AES256 GCM IV guidelines
$begingroup$
If I use for example AES256 (GCM), and my message is bigger than 256bit (breaked into smaller 256bit blocks for encryption), should the IV change every 256bit of the message?
aes initialization-vector gcm
edited yesterday
kelalaka
6,90022144
asked yesterday
OffirOffir
111
New contributor
Offir is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment |
$begingroup$
If I use for example AES256 (GCM), and my message is bigger than 256bit (breaked into smaller 256bit blocks for encryption), should the IV change every 256bit of the message?
aes initialization-vector gcm
edited yesterday
kelalaka
6,90022144
asked yesterday
OffirOffir
111
New contributor
Offir is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
$begingroup$
You can write comments under your question. A session, starting from setting the IV and the key until the max possible counter is reached. Did you looked at the links? IV repeat is insecure across sessions.
$endgroup$
– kelalaka
yesterday
$begingroup$
To answer the other subquestion you have, "session" means plaintext that is encrypted and gets a ciphertext plus authentication tag, regardless of the length of the message, as long as it is within the limit defined by the mode
$endgroup$
– Richie Frame
yesterday
$begingroup$
Besides that, GCM itself doesn't really know about sessions. The NIST version of the GCM spec does contain the word "session" but only in reference to a higher level protocol (w.r.t. key reuse). For this reason I don't think it is very useful to ask about sessions in a separate question, unless you can point out the protocol that you're targeting. GCM just deals with variable length messages. P.S. You deleted your question wrapped in an answer a second before I could post a comment with this content :| Thanks for deleting it regardless :)
$endgroup$
– Maarten Bodewes♦
23 hours ago
add a comment |
$begingroup$
If I use for example AES256 (GCM), and my message is bigger than 256bit (breaked into smaller 256bit blocks for encryption), should the IV change every 256bit of the message?
aes initialization-vector gcm
edited yesterday
kelalaka
6,90022144
asked yesterday
OffirOffir
111
New contributor
Offir is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
If I use for example AES256 (GCM), and my message is bigger than 256bit (breaked into smaller 256bit blocks for encryption), should the IV change every 256bit of the message?
aes initialization-vector gcm
aes initialization-vector gcm
edited yesterday
kelalaka
6,90022144
asked yesterday
OffirOffir
111
New contributor
Offir is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited yesterday
kelalaka
6,90022144
asked yesterday
OffirOffir
111
New contributor
Offir is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited yesterday
kelalaka
6,90022144
edited yesterday
kelalaka
6,90022144
edited yesterday
kelalaka
6,90022144
6,90022144
asked yesterday
OffirOffir
111
New contributor
Offir is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked yesterday
OffirOffir
111
asked yesterday
OffirOffir
111
111
New contributor
Offir is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Offir is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Offir is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$begingroup$
You can write comments under your question. A session, starting from setting the IV and the key until the max possible counter is reached. Did you looked at the links? IV repeat is insecure across sessions.
$endgroup$
– kelalaka
yesterday
$begingroup$
To answer the other subquestion you have, "session" means plaintext that is encrypted and gets a ciphertext plus authentication tag, regardless of the length of the message, as long as it is within the limit defined by the mode
$endgroup$
– Richie Frame
yesterday
$begingroup$
Besides that, GCM itself doesn't really know about sessions. The NIST version of the GCM spec does contain the word "session" but only in reference to a higher level protocol (w.r.t. key reuse). For this reason I don't think it is very useful to ask about sessions in a separate question, unless you can point out the protocol that you're targeting. GCM just deals with variable length messages. P.S. You deleted your question wrapped in an answer a second before I could post a comment with this content :| Thanks for deleting it regardless :)
$endgroup$
– Maarten Bodewes♦
23 hours ago
add a comment |
$begingroup$
You can write comments under your question. A session, starting from setting the IV and the key until the max possible counter is reached. Did you looked at the links? IV repeat is insecure across sessions.
$endgroup$
– kelalaka
yesterday
$begingroup$
To answer the other subquestion you have, "session" means plaintext that is encrypted and gets a ciphertext plus authentication tag, regardless of the length of the message, as long as it is within the limit defined by the mode
$endgroup$
– Richie Frame
yesterday
$begingroup$
Besides that, GCM itself doesn't really know about sessions. The NIST version of the GCM spec does contain the word "session" but only in reference to a higher level protocol (w.r.t. key reuse). For this reason I don't think it is very useful to ask about sessions in a separate question, unless you can point out the protocol that you're targeting. GCM just deals with variable length messages. P.S. You deleted your question wrapped in an answer a second before I could post a comment with this content :| Thanks for deleting it regardless :)
$endgroup$
– Maarten Bodewes♦
23 hours ago
$begingroup$
You can write comments under your question. A session, starting from setting the IV and the key until the max possible counter is reached. Did you looked at the links? IV repeat is insecure across sessions.
