Why GCM Mode
Considered a safe and efficient method of operation. It is a very popular choice for authenticated encryption MAC. There are no other advantages from a security standpoint (as long as all modes of operation are configured as per the best practice).
Additonal Reading: Matthew Green: How to choose authenticated encryption?
How it works
Where is it commonly used
GCM is used in many of the SSL/TLS cipher suites. It has various other applications as listed on this wiki page.
How to use GCM
GCM requires no padding. This is because CTR mode is also a part of GCM.
As a reminder, CTR mode is special in a few ways:
It would be a mistake to encrypt 20 strings using an instance of the Crypt2 object, and then attempt to decrypt with the same Crypt2 object. To decrypt successfully, the app would need to instantiate a new Crypt2 object and then decrypt, so that the counters match.
Good points: Secure when done right, parallel encryption and decryption with authentication built in.
Bad points: Not many. It is complicated to implement and can be catostrophical if not implemented correctly.
DO NOT roll your own Crypto! Use standard services and libraries.
It is NOT advisable in any circumstances to develop any sort of cryptography on your own. Instead , there are a few options for standard libraries that can be used. These libraries offer better stability as they are usually a product of several years of experience in implementing cryptography by an active development community who are dedicated towards efforts in implementation. It is therefore considered to be reliable and robust.
OpenSSL is one such library which popular and therefore is used as an example for this concept. OpenSSL is not the only available crypto library. For a list of different libraries and a comparision between them, visit here.
The recommended version of OpenSSL is the latest 1.1.1. Some of them are additon the latest encryption standards and removal of older vulnerable ones.
It is again advised to not roll out your own cryptography while developing software. There are popular libraries in almost all programming languages that can readily be used to perform cryptographic operations.
There are multiple libraries that support AES in GCM mode. Some of them are:
Cryptography is a popular library and here is a basic example of how it works:
>>> import os >>> from cryptography.hazmat.primitives.ciphers.aead import AESCCM >>> data = b"a secret message" >>> aad = b"authenticated but unencrypted data" >>> key = AESCCM.generate_key(bit_length=128) >>> aesccm = AESCCM(key) >>> nonce = os.urandom(13) >>> ct = aesccm.encrypt(nonce, data, aad) >>> aesccm.decrypt(nonce, ct, aad) b'a secret message'
Some of the popular libraries in Java:
An example from the Java Cryptographic Extensions:
SecretKey myKey = ... byte myAAD = ... byte plainText = ... int myTLen = ... byte myIv = ... GCMParameterSpec myParams = new GCMParameterSpec(myTLen, myIv); Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); c.init(Cipher.ENCRYPT_MODE, myKey, myParams); // AAD is optional, if present, it must be supplied before any update/doFinal calls. c.updateAAD(myAAD); // if AAD is non-null byte cipherText = new byte[c.getOutputSize(plainText.length)]; // conclusion of encryption operation int actualOutputLen = c.doFinal(plainText, 0, plainText.length, cipherText); // To decrypt, same AAD and GCM parameters must be supplied c.init(Cipher.DECRYPT_MODE, myKey, myParams); c.updateAAD(myAAD); byte recoveredText = c.doFinal(cipherText, 0, actualOutputLen); // MUST CHANGE IV VALUE if the same key were to be used again for encryption byte newIv = ...; myParams = new GCMParameterSpec(myTLen, newIv);