2

I wonder if there is an AES mode which would verify data integrity after the decryption operation.

For reasons which do not matter here, there is a possibility that the AES implementation I use may produce wrong results under certain conditions (particular data length, memory alignment, etc.). On the platform, two authenticated encryption modes are available: GCM and CCM.

There is an answer on Crypto which explains that CCM does MAC on plaintext whereas GCM does it on ciphertext. Does it mean that if AES should malfunction during decryption, CCM will detect it whereas GCM won't?

olegst

1 Answer

3

Yes, you are correct, as long as it really only is the AES part which could malfunction.

Quoting another source, for example Wikipedia's CCM page:

These two primitives are applied in an "authenticate-then-encrypt" manner, that is, CBC-MAC is first computed on the message to obtain a tag t; the message and the tag are then encrypted using counter mode.

Note that we generally do not recommend doing "MAC-then-Encrypt"; however, CCM is a mode of encryption which features its very own proof of security, so you are good to go.

Lery
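The difference discussed in this thread, as an added example that is not part of the original question or answer: a structural model in which the decrypting side's block cipher returns a wrong result for one counter block, run once with the MAC over the plaintext (as in CCM) and once with the MAC over the ciphertext (as in GCM). Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the AES forward direction, CBC-MAC stands in for GCM's GHASH in the ciphertext-MAC case, the fault touches only a data keystream block, and all names and sample values are constructed.

```python
import hashlib
import hmac

BLOCK = 16
KEY, NONCE, PT = b"K" * 16, b"N" * 11, b"A" * 48  # constructed sample values

def prf(key, block):
    # Stand-in for the AES forward direction (assumption): CTR and CBC-MAC use nothing else.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def make_faulty(bad_input):  # constructed fault: one wrong output bit for one input block
    def cipher(key, block):
        out = prf(key, block)
        return bytes([out[0] ^ 1]) + out[1:] if block == bad_input else out
    return cipher

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blk(flag, nonce, n):
    return bytes([flag]) + nonce + n.to_bytes(4, "big")  # 1 + 11 + 4 = 16 bytes

def ctr(E, key, nonce, data):  # counter 0 masks the tag; data uses counters 1, 2, ...
    return b"".join(xor(data[i:i + BLOCK], E(key, blk(0, nonce, 1 + i // BLOCK)))
                    for i in range(0, len(data), BLOCK))

def mac(E, key, nonce, msg):  # CBC-MAC over msg, masked with the counter-0 block
    x = E(key, blk(1, nonce, len(msg)))
    for i in range(0, len(msg), BLOCK):
        x = E(key, xor(x, msg[i:i + BLOCK].ljust(BLOCK, b"\0")))
    return xor(x, E(key, blk(0, nonce, 0)))

def seal(E, key, nonce, pt, mac_plaintext):
    ct = ctr(E, key, nonce, pt)
    return ct, mac(E, key, nonce, pt if mac_plaintext else ct)

def open_(E, key, nonce, ct, tag, mac_plaintext):
    pt = ctr(E, key, nonce, ct)  # a faulty E corrupts pt here
    if not hmac.compare_digest(mac(E, key, nonce, pt if mac_plaintext else ct), tag):
        raise ValueError("tag mismatch")
    return pt

def run(mac_plaintext, decrypt_cipher):
    ct, tag = seal(prf, KEY, NONCE, PT, mac_plaintext)  # healthy encryptor
    try:
        pt = open_(decrypt_cipher, KEY, NONCE, ct, tag, mac_plaintext)
    except ValueError:
        return "rejected"
    return "accepted, intact" if pt == PT else "accepted, corrupted"

FAULTY = make_faulty(blk(0, NONCE, 2))  # fault hits the second keystream block only
```

`run(True, FAULTY)` returns `"rejected"`, while `run(False, FAULTY)` returns `"accepted, corrupted"`: the ciphertext tag still verifies, so the wrong plaintext is released.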