GCM Compliance in IEEE 802.11 GCMP (G12a)
Galois/Counter Mode (GCM) is an approved block mode for the Advanced Encryption Standard (AES) cipher under FIPS 140-2, described in NIST Special Publication (SP) 800-38D. In that document, the security requirements call for the probability of invoking the authenticated encryption function of AES-GCM with the same key and initialization vector (IV) pair on two or more distinct sets of input data to be no greater than 2^-32.

Section A.5 of the FIPS 140-2 Implementation Guidance (IG A.5) further addresses the key and IV uniqueness requirement by offering case scenarios in which that uniqueness is satisfied. In all cases, the AES-GCM key is required to be fresh with high probability, and may either be generated internally or entered into the cryptographic module. Thus, the case scenarios focus on the generation of the IV so that the bound on the probability of a key and IV pair colliding across GCM encryptions is met. In particular, scenario 1 names a number of network protocols in which the GCM IV is constructed and controlled with the assistance of the protocol. This scenario provides a framework wherein correct operation of the protocol also results in correct handling of the GCM IV and maintenance of the probability requirements of SP 800-38D.

The IEEE 802.11i standard defines specifications for the medium access control (MAC) layer and physical (PHY) layer for wireless connectivity between devices in a local area. In 2013, the standard was amended to include the 802.11ac specifications, finally published in IEEE 802.11-2016. In this latest version, a number of enhancements were introduced to the standard, including the GCM protocol (GCMP), which has at its core the AES-GCM algorithm for session encryption.
This talk aims to investigate the implementation of AES-GCM within IEEE 802.11i GCMP (GCM protocol) and review its key and IV construction, and their compliance with the requirements of SP 800-38D and IG A.5.
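As an added illustration (not part of the talk abstract or any 802.11 implementation), the model below shows what "the protocol controls the IV" means for the SP 800-38D bound: a deterministic nonce built from a transmitter address and a per-key packet number can never collide until the counter is exhausted, whereas random 96-bit IVs must be capped at 2^32 invocations per key to stay under 2^-32. It assumes the 802.11-2016 GCMP nonce layout, A2 followed by the 48-bit packet number; the class and function names are this example's own.

```python
"""Constructed model of per-key GCM nonce discipline for a GCMP-like protocol.

Not 802.11 code: it tracks the invariant a compliant implementation must
hold (no nonce reused under one key) and the SP 800-38D bound it targets.
"""

PN_BITS = 48                          # width of the GCMP packet number (PN)
PN_MAX = (1 << PN_BITS) - 1
GCM_PROBABILITY_BOUND = 2 ** -32      # SP 800-38D key/IV collision bound


class GcmpNonceState:
    """Packet-number state for one temporal key.

    Assumption: the 96-bit GCM nonce is A2 || PN, with the 6-byte PN in
    big-endian order as in 802.11-2016 GCMP.  Uniqueness per key therefore
    reduces to never repeating a PN and never letting it wrap.
    """

    def __init__(self, a2: bytes):
        if len(a2) != 6:
            raise ValueError("A2 must be a 6-byte MAC address")
        self.a2 = a2
        self.next_pn = 0              # a fresh key starts at PN 0

    def next_nonce(self) -> bytes:
        if self.next_pn > PN_MAX:
            # Counter exhausted: rekeying is the only safe action; wrapping
            # the PN under the same key would repeat a (key, IV) pair.
            raise RuntimeError("PN exhausted; rekey before encrypting again")
        pn = self.next_pn
        self.next_pn += 1
        return self.a2 + pn.to_bytes(6, "big")


def find_nonce_reuse(nonces):
    """Return (first_index, second_index) of the first repeated nonce seen
    under one key, or None.  Useful as a check over captured frames."""
    seen = {}
    for i, n in enumerate(nonces):
        if n in seen:
            return (seen[n], i)
        seen[n] = i
    return None


def random_iv_collision_bound(invocations: int, iv_bits: int = 96) -> float:
    """Birthday upper bound n(n-1)/2^(iv_bits+1) on the probability that n
    random IVs under one key collide; compare against GCM_PROBABILITY_BOUND."""
    return invocations * (invocations - 1) / 2 ** (iv_bits + 1)
```

Running `random_iv_collision_bound(1 << 32)` stays under the bound while `1 << 33` exceeds it, which is why SP 800-38D caps RBG-based IV use at 2^32 invocations per key.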