Score:0

How to produce Auth Data and tag in GCM? Is MAC-appended CTR mode encrypted text weaker than GCM?


In https://en.wikipedia.org/wiki/Galois/Counter_Mode, there's a diagram which tells us how GCM works in general.

I have watched the Computerphile video on how ECB, CBC and CTR modes work and I was able to implement them on my own, given that the block cipher (SM4) was properly implemented in a library like BouncyCastle.

I have several questions on the diagram: where does the auth data come from? If there's no auth data, can I actually use an HMAC-SHA method to generate one and XOR it along the way?

If I encrypt a message using counter mode, will the security be weaker than GCM, given that there's a MAC appended in front of the counter-mode encrypted message?

kelalaka: You don't need to watch, read [Special Publication 800-38d](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pd); auth data is associated data, mostly used in protocols, that doesn't need encryption but needs authentication. Your question is too broad and some parts are really not related. AD [adds little protection](https://crypto.stackexchange.com/q/95621/18298), AD is optional, the aim of GMAC is authentication and integrity of the ciphertext.

Hern: Authentication data is any additional plain text data that exists in AES-GCM or any AEAD ciphers?

kelalaka: [How to produce Auth Data and tag in GCM? Does MAC appended CTR mode encrypted text weaker than GCM?](https://crypto.stackexchange.com/q/14747/18298)

kelalaka: CCM and [Poly1305](https://datatracker.ietf.org/doc/html/rfc8439) had it too, preferably almost all should support it.
Score:1

> where does the auth data come from?

What the diagram labels “Auth Data” is additional authenticated data, which is more commonly called “associated data” or “additional data” and abbreviated AAD or AD. It's an input to the GCM calculation. You don't generate it. GCM always takes AD input. It can be empty; there's nothing special about empty AD in the calculation or the security.

> How to produce Auth Data and tag in GCM?

To produce the GCM tag, you follow the GCM specification to calculate it.

> If I encrypt a message by using counter mode, will the security be weaker than GCM

If you encrypt a message in counter mode, this won't be authenticated. So the security is completely different from GCM. GCM is authenticated encryption: it guarantees both the confidentiality and the authenticity of the message. Successfully decrypting a CTR-encrypted message means nothing: if the message was fake or corrupted, you just get corrupted data. Successfully decrypting a GCM-protected message guarantees that you're getting a message produced by a holder of the secret key. Notice how I wrote “GCM-protected” and not just “GCM-encrypted”; terminology around AEAD is sometimes misleading. “GCM-encrypted” is correct, but misleading because GCM does more than encrypting. “Encrypting” a message with GCM (or any other AEAD algorithm) also authenticates it, and “decrypting” a message also verifies its authenticity. The verbs “encrypt” and “decrypt” are standard terminology, however, so keep using them, but be aware that they don't tell the full story.

> Is MAC-appended CTR mode encrypted text weaker than GCM?

If done right, a MAC appended to a CTR ciphertext, or CTR encryption of the plaintext plus a MAC, is a valid AEAD construct. In fact, that's how many standard AEAD constructs work, including GCM. However, there are many opportunities to do it wrong, such as undesirable interactions between the encryption key and the MAC key (that broke OCB2), bad nonce/IV choices, etc. (Another potential mistake would be to use CBC instead of CTR, which opens opportunities to padding oracle attacks.) For example, “use HMAC-SHA method” is a good way to generate a MAC, but “XOR along the way” could mean a lot of things, most of which would be insecure.
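To make concrete where the AD enters and how the tag is formed, here is the GHASH step of the GCM tag in pure Python. This is an added example, not code from the question or the answer; the AES part (deriving H = E_K(0^128) and E_K(J0)) is not implemented, those two values are taken from the published GCM spec test case 2 (zero key, zero IV, one zero plaintext block) and passed in as constants.

```python
# Added example: the GHASH/tag part of GCM, following SP 800-38D.
# AES itself is deliberately left out; H and E_K(J0) are supplied as inputs
# (constants below are the published GCM spec test case 2 values).
import struct

# Reduction constant for x^128 + x^7 + x^2 + x + 1 in GCM's bit ordering.
R = 0xE1000000000000000000000000000000


def gf128_mul(x: int, y: int) -> int:
    """Multiply two 128-bit field elements (SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:        # bit i of y, most significant first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H( A || 0-pad || C || 0-pad || len64(A) || len64(C) ).

    The associated data is simply the first thing absorbed: it is an input
    to the tag, not something GCM generates.
    """
    h_int = int.from_bytes(h, "big")
    y = 0

    def absorb(data: bytes) -> None:
        nonlocal y
        padded = data + b"\x00" * (-len(data) % 16)
        for i in range(0, len(padded), 16):
            y = gf128_mul(y ^ int.from_bytes(padded[i:i + 16], "big"), h_int)

    absorb(aad)
    absorb(ciphertext)
    absorb(struct.pack(">QQ", 8 * len(aad), 8 * len(ciphertext)))  # bit lengths
    return y.to_bytes(16, "big")


def gcm_tag(h: bytes, aad: bytes, ciphertext: bytes, ek_j0: bytes) -> bytes:
    """Tag = GHASH_H(A, C) XOR E_K(J0), where J0 is the pre-counter block."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), ek_j0))


# GCM spec test case 2: K = 0^128, IV = 0^96, P = one zero block, no AD.
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")      # E_K(0^128)
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")      # CTR ciphertext
EK_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")  # E_K(J0)
```

Note that GCM is exactly the CTR-plus-MAC construction the answer describes, with GHASH keyed by a value derived from the same AES key; a tag computed with different AD (even an empty one) is a different tag, which is why the receiver must be given the same AD to verify.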
