2

I am trying to implement AES-GCM encryption, but when it comes to

cipher.Encrypt(_iv, toEncrypt, cipherText, tag, associatedData);

I realize that I also need to implement the associated data, which is a byte[] data type. Does anyone have an idea where the AAD part should come from?

jy824212
  • 1
    Maybe related to https://stackoverflow.com/a/60891115/706456, but the AAD is not used there (it's null). The docs say it has to be present during the decryption phase. Adding it should be trivial: just pass the plain text byte[] that is the AAD. Pass the same value for the AAD during the decryption. – oleksii Feb 19 '21 at 19:34
  • AAD is data that will not be encrypted but will be integrity protected. If you don't require that functionality, then don't use it. It is optional. AAD will need to be sent separately since it is not part of the ciphertext. – Artjom B. Feb 19 '21 at 19:40
  • Hey @ArtjomB. so you meant if I need the AAD part, I should pass NULL to the Encrypt function then add that AAD part at the end as plain text (basically AAD is the length of the whole message in plain text and it's 4 bytes) – jy824212 Feb 19 '21 at 20:02
  • Hey @oleksii does that mean if I need AAD part, I should pass NULL to Encrypt function (because we should not encrypt the AAD part) then add that AAD part in the end as a plain text ( basically AAD is the length of the entire message in plain text and it should be a 4 bytes array) – jy824212 Feb 19 '21 at 20:14
  • 1
    No, that is not at all what I mean. If your use case (why you encrypt in the first place) doesn't have any additional data that needs to be integrity protected but not encrypted then you simply skip the `associatedData` value. AAD is `associatedData` – Artjom B. Feb 19 '21 at 21:40
  • but when you said AAD will need to be sent separately since it is not part of the ciphertext, why the function is taking associatedData as an input, I thought the function will not encrypt it but will generate it in plain text which is the length as from MS says associatedData Byte[] Extra data associated with this message, which must also be provided during decryption. – jy824212 Feb 20 '21 at 00:05
  • Hey @oleksii, what I meant is if there is AAD, why we need to pass into the encrypt function. AAD is always in plain text which should be the total length of the message. and should not be encrypted should be like this ? (1) encrypt the whole message (2) calculate the length of the ciphertext (which is 4 bytes and this is AAD) and then attach to the end of the packet (this is the only unencrypted part ) – jy824212 Feb 21 '21 at 17:21

1 Answer

3

Since you are trying to implement AES-GCM encryption, I'm assuming you already know that the two major parts of AES-GCM encryption are:

  • The confidentiality of input data using a variant of counter-mode of operation. In your case AES is used as the underlying block cipher.
  • The authenticity of the confidential data using GHASH algorithm.

That means the plaintext (toEncrypt) needs to be enciphered using the variant of counter mode, and the authentication tag is calculated from the resulting ciphertext (cipherText).

Additional authenticated data (AAD) protects the confidentiality of plaintext without enciphering it; usually AAD implies a small amount of data like version numbers, addresses, and ports.

So you only need to apply the GHASH algorithm on AAD (associatedData) and assign the output tag value of the encrypting operation to the input tag of the GHASH algorithm. Note this assumes the scheme that function uses is encrypting input data then hashing AAD; if it's the opposite order, you have to assign the output tag of the GHASH function for AAD to the input tag of the GHASH function for the data to encrypt.

Mamone
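How the `associatedData` parameter is used with .NET's `AesGcm`, as an added example that is not part of the original question or answer. It assumes a hypothetical packet whose 4-byte length header is sent unencrypted and passed as `associatedData` to both `Encrypt` and `Decrypt`; the key, message and framing are constructed for illustration.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using System.Text;

class AadExample
{
    static void Main()
    {
        // Constructed sample values: a random 256-bit key and an example message.
        byte[] key = new byte[32];
        RandomNumberGenerator.Fill(key);
        byte[] toEncrypt = Encoding.UTF8.GetBytes("example payload");

        // Hypothetical framing: 4-byte big-endian length header, sent in the clear.
        // GCM ciphertext has the same length as the plaintext, so the header
        // can be built before encrypting.
        byte[] associatedData = new byte[4];
        BinaryPrimitives.WriteInt32BigEndian(associatedData, toEncrypt.Length);

        byte[] iv = new byte[AesGcm.NonceByteSizes.MaxSize];  // 12 bytes, unique per key
        RandomNumberGenerator.Fill(iv);
        byte[] cipherText = new byte[toEncrypt.Length];
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];   // 16 bytes

        // .NET 8+ prefers the overload that also takes the tag size.
        using var cipher = new AesGcm(key);
        // The header is authenticated by the tag but is not written into cipherText.
        cipher.Encrypt(iv, toEncrypt, cipherText, tag, associatedData);

        // On the wire: associatedData (plain) | iv | cipherText | tag.
        // The receiver passes the header it received as associatedData.
        byte[] decrypted = new byte[cipherText.Length];
        cipher.Decrypt(iv, cipherText, tag, decrypted, associatedData);
        Console.WriteLine(Encoding.UTF8.GetString(decrypted));

        // A header changed in transit no longer matches the tag, so Decrypt throws.
        byte[] tampered = (byte[])associatedData.Clone();
        tampered[3] ^= 0x01;
        try
        {
            cipher.Decrypt(iv, cipherText, tag, decrypted, tampered);
            Console.WriteLine("unexpected: modified header accepted");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("rejected: header does not match the tag");
        }
    }
}
```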