC leads to performing encryption twice, but only the AES-CBC encrypted part is placed in the message.
Proposal for clause 8.7
Replace "When used for integrity and authentication only, i.e., as GMAC, it may be combined with AES-CBC encryption."
with "AES-GCM may also be used for integrity and authentication only, i.e., as GMAC as described in clause 8.8. The combination with AES-CBC encryption is technically possible but should be avoided."
23 Aug 24 Triage
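The proposals above rest on one point: aes128-GMAC / aes256-GMAC are distinct object identifiers from aes128-GCM / aes256-GCM, so a receiver can tell the integrity-only mode from the AEAD mode by the OID alone instead of inferring it from the Supported-ICV-Algorithms list. The following is an added example (not part of the tissue, IEC 62351-4 or RFC 9044) that DER-encodes and decodes an AlgorithmIdentifier carrying GCMParameters for both the GCM and the GMAC OIDs, using the { aes 9 } and { aes 49 } values quoted in the proposals and the { aes 6 } / { aes 46 } GCM values from RFC 5084. The helper names, the constructed nonce and the strict decoder checks are this example's own assumptions; the decoder rejects an encoding that spells out the DEFAULT ICV length (DER forbids it) and an ICV length outside the 12..16 range allowed by AES-GCM-ICVlen.

```python
# Added example: DER encoding of AlgorithmIdentifier { OID, GCMParameters } for
# the AES-GCM and AES-GMAC object identifiers. Helper names are hypothetical.

AES_ARC = "2.16.840.1.101.3.4.1"  # the 'aes' arc (NIST CSOR), as used by RFC 5084 / RFC 9044
OIDS = {
    "aes128-GCM":  AES_ARC + ".6",   # { aes 6 },  RFC 5084
    "aes256-GCM":  AES_ARC + ".46",  # { aes 46 }, RFC 5084
    "aes128-GMAC": AES_ARC + ".9",   # { aes 9 },  RFC 9044 (proposals 1 and 4)
    "aes256-GMAC": AES_ARC + ".49",  # { aes 49 }, RFC 9044 (proposals 1 and 4)
}
NAMES = {v: k for k, v in OIDS.items()}
SAMPLE_NONCE = bytes(range(12))  # constructed 96-bit nonce for the demonstration


def _der_len(n):
    """DER definite-length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _base128(v):
    """Big-endian base-128 encoding of one OID arc, continuation bit on all but the last byte."""
    out = [v & 0x7F]
    v >>= 7
    while v:
        out.append(0x80 | (v & 0x7F))
        v >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06); the first two arcs share one value 40*a0 + a1."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, body)


def encode_gcm_parameters(nonce, icv_len=12):
    """GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING, aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }."""
    if icv_len not in (12, 13, 14, 15, 16):
        raise ValueError("AES-GCM-ICVlen must be 12..16")
    body = _tlv(0x04, nonce)
    if icv_len != 12:  # DER: a component equal to its DEFAULT value is omitted
        body += _tlv(0x02, bytes([icv_len]))
    return _tlv(0x30, body)


def encode_algorithm_identifier(name, nonce, icv_len=12):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters GCMParameters }."""
    return _tlv(0x30, encode_oid(OIDS[name]) + encode_gcm_parameters(nonce, icv_len))


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV starting at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body):
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_algorithm_identifier(der):
    """Strictly parse AlgorithmIdentifier + GCMParameters; returns (name-or-oid, nonce, icv_len)."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, oid_body, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected algorithm OBJECT IDENTIFIER")
    oid = decode_oid(oid_body)
    tag, params, pos = _read_tlv(seq, pos)
    if tag != 0x30 or pos != len(seq):
        raise ValueError("expected GCMParameters SEQUENCE")
    tag, nonce, p = _read_tlv(params, 0)
    if tag != 0x04:
        raise ValueError("expected aes-nonce OCTET STRING")
    icv_len = 12
    if p < len(params):
        tag, v, p = _read_tlv(params, p)
        if tag != 0x02:
            raise ValueError("expected aes-ICVlen INTEGER")
        icv_len = int.from_bytes(v, "big")
        if icv_len == 12:
            raise ValueError("DEFAULT value must be omitted in DER")
    if icv_len not in (12, 13, 14, 15, 16):
        raise ValueError("AES-GCM-ICVlen out of range")
    return NAMES.get(oid, oid), nonce, icv_len


def is_integrity_only(name):
    """True for the GMAC OIDs, which carry a tag only and never ciphertext."""
    return name.endswith("-GMAC")


if __name__ == "__main__":
    for name in OIDS:
        der = encode_algorithm_identifier(name, SAMPLE_NONCE)
        print(name, der.hex(), decode_algorithm_identifier(der))
```

With a dedicated OID the receiver decides "integrity only" from the parsed identifier, and both modes still share the GCMParameters syntax, so the nonce handling that TISSUE 53 and 55 are to address applies to the GMAC identifier unchanged.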
I believe the comment is valid.
In Table 11 aes128-GCM and aes256-GCM should be removed from the Integrity check value algorithms.
Instead we could add the aes128-GMAC and aes256-GMAC as Integrity check value algorithms. For these algorithms there is now also an ASN.1 definition (see RFC 9044).
I would then also propose to add aes128-GMAC and aes256-GMAC to clause 8.8
22 Aug 24 Triage
A more detailed explanation of the problem would be helpful.
02 Aug 24 Triage


Tissue DB v. 24.4.30.1