2
votes

I am using AES 256 encryption in GCM mode using a class called AuthenticatedAesCng from this site: CLR security

After writing the plaintext through the crypto stream, I manually concatenate the IV, TAG, and encrypted data, then return that value.

cs is the cryptostream and ms the memorystream

// Write through and retrieve encrypted data.
cs.Write(message, 0, message.Length);
cs.FlushFinalBlock();
byte[] cipherText = ms.ToArray();                   

// Retrieve tag and create array to hold encrypted data.
byte[] authenticationTag = encryptor.GetTag();      
byte[] encrypted = new byte[cipherText.Length + aes.IV.Length + authenticationTag.Length];

// Set needed data in byte array.
aes.IV.CopyTo(encrypted, 0);                       
authenticationTag.CopyTo(encrypted, IV_LENGTH);
cipherText.CopyTo(encrypted, IV_LENGTH + TAG_LENGTH);

// Store encrypted value in base 64.
return Convert.ToBase64String(encrypted);

Is this the correct manner of using the AES cipher in GCM mode? Am I supposed to manually place all these values together or is it done automatically and I just missed it?

1
That looks like an implementation specific issue to me, so it's probably off-topic on crypto.SE. – CodesInChaos
ok, any suggestion as to where I should post instead? – crawfish
@crawfish, StackOverflow is probably the best place. I'm migrating it now. – mikeazo
Your best bet is to suck it and see. Try it first without adding the tag and see if the decryption side fails with "Missing tag" or similar. Ensure that it is checking things by testing it with a changed non-tag byte in the cyphertext array. That should definitely fail with "Mismatched tag" or whatever. – rossum
Em, no, ciphertext is just the data but you cannot have GCM ciphertext without the tag: it would defeat the entire purpose of GCM. The tag is normally appended to the ciphertext. The AAD data is optional, and the entire purpose of it is to have it sent in the clear. The IV is actually a nonce, so it may be computed on both sides. If you use a random NONCE or cannot precompute it, then it is normal to prepend it to the ciphertext (but you will have to explicitly code this at both sides). – Maarten Bodewes

1 Answer

1
votes

Ciphertext is just the data but you cannot have GCM ciphertext without the tag: it would defeat the entire purpose of GCM. The tag is normally appended to the ciphertext.

The AAD data is optional, and the entire purpose of it is to have it sent in the clear.

The IV is actually a nonce, so it may be computed on both sides. If you use a random NONCE or cannot pre-compute it, then it is normal to prefix it to the ciphertext (but you will have to explicitly code this at both sides).
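
The packing from the question together with the matching unpacking on the decrypt side, as an added example that is not part of the original post or of the AuthenticatedAesCng library. It assumes .NET 8 and its built-in `AesGcm` class, a 12-byte random nonce and a 16-byte tag; `GcmEnvelope`, `Seal` and `Open` are hypothetical names, and the `Main` method runs the tamper check suggested in the comments.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper. Layout follows the question's code:
// nonce || tag || ciphertext, then Base64.
static class GcmEnvelope
{
    const int NonceLength = 12; // assumed: 96-bit nonce
    const int TagLength = 16;   // assumed: 128-bit tag

    public static string Seal(byte[] key, byte[] plaintext)
    {
        byte[] packed = new byte[NonceLength + TagLength + plaintext.Length];
        Span<byte> nonce = packed.AsSpan(0, NonceLength);
        Span<byte> tag = packed.AsSpan(NonceLength, TagLength);
        Span<byte> cipherText = packed.AsSpan(NonceLength + TagLength);
        RandomNumberGenerator.Fill(nonce); // fresh random nonce for every message
        using var aes = new AesGcm(key, TagLength);
        aes.Encrypt(nonce, plaintext, cipherText, tag);
        return Convert.ToBase64String(packed);
    }

    // Returns null when the input is truncated or fails tag verification.
    public static byte[] Open(byte[] key, string base64)
    {
        byte[] packed = Convert.FromBase64String(base64);
        if (packed.Length < NonceLength + TagLength) return null;
        byte[] plaintext = new byte[packed.Length - NonceLength - TagLength];
        using var aes = new AesGcm(key, TagLength);
        try
        {
            aes.Decrypt(packed.AsSpan(0, NonceLength),            // nonce
                        packed.AsSpan(NonceLength + TagLength),   // ciphertext
                        packed.AsSpan(NonceLength, TagLength),    // tag
                        plaintext);
            return plaintext;
        }
        catch (CryptographicException) { return null; } // tag mismatch
    }

    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed sample key
        string packedText = Seal(key, Encoding.UTF8.GetBytes("constructed sample message"));
        Console.WriteLine(Encoding.UTF8.GetString(Open(key, packedText)));
        byte[] tampered = Convert.FromBase64String(packedText);
        tampered[^1] ^= 0x01; // flip one bit in a non-tag (ciphertext) byte
        Console.WriteLine(Open(key, Convert.ToBase64String(tampered)) == null); // True
    }
}
```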