A detailed explanation of the GCM mode of operation for the AES-128 encryption algorithm
Uploader's description: this document was downloaded from the official site; the explanation is very thorough and it includes many encrypted-data examples that make it easy to verify your own program, but it is in English.
The Galois/Counter Mode of Operation (GCM)
David A. McGrew
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95032
mcgrew@cisco.com
John Viega
Secure Software
4100 Lafayette Center Drive, Suite 100
Chantilly, VA 20151
viega@securesoftware.com
Contents
1 Introduction (p. 1)
2 Definition (p. 2)
2.1 Inputs and Outputs (p. 2)
2.2 Notation (p. 3)
2.3 Encryption (p. 4)
2.4 Decryption (p. 7)
2.5 Multiplication in GF(2^128) (p. 7)
3 The Field GF(2^128) (p. 8)
4 Implementation (p. 10)
4.1 Software (p. 10)
4.2 Hardware (p. 13)
5 Using GCM (p. 15)
6 Properties and Rationale (p. 16)
7 Security (p. 22)
A GCM for 64-bit block ciphers (p. 25)
B AES Test Vectors (p. 27)
GCM
1 Introduction
Galois/Counter Mode (GCM) is a block cipher mode of operation that uses universal hashing over
a binary Galois field to provide authenticated encryption. It can be implemented in hardware to
achieve high speeds with low cost and low latency. Software implementations can achieve excellent performance by using table-driven field operations. It uses mechanisms that are supported
by a well-understood theoretical foundation, and its security follows from a single reasonable
assumption about the security of the block cipher.
There is a compelling need for a mode of operation that can efficiently provide authenticated
encryption at speeds of 10 gigabits per second and above in hardware, perform well in software,
and is free of intellectual property restrictions. The mode must admit pipelined and parallelized
implementations and have minimal computational latency in order to be useful at high data rates.
Counter mode has emerged as the best method for high-speed encryption, because it meets those
requirements. However, there is no suitable standard message authentication algorithm. This fact
leaves us in the situation in which we can encrypt at high speed, but we cannot provide message
authentication that can keep up with our cipher. This lack is especially conspicuous since counter
mode provides no protection against bit-flipping attacks.
GCM fills this need, while no other proposed mode meets the same criteria. CBC-MAC [1, Appendix F] and the modes that use it to provide authentication, such as CCM [2], EAX [3], and
OMAC [4], cannot be pipelined or parallelized, and thus are unsuitable for high data rates. OCB
[5] is covered by multiple intellectual property claims. CWC [6] does not share those problems,
but is less appropriate for high speed implementations. In particular, CWC's message authentication component uses 127-bit integer multiplication operations whose implementation costs
exceed those of even AES counter mode at high speeds, and it has a circuit depth that is twice
that of GCM. In contrast, the binary field multiplication used to provide authentication in GCM is
easily implemented at a fraction of the cost of counter mode at high speeds.
GCM also has additional useful properties. It is capable of acting as a stand-alone MAC, authenticating messages when there is no data to encrypt, with no modifications. Importantly, it can be used as an incremental MAC [7]: if an authentication tag is computed for a message, then part of the message is changed, an authentication tag can be computed for the new message with computational cost proportional to the number of bits that were changed. This feature is unique among
tational cost proportional to the number of bits that were changed. This feature is unique among
all of the proposed modes.
Another useful property is that it accepts initialization vectors of arbitrary length, which makes it
easier for applications to meet the requirement that all IVs be distinct. In many situations in which
authenticated encryption is needed, there is a data element that could be used as a nonce, or as a
part of a nonce, except that the length of the element(s) may exceed the block size of the cipher. In
GCM, a nonce of any size can be used as the IV. This property is shared with EAX, but no other proposed mode.
This document is organized as follows. Section 2 contains a complete specification of GCM, and
is the only normative part of this document. Section 3 contains an overview of finite fields and
a detailed description of the field representation used in GCM. Implementation strategies are described in Section 4, along with a discussion of their performance. A summary of the mode's
properties and a rationale for its design is offered in Section 6, along with a detailed performance
comparison with other modes. The security analysis is summarized in Section 7. Appendix A
describes the use of GCM for 64-bit block ciphers. Test data that can be used for validating AES
GCM implementations is contained in Appendix B.
2 Definition
This section contains the complete definition of GCM for 128-bit block ciphers. The mode is
slightly different when applied to 64-bit block ciphers; those differences are outlined in Appendix A.
2.1 Inputs and Outputs
GCM has two operations, authenticated encryption and authenticated decryption. The authenticated encryption operation has four inputs, each of which is a bit string:
• A secret key K, whose length is appropriate for the underlying block cipher.
• An initialization vector IV, that can have any number of bits between 1 and 2^64. For a fixed value of the key, each IV value must be distinct, but need not have equal lengths. 96-bit IV values can be processed more efficiently, so that length is recommended for situations in which efficiency is critical.
• A plaintext P, which can have any number of bits between 0 and 2^39 − 256.
• Additional authenticated data (AAD), which is denoted as A. This data is authenticated, but not encrypted, and can have any number of bits between 0 and 2^64.
There are two outputs:
• A ciphertext C whose length is exactly that of the plaintext P .
• An authentication tag T , whose length can be any value between 0 and 128. The length of
the tag is denoted as t.
The authenticated decryption operation has five inputs: K, IV , C, A, and T . It has only a single
output, either the plaintext value P or a special symbol FAIL that indicates that the inputs are not
authentic. A ciphertext C, initialization vector IV , additional authenticated data A and tag T are
authentic for key K when they are generated by the encrypt operation with inputs K, IV , A and
P , for some plaintext P . The authenticated decrypt operation will, with high probability, return
FAIL whenever its inputs were not created by the encrypt operation with the identical key.
The additional authenticated data A is used to protect information that needs to be authenticated,
but which must be left unencrypted. When using GCM to secure a network protocol, this input
could include addresses, ports, sequence numbers, protocol version numbers, and other fields that
indicate how the plaintext should be handled, forwarded, or processed. In many situations, it is
desirable to authenticate these fields, though they must be left in the clear to allow the network or
system to function properly. When this data is included in the AAD, authentication is provided
without copying the data into the ciphertext.
The primary purpose of the IV is to be a nonce, that is, to be distinct for each invocation of the
encryption operation for a fixed key. It is acceptable for the IV to be generated randomly, as long
as the distinctness of the IV values is highly likely. The IV is authenticated, and it is not necessary
to include it in the AAD field.
Both confidentiality and message authentication are provided on the plaintext. The strength of the
authentication of P, IV and A is determined by the length t of the authentication tag. When the
length of P is zero, GCM acts as a MAC on the input A. The mode of operation that uses GCM as
a stand-alone message authentication code is denoted as GMAC.
An example use of GCM for network security is provided in Section 5, which shows how the
inputs and outputs can be used in a typical cryptographic application.
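The input/output contract of this section, carried out as an added worked example (this is not code from the paper): it uses Go's standard-library AES-GCM, splits the library's single C||T output into the paper's two outputs C and T, maps a failed authentication onto the paper's FAIL symbol, obtains GMAC by passing a zero-length plaintext, accepts IVs of lengths other than 96 bits, and shows concretely what is lost when the rule "each IV value must be distinct" is violated. The function names, the protocol-header string used as AAD and the sample plaintext are constructed for this example; the key and IV in main are the ones the paper's Appendix B uses for its test cases 3 and 4. The tag length is fixed at the full t = 128 bits, which is what a practitioner should use unless a standard says otherwise.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM instance for an IV of the given length. A 96-bit IV
// takes the fast path the paper recommends; any other length is accepted through
// NewGCMWithNonceSize, which first hashes the IV under H as the paper describes.
func newGCM(key []byte, ivLen int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if ivLen == 12 {
		return cipher.NewGCM(block)
	}
	return cipher.NewGCMWithNonceSize(block, ivLen)
}

// Encrypt is the authenticated-encryption operation: inputs (K, IV, P, A),
// outputs (C, T). crypto/cipher returns C||T as one slice, so it is split here
// into the paper's two outputs; T is the full 128-bit tag.
func Encrypt(key, iv, plaintext, aad []byte) (c, t []byte, err error) {
	aead, err := newGCM(key, len(iv))
	if err != nil {
		return nil, nil, err
	}
	sealed := aead.Seal(nil, iv, plaintext, aad)
	n := len(sealed) - aead.Overhead()
	return sealed[:n:n], sealed[n:], nil
}

// ErrFail is the paper's FAIL output: the inputs are not authentic for this key.
var ErrFail = errors.New("FAIL: ciphertext, IV, AAD or tag is not authentic")

// Decrypt is the authenticated-decryption operation: inputs (K, IV, C, A, T),
// output P or FAIL. Nothing about the plaintext is released on failure.
func Decrypt(key, iv, ciphertext, aad, tag []byte) ([]byte, error) {
	aead, err := newGCM(key, len(iv))
	if err != nil {
		return nil, err
	}
	sealed := make([]byte, 0, len(ciphertext)+len(tag))
	sealed = append(append(sealed, ciphertext...), tag...)
	p, err := aead.Open(nil, iv, sealed, aad)
	if err != nil {
		return nil, ErrFail
	}
	return p, nil
}

// IVReuseLeak shows the cost of reusing an IV under one key: both encryptions
// use the same counter-mode keystream, so C1 xor C2 equals P1 xor P2 over the
// common length, and a passive observer learns that relation between plaintexts.
func IVReuseLeak(key, iv, p1, p2 []byte) ([]byte, error) {
	c1, _, err := Encrypt(key, iv, p1, nil)
	if err != nil {
		return nil, err
	}
	c2, _, err := Encrypt(key, iv, p2, nil)
	if err != nil {
		return nil, err
	}
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	leak := make([]byte, n)
	for i := range leak {
		leak[i] = c1[i] ^ c2[i]
	}
	return leak, nil
}

func main() {
	key, _ := hex.DecodeString("feffe9928665731c6d6a8f9467308308")
	iv, _ := hex.DecodeString("cafebabefacedbaddecaf888")
	// Constructed sample: a header that must stay in the clear but be authenticated
	// (AAD), and a payload that is both encrypted and authenticated.
	aad := []byte("v1|src=10.0.0.1:443|seq=17")
	p := []byte("account balance: 1000")

	c, t, _ := Encrypt(key, iv, p, aad)
	fmt.Printf("C=%x T=%x\n", c, t)
	if _, err := Decrypt(key, iv, c, aad, t); err == nil {
		fmt.Println("decrypt: ok")
	}
	// Changing one clear-text header field must make decryption return FAIL.
	_, err := Decrypt(key, iv, c, []byte("v1|src=10.0.0.1:443|seq=18"), t)
	fmt.Println("tampered AAD:", err)
	// GMAC: zero-length plaintext, the tag authenticates the AAD alone.
	_, mac, _ := Encrypt(key, iv, nil, aad)
	fmt.Printf("GMAC tag=%x\n", mac)
}
```

Go refuses plaintexts longer than 2^32 − 2 blocks, which is the paper's 2^39 − 256 bit limit expressed in blocks, and it rejects a zero-length IV, matching the "between 1 and 2^64" bound. The decrypt path deliberately returns the same FAIL for a bad tag, bad AAD, bad ciphertext or wrong IV: distinguishing the cases would give an attacker an oracle for nothing in return.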
2.2 Notation
Our notation follows that of the Recommendation for Block Cipher Modes of Operation [8]. The two main functions used in GCM are block cipher encryption and multiplication over the field GF(2^128). The block cipher encryption of the value X with the key K is denoted as E(K, X). The multiplication of two elements X, Y ∈ GF(2^128) is denoted as X · Y, and the addition of X and Y is denoted as X ⊕ Y. Addition in this field is equivalent to the bitwise exclusive-or operation, and the multiplication operation is defined in Section 2.5.