There are many papers out there that show that a message authenticated and encrypted by AES-GCM can be forged if the used key is weak (e.g. by Handschuh and Preneel, Saarinen or Procter and Cid). With weak keys I refer to the definition given by Handschuh and Preneel:
In symmetric cryptology, a class of keys [D] is called a weak key class if for the members of that class the algorithm behaves in an unexpected way and if it is easy to detect whether a particular unknown key belongs to this class. For a MAC algorithm, the unexpected behavior can be that the forgery probability for this key is substantially larger than average.
All these papers give suggestions how to avoid weak keys or how to minimize the class of weak keys. However, none of these suggestions have been accepted in the NIST standard. The standard is obviously older than the papers about weak keys, yet AES-GCM is still one of the most accepted algorithms.
Thus, I would like to know if famous applications like TLS or IPSec have implemented a weak keys detection or how do they avoid weak keys? Or is the probability to get a weak key (assumed that one is using secure random number generators) still so so small that the existence of weak keys is negligible?
