Questions tagged [gcm]

The Galois Counter Mode, an authenticated encryption mode of operation for a block cipher.

The Galois Counter mode is an authenticated encryption mode of operation for a block cipher. It takes a block cipher as a primitive, and provides both privacy and integrity services for arbitrary messages.

See the Wikipedia page for more information.

317 questions
92 votes, 2 answers

What is the difference between CBC and GCM mode?

I am trying to learn more about GCM mode and how it differs from CBC. I already know that GCM provides a MAC, which is used for message authentication. From what I have read and from the code snippets I've seen, GCM does an exclusive-or much like…
Bob Bryan
50 votes, 2 answers

AES-GCM recommended IV size: Why 12 bytes?

When using AES-GCM, a 96-bit IV is generally recommended. Most implementations I've seen also use 96-bit. However, I'm unsure where this recommendation or convention comes from. Let's assume a shorter IV is bad. Assuming all other constraints for…
Hendrikvh
49 votes, 1 answer

AES256-GCM: can someone explain how to use it securely (Ruby)?

I am looking into using AES256-GCM for encrypting some database fields. I know that for AES256-CBC, I need to generate a new IV for each encrypt, but I can use the same key. The IV can be openly stored alongside the ciphertext (i.e., it can be…
47 votes, 2 answers

How to choose between AES-CCM and AES-GCM for storage volume encryption

We are using the encryption built into Solaris 11 ZFS, which offers the choice between CCM (CBC counter mode) and GCM (Galois counter mode). What are the pros and cons of choosing each of these cipher modes?
ruief
44 votes, 1 answer

Ciphertext and tag size and IV transmission with AES in GCM mode

I am completely new to using AES in GCM mode of operation, and I do not have a very large background in cryptography either. I have been playing with OpenSSL trying to encrypt and decrypt some messages. From my simple experiments arise the following…
Matteo Monti
36 votes, 3 answers

Practical disadvantages of GCM mode encryption

It seems that GCM mode encryption has a clear advantage over CBC + HMAC in the sense that it only requires a single key. But it seems that there are some experts here that do not trust it enough to recommend it. This question is a call to those…
33 votes, 2 answers

Disadvantages of AES-GCM

What are the disadvantages and weaknesses of AES-GCM mode for authenticated encryption? Why does the CAESAR competition say that one of its goals is to "find an AE scheme that offers an advantage over AES-GCM"? What advantage are they talking…
user2035863
29 votes, 2 answers

How bad is it to use the same IV twice with AES/GCM?

I understand that initialization vectors (IVs) should not be used twice when using AES/GCM. I am using a counter as an initialization vector. Every time I send out a new packet (I am developing a UDP-based protocol that needs packet encryption) I…
Matteo Monti
28 votes, 3 answers

Plaintext size limit for AES-GCM mode just 64 GB?

Based on NIST SP 800-38D section 5.2.1.1, it seems that the maximum length of plaintext is 2^39-256 bits ~ 64 GB. We've got 100+GB files in genomics that need to be GCM encrypted so are concerned about hitting this. So two questions: What's the…
DeepSpace101
26 votes, 3 answers

AES-GCM and its IV/nonce value

I was reading about the differences between the GCM and the CBC modes here and I have a follow up question: In the CBC mode the person who performs the encryption is the one who provides the IV for the encryption -- and the IV is required to decrypt…
user114
24 votes, 2 answers

Does AAD make GCM encryption more secure?

Does additional authenticated data (AAD) make AES GCM encryption more secure? What if we drop AAD in AES-GCM 256? If we drop it, how will it make the encryption less secure?
dReAmEr
24 votes, 2 answers

Is GCM still recommended?

I stumbled across a forum thread where security researcher Thomas Ptacek seemed to have negative feelings towards GCM. I had always thought from prior readings that GCM was the current gold standard for efficient, secure, easy-to-use AES modes? Here…
Anthony Kraft
22 votes, 2 answers

Is (AES-)GCM parallelizable?

I recently faced the issue of random-access decryption while AES-GCM was being used. I told this person that the underlying CTR should allow parallelization, but I have no idea how authentication comes into play. Now I know that one of the cool…
SEJPM
19 votes, 5 answers

AES-GCM: is it acceptable to return the wrong plaintext if the tag is incorrect?

Let's start by saying I'm no cryptography expert, I'm just a developer, so feel free to correct me (using words, not downvotes) if what I'm saying is nonsense. Context: I'm doing some crypto as a service for embedded devices. Users of this service…
ShellCode
18 votes, 1 answer

GCM vs CTR+HMAC tradeoffs

So these days I see everyone using AES-GCM. What are its advantages over simple CTR+HMAC modes? Is it speed? Or ciphertext length? And what are the security tradeoffs, both in terms of practical cryptanalysis and theoretical attacks complexity?
Samee