Monday, October 06, 2014
How secure are your iPhone 5 and 6?
• All attributes are now encrypted (not only the password)
• AES-GCM is used instead of AES-CBC
AES-GCM has the following problems:
- In the case of nonce reuse, both the integrity and the confidentiality properties are violated. If the same nonce is used twice, an adversary can easily create forged ciphertexts.
- When short tags are used, it is rather easy to produce message forgeries. For instance, if the tag is 32 bits, then after $2^{16}$ forgery attempts and $2^{16}$ encryptions of chosen plaintexts (also of length $2^{16}$), a forged ciphertext can be produced. Once enough forgeries have been found, further forgeries can be created instantaneously.
- The GCM security proof has a flaw. It has recently been repaired, but the new security bounds are far worse for nonces that are not 12 bytes long.
- GCM implementations are vulnerable to timing attacks if they do not use special AES instructions. The vulnerability remains even if AES itself is implemented in constant time. Constant-time implementations of GCM exist, but they are rather slow.
- GCM restricts the total amount of data encrypted under a single key to 60 GBytes, which might be undesirable in the future.
___________________________
99% BAD HARDWARE WEEK: AES-GCM uses 128-bit keys. Thus you can't consider your iPhone 6 data TOP SECRET, but secret, at least under the NSA Suite B classification. Secret means the same as for the iPhone 4 and earlier versions: open to law enforcement upon request! SEEMS THAT THE iPhone IS STILL MORE BENDABLE TOWARD THOSE REQUESTS THAN ADVERTISED BY APPLE!
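The nonce-reuse and data-limit items in the AES-GCM problem list above, as an added Go example that is not code from the original post: NonceReuseLeak shows that two messages sealed under the same key and nonce leak their XOR (so knowing one plaintext reveals the other, with no key recovery), and Sealer is a constructed defensive wrapper that derives every nonce from a never-repeating counter and refuses to encrypt once a caller-chosen byte budget is spent. The key, nonce, plaintexts and any budget value used with it are constructed sample values, and the budget number is the caller's choice, not a figure from the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// newGCM builds AES-GCM with its standard 96-bit nonce and 128-bit tag.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	aead, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return aead
}

// NonceReuseLeak seals p1 and p2 (same length) under one key and nonce and returns
// C1 XOR C2, which equals P1 XOR P2 because the CTR keystream depends only on (key, nonce).
func NonceReuseLeak(key, nonce, p1, p2 []byte) []byte {
	aead := newGCM(key)
	c1 := aead.Seal(nil, nonce, p1, nil)
	c2 := aead.Seal(nil, nonce, p2, nil)
	out := make([]byte, len(p1)) // trailing tag bytes are not compared
	for i := range out {
		out[i] = c1[i] ^ c2[i]
	}
	return out
}

// Sealer is the defensive side: a strictly increasing counter fills the nonce so it
// never repeats under one key, and a caller-chosen byte budget forces key rotation.
type Sealer struct {
	aead         cipher.AEAD
	counter      uint64
	used, budget uint64
}
func NewSealer(key []byte, budget uint64) *Sealer { return &Sealer{aead: newGCM(key), budget: budget} }

// Seal returns nonce || ciphertext || tag, or an error once the budget is spent.
func (s *Sealer) Seal(pt []byte) ([]byte, error) {
	if s.used+uint64(len(pt)) > s.budget {
		return nil, errors.New("aes-gcm: per-key byte budget spent, rotate the key")
	}
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], s.counter) // counter in the low 8 bytes
	s.counter++
	s.used += uint64(len(pt))
	return s.aead.Seal(nonce, nonce, pt, nil), nil
}
```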