GCM with encryption only using Botan-3

[jhfigueiredo]

Hi,

The protocol that I'm working with includes the use of GCM with encryption only (without authentication).
With the current code (Botan-3) is this possible? Can we set the TAG size to 0? Are there workarounds?
I would like to avoid adding changes to Botan's code.

Any help will be appreciated.

[randombit]

😱

That is incredibly cursed (not to mention completely insecure). What protocol is this?!?

For encryption, all you need to do is truncate the tag off before sending the message. But that doesn't work for decryption since the implementation expects you to present a valid tag.

Probably the simplest thing is actually copy the implementation of GCM and just remove all of the tag/GHASH handling. That will anyway save the overhead of computing the polynomial MAC since you aren't using it.

[jhfigueiredo]

Hi Jack,

Thank you for your support.
I completely agree with the insecurity issues but the DLMS protocol does require this, although it is rarely used this way.
I am trying to extend the GCM code so that I can have a custom decrypt, without authentication, but I'm having some issues linking:

Error LNK2019 unresolved external symbol "public: virtual unsigned __int64 __cdecl Botan::GCM_Mode::update_granularity(void)const " (?update_granularity@GCM_Mode@Botan@@UEBA_KXZ) referenced in function "private: virtual unsigned __int64 __cdecl csw_crypto::DLMS_GCM_Decryption::process_msg(unsigned char * const,unsigned __int64)" (?process_msg@DLMS_GCM_Decryption@csw_crypto@@EEAA_KQEAE_K@Z)
Severity Code Description Project File Line Suppression State

Error LNK2019 unresolved external symbol "__declspec(dllimport) public: void __cdecl Botan::GHASH::update(unsigned char const * const,unsigned __int64)" (_imp?update@GHASH@Botan@@QEAAXQEBE_K@Z) referenced in function "private: virtual void __cdecl csw_crypto::DLMS_GCM_Decryption::finish_msg(class std::vector<unsigned char,class Botan::secure_allocator > &,unsigned __int64)" (?finish_msg@DLMS_GCM_Decryption@csw_crypto@@EEAAXAEAV?$vector@EV?$secure_allocator@E@Botan@@@std@@_K@Z)

Severity Code Description Project File Line Suppression State
Error LNK2019 unresolved external symbol "__declspec(dllimport) public: void __cdecl Botan::GHASH::final(unsigned char * const,unsigned __int64)" (_imp?final@GHASH@Botan@@QEAAXQEAE_K@Z) referenced in function "private: virtual void __cdecl csw_crypto::DLMS_GCM_Decryption::finish_msg(class std::vector<unsigned char,class Botan::secure_allocator > &,unsigned __int64)" (?finish_msg@DLMS_GCM_Decryption@csw_crypto@@EEAAXAEAV?$vector@EV?$secure_allocator@E@Botan@@@std@@_K@Z)

I have appended the extension code. Any hope will be much appreciated.

CswCrypto.zip

[randombit]

I did not look at your code 😅 but I created an example that seems to work in #3541 the idea being you would just include CursedGCM_Encryption and CursedGCM_Decryption within your own application, and use them in the case that you need to use this (did I mention cursed!!) tagless GCM.

As I mentioned for the encryption you could alternatively just use normal GCM and chop off the tag at the end.

[jhfigueiredo]

Thanks Jack for your quick support and the cursed version ;)

[mouse07410]

I must be missing something - but AES-GCM is AES-CTR for encryption plus GHASH for MAC. So, why isn't AES-CTR the answer to AES-GCM "encryption-only"?

[randombit]

It basically is just CTR but there are some complications because to match how GCM uses counter you have to throw away some bits that were used to key GASH, format the nonce in a particular way, etc.