Reputation: 81
When I decrypt using AES GCM, if my Authentication Tag does not match the computed Authentication Tag (indicating something supplied in the decryption process is incorrect), is it completely safe for the user to see the output from the decryption?
Or should I set the output from the decryption to zeroes so that the potential attacker cannot get any information back besides the decryption process failing?
I am worried that some hacker/mathematician would be able to begin guessing the key value more accurately if they had access to the output from the decryption.
Upvotes: 0
Views: 691
Reputation: 93978
The key value will be safe whatever you do - bar side channel attacks or abusing the key bytes. A block cipher such as AES is designed not to give any information back about the key. If the GCM authentication fails then you should not make the decrypted data available. Failure is failure - if GCM fails you cannot trust the contents of the bytes.
If you want to thwart attack, make sure that the attacker cannot easily change the plaintext that is encrypted, and make sure that all the bytes of the authentication tag are always verified. With GCM it also pays to make the authentication tag as big as possible.
Returning a minimum amount of information is generally seen as a good defense as well. Zapping the encrypted bytes to zero is probably a good thing, as long as you don't return any of those bytes.
Upvotes: 1
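As an added example, not part of the original question or answer: a Go wrapper over the standard library's crypto/cipher AES-GCM that applies the answer's points (the full 16-byte tag via NewGCMWithTagSize, a single opaque error on failure, and on failure no plaintext returned and the caller's buffer zeroed), then checks that every tampering case is rejected. The names Seal, OpenInto and Scenarios and the demo key, message and AAD are chosen here and are constructed values, not anything from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// TagSize is the full 128-bit GCM tag. Go accepts 12..16 bytes here, but every
// byte dropped from the tag lowers the cost of forging one, so use the maximum.
const TagSize = 16

// ErrAuthFailed is all a caller learns: not which byte mismatched, nor why.
var ErrAuthFailed = errors.New("aes-gcm: authentication failed; no plaintext returned")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithTagSize(block, TagSize)
}

// Seal encrypts plaintext under a fresh random nonce, binding aad; returns nonce || ciphertext || tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil // ct||tag appended after nonce
}

// OpenInto decrypts sealed into buf. On any failure it returns (nil, ErrAuthFailed)
// and zeroes all of buf, so the caller can never show bytes that failed the tag check.
func OpenInto(key, sealed, aad, buf []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+TagSize { // too short to even carry a full tag
		return nil, ErrAuthFailed
	}
	pt, err := aead.Open(buf[:0], sealed[:ns], sealed[ns:], aad)
	if err != nil {
		for i := range buf { // Go's GCM clears what it wrote; make it explicit
			buf[i] = 0
		}
		return nil, ErrAuthFailed
	}
	return pt, nil
}

var demoKey = bytes.Repeat([]byte{0x42}, 32)           // constructed demo key, not for real use
var demoMsg = []byte("transfer 10 EUR to account 1234") // constructed sample plaintext
var demoAAD = []byte("header-v1")                       // constructed associated data

// Scenarios reports, per tampering case, whether OpenInto returned the
// original plaintext (only "intact" may be true) and whether any failed call
// leaked bytes into the caller's buffer or return value.
func Scenarios() (res map[string]bool, leaked bool) {
	sealed, err := Seal(demoKey, demoMsg, demoAAD)
	if err != nil {
		panic(err)
	}
	flip := func(i int) []byte { // copy sealed, then flip one bit at offset i
		c := append([]byte(nil), sealed...)
		c[i] ^= 0x01
		return c
	}
	cases := []struct {
		name             string
		key, sealed, aad []byte
	}{
		{"intact", demoKey, sealed, demoAAD},
		{"ciphertext bit flip", demoKey, flip(12), demoAAD}, // first byte after the 12-byte nonce
		{"tag bit flip, first byte", demoKey, flip(len(sealed) - TagSize), demoAAD},
		{"tag bit flip, last byte", demoKey, flip(len(sealed) - 1), demoAAD},
		{"tag truncated by one byte", demoKey, sealed[:len(sealed)-1], demoAAD},
		{"wrong key", bytes.Repeat([]byte{0x43}, 32), sealed, demoAAD},
		{"wrong aad", demoKey, sealed, []byte("header-v2")},
	}
	res = make(map[string]bool, len(cases))
	for _, c := range cases {
		buf := make([]byte, len(demoMsg))
		pt, err := OpenInto(c.key, c.sealed, c.aad, buf)
		res[c.name] = err == nil && bytes.Equal(pt, demoMsg)
		if err != nil && (pt != nil || !bytes.Equal(buf, make([]byte, len(buf)))) {
			leaked = true
		}
	}
	return res, leaked
}
```

Go's Open already zeroes the bytes it wrote when the tag does not verify; the explicit loop in OpenInto makes that the wrapper's contract rather than an implementation detail, and returning nil plus one fixed error means the caller has nothing to display and the attacker learns only "failed". NewGCMWithTagSize would accept tags down to 12 bytes; keeping the full 16 is the "make the tag as big as possible" advice from the answer.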