I would like to implement a file transfer using AES GCM; both peers share the same key. However, the GCM tag that is used to verify the data integrity is computed at the end of the encryption process. So should the sender also send the tag to the receiver so he can decrypt and validate them? Or is it considered unsafe? (assuming the tag is encrypted and sent the same way the data are)
0
votes
The tag is not a secret and must be sent too. Read this, maybe this and here are the NIST docs.
– sascha
Oh ok, I did not see that, but then I guess that I must protect the sent tag from being altered too. Not very clear to me.
– user1362220
No. It does not matter if it is tampered with. If it is, you will recognize it. That's the whole idea (infeasible to tamper ciphertext and additional data part of the tag-calc and change tag to mask it).
– sascha
Ok, thank you a lot, I'll do some more research.
– user1362220
1 Answer
0
votes
You can send the tag and you even have to, as most proper implementations of GCM will fail to decrypt the ciphertext unless you provide them with a valid tag.
To decrypt successfully, you must have the ciphertext, the key, and the nonce. To verify the authenticity you must have the ciphertext, the tag, the key, the nonce and the associated data (if some was used during encryption).
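
The point made in the comments and in this answer, shown as an added example (not code from the question or the answer): the tag is sent in the clear next to the ciphertext, and any change to the tag, the ciphertext or the associated data makes decryption fail. The Go language, the `nonce || ciphertext || tag` wire layout, the function names and the sample strings are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from the 16-, 24- or 32-byte shared key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMessage returns nonce || ciphertext || tag (assumed framing). Seal appends
// the ciphertext and the 16-byte tag to the nonce; nonce and tag are not secret.
func sealMessage(gcm cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openMessage splits the wire message and returns plaintext only if the tag verifies.
func openMessage(gcm cipher.AEAD, msg, aad []byte) ([]byte, error) {
	n := gcm.NonceSize()
	if len(msg) < n+gcm.Overhead() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:n], msg[n:], aad)
}

func main() {
	key := make([]byte, 32) // constructed all-zero key, for the demo only
	gcm, _ := newGCM(key)
	aad := []byte("file=report.txt;chunk=0") // constructed associated data
	msg, _ := sealMessage(gcm, []byte("constructed file contents"), aad)
	pt, err := openMessage(gcm, msg, aad)
	fmt.Printf("intact: %q err=%v\n", pt, err)
	msg[len(msg)-1] ^= 0x01 // one bit of the tag flipped in transit
	_, err = openMessage(gcm, msg, aad)
	fmt.Println("tampered tag:", err)
}
```

Each message needs a fresh nonce under the same key; the random 12-byte nonce here is generated per call to `sealMessage`.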