$endgroup$
– kelalaka
yesterday
$begingroup$
You can write comments under your question. A session, starting from setting the IV and the key until the max possible counter is reached. Did you looked at the links? IV repeat is insecure across sessions.
$endgroup$
– kelalaka
yesterday
$begingroup$
To answer the other subquestion you have, "session" means plaintext that is encrypted and gets a ciphertext plus authentication tag, regardless of the length of the message, as long as it is within the limit defined by the mode
$endgroup$
– Richie Frame
yesterday
$begingroup$
To answer the other subquestion you have, "session" means plaintext that is encrypted and gets a ciphertext plus authentication tag, regardless of the length of the message, as long as it is within the limit defined by the mode
$endgroup$
– Richie Frame
yesterday
$begingroup$
Besides that, GCM itself doesn't really know about sessions. The NIST version of the GCM spec does contain the word "session" but only in reference to a higher level protocol (w.r.t. key reuse). For this reason I don't think it is very useful to ask about sessions in a separate question, unless you can point out the protocol that you're targeting. GCM just deals with variable length messages. P.S. You deleted your question wrapped in an answer a second before I could post a comment with this content :| Thanks for deleting it regardless :)
$endgroup$
– Maarten Bodewes♦
23 hours ago
$begingroup$
Besides that, GCM itself doesn't really know about sessions. The NIST version of the GCM spec does contain the word "session" but only in reference to a higher level protocol (w.r.t. key reuse). For this reason I don't think it is very useful to ask about sessions in a separate question, unless you can point out the protocol that you're targeting. GCM just deals with variable length messages. P.S. You deleted your question wrapped in an answer a second before I could post a comment with this content :| Thanks for deleting it regardless :)
$endgroup$
– Maarten Bodewes♦
23 hours ago
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
The IV for GCM mode, in this case the thing we call the Nonce, is different from the IV used for the CTR mode inside of GCM.
Additionally as per the wording of your question, AES256 has a 256-bit key and a 128-bit block, not a 256-bit block, and encrypts plaintext in 128-bit increments.
For GCM, you MUST use a unique Nonce for every message. Inside GCM, the Nonce is turned into the CTR IV. If you look at kelalaka's answer, if the Nonce is 96-bits, the CTR IV is the exact same thing. If it is some other size, it converts it to a 96-bit IV using the referenced algorithm. CTR mode uses the IV plus a counter starting at 1 to generate the stream. The 96-bit IV plus the 32-bit counter equal the 128-bit input block to the cipher.
([ IV ][ctr1]) -----> [AES] -----> ([ STREAM1 ])
The output 128-bit stream block is used to encrypt the plaintext blocks. If there are multiple blocks of plaintext, only one can be encrypted with a given counter, so it is incremented by 1, and the same operation is repeated to generate the next 128-bit stream block. If the final plaintext block is shorter than 128-bits, the unused stream bits are discarded.
MESSAGE = ([ PLAINTEXT1 ][ PLAINTEXT2 ][ PLAINTEXT3 ])
AUTHDAT = additional data to authenticate
LEN_T = desired length of authentication tag
L = length_64(AUTHDAT) || length_64(MESSAGE)
NONCE = 96-bits, therefore IV=NONCE
H = AES_K(0x00000000000000000000000000000000)
ctr0 = 0x00000001, ctr1 = 0x00000002, and so on
([ IV ][ctr0]) -----> [AES] -----> ([ STREAM0 ])
([ IV ][ctr1]) -----> [AES] -----> ([ STREAM1 ])
([ IV ][ctr2]) -----> [AES] -----> ([ STREAM2 ])
([ IV ][ctr3]) -----> [AES] -----> ([ STREAM3 ])
([ PLAINTEXT1 ]) XOR ([ STREAM1 ]) = ([ CIPHERTXT1 ])
([ PLAINTEXT2 ]) XOR ([ STREAM2 ]) = ([ CIPHERTXT2 ])
([ PLAINTEXT3 ]) XOR ([ STREAM3 ]) = ([ CIPHERTXT3 ])
CIPHERTEXT= ([ CIPHERTXT1 ][ CIPHERTXT2 ][ CIPHERTXT3 ])
H = GHASH(H,AUTHDAT,CIPHERTEXT,L)
TAG = truncate_LEN_T( H XOR STREAM0 )
As many blocks are generated as required to encrypt all the plaintext, as long as the limit of GCM is not reached, which is 549,755,813,632 bits, or 256 bits less than 64GiB, as explained here.
answered yesterday
Richie FrameRichie Frame
9,94911530
$endgroup$
1
$begingroup$
The counter starts as 2, the first counter value is used for the initial calculation of H - an internal value for GMAC within GCM (or at least the authentication tag, I'm starting to forget some details) - and zero is not used at all, possibly to avoid issues with key check values.
