AES-GCM
What is AES-GCM?
AES-GCM: An authenticated encryption mode that combines AES in counter mode with a GHASH-based authentication tag for confidentiality and integrity in a single pass.
AES-GCM (Galois/Counter Mode) is the authenticated encryption with associated data (AEAD) mode standardised in NIST SP 800-38D. It uses AES (128-bit block, 128/192/256-bit keys) in CTR mode for encryption and a GF(2^128) GHASH function to produce a 128-bit authentication tag over the ciphertext and additional authenticated data. AES-GCM is the default cipher suite for TLS 1.2/1.3, IPsec, SSH, and 802.11ac because of its parallelisability and AES-NI hardware acceleration. Its main weakness is catastrophic failure on IV reuse: repeating a 96-bit nonce under the same key allows recovery of the authentication key and plaintext, so nonces must be unique per key.
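The nonce-uniqueness requirement above is something a wrapper can enforce rather than leave to callers. The Go example below is added here and is not code from the page or from any library: it wraps the standard-library AES-GCM in a hypothetical `Sealer` type that forms each 96-bit nonce from a caller-supplied fixed field and a message counter and refuses to encrypt once a per-key message budget is spent, and its `Open` rejects any ciphertext or AAD that fails the tag check. The names `Sealer`, `NewSealer`, `Seal`, `Open` and the `fixed` and `limit` parameters are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Sealer (hypothetical helper, not library code) wraps AES-GCM; each 96-bit nonce is fixed field (32 bits) || invocation counter (64 bits), the deterministic construction of SP 800-38D section 8.2.1.
type Sealer struct {
	aead  cipher.AEAD
	fixed uint32 // identifies this encrypting instance (device, process, shard)
	count uint64 // next invocation counter value; never reused under this key
	limit uint64 // messages permitted under this key before rotation
}

// NewSealer takes a 16-, 24- or 32-byte AES key, the instance's fixed field and a budget.
func NewSealer(key []byte, fixed uint32, limit uint64) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead, fixed: fixed, limit: limit}, nil
}

// Seal returns nonce || ciphertext || tag and refuses once the budget is spent,
// so the counter cannot wrap and repeat a nonce under the same key.
func (s *Sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	if s.count >= s.limit {
		return nil, errors.New("nonce budget exhausted: rotate the key")
	}
	nonce := make([]byte, s.aead.NonceSize())
	binary.BigEndian.PutUint32(nonce[:4], s.fixed)
	binary.BigEndian.PutUint64(nonce[4:], s.count)
	s.count++
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil // output begins with the nonce
}

// Open verifies the tag over ciphertext and AAD before any plaintext is released.
func (s *Sealer) Open(msg, aad []byte) ([]byte, error) {
	ns := s.aead.NonceSize()
	if len(msg) < ns+s.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return s.aead.Open(nil, msg[:ns], msg[ns:], aad)
}
```

A real deployment would persist the counter (or derive a fresh key per process) so that a restart cannot replay earlier counter values under the same key.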
● Examples
- 01: TLS 1.3 cipher suite TLS_AES_128_GCM_SHA256.
- 02: Disk encryption and per-record encryption in cloud KMS services.
● Frequently asked questions
What is AES-GCM?
An authenticated encryption mode that combines AES in counter mode with a GHASH-based authentication tag for confidentiality and integrity in a single pass. It belongs to the Cryptography category of cybersecurity.
What does AES-GCM mean?
An authenticated encryption mode that combines AES in counter mode with a GHASH-based authentication tag for confidentiality and integrity in a single pass.
How does AES-GCM work?
AES-GCM (Galois/Counter Mode) is the authenticated encryption with associated data (AEAD) mode standardised in NIST SP 800-38D. It uses AES (128-bit block, 128/192/256-bit keys) in CTR mode for encryption and a GF(2^128) GHASH function to produce a 128-bit authentication tag over the ciphertext and additional authenticated data. AES-GCM is the default cipher suite for TLS 1.2/1.3, IPsec, SSH, and 802.11ac because of its parallelisability and AES-NI hardware acceleration. Its main weakness is catastrophic failure on IV reuse: repeating a 96-bit nonce under the same key allows recovery of the authentication key and plaintext, so nonces must be unique per key.
How do you defend against AES-GCM misuse?
Defences against AES-GCM misuse combine technical controls and operational practices; the essential one, as the full definition above states, is that a nonce must never be reused under the same key.
What are other names for AES-GCM?
Common alternative names include: Galois/Counter Mode, AES-128-GCM, AES-256-GCM.
● Related terms
- cryptography № 020
AES (Advanced Encryption Standard)
A NIST-standardized 128-bit block cipher with 128-, 192- or 256-bit keys, designed by Daemen and Rijmen and used as the dominant symmetric cipher worldwide.
- cryptography № 022
AES-CTR
A stream-cipher mode that turns AES into a keystream generator by encrypting an incrementing counter and XORing the output with the plaintext.
- cryptography № 161
ChaCha20-Poly1305
An AEAD construction pairing the ChaCha20 stream cipher with the Poly1305 one-time authenticator, standardised in RFC 8439 for TLS 1.3 and WireGuard.
- cryptography № 105
Block Cipher
A symmetric cipher that encrypts fixed-size blocks of plaintext with a secret key, usually combined with a mode of operation to handle data of arbitrary length.
- network-security № 1159
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
● See also
- № 021 AES-CBC
- № 384 Envelope Encryption