Score:3

Does HMAC provide anything that AES GCM does not?

I would like the receiver to be able to check the sender's authenticity when he gets the message.

Also, I want to protect the message's confidentiality and integrity.

Should I use AES-GCM + HMAC or just AES-GCM?

I heard AES-GCM provides message authentication using GHASH. But GHASH is not a MAC, so I am confused how AES-GCM achieves message authentication.

Richard Thiessen
GHASH is a [MAC](https://en.wikipedia.org/wiki/Message_authentication_code). [Specifically it computes an authentication tag (AKA:MAC) for a given ciphertext.](https://en.wikipedia.org/wiki/Galois/Counter_Mode#Basic_operation). The Wikipedia articles on both should have made this very clear.
poncho
@RichardThiessen: no, GHASH is not a MAC - given the values $A, C, GHASH(H, A, C)$, it is easy to recover the secret key $H$ (or, at least, list a handful of values it might be). What is a MAC is $AES(Nonce || 0) \oplus GHASH(H, A, C)$
Richard Thiessen
Point, yes, GHASH by itself is not a MAC.
Score:3

Should I use AES-GCM + HMAC or just AES-GCM?

Just AES-GCM is fine - GCM includes the integrity protection.

I heard AES-GCM provides message authentication using GHASH. But GHASH is not a MAC, so I am confused how AES-GCM achieves message authentication.

GHASH is indeed not a MAC - it is a universal hash. However, because the output of GHASH is XORed with the output of AES (based on the nonce), that is indeed a MAC (a Carter-Wegman MAC), and so provides the integrity protection you are looking for. That is, if the adversary makes any modification to the ciphertext, then (assuming AES is strong and the sender never encrypts two different messages with the same nonce) the modification will be detected with provably high probability.

Note: there are details I glossed over - not every universal hash XORed with per-packet secret data is a secure MAC. If you want to dig deeper into the theory behind GCM (and Poly1305, which works similarly), submit another question.

yaoxin jing
Thanks. My question is whether GCM also provides the authentication that HMAC provides.
yaoxin jing
Will AES-GCM allow the receiver to check the sender's identity?
poncho
@yaoxinjing: if the GCM message decrypts (that is, the authentication tag is correct), then (with high probability) the message was generated by someone who knew the secret key - that is the same assurance that HMAC provides.
samuel-lucas6
I would argue this is misleading. AES-GCM is [not](https://www.usenix.org/conference/usenixsecurity22/presentation/albertini) committing, whereas Encrypt-then-MAC done [correctly](https://crypto.stackexchange.com/questions/101612/common-pitfalls-to-be-taken-care-of-while-implementing-encrypt-then-hmac-scheme/101613#101613) is fully committing. So is AES-GCM-then-HMAC, but that's needlessly inefficient. Whether no commitment leads to a vulnerability or not depends on the protocol, but it should be fixed in future AEAD schemes. AEGIS and Rocca-S are committing with a 256-bit tag.
Marc Ilunga
@samuel-lucas6, being committing is a nice additional feature that would be reasonable to add in an answer to the question. But I don't think it is fair to say this answer is misleading. The question was quite specific on the MAC aspect of GCM; key/context commitment attacks do not invalidate the int-ctxt security of GCM, which is more the spirit of the question IMO. Also, the OP has not clarified whether the target application would need additional robustness guarantees. Another answer that highlights the need for key/context commitment is naturally a great addition.
samuel-lucas6
@MarcIlunga I agree; I was referring to the comment above mine but wasn't clear. However, I do think commitment is important to mention as it technically is the answer to the title of the question - HMAC provides commitment, whereas AES-GCM does not. I will try to write an answer at some point if I'm feeling up to it. I like how quick comments are.
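
Added example, not code from the thread or from any of its participants: a stand-alone Go program that (a) recomputes the GCM tag exactly as the answer describes it, $E_K(J_0) \oplus GHASH_H(A, C)$, using its own GF(2^128) arithmetic, and checks it against the standard library's AES-GCM, and (b) illustrates samuel-lucas6's point that AES-GCM is not committing by solving that same tag equation for one ciphertext block so that a single sealed message is accepted under two different keys (the construction in the Albertini et al. paper linked in the comment). All keys, the nonce and the messages are constructed sample values, the function names (`gfMul`, `ghash`, `gcmSecrets`, `gcmTag`, `twoKeyCiphertext`, `demo`) are mine, and the first ciphertext block is fixed to zero so that the algebra has a single unknown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

type block struct{ hi, lo uint64 } // one 128-bit GCM block: hi = bytes 0..7, lo = bytes 8..15 (big-endian)
func toBlock(b []byte) block { // first 16 bytes of b, zero-padded like GHASH's final block
	var buf [16]byte
	copy(buf[:], b)
	return block{binary.BigEndian.Uint64(buf[:8]), binary.BigEndian.Uint64(buf[8:])}
}
func (x block) bytes() []byte { return binary.BigEndian.AppendUint64(binary.BigEndian.AppendUint64(nil, x.hi), x.lo) }
func (x block) xor(y block) block { return block{x.hi ^ y.hi, x.lo ^ y.lo} }

// gfMul is SP 800-38D Algorithm 1: GF(2^128) multiplication in GCM's reflected bit order.
func gfMul(x, y block) block {
	z, v := block{}, y
	for _, w := range [2]uint64{x.hi, x.lo} {
		for i := 63; i >= 0; i-- { // bits of x, leftmost (x^0 coefficient) first
			if (w>>uint(i))&1 == 1 {
				z = z.xor(v)
			}
			carry := v.lo & 1 // V >> 1, reduced by R = x^128 + x^7 + x^2 + x + 1 when a bit falls off
			v = block{v.hi>>1 ^ carry*0xe100000000000000, v.lo>>1 | v.hi<<63}
		}
	}
	return z
}

// gfInv returns x^(2^128-2) = 1/x for x != 0 (Fermat); block{hi: 1 << 63} is the element 1.
func gfInv(x block) block {
	res := block{hi: 1 << 63}
	for i := 0; i < 127; i++ {
		x = gfMul(x, x) // x^(2^(i+1))
		res = gfMul(res, x)
	}
	return res
}

// ghash is the universal hash (not a MAC on its own) over AAD, ciphertext and their bit lengths.
func ghash(h block, aad, ct []byte) block {
	var y block
	for _, data := range [][]byte{aad, ct} {
		for i := 0; i < len(data); i += 16 {
			y = gfMul(y.xor(toBlock(data[i:])), h)
		}
	}
	return gfMul(y.xor(block{uint64(len(aad)) * 8, uint64(len(ct)) * 8}), h)
}

// gcmSecrets derives H = E_K(0^128) and E_K(J0), J0 = nonce || 0^31 || 1 (96-bit nonce).
func gcmSecrets(key, nonce []byte) (h, ekj0 block) {
	blk, _ := aes.NewCipher(key)
	var zero, j0 [16]byte
	copy(j0[:], nonce)
	j0[15] = 1
	blk.Encrypt(zero[:], zero[:]) // in place: now holds H
	blk.Encrypt(j0[:], j0[:])     // in place: now holds E_K(J0)
	return toBlock(zero[:]), toBlock(j0[:])
}

// gcmTag is the answer's formula: Tag = E_K(J0) XOR GHASH_H(A, C).
func gcmTag(key, nonce, aad, ct []byte) []byte {
	h, ekj0 := gcmSecrets(key, nonce)
	return ghash(h, aad, ct).xor(ekj0).bytes()
}

func stdGCM(key []byte) cipher.AEAD { // the standard library's AES-GCM, used as the reference
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return g
}

// Empty AAD, ciphertext 0^128||C2: Tag = E_K(J0) ^ C2*H^2 ^ L*H is linear in C2, so C2 = (E1^E2^L*(H1^H2)) / (H1^H2)^2 makes k1 and k2 agree.
func twoKeyCiphertext(k1, k2, nonce []byte) []byte {
	h1, e1 := gcmSecrets(k1, nonce)
	h2, e2 := gcmSecrets(k2, nonce)
	lens, dh := block{0, 256}, h1.xor(h2) // L = [0 AAD bits]64 || [256 ciphertext bits]64
	c2 := gfMul(e1.xor(e2).xor(gfMul(lens, dh)), gfInv(gfMul(dh, dh))) // H1^2 ^ H2^2 = dh^2 in char 2
	ct := append(make([]byte, 16), c2.bytes()...)
	return append(ct, gcmTag(k1, nonce, nil, ct)...) // k2 yields the same tag by construction
}

// demo uses constructed keys, nonce and message; returns (tag reconstructed, one message valid under two keys).
func demo() (tagOK, twoKeysOK bool) {
	k1, k2, nonce := []byte("0123456789abcdef"), []byte("fedcba9876543210"), []byte("unique-nonce")
	aad, pt := []byte("hdr"), []byte("attack at dawn")
	sealed := stdGCM(k1).Seal(nil, nonce, pt, aad) // ciphertext || 16-byte tag
	tagOK = string(sealed[len(pt):]) == string(gcmTag(k1, nonce, aad, sealed[:len(pt)]))
	both := twoKeyCiphertext(k1, k2, nonce)
	_, err1 := stdGCM(k1).Open(nil, nonce, both, nil)
	_, err2 := stdGCM(k2).Open(nil, nonce, both, nil)
	return tagOK, err1 == nil && err2 == nil
}
func main() { fmt.Println(demo()) }
```

The second half is possible only because the GCM tag is an affine function of each ciphertext block once $H$ and $E_K(J_0)$ are known, which anyone holding both keys does know; it does not contradict poncho's answer, since a party without the key still cannot forge a tag. With an HMAC tag over the ciphertext there is no such equation to solve, which is the commitment property samuel-lucas6's comment refers to.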