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
@MaartenBodewes I am pretty sure a 128-bit 0 block is used to generate H, but you are right, the counter for encryption of the plaintext starts at 2, the first counter value is used to encrypt the authentication tag after the final multiplication
$endgroup$
– Richie Frame
yesterday
1
$begingroup$
I should mention the reason they do not use 0 at all in the counter, is because if your nonce is all 0, the first counter would be identical to H
$endgroup$
– Richie Frame
23 hours ago
add a comment |
$begingroup$
AES-GCM uses the Counter (CTR) mode for AES. If you use an SP 800-38D compatible library, actually, it handles the incrementing the IV for you.
For an encryption session, once the IV is initialized the counter part (32-bit part) of the IV is incremented for the encryption of every block. The IV fot CTR mode start from 2 as mentioned Maarten's comment. Thus, encryption can be continued until the counter is reached to the maximum, that is $2^{32}-2$ AES blocks if 32-bit counter is used. Then, you have to use a new IV to continue.
The real problem is generating the IV's uniquely per session. If IV ever repeats then it is insecure so you need to make sure that the IV never repeats.
For the generation of the IV, you can use a good random source, or you can use the IV incrementally. In this case, the IV size must be 96-bit, see page 15 of SP 800-38D.
If $len(IV)=96$, then let $J_0 = IV | 0^{31} |1$.
Storing the last used IV and incrementing it then providing to GCM is the general practice to mitigate from a birthday attack.
If the supplied IV is not 96-bits it is processed by $operatorname{GHASH}$. You can see how it is processed in this answer Generate J0 for GCM cipher when $len(IV)neq96$ bits in details.
answered yesterday
kelalakakelalaka
6,90022144
$endgroup$
$begingroup$
i understand. but what does it mean unique per session? what is the definition of session?
$endgroup$
– Offir
yesterday
1
$begingroup$
Note that the counter value 1 is used for GMAC, also see my comment below Richie Frame's answer. That's why you can encrypt 256 bits less than for just CTR mode ($2^{32} - 2$ blocks of 128 bits, in other words).
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
@MaartenBodewes Yes, it starts from 1. Thanks for the reminder.
$endgroup$
– kelalaka
yesterday
$begingroup$
For the confidentiality part it starts at two.
$endgroup$
– Maarten Bodewes♦
yesterday
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Offir is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66837%2faes256-gcm-iv-guidelines%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
The IV for GCM mode, in this case the thing we call the Nonce, is different from the IV used for the CTR mode inside of GCM.
Additionally as per the wording of your question, AES256 has a 256-bit key and a 128-bit block, not a 256-bit block, and encrypts plaintext in 128-bit increments.
For GCM, you MUST use a unique Nonce for every message. Inside GCM, the Nonce is turned into the CTR IV. If you look at kelalaka's answer, if the Nonce is 96-bits, the CTR IV is the exact same thing. If it is some other size, it converts it to a 96-bit IV using the referenced algorithm. CTR mode uses the IV plus a counter starting at 1 to generate the stream. The 96-bit IV plus the 32-bit counter equal the 128-bit input block to the cipher.
([ IV ][ctr1]) -----> [AES] -----> ([ STREAM1 ])
The output 128-bit stream block is used to encrypt the plaintext blocks. If there are multiple blocks of plaintext, only one can be encrypted with a given counter, so it is incremented by 1, and the same operation is repeated to generate the next 128-bit stream block. If the final plaintext block is shorter than 128-bits, the unused stream bits are discarded.
MESSAGE = ([ PLAINTEXT1 ][ PLAINTEXT2 ][ PLAINTEXT3 ])
AUTHDAT = additional data to authenticate
LEN_T = desired length of authentication tag
L = length_64(AUTHDAT) || length_64(MESSAGE)
NONCE = 96-bits, therefore IV=NONCE
H = AES_K(0x00000000000000000000000000000000)
ctr0 = 0x00000001, ctr1 = 0x00000002, and so on
([ IV ][ctr0]) -----> [AES] -----> ([ STREAM0 ])
([ IV ][ctr1]) -----> [AES] -----> ([ STREAM1 ])
([ IV ][ctr2]) -----> [AES] -----> ([ STREAM2 ])
([ IV ][ctr3]) -----> [AES] -----> ([ STREAM3 ])
([ PLAINTEXT1 ]) XOR ([ STREAM1 ]) = ([ CIPHERTXT1 ])
([ PLAINTEXT2 ]) XOR ([ STREAM2 ]) = ([ CIPHERTXT2 ])
([ PLAINTEXT3 ]) XOR ([ STREAM3 ]) = ([ CIPHERTXT3 ])
CIPHERTEXT= ([ CIPHERTXT1 ][ CIPHERTXT2 ][ CIPHERTXT3 ])
H = GHASH(H,AUTHDAT,CIPHERTEXT,L)
TAG = truncate_LEN_T( H XOR STREAM0 )
As many blocks are generated as required to encrypt all the plaintext, as long as the limit of GCM is not reached, which is 549,755,813,632 bits, or 256 bits less than 64GiB, as explained here.
