AES Cipher Block Chaining vs Galois/Counter Modes of Operation
If you’re anything like me (in other words, passionate about security and more than a little bit of a perfectionist), one of the first things you’ll notice when you examine the security settings of this website in Google Chrome is that Chrome considers this website to use obsolete cryptography. Why is this? All resources are forcibly served over HTTPS, every certificate that matters in the chain of trust is signed with SHA-2 or better (SHA-1 is still used inside the HMAC that authenticates records, but that is acceptable, since HMAC does not depend on collision resistance and is only vouching for the integrity of the message), and the key exchange is Elliptic Curve Diffie-Hellman, which is not vulnerable to the Logjam attack on weak finite-field Diffie-Hellman groups.
The answer lies in the symmetric cipher used to encrypt the actual contents of the communication between your client and this website’s server. Remember that public-key cryptography is computationally expensive, so a TLS handshake uses it only to establish a shared session key (in older suites by encrypting a random key to the server’s RSA public key, in suites like this one by agreeing on a secret through Diffie-Hellman). Everything after the handshake is protected with a fast symmetric cipher under that session key. That speed difference is the reason key exchange and bulk encryption use different algorithms.
Now, this website uses AES-256-CBC as its symmetric cipher, which is to say the cipher adopted as the Advanced Encryption Standard, with a 256-bit key, operating in Cipher Block Chaining (CBC) mode. In CBC mode each plaintext block is XOR’ed (exclusive or) with the previous ciphertext block before it is encrypted; the very first block is XOR’ed with a random initialization vector (IV) instead. Cryptography leans on XOR because it is perfectly reversible (XOR with the same value again restores the original) and because XOR’ing data with an unpredictable value produces output that is uniformly distributed even when the input is heavily biased. The chaining matters because human text is biased in several ways, such as the relative frequencies of certain letters, and without it (as in ECB mode) identical plaintext blocks would encrypt to identical ciphertext blocks and leak that structure.
Google has decided that CBC mode is obsolete and on its way out. However, as it is still widely used, the only action at this time is the provision of the “obsolete cryptography” message. This was (and still is) a controversial decision on their part, but I am beginning to see the wisdom of it. Because each block’s input depends on the previous ciphertext block, CBC encryption cannot be parallelized (decryption can, since all the ciphertext blocks are already in hand), which costs performance on the sending side. CBC also provides no integrity of its own; TLS bolts a separate MAC on, in MAC-then-encrypt order, and that is exactly what exposes it to padding oracle attacks. Block ciphers only operate on whole blocks, so the last block of a message is padded out to the block size. If the receiver reveals, through an error message or a timing difference, whether that padding decrypted to a valid value, an attacker who can submit modified ciphertexts can turn that single bit of feedback into a full decryption of the message, byte by byte, without ever learning the key. POODLE is an example of such an attack: it combines a padding oracle in SSL 3.0’s CBC construction with a downgrade of the protocol version negotiated by the client.
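To make the chaining and the padding oracle concrete, here is an added example (not code from the original post). It implements CBC with PKCS#7 padding over a stand-in block cipher and then runs the classic padding oracle attack against it. The stand-in cipher, a small Feistel network with HMAC-SHA256 as its round function, is an assumption chosen so the example runs with nothing but the Python standard library; it is not AES, and every name in the block is the example’s own.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, the same size AES uses

# Constructed sample plaintext for the demo (not real data).
SECRET = b"attack at dawn; session=7f3a"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher, NOT AES: a 4-round Feistel network whose round
    function is HMAC-SHA256. It is an invertible 128-bit permutation, which is
    all CBC requires; it exists only to make the mode runnable here."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        f = hmac.new(key, bytes([rnd]) + left, hashlib.sha256).digest()[:8]
        left, right = xor(right, f), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # always pad, even a full block
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")    # this error IS the oracle
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    pt = pkcs7_pad(plaintext)
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        # Plaintext block XOR previous CIPHERTEXT block (the IV for block 0),
        # then encrypt. Block i cannot start until block i-1 is finished.
        prev = toy_block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += xor(toy_block_decrypt(key, blk), prev)   # needs no other block: parallel
        prev = blk
    return pkcs7_unpad(out)


def padding_oracle(key: bytes, iv: bytes, ciphertext: bytes) -> bool:
    """Models a server that leaks whether the padding was valid (error code, timing)."""
    try:
        cbc_decrypt(key, iv, ciphertext)
        return True
    except ValueError:
        return False


def padding_oracle_attack(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    """Recover the plaintext using only the oracle, never touching the key."""
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        # plaintext = D(target) XOR prev. Learn D(target) one byte at a time by
        # sending a forged "previous block" and asking whether padding came out valid.
        dec = bytearray(BLOCK)
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = dec[j] ^ pad       # force already-known bytes to `pad`
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:
                    # Valid padding might be 0x02 0x02 by chance. For a true 0x01,
                    # disturbing the byte to the left must leave the padding valid.
                    check = bytearray(forged)
                    check[pos - 1] ^= 0xFF
                    if not oracle(bytes(check), target):
                        continue
                dec[pos] = guess ^ pad
                break
        recovered += xor(bytes(dec), prev)
    return pkcs7_unpad(recovered)


def demo() -> bytes:
    key, iv = os.urandom(16), os.urandom(16)
    ciphertext = cbc_encrypt(key, iv, SECRET)
    oracle = lambda forged_iv, block: padding_oracle(key, forged_iv, block)
    return padding_oracle_attack(oracle, iv, ciphertext)
```

The attack issues at most 256 queries per plaintext byte and recovers the whole message from the oracle alone. Note that the oracle here only says “valid” or “invalid”; that is all a real server leaks through a distinguishable error or a timing difference, and it is enough.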
The Galois/Counter mode (GCM) of operation (AES-128-GCM), however, works quite differently. As the name suggests, GCM combines counter (CTR) mode encryption with a message authentication code computed by multiplication in a Galois (finite) field. Counter mode turns a block cipher into a stream cipher: rather than encrypting the plaintext directly, it encrypts successive values of an incrementing counter to produce a pseudorandom keystream, and each plaintext block is XOR’ed with its keystream block. Because the counter never repeats within a message, every block is masked with a distinct value. The Galois field component (GHASH) does not encrypt anything; it treats the ciphertext blocks, plus any additional authenticated data, as coefficients of a polynomial over GF(2^128), evaluates that polynomial at a secret point derived from the key, and produces an authentication tag, so any tampering with the ciphertext is detected before a single byte is decrypted. GCM is therefore an authenticated encryption (AEAD) mode, which is precisely what CBC with a bolted-on MAC is not. A 96-bit nonce (GCM’s initialization vector) kicks off the counter; it does not need to be random, but it must never be reused under the same key, because a repeated nonce reuses the keystream and also exposes the authentication subkey.
Each block can be encrypted independently of the previous block because, apart from the key and the nonce, the only other input to a keystream block is the block’s position in the message, which determines the counter value. That position is a property of the block itself, so GCM can be carried out in parallel for both encryption and decryption, and the GHASH computation pipelines well too. The key length is a separate question from the mode: AES-128 is considered secure in either mode, and a 256-bit key does nothing to cure CBC’s weaknesses; the reason to prefer AES-256 is a larger security margin, not any deficiency of 128-bit keys. AES-256-GCM is available and only modestly slower (14 rounds instead of 10), so using 128-bit keys here is a performance preference rather than a necessity. In the future, I expect GCM to be adopted widely, unless a non-AES cipher becomes predominant (ChaCha20, paired with Poly1305, is an example of such a contender).
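The following is an added example (not code from the original post) that puts the two preceding paragraphs together: CTR mode keystream generation, GHASH over GF(2^128) as specified for GCM, tag generation and verification, and the one failure mode every user of GCM must avoid, nonce reuse. The block cipher is an assumption: HMAC-SHA256 truncated to 16 bytes stands in for AES-128, which is legitimate here only because CTR and GHASH never run the cipher backwards. All function names are the example’s own.

```python
import hashlib
import hmac
import os

BLOCK = 16
# GCM's reduction constant for GF(2^128), in the spec's bit ordering.
R = 0xE1 << 120

# Constructed sample messages for the demo (not real data).
MSG_A = b"transfer $100 to account 1234"
MSG_B = b"transfer $999 to account 9999"


def block_prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption, NOT AES: HMAC-SHA256 truncated to
    16 bytes. CTR and GHASH only ever run the cipher forwards, so any 128-bit
    keyed pseudorandom function shows how the mode fits together."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode. Counter block = 96-bit nonce || 32-bit counter. GCM starts
    the data at counter 2 (counter 1 is reserved for masking the tag). Each
    keystream block depends only on its index, so this loop is parallelizable."""
    out = b""
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (2 + i // BLOCK).to_bytes(4, "big")
        out += xor(data[i:i + BLOCK], block_prf(key, counter_block))
    return out


def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128), bit by bit, as in NIST SP 800-38D Algorithm 1."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Evaluate the polynomial whose coefficients are the AAD blocks, the
    ciphertext blocks and a final length block, at the secret point H."""
    def pad16(b: bytes) -> bytes:
        return b + b"\x00" * (-len(b) % BLOCK)
    lengths = (8 * len(aad)).to_bytes(8, "big") + (8 * len(ciphertext)).to_bytes(8, "big")
    data = pad16(aad) + pad16(ciphertext) + lengths
    h_int, y = int.from_bytes(h, "big"), 0
    for i in range(0, len(data), BLOCK):
        y = gf_mul(y ^ int.from_bytes(data[i:i + BLOCK], "big"), h_int)
    return y.to_bytes(BLOCK, "big")


def gcm_encrypt(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes = b""):
    assert len(nonce) == 12, "GCM's standard nonce is 96 bits"
    h = block_prf(key, b"\x00" * BLOCK)              # hash subkey H = E_K(0^128)
    ciphertext = ctr_crypt(key, nonce, plaintext)
    j0 = nonce + (1).to_bytes(4, "big")
    tag = xor(ghash(h, aad, ciphertext), block_prf(key, j0))
    return ciphertext, tag


def gcm_decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes, aad: bytes = b""):
    h = block_prf(key, b"\x00" * BLOCK)
    j0 = nonce + (1).to_bytes(4, "big")
    expected = xor(ghash(h, aad, ciphertext), block_prf(key, j0))
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")   # reject before releasing any plaintext
    return ctr_crypt(key, nonce, ciphertext)


def demo():
    """Returns (tamper_detected, nonce_reuse_leaks)."""
    key, nonce = os.urandom(16), os.urandom(12)
    c1, t1 = gcm_encrypt(key, nonce, MSG_A)
    flipped = bytes([c1[0] ^ 0x01]) + c1[1:]         # one bit of ciphertext changed
    try:
        gcm_decrypt(key, nonce, flipped, t1)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    # The failure mode: reuse the nonce for a second message under the same key.
    # Identical keystream means c1 XOR c2 == p1 XOR p2, so one known plaintext
    # reveals the other outright (and the tags leak H on top of that).
    c2, _ = gcm_encrypt(key, nonce, MSG_B)
    nonce_reuse_leaks = xor(c1, c2) == xor(MSG_A, MSG_B)
    return tamper_detected, nonce_reuse_leaks
```

Two design points are worth noticing. The tag is checked with a constant-time comparison and checked before any plaintext is returned; an implementation that decrypts first and verifies afterwards hands the attacker the same kind of oracle CBC suffers from. And the nonce is a counter-style value, not a random one: with 96 bits, a random nonce repeats after roughly 2^48 messages, whereas a per-key counter never repeats at all.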
Update – this site now uses AES-128-GCM!
Hi!
Very nice article. Just one amendment to make it a bit better. AES stands for Advanced Encryption Standard, not American Encryption Standard. 😉
Sweet article. I am supporting a software product that needs to handle AES-128-GCM encryption and I’ve only worked with AES-128-CBC. I knew from reading that the GCM is “streamed” but didn’t know why. Your explanation really helped to answer that question. And you even sparked me to read the Wiki page on Évariste Galois.
-Johnny
What does “biased” mean? I know what it means in the grammatical sense, but what does it mean here?