Authenticated Encryption: AES-GCM and ChaCha20-Poly1305
Understand how AEAD ciphers provide confidentiality and integrity simultaneously, and why misuse of nonces in AES-GCM leads to catastrophic key recovery.
What Is Authenticated Encryption?
Authenticated Encryption (AE) solves a fundamental problem: traditional encryption only provides confidentiality — it keeps data secret — but it does not verify whether the ciphertext has been tampered with. An attacker could flip bits in ciphertext and the receiver would decrypt garbage without knowing it was modified. Authenticated Encryption with Associated Data (AEAD) adds an integrity and authenticity guarantee simultaneously, producing both encrypted ciphertext and an authentication tag that detects any modification.
AES-GCM: Counter Mode Plus GMAC
AES-GCM (Galois/Counter Mode) combines two components: AES-CTR (Counter Mode) for encryption and GMAC (Galois Message Authentication Code) for integrity. AES-CTR generates a keystream by encrypting a counter value and XOR-ing it with plaintext — this makes encryption parallelizable, unlike CBC mode. GMAC computes an authentication tag over the ciphertext and any associated data. The resulting tag (128 bits) travels alongside the ciphertext; a single bit change invalidates the tag.
# AES-256-GCM encryption with openssl
openssl enc -aes-256-gcm -in plaintext.txt -out encrypted.bin \
-K $(openssl rand -hex 32) \
-iv $(openssl rand -hex 12)All lessons in this course
- TLS 1.3 Handshake and 0-RTT Resumption
- Authenticated Encryption: AES-GCM and ChaCha20-Poly1305
- Key Derivation Functions: PBKDF2, bcrypt, and Argon2
- Post-Quantum Cryptography: CRYSTALS-Kyber and Dilithium