AES-GCM
What is AES-GCM?
AES-GCM: An authenticated encryption mode that combines AES in counter mode with a GHASH-based authentication tag for confidentiality and integrity in a single pass.
AES-GCM (Galois/Counter Mode) is the authenticated encryption with associated data (AEAD) mode standardised in NIST SP 800-38D. It uses AES (128-bit block, 128/192/256-bit keys) in CTR mode for encryption and a GF(2^128) GHASH function to produce a 128-bit authentication tag over the ciphertext and additional authenticated data (AAD). One pass yields both confidentiality and integrity, and because counter mode is fully parallel and benefits from AES-NI hardware instructions, AES-GCM is the default in TLS 1.2/1.3 (RFC 5288, RFC 8446), IPsec, SSH, and 802.11ac.
Its defining weakness is catastrophic failure on nonce reuse. GCM's authentication is a polynomial MAC evaluated at a key derived from encrypting the zero block; repeating a 96-bit nonce under the same key gives two ciphertexts whose tag equations let an attacker solve for that authentication key (the "forbidden attack" described by Antoine Joux). Once recovered, the attacker can forge valid tags for arbitrary messages. This is not theoretical: in 2016 the Nonce-Disrespecting Adversaries study (Böck, Zauner, Devlin, Somorovsky, Jovanovic, USENIX WOOT) scanned the internet and found 184 HTTPS servers repeating nonces — including financial institutions — fully breaking their connection authenticity, plus over 70,000 servers using random nonces that risk collision over long sessions.
Defences: use deterministic or counter-based nonces, never random ones; cap data per key (NIST limits ~2³² blocks); or adopt nonce-misuse-resistant modes like AES-GCM-SIV (RFC 8452).
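The first two defences above, as an added example that is not part of this glossary entry: a small Go wrapper around the standard library's AES-GCM that derives each 96-bit nonce deterministically (a 4-byte fixed field followed by an 8-byte counter, the layout TLS 1.2 GCM records use) and refuses to encrypt once a per-key invocation cap is reached, so the same nonce can never be issued twice under one key. The `Sealer` type, its field names and the cap value are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

var ErrKeyExhausted = errors.New("aes-gcm: nonce counter cap reached, rotate key")
// Sealer (assumed name) holds one AES-GCM key plus deterministic nonce state:
// a 4-byte fixed field (e.g. a sender id) followed by an 8-byte counter.
type Sealer struct {
	aead  cipher.AEAD
	fixed [4]byte
	ctr   uint64
	limit uint64 // hard cap on Seal calls under this key
}

func NewSealer(key []byte, fixed [4]byte, limit uint64) (*Sealer, error) {
	block, err := aes.NewCipher(key) // key is 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead, fixed: fixed, limit: limit}, nil
}

// Seal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func (s *Sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	if s.ctr >= s.limit {
		return nil, ErrKeyExhausted // never wrap the counter: that repeats a nonce
	}
	nonce := make([]byte, 12)
	copy(nonce, s.fixed[:])
	binary.BigEndian.PutUint64(nonce[4:], s.ctr)
	s.ctr++
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag over ciphertext and aad before releasing any plaintext.
func (s *Sealer) Open(msg, aad []byte) ([]byte, error) {
	if len(msg) < 12+s.aead.Overhead() {
		return nil, errors.New("aes-gcm: message too short")
	}
	return s.aead.Open(nil, msg[:12], msg[12:], aad)
}
```

A real deployment keeps the counter in persistent or replicated storage so a restart cannot reissue an old value, and rotates the key well before the cap.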
Diagram (Mermaid flowchart):

```mermaid
flowchart TD
    K[AES key] --> CTR
    N[96-bit nonce/IV] --> CTR[AES-CTR encrypt]
    P[Plaintext] --> CTR
    CTR --> C[Ciphertext]
    C --> G[GHASH over GF 2^128]
    AAD[Additional auth data] --> G
    G --> T[128-bit auth tag]
    C --> OUT[Ciphertext + tag]
    T --> OUT
    N -. reuse under same key .-> X[Forbidden attack:<br/>recover auth key, forge tags]
```
● Examples
1. TLS 1.3 cipher suite TLS_AES_128_GCM_SHA256.
2. Disk encryption and per-record encryption in cloud KMS services.
● Frequently asked questions
What is AES-GCM?
An authenticated encryption mode that combines AES in counter mode with a GHASH-based authentication tag for confidentiality and integrity in a single pass. It belongs to the Cryptography category of cybersecurity.
What does AES-GCM mean?
An authenticated encryption mode that combines AES in counter mode with a GHASH-based authentication tag for confidentiality and integrity in a single pass.
How do you defend against attacks on AES-GCM?
Never reuse a nonce under the same key: use deterministic or counter-based nonces rather than random ones, cap the data encrypted per key, or adopt a nonce-misuse-resistant mode such as AES-GCM-SIV (RFC 8452), as described in the full definition above.
What are other names for AES-GCM?
Common alternative names include: Galois/Counter Mode, AES-128-GCM, AES-256-GCM.