AES-256 GCM IV guidelines (HashiCorp Vault)

If I use for example AES-256 (GCM), and my message is bigger than 256 bit (broken into smaller 256 bit blocks for encryption), I’m thinking of using the new Hashicorp Vault integration, can someone explain the guidelines to me?

Hi @Northskool,

Glad you’re going to try out our new Hashicorp Vault integration!

The IV for GCM mode, in this case the thing we call the Nonce, is different from the IV used for the CTR mode inside of GCM.

Additionally as per the wording of your question, AES256 has a 256-bit key and a 128-bit block, not a 256-bit block, and encrypts plaintext in 128-bit increments.

For GCM, you MUST use a unique Nonce for every message. Inside GCM, the Nonce is turned into the CTR IV. If you look at kelalaka’s answer, if the Nonce is 96-bits, the CTR IV is the exact same thing. If it is some other size, it converts it to a 96-bit IV using the referenced algorithm. CTR mode uses the IV plus a counter starting at 1 to generate the stream. The 96-bit IV plus the 32-bit counter equal the 128-bit input block to the cipher.

([     IV     ][ctr1]) -----> [AES] -----> ([      STREAM1      ])

The output 128-bit stream block is used to encrypt the plaintext blocks. If there are multiple blocks of plaintext, only one can be encrypted with a given counter, so it is incremented by 1, and the same operation is repeated to generate the next 128-bit stream block. If the final plaintext block is shorter than 128-bits, the unused stream bits are discarded:

MESSAGE = ([     PLAINTEXT1    ][     PLAINTEXT2    ][ PLAINTEXT3 ])
AUTHDAT = additional data to authenticate
LEN_T = desired length of authentication tag
L = length_64(AUTHDAT) || length_64(MESSAGE)
NONCE = 96-bits, therefore IV=NONCE
H = AES_K(0x00000000000000000000000000000000)
ctr0 = 0x00000001, ctr1 = 0x00000002, and so on

([     IV     ][ctr0]) -----> [AES] -----> ([      STREAM0      ])

([     IV     ][ctr1]) -----> [AES] -----> ([      STREAM1      ])
([     IV     ][ctr2]) -----> [AES] -----> ([      STREAM2      ])
([     IV     ][ctr3]) -----> [AES] -----> ([      STREAM3      ])

([     PLAINTEXT1    ]) XOR ([      STREAM1      ]) = ([     CIPHERTXT1    ])
([     PLAINTEXT2    ]) XOR ([      STREAM2      ]) = ([     CIPHERTXT2    ])
([ PLAINTEXT3 ])        XOR ([      STREAM3      ]) = ([ CIPHERTXT3 ])

CIPHERTEXT= ([     CIPHERTXT1    ][     CIPHERTXT2    ][ CIPHERTXT3 ])

H = GHASH(H,AUTHDAT,CIPHERTEXT,L)
TAG = truncate_LEN_T( H XOR STREAM0 )

All Travis environment variables that are encrypted using Hashicorp Vault are encrypted using AES256-GCM96. So I think AES256-GCM96 is something you’ll want to look into more.

1 Like

Excellent explanation @Montana, thank you so much!

Yep, no problem.