answered yesterday
Richie FrameRichie Frame
9,94911530
$endgroup$
1
$begingroup$
The counter starts as 2, the first counter value is used for the initial calculation of H - an internal value for GMAC within GCM (or at least the authentication tag, I'm starting to forget some details) - and zero is not used at all, possibly to avoid issues with key check values.
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
@MaartenBodewes I am pretty sure a 128-bit 0 block is used to generate H, but you are right, the counter for encryption of the plaintext starts at 2, the first counter value is used to encrypt the authentication tag after the final multiplication
$endgroup$
– Richie Frame
yesterday
1
$begingroup$
I should mention the reason they do not use 0 at all in the counter, is because if your nonce is all 0, the first counter would be identical to H
$endgroup$
– Richie Frame
23 hours ago
add a comment |
$begingroup$
The IV for GCM mode, in this case the thing we call the Nonce, is different from the IV used for the CTR mode inside of GCM.
Additionally as per the wording of your question, AES256 has a 256-bit key and a 128-bit block, not a 256-bit block, and encrypts plaintext in 128-bit increments.
For GCM, you MUST use a unique Nonce for every message. Inside GCM, the Nonce is turned into the CTR IV. If you look at kelalaka's answer, if the Nonce is 96-bits, the CTR IV is the exact same thing. If it is some other size, it converts it to a 96-bit IV using the referenced algorithm. CTR mode uses the IV plus a counter starting at 1 to generate the stream. The 96-bit IV plus the 32-bit counter equal the 128-bit input block to the cipher.
([ IV ][ctr1]) -----> [AES] -----> ([ STREAM1 ])
The output 128-bit stream block is used to encrypt the plaintext blocks. If there are multiple blocks of plaintext, only one can be encrypted with a given counter, so it is incremented by 1, and the same operation is repeated to generate the next 128-bit stream block. If the final plaintext block is shorter than 128-bits, the unused stream bits are discarded.
MESSAGE = ([ PLAINTEXT1 ][ PLAINTEXT2 ][ PLAINTEXT3 ])
AUTHDAT = additional data to authenticate
LEN_T = desired length of authentication tag
L = length_64(AUTHDAT) || length_64(MESSAGE)
NONCE = 96-bits, therefore IV=NONCE
H = AES_K(0x00000000000000000000000000000000)
ctr0 = 0x00000001, ctr1 = 0x00000002, and so on
([ IV ][ctr0]) -----> [AES] -----> ([ STREAM0 ])
([ IV ][ctr1]) -----> [AES] -----> ([ STREAM1 ])
([ IV ][ctr2]) -----> [AES] -----> ([ STREAM2 ])
([ IV ][ctr3]) -----> [AES] -----> ([ STREAM3 ])
([ PLAINTEXT1 ]) XOR ([ STREAM1 ]) = ([ CIPHERTXT1 ])
([ PLAINTEXT2 ]) XOR ([ STREAM2 ]) = ([ CIPHERTXT2 ])
([ PLAINTEXT3 ]) XOR ([ STREAM3 ]) = ([ CIPHERTXT3 ])
CIPHERTEXT= ([ CIPHERTXT1 ][ CIPHERTXT2 ][ CIPHERTXT3 ])
H = GHASH(H,AUTHDAT,CIPHERTEXT,L)
TAG = truncate_LEN_T( H XOR STREAM0 )
As many blocks are generated as required to encrypt all the plaintext, as long as the limit of GCM is not reached, which is 549,755,813,632 bits, or 256 bits less than 64GiB, as explained here.
answered yesterday
Richie FrameRichie Frame
9,94911530
$endgroup$
1
$begingroup$
The counter starts as 2, the first counter value is used for the initial calculation of H - an internal value for GMAC within GCM (or at least the authentication tag, I'm starting to forget some details) - and zero is not used at all, possibly to avoid issues with key check values.
