Internal counter in AES GCM

mvg7 · 2024-12-22 09:30:58

Hi! I did some test but still hardly undertsand: How do I properly use the TAesGcm on mulpiple packets?

I Encrypt a packet, to get its hash I call AesGcmFinal which resets the internal counter to 1.
So the next encryption starts with the initial IV.
What is the correct using of the TAesGcm to work with increasing counter?

ab · 2024-12-22 11:22:32

Yes, it is as expected.
You need to fill a new random IV for every encryption process.
The security between key reuse comes from the IV, not from the counter.
In fact, since the AES GCM is a AES CTR, the IV is XORed with the counter, so it is easier to always start at 1, and ensure a new random IV is transmitted with the encrypted packet (or guessed from an outside independent source).

mvg7 · 2024-12-22 12:37:01

ab wrote:

In fact, since the AES GCM is a AES CTR, the IV is XORed with the counter, so it is easier to always start at 1, and ensure a new random IV is transmitted with the encrypted packet (or guessed from an outside independent source).

Sorry let me please clarify once more, you wrote " to always start at 1" but actually we don't use the counter at all? its always 1 cause each new packet is encrypted after reseting the internal counter to 1?
What is the idea of CTR in this case?

ab wrote:

a new random IV is transmitted with the encrypted packet

Its enough to transmit only 8 bytes of IV correct? (12 bytes - 4 bytes which are always Cardinal(1))

Last edited by mvg7 (2024-12-22 12:48:14)

ab · 2024-12-22 13:48:48

What do you call a "packet"?
In AES block mode, the algorithms works with blocks of 16 bytes, and in AES-CTR the CTR is increased for each block.

For AES-GCM, the usual is to use 12 bytes of IV.
With less (e.g. 8 bytes) or more (e.g. 16 bytes), GHASH(IV,H) is computed, so it is less efficient.
See how TAesGcmEngine.Reset is implemented.

To be fair, you seem a bit confused within all the implementation details.
The easiest is to use a high-level method like TAesFast[mGcm].MacEncrypt().

mvg7 · 2024-12-23 18:05:35

ab wrote:

To be fair, you seem a bit confused within all the implementation details.
The easiest is to use a high-level method like TAesFast[mGcm].MacEncrypt().

Hi again! Maby thanks for your explanations! Indeed I was confused twice:)
In my task I want to encryot messages beeing sent via UDP.
1) I was thinking that a counter in CTR mode increase for next message - now I understand that in increase for next block in 1 message, and for the next message I create new IV,
2) I was also confused thinking that from 12 bits of IV 4 are used for the counter. Now I see that its 4 bits from 16 used for the counter, and 12 are pure for IV.

so the correct workflow is like this:
1) generate random IV of 12 bits
2) encrypt a message, send these 12 bits IV + encrypted + tag
3) repeat step 1 for the next message

ab · 2024-12-24 13:50:08

Yes, and this is what MacEncrypt() does for you.
(even if it sends 16 bytes of IV, but it is the same idea)

mORMot Open Source

#1 2024-12-22 09:30:58

Internal counter in AES GCM

#2 2024-12-22 11:22:32

Re: Internal counter in AES GCM

#3 2024-12-22 12:37:01

Re: Internal counter in AES GCM

#4 2024-12-22 13:48:48

Re: Internal counter in AES GCM

#5 2024-12-23 18:05:35

Re: Internal counter in AES GCM

#6 2024-12-24 13:50:08

Re: Internal counter in AES GCM

Board footer