
I have a question about AES-GCM: how can I avoid replay attacks? We have 2 users (Alice and Bob). After the entities negotiate crypto parameters and generate a symmetric key, they'll exchange encrypted messages.

The possible encryption algorithms are two: AES-128-GCM and AES-128-CBC. By using AES-128-GCM, Alice and Bob choose the following parameters:

  • $IV=nonce$ where $nonce$ is a pseudorandom number
  • $AAD="static-data"$
  • $K$, a 128 bit key
  • $D$, the plaintext

Now we suppose that in order to avoid replay attacks, I want to use a timestamp $t$. Is it correct that Alice sends the ciphertext $CT=E_K(IV,AAD,D)$ to Bob together with a timestamp $t$, like $CT||t$, or encrypts the timestamp in the ciphertext (and in this case the plaintext $D$ becomes $D||t$) in order to avoid replay attacks?


1 Answer

Is it correct that Alice sends the ciphertext $CT=E_K(IV,AAD,D)$ to Bob together with a timestamp $t$, like $CT||t$

That doesn't work; here, GCM doesn't protect $t$; the attacker can easily change it to anything he wants, and GCM will never notice.

Now, you could expand the AAD to include the value $t$, that is, we have $CT=E_K(IV,AAD || t,D)$. With that change, this is safe. What this does is cryptographically bind the value $t$ to the ciphertext (the GCM tag); if the attacker modifies it, then the tag would not validate.

or encrypts the timestamp in the ciphertext (and in this case the plaintext $D$ becomes $D||t$)

That also works; in this case, $t$ is cryptographically bound to the ciphertext, and hence cannot be modified.

The main difference between the two is whether the timestamp is in the clear or not.

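The answer's first variant (t sent in the clear but bound through the AAD) together with the freshness check Bob still has to perform on it, as an added Go example using the standard library's AES-GCM; it is not code from the question or the answer. The fixed demo key, the 8-byte big-endian timestamp field, the 30-second window and the in-memory set of accepted nonces are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var block, _ = aes.NewCipher([]byte("0123456789abcdef")) // constructed demo key, not a real K
var aead, _ = cipher.NewGCM(block)                        // AES-128-GCM, 96-bit IV, 128-bit tag
const staticAAD = "static-data"                           // the AAD from the question
const window = 30                                         // assumed: seconds of skew Bob tolerates
var seen = map[string]bool{}                              // assumed: nonces Bob already accepted
var errReject = errors.New("short, stale or repeated message")

// seal returns nonce||t||CT with CT = GCM(K, nonce, AAD||t, D): t is sent in the
// clear but covered by the tag (the answer's first variant).
func seal(t uint64, plaintext []byte) []byte {
	nonce := make([]byte, aead.NonceSize()) // fresh random IV per message
	rand.Read(nonce)
	tb := binary.BigEndian.AppendUint64(nil, t)
	hdr := append(append([]byte{}, nonce...), tb...)
	return aead.Seal(hdr, nonce, plaintext, append([]byte(staticAAD), tb...))
}

// open is Bob's check: reject stale or repeated messages, then verify the tag
// with the same AAD||t, so a timestamp altered in transit fails authentication.
func open(msg []byte, now uint64) ([]byte, error) {
	ns := aead.NonceSize()
	if len(msg) < ns+8+aead.Overhead() {
		return nil, errReject
	}
	nonce, tb, ct := msg[:ns], msg[ns:ns+8], msg[ns+8:]
	t := binary.BigEndian.Uint64(tb)
	if t+window < now || now+window < t || seen[string(nonce)] {
		return nil, errReject
	}
	pt, err := aead.Open(nil, nonce, ct, append([]byte(staticAAD), tb...))
	if err != nil {
		return nil, err // any change to t, nonce or CT fails the tag check
	}
	seen[string(nonce)] = true // remember only messages that authenticated
	return pt, nil
}

func main() {
	msg := seal(1000, []byte("hello Bob"))
	_, fresh := open(msg, 1005)
	_, replay := open(msg, 1010) // the same bytes delivered again
	forged := seal(1000, []byte("hello Bob"))
	binary.BigEndian.PutUint64(forged[12:20], 1500) // clear-text t changed in transit
	_, altered := open(forged, 1500)
	fmt.Println(fresh, replay, altered)
}
```

With t in the AAD the receiver can read the timestamp before decrypting, which is what allows the cheap freshness check to run first; with the answer's second variant (t inside D) the same check runs after a successful Open instead.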