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
@MaartenBodewes I am pretty sure a 128-bit 0 block is used to generate H, but you are right, the counter for encryption of the plaintext starts at 2, the first counter value is used to encrypt the authentication tag after the final multiplication
$endgroup$
– Richie Frame
yesterday
1
$begingroup$
I should mention the reason they do not use 0 at all in the counter, is because if your nonce is all 0, the first counter would be identical to H
$endgroup$
– Richie Frame
23 hours ago
add a comment |
$begingroup$
The IV for GCM mode, in this case the thing we call the Nonce, is different from the IV used for the CTR mode inside of GCM.
Additionally as per the wording of your question, AES256 has a 256-bit key and a 128-bit block, not a 256-bit block, and encrypts plaintext in 128-bit increments.
For GCM, you MUST use a unique Nonce for every message. Inside GCM, the Nonce is turned into the CTR IV. If you look at kelalaka's answer, if the Nonce is 96-bits, the CTR IV is the exact same thing. If it is some other size, it converts it to a 96-bit IV using the referenced algorithm. CTR mode uses the IV plus a counter starting at 1 to generate the stream. The 96-bit IV plus the 32-bit counter equal the 128-bit input block to the cipher.
([ IV ][ctr1]) -----> [AES] -----> ([ STREAM1 ])
The output 128-bit stream block is used to encrypt the plaintext blocks. If there are multiple blocks of plaintext, only one can be encrypted with a given counter, so it is incremented by 1, and the same operation is repeated to generate the next 128-bit stream block. If the final plaintext block is shorter than 128-bits, the unused stream bits are discarded.
MESSAGE = ([ PLAINTEXT1 ][ PLAINTEXT2 ][ PLAINTEXT3 ])
AUTHDAT = additional data to authenticate
LEN_T = desired length of authentication tag
L = length_64(AUTHDAT) || length_64(MESSAGE)
NONCE = 96-bits, therefore IV=NONCE
H = AES_K(0x00000000000000000000000000000000)
ctr0 = 0x00000001, ctr1 = 0x00000002, and so on
([ IV ][ctr0]) -----> [AES] -----> ([ STREAM0 ])
([ IV ][ctr1]) -----> [AES] -----> ([ STREAM1 ])
([ IV ][ctr2]) -----> [AES] -----> ([ STREAM2 ])
([ IV ][ctr3]) -----> [AES] -----> ([ STREAM3 ])
([ PLAINTEXT1 ]) XOR ([ STREAM1 ]) = ([ CIPHERTXT1 ])
([ PLAINTEXT2 ]) XOR ([ STREAM2 ]) = ([ CIPHERTXT2 ])
([ PLAINTEXT3 ]) XOR ([ STREAM3 ]) = ([ CIPHERTXT3 ])
CIPHERTEXT= ([ CIPHERTXT1 ][ CIPHERTXT2 ][ CIPHERTXT3 ])
H = GHASH(H,AUTHDAT,CIPHERTEXT,L)
TAG = truncate_LEN_T( H XOR STREAM0 )
As many blocks are generated as required to encrypt all the plaintext, as long as the limit of GCM is not reached, which is 549,755,813,632 bits, or 256 bits less than 64GiB, as explained here.
answered yesterday
Richie FrameRichie Frame
9,94911530
$endgroup$
The IV for GCM mode, in this case the thing we call the Nonce, is different from the IV used for the CTR mode inside of GCM.
Additionally as per the wording of your question, AES256 has a 256-bit key and a 128-bit block, not a 256-bit block, and encrypts plaintext in 128-bit increments.
For GCM, you MUST use a unique Nonce for every message. Inside GCM, the Nonce is turned into the CTR IV. If you look at kelalaka's answer, if the Nonce is 96-bits, the CTR IV is the exact same thing. If it is some other size, it converts it to a 96-bit IV using the referenced algorithm. CTR mode uses the IV plus a counter starting at 1 to generate the stream. The 96-bit IV plus the 32-bit counter equal the 128-bit input block to the cipher.
([ IV ][ctr1]) -----> [AES] -----> ([ STREAM1 ])
The output 128-bit stream block is used to encrypt the plaintext blocks. If there are multiple blocks of plaintext, only one can be encrypted with a given counter, so it is incremented by 1, and the same operation is repeated to generate the next 128-bit stream block. If the final plaintext block is shorter than 128-bits, the unused stream bits are discarded.
