3

I am using AES 256 encryption in GCM mode using a class called AuthenticatedAesCng from this site: CLR security

After writing the plaintext through the crypto stream, I manually concatenate the IV, TAG, and encrypted data, then return that value.

cs is the cryptostream and ms the memorystream

// Write through and retrieve encrypted data.
cs.Write(message, 0, message.Length);
cs.FlushFinalBlock();
byte[] cipherText = ms.ToArray();                   

// Retrieve tag and create array to hold encrypted data.
byte[] authenticationTag = encryptor.GetTag();      
byte[] encrypted = new byte[cipherText.Length + aes.IV.Length + authenticationTag.Length];

// Set needed data in byte array.
aes.IV.CopyTo(encrypted, 0);                       
authenticationTag.CopyTo(encrypted, IV_LENGTH);
cipherText.CopyTo(encrypted, IV_LENGTH + TAG_LENGTH);

// Store encrypted value in base 64.
return Convert.ToBase64String(encrypted);

Is this the correct manner of using the AES cipher in GCM mode? Am I supposed to manually place all these values together or is it done automatically and I just missed it?

CodesInChaos
crawfish
  • That looks like an implementation specific issue to me, so it's probably off-topic on crypto.SE. – CodesInChaos Jul 17 '12 at 20:56
  • ok, any suggestion as to where I should post instead? – crawfish Jul 17 '12 at 21:05
  • @crawfish, StackOverflow is probably the best place. I'm migrating it now. – mikeazo Jul 18 '12 at 01:30
  • Your best bet is to suck it and see. Try it first without adding the tag and see if the decryption side fails with "Missing tag" or similar. Ensure that it is checking things by testing it with a changed non-tag byte in the cyphertext array. That should definitely fail with "Mismatched tag" or whatever. – rossum Jul 18 '12 at 12:19
  • @rossum - This implementation works currently, my question, which is not clear above and I need to edit, is asking whether a cipher text with this information is secure. In other words, is it a security risk for the IV and tag to be visible in plaintext form? – crawfish Jul 18 '12 at 14:11
  • The tag, iv and aad can all be sent in the clear. Normally the tag (not the aad) is placed at the end of the ciphertext; if you see repetition of otherwise random looking bytes in the message then your message contains spurious data, such as a double tag. The ciphertext should be identical to the plain text size for GCM mode, so if the result is larger, then the tag is likely already contained in the resulting ciphertext. – Maarten Bodewes Jul 18 '12 at 16:49
  • if ciphertext refers to [IV][TAG][DATA] and not just data, then all that makes sense and thanks. – crawfish Jul 18 '12 at 17:48
  • 3
    Em, no, ciphertext is just the data but you cannot have GCM ciphertext without the tag: it would defeat the entire purpose of GCM. The tag is normally appended to the ciphertext. The AAD data is optional, and the entire purpose of it is to have it sent in the clear. The IV is actually a nonce, so it may be computed on both sides. If you use a random NONCE or cannot precompute it, then it is normal to prepend it to the ciphertext (but you will have to explicitly code this at both sides). – Maarten Bodewes Jul 18 '12 at 21:31
  • alright great, I already do all of that so thanks a bunch – crawfish Jul 19 '12 at 17:42

1 Answer

2

Ciphertext is just the data but you cannot have GCM ciphertext without the tag: it would defeat the entire purpose of GCM. The tag is normally appended to the ciphertext.

The AAD data is optional, and the entire purpose of it is to have it sent in the clear.

The IV is actually a nonce, so it may be computed on both sides. If you use a random NONCE or cannot pre-compute it, then it is normal to prefix it to the ciphertext (but you will have to explicitly code this at both sides).

Maarten Bodewes
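The layout the answer describes (random nonce prefixed, tag appended), packed on one side and unpacked on the other, as an added example that is not code from the question, the answer, or the CLR Security project. It uses .NET's built-in `System.Security.Cryptography.AesGcm` in place of `AuthenticatedAesCng` and assumes .NET 8 or later; `GcmEnvelope`, `Seal` and `Open` are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class GcmEnvelope
{
    const int NonceSize = 12; // 96-bit nonce
    const int TagSize = 16;   // 128-bit tag

    // Layout: nonce || ciphertext || tag, Base64-encoded.
    public static string Seal(byte[] key, byte[] plaintext, byte[] aad = null)
    {
        byte[] packed = new byte[NonceSize + plaintext.Length + TagSize];
        Span<byte> nonce = packed.AsSpan(0, NonceSize);
        Span<byte> ciphertext = packed.AsSpan(NonceSize, plaintext.Length); // same length as plaintext
        Span<byte> tag = packed.AsSpan(NonceSize + plaintext.Length, TagSize);
        RandomNumberGenerator.Fill(nonce); // fresh random nonce for every message
        using (var gcm = new AesGcm(key, TagSize)) // two-argument constructor: .NET 8+
            gcm.Encrypt(nonce, plaintext, ciphertext, tag, aad);
        return Convert.ToBase64String(packed);
    }

    // Throws CryptographicException if any byte of the message or AAD was altered.
    public static byte[] Open(byte[] key, string message, byte[] aad = null)
    {
        byte[] packed = Convert.FromBase64String(message);
        if (packed.Length < NonceSize + TagSize)
            throw new CryptographicException("Message too short.");
        int dataLength = packed.Length - NonceSize - TagSize;
        byte[] plaintext = new byte[dataLength];
        using (var gcm = new AesGcm(key, TagSize))
            gcm.Decrypt(packed.AsSpan(0, NonceSize), packed.AsSpan(NonceSize, dataLength),
                        packed.AsSpan(NonceSize + dataLength, TagSize), plaintext, aad);
        return plaintext;
    }

    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed demo key
        string message = Seal(key, Encoding.UTF8.GetBytes("constructed sample text"));
        Console.WriteLine(Encoding.UTF8.GetString(Open(key, message)));

        byte[] tampered = Convert.FromBase64String(message);
        tampered[NonceSize] ^= 0x01; // flip one bit of the ciphertext
        try { Open(key, Convert.ToBase64String(tampered)); }
        catch (CryptographicException) { Console.WriteLine("tampering detected"); }
    }
}
```

Because the nonce is random, a key must be rotated well before the chance of a repeated 96-bit nonce becomes non-negligible; nonce reuse under one key breaks GCM's guarantees.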