I'm currently migrating a project to use the Bouncy Castle GCM mode. I understand that using an authenticated mode removes the need for an HMAC, however I want to be sure that I'm using this mode correctly. When applying an HMAC to ciphertext, I know it's imperative to include in the HMAC'd data any params that could affect the outcome of the decryption (IV, block size, algorithm name, etc.). The Bouncy Castle GCM implementation accepts AEAD parameters, one of which is 'Associated Text'.

With authenticated modes, is it correct to:

  • use encryption params as Associated Text
  • encrypt cleartext (without params appended)
  • append params to ciphertext (in cleartext) to facilitate future decryption

I assume this workflow applies to EAX mode as well?

hunter

1 Answer

GCM mode already incorporates any params that could affect the outcome of the decryption. The associated authenticated data is there to allow you to rely on context for your decryption.

For example, say you are encrypting some records associated with a user. You may want to include the user's database ID as the authenticated data. If a user found a way to copy another user's data and key into his own record, it would still fail to decrypt since his database ID is not the same.

In general, you would like it to be something that's inherently managed separately from the nonce and ciphertext.

Stephen Touset
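The workflow from the question, combined with the answer's user-ID example, as an added illustration that is not part of either post: the nonce and ciphertext are stored in the clear, the owning user's database ID is supplied only as associated data, and a record copied into another user's row fails to open. It uses Go's standard-library AES-GCM rather than Bouncy Castle; the `Record` type, the `ownerAAD` encoding and the user IDs are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
)

// Record is what gets stored: nonce and ciphertext (tag appended) in the clear, as the
// question proposes. The owner's user ID is not stored here; it comes from the DB row.
type Record struct{ Nonce, Ciphertext []byte }

// ownerAAD: the user's database ID (the answer's example) as associated data, authenticated but not stored.
func ownerAAD(userID uint64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, userID)
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key length selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
}

// Encrypt seals plaintext under a fresh random nonce, bound to userID through the AAD.
func Encrypt(key []byte, userID uint64, plaintext []byte) (Record, error) {
	g, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{nonce, g.Seal(nil, nonce, plaintext, ownerAAD(userID))}, nil
}

// Decrypt returns an error (tag mismatch) if the key, nonce, ciphertext or the claimed
// owner differ from what was sealed: a record copied into another user's row won't open.
func Decrypt(key []byte, userID uint64, r Record) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, r.Nonce, r.Ciphertext, ownerAAD(userID))
}
```

Because the nonce is random, the same key must not seal so many records that a 96-bit nonce repeats; the Bouncy Castle equivalent is passing the user ID as the associated text of `AEADParameters`.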