MESSAGE = ([ PLAINTEXT1 ][ PLAINTEXT2 ][ PLAINTEXT3 ])
AUTHDAT = additional data to authenticate
LEN_T = desired length of authentication tag
L = length_64(AUTHDAT) || length_64(MESSAGE)
NONCE = 96-bits, therefore IV=NONCE
H = AES_K(0x00000000000000000000000000000000)
ctr0 = 0x00000001, ctr1 = 0x00000002, and so on
([ IV ][ctr0]) -----> [AES] -----> ([ STREAM0 ])
([ IV ][ctr1]) -----> [AES] -----> ([ STREAM1 ])
([ IV ][ctr2]) -----> [AES] -----> ([ STREAM2 ])
([ IV ][ctr3]) -----> [AES] -----> ([ STREAM3 ])
([ PLAINTEXT1 ]) XOR ([ STREAM1 ]) = ([ CIPHERTXT1 ])
([ PLAINTEXT2 ]) XOR ([ STREAM2 ]) = ([ CIPHERTXT2 ])
([ PLAINTEXT3 ]) XOR ([ STREAM3 ]) = ([ CIPHERTXT3 ])
CIPHERTEXT= ([ CIPHERTXT1 ][ CIPHERTXT2 ][ CIPHERTXT3 ])
H = GHASH(H,AUTHDAT,CIPHERTEXT,L)
TAG = truncate_LEN_T( H XOR STREAM0 )
As many blocks are generated as required to encrypt all the plaintext, as long as the limit of GCM is not reached, which is 549,755,813,632 bits, or 256 bits less than 64GiB, as explained here.
answered yesterday
Richie FrameRichie Frame
9,94911530
edited yesterday
answered yesterday
Richie FrameRichie Frame
9,94911530
answered yesterday
Richie FrameRichie Frame
9,94911530
answered yesterday
Richie FrameRichie Frame
9,94911530
9,94911530
1
$begingroup$
The counter starts as 2, the first counter value is used for the initial calculation of H - an internal value for GMAC within GCM (or at least the authentication tag, I'm starting to forget some details) - and zero is not used at all, possibly to avoid issues with key check values.
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
@MaartenBodewes I am pretty sure a 128-bit 0 block is used to generate H, but you are right, the counter for encryption of the plaintext starts at 2, the first counter value is used to encrypt the authentication tag after the final multiplication
$endgroup$
– Richie Frame
yesterday
1
$begingroup$
I should mention the reason they do not use 0 at all in the counter, is because if your nonce is all 0, the first counter would be identical to H
$endgroup$
– Richie Frame
23 hours ago
add a comment |
1
$begingroup$
The counter starts as 2, the first counter value is used for the initial calculation of H - an internal value for GMAC within GCM (or at least the authentication tag, I'm starting to forget some details) - and zero is not used at all, possibly to avoid issues with key check values.
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
@MaartenBodewes I am pretty sure a 128-bit 0 block is used to generate H, but you are right, the counter for encryption of the plaintext starts at 2, the first counter value is used to encrypt the authentication tag after the final multiplication
$endgroup$
– Richie Frame
yesterday
1
$begingroup$
I should mention the reason they do not use 0 at all in the counter, is because if your nonce is all 0, the first counter would be identical to H
$endgroup$
– Richie Frame
23 hours ago
1
1
$begingroup$
The counter starts as 2, the first counter value is used for the initial calculation of H - an internal value for GMAC within GCM (or at least the authentication tag, I'm starting to forget some details) - and zero is not used at all, possibly to avoid issues with key check values.
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
The counter starts as 2, the first counter value is used for the initial calculation of H - an internal value for GMAC within GCM (or at least the authentication tag, I'm starting to forget some details) - and zero is not used at all, possibly to avoid issues with key check values.
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
@MaartenBodewes I am pretty sure a 128-bit 0 block is used to generate H, but you are right, the counter for encryption of the plaintext starts at 2, the first counter value is used to encrypt the authentication tag after the final multiplication
$endgroup$
– Richie Frame
yesterday
$begingroup$
@MaartenBodewes I am pretty sure a 128-bit 0 block is used to generate H, but you are right, the counter for encryption of the plaintext starts at 2, the first counter value is used to encrypt the authentication tag after the final multiplication
$endgroup$
– Richie Frame
yesterday
1
1
$begingroup$
I should mention the reason they do not use 0 at all in the counter, is because if your nonce is all 0, the first counter would be identical to H
$endgroup$
– Richie Frame
23 hours ago
$begingroup$
I should mention the reason they do not use 0 at all in the counter, is because if your nonce is all 0, the first counter would be identical to H
$endgroup$
– Richie Frame
23 hours ago
add a comment |
$begingroup$
AES-GCM uses the Counter (CTR) mode for AES. If you use an SP 800-38D compatible library, actually, it handles the incrementing the IV for you.
For an encryption session, once the IV is initialized the counter part (32-bit part) of the IV is incremented for the encryption of every block. The IV fot CTR mode start from 2 as mentioned Maarten's comment. Thus, encryption can be continued until the counter is reached to the maximum, that is $2^{32}-2$ AES blocks if 32-bit counter is used. Then, you have to use a new IV to continue.
