Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) is a symmetric-key cryptographic mode that combines the AES block cipher with Galois field multiplication for authentication. It is used in protocols such as TLS 1.2+, IPsec, and HTTP/3 due to its ability to provide both encryption (confidentiality) and authentication (integrity) in a single pass.
AES-GCM operates on 128-bit blocks and supports key lengths of 128, 192, or 256 bits. It uses counter (CTR) mode for encryption and a Galois Message Authentication Code (GMAC) for integrity.
How AES-GCM Works
AES-GCM performs the following internal operations:
Key and Nonce Setup: A randomly generated nonce (96 bits) and a symmetric AES key are initialized for each encryption session. The nonce must never repeat under the same key.
Counter Mode Encryption: CTR mode transforms AES into a stream cipher by encrypting successive counter blocks. Each encrypted counter block is XORed with the corresponding plaintext block to produce ciphertext.
Galois Authentication: A polynomial hash over the ciphertext and any Additional Authenticated Data (AAD) is computed using finite field multiplication in GF(2^128), producing a 128-bit authentication tag. This tag is transmitted with the ciphertext.
Parallel Execution: Both encryption and authentication operations can proceed concurrently, improving performance on hardware supporting pipelining or SIMD instructions.
Example: AES-GCM Encryption (Python / PyCryptodome)
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
key = get_random_bytes(32) # AES-256 key
nonce = get_random_bytes(12) # 96-bit nonce
cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
plaintext = b'sensitive video metadata'
aad = b'header'
cipher.update(aad)
ciphertext, tag = cipher.encrypt_and_digest(plaintext)
print("Ciphertext:", ciphertext.hex())
print("Tag:", tag.hex())Explanation:
- key: 256-bit symmetric key used for encryption and tag generation.
- nonce: A unique, non-repeating value required by CTR-based ciphers.
- aad: Authenticated data included in tag computation but not encrypted.
- encrypt_and_digest(): Encrypts plaintext and generates a tag for validation.
Decryption and Tag Verification
During decryption, the AES-GCM function reconstructs the keystream using the same nonce and key and recomputes the authentication tag using the received ciphertext and AAD. The tag is compared against the transmitted one. If the tags match, decryption proceeds and returns the plaintext. Otherwise, decryption fails.
cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
cipher.update(aad)
plaintext = cipher.decrypt_and_verify(ciphertext, tag)Explanation:
- decrypt_and_verify(): Verifies the tag before returning plaintext.
- Tampering with either ciphertext or AAD causes this function to raise an error.
Advantages of AES-GCM
Authenticated Encryption
AES-GCM provides authenticated encryption with associated data (AEAD). This means it guarantees both:
- Confidentiality: Ciphertext cannot be reversed without the key.
- Integrity and Authenticity: Tampering with ciphertext or AAD invalidates the authentication tag.
Parallelizable Operations
Unlike CBC mode, AES-GCM allows encryption and authentication blocks to be computed in parallel. This results in better performance on multi-core CPUs and SIMD-capable hardware.
Single-Pass Processing
AES-GCM performs encryption and authentication in one pass, which reduces processing time and memory overhead. This makes it suitable for high-throughput or low-latency environments.
Protocol Support
AES-GCM is supported in:
- TLS 1.2 and 1.3
- IPsec
- SSH
- HTTP/3 (QUIC)
Its use in modern internet protocols reflects its performance and security characteristics.
Built-In Support for AAD
The ability to authenticate non-encrypted metadata via AAD is useful in secure communication protocols that need to verify payload and context.
Security Considerations
- Nonce Reuse: Using the same nonce with the same key results in catastrophic key leakage. Always generate a new nonce per encryption session.
- Tag Verification: During decryption, the authentication tag must be verified before trusting the plaintext.
- Hardware Acceleration: Many modern CPUs (e.g., Intel with AES-NI) have built-in instructions to accelerate AES-GCM and reduce overhead.