
AES-GCM with HMAC


I am using AES-GCM to encrypt some data. I want every encryption to be done with a new random iv. For every encryption a new iv is generated and appended to the encrypted text to produce the cipher. Since the iv would be sent in plaintext I thought I could also generate an HMAC of the iv and the encrypted text and append this mac to the cipher.

mac: HMAC(iv || encryptedText)

The cipher would look like this: iv || encryptedText || mac

The receiver can now prove the authenticity and integrity of the iv and the encrypted text and then decrypt the data.

Are there any security breaches? Is it even necessary to create a mac?

Thanks!


No, the HMAC is not required. The value of the IV - or rather nonce for GCM - is included in the GMAC algorithm which calculates the authentication tag for GCM; it is explicitly made part of the GMAC calculation. So if the adversary changes the IV then the authentication tag will not verify. It depends on the library used, but it may be that the authentication tag is automatically tagged onto the end of the ciphertext.

One particular issue is that you get the same "verification error" if any of the GCM input changes. So you cannot detect what was the cause or causes of the error. Generally this is not an issue though; you test sender / receiver and if verification fails the ciphertext is discarded in its entirety.
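As an added example (not code from the question or the answer), Go's standard-library AES-GCM producing exactly the nonce || ciphertext || tag layout discussed above, and showing that a single flipped bit in the transmitted nonce is rejected by the GCM tag check alone, with no separate HMAC. The key, plaintext and helper names (newGCM, Seal, Open) are my own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-GCM under a fresh random nonce and returns the wire
// format from the question, nonce || ciphertext || tag, with no extra HMAC.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes, fresh for every call
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // dst=nonce => nonce||ct||tag
}

// Open splits nonce || ciphertext || tag and verifies the tag before decrypting.
func Open(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("message too short for nonce and tag")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil) // errors if nonce, ct or tag was altered
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key, for illustration only
	msg, _ := Seal(key, []byte("attack at dawn"))
	msg[0] ^= 0x01 // flip one bit of the transmitted nonce
	fmt.Println(Open(key, msg)) // non-nil error: authentication failed
}
```

Because the nonce is an input to the tag computation, changing it (or the ciphertext, or the tag) makes Open return an error rather than garbage plaintext.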

LUMPAAK: Thanks. What if I use AES-CBC instead of GCM?
poncho: @LUMPAAK: CBC does not provide any integrity guarantees; you need something (such as HMAC) to do that.
Maarten Bodewes: GCM is an authenticated (AEAD) cipher, CBC is not. For CBC you would try and use encrypt-then-MAC, i.e. you would create an authenticated cipher for it. There is a draft RFC [here](https://datatracker.ietf.org/doc/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05) where the IV is included in the ciphertext and thus authenticated. Yes, it is a draft, but at least that is better than most of the self-made stuff out there. Oh, almost forgot, the padding that that RFC draft describes is called PKCS#5 or PKCS#7 padding.