The real problem is generating the IV's uniquely per session. If IV ever repeats then it is insecure so you need to make sure that the IV never repeats.
For the generation of the IV, you can use a good random source, or you can use the IV incrementally. In this case, the IV size must be 96-bit, see page 15 of SP 800-38D.
If $len(IV)=96$, then let $J_0 = IV | 0^{31} |1$.
Storing the last used IV and incrementing it then providing to GCM is the general practice to mitigate from a birthday attack.
If the supplied IV is not 96-bits it is processed by $operatorname{GHASH}$. You can see how it is processed in this answer Generate J0 for GCM cipher when $len(IV)neq96$ bits in details.
answered yesterday
kelalakakelalaka
6,90022144
$endgroup$
$begingroup$
i understand. but what does it mean unique per session? what is the definition of session?
$endgroup$
– Offir
yesterday
1
$begingroup$
Note that the counter value 1 is used for GMAC, also see my comment below Richie Frame's answer. That's why you can encrypt 256 bits less than for just CTR mode ($2^{32} - 2$ blocks of 128 bits, in other words).
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
@MaartenBodewes Yes, it starts from 1. Thanks for the reminder.
$endgroup$
– kelalaka
yesterday
$begingroup$
For the confidentiality part it starts at two.
$endgroup$
– Maarten Bodewes♦
yesterday
add a comment |
$begingroup$
AES-GCM uses the Counter (CTR) mode for AES. If you use an SP 800-38D compatible library, actually, it handles the incrementing the IV for you.
For an encryption session, once the IV is initialized the counter part (32-bit part) of the IV is incremented for the encryption of every block. The IV fot CTR mode start from 2 as mentioned Maarten's comment. Thus, encryption can be continued until the counter is reached to the maximum, that is $2^{32}-2$ AES blocks if 32-bit counter is used. Then, you have to use a new IV to continue.
The real problem is generating the IV's uniquely per session. If IV ever repeats then it is insecure so you need to make sure that the IV never repeats.
For the generation of the IV, you can use a good random source, or you can use the IV incrementally. In this case, the IV size must be 96-bit, see page 15 of SP 800-38D.
If $len(IV)=96$, then let $J_0 = IV | 0^{31} |1$.
Storing the last used IV and incrementing it then providing to GCM is the general practice to mitigate from a birthday attack.
If the supplied IV is not 96-bits it is processed by $operatorname{GHASH}$. You can see how it is processed in this answer Generate J0 for GCM cipher when $len(IV)neq96$ bits in details.
answered yesterday
kelalakakelalaka
6,90022144
$endgroup$
$begingroup$
i understand. but what does it mean unique per session? what is the definition of session?
$endgroup$
– Offir
yesterday
1
$begingroup$
Note that the counter value 1 is used for GMAC, also see my comment below Richie Frame's answer. That's why you can encrypt 256 bits less than for just CTR mode ($2^{32} - 2$ blocks of 128 bits, in other words).
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
@MaartenBodewes Yes, it starts from 1. Thanks for the reminder.
$endgroup$
– kelalaka
yesterday
$begingroup$
For the confidentiality part it starts at two.
$endgroup$
– Maarten Bodewes♦
yesterday
add a comment |
$begingroup$
AES-GCM uses the Counter (CTR) mode for AES. If you use an SP 800-38D compatible library, actually, it handles the incrementing the IV for you.
For an encryption session, once the IV is initialized the counter part (32-bit part) of the IV is incremented for the encryption of every block. The IV fot CTR mode start from 2 as mentioned Maarten's comment. Thus, encryption can be continued until the counter is reached to the maximum, that is $2^{32}-2$ AES blocks if 32-bit counter is used. Then, you have to use a new IV to continue.
The real problem is generating the IV's uniquely per session. If IV ever repeats then it is insecure so you need to make sure that the IV never repeats.
For the generation of the IV, you can use a good random source, or you can use the IV incrementally. In this case, the IV size must be 96-bit, see page 15 of SP 800-38D.
If $len(IV)=96$, then let $J_0 = IV | 0^{31} |1$.
Storing the last used IV and incrementing it then providing to GCM is the general practice to mitigate from a birthday attack.
If the supplied IV is not 96-bits it is processed by $operatorname{GHASH}$. You can see how it is processed in this answer Generate J0 for GCM cipher when $len(IV)neq96$ bits in details.
answered yesterday
kelalakakelalaka
6,90022144
$endgroup$
AES-GCM uses the Counter (CTR) mode for AES. If you use an SP 800-38D compatible library, actually, it handles the incrementing the IV for you.
