Questions tagged [aes-gcm]

Deprecated tag, see tag info.

Advanced Encryption Standard Galois/Counter Mode, better known as AES-GCM, is a mode of operation for symmetric-key block ciphers that has been widely adopted because of its efficiency and performance. GCM is an authenticated encryption mode, meaning that it offers not only confidentiality but also integrity.

Please do not use this tag, use in combination with .

225 questions
39 votes · 3 answers

Why was AES CBC removed in TLS 1.3?

I don't quite understand why AES CBC was removed in TLS 1.3. From what I know CBC is the most secure mode of operation for the AES block cipher (if you can say it like that). It only needs a TRND IV and has not been broken. If you pair it with a…

Richard R. Matthews · 4,545 · 9 · 31 · 49
17 votes · 1 answer

What are the rules for using AES-GCM correctly?

When using AES-GCM I know that I am supposed to use a new initialization vector every time I call the AES-GCM algorithm with the same key. What other rules must be followed to use AES-GCM correctly? I am looking for a bullet point checklist with…

ams · 701 · 1 · 8 · 14
11 votes · 1 answer

How does BearSSL's GCM modular reduction work?

BearSSL (in src/hash/ghash_ctmul.c) seems to be doing a modular reduction that I don't completely understand. Here's the code: /* * GHASH specification has the bits "reversed" (most * significant is in fact least significant), which does * not…

neubert · 2,969 · 1 · 29 · 58
11 votes · 2 answers

Can AES-GCM be broken if initialisation vector is known?

We are using AES encryption in GCM block mode in order to encrypt a number of different kinds of data at rest on a mobile device - Android. The key used for encryption is stored in the protected key-store offered by Android, so I am assuming that it is…

Suhas · 253 · 3 · 10
9 votes · 2 answers

What are the popular modes-of-operation (AES-GCM, AES-SIV, AES-GCM-SIV, etc.) geared for?

I'm interested in developing software capable of encrypting personal files (which will ultimately be backed up to the cloud) and have been doing my best to follow best practices. There are many forms of authenticated encryption. (AES-GCM, AES-SIV,…

meci · 191 · 1 · 2
9 votes · 3 answers

How to encrypt files using AES256-GCM cipher under Linux?

I'm struggling to implement AES256-GCM on a Linux machine to encrypt files outgoing to another party. We're usually exchanging files using PKI, but this particular party insists on AES256-GCM and will not allow PKI. However, I've been struggling to…

Marek · 133 · 1 · 1 · 7
9 votes · 3 answers

Can a zero nonce be safely used with AES-GCM if the key is random and never used again?

I could generate a random nonce and prepend it to the ciphertext, but storage space is at a premium and the only constraint AES-GCM has on the nonce (if I'm reading correctly) is that the same nonce must never be paired with the same key for a…

jnm2 · 582 · 5 · 11
9 votes · 0 answers

Key size, performance, and security tradeoffs for AES GCM / CCM

AES can be used with 128, 192 or 256 bit keys and each one appears to have a performance vs security trade-off (What is the effect of the different AES key lengths?, What are the practical differences between 256-bit, 192-bit, and 128-bit AES…

Raghu · 255 · 1 · 6
9 votes · 0 answers

GCM with reversed poly

These slides talk about how GCM can be sped up if one uses $x^{128}+x^{127}+x^{126}+x^{121}+1$ as the reduction polynomial instead of $x^{128}+x^7+x^2+x^1+1$. When one is doing that one needs to multiply the polynomial you're attempting to reduce by…

neubert · 2,969 · 1 · 29 · 58
9 votes · 1 answer

TLS 1.2 Cipher Suites With AES-GCM – What data (if any) is passed to the AES-GCM cipher as the Additional Authentication Data?

TLS 1.2 defines a number of cipher suites that employ AES-GCM, e.g.: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384…

weaver · 193 · 1 · 3
9 votes · 2 answers

IV in Galois Counter Mode

I am looking at the Wikipedia Galois Counter Mode article. I see this diagram and I am trying to figure out where the IV works its way in. Is it used to initialize the counter? If so, how does a sequence of 12 bytes (96 bits) initialize a counter on a 32…

John Frye · 93 · 3
8 votes · 1 answer

Why is GCM operation mode with AES-128 recommended, and can we use AES-192 and AES-256 with GCM?

It happens that on the internet I often find that AES encryption should use a 128-bit key only if it is used in conjunction with the GCM mode of operation. Why only with 128-bit keys? What happens if I use one of 192 or 256? Can it be? Why is this…

user75600
8 votes · 1 answer

Deterministic Encryption with AES GCM - how to choose the IV (nonce)

I don't have a very large background in cryptography, so I hope these questions are not very dumb. I don't want to reinvent the wheel, I'm just looking for advice on the best practices about how to build the following. I've been seeking and reading for…
8 votes · 2 answers

Delayed tag checks in AES-GCM for streaming data

There is currently a GitHub discussion on .NET not supporting AES-GCM for any streaming data since releasing decrypted data prior to tag checks somehow reveals the plaintext or the AES key (or some such undocumented catastrophic failure). A lot of…

DeepSpace101 · 1,717 · 3 · 17 · 24
7 votes · 1 answer

What is Associated Data in AEAD?

I am trying to understand what AEAD is exactly. I am an application developer, not a cryptographer. I have been searching online for a while, watched a bunch of YouTube videos, and read through a couple of books, "Serious Cryptography" and "Understanding…

ams · 701 · 1 · 8 · 14