For an encryption session, once the IV is initialized the counter part (32-bit part) of the IV is incremented for the encryption of every block. The IV fot CTR mode start from 2 as mentioned Maarten's comment. Thus, encryption can be continued until the counter is reached to the maximum, that is $2^{32}-2$ AES blocks if 32-bit counter is used. Then, you have to use a new IV to continue.
The real problem is generating the IV's uniquely per session. If IV ever repeats then it is insecure so you need to make sure that the IV never repeats.
For the generation of the IV, you can use a good random source, or you can use the IV incrementally. In this case, the IV size must be 96-bit, see page 15 of SP 800-38D.
If $len(IV)=96$, then let $J_0 = IV | 0^{31} |1$.
Storing the last used IV and incrementing it then providing to GCM is the general practice to mitigate from a birthday attack.
If the supplied IV is not 96-bits it is processed by $operatorname{GHASH}$. You can see how it is processed in this answer Generate J0 for GCM cipher when $len(IV)neq96$ bits in details.
answered yesterday
kelalakakelalaka
6,90022144
edited yesterday
answered yesterday
kelalakakelalaka
6,90022144
answered yesterday
kelalakakelalaka
6,90022144
answered yesterday
kelalakakelalaka
6,90022144
6,90022144
$begingroup$
i understand. but what does it mean unique per session? what is the definition of session?
$endgroup$
– Offir
yesterday
1
$begingroup$
Note that the counter value 1 is used for GMAC, also see my comment below Richie Frame's answer. That's why you can encrypt 256 bits less than for just CTR mode ($2^{32} - 2$ blocks of 128 bits, in other words).
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
@MaartenBodewes Yes, it starts from 1. Thanks for the reminder.
$endgroup$
– kelalaka
yesterday
$begingroup$
For the confidentiality part it starts at two.
$endgroup$
– Maarten Bodewes♦
yesterday
add a comment |
$begingroup$
i understand. but what does it mean unique per session? what is the definition of session?
$endgroup$
– Offir
yesterday
1
$begingroup$
Note that the counter value 1 is used for GMAC, also see my comment below Richie Frame's answer. That's why you can encrypt 256 bits less than for just CTR mode ($2^{32} - 2$ blocks of 128 bits, in other words).
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
@MaartenBodewes Yes, it starts from 1. Thanks for the reminder.
$endgroup$
– kelalaka
yesterday
$begingroup$
For the confidentiality part it starts at two.
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
i understand. but what does it mean unique per session? what is the definition of session?
$endgroup$
– Offir
yesterday
$begingroup$
i understand. but what does it mean unique per session? what is the definition of session?
$endgroup$
– Offir
yesterday
1
1
$begingroup$
Note that the counter value 1 is used for GMAC, also see my comment below Richie Frame's answer. That's why you can encrypt 256 bits less than for just CTR mode ($2^{32} - 2$ blocks of 128 bits, in other words).
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
Note that the counter value 1 is used for GMAC, also see my comment below Richie Frame's answer. That's why you can encrypt 256 bits less than for just CTR mode ($2^{32} - 2$ blocks of 128 bits, in other words).
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
@MaartenBodewes Yes, it starts from 1. Thanks for the reminder.
$endgroup$
– kelalaka
yesterday
$begingroup$
@MaartenBodewes Yes, it starts from 1. Thanks for the reminder.
$endgroup$
– kelalaka
yesterday
$begingroup$
For the confidentiality part it starts at two.
$endgroup$
– Maarten Bodewes♦
yesterday
$begingroup$
For the confidentiality part it starts at two.
$endgroup$
– Maarten Bodewes♦
yesterday
add a comment |
Offir is a new contributor. Be nice, and check out our Code of Conduct.
Offir is a new contributor. Be nice, and check out our Code of Conduct.
Offir is a new contributor. Be nice, and check out our Code of Conduct.
Offir is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f66837%2faes256-gcm-iv-guidelines%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
$begingroup$
You can write comments under your question. A session, starting from setting the IV and the key until the max possible counter is reached. Did you looked at the links? IV repeat is insecure across sessions.
$endgroup$
– kelalaka
yesterday
$begingroup$
To answer the other subquestion you have, "session" means plaintext that is encrypted and gets a ciphertext plus authentication tag, regardless of the length of the message, as long as it is within the limit defined by the mode
$endgroup$
– Richie Frame
yesterday
$begingroup$
Besides that, GCM itself doesn't really know about sessions. The NIST version of the GCM spec does contain the word "session" but only in reference to a higher level protocol (w.r.t. key reuse). For this reason I don't think it is very useful to ask about sessions in a separate question, unless you can point out the protocol that you're targeting. GCM just deals with variable length messages. P.S. You deleted your question wrapped in an answer a second before I could post a comment with this content :| Thanks for deleting it regardless :)
$endgroup$
– Maarten Bodewes♦
23 hours ago